The Provisum Platform
A purpose-built system for security role mapping during enterprise migrations. From source data import through audit-ready export.
Five stages. One audit trail.
Provisum implements a structured workflow that transforms raw access data into approved, exportable role assignments. Each stage builds on the previous one, and every action is logged.
Data Upload & Validation
Import user records, source role libraries with detailed permission structures, target role libraries, and your SOD rulebook. Provisum validates each dataset on import and surfaces data quality issues before analysis begins.
Supports CSV upload with smart validation, dynamic templates, and picklist matching. Handles SAP, Oracle, and custom formats out of the box.
AI-Powered Persona Generation
The AI engine analyzes each user’s permission set at the transaction level and clusters users with similar access patterns into security personas. This is not a role-level comparison — it examines specific permissions and transaction codes.
A typical engagement with 10,000 users produces 200–300 personas, representing a 95–98% reduction in entities that need individual mapping. Low-confidence assignments are flagged for human review.
Intelligent Role Mapping
Mappers assign target roles using Provisum’s mapping workspace. Auto-map identifies the minimum set of target roles that covers each persona’s permissions while enforcing least-privilege access.
Coverage metrics and over-provisioning indicators provide immediate feedback. User-level refinements are supported without disrupting the broader mapping. Gap analysis identifies unmapped permissions.
SOD Analysis & Refinement
Every user’s combined access is evaluated against the full SOD rulebook. Conflicts are classified by severity and categorized as between-role or within-role, each with specific resolution paths.
Mappers can remove conflicting roles, substitute alternatives, or request risk acceptance with documented justification. Within-role conflicts route to the security design team automatically.
Approval & Export
Approved mappings flow through role-based approval queues. Approvers see only their assigned scope and can approve individually or in bulk for high-confidence mappings.
Export to Excel for audit documentation, PDF for management reporting, and CSV for direct system provisioning. The audit log captures every action with actor, timestamp, and change detail.
Try it yourself
Walk through the role assignment workflow. Click through to see how mappers review assignments, resolve conflicts, and submit for approval.
Built for the migration use case
AI-First Design
The AI performs the analytical work — clustering users, suggesting mappings, detecting conflicts. Humans make the judgment calls. This is not a traditional tool with AI bolted on; the engine is foundational to the workflow.
Integrated SOD Analysis
Segregation of duties analysis is embedded in the mapping workflow, not a separate tool. Conflicts are identified before mappings reach approval, eliminating the costly cycle of discovering compliance issues during post-migration audit.
Audit-Ready Output
Every action is logged with actor, timestamp, and the specific change made. Export capabilities produce compliance-ready documentation in Excel, PDF, and CSV formats at any point in the project lifecycle.
Transparent AI
Every AI-generated output includes its reasoning. When a mapper confirms a suggestion, the decision and its provenance are recorded. Nothing is a black box. Confidence scores reflect the model’s assessment of its own certainty.
Transaction-Level Analysis
Provisum analyzes permissions at the transaction code level, not the role level. This produces more accurate persona groupings and more precise mapping suggestions than approaches that compare only role names.
Lumen AI Assistant
Ask questions about your migration in natural language. Specialized tools for reading data, creating mappings, resolving conflicts, submitting reviews, and sending reminders — all within a conversational interface.
Enterprise-grade by design
Built on a modern web architecture with a structured relational database, deployed as a single-tenant application to ensure data isolation between engagements.
Single-tenant isolation
Each deployment is fully isolated. Your data never shares infrastructure with another client engagement.
Role-based access control
Six platform roles — System Admin, Admin, Approver, Mapper, Coordinator, Viewer — with enforced permissions at both UI and API layers.
Structured data model
50+ entity types spanning the full workflow lifecycle, from source data import through approved role assignments and audit records.
AI attribution & provenance
AI-generated outputs are visually distinguished. When confirmed by a human, the visual treatment changes — creating a clear record of contribution and accountability.
Designed for migration, built to scale
SAP ECC to S/4HANA
The primary use case, driven by SAP’s 2027 end-of-support deadline. Full role mapping lifecycle from legacy ECC roles to S/4HANA Fiori-based role structures.
Oracle EBS to Oracle Cloud
The same persona-based mapping approach applies to Oracle’s responsibility-to-role model transition, with SOD analysis adapted for Oracle’s access control framework.
Multi-system consolidation
Organizations merging access structures across acquired entities or migrating from multiple legacy systems to a single platform. Normalize and reconcile disparate role architectures.
Security role redesign
Even outside migration scenarios — transaction-level analysis of current access patterns and automated gap identification for organizations redesigning their security role models.
Ready to map
with confidence?
See how Provisum handles your migration — with your data, your rules, your timeline.