Frequently Asked Questions

Provisum is a purpose-built platform that replaces manual, spreadsheet-based security role mapping with an AI-powered, auditable workflow. It handles persona generation, intelligent role mapping, segregation of duties analysis, and structured approval workflows — with a full audit trail.

Provisum is designed for any enterprise system migration that involves security role redesign. The primary use case is SAP ECC to S/4HANA migrations, but the platform also supports Oracle EBS to Oracle Cloud transitions, multi-system consolidations, and standalone security role redesign projects.

Provisum’s AI engine analyzes user permissions at the transaction level — not just role names — to cluster users with similar access patterns into security personas. It then suggests target role mappings using composite confidence scoring that combines AI reasoning, permission overlap analysis, and historical acceptance patterns. Every AI output includes its reasoning, and all outputs are visually distinguished from human decisions.

Every AI-generated output in Provisum is visually tagged and includes the reasoning behind the suggestion. When a mapper confirms an AI suggestion, the visual treatment changes from AI-attributed to human-confirmed. The audit trail records exactly where AI contributed and where humans made the final call.

What previously required 3–6 months of manual mapping effort can typically be completed in 2–3 weeks with Provisum, with higher accuracy and defensible compliance documentation from day one.

Four categories: user records with current role and transaction code assignments, your legacy source role library with detailed permission structures, the target role library for the new system, and your organization’s SOD rulebook. Provisum validates each dataset on import.

Instead of mapping each user individually, Provisum clusters users with similar access patterns into security personas. A typical engagement with 10,000 users produces 200–300 personas — a 95–98% reduction in entities that need to be individually mapped. Each persona is then mapped to target roles, and the mapping applies to all users assigned to that persona.

Low-confidence persona assignments are flagged for human review. Mappers can also apply user-level refinements to individual users within a persona without disrupting the broader mapping.

After each mapping, Provisum evaluates every user’s combined access against your full SOD rulebook. Conflicts are classified by severity and categorized as between-role (resolvable by the mapping team) or within-role (requiring security design changes). Each conflict includes the specific permissions that triggered it and the rule that was violated.

Yes, with documented business justification. Risk acceptance follows a structured workflow with appropriate approval authority. Critical-severity conflicts have additional safeguards — they require escalated approval and cannot be silently risk-accepted.

Every action in Provisum is logged with who did it, when they did it, and what specifically changed. This includes mapping decisions, approval actions, SOD conflict resolutions, risk acceptance justifications, and configuration changes. Export to Excel, PDF, and CSV formats at any point.

Yes. Provisum was designed with audit defensibility as a first-class requirement. The structured approval workflows, complete audit trail, SOD analysis, and compliance-ready export formats meet the documentation standards required for external audit review.

Provisum is deployed as a single-tenant application, ensuring complete data isolation between client engagements. Each deployment has its own infrastructure — your data never shares resources with another client.

Excel for audit documentation, PDF for management reporting, and CSV for direct system provisioning. Exports can be generated at any point during the engagement, not just at the end.

Six platform roles: System Admin, Admin, Approver, Mapper, Coordinator, and Viewer. Each role has enforced permissions at both the UI and API layers, ensuring that users can only access and modify data within their authorized scope.