on 08-25-2008 9:49 PM
Hi , I have the CC 5.2 connected to single system and using GLOBAL ruleset.
In backend i have created a role Z:CONFLICTING_ROLE and assigned to user ERIC.
Now there are two risks in the role F030 and S027 , i have created two mitigating controls for them and have mitigated the risks at role level .
When i run the report on the USER ERIC , it should show in there also as mitigated , but there is nothing in mitigation.
I was under impression that roles once mitigated , users with be mitigated also, what is wrong here ? ?
The option under Configuration :
Risk Analysis ->Add Options -> Include Role/Profile Mitigating Controls in User Analysis
is set to yes..
Pls help me to resolve this issue.
regds
navdeep
Edited by: navdeep pathania on Aug 25, 2008 11:02 PM
navdeep,
I was rather talking about the PFUD in the back-end system.
But okay, if the synch with GRC is not working in the first place, then this issue should be addressed as well. However, that goes beyond this particular post 'Need help in Mitigation"
In an attempt to help you : is your diamond shaped adapter green ? are you using the correct model in the JCO in terms of your release of backend system ? did you do a full sync or incremental ?
for sure, this is your issue why the users are not mitigated through their assigned mitigated roles.
succes
sam
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
jco connection is working and diamond is all green , it pulls in the roles but different and the number of roles is always 1341 , this is sandbox .
The setup was to use the VIRSA addin abap packages below :
IRSANH 520_700 0003
VIRSAHR 520_700 0000
and at the JCO level in SLD i am using
VIRSAHR_01_METADATA
VIRSAHR_01_MODEL
Also one thing i noticed in the profiles display it s showing me the T-XXX profiles also it is showing objects like S_SPO_USER_A in profiles , which is quite odd , has u seen this somewhere else.
regds
navdeep
Hello navdeep,
I have impression that you have created yourself a test role. Are you sure that you have peformed a user comparison in the back-end system ? Please note that SAP GRC does not care about which roles are assigned to users. Only the assigned profiles count.
hope this helps,
sam
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
i have done a user/role/profile sync, but in the security reports section , "i can find all users and profiles", but when i see the reports for the roles " i cannot find the Z* roles only SAP_ roles .
But in the sync i have selected all roles to be synced , but somehow last roles i can see is, SAP_LE_BASIC_DATA_DISPLAY , 1341 roles so it got no Z roles in the CC , tables i don;t know why i don;t have roles sycned up. Any idea why the roles are not picked up ??
This maybe the reason why the user level mitigations are not working.
regds
navdeep
I already have the * after the risk , in mitigation , the problem is the roles are mitigated but the user who has the same role ( and single role only) is not mitigated .
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We prefer to call the "tricks" as undocumented features
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello navdeep,
You're absolutely right, however there is a little trick that you might have missed when creating the mitigating control. You should add a star () after the control ID. So instead of just creating the control for risk F030 just enter F030.
Hope it helps !
Regards,
Jerome.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.