
GRC 5.3: CUP risk analysis VS. RAR risk analysis

Former Member
0 Kudos

I've installed and configured RAR and CUP. When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts. When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged. Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

Mr. Jackson:

To correctly do this, you should create a second Rule Set in RAR called something like "CRITACTPERM" and move all Critical Action / Permission Risks there. You then need to make sure that a scan is scheduled for this rule set to update the Management Reports. If the Default Rule Set is set to Global in RAR, then CUP will only use the SoD rules.
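A constructed model of the behaviour this thread describes, added here and not SAP code: rules grouped by rule set, RAR running a selective analysis of one risk type, CUP returning every risk type in the default rule set at the configured level, and the effect of moving critical-action rules into a second rule set such as the "CRITACTPERM" suggested above. Transaction codes, authorization values, risk IDs and the user are made-up sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    risk_id: str
    kind: str                             # "SOD", "CRIT_ACTION" or "CRIT_PERMISSION"
    actions: frozenset                    # transaction codes that must all be assigned
    auth_values: frozenset = frozenset()  # (object, field, value) checked at permission level

@dataclass
class User:
    actions: set        # tcodes granted through roles (constructed sample data)
    auth_values: set    # (object, field, value) triples the roles grant

def rule_matches(rule, user, level):
    """A rule fires when the user holds all its actions; at permission level an SoD
    rule also needs its authorization values. Critical-action rules carry no
    authorization values, so they fire on the tcode alone at either level."""
    if not rule.actions <= user.actions:
        return False
    if level == "PERMISSION" and rule.auth_values:
        return rule.auth_values <= user.auth_values
    return True

def rar_analysis(user, rule_sets, rule_set, level, risk_type):
    """RAR: selective analysis of one risk type within one rule set."""
    return sorted(r.risk_id for r in rule_sets[rule_set]
                  if r.kind == risk_type and rule_matches(r, user, level))

def cup_analysis(user, rule_sets, default_rule_set, level):
    """CUP as observed in the thread: the configured level is applied, but every
    risk type in the default (Global) rule set is returned."""
    return sorted(r.risk_id for r in rule_sets[default_rule_set]
                  if rule_matches(r, user, level))

# Constructed sample rules: one SoD risk and one critical-action risk.
SOD_RULE = Rule("P001", "SOD", frozenset({"FK01", "F110"}),
                frozenset({("F_LFA1_BUK", "ACTVT", "01"), ("F_REGU_BUK", "FBTCH", "21")}))
CRIT_RULE = Rule("C001", "CRIT_ACTION", frozenset({"SE16"}))
SINGLE_RULE_SET = {"GLOBAL": [SOD_RULE, CRIT_RULE]}
SPLIT_RULE_SETS = {"GLOBAL": [SOD_RULE], "CRITACTPERM": [CRIT_RULE]}

# Constructed user: holds both SoD tcodes but only one of the two authorization
# values, so the SoD risk is clean at permission level; also holds SE16.
USER = User({"FK01", "F110", "SE16"}, {("F_LFA1_BUK", "ACTVT", "01")})

if __name__ == "__main__":
    print(rar_analysis(USER, SINGLE_RULE_SET, "GLOBAL", "PERMISSION", "SOD"))  # []
    print(cup_analysis(USER, SINGLE_RULE_SET, "GLOBAL", "PERMISSION"))         # ['C001']
    print(cup_analysis(USER, SPLIT_RULE_SETS, "GLOBAL", "PERMISSION"))         # []
```

With the critical-action rule moved to "CRITACTPERM", CUP no longer reports it, while RAR can still report it by selecting that rule set explicitly.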

Former Member
0 Kudos

Any news if a new enhancement will be included in CUP to enable risk analysis at different levels?

Due to the problem you guys mentioned, we are unable to activate Critical Actions as it will flag the transactions regardless of the permissions. We have to mitigate every single user that requests access in CUP.

I would have thought it would have made sense that if, in RAR, critical actions are assessed at an object level, then in CUP they would be too.

achristian17
Participant
0 Kudos

Hi, I'm facing a similar problem at a couple of client installations. We raised this to SAP but there is no firm answer from them. So one client has gone with de-activating certain critical actions in RAR. The other is okay to go with this but is awaiting SAP's response.

That's my experience.

Rgds,

Asok

Former Member
0 Kudos

Hi Guys, I am in the same situation: when I try to do a risk analysis from CUP it brings critical action values even if I select permission level or action level risk analysis.

I need help: how can I ignore critical actions?

Former Member
0 Kudos

You'll have to remove critical actions from RAR. There is no way to force CUP to only do a SoD risk analysis; it will pull in critical actions as well.

koehntopp
Product and Topic Expert
0 Kudos

I guess the behaviour is on purpose.

In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)

In CUP, you do want to see any kind of risk that might arise from a role assignment to a user.

I have to say, I cannot really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???

Former Member
0 Kudos

> I guess the behaviour is on purpose.
>
> In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
>
> In CUP, you do want to see any kind of risk that might arise from a role assignment to a user.
>
> I have to say, I cannot really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???

Hi Frank,

I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) from the Permission Level Risk Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigate appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.

I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimately simulate whether adding security to a user will cause SoD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.

Let me know if I need to clarify further.

Former Member
0 Kudos

Anyone here know of any updates to this issue?

As my post from July 1st explains, we do not want to run risk analysis on all levels for various reasons. We are going to raise this issue to SAP (as others have done) and my hope is that they have at least looked into it somewhat. Just curious if anyone else has received feedback from them.

Thanks!

--

Jes Behrens

Former Member
0 Kudos

The only workaround I found was to remove the risks we had as critical actions (I know that's a poor and probably unavailable solution for you).

Former Member
0 Kudos

One more thing: I realize that CUP is doing a risk analysis on all levels, while in RAR I'm doing a permission level analysis. In the configuration guide for AC, it says that CUP can't do analysis on different risk levels, but I thought it was referring to the critical, high, medium, etc. levels. Is it possible to force RAR to do an analysis only on segregation of duties conflicts at the permission level?

Former Member
0 Kudos

Hi,

In CUP go to Configuration --> Risk Analysis.

Here you have Default Analysis Type; set the risk analysis level there.

In CUP we don't do any risk analysis. We just call the web service of RAR to do the risk analysis.

We just set the level on which we want to do the risk analysis.

So if you have both set to permission level / action level then the result will not differ for any role.

Hope it helps

Regards

Abhishek

Former Member
0 Kudos

Yeah, even though it's at permission level, it's doing a risk analysis on all levels: SoD, critical action, and critical permission. I guess it's not possible to change this from CUP, so what I've done is just deactivated all critical action rules in RAR, because we don't use them anyway. This has solved my issue.

Thanks.