on 03-20-2009 6:50 AM
Hi Gurus,
I am totally confused by the way our CC is working while using it for User Analysis. I understand that during Risk Analysis for a user with Report Type "Action Level" will give the conflicts at the transaction level for the user and with Report Type "Permission Level" will give the conflicts at the Object level for the user. Also the permission level report includes the results of the action level report as well and hence Permission level report is more detailed & reliable.
But now when I run the analysis report for a particular user both at Action & Permission level...the user is not getting any conflicts at Action level but it is showing conflicts at the Permission level. For another user the vice versa is happening. Could anyone help me in understanding the above 2 scenarios?
Regards,
Lakshmi.
Lakshmi-
Permission-level reporting is more granular than Action-level. Most of our customers perform analysis on the permission-level. It will depend on the company and their policy.
You might have action-level conflicts that are not on the permission-level, because the user might not have all the auth objects.
Ankur
SAP GRC RIG
Permission level - Removes "False Positives" therefore if the risk does not occur at permission level, even if it may still get reported at Action level.
In regards to the issue where you are seeing no report of the risk at Action level, but you are seeing the report at Permission level, just re-sync the roles/users/profile again between RAR and the target system and try running the Risk Analysis again (may have to do a Batch Risk update).
One other way of investigating this is to simulate the user/role in question by adding/removing tcodes and permission and see what is happening in the ad-hoc results.
thanks
Hi
For a user to have an action-level conflict, the user should have that transaction code access only, i.e. object S_TCODE = xyz transaction code.
Similarly for a user to be reported in permission level conflict the user should have access to
S_TCODE = xyz transaction code plus all other authorisation objects... Or in other words, if the user is missing any authorisation object it won't be reported there...
So just check what authorisation object level check is enabled for that transaction code in the Rule Architect tab. Thereafter see whether the user has access to all those authorisation objects with the values specified...
Parveen
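The check Parveen describes above, as an added example that is not part of the original thread and not SAP's own code: a simplified model of how one risk is evaluated at action level and at permission level. The rule, the users and the function names are constructed for illustration.

```python
# Simplified model of action- vs permission-level SoD analysis.
# Constructed sample data; not SAP's rule set or algorithm.

# One risk = two conflicting functions. Each function names an action (tcode)
# and the authorization-object values enabled for it in the rule set.
RISK = [
    {"action": "FK01", "permissions": {("F_LFA1_BUK", "ACTVT", "01")}},
    {"action": "F-53", "permissions": {("F_BKPF_BUK", "ACTVT", "01")}},
]

def has_action(auths, action):
    """Action level only looks at S_TCODE."""
    return ("S_TCODE", "TCD", action) in auths

def action_level_conflict(auths, risk=RISK):
    return all(has_action(auths, f["action"]) for f in risk)

def missing_permissions(auths, risk=RISK):
    """Per action, the rule's object values the user does not hold."""
    gaps = {}
    for f in risk:
        need = f["permissions"] | {("S_TCODE", "TCD", f["action"])}
        lacking = need - auths
        if lacking:
            gaps[f["action"]] = sorted(lacking)
    return gaps

def permission_level_conflict(auths, risk=RISK):
    return not missing_permissions(auths, risk)

# Constructed users, each a set of (object, field, value) authorizations.
FULL = {("S_TCODE", "TCD", "FK01"), ("F_LFA1_BUK", "ACTVT", "01"),
        ("S_TCODE", "TCD", "F-53"), ("F_BKPF_BUK", "ACTVT", "01")}
# Same tcodes, but display-only (03) on the posting object.
DISPLAY_ONLY = (FULL - {("F_BKPF_BUK", "ACTVT", "01")}) | {("F_BKPF_BUK", "ACTVT", "03")}

if __name__ == "__main__":
    for name, auths in (("FULL", FULL), ("DISPLAY_ONLY", DISPLAY_ONLY)):
        print(name, action_level_conflict(auths),
              permission_level_conflict(auths), missing_permissions(auths))
```

In this model a permission-level hit always implies an action-level hit, so a user who shows only at permission level points to the data or rule configuration rather than to the authorizations themselves.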
Hello Lakshmi,
You are correct in your understanding of Action and Permission level reports but one thing has to be clear that the output is always based on the risks you have configured in your system.
Does your first user have any Action risks configured in the Rule Architect tab? Please make sure that you have the Action risks configured corresponding to the actions assigned to this user. Are you running these jobs in foreground?
Regards
Harleen
SAP GRC RIG
Hi Laxmi,
Were you able to perform Background sync for users, roles and profiles properly?
How about the Batch Risk Analysis? Does that report have any discrepancy with the findings for the former user from the ad-hoc risk analysis?
What about the Mitigation Controls? Have these users/risks been mitigated, and during Foreground Analysis did you turn on/off Ignore Mitigation Controls?
SAP is releasing SP 7 for AC 5.3 very soon at SMP. I would recommend, if possible, please upgrade both RTA and front-end to the latest SP levels.
--
Cheers!,
Aman
Hello Lakshmi,
Which version and SP level of CC are you on?
Regards
Harleen
SAP GRC RIG