
RAR 5.3- use of role level mitigation

Former Member
0 Kudos

If we mitigate a role and assign the role to a user, the risk will still appear in user level risk analysis, then what is the use of assigning mitigating control to the role?

If this is the case then I'll consider assigning mitigating controls only to users.

Accepted Solutions (1)

Former Member
0 Kudos

I generally work on the principle that you remediate roles and mitigate users. However, there are times when you may find that there is a mitigation which is automatically assigned to all users who would ever have that role.

If the user is still shown with conflicts despite the role being mitigated, I would check the user's access to see whether the risk is triggered from outside of this role in the first instance.

I would then check the configuration of the mitigation control and the validity period of the assignment to the role, as it may be that it's not covering the entire risk or may have expired.

Regards, Simon

Former Member
0 Kudos

There is only one role assigned to the user and the mitigating control is not expired.

I think the mitigating control needs to be assigned to the user also for the risk to not appear in the user analysis, despite the risk being mitigated at role level.

Former Member
0 Kudos

Can you run role level analysis on this role and see if the mitigation is working or not? Also, make sure to exclude object with mitigation while running the analysis.

Alpesh

Former Member
0 Kudos

Hi,

If you want to exclude the mitigated risks via role while doing user analysis, check this configuration-

RAR-Risk analysis-Additional Options-

Include Role/Profile Mitigating Controls in User Analysis - YES

Explanation of configuration-

"To include role-based or profile-based mitigating controls in user-based risk analysis reports, set this value to Yes.

The risk analysis includes user-level mitigation control IDs (if any exist). If not, the report will display either the role-based or profile-based mitigating control ID, in that order."

Answers (1)

Former Member
0 Kudos

If you are using SP7 there is a need to include the * symbol after the risk id for the mitigation to take effect.

This was solved by SP8, but appears again in SP9.

The field name is RISK ID, but SAP GRC RAR considers it as RULE.

Edited by: Mesly Fernandes on Dec 3, 2009 4:48 PM

Former Member
0 Kudos

Mesly,

Not quite!!

If you want to mitigate the whole risk then you are correct but you can actually mitigate specific rules by including some of the more specific elements and then, you would enter the rule ID rather than just the risk.

I suspect that is why the "Fix" is not in SP09!

Simon

Former Member
0 Kudos

Simon,

There is an OSS that was closed by SP8 and solved this issue with the * after the risk. That's why I'm sure that it was a recognized bug by SAP.

If what is planned is to mitigate risk F001 for example, in SP7 and now again in SP9 you will need to declare F001*.

I must emphasize that the field is clearly stating that it is the Risk ID and not the Rule ID, so it should be enough to declare the four digits that are the limit for risk IDs. If there were a Rule ID field this mistake could be avoided. I'm aware that risk IDs are not kept by themselves in the RAR tables, but only rule IDs, but the core could filter only the four initial digits of it.

The original post claims for a full risk mitigation, right PARTHASARATHY?

Former Member
0 Kudos

If you want to mitigate the complete risk I understand that we need to put Riskid* in the riskid field, or we can mention a complete ruleid for mitigating a particular rule, but my original question was not regarding this. Let me give more details:

Risk F008* is mitigated for role R1003GBAR by assigning mitigating control FI99 to the role.

Now I've created a test user RARTEST1 and assigned role R1003GBAR in backend R3 system and ran the user sync and user analysis background job for this test user.

From informer tab I did user level risk analysis for user RARTEST1 and it shows the risk F008.

So I was under the impression that if we mitigate a role and assign the role to a user, the risk will still appear in user level risk analysis though it doesn't appear in role level risk analysis.

I tried what Sabita suggested and it works. Thanks everyone.
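The thread settles on two separate points: the "Include Role/Profile Mitigating Controls in User Analysis" option decides whether a role-level control is considered in user analysis at all (with a user-level control ID taking precedence when one exists), and the value in the "Risk ID" field is matched against rule IDs, so F008 alone does not cover rule F00801 while F008* does. The following is an added model of that resolution logic written for this edit; it is not SAP's RAR code and not code posted by anyone in the thread. It uses the names from PARTHASARATHY's scenario (user RARTEST1, role R1003GBAR, control FI99, risk F008) with constructed rule IDs and validity dates. Two things it assumes that the page does not state: rule IDs are the four-character risk ID plus a two-digit suffix, and a role-level control covers a rule only when that rule is triggered entirely inside the role it is assigned to, which is the case Simon's "triggered from outside of this role" check is looking for.

```python
"""Model of how RAR 5.3 picks the mitigating control shown in user-level risk analysis.

Added example, not SAP code. It reproduces the behaviour the thread describes:
  * a user-level control always applies; role/profile controls apply only when the
    "Include Role/Profile Mitigating Controls in User Analysis" option is YES,
    and the user-level control ID is displayed when more than one exists;
  * a control whose validity period has lapsed is ignored;
  * the "Risk ID" field is matched against rule IDs, so "F008" never matches
    rule "F00801", "F008*" matches every rule of the risk, and a full rule ID
    covers that single rule.
Assumptions (not on the page): rule ID = 4-char risk ID + 2-digit suffix, and a
role-level control covers a rule only if the rule is triggered inside that role.
"""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase

LEVEL_ORDER = {"user": 0, "role": 1, "profile": 2}  # display precedence


@dataclass(frozen=True)
class Control:
    control_id: str     # mitigating control ID, e.g. "FI99"
    risk_pattern: str   # value typed into the "Risk ID" field, e.g. "F008*" or "F00801"
    level: str          # "user", "role" or "profile"
    owner: str          # user ID, role name or profile name the control is assigned to
    valid_from: date
    valid_to: date

    def covers(self, rule_id: str, on: date) -> bool:
        """True when the assignment is valid on `on` and the pattern matches the rule."""
        return self.valid_from <= on <= self.valid_to and fnmatchcase(rule_id, self.risk_pattern)


@dataclass(frozen=True)
class Violation:
    rule_id: str        # e.g. "F00801"
    sources: frozenset  # roles/profiles whose access together trigger the rule


def control_for(v, user, controls, include_role_profile, on):
    """Control ID RAR would display for one triggered rule, or None if unmitigated."""
    hits = []
    for c in controls:
        if not c.covers(v.rule_id, on):
            continue
        if c.level == "user":
            if c.owner == user:
                hits.append(c)
        elif include_role_profile and v.sources <= {c.owner}:  # assumption, see docstring
            hits.append(c)
    if not hits:
        return None
    return min(hits, key=lambda c: LEVEL_ORDER[c.level]).control_id


def user_analysis(user, violations, controls, include_role_profile, on):
    """Map rule ID -> displayed control ID (or None) for every rule the user triggers."""
    return {v.rule_id: control_for(v, user, controls, include_role_profile, on) for v in violations}


def open_risks(report):
    """Risk IDs still reported because at least one of their rules is unmitigated."""
    return sorted({rule[:4] for rule, ctl in report.items() if ctl is None})


# Constructed scenario using the names from the thread.
TODAY = date(2009, 12, 3)
ROLE_CTL = Control("FI99", "F008*", "role", "R1003GBAR", date(2009, 1, 1), date(2010, 12, 31))
V_IN_ROLE = Violation("F00801", frozenset({"R1003GBAR"}))


def demo():
    """Walk through the cases raised in the thread; returns the outcome of each."""
    out = {}
    # 1. the original symptom: option is NO, so the role-level FI99 is never considered
    out["option_no"] = open_risks(user_analysis("RARTEST1", [V_IN_ROLE], [ROLE_CTL], False, TODAY))
    # 2. Sabita's fix: option YES, FI99 is picked up from the role
    out["option_yes"] = open_risks(user_analysis("RARTEST1", [V_IN_ROLE], [ROLE_CTL], True, TODAY))
    # 3. Mesly's point: "F008" without the wildcard does not match rule "F00801"
    no_star = Control("FI99", "F008", "role", "R1003GBAR", ROLE_CTL.valid_from, ROLE_CTL.valid_to)
    out["no_wildcard"] = open_risks(user_analysis("RARTEST1", [V_IN_ROLE], [no_star], True, TODAY))
    # 4. Simon's first check: a rule triggered together with another role is not covered
    cross = Violation("F00802", frozenset({"R1003GBAR", "R_OTHER"}))
    out["outside_role"] = open_risks(user_analysis("RARTEST1", [V_IN_ROLE, cross], [ROLE_CTL], True, TODAY))
    # 5. Simon's second check: the role assignment has expired
    out["expired"] = open_risks(user_analysis("RARTEST1", [V_IN_ROLE], [ROLE_CTL], True, date(2011, 6, 1)))
    # 6. a user-level control exists as well: its ID is displayed, not the role's
    user_ctl = Control("FI98", "F008*", "user", "RARTEST1", ROLE_CTL.valid_from, ROLE_CTL.valid_to)
    out["user_wins"] = user_analysis("RARTEST1", [V_IN_ROLE], [ROLE_CTL, user_ctl], True, TODAY)["F00801"]
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>13}: {result}")
```

Case 4 is worth running against a real system before relying on it: whether RAR honours a role-level control for a rule that needs access from two roles is the assumption flagged above, and the simplest way to settle it is the role-level analysis Alpesh suggests, run with mitigated objects excluded.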