on 12-02-2009 12:47 PM
If we mitigate a role and assign the role to a user, the risk will still appear in user level risk analysis, then what is the use of assigning a mitigating control to the role?
If this is the case then I'll consider assigning mitigating controls only to users.
I generally work on the principle that you remediate roles and mitigate users. However, there are times when you may find that there is a mitigation which is automatically assigned to all users who would ever have that role.
If the user is still shown with conflicts despite the role being mitigated, I would check the user's access to see whether the risk is triggered from outside of this role in the first instance.
I would then check the configuration of the mitigation control and the validity period of the assignment to the role as it maybe that it's not covering the entire risk or may have expired.
Regards, Simon
Hi,
If you want to exclude the mitigated risks via role while doing user analysis, check this configuration-
RAR-Risk analysis-Additional Options-
Include Role/Profile Mitigating Controls in User Analysis - YES
Explanation of configuration-
"To include role-based or profile-based mitigating controls in user-based risk analysis reports, set this value to Yes.
The risk analysis includes user-level mitigation control IDs (if any exist). If not, the report will display either the role-based or profile-based mitigating control ID, in that order."
If you are using SP7 there is a need to include the * symbol after the risk id for the mitigation to take effect.
This was solved by SP8, but appears again in SP9.
The field name is RISK ID, but SAP GRC RAR considers it as RULE.
Edited by: Mesly Fernandes on Dec 3, 2009 4:48 PM
Simon,
There is an OSS note that was closed by SP8 and solved this issue with the * after the risk. That's why I'm sure that it was a recognized bug by SAP.
If what is planned is to mitigate risk F001 for example, in SP7 and now again in SP9 you will need to declare F001*.
I must emphasize that the field is clearly stating that it is the Risk ID and not the Rule ID, so it should be enough to declare the four digits that are the limit for risk IDs. If there were a Rule ID field this mistake could be avoided. I'm aware that risk IDs are not kept by themselves in the RAR tables, but only rule IDs, but the core could filter only the four initial digits of it.
The original post claims for a full risk mitigation, right PARTHASARATHY?
If you want to mitigate the complete risk I understand that we need to put Riskid* in the riskid field, or we can mention a complete ruleid for mitigating a particular rule, but my original question was not regarding this. Let me give more details:
Risk F008* is mitigated for role R1003GBAR by assigning mitigating control FI99 to the role.
Now I've created a test user RARTEST1 and assigned role R1003GBAR in backend R3 system and ran the user sync and user analysis background job for this test user.
From informer tab I did user level risk analysis for user RARTEST1 and it shows the risk F008.
So I was under the impression that if we mitigate a role and assign the role to a user, the risk will still appear in user level risk analysis though it doesn't appear in role level risk analysis.
I tried what Sabita suggested and it works. Thanks everyone.