
Mitigation of Roles and Users does not affect each other - correct behaviour?

Former Member
0 Kudos

Hello,

I had a certain understanding of the Access Control system which obviously does not fit the actual behaviour of the system:

Let's say I have a role that has one single conflict with one risk.

So when I try to assign that role to a person (for instance using the CIM scenario in IdM via VDS to CUP/RAR), I have to mitigate that risk of the assignment. That's okay so far.

Now I mitigate the role itself in RAR. When I do a risk analysis in RAR afterwards, there are no more conflicts (since I mitigated the single one mentioned above).

But when I now assign that role again to a person, the one risk conflict still has to be mitigated on the assignment (and yes, it is exactly that assignment, double-checked, no other one).

Is this correct behaviour? I thought that after having mitigated the conflict(s) of the role itself, the mitigation of these risks for an assignment is not necessary any more? Or what is the role mitigation for?

Or: do I do something wrong in the system?

Thank you for your input in advance.

Best regards

Matthias

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

This is correct behaviour.

In RAR, if you mitigate a risk and you want it to be applied at user level as well, then you have to set one configuration parameter to YES.

Sorry, I forgot the parameter name (I'm no longer using GRC).

It will be something like 'User and Role mitigation...'.

Please check under Mitigation and Misc and let me know if you find any similar one.

Regards,

Surpreet

Former Member
0 Kudos

Hi,

Thank you for the fast answers. I have found the option "Include Role/Profile Mitigating Controls in User Analysis" in RAR, which sounded much like the switch you talked about, but it did not change anything (either way, set to "YES" or "NO"). The explanation for the option is:

Include Role/Profile Mitigating Controls in User Analysis

To include Role- or Profile-based Mitigating Controls in User-based Risk Analysis reports, set this value to Yes. The risk analysis will include User-level Mitigating Control IDs (if any exist); if not, the report will display either the Role-based or Profile-based Mitigating Control ID, in that order. The default value is No.

Is this the correct option? Or can someone name the correct one?

Thank you.

Former Member
0 Kudos

This is the correct option.

Please log off and log in again after setting this option to YES.

Then do the analysis only on the user which was earlier showing the conflict in RAR.

Kindly let me know the results.

Regards,

Surpreet

Former Member
0 Kudos

Hello Surpreet,

When I now make a risk check on a user that already has this role, there are no conflicts.

But in my scenario I make a risk check with CUP (using RAR) on a user who is about to get the role, and there I still have to make a mitigation?

Do I have to set something additionally in CUP?

Thank you so far.

Best regards

Matthias

Former Member
0 Kudos

Hello together,

The final step I did on my own, but the hint from Surpreet gave me the direction (so you got points!).

In CUP there is an option as well (Configuration > Risk Analysis > Consider Mitigation Controls) that has to be checked!

So the mitigation is considered and no additional mitigation is needed for the user.

Best regards

Matthias

Former Member
0 Kudos

Hi Matthias,

Which GRC version are you using? I didn't find the option you mentioned in GRC 10 (Configuration > Risk Analysis > Consider Mitigation Controls).

We have the same scenario at one of our clients: Business Roles with N single roles.

The client has the expectation that, once the Business Role is mitigated, there is no reason to mitigate the risk at user level when access to this Business Role is requested.

Thanks,

Felipe Barros

Former Member
0 Kudos

Hi Felipe,

Since this discussion is from 2010, we are talking about GRC 5.5, which is completely different from GRC 10.

Unfortunately I now work in another department and so have no connection to GRC any more, so I cannot help you, sorry.

Regards

Matthias

Answers (1)


Former Member
0 Kudos

Hi,

As per my knowledge, the mitigation that you carried out on a role (referred to as mitigation for an intra-role conflict) will not pop up in the risk analysis at the user level.

However, user-level mitigations are done when there are violations/conflicts (referred to as mitigation for extra conflicts) that exist because of the assignment of more than one role, i.e., the conflicts that occur from different roles.

If a role-level mitigation is implemented, all the users assigned to that role should be monitored, whereas with a user-level mitigation, only the specific users who are mitigated under the control will be monitored.

I am not sure if you can deploy the mitigations that are carried out at the role level to the users in parallel with a parameter.

Hope this helps!!

Regards,

Raghu
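To make the two points of this thread concrete (the RAR switch that lets role-level mitigating controls count in a user-level analysis, and Raghu's distinction between intra-role conflicts, which a role-level control can cover, and conflicts that only arise from combining several roles, which it cannot), here is a small added model of a segregation-of-duties risk analysis. This is illustrative code written for this page, not SAP GRC code: the data classes, function names and the `include_role_mitigations` flag are assumptions standing in for the RAR option "Include Role/Profile Mitigating Controls in User Analysis"; the risk IDs, role names and functions are constructed sample data.

```python
"""Toy SoD risk analysis: how role-level mitigating controls feed into a
user-level analysis. Added example, not SAP GRC code; all names below are
assumptions and the sample data is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: frozenset  # a principal holding ALL of these functions violates the risk


@dataclass
class Role:
    name: str
    functions: frozenset
    mitigated_risks: set = field(default_factory=set)  # role-level mitigating controls


@dataclass
class User:
    name: str
    roles: list
    mitigated_risks: set = field(default_factory=set)  # user-level mitigating controls


def role_violations(role, risks):
    """Intra-role conflicts: the single role alone contains every function of the risk."""
    return {r.risk_id for r in risks if r.functions <= role.functions}


def user_violations(user, risks):
    """All conflicts over the union of the user's roles (intra- and inter-role)."""
    held = frozenset().union(*(role.functions for role in user.roles))
    return {r.risk_id for r in risks if r.functions <= held}


def user_analysis(user, risks, include_role_mitigations):
    """Return the risk IDs that still need a user-level mitigation.

    Flag off: only the user's own mitigating controls count (the behaviour
    Matthias saw first). Flag on: a risk is also treated as mitigated when
    some single role of the user both contains the whole conflict and carries
    a control for it. A conflict that only exists because two roles are
    combined is not covered by either role's control (Raghu's point).
    """
    open_risks = user_violations(user, risks) - user.mitigated_risks
    if not include_role_mitigations:
        return open_risks
    covered = set()
    for role in user.roles:
        covered |= role_violations(role, risks) & role.mitigated_risks
    return open_risks - covered


# Constructed sample risk library (assumed IDs and function names)
RISKS = [
    Risk("P001", frozenset({"create_vendor", "pay_vendor"})),
    Risk("P002", frozenset({"post_journal", "approve_journal"})),
]


def scenario_role_mitigation(include_role_mitigations):
    """Matthias' case: one role with one intra-role conflict, mitigated at role level."""
    role_ap = Role("Z_AP_CLERK", frozenset({"create_vendor", "pay_vendor"}),
                   mitigated_risks={"P001"})
    user = User("MATTHIAS", [role_ap])
    return user_analysis(user, RISKS, include_role_mitigations)


def scenario_inter_role_conflict(include_role_mitigations):
    """Raghu's 'extra' conflict: P002 only arises from combining two clean roles,
    so a control attached to one of them does not cover it."""
    post = Role("Z_GL_POST", frozenset({"post_journal"}), mitigated_risks={"P002"})
    approve = Role("Z_GL_APPROVE", frozenset({"approve_journal"}))
    user = User("FELIPE", [post, approve])
    return user_analysis(user, RISKS, include_role_mitigations)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"flag={flag}: single mitigated role -> open {scenario_role_mitigation(flag)}, "
              f"inter-role conflict -> open {scenario_inter_role_conflict(flag)}")
```

With the flag off, the user analysis still reports P001 even though the role is mitigated; with the flag on, P001 is covered. P002 stays open in both settings, because no single role contains the whole conflict, which is why a business role made of N clean single roles can still require a user-level control.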