on 10-25-2010 10:01 AM
Hello,
I had a certain understanding of the Access Control system which obviously does not fit the actual behaviour of the system:
Let's say I have a role that has a single conflict with one risk.
So when I try to assign that role to a person (for instance using the CIM scenario in IdM via VDS to CUP/RAR) I have to mitigate that risk on the assignment. That's okay so far.
Now I mitigate the role itself in RAR. When I do a risk analysis in RAR (afterwards) there are no more conflicts (since I mitigated the single one mentioned above).
But when I now assign that role again to a person, the one risk conflict still has to be mitigated on the assignment (and: yes, it is exactly that assignment, double checked it, no other one).
Is this correct behaviour? I thought that after having mitigated the conflict(s) of the role itself, the mitigation of these risks for an assignment is not necessary any more? Or what is the role mitigation for?
Or: do I do something wrong in the system?
Thank you for your input in advance.
Best regards
Matthias
Hi,
this is correct behaviour.
In RAR, if you mitigate a risk and you want it to be applied at the user level also, then you have to set one configuration parameter to YES.
Sorry, I forgot the parameter name ... (no longer using GRC ...)
It will be something like 'User and Role mitigation ...'
Please check under Mitigation and Misc and let me know if you find any similar one.
regards,
Surpret
Hi,
thank you for the fast answers. I have found the option "Include Role/Profile Mitigating Controls in User Analysis" in RAR, which sounded much like the switch you talked about, but it did not change anything (either way: set to "YES" or "NO"). The explanation for the option was:
Include Role/Profile Mitigating Controls in User Analysis
To include Role or Profile-based Mitigating Controls in User-based Risk Analysis reports, set this value to Yes. The risk analysis will include User-level Mitigating Control IDs (if any exist); if not, the report will display either the Role-based or Profile-based Mitigating Control ID, in that order. The default value is No.
Is this the correct option? Or can someone name the correct one?
Thank you.
Hello Surpreet,
When I now run a risk check on a user who already has this role, there are no conflicts.
But in my scenario I run a risk check with CUP (using RAR) on a user who is about to get the role, and there I still have to do a mitigation?
Do I have to set something additionally in CUP?
Thank you so far.
Best regards
Matthias
Hello together,
the final step I did on my own, but the hint from Surpreet gave me the direction (so you got points!).
In CUP there is an option as well (Configuration > Risk Analysis > Consider Mitigation Controls) that has to be checked!
Then the mitigation is considered and no additional mitigation is required for the user as well.
Best regards
Matthias
Hi Matthias,
Which GRC version are you using? I didn't find the option you mentioned in GRC 10 (Configuration > Risk Analysis > Consider Mitigation Controls).
We have the same scenario at one of our clients: Business Roles with N single roles.
The client has the expectation that, once the Business Role is mitigated, there is no reason to mitigate the risk at user level when access to this Business Role is requested.
Thanks,
Felipe Barros
Hi,
As per my knowledge, the mitigation that you carried out on a role (referred to as mitigation for an intra conflict) will not pop up in the risk analysis at the user level.
However, user-level mitigations are done when there are violations/conflicts (referred to as mitigation for extra conflicts) that exist with the assignment of more than one role, i.e., the conflicts that occur across different roles.
If a role-level mitigation is implemented, all the users assigned to that role should be monitored, whereas with a user-level mitigation, only the specific users who are mitigated under the control will be monitored.
I am not sure if you can deploy the mitigations that are carried out at the role level to the users in parallel automatically with a parameter.
Hope this helps!!
Regards,
Raghu
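As an added illustration (constructed for this thread, not code from SAP GRC or from any poster), a small Python model of the behaviour discussed above: a role-level control removes a conflict that lies entirely inside the role once the user-level analysis is configured to include role controls, while a conflict that only arises from combining two roles still needs a user-level control. Role names, risk IDs, actions and the flag name are assumptions.

```python
# Toy model of RAR/CUP risk analysis (constructed example, not SAP code).
# A risk is a set of conflicting actions; a role grants a set of actions;
# mitigating controls can be assigned at role level or at user level.

# Constructed sample data: all names and IDs are hypothetical.
RISKS = {
    "R01": {"create_vendor", "pay_vendor"},      # both actions inside ROLE_A (intra-role)
    "R02": {"post_journal", "approve_journal"},  # only arises when ROLE_A + ROLE_B combine
}
ROLES = {
    "ROLE_A": {"create_vendor", "pay_vendor", "post_journal"},
    "ROLE_B": {"approve_journal"},
}
ROLE_CONTROLS = {("ROLE_A", "R01")}  # control assigned to the role in RAR
USER_CONTROLS = {("jdoe", "R02")}    # control assigned directly to a user


def violations(actions):
    """Risk IDs whose conflicting actions are all present in `actions`."""
    return {rid for rid, conflict in RISKS.items() if conflict <= actions}


def role_analysis(role):
    """Role-level analysis: risks inside the role, net of role-level controls."""
    return sorted(violations(ROLES[role]) - {r for ro, r in ROLE_CONTROLS if ro == role})


def user_analysis(user, roles, include_role_controls):
    """User-level analysis over the union of the assigned roles' actions.

    include_role_controls stands for the RAR option 'Include Role/Profile
    Mitigating Controls in User Analysis' (and CUP's 'Consider Mitigation
    Controls'): when False, a risk already mitigated on the role is still
    reported against the user, which is the symptom in the original question.
    """
    actions = set().union(*(ROLES[r] for r in roles))
    open_risks = violations(actions)
    open_risks -= {r for u, r in USER_CONTROLS if u == user}
    if include_role_controls:
        open_risks -= {r for ro, r in ROLE_CONTROLS if ro in roles}
    return sorted(open_risks)


if __name__ == "__main__":
    print(role_analysis("ROLE_A"))                               # []
    print(user_analysis("mmuster", ["ROLE_A"], False))           # ['R01']
    print(user_analysis("mmuster", ["ROLE_A"], True))            # []
    print(user_analysis("mmuster", ["ROLE_A", "ROLE_B"], True))  # ['R02']
    print(user_analysis("jdoe", ["ROLE_A", "ROLE_B"], True))     # []
```

The cross-role risk R02 survives the role-level control with both flags on, which is the intra/extra distinction made in the reply above.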