on 11-16-2010 6:17 PM
Hi,
We have configured the New and Change access request to go through a Role Owner Approval in CUP. As to enable the role owners aware of the reported risks with an access request when it lands in their Inbox, we have enabled the Risk Analysis config: 'Risk Analysis On Request Submission' to Yes. This setting makes the system to perform Risk Analysis using the RA webservice on ALL requests.
But we are not enforcing the Risk analysis and mitigation in all systems that are provisioned through GRC CUP. The property seems global and hence we are looking for a work around to bypass the RA on requests for some systems or rather a system specific setting.
Is there any tweak available with GRC 5.3 SP08 to achieve this?
As of now, we don't maintain the RAR rules for the systems where risk analysis is non-mandatory, but notice that the system is unnecessarily performing RA amounting to inefficient utilization of resources.
Any help would be greatly appreciated.
Thanks, Anil
Wouldn't creating seprate initiators based on the application type help you in this case. Just have different intiators for different system.
Thanks!
Chinmaya
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
The only way to proceed with risk analysis on submission is to have all systems created in RAR. This is a simple dummy connector that can be created via the File - Local connector type. Insert dummy values, but make sure the technical name matches the name in CUP.
This will allow you to receive accurate SOD results and no errors when using the "Risk Analysis on Submission" feature.
Hi Tyler,
This already there in place, and as you mentioned, it's just a dummy system in RAR. Else the system won't create a request itself. But what I'm trying to achieve is to avoid the unnecessary RA when I know i don't maintain any rules for some systems and hence the RA comes back with no violations for those systems.
Thx, Anil
I totally agree with Tyler and that is the only way to achive this. Having different initiators based on systems would not work as CUP can not route requests to parallel path based on system selection.
Create a connector in RAR and CUP both for all the systems and do not generate rules in RAR for the systems for which you don't want to run risk analysis.
Regards,
Alpesh
Anil,
There will be a few seconds extra for each system not included in risk analysis, but it should realize very quickly that there are no rules for that system (and that it can't even connect to pull authorizations if it is a dummy system).
Sorry there isn't a better answer, but it's the way it is built.
Tyler
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.