Need help creating RAR reports at permission (object) level.

Former Member

Hi All! I'm very new to this forum and was wondering if I could get some ideas on how to go about creating permission level reporting in RAR. We are running action level reporting now and need to look into permission level reporting. I.e.: if we find no violations at the action level, how confident can we be that we may or may not have issues at the permission level? I guess my first step is to create some rules/functions, but I'm not really clear on how to start. Also, we have not started user mitigation, as I think it would be important to drill down to permission level first and try and clear up any issues there. We have already cleaned all of our SAP roles that had high risk violations (we are only concentrating on high risks, and only for risks that don't have any manual mitigation tied to them). So we could still have roles that have high risk violations, but if the risks associated with them are mitigated, then we are not concerning ourselves with those... just the risks tied to roles that are not mitigated. Unfortunately, we have to run a manual and tedious offline report analysis to get this data because there doesn't appear to be anything within RAR. Thanks in advance!

Accepted Solutions (0)

Answers (1)

Former Member

Hi Anne,

You need to configure the permission (object) level to avoid false positives. At action level you might get a lot of conflicts that are false positives and not real conflicts.

E.g.: A role/user has X & Y t-codes which are conflicting in nature. But for t-code X the role has only Display access, and for Y create/change access. In this case the role should not throw a conflict, as X is restricted to Display access only.

When you run reports at action level you will find X & Y as an SOD conflict, whereas when you run the same report at permission level there will be no conflict. These kinds of false positives will be wiped out through permission level configuration.

For this you need to enable the permission objects for X - eg., S_TABU_DIS - ACTVT - 01 & 02 as conflicting in nature. Similarly for Y define permission for ACTVT - 01,02 & 06 etc.

In a role if X is given only 03 - Display access then there will be no conflicts

If you are using Standard SOD rule set it is better to use the permission levels provided as per the standard initially and then customize your rule set as per your business requirement.

If you are using a customized rule set, then you need to identify the authorization objects of each t-code and enable those objects which are risky in nature, which leads to ongoing maintenance.

Can you please elaborate on what exactly you are referring to with "manual mitigation" that RAR is not able to support?

Thanks and Best Regards,

Srihari.K
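The action-level versus permission-level distinction in the answer above, as an added toy model (not RAR's own code). The functions, risk ID, role names, t-codes X and Y, and the object name Z_OBJ_Y are constructed placeholders that mirror the answer's scenario; S_TABU_DIS and its ACTVT field are the real SAP authorization object and field the answer names. The model assumes, as RAR does, that object/field values are matched at role level rather than tied to a specific t-code, so the role with X restricted to ACTVT 03 (display) is flagged at action level only.

```python
"""Toy model of RAR-style SoD risk analysis at action vs. permission level.

Added example, not RAR's own code. Functions, risk, roles, t-codes (X, Y)
and the object Z_OBJ_Y are constructed placeholders; S_TABU_DIS / ACTVT are
the real SAP object and field named in the answer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """Permission-level condition: object, field and the activity values
    that make the action risky (01 create, 02 change, 06 delete)."""
    obj: str
    fld: str
    values: frozenset


@dataclass
class Function:
    """A RAR function: t-codes mapped to the permission conditions that must
    all be present for the action to count at permission level."""
    name: str
    actions: dict  # tcode -> set[Permission]


@dataclass
class Risk:
    """Two-function SoD risk: a role holding both functions is in conflict."""
    risk_id: str
    func_a: Function
    func_b: Function


@dataclass
class Role:
    """Role authorization data: t-codes and the values granted per
    (object, field). Values are held at role level, not tied to a t-code."""
    name: str
    tcodes: set
    auths: dict  # (obj, fld) -> set of values


def hit_action(func, role):
    """Action level: any of the function's t-codes is in the role."""
    return bool(set(func.actions) & role.tcodes)


def hit_permission(func, role):
    """Permission level: a t-code is in the role AND every permission
    condition on it is met by at least one granted value."""
    for tcode, perms in func.actions.items():
        if tcode in role.tcodes and all(
            role.auths.get((p.obj, p.fld), set()) & p.values for p in perms
        ):
            return True
    return False


def analyze(role, risks, level):
    """Return sorted risk IDs the role violates at 'action' or 'permission' level."""
    hit = {"action": hit_action, "permission": hit_permission}[level]
    return sorted(r.risk_id for r in risks
                  if hit(r.func_a, role) and hit(r.func_b, role))


def false_positives(role, risks):
    """Risks flagged at action level that disappear at permission level."""
    return sorted(set(analyze(role, risks, "action"))
                  - set(analyze(role, risks, "permission")))


# Constructed rule set: X is risky only with create/change on S_TABU_DIS,
# Y only with create/change/delete on the placeholder object Z_OBJ_Y.
FUNC_X = Function("FX", {"X": {Permission("S_TABU_DIS", "ACTVT", frozenset({"01", "02"}))}})
FUNC_Y = Function("FY", {"Y": {Permission("Z_OBJ_Y", "ACTVT", frozenset({"01", "02", "06"}))}})
RISKS = [Risk("H001", FUNC_X, FUNC_Y)]

# Constructed roles: both carry X and Y, but only ROLE_CHANGE has change
# access behind X, so only it is a real conflict.
ROLE_DISPLAY = Role("Z_X_DISPLAY_Y_CHANGE", {"X", "Y"},
                    {("S_TABU_DIS", "ACTVT"): {"03"},
                     ("Z_OBJ_Y", "ACTVT"): {"01", "02"}})
ROLE_CHANGE = Role("Z_X_CHANGE_Y_CHANGE", {"X", "Y"},
                   {("S_TABU_DIS", "ACTVT"): {"01", "02", "03"},
                    ("Z_OBJ_Y", "ACTVT"): {"01", "02"}})


if __name__ == "__main__":
    for role in (ROLE_DISPLAY, ROLE_CHANGE):
        print(role.name, "action:", analyze(role, RISKS, "action"),
              "permission:", analyze(role, RISKS, "permission"),
              "false positives:", false_positives(role, RISKS))
```

Running it shows the display-only role flagged at action level but clean at permission level (the false positive the answer describes), while the role that actually has ACTVT 01/02 behind X is flagged at both levels. The same structure extends to real rule sets: each function's t-code carries the object/field/value conditions, and a risk needs all of its functions hit at the chosen level.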