
GRC AC RAR: Comprehension question Mitigating Controls

Former Member
0 Kudos

Hello all,

I have a small comprehension question regarding Mitigating Controls.

Situation:

We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).

What has been done:

1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create

2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create

3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create

4. Within the Mitigation Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"

What I want to achieve:

- Roles should not show up in the analysis anymore -> I've checked that and it works as expected

- I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).

Can I achieve that by using tab "Reports" within the Mitigating Control?

If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4", this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks?

Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks?

Regards,

Benjamin

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hi Jwalant,

sorry for my late reply, but I have waited for a few weeks to be sure whether the way you described works or not.

- The background job gets executed once a week and finishes without any error.

- The only thing that doesn't work is that the userID that I maintained in column "monitor" and for which I defined a mitigation control which has to be executed every 2 weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.

Log of background job execution:

INFO: -


Scheduling Job =>16----


Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run

INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus

INFO: Job ID: 16 Status: Running

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory

FINEST: --- @@@@@@@@@@@ Updating the Job History -


1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert

INFO: -


Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen

INFO: @@@ Alert Generation Started @@@

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen

INFO: @@@ Conflict Risk Input has 1 records @@@

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen

INFO: @@@ Critical Risk Input has 1 records @@@

Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen

INFO: @@@ Mitigation Monitor Control Input has 1 records @@@

Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate

INFO: @@@@@ Backend Access Interface execution has been started @@@@@

Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError

SEVERE: null

java.lang.NullPointerException

at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)

at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)

at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)

at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)

at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)

at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)

at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)

at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)

at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)

at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)

at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)

....

here it keeps ranting on for pages about Null Pointer Exceptions

I'll just leave that part out

...

Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate

INFO: -


No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -


Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate

INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===

Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute

INFO: Start AlertStats.............

Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen

INFO: @@@=== Alert Generation Completed Successfully!===@@@

Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus

INFO: Job ID: 16 Status: Complete

Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory

FINEST: --- @@@@@@@@@@@ Updating the Job History -


0@@Msg is Job Completed successfully

Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert

INFO: -


Background Job History: job id=16, status=0, message=Job Completed successfully

Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob

INFO: -


Complted Job =>16----


- Another thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".

It always adds entries like:

...

581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5

582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5

...

Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries? I have never configured anything like that in the system.

Or is this an indicator that the authorization roles I mitigated have been used again?

Regards,

Benjamin
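
The job log in the post above records a SEVERE NullPointerException during alert generation and still closes with "Job Completed successfully". As an added example (not part of the original post and not SAP code), the following Python parses the two-line log layout shown there and lists jobs that report Complete although SEVERE records were logged during the run; the sample reuses lines from the post plus a constructed clean job 17, and the function names are hypothetical.

```python
import re

# Lines taken from the log in the post, plus a constructed clean job 17 for contrast.
SAMPLE_LOG = """\
Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
SEVERE: null
java.lang.NullPointerException
at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 16 Status: Complete
Mar 28, 2011 4:00:30 AM com.virsa.cc.xsys.bg.BgJob run
INFO: --- Starting Job ID:17 (GENERATE_ALERT) - CONSTRUCTED_CLEAN_JOB
Mar 28, 2011 4:00:31 AM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 17 Status: Complete
"""

HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M \S+ \S+$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ?(.*)$")
JOB = re.compile(r"Job ID:\s*(\d+)(?: Status: (\w+))?")
FRAME = re.compile(r"^at ([\w.$]+)\(")

def audit_jobs(log_text):
    """Map job id -> {"status": ..., "severe": [[exception, [frames]], ...]}."""
    jobs, current, err = {}, None, None
    # Blank lines are dropped: the forum rendering put one between every record.
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if HEADER.match(line):
            err = None  # a new record ends any stack trace being collected
        elif (m := LEVEL.match(line)):
            job = JOB.search(m.group(2))
            if job:
                current = job.group(1)
                entry = jobs.setdefault(current, {"status": None, "severe": []})
                entry["status"] = job.group(2) or entry["status"]
            if m.group(1) == "SEVERE" and current:
                err = [m.group(2), []]
                jobs[current]["severe"].append(err)
        elif err is not None and (frame := FRAME.match(line)):
            err[1].append(frame.group(1))
        elif err is not None and not err[1]:
            err[0] = line  # exception class printed after "SEVERE: null"
    return jobs

def silent_failures(log_text):
    """Jobs that report Complete although SEVERE records were logged meanwhile."""
    return {jid: j["severe"] for jid, j in audit_jobs(log_text).items()
            if j["status"] == "Complete" and j["severe"]}
```
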

Former Member
0 Kudos

Hi Jwalant,

thanks for the quick and detailed answer!

I have done as you suggested.

I'll have to wait until next week to see if the eMail is sent to the employee by the system.

I will get back here when I have verified that everything works as expected.

Regards,

Benjamin

0 Kudos

Hi Benjamin,

Please let me know, whether the solution has resolved your query.

regards,

Jwalant

0 Kudos

Hi Benjamin,

You can use 'Report' part of Mitigation control as narrated by you. However to generate alert you have to do below activities in configuration:

In background job tab under configuration, there is Alert Generation tab. On Alert generation screen click on Generate Action log and select appropriate system.

Next tick the check box for control monitoring and mention 'Mitigating control id'

Next under Alert Notification, select control monitoring and click on schedule. In next screen you can select 'Schedule Periodically' under Period Selection in which you can mention the periodicity for background job you require e.g. 4 weeks. This will trigger mail notification to Monitor.

Hope this will resolve your issue

regards,

Jwalant