
Mitigating control - download and upload feature

Former Member
0 Kudos

Hello !

I am trying to abuse the mitigating control feature in order to reduce the hits, as access control lacks the feature that it is ok and confirmed that a user has certain critical transactions in his role.

Anyway, as the definition on the web frontend is quite time-consuming, I tried it with the download and upload feature. It also works fine, unless it comes to table VIRSA_CC_MITROLE which includes DATE values.

At that point the file looks like the following:

M VIRSA_CC_MITROLE MITREFNO RISKID ROLEID VALIDFROM VALIDTO MONITORID STATUS

D VIRSA_CC_MITROLE FI_01 F100 ABCDE 15.03.2011 14.03.2012 XYZ 0

This results in the following error:

SQL:=>Insert into VIRSA_CC_MITROLE(MITREFNO,RISKID,ROLEID,VALIDFROM,VALIDTO,MONITORID,STATUS ) Values(?,?,?,?,?,?,?)

Aufzeichnen::Line Number :37 : D VIRSA_CC_MITROLE FI_01 F100 ABCDE 15.03.2011

The last line stops at the FIRST date value.

I also tried to execute the following statement in the CCDebugger, but it didn't work:

Insert into VIRSA_CC_MITROLE(MITREFNO,RISKID,ROLEID,VALIDFROM,VALIDTO,MONITORID,STATUS ) Values('FI_01','F100','ABCDE','20110315','20120314','XYZ',0);

I also tried without ' regarding the date values and with 20110315 and 2011-03-15 but it didn't help:

contains the semantics error[s]: - type check error: new value (element number 4 (CHAR)) is not assignable to column >>VALIDFROM<< (DATE) - type check error: new value (element number 5 (CHAR)) is not assignable to column >>VALIDTO<< (DATE)

Does anyone have a solution for this issue?

Kind regards,

Max

Accepted Solutions (1)


koehntopp
Product and Topic Expert
0 Kudos

Hi Maximilian,

the problem is quite obvious - the error message (in this case) tells you exactly where it is: the date format is wrong.

In the files that I have been using successfully the date is in US format, i.e. 2011-03-15, no delimiters. Try that with the text file again.

You can also do an export first for a manually created mitigation to see the correct format.

Frank.
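An added example, not part of the thread and not SAP code: a pre-upload check that reads the M/D layout shown in the question and rewrites VALIDFROM and VALIDTO into one target format, reporting anything it cannot parse. Whitespace-separated fields, the function names and the default target format (taken from the `2011-03-15` literal in the answer above) are assumptions; compare against an export of a manually created mitigation before uploading.

```python
from datetime import datetime

# Constructed sample in the layout from the question: an "M" row names the
# table and its columns, "D" rows carry the data (whitespace-separated: assumed).
SAMPLE = """\
M VIRSA_CC_MITROLE MITREFNO RISKID ROLEID VALIDFROM VALIDTO MONITORID STATUS
D VIRSA_CC_MITROLE FI_01 F100 ABCDE 15.03.2011 14.03.2012 XYZ 0
D VIRSA_CC_MITROLE FI_02 F101 ABCDE 2011-03-15 2012-03-14 XYZ 0
D VIRSA_CC_MITROLE FI_03 F102 ABCDE 31.02.2011 14.03.2012 XYZ 0
"""

DATE_COLUMNS = {"VALIDFROM", "VALIDTO"}


def convert_date(value, source_fmt, target_fmt):
    """Return value in target_fmt, or None if it parses in neither format."""
    for fmt in (target_fmt, source_fmt):
        try:
            return datetime.strptime(value, fmt).strftime(target_fmt)
        except ValueError:
            continue
    return None


def normalize_upload(text, source_fmt="%d.%m.%Y", target_fmt="%Y-%m-%d"):
    """Return (fixed_lines, problems); bad rows are reported, never guessed."""
    header, fixed, problems = {}, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "M":
            header[fields[1]] = fields[2:]          # remember column order
        elif len(fields) >= 2 and fields[0] == "D":
            cols, values = header.get(fields[1]), fields[2:]
            if cols is None or len(cols) != len(values):
                problems.append((lineno, "row does not match an M header"))
            else:
                for i, col in enumerate(cols):
                    if col not in DATE_COLUMNS:
                        continue
                    new = convert_date(values[i], source_fmt, target_fmt)
                    if new is None:
                        problems.append((lineno, f"{col}: unparseable date {values[i]!r}"))
                    else:
                        values[i] = new
                line = " ".join(fields[:2] + values)
        fixed.append(line)
    return fixed, problems
```

Upload the file only when `problems` is empty; a row with an impossible date such as 31.02.2011 is left unchanged and listed with its line number.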

Answers (2)


Former Member
0 Kudos

Hi Frank,

yes you were right. I found it out by myself and I forgot to close the question. However, Excel is crap and it seems virsa didn't know what localization function in Java is ... I don't care about US date format, I am in Europe

Kind regards,

Max

Former Member
0 Kudos

Hi Max

CCDebugger is a read-only tool, hence insert commands will not work.

If you would want to get rid of your problem at the root, move your critical transactions from your default rule set into a separate one. You can deal with mitigation of critical transactions separately in RAR.

Regards,

Vit

Former Member
0 Kudos

Hi Vit,

thanks for your reply! Either I didn't get your point or it is not a solution for my problem. Let's say there is a SAP CC role which is assigned to every developer and customizing expert. If the SAP CC consists of 20 people you get tons of false positives in RAR. Moving the risks into a separate ruleset doesn't help, as I still need to identify users which are actual risks.

My thought was to define a compensating control for the SAP CC role and exclude it from the hit list. IF this would work, it would be very cool !

Kind regards,

Max

Former Member
0 Kudos

Actually I am doing the same thing SAP suggests in note 1527113.

Former Member
0 Kudos

Hi Max,

I guess I didn't understand your question. Sorry about that.

You can indeed mitigate at role level. But then the risk will pop up on user level. One solution would be to exclude all CC members when you define a batch risk analysis with the "exclude object" button at the bottom.

Or you can create separate CC roles which you can exclude the same way.

Because customization and development are not done on production systems, our general recommendation is that the CC members should only have read-only authorizations in the production systems. Only on request from business (valid helpdesk ticket) can they perform live actions in PRD (with a firefighter account).

regards,

Vit

Former Member
0 Kudos

Vit,

actually you are totally right, but reality is different - no need to say I am an IT Auditor )

Thanks for your answer.

However, this doesn't solve my upload problem.

Kind regards,

max