NO RISK

Former Member
0 Kudos

I am creating a Risk and trying to do risk analysis (RA) at Role (or User) level. I have created 2 functions with 1 tcode each. On the backend I have created 3 roles, where 2 of the roles contain 1 (different) tcode each, and the 3rd role contains both tcodes.

On doing RA, only the 3rd role gives a risk (the desired result), but the other 2 roles (given together) do not give a risk.

I have done Role Sync from the backend in RAR. FYI, I get the Risk without Role Sync for the 3rd role.

Can anyone suggest why there is NO RISK for the 2 roles?

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi Plaban,

For the scenario given by you.

If you run a role level Risk Analysis then only role 3 will show the risk, as there is a conflict within the role for role 3 (as TC1 and TC2 (TC here stands for T-Code) are within the same role and you have defined your risk as the presence of both T-Codes simultaneously).

When you run role level risk analysis for role 1 and role 2 there is no risk in the role, as role 1 has TC1 and role 2 has TC2; hence within the role there is no risk as per the risk defined by you.

When you assign role 1 and role 2 to the same user and run a user level risk analysis, then a risk will appear for the user. However, if you run role level analysis for the same it still doesn't show the risk, as only one Tcode is present in each role and hence within the role there is no conflict.

Regards,

Ankit

Former Member
0 Kudos

@Sabita: Could you provide the reason why Role level analysis for SOD will not give a risk?

I tried at user level (at permission level) for SOD, but still there is no risk.

@Ankit: I am comparing 2 roles, which will be assigned to 1 user in Production. So, it should give a risk. This Role Analysis does NOT ONLY calculate risk within 1 Role, but within different roles. A Role in a Production system will ideally not contain conflicting (risk-producing) tcodes within itself. Normally, the objective of RAR is to find out conflicting roles assigned to 1 user.

So, I am still wondering why there is no RISK.

Former Member
0 Kudos

Hi Plaban,

There is no option for cross-role analysis. SOD consists of two conflicting tcodes, which you are not giving in one role. That is why it will not come in roles which have only one of them.

Why it is not coming in User Analysis is a question of how the risk is defined and how risk analysis is performed. If it is at only tcode level, it must show the risk.

1. If the User is mitigated, locked or expired and the setting is on to exclude them, then it will not show.

2. If Object level control is there and conditions are not fulfilled, it will not show.

3. Most important, if user sync is not done, then also it may skip showing the risk.

Above are the reasons for not showing a risk in User Analysis where two roles containing SOD tcodes are assigned.

Can you check the permission rules in rule architect and paste the output?

Regards,

Sabita

Former Member
0 Kudos

Hi Plaban,

There are two different types of risk analysis, they are:

1. Role Level

2. User Level

Role Level Risk Analysis:

The risk analysis run under this will give you risk within the role only.

User Level Risk Analysis:

When you run risk analysis under this, then you will have all the risks that a user has (be it due to conflicting tcodes within a single role or due to conflicting tcodes present in different roles).

If you are running a user level risk analysis and are still not able to get the conflict, this may be due to several reasons (Sabita has already given these reasons; please refer to her post for the same).

Regards,

Ankit
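
The difference between role-level and user-level analysis described in the answers above, as an added example that is not part of the original posts and is not SAP GRC code. It is a simplified Python model that assumes a risk is raised when one set of tcodes covers every function in the risk; TC1 and TC2 are the thread's placeholders, and the role, function, risk and user names are hypothetical.

```python
# Constructed sample data modelled on the thread: TC1/TC2 are the thread's
# placeholder tcodes; role, function, risk and user names are hypothetical.
FUNCTIONS = {"F001": {"TC1"}, "F002": {"TC2"}}   # function -> tcodes
RISKS = {"R001": {"F001", "F002"}}               # SoD risk -> conflicting functions
ROLES = {"ROLE1": {"TC1"}, "ROLE2": {"TC2"}, "ROLE3": {"TC1", "TC2"}}
USERS = {
    "USER_A": {"roles": {"ROLE1", "ROLE2"}, "locked": False},
    "USER_B": {"roles": {"ROLE1"}, "locked": False},
    "USER_C": {"roles": {"ROLE1", "ROLE2"}, "locked": True},
}


def risks_for_tcodes(tcodes):
    """Return the risks whose every function is reachable with these tcodes."""
    held = {f for f, tcs in FUNCTIONS.items() if tcs & tcodes}
    return sorted(r for r, funcs in RISKS.items() if funcs <= held)


def role_level_analysis(role_names):
    """Evaluate each role in isolation; tcodes are never combined across roles."""
    return {name: risks_for_tcodes(ROLES[name]) for name in role_names}


def user_level_analysis(user_names, exclude_locked=True):
    """Evaluate the union of tcodes from all roles assigned to each user."""
    report = {}
    for name in user_names:
        user = USERS[name]
        if exclude_locked and user["locked"]:
            continue  # excluded users produce no result at all
        tcodes = set().union(*(ROLES[r] for r in user["roles"]))
        report[name] = risks_for_tcodes(tcodes)
    return report


if __name__ == "__main__":
    print(role_level_analysis(["ROLE1", "ROLE2", "ROLE3"]))
    print(user_level_analysis(USERS))
    print(user_level_analysis(USERS, exclude_locked=False))
```

Selecting ROLE1 and ROLE2 together in the role-level run still evaluates each one separately, which is why only ROLE3 reports the risk there.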

Former Member
0 Kudos

Hi Plaban,

If the risk is defined SOD, it will not show in role analysis.

If doing User level who is given both roles, it should show risk in below scenarios-

1. SOD is not defined at Object Level

2. If SOD is defined at Object level, the roles are fulfilling all criteria for tcode and Object Values.

Regards,

Sabita

Former Member
0 Kudos

Hi Plaban,

Is there any kind of authorization object?

Cheers

Former Member
0 Kudos

There is no Auth. object involved. Could you clarify your question?

Former Member
0 Kudos

Yeah,

I mean if there's some Authorization Object (OA) declared in GRC RAR, roles need to have these OA's too and so the risk will appear.

Cheers.