on 07-26-2011 9:50 AM
Hi all,
I have three questions about WebServices regarding SAP GRC v10.0:
1. Is it possible with v10 to check permissions via WebServices (SAPGRC_AC_IDM_*) only with the RAR component? In v5.3 it was only possible if CUP was installed too.
2. Does the WebService SAPGRC_AC_IDM_RISKANALYSIS in v10 contain an analysis of critical permissions? In v5.3 only SoDs and critical actions were checked.
3. What is the task of the parameter includeCrossSystemsAnalysis of the WebService VirsaCCRiskAnalysisService in v10? In v5.3 the value of this WebService has no impact on the SoD check. It SHOULD be:
includeCrossSystemsAnalysis == true ==> cross system SoD check
includeCrossSystemsAnalysis == false ==> single system SoD check
But it doesn't matter what the value of the parameter is. There is always a cross system check. Has this changed in v10.0?
Regards
Peter
Hi Peter,
AFAIK the web services have not yet been published.
If you had the web service return violations without the requirement for CUP, what would you do with that information?
I hear that question a lot; I would really like to understand the ideas behind it.
To one of your other questions: cross system check is only possible for dedicated cross system risks. If there are no such risks defined, this will not yield any results no matter what the value of the parameter is.
Thanks,
Frank.
Frank, thank you for the response.
@CUP
Our customer won't implement CUP because it has another system for privilege approval etc.
@Cross system check
I am not sure if you understand: We configured cross system risks which we also discovered in our analysis. But we discover the cross system risks every time, regardless of which value is assigned to includeCrossSystemsAnalysis.
Peter,
the cross system issue sounds like a bug - I suggest you open a ticket with SAP.
I understand that people may not want to implement CUP, but what else do they do with what the web service returns?
- how do you display the result (which may be large), including the information necessary for remediation/mitigation?
- how do you discover alternatives (simulation)?
- how do you hand over to remediation/mitigation?
Frank.