on 08-18-2011 8:46 PM
Hello,
My company has been looking to update our global rule-set to one more aligned with SOX. We have 2 environments: one for production (PRD) and one for development (DEV); and 2 rule-sets: global and SOX. Before changes are made to PRD, they are made in DEV in order to see the variance of the user level risk analysis at the permission level once the changes are made.
Now, we use the Global rule-set as our active rule-set for reporting purposes, and our SOX rule-set is currently undergoing a fine-tuning to understand why our PRD and DEV reports are not the same.
The issue we are having is that our PRD reports from the SOX rule-set do not match our DEV reports from the SOX rule-set. The difference comes from only 1 user - sapserviceNPP SAP*.
In the DEV report, this user's roles all look like:
&_SAP_ALL_14 : &_SAP_ALL_14
or
&_SAP_ALL_5 : &_SAP_ALL_5
this type of syntax.
In the PRD report, this user has the same roles:
&_SAP_ALL_14 : &_SAP_ALL_14
but also "generated partial profiles" such as:
&_SAP_ALL_14 : Generated partial profile for SAP_ALL
My question is, why would the PRD report contain "generated partial profiles" when the DEV report does not?
The only roles in DDIC are SAP_ALL, but they have different numbers;
&_SAP_ALL_5 : &_SAP_ALL_5
&_SAP_ALL_14 : &_SAP_ALL_14
&_SAP_ALL_4 : &_SAP_ALL_4
etc.
Will regenerating it from SU21 get rid of the Generated Partial Profiles?
Thanks!
Rob
Hi,
Where do you see these? Under the Roles tab or the Profiles tab?
If you see this under the Roles tab, you may have to go to the individual role and generate the profile again. I infer these are assigned from a role, and it is not a direct SAP_ALL profile assignment.
If the SAP_ALL profile is directly assigned (under the Profiles tab), yes, re-generating the profile should solve the issue.
Regards,
Raghu
Hi Rob,
I've just checked in the system. The partial profiles are related to the below profiles:
&_SAP_ALL_5 : &_SAP_ALL_5
&_SAP_ALL_14 : &_SAP_ALL_14
&_SAP_ALL_4 : &_SAP_ALL_4
etc.
You may assign SAP_ALL instead of these profiles which will resolve the issue. (You may look at the description of these profiles. They say partial profile for SAP_ALL)
Regards,
Raghu
I ran a new report - the Generated Partial Profiles are still occurring, but only within the DDIC user... not from sapserviceNPP SAP*
Does this change anything?
Thanks in advance!
Rob
Raghu,
The last sync for both DEV and PRD was on 8/16/2011 - The day after this sync was completed, the full report was run in both DEV and PRD (8/17/2011)
Both DEV and PRD syncs were:
Sync Mode: Full Sync
User Sync
Role Sync
Profile Sync
Batch Mode: Full Sync
Report Type: Permission Level Analysis
User Analysis
Role Analysis
Profile Analysis
Critical Action and Role/Profile Analysis
Management Reports
The only thing unchecked is "Action Level Analysis"
Any ideas?
Raghu,
Thank you for your response.
To clarify your points:
1 - We are evaluating 2 rulesets in one SAP GRC environment. Therefore, the two rulesets are looking at the exact same profile. What we don't understand is why one ruleset has "Generated Partial Profiles" and the other does not.
2 - We do run the reports as Dialog Only. sapserviceNPP SAP* should be run as a service, and not as dialog, however this still does not explain the difference we see in our report.
What would cause GRC ruleset 1 to have these "Generated Partial Profiles" (GPP) while GRC ruleset 2 does not? They evaluate the exact same profiles/users, the only difference is these GPP's showing up in the report from 1 ruleset and not in the other.
Thanks in advance,
Rob
Hi Rob,
2 points:
1. Did you check the &_SAP_ALL_14 role? It might have profile inconsistencies, since it contains composite profiles (more than one profile).
2. sapserviceNPP SAP* should not actually be in the list of conflicting users, since you assigned almost all authorizations. I infer it should be a service user ID. Do you run risk analysis for service type users too?
Regards,
Raghu