GRC Rule customization

Former Member

Hello Friends,

Could you please tell me whether there is a way to disable a particular 'function' in GRC RAR that has a conflicting 'Action' or 'Permission'?

It would be helpful, as I am working on a permanent solution for falsely mitigated rules, and the only alternative, 'rule redesigning', is hectic and time-consuming.

Accepted Solutions (1)

Former Member

Hi,

I tried to follow up on this thread, but I am still not sure I understood what you mean by "falsely mitigated".

I imagine that you have some Risk that is mitigated only for those conflicts involving a specific transaction and not all transactions of the relevant function, and that this transaction may still be relevant as part of that same function for other risks, so you cannot remove it from the function. I also imagine that you mitigated the whole Risk (the 4-digit Risk ID) and not the specific 7-digit Rule IDs.

Is that your scenario?

If so, I see two approaches you may follow:

1. Review your Risk and Function. Isolate the mitigated scenario in a new risk with new functions, so that you can apply the Mitigation Control to it.

2. Identify which Rule IDs (7-digit) specifically you have to apply the Mitigation Control to (use Rule Architect -> Rules -> Action Rules, filter by Action and export). This approach is risky: depending on how you maintain the rules, GRC may assign different 7-digit Rule IDs when regenerating rules; then you must review all your Mitigation Controls, because you may be mitigating the wrong conflict!

I used approach 2 a few times and regretted it; now I avoid it as much as I can. I really miss, in the Mitigation Controls process, a way to restrict the Control to more persistent information, like Application and Action, instead of the system-defined Rule ID "hash" code. Can someone tell me if that changed in v10? (I am on 5.3 SP17.)

Hope this can help. Sorry if I misunderstood the issue!

Best Regards,

Vaner
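The risk described in approach 2 above is that a mitigation attached to a 7-digit Rule ID silently follows the ID, not the conflict, when rules are regenerated. The following is an added example (not code from the original post or from SAP GRC) showing how a practitioner can audit that: export the Action Rules before and after regeneration, re-key each mitigated Rule ID by its content (Risk ID plus the pair of Actions), and flag any association whose Rule ID now denotes a different conflict. The tab-separated layouts, column names, Rule IDs, transaction codes and control IDs below are all constructed assumptions, not the real RAR export format.

```python
"""Audit mitigation controls that are bound to 7-digit Rule IDs across a rule
regeneration.  Added example; the file layouts are assumptions, not the real
RAR export format:

  rule export        : RULE_ID, RISK_ID, ACTION_1, ACTION_2   (tab-separated)
  mitigation export  : CONTROL_ID, RULE_ID                    (tab-separated)
"""
from typing import Dict, List, Optional, Set, Tuple

# A conflict is identified by its content, not by the Rule ID GRC assigned to it.
Conflict = Tuple[str, str, str]          # (risk_id, action_a, action_b), actions sorted

# Constructed sample: Action Rules for risk P001 before regeneration.
RULES_BEFORE = """\
RULE_ID\tRISK_ID\tACTION_1\tACTION_2
P0010001\tP001\tFB01\tFK01
P0010002\tP001\tFB01\tFK02
P0010003\tP001\tF-02\tFK01
"""

# Constructed sample: FK02 was removed from the function and rules were
# regenerated.  The FB01/FK02 rule is gone and the F-02/FK01 rule now carries
# the Rule ID that FB01/FK02 used to have.
RULES_AFTER = """\
RULE_ID\tRISK_ID\tACTION_1\tACTION_2
P0010001\tP001\tFB01\tFK01
P0010002\tP001\tF-02\tFK01
"""

# Constructed sample: control MC-FIN-01 was assigned per Rule ID (approach 2).
MITIGATIONS = """\
CONTROL_ID\tRULE_ID
MC-FIN-01\tP0010001
MC-FIN-01\tP0010002
"""


def parse_rules(text: str) -> Dict[str, Conflict]:
    """Map RULE_ID -> (risk, action_a, action_b) with the action pair sorted,
    so that the same conflict compares equal whichever order GRC exported it in."""
    rules: Dict[str, Conflict] = {}
    for line in text.strip().splitlines()[1:]:          # skip header row
        rule_id, risk, a1, a2 = line.split("\t")
        lo, hi = sorted((a1, a2))
        rules[rule_id] = (risk, lo, hi)
    return rules


def parse_mitigations(text: str) -> List[Tuple[str, str]]:
    """Return a list of (control_id, rule_id) associations."""
    return [tuple(line.split("\t")) for line in text.strip().splitlines()[1:]]  # type: ignore[misc]


def audit_mitigations(before: Dict[str, Conflict], after: Dict[str, Conflict],
                      mitigations: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (control, rule_id) association after regeneration:
       ok       - the Rule ID still denotes the same conflict
       drifted  - the Rule ID now denotes a different conflict (wrong conflict mitigated)
       gone     - the Rule ID no longer exists
       unknown  - the Rule ID was not in the pre-regeneration export
    """
    report = []
    for control, rule_id in mitigations:
        old: Optional[Conflict] = before.get(rule_id)
        new: Optional[Conflict] = after.get(rule_id)
        if old is None:
            status = "unknown"
        elif new is None:
            status = "gone"
        elif new == old:
            status = "ok"
        else:
            status = "drifted"
        report.append((control, rule_id, status))
    return report


def remap_by_conflict(before: Dict[str, Conflict], after: Dict[str, Conflict],
                      mitigations: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Re-key each association by conflict content and return, per control, the
    Rule IDs it should point at in the regenerated rule set.  Conflicts that no
    longer exist are simply dropped, which is the desired outcome for a pair of
    actions that is no longer considered conflicting."""
    id_by_conflict = {conflict: rid for rid, conflict in after.items()}
    remapped: Dict[str, Set[str]] = {}
    for control, rule_id in mitigations:
        conflict = before.get(rule_id)
        if conflict is not None and conflict in id_by_conflict:
            remapped.setdefault(control, set()).add(id_by_conflict[conflict])
    return remapped


if __name__ == "__main__":
    before, after = parse_rules(RULES_BEFORE), parse_rules(RULES_AFTER)
    assoc = parse_mitigations(MITIGATIONS)
    for control, rule_id, status in audit_mitigations(before, after, assoc):
        print(f"{control} -> {rule_id}: {status}")
    print("re-keyed:", remap_by_conflict(before, after, assoc))
```

On the constructed sample the audit reports P0010001 as ok and P0010002 as drifted: the control was assigned to the FB01/FK02 conflict, but after regeneration the same Rule ID is the F-02/FK01 conflict, which was never reviewed. Re-keying by content keeps only P0010001 for MC-FIN-01, which is the outcome the thread is after (the retired conflict drops out without touching the still-valid mitigation).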

Answers (5)

Former Member

Hi Vaner,

Thank you very much for the info. Here, I meant to say that Rule IDs with previously specified conflicting t-codes are mitigated by a false-positive mitigation control ID. But now those t-codes are no longer conflicting as per the new guideline. Now we need to disable the falsely mitigated rules and find a permanent solution.

Please suggest the possible approach in detail.

Former Member

Hello,

It seems you just need to remove the Mitigation Control / Risk ID from the Users and/or Roles; after that you can remove the Risk ID association with the Mitigation Control ID (to avoid new associations). You can do that in RAR -> Mitigation -> Mitigation Controls: search for the Control you want to maintain, then navigate to Associated Roles/Users.

If you have lots of Users/Roles mitigated, consider exporting the whole Mitigation, adjusting it in Mitigation.txt, then importing it back.

If you use Organizational Rules, you may have other steps, but I am not familiar with them.

Good luck,

Vaner
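For the bulk case above (export, adjust Mitigation.txt, import back), the following is an added example, not code from the original post or from SAP GRC, of the adjustment step done as a script rather than by hand: drop every user and role association for the risks that are no longer conflicts, keep a record of what was removed for the change ticket, and report which controls are left with no association at all, since those are the Risk/Control links worth removing next so no new associations get created. The tab-separated layout, column names, user and role names, risk IDs and control IDs are all constructed assumptions and do not reflect the real Mitigation.txt format.

```python
"""Strip user/role mitigation associations for retired risks from an exported
mitigation file before re-import.  Added example; the layout is an assumption,
not the real Mitigation.txt layout:

  OBJECT_TYPE, OBJECT, RISK_ID, CONTROL_ID, VALID_TO   (tab-separated)
"""
from typing import Iterable, List, Set, Tuple

# Constructed sample export: two controls, two risks, one user and two roles.
EXPORT = """\
OBJECT_TYPE\tOBJECT\tRISK_ID\tCONTROL_ID\tVALID_TO
USER\tJSMITH\tP001\tMC-FIN-01\t12/31/2013
USER\tJSMITH\tF003\tMC-FIN-02\t12/31/2013
ROLE\tZ_FI_AP_CLERK\tP001\tMC-FIN-01\t12/31/2013
ROLE\tZ_FI_GL_POST\tF003\tMC-FIN-02\t12/31/2013
"""

COLUMNS = 5
RISK_COL, CONTROL_COL = 2, 3


def validate_export(text: str) -> List[List[str]]:
    """Split the export into rows and refuse to continue on a malformed row.
    A single short row silently imported back is how a bulk edit corrupts the
    mitigation table, so fail loudly here instead."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    for number, fields in enumerate(rows, start=1):
        if len(fields) != COLUMNS:
            raise ValueError(f"row {number} has {len(fields)} columns, expected {COLUMNS}")
    return rows


def remove_retired_risks(text: str, retired: Iterable[str]) -> Tuple[str, List[List[str]]]:
    """Return (cleaned export text, removed rows).  The header row is kept
    unchanged so the file can go straight back into the import."""
    retired_set = set(retired)
    header, *body = validate_export(text)
    kept, removed = [header], []
    for fields in body:
        (removed if fields[RISK_COL] in retired_set else kept).append(fields)
    cleaned = "\n".join("\t".join(fields) for fields in kept) + "\n"
    return cleaned, removed


def orphaned_controls(original: str, cleaned: str) -> Set[str]:
    """Controls referenced in the original export but by no row in the cleaned
    one: candidates for removing the Risk ID / Control ID link in RAR."""
    def controls(text: str) -> Set[str]:
        return {fields[CONTROL_COL] for fields in validate_export(text)[1:]}
    return controls(original) - controls(cleaned)


if __name__ == "__main__":
    cleaned, removed = remove_retired_risks(EXPORT, ["P001"])
    print(cleaned)
    print("removed:", removed)
    print("controls with no remaining association:", orphaned_controls(EXPORT, cleaned))
```

Run on the constructed sample with P001 retired, the cleaned file keeps only the F003 rows, the two P001 rows are returned for the audit trail, and MC-FIN-01 is reported as having no association left, which is the control whose Risk ID link should then be removed in RAR -> Mitigation -> Mitigation Controls.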

Former Member

Hi Frank,

Actually, I need to find a permanent solution for the falsely mitigated rules. Previously, some t-codes were specified as conflicting and they were mitigated. Right now, those t-codes are declared as non-conflicting and we need to find a permanent solution.

Now, a function contains both conflicting (as per the previous specification) and non-conflicting t-codes and permissions. If I deactivate the rule, the entire content will be deactivated.

I thought to create a new function ID and add only the non-conflicting t-codes and permissions to it, and also to create a new rule corresponding to the old rule containing the conflicting t-codes. If I then add the newly created functions and risks to the newly created rule and accordingly disable the old rule with the conflicting t-codes, we can get a permanent solution.

Please advise whether I am on the correct path or whether there is an alternative approach.

Former Member

Hi Alex, thank you for your feedback.

Hi Frank,

I understood the issue can be resolved in the following way; please correct me if I am wrong.

Simple rule redesigning:

We need to create a new rule with the non-conflicting Actions and Permissions and then deactivate the corresponding old rule.

Please suggest whether this is the correct way or whether there is a suitable alternative.

koehntopp
Product and Topic Expert

Sorry, I don't think that's how it works...

- There are no rules for "non-conflicting actions"; rules are there to identify conflicting actions.

- Rules originate in the combinations of functions in a risk. If you want to change the rules that get created, you need to work at function and risk level.

Again, what exactly is it you want to do? Do you have combinations of actions that come up as a risk, and you don't want them to come up?

Frank.

koehntopp
Product and Topic Expert

Moved to correct forum.

Not sure I understand your question.

- You say "falsely mitigated rules"; why not remove the mitigation?

- If you disable a function (which you can do) and rebuild the rules, you take away one side of one or more risks. How exactly does that help?

Please try to explain your issue in more detail, maybe then we can help you.

Frank.

Former Member

Hi,

This cannot be achieved. The correct way is to optimise your risks.