
Mitigating Controls in GRC10

former_member274402
Participant
0 Kudos

Hi,

Is there a way we can maintain and update mitigating controls on the GRC (GUI) back-end? The UI can't find those I created and migrated. Any ideas?

Regards, Melvin

Accepted Solutions (0)

Answers (4)


Former Member
0 Kudos

Does anyone have the .dat files for mitigation controls? Perhaps it's a good way to mass upload the controls in SAP GRC AC where no PC is installed.

Former Member
0 Kudos

Did anyone figure out a solution for this? We have run into a situation where we decided not to use the migration utility to migrate our mitigating controls due to the referential integrity issues that other clients have experienced while using the migration tool to migrate mitigating controls from 4.0/5.3 to AC 10.0. It turns out that manually creating the mitigating controls landed us in the same ditch!

30 out of the 90 mitigating controls we manually created in NWBC suddenly disappeared. When I go into the SE16 tables where mitigating controls are being stored, I do see ALL 90 mitigating controls but in NWBC the 30 are NOT showing up. Clicking refresh doesn't help. Funny thing is I still see the user/role assignments that were applied to the mitigating controls and see them when I run mitigation reports, but when I go to master data>> Mitigation controls, I can't find my 30 mitigation controls. Any ideas on why, and how to fix this issue?

Please, this is an urgent one for me so I would appreciate if anyone has any ideas on possible fix or solution.

2) The other unrelated issue is: what are the details on how to leverage CLM to transport mitigation controls, or does anybody have any specific workaround on how to transport mitigating controls in AC 10? I hope AC 10.1 comes with the transport functionality.

3) We have completely set up our rulesets, generated the rules, ran all the required jobs but violations are not being reported or no results are coming up for certain users who of course have violations in the back end systems. The rules generated successfully and I ran the analysis to include the mitigated risks. Any ideas? This is the first time I am seeing this ....

I would appreciate if anyone has any timely response to any or all of the above stated issues.

Former Member
0 Kudos

Guys:

There is a way to do it via Process Controls but I'm not sure if it is possible given your situation or if it will even meet your requirements. I haven't had a chance to do much work integrating AC10 and PC10 but I know PC10 pretty well. IMG: GRC=>Shared Master Data Settings=>Setup Structure Expert Mode OR you can just use TCode GRFN_STR_CHANGE.

In the PC2.5 days we would make occasional updates here.  In PC10 we've made none.  As Simon says, if you have updates to make I would keep them pretty simple.  There are a lot of referential integrity issues the front-end performs so I would definitely do this at your own risk.  Depending on the type of update, it can be high risk so we haven't made any here;  there was no need to bypass the frontend for standard maintenance issues.  I would thoroughly test in sandbox first.  You'll also have to give thought as to how you would manage this across your landscape (at least to get everything baselined).

Check it out and let me know if it works.

Thanks.

Matt

paul_ksobiech4
Explorer
0 Kudos

Please explain your issue further. Do you mean maintain mitigation on the ECC (SAP GUI) side vs the Web (NWBC) side? If you mean that, I do not believe there is a way to maintain mitigations in the ECC (SAP GUI) side. Mitigations, as far as I can see, are only maintained in the Web (NWBC) side of the application.

I did see that there is an "upload mitigations" in SPRO but that is used for migrations and I don't think you can just create a file and upload it there.

Please correct me if I am mistaken as I would love to know of a Mass Maintain function for GRC Mitigations.

Regards,

Paul

former_member274402
Participant
0 Kudos

Hi,

REF CALL # : 968707 / 2011

I created mitigating controls and imported the old mitigating controls from GRC 5.3.

When I go to the mitigating controls on the UI no mitigating controls appear when opening the page. When I do a drop down (drill) on the TAB (SETUP) Work Centre  Link - Mitigating Control

When drilling down on Mitigating Control ID's

The only two displayed are the ones I created on the UI. When I import the GRC5.3 mitigating controls I get the following message on the import tool within the GRC10 back-end:

--Start Loading File - Scenario of 5.3 Mitigation - Migration

sapvirdevexport53/BUNITdata.dat

Mitigation Control EA:BS001 already exists

Mitigation Control EA:BU001 already exists

Mitigation Control SOLMAN99 already exists

--File loaded successfully

The migration document refers to the following steps and this was followed

Why is the screen empty when going into the mitigating control link on the UI - Another strange phenomenon is when I run the mitigating report from report and analytics the mitigating control comes up blank.

When in the report and analytic work centre, and running the mitigation control report - -> I drill down on the Control ID and get the blank screen.

This is why I'm asking: can I look at mitigating controls not from ECC but from the GRC back-end system and maintain them from there?

Regards, Melvin

simon_persin4
Contributor
0 Kudos

With the migration of mitigation contents, you have to be very particular on the referential master data including the Owners and Organisation assignment mapping from Business Units.

Without all of these data elements mapped, you may find such inconsistencies.

I have noticed a few gremlins in previous support packs but most things seem to be fixed in SP06 for the GRC system.

As is noted above, there is no mass maintenance functionality for mitigating controls as yet in GRC 10 other than the migration tool. This has been raised to SAP and I believe that they are indeed working on the development to facilitate this.

I know that a few people have experimented with direct table updates but I really do not recommend that as you'll get yourself into a massive mess with the inter-dependencies with the different tables in the data dictionary.

Regards, Simon

Former Member
0 Kudos

Hello Simon,

I have the same problem. Can you explain a little more on what kind of configuration is needed on org level and business process? I have different business processes for Mitigations and risks/functions. Since I did not have any mitigations on sandbox, I migrated RAR stuff earlier, then created a mitigation control and tried to migrate it later. I could not migrate the mitigations. I was able to see the control owners in the table. I cannot use these owners to attach new mitigation controls. I am stuck at the migration of mitigations. Any help is highly appreciated.

Thanks,

Raghav

Former Member
0 Kudos

Hello Melvin,

Were you able to see the mitigating controls in NWBC? I am having a similar issue. I have migrated all the information. I see the owners (approvers, monitors), I see the users mitigated, roles mitigated. I do not see the actual mitigations. Any help is highly appreciated. Thanks,

Raghav

former_member274402
Participant
0 Kudos

Hi,

We renamed the controls and repeated the mitigation process with the new controls via spreadsheets and uploaded it to our development 5.3 box, migrated the data and the issue was solved. I investigated and heard you can do mass changes from CLM as this has import and export functionality of risk and control libraries across the GRC environment.

Regards, Melvin

simon_persin4
Contributor
0 Kudos

Hi Raghav, Melvin,

In 10.0, you have to have the Organisations setup in the Master Data tab of the NWBC. This is like the Business Unit data element in 5.3. You also need to have the appropriate Owners defined against the organisations aligned with the Administrators in 5.3.

Only then can you select the applicable mitigating controls for import via the GRAC_DATA_MIGRATION transaction utility.

You'll need to have the correct source files from the 5.3 extract (including the Business Units and Administrators) as they will then map against the correct data elements in 10.0.

Simon

Former Member
0 Kudos

Thank you Simon and Melvin for the response,

I have created a root Org and a child org (ECC). I have used this in data migration. I was able to bring in the mitigating control owners (approvers, Monitors), the business units (Organizational units in 10.0), Mitigated users and mitigated roles. I cannot display the mitigating controls. If I try to create a control with the same name (as in 5.3), it throws an error: mitigating control number not unique. I think the controls are mitigated but got messed up somehow so that they are not displayed in NWBC. Also, I have risks tagged with an "". For example, for risk SD01 I have it defined as SD01 in 5.3. Do you think that is a problem? Should I clean up the mitigation in 5.3 and migrate them again? What would be the best way to make these changes? Would it be a manual process?

I know, a lot of questions in one post... but this kinda surprises me...

Any help is highly appreciated!!!

thanks,

Raghav

simon_persin4
Contributor
0 Kudos

If the controls are already there, then you may have to re-load them with the overwrite rather than append option.

I would check the data carefully to make sure that you have exactly the correct file formats without any special characters or format issues and then try the upload again.

Unfortunately, this is the only mass maintenance option at the moment.

Simon

Former Member
0 Kudos

Hello Simon,

I have tried to import the data again. I see the same issue repeated. I would like to share a few screenshots with you to exactly show what's missing. The link between the mitigating controls and the organizations is not there. Can I delete the organizations, Mitigated users, Mitigated roles, and try to import the data back? Do you know which tables these controls sit in? If we can delete the entries from these tables, we may be able to do a fresh load. Or should I just edit the controls in 5.3 and try to perform the migration again? I am lost here.

Thanks again for all the support.

Thanks,

Raghav

Former Member
0 Kudos

Hello Raghav,

Please let me know if you have resolved your issue of Mitigation control migration to GRC 10.

As I am not able to upload the same using the Migration tool, I am in the process of creating them manually.

If you have successfully migrated Mitigation controls in GRC 10, it will be a great help if you can let me know the steps in detail.

Please reply as early as possible.

Regards,

Yatin Phad

former_member274402
Participant
0 Kudos

Hi,

We have a call open with SAP; we should have an answer soon (I hope). I will update the forum as soon as SAP gets back to me.

Regards, Mel Button

Former Member
0 Kudos

Melvin,

Were you able to figure out what was going on? I am now getting the same problem as you describe.


Thanks,

Sergiy

former_member274402
Participant
0 Kudos

Hi,

Check auth GRAC_MIT - Add controls valid for user to edit and view

Regards, Melvin

Former Member
0 Kudos

Hi Melvin,

I already have GRAC_MITC, I am guessing you meant GRAC_MITC as GRAC_MIT auth object does not exist. Still I am showing no Mitigating Controls in NWBC and also cannot import with the migration tool, getting the same error message you were getting.

Even the trace does not show any auth values missing. I have the SAP_GRAC_ALL role already assigned, which should give me plenty of AC access, however still no luck.

Thanks,

Sergiy

Former Member
0 Kudos

Hi Raghav

I am also unable to display the mitigation controls after migration. I can see the mitigated users that were imported from 5.3 but not the mitigation controls to Organization Unit to Risk ID mapping.

Were you able to successfully migrate the 5.3 mitigation controls?