RAR 5.3 Support Pack 18 Issue - SoD conflicts wrongly showing as mitigated

Former Member
0 Kudos

Hello,

We recently implemented support pack 18 for our GRC 5.3 environment. RAR is now showing some odd behavior in Production that we did not see in testing (in our Sandbox or Development) environment.

Our SAP security admins globally are asked to mitigate users (if they have SoD's) at the time roles are assigned to them. Sometimes, this step gets missed or roles change on the backend causing/changing SoD conflicts. To catch these, we run a Global SoD report every Sunday. There's usually 30-80 SoD conflicts that show up on this report weekly. Since implementing support pack 18, only 4 conflicts show on the report, and these are all custom-built risks.

We were thinking this is strange behavior because we were expecting to see more SoD's (30-80). After some investigating, we've discovered that the system believes the roles are mitigated at the Role Level, even though they are not.

For example, we have USER1 who has a legitimate P005 conflict. None of this user's roles are mitigated at the Role Level. We expect P005 to show on the SoD report, but it does not. When we run Risk Analysis with the "Exclude Mitigated Risks" option set to "No," it shows P005 is a true conflict but that it is Mitigated at the Role Level. I can confirm in the Mitigation Tab that none of this user's roles are mitigated. Why is the system saying it is?

We have confirmed that configuration has not changed recently. All RAR configuration has remained the same for some time now (in all environments, PROD, DEV, and SBOX). We do set the following configuration to YES: Include Role/Profile Mitigating Controls in User Analysis. Per our compliance policies, we do want to keep this option set to yes because we do mitigate some roles, but not many.

Does this sound like a bug with SP 18?

Or are there additional troubleshooting measures I should try?

Has anyone else had similar issues or issues in general with RAR and SP 18?

THANKS in advance!

Jes

Accepted Solutions (0)

Answers (2)

ChristoA
Explorer
0 Kudos

Jes,

Had a question for you, we are planning to Upgrade to SP18 from SP17.

During that process did you have to undeploy the old components?

Thanks

Christo

Former Member
0 Kudos

Hello Jes,

I also had problems after SP 18.

I had several Mitigation Controls that mitigate only some specific roles, all working fine before SP18. Now GRC is mitigating all roles.

I opened a message in SAP, identified a specific case, and SAP is currently SQL tracing in my GRC to try to identify the cause.

While we do not have a solution I removed almost all of our mitigations (25), and I warned Internal Controls Dept. that they will receive some requests with "false positive" SOD risks. If I had left the controls active I would have a huge number of "false negatives".

I will share the developments in this forum.

Best

Vaner

Former Member
0 Kudos

Thank you for your response, Vaner.

We have also opened a message with SAP. Because this is a high priority issue for us, we are eagerly waiting to learn a solution or workaround, so any developments you are willing to share would be greatly appreciated!

I will also share any information from SAP related to a fix on this forum as well.

Former Member
0 Kudos

Hello Jes,

Did you have any success with SAP?

Last feedback I had says that this was a known issue fixed in SP 17 P3, they will check why this fix is missing in SP 18.

Let me know if you had more information or any workaround.

Thanks,

Vaner

Former Member
0 Kudos

Unfortunately no, we have not heard back from SAP in 2 business days. We may need to escalate this message to Very High priority level because our current security/SoD process is out of compliance and would fail audit requirements.

Thank you for posting an update.

Jes

Former Member
0 Kudos

Dear Jes,

After some pressure, I have a feedback from SAP that they will not leave the issue to SP19, they intend to issue a patch for SP18 in a few days. Let us see.

Good luck for us!

Regards,

Vaner

Former Member
0 Kudos

Greetings Vaner,

That is good news! We however have not heard this response from SAP. We are pushing to hear an update from their side.

Can you kindly keep me posted via this forum when the patch is made available to you?

Thanks again!

Jes

Former Member
0 Kudos

Dear Jes,

> After some pressure, I have a feedback from SAP that they will not leave the issue to SP19, they intend to issue a patch for SP18 in a few days. Let us see.

> Good luck for us!

>

> Regards,

> Vaner

Hi Vaner,

SAP has informed us the fix will be available in SP 18 Patch 2, tentatively scheduled for the second week of February.

Thanks

Jes

Former Member
0 Kudos

Hi Jes,

I also received this feedback.

Regards,

Vaner

Former Member
0 Kudos

Dear Jes,

Latest news on this issue:

SAP released patches:

sap.com/VIRAE 530.700.18.2

sap.com/VIRCC 530.700.18.1

We have applied them to test environment. The previous issue (mitigation applied to role was mitigating all conflicts instead of only for those users with that role) seemed to be solved.

Now we have a new problem: No Blanket Mitigation (* or partial names ending with *) is working (neither role nor user).

We decided not to apply this patch to production. As a workaround, we are not using mitigation by role, we identified all users and are mitigating by user, one by one.

Have you also applied the patch? Any findings to share?

Vaner

Former Member
0 Kudos

Dear Jes,

>

> Latest news on this issue:

> SAP released patches:

> sap.com/VIRAE 530.700.18.2

> sap.com/VIRCC 530.700.18.1

>

> We have applied them to test environment. The previous issue (mitigation applied to role was mitigating all conflicts instead of only for those users with that role) seemed to be solved.

> Now we have a new problem: No Blanket Mitigation (* or partial names ending with *) is working (neither role nor user).

>

> We decided not to apply this patch to production. As a workaround, we are not using mitigation by role, we identified all users and are mitigating by user, one by one.

>

> Have you also applied the patch? Any findings to share?

>

> Vaner

Hi Vaner,

We applied the patch provided from SAP in our test environment and confirmed that our issue has been resolved. We moved the patch to PRODUCTION last week. We do not use blanket mitigation so we did not run into that issue.

Please let me know if there is additional information you would like me to provide.

Thanks!!

Jes