cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOD Risks shows in GRC RAR but not in GRC CUP for same roles

Go to solution
Former Member

on ‎04-20-2012 11:54 AM

0 Kudos

Hi

I have run Risk analysis for two roles in GRC RAR, it shows Critical risks fro these two roles..

But If I run Riskanalysis for same roles in GRC CUP (Via GRC CUP Request), I didnt get any Risks..It shows 0 Risks found..

Please help out ..

Reg,

Naga

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎04-20-2012 12:59 PM
0 Kudos

Hi,

A few checkpoints:

1) Are you using GRC 5.X or 10? if 5.X, ignore my additional comments below.

2) Are you using multiple rule sets?

3) By default, what type of risk analysis is performed in CUP? If it is an SOD risk analysis (Action or Permission Level) then Critical Risks will not be detected by default. I know that there is a restriction in having more than one risk analysis type running as default in a CUP request (due to Config Param 1023 - Default report type for Risk analysis). The user has to manually select the other risk analysis report types and then re-run the risk analysis within the request again to get the full violation picture.

Hope that helps

Show replies
Show replies
Former Member
‎04-20-2012 1:07 PM
0 Kudos

HI

I am using GRC 5.3 version..SP16

Answers (2)

Answers (2)

Former Member
‎04-20-2012 4:44 PM
0 Kudos

Hi Nagaraju,

Please refer the below mentioned notes:-

1472227 / 1145700 / 1540822.

I hope these SAP notes will help you to resolve your issue.

Regards,

Yukti

Show replies
Show replies
koehntopp
Product and Topic Expert
Product and Topic Expert
‎04-20-2012 12:49 PM
0 Kudos

CUP has two tabs for risk results - SoD risks and critical action risks are different. Also, you need to configure CUP to also check for action level risk if that's what you want.

So, it's either the case that you didn't see the result, or you did not configure CUP to look at the type of risk you have defined, please chekc those two.

Frank.

Show replies
Show replies
Former Member
‎04-20-2012 12:54 PM
0 Kudos

The purpose of these tabs are

If mitigation of critical access risks is not required before approving, then critical

access risks are displayed on the Critical Access Risks tab page for information only

 

Risks displayed on the Risks for Mitigation tab page require mitigation before approving

 

The approver needs to mitigate risks displayed on the Risks for Mitigation tab page,

depending on the configuration (Approve despite conflicts at global and workflow stage level

setting)

Is it correct..if not please tell me what is teh difference between these tabs and where we need to change Risk analysis type in GRc CUP Configuration..

Former Member
‎04-20-2012 12:56 PM
0 Kudos

We have maintained Permision level Risk for Both GRC RAR and GRC CUP configuration..

Ask a Question