on 08-07-2012 10:37 PM
Hi everyone!
I have a really stupid question. I am trying to figure out how critical role / profile analysis works in GRC 5.3, and I can't find any documentation. What I've seen in my trial and error so far only partially makes sense.
I found that creating critical roles and profiles and setting configuration to ignore them brings my SoD counts down as I expected. It does NOT populate the user analysis counts for critical roles / profiles and users with critical roles / profiles when I look at User Analysis on the Informer Tab. Both show zero. I then tried setting configuration to consider critical roles / profiles and set up exclusion rules for my critical roles / profiles. That resulted in a million (literally) SoDs and still zero critical roles / profiles and users with critical roles / profiles in my user analysis.
Can someone please point me to the how-to for this? I've looked at the config guide, master guide, and operations guide. I found some application help that wasn't exactly helpful.
Thanks!
Krysta
Thanks for the information, ladies!
So by setting up critical roles / profiles and selecting the config option to ignore, I should get rid of my 1 million violations. I did read note 1168120 and saw that some issue with critical role / profile analysis had been fixed.
Here is what I am seeing, though. This is the same whether I have the config set to ignore or include critical roles / profiles:
Number of Users Analyzed | 800 |
Number of Critical Actions | 2,088 |
Number of critical roles or profiles | 0 |
Users with Critical Actions | 323 |
Users with critical roles or profiles | 0 |
The number of critical roles / profiles and users with critical roles / profiles is showing zero. I would expect the number of critical roles / profiles to at least have a number regardless of the configuration. I would also have expected the number of users to be updated based on running the critical role / profile analysis as part of my synch job.
After all that, I guess my question is this. When should I expect to see values for number of critical roles / profiles and users with critical roles / profiles?
Thanks,
Krysta
Hi Krysta,
It seems that you are facing an issue in the Management Report.
The Management report populates the reports showing which users have access to Critical roles or profiles as defined in the Rule Architect under Critical Roles and Critical Profiles sections.
Yes, you are also correct that the number for Critical role and profile should show regardless of the 'Ignore Critical Role and Profile Setting'. It should be populated after running the Batch Risk analysis job for Critical Role and Profile.
Kindly again run the Batch risk analysis for 'Critical Action and Role Profile analysis' and then run management report to check the data.
Regards
Shaily
Hi Shaily,
I did that already. I ran a full synch including Critical Action and Role/Profile Analysis and Management Reports. The critical action counts are updated, but the critical role / profile counts still show zero.
I guess I'll be putting in my 3rd message with SAP on GRC 5.3.
Regards,
Krysta
Hi Krysta,
"Ignore Critical Roles & Profiles" parameter is functional while running the Analysis only at User Level for various Report Types i.e. Action/Permission/Critical Action etc.
Please go through the parameter description as from the Configuration => Additional Options => Ignore Critical Roles & Profiles as below:
"This option specifies whether roles and profiles maintained in the Critical Roles table and the critical Profile tables are ignored when running a risk analysis; the default value is No; when set to Yes, critical roles and profiles are ignored when running a user analysis"
Please note the last line, where it says it works "when running a user analysis".
There are some similar issues which have been fixed in the 5.3 version. For that you may refer to SAP note 1168120.
I hope this information helps you.
Regards,
Yukti
Hi Krysta,
When you create a Critical Role, say 'ADMIN', and your setting of 'Ignore Critical Role and Profile' is NO, then if you run the role/user level risk analysis (either at Action/Permission/Critical Action/Critical Permission) for ADMIN, it will show the risk possessed by the 'ADMIN' role. But if the setting 'Ignore Critical Role and Profile' is YES, then if you run the risk analysis, the result will show zero results, as you are ignoring this ADMIN role as a Critical Role.
We generally make a Critical Role or profile as we already know that the particular role/profile is critical to the organization and has many risks; that's why we generally ignore it in the normal risk analysis, as we do not want our risk result so large.
I hope it clarifies your query.
Regards,
Shaily