GRC AC 10 SP13 - User Risk Analysis Returns No Violations

Former Member

Hello

I had a question regarding the expected results of a user risk analysis run on a user assigned two roles with the same conflicting transaction codes, SU01 and PFCG. One of the roles with violations, ZS:GB_SM_GRC_SOD_TEST, has been mitigated. The other, ZS:GB_SM_GRC_SOD_TEST_2, has not been mitigated. The roles have the same risk(s) since they are identical.

When I run a user risk analysis, I thought that violations would show for the unmitigated role, ZS:GB_SM_GRC_SOD_TEST_2. Instead, the user shows no violations. I'm assuming this is because both roles have the same risk(s) since they are assigned the same transaction codes, SU01 and PFCG.

Are these the results I should expect? I could see an argument both ways because the one role was not mitigated but the associated role technically is mitigated in another role. I've included screen shots below as a reference.

Accepted Solutions (1)


neerajmanocha
Product and Topic Expert

Hi Stacey,

This is the correct behavior. When you have 2 roles (Test1 & Test2) with the same tcodes and mitigate only one role (say Test1) and then run the risk analysis at ROLE level, you will see the actual difference in RESULTS for both the roles.

However, when it comes to USER level (considering you have included role-level mitigation in the user analysis), it is always a risk for a USER, irrespective of the role from which it comes. Here the role-level mitigation now turns into a USER-level mitigation with that Risk ID. The user is now mitigated for that particular risk, irrespective of how many roles carry that same risk. So the system will show all the roles as mitigated, because the user is mitigated for that risk.

This does not sound good if we mitigate one user with one role for one risk and do the same activity for the same risk for different roles.

Thanks & Regards

Neeraj

Answers (3)


Former Member

Hi Stacey

I faced a similar issue. After troubleshooting I found that the logical group was not correct: instead of the SAP_ECC group you need to activate the SAP_R3 group in the BC set and make sure that all your connectors are mapped to this group.

This should resolve your issue.

Regards

Pradeep

Former Member

Hi Stacey,

Good question.

Hi Experts,

Just to add on:

User: U1 (Role 1 and Role 2)

Role 1: ZS:GB_SM_GRC_SOD_TEST (SU01 and PFCG), mitigated by control M1

Role 2: ZS:GB_SM_GRC_SOD_TEST_2 (SU01 and PFCG)

If we execute a user-level risk analysis, the risk doesn't appear. Now if we check 'Include Mitigated Risk' then the risk appears, but if we select Detailed view on the results screen we see that

Role 2: ZS:GB_SM_GRC_SOD_TEST_2 also appears as a mitigated role by control M1, which is not the case here.

Regards,

Arun Singal
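The behavior Neeraj describes in the accepted answer and the detailed-view oddity Arun observes above can be modelled in a few lines. The following is an added example, not SAP code or the thread's own material: a toy SoD risk analysis that evaluates the same two roles at role level and at user level. Role names and transaction codes come from the thread; the risk ID B001, the rule that SU01 plus PFCG constitutes that risk, and the control ID M1 are hypothetical placeholders.

```python
"""
Toy model of GRC Access Control SoD risk analysis at role level versus
user level. Added example, not SAP code. Role names and tcodes are taken
from the thread; risk ID B001 and control ID M1 are hypothetical.
"""
from typing import Dict, List, Set, Tuple

# --- constructed sample data mirroring the thread ------------------------
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "ZS:GB_SM_GRC_SOD_TEST": {"SU01", "PFCG"},
    "ZS:GB_SM_GRC_SOD_TEST_2": {"SU01", "PFCG"},
}
USER_ROLES: Dict[str, List[str]] = {
    "U1": ["ZS:GB_SM_GRC_SOD_TEST", "ZS:GB_SM_GRC_SOD_TEST_2"],
}
# A risk is a list of conflicting functions; each function is a set of
# actions. The risk fires when at least one action of every function is
# present. B001 is a hypothetical risk ID for "user maintenance + role
# maintenance" (SU01 + PFCG).
RISK_RULES: Dict[str, List[Set[str]]] = {
    "B001": [{"SU01"}, {"PFCG"}],
}
# Role-level mitigating controls keyed by (role, risk id). Only the first
# role is mitigated, as in the question. M1 is a hypothetical control ID.
ROLE_MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("ZS:GB_SM_GRC_SOD_TEST", "B001"): "M1",
}


def risks_in(actions: Set[str]) -> Set[str]:
    """IDs of all risks whose every function is covered by `actions`."""
    return {
        risk_id for risk_id, functions in RISK_RULES.items()
        if all(actions & fn for fn in functions)
    }


def role_risk_analysis() -> Dict[str, List[dict]]:
    """Role level: each role is evaluated on its own and the control is
    looked up per (role, risk), so the two roles report differently."""
    return {
        role: [
            {"risk": r, "control": ROLE_MITIGATIONS.get((role, r))}
            for r in sorted(risks_in(actions))
        ]
        for role, actions in ROLE_ACTIONS.items()
    }


def user_risk_analysis(user: str, include_role_mitigation: bool = True,
                       include_mitigated: bool = False) -> List[dict]:
    """User level: risks are computed over the union of the user's actions
    and keyed by (user, risk). A role-level control found on any
    contributing role is lifted to the user for that risk, so every
    contributing role is then reported as mitigated by that control."""
    roles = USER_ROLES[user]
    combined: Set[str] = set().union(*(ROLE_ACTIONS[r] for r in roles))
    report = []
    for risk_id in sorted(risks_in(combined)):
        contributing = [r for r in roles if risk_id in risks_in(ROLE_ACTIONS[r])]
        control = None
        if include_role_mitigation:
            for r in contributing:
                control = ROLE_MITIGATIONS.get((r, risk_id))
                if control:
                    break
        if control and not include_mitigated:
            continue  # default view hides mitigated risks entirely
        report.append({
            "risk": risk_id,
            "control": control,
            # detailed view: each contributing role inherits the user's status
            "roles": [{"role": r, "control": control} for r in contributing],
        })
    return report


if __name__ == "__main__":
    print("role level :", role_risk_analysis())
    print("user level :", user_risk_analysis("U1"))
    print("incl. mitig:", user_risk_analysis("U1", include_mitigated=True))
```

Running it shows the three views from the thread: at role level only ZS:GB_SM_GRC_SOD_TEST carries control M1; at user level U1 has no violations by default; with mitigated risks included, B001 is listed once and both roles, including the unmitigated ZS:GB_SM_GRC_SOD_TEST_2, are shown against M1. Passing `include_role_mitigation=False` makes the violation reappear, which is the check to run if you want the user report to reflect the unmitigated role.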

Arif1
Active Participant

Hi,

As you mitigate one role and the T-code is the same in another role, those T-codes are mitigated for the assigned user. Here no violation comes up because it is based on T-code, not role.

Thanks,

Arif