
SAP VIRSA SOD Issue

Former Member
0 Kudos

Hi,

We have one strange issue in VIRSA SOD analysis: risks mitigated at role level are still showing in user-level analysis.


Parameter - Include Role/Profile Mitigation Control in user Analysis = YES


Scenario 1: User1 is assigned only one composite role. Risks under this composite role 1 are mitigated at role level. When we run SOD at user level (with Excluding Mitigation Control Risks ticked), it shows no risk found.


Scenario 2: User1 is now assigned another composite role 2 (this has very common roles and it does not have any risks). When we run SOD at user level (with Excluding Mitigation Control Risks ticked), it shows the risks of composite role 1.


Can anyone help me with scenario 2: why is it showing risks which are already mitigated at role level after assigning another composite role?


Regards,

Satyajit

8 REPLIES

Former Member
0 Kudos

Hi Satyajitsinh,

There may be risks arising because of the addition of the 2nd composite role to the user.

Did you check what type of risks are being displayed?

Nagarajan Viswanathan

0 Kudos

The other role only has basic codes like SU53... the risk is coming on VA01...

naveen_alluru
Active Participant
0 Kudos

Rahevar,

There could be a risk between an object in the first role and an object in the second role. You have not mitigated the user and have not mitigated the second role. I guess that could be the reason.

Or

a risk between object vs. object in the second role.

Please check and let us know the result.

0 Kudos

Hi Naveen,

The user-level risks it is showing are risks between child roles of only one composite role.

This composite role is already mitigated; all risks coming in this composite are already mitigated.

Risk 1       Tcode 1  Tcode 2 (including all objects)     Mitigated at role level

Risk 2       Tcode 3  Tcode 4 (including all objects)     Mitigated at role level

Now when we run SOD for the user it shows

Risk 1       Tcode 1  Tcode 2       Not mitigated

Risk 2       Tcode 3  Tcode 4       Not mitigated

If you check the images I have attached, for the same risk ID S01411801 we are getting the risk at user level but not at role level.

Regards,

Satyajit

0 Kudos

Can you check whether there is a mitigation already assigned to user 1 at user level? Also, can you run a risk analysis at role level: first with only composite role 1, second with only composite role 2, and third with both composite role 1 and role 2?

0 Kudos

Case 1: There is no mitigation assigned to the user at user level.

Case 2: Risk analysis at role level / user level with only composite role 1 will not give any conflicts.

Case 3: Risk analysis at role level / user level with only composite role 2 will not give any conflicts.

Case 4: Assigning both composite roles will give user-level SOD conflicts, but those risks are of composite 1, which is already mitigated at role level, and that is why I have not got any SOD in Case 2.

Regards,

Satyajit

0 Kudos

Hi Satyajit,

Does a role from composite role 2 contain the authorization object causing the risk, such as:

K_KEKO
V_VBAK_AAT

The combination with tcode VA01 from composite role 1 is not mitigated. Please check.

0 Kudos

Hi T. de Jong,

Composite role 2 does not have K_KEKO / V_VBAK_AAT. This composite role is for basic transactions like SU53 and ESS Portal-related access; it does not have any business operation authorizations.


Regards,

Satyajit