
GRC - ARA Risk "False/Positive" in rule set

Former Member
0 Kudos


We use VIRSA Compliance Calibrator 4.0 to monitor segregation of
duties, and we want to upgrade the version; currently we are testing
GRC AC ARA 10.0.

The problem is that we have the same rule set in both versions
(exactly), but in GRC 10.0 the reports show us different results.
We don't know what the reason is; we are trying to investigate whether we
did something wrong. But the "false/positive" risk that ARA is showing
appears when we run the report at permission and action level.

Could you tell us if we forgot to update some parameter? This situation
happens for users and roles (simple, composite and derived).

Accepted Solutions (0)

Answers (1)


alessandr0
Active Contributor
0 Kudos

Action Level and Permission Level are two different types of risk analysis run. Action level checks whether there is a conflict at action level, e.g. PFCG and SU01. Permission level also checks authorization objects.

Just as a short example: SU01 and PFCG (with Activity 03 - Display) do not show as a violation when you run Permission Level, as Display authorization is not considered in your rule set (I assume that). When running at action level it will show as a violation, as the user can access both transactions.

Do you understand the difference in the two reports?

It is necessary to run the same report types in both systems to check if you have the same results. Also it would help if you can give us a short example.

Regards,

Alessandro

Former Member
0 Kudos

Thanks for your reply Alessandro.

If I understand the difference between the two reports.
I have a question: when I run a risk analysis in GRC 10.0 for a user, the permission level analysis throws me risks for transactions that are not assigned. Does it only read the objects? I believe that this is not correct.

alessandr0
Active Contributor
0 Kudos

Nope this is not correct. It only shows risks of transactions which are assigned. Can you run an analysis on permission level and in the result show us a hardcopy of the detail report?

Difficult to tell you the issue as we do not know in detail what you see.

Regards,

Alessandro
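To make the distinction Alessandro draws concrete (action level compares transactions only, permission level additionally checks the authorization object field values, and in both cases the transaction must actually be assigned), here is an added, self-contained Python model of the two analysis modes. It is not GRC's own engine and not code from anyone in this thread: the data model, the risk ID EX01, the rule's required ACTVT values and the three sample principals are all constructed for illustration. S_TCODE, S_USER_GRP, S_USER_AGR and the ACTVT values 01/02/03/06 are real SAP names used only as realistic sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical, simplified rule-set model (not SAP GRC's own structures).


@dataclass(frozen=True)
class Permission:
    """One object/field condition an action needs, e.g. S_USER_GRP ACTVT in {01,02,06}."""
    obj: str
    fld: str
    values: frozenset


@dataclass
class Action:
    tcode: str                      # transaction, matched against S_TCODE
    permissions: List[Permission]   # extra conditions checked at permission level only


@dataclass
class Function:
    name: str
    actions: List[Action]           # any one action grants the function


@dataclass
class Risk:
    risk_id: str
    functions: List[Function]       # SoD conflict when every function is reachable


@dataclass
class Principal:
    """A user or role: assigned transactions plus object -> field -> values."""
    name: str
    tcodes: Set[str]
    auths: Dict[str, Dict[str, Set[str]]]


def action_level(p: Principal, risk: Risk) -> bool:
    """Action level: holds at least one transaction from every function of the risk."""
    return all(any(a.tcode in p.tcodes for a in f.actions) for f in risk.functions)


def action_permitted(p: Principal, action: Action) -> bool:
    """Permission level for one action: the transaction itself AND every field condition.

    The transaction check comes first, so object values alone never produce a hit.
    A held value of '*' is treated as the SAP full-authorization wildcard.
    """
    if action.tcode not in p.tcodes:
        return False
    for perm in action.permissions:
        held = p.auths.get(perm.obj, {}).get(perm.fld, set())
        if "*" not in held and not (held & perm.values):
            return False
    return True


def permission_level(p: Principal, risk: Risk) -> bool:
    """Permission level: every function reachable through a fully permitted action."""
    return all(any(action_permitted(p, a) for a in f.actions) for f in risk.functions)


def analyse(p: Principal, risks: List[Risk]) -> Dict[str, Dict[str, bool]]:
    """Run both report types for one principal; returns risk_id -> {mode: hit}."""
    return {r.risk_id: {"action": action_level(p, r),
                        "permission": permission_level(p, r)} for r in risks}


# Constructed sample rule: user maintenance vs role maintenance (risk ID EX01 is made up).
CHANGE_ACTVT = frozenset({"01", "02", "06"})   # create / change / delete; 03 (display) excluded
SOD_RISK = Risk("EX01", [
    Function("User maintenance", [Action("SU01", [Permission("S_USER_GRP", "ACTVT", CHANGE_ACTVT)])]),
    Function("Role maintenance", [Action("PFCG", [Permission("S_USER_AGR", "ACTVT", CHANGE_ACTVT)])]),
])

# Constructed sample principals.
DISPLAY_ONLY = Principal("display_only", {"SU01", "PFCG"},
                         {"S_USER_GRP": {"ACTVT": {"03"}}, "S_USER_AGR": {"ACTVT": {"03"}}})
CHANGE_ACCESS = Principal("change_access", {"SU01", "PFCG"},
                          {"S_USER_GRP": {"ACTVT": {"02", "03"}}, "S_USER_AGR": {"ACTVT": {"*"}}})
OBJECTS_ONLY = Principal("objects_only", set(),        # object values but no S_TCODE entries
                         {"S_USER_GRP": {"ACTVT": {"02"}}, "S_USER_AGR": {"ACTVT": {"02"}}})


if __name__ == "__main__":
    for principal in (DISPLAY_ONLY, CHANGE_ACCESS, OBJECTS_ONLY):
        print(principal.name, analyse(principal, [SOD_RISK]))
```

Running it shows the three cases discussed above: the display-only principal is a hit at action level but not at permission level (the "false positive" a pure action-level report produces), the principal with change access is a hit in both modes, and a principal holding only the object values without the transactions is a hit in neither, because permission level still requires the transaction to be assigned.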

Former Member
0 Kudos

Thanks.

I send you an example.

Can you send me your email account please, because in this section I can't attach a file.


Colleen
Advisor
0 Kudos

Hi Lizeth

Perhaps post some screen shots in your comment as there may be others in the community able to help. As well as that explain it with an example of what you believe is not working.

Please do not ask for personal information to be posted in SCN. Email and Contact details should be maintained via your personal profile.

Regards

Colleen

Former Member
0 Kudos

I did an analysis with the role ZXXXXXXXXXXXXXXXX; this role has the transaction Z and this role calls another transaction in the background.

When I run the SoD analysis in Virsa it gives me the following result

When I run the SoD analysis in GRC 10.0 it gives me the following result

The result has more risks than Virsa; it is important to note that it is the same rule set.

If I analyze the risks giving more access, I see that the analysis is done at object level only and does not link the transaction.

I hope you can help me.

Thanks

Former Member
0 Kudos

Hello Lizeth,

I took part in the GRC300 course, where we were told that it is better to do Risk Analysis at the permission level, because the Risk Analysis at action level only shows transactions which are in the role, even though the activity is only 03.

The really important one is the Risk Analysis at the permission level (SoD).

Good luck,

Sabrina