ARQ: What level of risk analysis is performed in Access Request???

former_member184114
Active Contributor
0 Kudos

Hi,

I have a question/doubt which might look silly!

When we perform risk analysis in an access request in the "Risk Violation" tab, may I know if I am correct in saying that this is a "USER LEVEL" risk analysis?

Secondly, note #1638140 says:


Resolution

The Impact Analysis type in Access Request risk analysis simulation is supposed to evaluate the HR org or position changes, which might have an impact on other users that are in the same org or assigned to the same positions. The Risk Analysis type is showing existing risks plus the risks if the new access in the request is added to the users or roles.


I am a bit confused with this statement. It says "if the new access in the request is added to the users or roles".

Can anybody please help me understand this?

Thirdly, if a request shows existing risks plus new risks if the new access (only 1 single role) in the request is added to a user, does such a request qualify for "Violation Detour" and change its path for the new role added?

Please advise.

Regards,

Faisal

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

ARM will perform a User level simulation.

As for the risks in a "Role", if you are using BRM to create and maintain roles, the 'Analyse Risk' step of the methodology and the role maintenance approval workflow will perform a Role level simulation.

alessandr0
Active Contributor
0 Kudos

Faisal,

Not really sure if I understand your doubts correctly.

The risk analysis in simulation analyzes all the current and to-be-added authorizations. Better to explain with an example.

User has ROLE_A and ROLE_B and in simulation you add ROLE_C. ROLE_A contains FB60, ROLE_B MM03 and ROLE_C FK02. Per the definition from the rule set, a violation is between FK02 and FB60. MM03, as it is only display, isn't a risk.

So the user has no risk with the current authorization (MM03, FB60). In simulation you add FK02, which conflicts with FB60, and the simulation will show a violation. In the simulation you can differentiate risks by their color, according to whether they come from existing or newly added authorization.

In simulation it is possible to simulate different scenarios like adding tcodes, roles or profiles. Be aware that if you run the simulation it always analyzes the full authorization (current and simulated).

Does this answer your question?


Regards,

Alessandro
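
The simulation logic described in Alessandro's answer, as an added example that is not part of the original thread and not SAP's implementation: a simplified user-level model where a risk is a set of conflicting transaction codes. The role contents come from the answer; the risk id `RISK_1`, the function names and the tcode-only rule format are assumptions made for illustration.

```python
from dataclasses import dataclass

# Role contents taken from the example in the answer above.
ROLE_TCODES = {
    "ROLE_A": {"FB60"},
    "ROLE_B": {"MM03"},
    "ROLE_C": {"FK02"},
}

# Constructed rule set: risk id -> transaction codes that conflict when held
# together. "RISK_1" is a placeholder id, not a real rule-set entry.
RULE_SET = {"RISK_1": frozenset({"FK02", "FB60"})}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    tcodes: frozenset
    origin: str  # "existing" or "new"


def tcodes_for(roles):
    """Flatten a list of roles into the set of transaction codes they grant."""
    result = set()
    for role in roles:
        result |= ROLE_TCODES[role]
    return result


def simulate(current_roles, requested_roles):
    """User-level simulation: analyse current plus requested access together."""
    current = tcodes_for(current_roles)
    full = current | tcodes_for(requested_roles)
    violations = []
    for risk_id, conflict in sorted(RULE_SET.items()):
        if conflict <= full:
            # "existing" if the current access alone already triggers the risk,
            # "new" if it only appears once the requested access is added.
            origin = "existing" if conflict <= current else "new"
            violations.append(Violation(risk_id, conflict, origin))
    return violations


if __name__ == "__main__":
    for v in simulate(["ROLE_A", "ROLE_B"], ["ROLE_C"]):
        print(v.risk_id, sorted(v.tcodes), v.origin)
```

The `origin` field plays the part of the color coding mentioned in the answer: the analysis always runs over the full authorization, and each violation is then labelled by whether the current access alone would already have produced it.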