Migration from VIRSA 4.0 to GRC 10.0 (ARA)

Former Member
0 Kudos

Hi Guys,

We've just migrated from VIRSA 4.0 to GRC 10.0. We have only two connectors configured, ECC and the Finance system.

Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully (I've checked in the NWBC that the permissions appear after the risk generation, and I've also checked some tables like GRACSYSRULE and GRACACTRULE and the risks appear there).

When running a risk analysis report at user level in both systems, VIRSA 4.0 and GRC 10.0, the no. of conflicts matches, whereas the no. of mitigations does not match. Due to this mismatch we are not in a position to go 100% LIVE with GRC and decommission VIRSA. We use the concept of mitigated roles and not users. Raised the concern with SAP too 2 weeks back and no luck yet.

Has anyone faced a similar issue? Can you shed some light on how to solve it?

Many Thanks!

Ratan Roy

Accepted Solutions (1)

AndrzejP
Active Participant
0 Kudos

Hi,

we had a similar issue when migrating the rulebook from 5.3 to 10.0. The reason was that during upload ARA applied slightly different logic for AND/OR. My suggestion would be to first download the rulebook from ARA (via GRAC_DOWNLOAD_RULES) and compare (e.g. in Excel) with the one from Virsa to see if all the rules match each other (on permission level). If yes, then please check on a selected function what the discrepancies are and post some examples here.

Best regards, Andrzej.
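The permission-level comparison Andrzej suggests can be done outside Excel as well. The following is an added example, not code from the thread or from SAP; it assumes both rulebooks have already been flattened to a CSV with one permission value per line and the column names shown (the real GRAC_DOWNLOAD_RULES layout differs, so the columns here are a constructed assumption). It compares the two exports at action level and at permission level separately, which is exactly the situation described later in the thread: actions match while permission values do not.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample exports (not real Virsa or ARA output). Both are assumed
# to be flattened to one permission value per line with identical columns.
VIRSA_RULES = """risk_id,function_id,action,object,field,value_from,value_to
F020,FI01,F-02,S_TCODE,TCD,F-02,
F020,FI01,F-02,F_BKPF_BUK,ACTVT,01,
F020,FI01,F-02,F_BKPF_BUK,BUKRS,*,
F020,FI05,OB52,S_TCODE,TCD,OB52,
F020,FI05,OB52,F_BKPF_BUK,ACTVT,02,
B001,BS01,FB01,S_TCODE,TCD,FB01,
"""

# Same risks and actions, but one ACTVT value became a range 01-02 and one
# permission line is missing entirely: the kind of upload difference that
# leaves action-level counts intact and changes permission-level results.
ARA_RULES = """risk_id,function_id,action,object,field,value_from,value_to
F020,FI01,F-02,S_TCODE,TCD,F-02,
F020,FI01,F-02,F_BKPF_BUK,ACTVT,01,02
F020,FI01,F-02,F_BKPF_BUK,BUKRS,*,
F020,FI05,OB52,S_TCODE,TCD,OB52,
B001,BS01,FB01,S_TCODE,TCD,FB01,
"""

# Column order of the comparison key. The first three columns identify a rule
# at action level; all seven identify it at permission level.
RULE_KEY = ("risk_id", "function_id", "action", "object", "field",
            "value_from", "value_to")
ACTION_LEVEL = 3
PERMISSION_LEVEL = len(RULE_KEY)


def parse_rules(csv_text):
    """Read a flattened rule export into a set of normalised key tuples."""
    rules = set()
    for row in csv.DictReader(StringIO(csv_text)):
        # Trim whitespace and ignore case so cosmetic differences do not count.
        rules.add(tuple(row[col].strip().upper() for col in RULE_KEY))
    return rules


def project(rules, depth):
    """Reduce each rule to its first `depth` key columns (action or permission level)."""
    return {rule[:depth] for rule in rules}


def diff_at(virsa, ara, depth):
    """Return, per risk ID, the rules present in only one of the two exports."""
    v, a = project(virsa, depth), project(ara, depth)
    report = defaultdict(lambda: {"only_in_virsa": [], "only_in_ara": []})
    for rule in sorted(v - a):
        report[rule[0]]["only_in_virsa"].append(rule)
    for rule in sorted(a - v):
        report[rule[0]]["only_in_ara"].append(rule)
    return dict(report)


def format_report(report):
    """Render the discrepancy report as plain text lines, one per rule."""
    lines = []
    for risk_id in sorted(report):
        for side, rules in report[risk_id].items():
            for rule in rules:
                lines.append("%s  %s  %s" % (risk_id, side, "|".join(rule)))
    return lines


if __name__ == "__main__":
    virsa = parse_rules(VIRSA_RULES)
    ara = parse_rules(ARA_RULES)
    print("Action level discrepancies:", diff_at(virsa, ara, ACTION_LEVEL))
    print("Permission level discrepancies:")
    for line in format_report(diff_at(virsa, ara, PERMISSION_LEVEL)):
        print(" ", line)
```

Running the script shows an empty action-level report and three permission-level lines for F020, all on F_BKPF_BUK ACTVT. That is the list to take to a single function, as the post suggests, rather than trying to reconcile whole risk counts.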

Former Member
0 Kudos

Thanks! Andrzej.

How do I get the rulebook from VIRSA 4.0?

I have compared all the risk IDs that have discrepancies between 4 and 10 and found that all the actions and functions match.

Thanks in advance.

Regards

Ratan

Former Member
0 Kudos

Hi Andrzej,

There are differences in permissions for some of the actions in functions between VIRSA 4.0 and GRC 10.0.

Please suggest a possible solution to match the mitigation counts between both systems.

Thanks & Regards

Ratan

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

in SAP note 1758853 you can find a detailed guide on how to download rules in a 4.0 environment.

Best regards, Andrzej

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

it depends on what difference you have. Below I have listed the key SAP Notes which helped me to resolve issues; maybe they will also be useful for your case: 1026576, 1330165, 1514544, 1655862.

Best regards, Andrzej

Former Member
0 Kudos

Hi Andrzej,

Thanks for all the SAP notes. Still, we are wondering why the mitigations don't match whereas all the violations match between 4 and 10.

Also, it would be really helpful if you could let us know what the logic is behind calculating the mitigation count in both VIRSA and GRC.

Thanks in advance.

Regards

Ratan

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

Please let me know which report exactly in ARA you check to verify the mitigation count, and what the discrepancies in mitigations are.

Best regards, Andrzej

Former Member
0 Kudos

Hi Andrzej,

We run a user level simulation report to get a month-end audit report. We also check the dashboard reports.

For various risk IDs the mitigations are not the same as the no. of violations in GRC. Also, when we compare the same report between 4 and 10, the violations match but the mitigations don't.

The risk IDs are not static. For example, for the risk ID F018 the violation and mitigation match for the month of June and they don't match for the month of July.

Thanks & Regards

Ratan.

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

For the calculation basis you could check:

- for SAP GRC 10 -  http://service.sap.com/sap/support/notes/1179717

- for Virsa 4.0 - http://service.sap.com/sap/support/notes/1072971

When I went through the Virsa 4.0 documents I also noted that there were many corrections to mitigation (like a problem with mitigation of composite roles: http://service.sap.com/sap/support/notes/1721822, or locked / expired users: http://service.sap.com/sap/support/notes/1013217), so maybe the issue is there? Do you have any regularities in those discrepancies?

Best regards, Andrzej

Former Member
0 Kudos

Thanks! Andrzej.

Let me know one thing. If we do the migration from VIRSA 4.0 to GRC 10.0, is it necessary that all the mitigations between both systems should match?

We have only 2 systems connected: one is ECC and the other one is the Finance box.

Also, we do not have any composite roles and no concept of mitigated users.

Thanks & Regards

Ratan

Former Member
0 Kudos

Also, the no. of risk IDs is not the same when running a user level risk analysis. For a particular user Virsa reads only 35 risks and GRC reads 65 risks.

Thanks

Ratan

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

this is a good question, whether everything should match 1:1 between the two tools. If you are really having a hard time reconciling, maybe you could compare results directly with ECC: just run the report from GRC/Virsa for a selected risk (which does not match), then check in ECC which result is correct.

If you confirm that the reports from GRC 10 give correct results, personally I do not think it would be required to agree them 1:1 with Virsa 4.0, especially since (as I have mentioned above) Virsa had some bugs which may have had implications on results.

Please let me know what you think.

Best regards, Andrzej

Former Member
0 Kudos

Thanks Andrzej for all your help and support.

One more thing I missed mentioning earlier: while migrating from 4 to 10 we uploaded the mitigated users from Virsa, and later, on business demand, we deleted all the mitigated users from the GRC 10 system manually, as the business wants to go with the logic of mitigated roles rather than mitigated users. Could this deletion of mitigated users cause the conflicts in counts? Could I upload those mitigated users in the GRC-DEV box and check the counts? If yes, then please let me know the procedure to upload only mitigated users.

Many thanks in advance.

Regards

Ratan

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

yes, it may be the cause. Here you have links to interesting threads regarding uploading mitigated users:

That should help.

Best regards, Andrzej

Former Member
0 Kudos

Hi Andrzej,

Thanks for the reply.

I have one more simple question: how can I change the violation or mitigation counts for any risk IDs?

Say for example: I wanted to make changes in the violation and mitigation counts in the below-mentioned risk.

Access Risk ID   Risk Description                                          No. of Conflict   No. of Mitigation   SOD Object
F020             Open closed periods previously enter incoming payments    72                45

AndrzejP
Active Participant
0 Kudos

Hi Ratan,

not sure what you mean by changing counts... If you would like to reduce the number of false positives you could use organization rules or run reports on permission level. Furthermore, you could set parameter 1012 (mitigation) to NO to include all rules when mitigating an access risk, and by setting parameter 1030 to NO you could avoid reporting mitigated risks... Does it meet your requirement or do you need something different?

Best regards,  Andrzej

Former Member
0 Kudos

Hi Andrzej,

Thanks for the reply.

I have been asked how the mitigation and violation counts are populated. I tried adding some critical transactions and permissions and then assigning the mitigation ID to the risk ID F020 and then ran the report, but still the violation and mitigation counts are the same, 72 and 45 respectively.

The question is what the contributing factor to the violation and mitigation is, so that its count changes.

Thanks & Regards

Ratan

Answers (1)

Former Member
0 Kudos

Hi Ratan,

Is this issue resolved?