on 08-14-2014 8:36 PM
Hi Guys,
We've just migrated from VIRSA 4.0 to GRC 10.0. We have only two connectors configured: ECC and Finance System.
Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully (I've checked in the NWBC that the permissions appear after the risk generation, and I've also checked some tables like GRACSYSRULE and GRACACTRULE and the risks appear there).
When running a risk analysis report at user level in both systems, VIRSA 4.0 and GRC 10.0, the no. of conflicts matches whereas the no. of mitigations does not match. Due to this mismatch we are not in a position to go 100% LIVE with GRC and decommission VIRSA. We use the concept of mitigated roles and not users. Raised the concern with SAP too 2 weeks back and no luck yet.
Has anyone faced a similar issue? Can you shed some light on how to solve it?
Many Thanks!
Ratan Roy
Hi,
we had a similar issue when migrating the rulebook from 5.3 to 10.0. The reason was that during upload ARA applied slightly different logic for AND/OR. My suggestion would be first to download the rulebook from ARA (via GRAC_DOWNLOAD_RULES) and compare it (e.g. in Excel) with the one from Virsa to see whether all the rules match each other (on permission level). If yes, then please check on selected functions what the discrepancies are and post some examples here.
Best regards, Andrzej.
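The permission-level comparison suggested above, as an added example that is not code from this thread or from SAP: both exports are assumed to have been saved as CSV with the columns RISK_ID, FUNCTION, ACTION, OBJECT, FIELD, VALUE (an assumed layout, not the actual GRAC_DOWNLOAD_RULES format), and the function IDs and permission rows below are constructed sample data.

```python
"""Reconcile two SoD rulebook exports at permission level.

Each rulebook is normalised to {(risk, function, action): {permission rows}}
so that rules present in one export but not the other stand out, which is
where AND/OR handling differences during upload typically show up.
"""
import csv
import io
from collections import defaultdict

# Constructed sample exports (assumed CSV layout, not the real export format).
VIRSA_EXPORT = """RISK_ID,FUNCTION,ACTION,OBJECT,FIELD,VALUE
F018,AP01,F-28,F_BKPF_BUK,ACTVT,01
F018,AP01,F-28,F_BKPF_BUK,BUKRS,*
F018,GL02,OB52,F_BKPF_BUK,ACTVT,02
F020,AP02,F-53,F_BKPF_BUK,ACTVT,01
"""
GRC_EXPORT = """RISK_ID,FUNCTION,ACTION,OBJECT,FIELD,VALUE
F018,AP01,F-28,F_BKPF_BUK,ACTVT,01
F018,AP01,F-28,F_BKPF_BUK,BUKRS,*
F018,GL02,OB52,F_BKPF_BUK,ACTVT,02
F018,GL02,OB52,F_BKPF_BUK,ACTVT,03
F020,AP02,F-53,F_BKPF_BUK,ACTVT,01
"""


def load_rules(text):
    """Group permission rows by (risk, function, action)."""
    rules = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["RISK_ID"], row["FUNCTION"], row["ACTION"])
        rules[key].add((row["OBJECT"], row["FIELD"], row["VALUE"]))
    return rules


def compare_rulebooks(old_text, new_text):
    """Return {key: (only_in_old, only_in_new)} for keys whose permissions differ."""
    old, new = load_rules(old_text), load_rules(new_text)
    diff = {}
    for key in sorted(set(old) | set(new)):
        a, b = old.get(key, set()), new.get(key, set())
        if a != b:
            diff[key] = (sorted(a - b), sorted(b - a))
    return diff


if __name__ == "__main__":
    for key, (only_old, only_new) in compare_rulebooks(VIRSA_EXPORT, GRC_EXPORT).items():
        print(key, "only in Virsa:", only_old, "only in GRC:", only_new)
```

Any key reported here is a candidate to look at in detail on the selected function, as Andrzej suggests, before comparing mitigation counts.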
Hi Andrzej,
Thanks for all the SAP notes. Still we are wondering why the mitigations don't match whereas all the violations match between 4 and 10.
Also it would be really helpful if you could let us know what the logic is behind calculating the mitigation count in both VIRSA and GRC.
Thanks in advance.
Regards
Ratan
Hi Andrzej,
We run a user-level simulation report to get a month-end audit report. We also check the dashboard reports.
For various risk IDs the no. of mitigations is not the same as the no. of violations in GRC. Also, when we compare the same report between 4 and 10, the violations match but the mitigations don't.
The risk IDs are not static. For example, for risk ID F018 the violation and mitigation counts match for the month of June but don't match for the month of July.
Thanks & Regards
Ratan.
Hi Ratan,
For the calculation basis you could check:
- for SAP GRC 10 - http://service.sap.com/sap/support/notes/1179717
- for Virsa 4.0 - http://service.sap.com/sap/support/notes/1072971
When I went through the Virsa 4.0 documents I also noted that there were many corrections to mitigation (like the problem with mitigation of composite roles: http://service.sap.com/sap/support/notes/1721822 or locked / expired users: http://service.sap.com/sap/support/notes/1013217), so maybe the issue is there? Do you see any regularities in those discrepancies?
Best regards, Andrzej
Thanks! Andrzej.
Let me know one thing. If we do the migration from VIRSA 4.0 to GRC 10.0, is it necessary that all the mitigations between both systems should match?
We have only 2 systems connected: one is ECC and the other one is a Finance box.
Also we do not have any composite roles and no concept of mitigated users.
Thanks & Regards
Ratan
Hi Ratan,
this is a good question, whether everything should match 1:1 between the two tools. If you have a really hard time reconciling, maybe you could compare results directly with ECC: just run the report from GRC/Virsa for a selected risk (which does not match), then check in ECC which result is correct.
If you confirm that the reports from GRC 10 give correct results, personally I do not think it would be required to reconcile them 1:1 with Virsa 4.0, especially since (as I mentioned above) Virsa had some bugs which may have had implications on the results.
Please let me know what you think.
Best regards, Andrzej
Thanks Andrzej for all your help and support.
One more thing I missed mentioning earlier: while migrating from 4 to 10 we uploaded the mitigated users from Virsa, and later, on business demand, we deleted all the mitigated users from the GRC 10 system manually, as the business wants to go with the logic of mitigated roles rather than mitigated users. Could this deletion of mitigated users cause the mismatch in counts? Can I upload those mitigated users in the GRC-DEV box and check the counts? If yes, then please let me know the procedure to upload only mitigated users.
Many thanks in advance.
Regards
Ratan
Hi Andrzej,
Thanks for the reply.
I have one more simple question: how can I change the violation or mitigation counts for any risk IDs?
Say for example: I wanted to make changes to the violation and mitigation counts for the risk mentioned below.
Access Risk ID | Risk Description | No. of Conflict | No. of Mitigation | SOD Object |
F020 | Open closed periods previously enter incoming payments | 72 | 45 |
Hi Ratan,
Not sure what you mean by changing counts... If you would like to reduce the number of false positives you could use organization rules or run reports on permission level; furthermore you could set up parameter 1012 (mitigation) to NO, to include all rules when mitigating an access risk, and by setting parameter 1030 to NO you could avoid reporting mitigated risks... Does it meet your requirement or do you need something different?
Best regards, Andrzej
Hi Andrzej,
Thanks for the reply.
I have been asked how the mitigation and violation counts are getting populated. I tried adding some critical transactions and permissions and then assigning the mitigation ID to risk ID F020, and then ran the report, but the violation and mitigation counts are still the same, 72 and 45 respectively.
The question is what the contributing factor to the violation and mitigation counts is, so that the counts change.
Thanks & Regards
Ratan
Hi Ratan,
Is this issue resolved?