on 11-24-2014 12:32 PM
Dear All,
When I do risk analysis at user level for two users having similar roles, two different access risk IDs pop up for similar roles.
Any problem with risk rule setup?
Regards,
Abhisshek
Why don't you check in the back-end system if the user comparison is done or not? If yes, then try troubleshooting in Quality by assigning them the same roles and perform risk analysis.
Also, try running risk analysis at role level and make sure the data is the same for all the roles.
Abhisshek,
Did you run the synchronization jobs for users and roles? Could be that the information is not up to date.
Can you show us some printscreens from the risk analysis so that we can check ourselves?
Thanks and regards,
Alessandro
Thanks - does user CHUGA* also have rule ID 005I? And access risk P061?
The first user has the risk between F-44 (Function AP01) and MEKL (Function PR01). Does the second user have the same risk?
Please be aware that rule id 005I is part of the access risk P061 and means between transaction F-44 and MEKL. Please check if the second user has the same risk (if yes, it has to be same rule id).
Let me know.
Regards,
Alessandro
Okay - but then something with the authorization is different. Can you please also share the detail information from the first user filtered for 005I rule ID? I would like to see if the risk comes from other roles.
Detail report means in the view "Detail" as format in the result so that we can see authorization objects, etc.
Thanks in advance.
Dear Alessandro,
Please check the detail level results for first user filtered for 005I rule ID.
Action level risk analysis for first user, where rule ID 005I is popping up. Unfortunately the objects are not coming up here on action level.
Permission level risk analysis for first user. Please check the rule id.
When I do permission level risk analysis on detail level for CHUGA* no risk violation pops up.
Action level I already uploaded in previous comments.
Regards,
Abhisshek
That's really strange.
Can you check in table GRACUSERROLE that both users have the same role assignments? I am still wondering if both users have the same access as I've never heard that risk analysis is not working properly.
Alternatively you can also easily check in the backend system (the one you analyze) if both users have the same role assignments in table agr_users (filter on UNAME).
Regards,
Alessandro
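The AGR_USERS comparison suggested in the reply above can be scripted. This is an added example, not part of the thread: it assumes the table was exported to CSV with the columns UNAME, AGR_NAME, FROM_DAT and TO_DAT, and the user and role names are constructed. It goes one step beyond a plain list comparison by ignoring assignments that are not valid on the analysis date.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export of AGR_USERS (not data from the thread).
# Assumed columns: UNAME, AGR_NAME, FROM_DAT, TO_DAT (DATS format YYYYMMDD).
SAMPLE_EXPORT = """\
UNAME,AGR_NAME,FROM_DAT,TO_DAT
USER_A,Z_AP_CLERK,20140101,99991231
USER_A,Z_PURCH_INFO,20140101,99991231
USER_B,Z_AP_CLERK,20140101,99991231
USER_B,Z_PURCH_INFO,20140101,20140930
USER_B,Z_DISPLAY_ALL,20140601,99991231
"""


def parse_dats(value):
    """Parse an SAP DATS value; an initial date (00000000) maps to date.min."""
    if value.strip("0") == "":
        return date.min
    return datetime.strptime(value, "%Y%m%d").date()


def valid_roles(rows, user, on_date):
    """Return the roles of `user` whose validity window covers `on_date`."""
    return {
        row["AGR_NAME"]
        for row in rows
        if row["UNAME"] == user
        and parse_dats(row["FROM_DAT"]) <= on_date <= parse_dats(row["TO_DAT"])
    }


def compare_users(export_text, user_a, user_b, on_date):
    """Diff the currently valid role assignments of two users."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    a = valid_roles(rows, user_a, on_date)
    b = valid_roles(rows, user_b, on_date)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a), "common": sorted(a & b)}


if __name__ == "__main__":
    diff = compare_users(SAMPLE_EXPORT, "USER_A", "USER_B", date(2014, 11, 24))
    for key, roles in diff.items():
        print(f"{key}: {', '.join(roles) or '-'}")
```

Any role listed under `only_a` or `only_b` is a candidate explanation for a rule ID that shows up for one user only, including a role that both users hold on paper but that has expired for one of them.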
Okay - strange. You don't have a mitigation for the user? Could be that the risk is already mitigated. I assume that you run the online risk analysis and not checking offline data? Please also see ).
If possible you can try to regenerate the SOD rules (SPRO > GRC > AC > Access Risk Analysis > SOD Rules > Generate SOD Rules). Please be aware that generation of rules means that the current rules are overwritten and hence this cannot be performed when you have mitigations on rule level (or you have to check in detail).
Can you try to re-generate and run the risk analysis again?
Sorry for guessing around... it's a strange issue and very difficult to help as I don't have the system to check.
Regards,
Alessandro
Abhisshek,
the risk might be a combination of authorization objects that are in several roles. Means that based on your rule set and definition of the function it shows as risk. Therefore I asked for detail report where we can see all the authorization objects and its relationship to the roles.
ps. Can you please follow me so that I can send you a private message.
Regards,
Alessandro
Hi Abhisshek,
You can check the detailed Risk Analysis report to see for which role the risks are appearing, and then you can come to some conclusion. Ideally, if both have the same access, the risk IDs should be similar. But in case User A has access to an additional system compared to User B, it might show up another risk ID.
Thanks,
Mamoon