
Different risk popping up for different user on same roles.

former_member399658
Participant
0 Kudos

Dear All,

When I am doing risk analysis on user level for two users having similar roles, there are two different access risk IDs popping up for similar roles.

Any problem with risk rule setup?

Regards,

Abhisshek

Accepted Solutions (0)

Answers (3)


0 Kudos

Why don't you check in the back-end system if the user comparison is done or not? If yes, then try troubleshooting in Quality by assigning them the same roles and performing risk analysis.

Also, try running risk analysis at role level and make sure the data is the same for all the roles.

alessandr0
Active Contributor
0 Kudos

Abhisshek,

Did you run the synchronization jobs for users and roles? Could be that the information is not up to date.

Can you show us some printscreens from the risk analysis so that we can check ourselves?

Thanks and regards,

Alessandro

former_member399658
Participant
0 Kudos

Dear Alessandro,

The synchronization jobs are running in background and scheduled for Repository, authorization and FF log.

Please check the printscreen with exported risk analysis result.

alessandr0
Active Contributor
0 Kudos

Thanks - does user CHUGA* also have rule id 005I? And access risk P061?

The first user has the risk between F-44 (Function AP01) and MEKL (Function PR01). Does the second user have the same risk?

Please be aware that rule id 005I is part of the access risk P061 and means between transaction F-44 and MEKL. Please check if the second user has the same risk (if yes, it has to be same rule id).

Please also see here: and

Let me know.

Regards,

Alessandro

former_member399658
Participant
0 Kudos

Dear Alessandro,

The user CHUGA* does not have rule ID 005I and risk P061 but has function AP01 with different action F-51.

Also F-44 is also different access risk IDs.

Looks like business has not defined the ruleset correctly. Please advise.

Regards,

Abhishek

alessandr0
Active Contributor
0 Kudos

Can you please show the role assignments for both users? As it seems that the second user CHUGA* doesn't have access to MEKL and hence the risks are not similar.

Regards,

Alessandro

former_member399658
Participant
0 Kudos

Dear Alessandro,

The second user CHUGA* does have access to MEKL.

Why during risk analysis the risk P061 is not popping up for CHUGA*?

Regards,

Abhisshek

alessandr0
Active Contributor
0 Kudos

Okay - but then something with the authorization is different. Can you please also share the detail information from the first user filtered for 005I rule ID? I would like to see if the risk comes from other roles.

Detail report means in the view "Detail" as format in the result so that we can see authorization objects, etc.

Thanks in advance.

former_member399658
Participant
0 Kudos

Dear Alessandro,

Please check the detail level results for first user filtered for 005I rule ID.

Action level risk analysis for first user where 005I rule id is popping up; unfortunately the objects are not coming up here on action level.

Permission level risk analysis for first user. Please check the rule id.

When I do permission level risk analysis on detail level for CHUGA* no risk violation pops up.

Action level I already uploaded in previous comments.

Regards,

Abhisshek

alessandr0
Active Contributor
0 Kudos

That's really strange.

Can you check in table GRACUSERROLE that both users have the same role assignments? I am still wondering if both users have the same access as I've never heard that risk analysis is not working properly.

Alternatively you can also check in the backend system (the one you analyze) if both users have the same role assignments easily in table agr_users (filter on UNAME).

Regards,

Alessandro

former_member399658
Participant
0 Kudos

Dear Alessandro,

I just checked the table AGR_USERS and both have similar composite roles which are popping up as different risk as per the previous screenshot and comments.

Regards,

Abhisshek


alessandr0
Active Contributor
0 Kudos

Okay - strange. You don't have a mitigation for the user? Could be that the risk is already mitigated. I assume that you run the online risk analysis and not checking offline data? Please also see ).

If possible you can try to regenerate the SOD rules (SPRO > GRC > AC > Access Risk Analysis > SOD Rules > Generate SOD Rules). Please be aware that generation of rules means that the current rules are overwritten and hence this cannot be performed when you have mitigations on rule level (or you have to check in detail).

Can you try to re-generate and run the risk analysis again?

Sorry for guessing around... it's a strange issue and very difficult to help as I don't have the system to check.

Regards,

Alessandro

former_member399658
Participant
0 Kudos

Dear Alessandro,

That's perfectly fine! Your efforts are really appreciated.

I just did risk analysis on role level; what surprised me is that P061 didn't pop up as an access risk for the same role which is popping up as a risk on user level risk analysis.

Regards,

Abhisshek

alessandr0
Active Contributor
0 Kudos

Abhisshek,

The risk might be a combination of authorization objects that are in several roles. Means that based on your rule set and definition of the function it shows as risk. Therefore I asked for detail report where we can see all the authorization objects and their relationship to the roles.

PS: Can you please follow me so that I can send you a private message.

Regards,

Alessandro
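
Added example, not part of the original thread: a simplified Python model of action-level analysis illustrating the reply above, where risk P061 (rule ID 005I, F-44 with MEKL) can appear at user level while no single role triggers it. Role names, user names and role contents are constructed assumptions, and only the one rule named in the thread is modelled.

```python
# Simplified action-level SoD check (constructed model, not SAP GRC code).
# Only the rule named in the thread is modelled: rule ID 005I of access
# risk P061 = F-44 (function AP01) together with MEKL (function PR01).
RULES = {
    "005I": {"risk": "P061", "actions": frozenset({"F-44", "MEKL"})},
}

# Constructed role contents; role names are hypothetical.
ROLE_ACTIONS = {
    "Z_AP_CLEARING": {"F-44"},
    "Z_AP_POSTING": {"F-51"},
    "Z_PR_CONDITIONS": {"MEKL"},
}

# Constructed assignments, shaped like AGR_USERS rows (UNAME -> roles).
USER_ROLES = {
    "USER_A": ["Z_AP_CLEARING", "Z_PR_CONDITIONS"],
    "USER_B": ["Z_AP_POSTING", "Z_PR_CONDITIONS"],
}


def violations(actions):
    """Return sorted (risk, rule_id) pairs whose actions are all present."""
    return sorted(
        (rule["risk"], rule_id)
        for rule_id, rule in RULES.items()
        if rule["actions"] <= set(actions)
    )


def role_level(role):
    """Analyse one role in isolation."""
    return violations(ROLE_ACTIONS[role])


def user_level(user):
    """Analyse the union of actions from every role the user holds."""
    combined = set()
    for role in USER_ROLES[user]:
        combined |= ROLE_ACTIONS[role]
    return violations(combined)


def contributing_roles(user, rule_id):
    """Map each action of a rule to the user's roles that grant it."""
    return {
        action: [r for r in USER_ROLES[user] if action in ROLE_ACTIONS[r]]
        for action in sorted(RULES[rule_id]["actions"])
    }
```

`contributing_roles` is the kind of breakdown a detail-format report gives: which role supplies each side of the conflict, which is what distinguishes two users whose role lists only look similar.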

mamoonr
Active Participant
0 Kudos

Hi Abhisshek,

You can check the detailed Risk Analysis report. For which role, risks are appearing and then further you can come to some conclusion. Ideally if both have same access, risk ids should be similar. But in case user A have access to additional system compared to User B, it might show up another risk id.

Thanks,

Mamoon

former_member399658
Participant
0 Kudos

Dear Mamoon,

I checked on detail level analysis only with similar roles different risk popping up.

I also checked the other SAP system both users have access to APO and BW.

Regards,

Abhisshek

mamoonr
Active Participant
0 Kudos

Hi Abhisshek,

Generate the rule set and then try.

Thanks,

Mamoon