on 04-09-2015 3:30 PM
Dear all.
I am considering the following two scenarios: mitigate at user level or at role level. What are the features, benefits and disadvantages of each of them?
I am wondering about two big questions which you have probably faced before for mitigation at role level.
Question 1: Role Mitigation scope. Let me explain with this example:
Question 2: Role Mitigation level during User Provisioning. Let me explain with this example:
Kind regards and thank you.
Sara.
Sara:
In role mitigation, once you have the role, then you are mitigated for the associated Risk, no matter how many roles or combinations of roles it may exist in. In your question 1, line 7, the risk analysis will show that the risk is mitigated or not show it at all, depending upon your configuration.
In your question 2, I believe that if you set the default as 'show mitigated risks', then it should show, if not then no risks should appear. I have not tested that before as I VERY RARELY ever use or recommend role mitigation.
The other item that would need to be considered is if you need to know exactly who is covered by the mitigation. This cannot be found in GRC, but needs to be extracted from the target system that the role is in and over the entire reporting period.
Hope this helps.
Kevin Tucholke
Hi Kevin.
Many thanks for your reply.
Regarding your response to question 1, I take it this is something already tested, or that you have tested this scenario, right? I am facing an error with param 1033 and I cannot proceed with the proper testing.
I have also seen the following link, where an issue and a possible enhancement are raised:
Role Level Mitigation enhancement : View Idea
Can't the problem raised be solved by indicating exactly which rule you want to mitigate?
Kind regards and thank you.
Sara.