
GRC online ad-hoc user level risk analysis role/profile field

Former Member
0 Kudos

Dear experts,

In our ad-hoc user level risk analysis, the field role/profile contains role information for some users but the profile information for others.

Is this normal behavior? Is there a way to configure it to only show, say, role information?

We are in GRC 10.0 SP19

Thanks in advance for your time and help.

For user SD001, it shows the role:

For another user, it shows profile:

Accepted Solutions (1)

Former Member
0 Kudos

Hi Emma,

In the ad-hoc analysis you cannot exclude objects (e.g. direct profiles like SAP_ALL).

Since SAP_ALL does not originate from a role, you will see the profile/subprofile instead of a role.

In Batch Risk Analysis, excluding objects is possible (Users, Roles, Profiles, User Groups).

-Tuomas

Former Member
0 Kudos

Dear Tuomas,

Thanks a lot for your explanation.

I am still confused though: from which table does the data for this particular field role/profile come?

Because I looked at tables GRACUSERROLE and GRACRLCONN, there are many roles for this user. I wonder why the system didn't show the real role name.

Former Member
0 Kudos

Hi Emma,

Profile/User assignments can be found in the GRACUSERPROFILE table.

Repository object sync updates these tables with the relations, but ad-hoc analysis checks current assignments from the target system, without updating these tables.


You can refer to the following document about the repository synchronization:

The details of the database tables involved in repository sync job. - Governance, Risk and Complianc...

Answers (2)

Former Member
0 Kudos

The above postings are right. It is due to the user having profile SAP_ALL. We fixed the issue with development.

Former Member
0 Kudos

Hi Emma,

SAP_ALL is contributing to risks (all risks in the ruleset), and is therefore reported in the Risk Analysis report.  Attempting to prevent the system from evaluating risks against profiles would undermine the integrity of the report, as SAP_ALL contributes to every single risk by virtue of granting all access in the system.  You should remove SAP_ALL and similar profiles from the test accounts and only assign roles.  Then, you will see only roles reported.

-Ken