on 11-27-2015 3:34 AM
Dear experts,
In our ad-hoc user-level risk analysis, the field role/profile contains role information for some users but profile information for others.
Is this normal behavior? Is there a way to configure it to show only, say, role information?
We are in GRC 10.0 SP19.
Thanks in advance for your time and help.
For user SD001, it shows the role:
For another user, it shows profile:
Hi Emma,
In the ad-hoc analysis you cannot exclude objects (e.g. direct profiles like SAP_ALL).
Since SAP_ALL does not originate from a role, you will see the profile/subprofile instead of a role.
In Batch Risk Analysis, excluding objects is possible (Users, Roles, Profiles, User Groups).
-Tuomas
Dear Tuomas,
Thanks a lot for your explanation.
I am still confused though: which table does the data for this particular field role/profile come from?
Because I looked at tables GRACUSERROLE and GRACRLCONN, and there are many roles for this user. I wonder why the system didn't show the real role name.
Hi Emma,
Profile/User assignments can be found in the GRACUSERPROFILE table.
Repository object sync updates these tables with the relations, but ad-hoc analysis checks current assignments from the target system, without updating these tables.
You can refer to the following document about the repository synchronization:
The above postings are right. It is due to the user having profile SAP_ALL. We fixed the issue with development.
Hi Emma,
SAP_ALL is contributing to risks (all risks in the ruleset), and is therefore reported in the Risk Analysis report. Attempting to prevent the system from evaluating risks against profiles would undermine the integrity of the report, as SAP_ALL contributes to every single risk by virtue of granting all access in the system. You should remove SAP_ALL and similar profiles from the test accounts and only assign roles. Then, you will see only roles reported.
-Ken