on 07-13-2016 12:34 PM
Anyone experience with this?
When I'm performing a risk analysis on HR object level, GRC is generating hits because of a combination of fields of the same authorization object coming from different roles.
Example 1/
hit generated because S_TABU_DIS-ACTVT comes from one role and S_TABU_DIS-DICBERCLS from another:
Ruleset
Example 2/
Again S_TABU_DIS: gets ACTVT and DIBCERCLS from seperate roles
ruleset
Users are linked to HR objects.
Whenever I perform the same analysis on user level, I don't get any results (which is expected & correct)
Checking HR Position assignment to users
Object 50001134
Object 50001775
Analysis
Permission rules:
Any thoughts or advice is highly appreciated
We are on GRC 10.1 SP 12
Target system has GRCPINW V1100_731 0013
Best regards,
Hi Tom,
The GRC system is likely reporting the risks accurately. A user's authorizations are just a total combination of all the authorizations from the roles that they have. This is why security is so tricky - you can get "cross-pollination" of authorizations for the specific auth object but from different roles.
Look into the roles involved here. One role may have no restriction (*) on table group for S_TABU_DIS, which overrides the other restriction the user may have from another role. Same with ACTVT values. If any of the roles haven't been restricted enough, you will see these values from the roles in your report.
You can perform negative testing to see if the user has the flagged access or not by modeling the account in your test environment and actually attempting to perform what is being flagged as a risk.
-Ken
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Ken,
Thank you for your answer. I'm very aware of accumulation of access rights.
But this is incorrect.
SAP will always check the combination of fields within the same object.
Look very carefully at my 'Detailed results' screenshots: field ACTVT for object S_TABU_DIS comes from one role and field DICBERCLS for object S_TABU_DIS comes from another role.
This is not how authorizations work.
I checked the access rights of the users via SU56 (user buffer) and via SUIM: they do NOT have access to table group SS in maintain mode (02)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.