cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Risk Analysis generates hits because of fields in different roles

former_member282031
Explorer

on ‎07-13-2016 12:34 PM

0 Kudos

Anyone experience with this?

When I'm performing a risk analysis on HR object level, GRC is generating hits because of a combination of fields of the same authorization object coming from different roles.

Example 1/

hit generated because S_TABU_DIS-ACTVT comes from one role and S_TABU_DIS-DICBERCLS from another:

Ruleset

Example 2/

Again S_TABU_DIS: gets ACTVT and DIBCERCLS from seperate roles

ruleset

Users are linked to HR objects.

Whenever I perform the same analysis on user level, I don't get any results (which is expected & correct)

Checking HR Position assignment to users

Object 50001134

Object 50001775

Analysis

Permission rules:

Any thoughts or advice is highly appreciated





We are on GRC 10.1 SP 12

Target system has GRCPINW V1100_731 0013



Best regards,


Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎07-13-2016 3:34 PM
0 Kudos

Hi Tom,

The GRC system is likely reporting the risks accurately.  A user's authorizations are just a total combination of all the authorizations from the roles that they have.  This is why security is so tricky - you can get "cross-pollination" of authorizations for the specific auth object but from different roles.

Look into the roles involved here.  One role may have no restriction (*) on table group for S_TABU_DIS, which overrides the other restriction the user may have from another role.  Same with ACTVT values.  If any of the roles haven't been restricted enough, you will see these values from the roles in your report.

You can perform negative testing to see if the user has the flagged access or not by modeling the account in your test environment and actually attempting to perform what is being flagged as a risk.

-Ken

Show replies
Show replies
former_member282031
Explorer
‎07-13-2016 3:53 PM
0 Kudos

Ken,

Thank you for your answer. I'm very aware of accumulation of access rights.

But this is incorrect.

SAP will always check the combination of fields within the same object.

Look very carefully at my 'Detailed results' screenshots: field ACTVT for object S_TABU_DIS comes from one role and field DICBERCLS for object S_TABU_DIS comes from another role.

This is not how authorizations work.

I checked the access rights of the users via SU56 (user buffer) and via SUIM: they do NOT have access to table group SS in maintain mode (02)

Former Member
‎07-13-2016 4:02 PM
0 Kudos

Yes I understand.  Can you share the S_TABU_DIS authorization from PFCG for the roles involved?

former_member282031
Explorer
‎07-13-2016 4:10 PM
0 Kudos

Sure

Role that "gives access to ACTVT 02"

Role that "gives access" to SS

Former Member
‎07-13-2016 4:26 PM
0 Kudos

I agree, this is a false positive based on these two roles.  However, can you also provide the same screen for role LID_GEN_BC_SE16 ?

former_member282031
Explorer
‎07-14-2016 8:19 AM
0 Kudos

Sure, cfr. below

I've already opened an OSS incident. I think it's a bug for the risk analysis on HR objects. I was hoping somebody else ever had/noticed this & knew of an OSS note that solved the problem.

Thanks for your input!

Ask a Question