on 07-14-2016 12:34 PM
Hello everyone,
I am a newbie to GRC and I am getting very confused by the way GRC is pulling the report.
In my organization, we have run a report on permission level.
Now this screen is showing two conflicting functions, AP02 and GL01. In both functions, the permission level is set with an AND condition for authorization object F_BKPF_BUK, but when I see the role in the backend system, the role consists of only activity 01 and not activity 02.
So my question: if it is an AND condition, GRC should not generate this as a risk because 02 is not maintained in the role. This is my understanding, please let me know if I am wrong.
Hi,
The values are maintained in the RuleBook with From Value '01' and To Value '02', which means any value falling in this range is a risk. As you said, the role has the value '01', so it is showing as a violation.
Now, in GRC the Risk Analysis Report is showing from the Rule Values and not from the Auth Values.
Rule Value : the values mentioned or maintained in the RuleBook
Auth Value : the values maintained in the Role
If '01' and '02' are maintained in two different line items (instead of a high value/low value range) in the RuleBook, it won't show the 02 value in the Risk Analysis Report.
Hello,
If you have defined a range from ACTVT 01 to 02, it is considered once a value in that particular range is present. In that case you have tcode FB01 with the ACTVT 01/02.
Let me just explain one violation (Rule ID: 01UN):
The violation exists because of the two functions (AP01 and GL01). In both functions you have transaction FB01 with resource F_BKPF_BUK and this authorization object has either activity 01 or 02, or both.
To avoid the violation, either change your rule set (if the risk shall only appear if 01 AND 02 are present, then change the function and add two line items, one with 01 and one with 02, so that they are AND connected), or change the authorization within the PFCG role.
Hope this helps.
Regards,
Alessandro
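The range versus separate-line-item behaviour described in the replies above, as an added Python sketch that is not part of the original posts and is not SAP GRC code. `PermissionLine`, `line_matches`, `function_matches` and `risk_violated` are hypothetical names, the role data is constructed, and the transaction-code (FB01) check is left out; values are assumed to be fixed-width two-digit strings so string comparison orders them correctly.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionLine:
    """One rule-book line for an authorization object field (hypothetical model)."""
    auth_object: str
    field: str
    value_from: str
    value_to: str = ""  # empty: single value, not a range

def line_matches(line, role_auths):
    """A line matches when ANY value in the role falls inside its From/To range."""
    low = line.value_from
    high = line.value_to or line.value_from
    role_values = role_auths.get((line.auth_object, line.field), set())
    return any(low <= v <= high for v in role_values)

def function_matches(lines, role_auths):
    """Lines are AND-connected: every line must match for the function to hit."""
    return all(line_matches(line, role_auths) for line in lines)

def risk_violated(functions, role_auths):
    """The risk is reported only when all conflicting functions hit."""
    return all(function_matches(lines, role_auths) for lines in functions.values())

# Constructed sample: the PFCG role carries only activity 01 for F_BKPF_BUK.
ROLE = {("F_BKPF_BUK", "ACTVT"): {"01"}}

# Rule set A: one line with a From/To range 01..02 (as in the thread).
RANGE_LINES = [PermissionLine("F_BKPF_BUK", "ACTVT", "01", "02")]

# Rule set B: two separate AND-connected lines, one for 01 and one for 02.
SPLIT_LINES = [
    PermissionLine("F_BKPF_BUK", "ACTVT", "01"),
    PermissionLine("F_BKPF_BUK", "ACTVT", "02"),
]

def demo():
    """Evaluate both rule sets against the same role."""
    return {
        "range_rule": risk_violated({"AP01": RANGE_LINES, "GL01": RANGE_LINES}, ROLE),
        "split_rule": risk_violated({"AP01": SPLIT_LINES, "GL01": SPLIT_LINES}, ROLE),
    }

if __name__ == "__main__":
    print(demo())
```

With the range line the role's single value 01 is enough to raise the violation; with two separate lines the missing 02 keeps the functions from matching.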