RAR 5.3 - Mitigating Control Mass Upload

Similar Messages

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• Error while uploading mitigation controls

  Dear All,
  While uploading the mitigation controls i am facing with the below error. Can you please help me in resolving this error.
  Error in table dataVIRSA_CC_MITUSER
  SQL:=>Insert into  VIRSA_CC_MITMON(MITREFNO,MONITORID) Values(?,?)
  Record::Line Number :21 : D VIRSA_CC_MITMON TESTC1 TEST1
  Below is the text file which i am uploading into the RAR for test purposes
  M     VIRSA_CC_ADMIN     USERID     NAME     EMAILID     ROLEID               
  D     VIRSA_CC_ADMIN     TEST1     TEST1     test     M          
  M     VIRSA_CC_BUSUNIT     BUSID                              
  D     VIRSA_CC_BUSUNIT     TH                              
  M     VIRSA_CC_BUSUNITT     BUSID     LANG     DESCN                    
  D     VIRSA_CC_BUSUNITT     TH     EN     Thailand                    
  M     VIRSA_CC_BUAPPVR     BUSID     APPROVERID                    
  D     VIRSA_CC_BUAPPVR     TH     TEST1                         
  M     VIRSA_CC_BUMONITOR     BUSID     MONITORID                         
  D     VIRSA_CC_BUMONITOR     TH     TEST1                         
  M     VIRSA_CC_MITREF     MITREFNO     BUSID     APPROVERID               
  D     VIRSA_CC_MITREF     TESTC1     TH     TEST1                    
  M     VIRSA_CC_MITREFT     MITREFNO     LANG     DESCN                    
  D     VIRSA_CC_MITREFT     TESTC1     EN     Test mitigation control               
  M     VIRSA_CC_MITRISK     MITREFNO     RISKID                         
  D     VIRSA_CC_MITRISK     TESTC1     F006*                         
  M     VIRSA_CC_MITMON     MITREFNO     MONITORID                         
  D     VIRSA_CC_MITMON     TESTC1     TEST1                         
  M     VIRSA_CC_MITRPT     MITREFNO     ACTIONS     VSYSKEY     MONITORID     FREQUENCY          
  M     VIRSA_CC_MITUSER     MITREFNO     RISKID     USERID     VALIDFROM     VALIDTO     MONITORID     STATUS
  M     VIRSA_CC_MITROLE     MITREFNO     RISKID     ROLEID     VALIDFROM     VALIDTO     MONITORID     STATUS
  D     VIRSA_CC_MITROLE     TESTC1     F006*     Z1.*.ASST-SC-FINC-MGR     6/9/2010     7/25/2010     TEST1     0     
  M     VIRSA_CC_MITHROBJ     MITREFNO     RISKID     HROBJ     HROBJTYP     VALIDFROM     VALIDTO     MONITORID     STATUS
  M     VIRSA_CC_MITPROF     MITREFNO     RISKID     PROFILE     VALIDFROM     VALIDTO     MONITORID     STATUS
  M     VIRSA_CC_MITUSRORG     MITREFNO     RISKID     USERID     ORGRULEID     VALIDFROM     VALIDTO     MONITORID     STATUS
  M     VIRSA_CC_DETDESC     OBJECT_TYPE     OBJECT_ID     LANG     DETAIL_DESCN     
  D     VIRSA_CC_DETDESC     MIT     TESTC1     EN     Test Mitigation control                    
  We are not mitigating users now. Only roles are getting mitigated and hence we have not provided any values to the MIT USER table.
  Thanks and Best Regard,
  Srihari.K

  Dear Varun,
  Thanks for your reply. It helped me a lot. But however i am facing the following issue while uploading the mitigation controls
  After exporting the mitigation file from RAR, we opened the text file in a spreadsheet format and added few lines to the file and saved in the same text format or in UTF-8 format also
  After uploading the same into RAR again after changes we are facing similar errors mentioned in above query.
  But when we add lines  directly in the wordpad and upload the file then it is successful.
  We have to add so many mitigation controls and roles to be assigned for which excel would be easy way to dump.
  Is there anything wrong we  are doing here in editing and converting the files.
  Thanks and Best Regards,
  Srihari.K

• Mass maintenance of Mitigation controls in GRC 10.0

  Dear All,
  How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• Mitigation controls assignation to users in RAR

  Hi,
  While assigning mitigation control to the users (RAR>Mitigation> Mitigated Users-->Add), it is only possible to assign 1 user at a time...Would it be possible to assign more than 1 user through multiple selection
  Thanks
  Abhijeet

  Abhijeet,
  From that path, you cannot assign multiple users at once however, if authorised, you can upload mitigation controls and within the upload files, you can upload users assigned to them.
  Simon

• RAR 5.3 SP10 Mitigating Control Import Utility

  All -
  I exported my mitigating controls from a RAR 5.3 SP9 system and imported them into a 5.3 SP10 system. I received a successful confirmation of the import, but when I "searched" my mitigating controls there were duplicated mitigating control numbers. It looks like the import tool duplicated the mitigating control ID for every "monitor" assigned to the mitigating control number. For example, mitigating control MC00000001 with Monitor1, Monitor2, & Monitor3 equated to 3 entries of MC00000001. If I try to delete 2 of the 3 entries, I receive a "Successfully deleted" message and get the error "Exception!!. No relavent language message available in database for :0053". When I "search" again, the mtigating control is no longer there (as expected).
  I confirmed my mitigating control import file does not have the multiple entries.
  Any ideas?
  Thanks,
  Daniel

  Venky,
  Thank you for your response. The message issue actually wasn't the one that I was asking about, but thanks for the heads up. The main issue is that RAR (5.3 SP10) is multiplying mitigating control entries for the number of monitors assigned to the mitigating control. It appears to be an issue with SP10 as it did not occur in SP9. I'm trying to see if anyone knows what the fix is.
  Thanks,
  Daniel

• Uploading mitigating controls - UAT to production system

  Dear gurus
  Before i place the issue i would like to give some background: In the Production system of Complaince calibrator we have 3 systems assigned Production, UAT and Develeopment. We are the implementation team and are not authorised to assign the mitigating controls for users in production system , therefore before going live we have assigned the mitigating controls to same set of users in UAT system in the production system of compliance calibrator. Now the region has gone live and the same set of mitigating controls needs to be assigned to same set of users with same risks to production system users.
  Issue: Now there are over 100 users and its not feasible for us to manually once again assign the same mitigating controls to the users. is there a posiibility to automate this assignment or will we have to do it manually. In case we can automate then how? in case we have to manually do it what is the best way to cover the users faster.
  Thanks in advance
  Vani

  Thanks Frank, Would you advise which would be the better editor?
  Hi Alpesh,
  If i understand correct, you mean to say that its the same table, since its the same RAR production system, but currently while adding the mitigations I would have chosen the users as mentioned in UAT system that is attached to RAR production, but how do I make it as production system? If i go by what you say, I should add the user ids as per the production backend system in the same tabel and then it will automatically pick it while running reports for production users, is that correct?

• Reports in Mitigation Controls RAR

  HI,
  Does anyone know what are reports in the mitigation control setup? Reports are transactions or just reflects numbered activities that the monitor must realize?
  Kind regards,
  RCL.

  Hi RCL
  If you are using any SAP report as a mitigating control you can give its name  there. In addition in the Frequency field you can give the frequency at which the report should be executed. and if that report is not executed at the stated frequency RAR can send an alert to the montior of Mitigating control
  Parveen

• Mass application of mitigating control to users

  Hello
  Is there a way to apply a mitigating control to a large number of users at the user level (not at the role level)?  We have an SOD for the ability to park and post GL entries for which we have a monitoring control.  There are a large number of users that have this access. 
  Is there a way to - in mass - apply a mitigating control at the user level?
  Thank you in advance,
  JD Schmidt

  Hi JD,
  thats the way the software logic works.
  Question is why you would mitigate such a mass of users and instead choose to mitigate that role.
  Or out of an auditor, why would such a mass of useres need authorizations which cause an SoD violation.
  Best,
  Frank

• RAR 5.3 SP8 - Invalid Mitigating Controls Report Issue

  Hello,
  When I view the Invalid Mit Controls Report, and I click the "Click to Change" button, it brings me to blank mitigating controls screen with an error at the bottom of the screen that reads "Category should be U, R, P, H or O"
  Has anyone seen this before? The log shows nothing when I look to it to view more info about the error...
  Any troubleshooting tips or is this something I need to bring up with SAP?
  Thanks!
  Jes

  yep

• RAR: Mitigation Control Monitoring

  Hi,
  I have configured and executed alert generation job but we are not able to obtain the alerts for mitigation control monitoring.
  What we have done:
  1) Define mitigation control including transaction XXXX to be executed daily
  2) Monitor has executed thansaction XXXX on day 1
  3) Alert generation job has been executed on day 1 (after step 2)
  3) Monitor has not executed transaction XXXX on day 2
  4) Alert generation job has been executed on day 2 BUT alert for control monitoring are not obtained.
  Does anyone know why we are not getting the alerts for control monitoring?
  Thanks in advance. Kind regards,
    Imanol

  What is value of number of days for this Monitoring in Mit Control?
  Is email id of Monitor maintained in Alert tab?

• Report tab in mitigating control - RAR 5.3

  While creating mitigating control there are 3 tabs - Associated risks / Monitors / Reports. What is the use of reports tab ?
  The control is working even with populating the report tab.

  If you have a report that you want mitigation monitors to run in order to perform the control activities you can put it in there.
  The alert functionality will then allow you to report on monitors that did not run that report in the specified period.
  Frank.

• Mitigation Control Description export

  Hi all,
  I am working on upgrade from Virsa to GRC 5.3 upgrade.
  I am trying to upload the mitigating controls into GRC-RAR after exporting from Virsa.
  I am not able to get the descriptions of the Mitigation control in complete on my export. Only the first line is getting exported.
  We have about 900 ! Controls in place.
  Is there a better way  to get all the lines in the description field when we export it out of Virsa.
  your suggestion will be helpful.
  Thanks
  Vidyar

  Hi,
  do you have a J2ee cluster running on your server??? if so, you have to set up the same url parametter for reporting, i the parameter area of AC.
  regards,
  Alejandro

• Mitigation control errors out in CUP approval

  We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR.  Once it goes for approval into CUP, it erroru2019s out when I try to approve it.  Here is the message:
  2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
  com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
       at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by:
  com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
       at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
       ... 32 more
  Thanks,
  Peggy

  Hello Peggy,
    Did you recently upgraded your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration"
  The problem is coming due to change in NW encryption algorithm and impacted GRC as well. This is fixed in SP10 of GRC.
  Regards, Varun

• Workaround for non-SAP mitigating control reminders

  Dear all,
  Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
  Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
  Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
  Have you come up with any feasible workarounds for this?
  My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
  Cheers and best regards
  Patrick

  Hello,
  Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
  Regards,
  Jérôme.