AC10 - Auto risk analysis and auto mitigation

Hi,
I was wondering if it is possible to
- run an automatic risk analysis at the end of an approval stage of the workflow, the same way it is possible to configure at the time of request sending?
- automatically put a mitigating control in the request for the risks found?
  In our case, there is only one mitigating control for each risk and the assignment of the control is an unnecessary manual task to perform. The mitigation assignment will be approved in a separate WF by the mitigation owner.
It seems there is no out of the box solution to this, so any alternative suggestions are welcome.
Thanks,
Daniela

Hi Daniela,
If I may give my opinion, I would probably break your question down into 2 parts.
1) Auto Risk analysis at the end of a stage - Making "Risk Analysis Mandatory" at that stage is probably the method. Unfortunately this does mean clicking one or two buttons (so not fully automated). Think AC uses this method to ensure the reviewer is aware of the conflicts caused etc.
2) Auto Mitigation - For a business access workflow in a 'Live' situation, this is probably not a good idea, as analysing and making the decision on whether to proceed with the request should really be performed by an actual person responsible for that stage in the work flow e.g. Role Owner or Security Lead etc. You would not want to mitigate all risks automatically (if I have understood correctly that you have a mitigation per risk ID). In theory, an automated mitigation process would mitigate all risks without discrimination.
On a side note, there is a configuration setting under SPRO for Access controls as follows
"Risk Analysis- Access Request : Param ID 1072 - Mitigation of critical risk required before approving the request". By enabling this configuration, you could force a mitigating control to be applied to any user requesting Critical Access.
Hope this helps.

Similar Messages

  • Risk Analysis and Remediation Mitigating Control Monitoring Alerts

    Hello,
    We have configured an alert for a Mitigating Control.  The Monitor must execute the report every day (report frequency = 1) or an alert email is sent to the Risk Owner.
    The Risk Owner receives the Alert email and the Alert is logged on the Alerts tab only for the first two days after the report is not executed by the Monitor. Is there a setting somewhere that controls why the alert is not generated after two days?
    thanks
    Tammi

    Correction.
    The email is only sent for 2 days.  The alert is logged on the Alert Monitor tab every day.

  • Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

    Hello Forum,
    I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC)
    I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3
    I found a process that will unload the data from CC 4.0 and be imported into RAR 5.2
    I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet
    Currently, I have the following definitions:
    Business Process 6 entries
    Functions 47 entries
    Risks 147 entries
    Mitigating Controls 40 entries
    Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software
    I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls
    Thanks for your responses in advance
    Jerry
    Ryerson, Inc
    630-758-2021

    Thanks for the reply
    I have the migration guide and have reviewed it; I have actually played around a bit with obtaining the file from CC 4.0; I found that the data records may need some adjustments to be compatible with RAR 5.2; one of the reasons that may be leading me to do everything from scratch
    The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area
    I'm not sure if they were mixed with the defaults
    I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rules set but I expect to find out
    Thanks again for your reply
    Jerry

  • Need to exclude certain risks in Risk Analysis and Remediation (5.2)

    Hello Experts,
    My requirement is I need to exclude certain unwanted risks whenever I execute the simulation for a user or an SAP role. We had this provision in the ABAP version of compliance calibrator 4.0. But we are not able to do the same in the upgraded 5.2 risk analysis and remediation.
    Can anyone please provide a solution to this problem or some workaround. Thanks in advance.
    Best Regds,
    Suyog Chakot...

    Hi,
    there are several options:
    - you can disable single risks in rule architect.
    - you can create a second rule set that only checks the roles you want to check on
    - you can mitigate certain roles or users to exclude them from analysis
    The options are all there - depends on what exactly you want to do.
    Frank.

  • Cannot find CCRTAWS at Access Control Risk Analysis and Remediation?

    I am looking for the Web service CCRTAWS  in Access Control Risk Analysis and Remediation.
    But I cannot find it.
    Could you help? Thanks a lot!

    Ashley,
       Go to main page of WAS (Web application server) where AC 5.3 is installed. It would be
    http://(servername):(port)/index.html [Replace servername and port with the actual servername and port number]
    Click on Web service navigator (First link on right side). This link will show you all the web services installed. Search for CCRTAWS. I can see it in my AC installation.
    Regards,
    Alpesh

  • SAP GRC AC: Organizational rules at Batch risks analysis and Dashboards

    Dear All.
    I would like to know whether GRC AC is able to consider the organizational rules defined (for example: risk only affecting Company BUKRS 0001) in the Batch risk analysis and in the Dashboard. I already know that for ad-hoc reporting you can filter by the Org. rules created, but I would like to know if this filter is also available for the Batch risk analysis.
    Thanks and regards.

    Dear all.
    As per my knowledge this parameter only sets the flag of Consider Org.Rules at the filters. This is what the guide indicates:
    "Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and
    Role Maintenance screens."
    So how are you so sure that setting this flag to YES will take the org rules into consideration at the Dashboards?
    Regards

  • Stopping Background job in Risk Analysis and Remediation

    Hi,
    We have scheduled a background job for Batch Risk Analysis in CC 5.3. Later we terminated that job for some reasons. But that terminated job status has been showing as Stopping for the past 3 days. How can we cancel that job?
    We have restarted the J2EE server but the job is still running. Please suggest how we can stop that job immediately.
    Regards,
    KKRao.
    Edited by: KKRao_2020 on May 12, 2009 9:14 AM

    Hi,
    If you have access to the Oracle backend then I can tell you a workaround for this issue:
    when the job is in Stopping status you can delete an entry from the VIRSA_CC_JOBHST table.
    The command is
    SQL> delete from VIRSA_CC_JOBHST where jobid = <your jobid> and status = 3;
    After running this command the job in RAR will show Aborted status, then the delete button will be enabled and if you want you can delete that job from the RAR screen.
    Regards,
    Sudip.

  • Custom Tabs in Risk Analysis and Remediation

    In the configuration Tab of the RAR, one has the ability to add 3 custom tabs. These custom tabs appear to the right of the Configuration Tab. The name which brings up the tab is appended at the end of the url as mentioned in the configuration guide. For example if you append "CCdebugger" the Debugger tab is appended.
    Does anyone know what other tabs can be added and how does one go about finding the names of the tabs that can be appended like the one example shown above? The configuration guide does not provide any list of tabs that can be attached in this way. (Granted the maximum at a time is 3).
    Would appreciate your help and input on this.
    Thanks

    Hello Arun,
    You can add in custom tabs any webservice (webservice URLs can be found in the UME Web Services Navigator) or any other link, even external (such as a webmail or a Google search bar!).
    You are free to configure your custom tabs according to your needs, but do keep in mind that custom tabs are common to all users!
    For information here are 3 tabs we have chosen to configure:
    debug mode : .../webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?debug=1
    CC Background daemon : .../sap/CCBgStatus.jsp
    Thread follow up : .../sap/CCADStatus.jsp
    Hope this helps,
    Kind regards,
    Sophie Planchais
    Edited by: Sophie Planchais on Sep 3, 2008 1:52 PM

  • Mitigation not showing in Risk Analysis

    I have mitigated a role and can see the mitigation on the Mitigation tab under Mitigated Roles. I wanted to run a Risk Analysis on the role to make sure the mitigation is in my reports and they are not showing.
    I have checked my settings on the configuration tab under "Risk Analysis" on "Exclude Mitigated Risk" and it's set to "No". I run my reports in the Informer Tab > Risk Analysis > Role Analysis and the Report Type is at the permission level and under "More Options" the "Ignore Mitigation" is set to "No".
    I have re-run my "sync" jobs and management reports in the order they should be run and they are still not showing up. The mitigation is not showing up in my management reports either. I am on SP9.
    Is there anything else I'm missing?

    I answered my own question on this.

  • SAP GRC AC 5.3 CUP Risk Analysis issue

    Hi all,
    I have assigned a new SoD Role to a user, who had previously been given other SoD Roles that were authorized to assign, then I launched the Risk Analysis and it shows the risk between the previous SoD Roles, but I want to see the new possible risks between the new SoD Role and the others.
    Is there any parameter in CUP that controls this? How should I do it?
    Thanks in advance.
    Regards.

    Hi Chinmaya,
    Firstly, thanks for your help and support.
    According to the post, I mean when the user manager or approver, receives the request to assign one role to a user, the approver has to decide the needs of the user to use that role.
    Then the approver can check (clicking on the Risk Analysis button) the number of conflicts or critical risks that the user could violate. The issue is when the approver launched the analysis and it shows the same conflict risks that have been mitigated in the previous assignment. It should show the possible risks between the new role and the others, shouldn't it?, instead of the old risks being shown. Should those risks be shown as mitigated?
    Thanks, regards.

  • Did CUP risk analysis change with SP7?

    Dear GRC experts,
    I am pretty sure when we tested CUP 5.3 SP4 when doing risk analysis it would only show new risks caused by new roles selected in the request (like Risks from Simulation Only YES in RAR). Existing risks for that user would not be shown.
    Now with CUP 5.3 SP7 fix1 we get the existing risks shown as well, not in any way related to the role(s) selected, which will be confusing to the role approvers. E.g. the role request is a display role, the approver needs to run risk analysis and gets existing risks shown. He/she cannot deselect roles to remove risks as only the display role is in the request. There might be no mitigating controls for those risks (creation of new mitigating controls is blocked). This would end up in requests with risks even though the requested role is not risk relevant, or even the request gets stuck because no mitigating control exists and config is set to not allow approval of requests with risks.
    Please confirm if indeed only new risks were shown in CUP risk analysis in previous support pack levels or rel. 5.2, or that I am mistaken and all risks were always shown at risk analysis in CUP.
    Principally I think existing risks should be the focus of the GET CLEAN effort. Risk analysis in CUP should focus on preventing new risks as part of the STAY CLEAN phase.
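The post above hinges on the difference between reporting every violation a user already has and reporting only the violations that the requested roles would introduce (what RAR calls "Risks from Simulation Only"). The following is an added illustration, not SAP GRC code: a toy action-level SoD engine with a constructed rule set (risk ids, functions, actions, roles and mitigations are all made up) that computes violations before and after a request and lets the caller choose between the two reporting modes. Mitigated risks are reported separately so an approver can see them without being blocked by them.

```python
"""Toy SoD simulation: which risks are new versus pre-existing for a request.

Added example, not SAP GRC code. All rule set, function, role and mitigation
data below is constructed for the illustration.
"""

# Constructed rule set: risk id -> functions that conflict when held together.
RISKS = {
    "P001": {"AP01", "AP02"},          # maintain vendor + pay vendor
    "S001": {"SD01", "SD02"},          # maintain customer + post customer credit
    "B001": {"BS01", "BS02", "BS03"},  # order + receive + invoice (three-way)
}
# Constructed functions: function id -> actions (transaction codes) it covers.
FUNCTIONS = {
    "AP01": {"XK01", "FK01"},
    "AP02": {"F110", "F-53"},
    "SD01": {"XD01", "VD01"},
    "SD02": {"FB75"},
    "BS01": {"ME21N"},
    "BS02": {"MIGO"},
    "BS03": {"MIRO"},
}
# Constructed roles: role name -> actions granted.
ROLES = {
    "Z_AP_MASTER": {"XK01", "FK01"},
    "Z_AP_PAY": {"F110"},
    "Z_SD_DISPLAY": {"VD03"},  # display-only role, not risk relevant
    "Z_SD_CREDIT": {"FB75"},
    "Z_PUR_ORDER": {"ME21N", "MIGO"},
    "Z_PUR_INVOICE": {"MIRO"},
}


def actions_for(roles):
    """Union of all actions granted by the given roles."""
    acts = set()
    for role in roles:
        acts |= ROLES[role]
    return acts


def functions_held(actions):
    """A function counts as held if the user has at least one of its actions
    (action-level analysis; permission-level analysis would also check
    authorization object values)."""
    return {fid for fid, acts in FUNCTIONS.items() if acts & actions}


def violations(roles):
    """Risk ids violated by the combined authorizations of the roles."""
    held = functions_held(actions_for(roles))
    return {rid for rid, funcs in RISKS.items() if funcs <= held}


def simulate(existing_roles, requested_roles, mitigated=frozenset(), new_only=True):
    """Return the risks an approver should see for a request.

    new_only=True mirrors "Risks from Simulation Only": report only risks that
    did not exist before the requested roles were added. new_only=False
    reports every violation of the resulting access, which is the behaviour
    the post describes for SP7. Mitigated risk ids are listed separately.
    """
    before = violations(set(existing_roles))
    after = violations(set(existing_roles) | set(requested_roles))
    shown = (after - before) if new_only else after
    return {
        "open": sorted(shown - set(mitigated)),
        "mitigated": sorted(shown & set(mitigated)),
        "pre_existing": sorted(before),
    }


if __name__ == "__main__":
    # A user who already has a mitigated P001 requests a display-only role.
    print(simulate({"Z_AP_MASTER", "Z_AP_PAY"}, {"Z_SD_DISPLAY"}, mitigated={"P001"}))
    print(simulate({"Z_AP_MASTER", "Z_AP_PAY"}, {"Z_SD_DISPLAY"}, mitigated={"P001"}, new_only=False))
    # Adding the invoice role completes a three-way conflict: a genuinely new risk.
    print(simulate({"Z_PUR_ORDER"}, {"Z_PUR_INVOICE"}))
```

With new_only=True the display-role request comes back with no open risks and P001 listed only as pre-existing; with new_only=False the same request surfaces P001 again, which is exactly the approver confusion the post describes. The third call shows a request that really does create a new risk (B001), which both modes report.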

    Hi,
    When we run Risk Analysis for the user, it will show the existing violations as well as the violations that come with the new roles.
    When we click on Risk Analysis under the Simulation tab we can find the Risk Violation details.
    Here I have a doubt: how to deselect a violating role while approving the request. I'm unable to find that option. Please advise.
    Thanks & regards,
    KKRao.
    Edited by: KKRao_2020 on Oct 9, 2009 9:22 AM
    Edited by: KKRao_2020 on Oct 9, 2009 9:27 AM

  • CUP-RAR Risk Analysis error

    Hello experts,
    When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risks (0 risks found). However, when the role is added to the user in RAR simulation, there are risks.
    Similarly,
    When an approver does risk analysis for a role in CUP before approval, the system shows 0 risks (0 risks found). However, when the role is analysed in RAR, there are risks.
    I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
    When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
    Many thanks,

    Hello Raghu
    Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
    Also I would suggest going to:
    1. CUP - configuration -Risk analysis - And see if the web service link for Risk analysis is correct.
    Better would be to go to Netweaver Administration -Webdynpro console -and get the correct link.
    2. CUP -configuration - Mitigation and here also put the correct link for all four options there i.e. (Risk analysis, Mitigation etc),
    Hopefully this should solve the problem. I don't think it is related to org level.
    If the problem still persists, kindly paste the log.
    Best Regards
    Asheesh

  • Risk Analysis On Request Submission property config

    Hi,
    We have configured the New and Change access requests to go through a Role Owner Approval in CUP. To make the role owners aware of the reported risks with an access request when it lands in their Inbox, we have enabled the Risk Analysis config 'Risk Analysis On Request Submission' to Yes. This setting makes the system perform Risk Analysis using the RA webservice on ALL requests.
    But we are not enforcing the Risk analysis and mitigation in all systems that are provisioned through GRC CUP. The property seems global and hence we are looking for a work around to bypass the RA on requests for some systems or rather a system specific setting.
    Is there any tweak available with GRC 5.3 SP08 to achieve this?
    As of now, we don't maintain the RAR rules for the systems where risk analysis is non-mandatory, but we notice that the system is unnecessarily performing RA, amounting to inefficient utilization of resources.
    Any help would be greatly appreciated.
    Thanks, Anil

    Anil,
    There will be a few seconds extra for each system not included in risk analysis, but it should realize very quickly that there are no rules for that system (and that it can't even connect to pull authorizations if it is a dummy system).
    Sorry there isn't a better answer, but it's the way it is built.
    Tyler

  • Access Enforcer Risk Analysis question

    Hello All.
    We are receiving an error message in an AE request. We are receiving the following error in Access Enforcer 'Mitigation control ZM030 could not be saved for user XXXX - Exception from the service: ERROR: This user is already mitigated for this risk' when doing the final approval on some requests.
    Request #1 approved without error, but when I did Request #2 I received the error message. I tried it again, same error, but the tick boxes are grey instead of green.
    In all cases the roles were added to the user's account, but now AE request 1 and 2 cannot be removed from the listing.

    Ankur,
    this can happen under different circumstances - say 1 of 3 systems to provision to is down. You will get an error message and the request is not closing, although provisioned to the other 2.
    Jonathan,
    for this request that is still open, can you remove the mitigation? And then re-run Risk Analysis and approve again.
    From version 5.3 you cannot create multiple concurrent requests for the same user, this will prevent your exact error.
    Regards
    Daniela

  • How to verify Risk Analysis done for CUP request?

    We are on GRC 5.3 SP 13.
    Is there a way to verify whether a Risk Analysis was performed during a stage for a CUP request?
    We have a CUP request that should have generated a SOD Risk when it was processed. However the closed request shows no risk or mitigations on it. The approvers say they ran a Risk Analysis, and the workflow stage does have that set as mandatory. Also, you do get SODs if you run a User Analysis for this userid in RAR directly, so it looks like the request should have had them also.
    Is there any way to verify whether a Risk Analysis was actually performed in the CUP request workflow stage?
    At this point I don't know if this is a problem with the CUP Risk Analysis, or if the user just didn't run one and the system let that slip through somehow.
    Thanks.

    I believe you can log into RAR > RAR Debugger > View Server Log > You can search on Analysis. If you are getting any errors they will also show up here.
    Example: 
    INFO: Foreground : Analysis starts:
    Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
    FINEST: ObjAuthMatcher constructed: 0ms, #singles=11, #ranges=0, #super=0
    Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO: Foreground : Analysis done: 55550000 elapsed time: 49 ms
    Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO: Foreground : 1 out of 1 (100%) done
    Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO: Foreground : All Analysis done,  elapsed time: 64 ms , memory usage: free=782M, total=2048M
    Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
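Searching the server log by hand works for one request, but the check the question asks for (did a risk analysis actually execute during the stage?) is easier to repeat with a small parser. The following is an added example, not SAP code: it reads the two-line java.util.logging record format visible in the excerpt above (a timestamp/class/method header line followed by a "LEVEL: message" line), extracts "Analysis done" events and any SEVERE or WARNING records, and answers whether an analysis for a given identifier ran inside a time window. The excerpt is copied from the post; the trailing SEVERE record is constructed to show error detection, and treating the token after "Analysis done:" as the analysed object's identifier is an assumption.

```python
"""Parse RAR server-log records to confirm a risk analysis actually ran.

Added example, not SAP code. Assumes the java.util.logging two-line format
seen in the post: a header line "Mon D, YYYY H:MM:SS AM com.class method"
followed by a "LEVEL: message" line. The identifier after "Analysis done:"
is assumed to denote the analysed object (user or role).
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
RECORD_RE = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
DONE_RE = re.compile(r"Analysis done: (\S+) elapsed time: (\d+) ms")
ALL_DONE_RE = re.compile(
    r"All Analysis done,\s+elapsed time: (\d+) ms\s*,\s*memory usage: free=(\S+), total=(\S+)"
)

# Excerpt copied from the post above; the final two lines are constructed.
SAMPLE_LOG = """\
INFO: Foreground : Analysis starts:
Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
FINEST: ObjAuthMatcher constructed: 0ms, #singles=11, #ranges=0, #super=0
Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
INFO: Foreground : Analysis done: 55550000 elapsed time: 49 ms
Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
INFO: Foreground : 1 out of 1 (100%) done
Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
INFO: Foreground : All Analysis done,  elapsed time: 64 ms , memory usage: free=782M, total=2048M
Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
Mar 9, 2012 3:45:01 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
SEVERE: Foreground : Analysis failed: constructed example error
"""


def parse_records(text):
    """Yield {ts, source, level, msg} per record. ts is None when the header
    line is missing, as for the first line of the excerpt (cut off)."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            header = (ts, m.group(2) + " " + m.group(3))
            continue
        m = RECORD_RE.match(line)
        if m:
            ts, source = header if header else (None, None)
            yield {"ts": ts, "source": source, "level": m.group(1), "msg": m.group(2)}
            header = None  # a header belongs to exactly one record


def summarize(text):
    """Return {"runs": [...], "totals": [...], "errors": [...]} from the log."""
    runs, totals, errors = [], [], []
    for rec in parse_records(text):
        if rec["level"] in ("SEVERE", "WARNING"):
            errors.append(rec)
        m = DONE_RE.search(rec["msg"])
        if m:
            runs.append({"ts": rec["ts"], "object": m.group(1), "elapsed_ms": int(m.group(2))})
        m = ALL_DONE_RE.search(rec["msg"])
        if m:
            totals.append({"ts": rec["ts"], "elapsed_ms": int(m.group(1)),
                           "free": m.group(2), "total": m.group(3)})
    return {"runs": runs, "totals": totals, "errors": errors}


def analysis_ran(text, object_id, start_iso, end_iso):
    """True if an 'Analysis done' record for object_id has a timestamp within
    [start_iso, end_iso] (ISO 8601 strings), i.e. within the stage's window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return any(r["object"] == object_id and r["ts"] is not None and start <= r["ts"] <= end
               for r in summarize(text)["runs"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for run in result["runs"]:
        print("analysis", run["object"], "at", run["ts"], "took", run["elapsed_ms"], "ms")
    for err in result["errors"]:
        print(err["level"], "at", err["ts"], ":", err["msg"])
    print(analysis_ran(SAMPLE_LOG, "55550000", "2012-03-09T15:00:00", "2012-03-09T16:00:00"))
```

Feed it the exported server log and the approval timestamps from the request's audit trail: a stage with mandatory risk analysis but no matching "Analysis done" record in its window, or a SEVERE record in that window, is the evidence the question is after.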
