Bringing mitigating controls from PC to AC in GRC 10.0
Hi ,
I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
my client is asking me to copy all the mitigating controls from PC to AC.
Is this possible ? if yes, What will be the process ?
Thank you.
Hi Sri,
you can achieve by downloading and uploading the mitigations.
Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
and put the active column in the file as X.
Regards,
Venugopal Ireni
Similar Messages
-
Transport of mitigation controls from GRC Dev to GRC Production in 10.0
Hi All,
Is there an option to transport mitigation controls from Dev to Prod in 10.0. Where is that option available. We could not find even download or upload option unlike 5.3 in 10.0
Thanks and Best Regards,
Srihari.KHi
I can see that this question is marked as answered . Could you please update what steps were taken for transporting mitigation controls? Thanks
Best Regards
Srilakshmi S -
Creating Mitigation Control from CUP
Hi Guys,
Is this feature implemented in Access Control???? Or Stills as enhancementHi Alpesh
In order to your answer... Can you help me to identify what I doing wrong when I want to approve a mitigate control in CUP.
Path 1 : Approve request
Stage 1: Request
Stage 2: Security
Stage 3: Role Owner
Detour Path:
Type: CUP
Stage: Role Owner
Condition: SoD Review
Detour Path: Path 2
Path 2:
Stage 1: Approval -- > CAD : Mitigation Monitor
The request is send to the Mitigation Monitor but when we try to approve request show the next error:
2010-03-30 14:10:26,390 [SAPEngine_Application_Thread[impl:3]_25] ERROR Mitigation control TEST_5.1 could not be saved for user PRUEBAGRC_6
com.virsa.ae.core.BOException: Exception from the service : Mitigation record doesn't exist
at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:207)
at com.virsa.ae.accessrequests.bo.MitigationControlBO.saveMitigationControls(MitigationControlBO.java:321)
at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:6993)
at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:6748)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6600)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6393)
at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:949)
at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:104)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Caused by: com.virsa.ae.service.ServiceException: Exception from the service : Mitigation record doesn't exist
at com.virsa.ae.service.sap.MitigationControlWS52DAO.checkForSuccess(MitigationControlWS52DAO.java:832)
at com.virsa.ae.service.sap.MitigationControlWS52DAO.executeUpdateUserMitigation(MitigationControlWS52DAO.java:287)
at com.virsa.ae.service.sap.MitigationControlWS52DAO.insertUserMitigation(MitigationControlWS52DAO.java:309)
at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:195)
Can you help me please?? All URI are OK.
Thanks !!!!
Edited by: Karen_sans on Mar 31, 2010 7:45 PM -
Mitigating Control creation and application in SAP GRC 10
Hi Expert,
We have SAP GRC Access Control 10 being implemenmted for our client. While trying to create Mitigating Control, we just realized that Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions which is visible only when we activate the GRC-PC Application.
My queries are:
1. Is it that Mitigation control can only be created if PC is enable.
2. What about Licencing if GRC-PC Application is used for Mitigating Control Creation.
Thanking you i advance.
Thanks & Regards,
Abhimanu Kumar SinghHI,
Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
Thanks again.
Thanks & Regards,
Abhimanu Kumar Singh -
Mitigation Control Migration From 53. to GRC10
Hello,
Can you please let me know where do I find a templete for downloading Mitigation Controls from 5.3 and how do I upload them in GRC 10?
An early reply would be highly appreciated.
Thank you.Hello,
Can you share how you migrated the mitigation controls?
While migration of the mitigation controls
I get an error "Creation of object ID 00000000 is not allowed"
I have different buisness processes for risks/functions and the mitigations...Is it something to do with that? or shoudl i create the business processes in GRC 10 before migration?
I am pretty much stuck here...any help is really appreciated.
Thanks,
Raghav -
Mass maintenance of Mitigation controls in GRC 10.0
Dear All,
How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
Thanks and Best Regards,
Srihari.KHi Sri,
you can achieve by downloading and uploading the mitigations.
Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
and put the active column in the file as X.
Regards,
Venugopal Ireni -
RAR 5.3 SP10 Mitigating Control Import Utility
All -
I exported my mitigating controls from a RAR 5.3 SP9 system and imported them into a 5.3 SP10 system. I received a successful confirmation of the import, but when I "searched" my mitigating controls there were duplicated mitigating control numbers. It looks like the import tool duplicated the mitigating control ID for every "monitor" assigned to the mitigating control number. For example, mitigating control MC00000001 with Monitor1, Monitor2, & Monitor3 equated to 3 entries of MC00000001. If I try to delete 2 of the 3 entries, I receive a "Successfully deleted" message and get the error "Exception!!. No relavent language message available in database for :0053". When I "search" again, the mtigating control is no longer there (as expected).
I confirmed my mitigating control import file does not have the multiple entries.
Any ideas?
Thanks,
DanielVenky,
Thank you for your response. The message issue actually wasn't the one that I was asking about, but thanks for the heads up. The main issue is that RAR (5.3 SP10) is multiplying mitigating control entries for the number of monitors assigned to the mitigating control. It appears to be an issue with SP10 as it did not occur in SP9. I'm trying to see if anyone knows what the fix is.
Thanks,
Daniel -
Hi,
Is their a way we can maintain and update mitigating controls on GRC (GUI) back-end.UI can't be able to find those i created and migrated. Any ideas?
Regards, MelvinHi,
REF CALL # : 968707 / 2011
I created mitigating controls and imported the old mitigating controls from GRC 5.3.
When I go to the mitigating controls on the UI no mitigating controls appear when opening the page. When I do a drop down (drill) on the TAB (SETUP) Work Centre  Link - Mitigating Control
When drilling down on Mitigating Control IDu2019s
The only two displayed is the ones I created on the UI. When I import the GRC5.3 mitigating controls I get the following
message on the import tool within GRC10 back-end
--Start Loading File - Scenario of 5.3 Mitigation - Migration
sapvirdevexport53/BUNITdata.dat
Mitigation Control EA:BS001 already exists
Mitigation Control EA:BU001 already exists
Mitigation Control SOLMAN99 already exists
--File loaded successfully
The migration document refers to the following steps and this was followed
Why is the screen empty when going into the mitigating control link on the UI - Another strange phenomenon is when I run the mitigating report from report and analytics the mitigating control comes up blank.
When in the report and analytic work centre, and running the mitigation control report - -> I drill down on the Control ID and get the blank screen.
This is why im asking can I look at mitigating controls not from ECC but GRC back-end system and maintain it from their
Regards, Melvin -
Risks has been removed but Mitigating Control still stays with the users?
Hi all,
I have a situation where after a risk has been removed from the users by removing the violating roles, however the Mitigating Control still remains tagged to the same user. Is there any efficient way of removing Mitigating Controls from users where the risks no longer exists?Hi Joseph, thanks for the info. My problem comes in when the user request to have the violating role removed via CUP and it so happens that the Mitigating Control assigned for the old risk still has 6 more months of validity left. It seem like there is no mechanism to auto remove this MC when the role has been removed after the request in CUP have been approved and auto-provision.
My problem is that there might be many more of such users with redundant MC assigned to them in RAR. I can't find a way to search for such redundant MCs for cleanup. There is a possibility that when the same roles are assigned back to the users via request in CUP, these redundant MC if applicable will cause the Risk Analysis via CUP to not flag out any SoD issue. -
Error while uploading mitigation controls
Dear All,
While uploading the mitigation controls i am facing with the below error. Can you please help me in resolving this error.
Error in table dataVIRSA_CC_MITUSER
SQL:=>Insert into VIRSA_CC_MITMON(MITREFNO,MONITORID) Values(?,?)
Record::Line Number :21 : D VIRSA_CC_MITMON TESTC1 TEST1
Below is the text file which i am uploading into the RAR for test purposes
M VIRSA_CC_ADMIN USERID NAME EMAILID ROLEID
D VIRSA_CC_ADMIN TEST1 TEST1 test M
M VIRSA_CC_BUSUNIT BUSID
D VIRSA_CC_BUSUNIT TH
M VIRSA_CC_BUSUNITT BUSID LANG DESCN
D VIRSA_CC_BUSUNITT TH EN Thailand
M VIRSA_CC_BUAPPVR BUSID APPROVERID
D VIRSA_CC_BUAPPVR TH TEST1
M VIRSA_CC_BUMONITOR BUSID MONITORID
D VIRSA_CC_BUMONITOR TH TEST1
M VIRSA_CC_MITREF MITREFNO BUSID APPROVERID
D VIRSA_CC_MITREF TESTC1 TH TEST1
M VIRSA_CC_MITREFT MITREFNO LANG DESCN
D VIRSA_CC_MITREFT TESTC1 EN Test mitigation control
M VIRSA_CC_MITRISK MITREFNO RISKID
D VIRSA_CC_MITRISK TESTC1 F006*
M VIRSA_CC_MITMON MITREFNO MONITORID
D VIRSA_CC_MITMON TESTC1 TEST1
M VIRSA_CC_MITRPT MITREFNO ACTIONS VSYSKEY MONITORID FREQUENCY
M VIRSA_CC_MITUSER MITREFNO RISKID USERID VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_MITROLE MITREFNO RISKID ROLEID VALIDFROM VALIDTO MONITORID STATUS
D VIRSA_CC_MITROLE TESTC1 F006* Z1.*.ASST-SC-FINC-MGR 6/9/2010 7/25/2010 TEST1 0
M VIRSA_CC_MITHROBJ MITREFNO RISKID HROBJ HROBJTYP VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_MITPROF MITREFNO RISKID PROFILE VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_MITUSRORG MITREFNO RISKID USERID ORGRULEID VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_DETDESC OBJECT_TYPE OBJECT_ID LANG DETAIL_DESCN
D VIRSA_CC_DETDESC MIT TESTC1 EN Test Mitigation control
We are not mitigating users now. Only roles are getting mitigated and hence we have not provided any values to the MIT USER table.
Thanks and Best Regard,
Srihari.KDear Varun,
Thanks for your reply. It helped me a lot. But however i am facing the following issue while uploading the mitigation controls
After exporting the mitigation file from RAR, we opened the text file in a spreadsheet format and added few lines to the file and saved in the same text format or in UTF-8 format also
After uploading the same into RAR again after changes we are facing similar errors mentioned in above query.
But when we add lines directly in the wordpad and upload the file then it is successful.
We have to add so many mitigation controls and roles to be assigned for which excel would be easy way to dump.
Is there anything wrong we are doing here in editing and converting the files.
Thanks and Best Regards,
Srihari.K -
Detect obsolete mitigating control assignments?
Hello,
What report/s would you use to detect obsolete mitigating control assignments?
The scenario is: A user has been assigned a mitigating control, let's say during the CUP workflow, to mitigate a certain risk that came with a certain role. Later, that role is removed from the user. Now the user is in the scope of a mitigating control. However, the user is not even subject to the risk in question anymore.
Which way (periodically?) could you detect these cases and clean up the mitigating control assignments?
Thanks and regards
PatrickHey,
My experience of cleaning up controls has not been very straight forward.
I have had to perform various risk analysis reports and look up a list of user accounts that have been marked as "Expired" etc.
It can be slightly more difficult if, like many organisations, you decide to assign a control with a infinite validity period (i.e. 12.12.9999).
The Business and Internal Control team need to be very proactive about regularly monitoring the controls and reviewing the assignments. This is one reason why I strongly recommend that controls are only assigned for a set period (i.e. 365 days/1 year), so a compulsory review takes place by the control owners/business on a regular basis. This makes the controls much more affective, robust and fit for purpose.
Happy to hear other's opinions and ideas. -
Workaround for non-SAP mitigating control reminders
Dear all,
Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
Have you come up with any feasible workarounds for this?
My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
Cheers and best regards
PatrickHello,
Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
Regards,
Jérôme. -
Hello All,
We have migrated data from virsa 4.0 to grc 10.1, all virsa mitigation
approvers and controllers got migrated but we are not able to map new
mitigation approver and controller to the mitigation ids.
The steps we have done below.
1. We have created user id in su01 with necessary authorizations
2. we have declared this user id in Access control owners as a
mitigation approver and assigned to the organization unit
Now we are trying to map to newly created mitigation approver to the
mitigation id but we are not able to find that approver id for the mitigation ids. (only old mitigation ids came from VIRSA only we are able to see, not able to add new mitigation approvers / controllers to the mitigation ids)
Kindly check this issue, this is very critical for us.
Thanks in advance.
Regards,
KarunakarHi Karunakar,
- Assign Owners to Organization unit
- Make these owners as Mitigation Approver and Monitor
- Create Mitigation Id in this Org. unit
Regards
plaban -
Hi all,
We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
a) When we run the SoD anlaysis for that particular user we could able to see only half description of the Mitigation Control.
Is there any limitation for the space or the parameters for the Mitigation Control Description.We are unable to see the entire description of the Mitigation Control (If the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet also we are getting only the part of the mitigation control and not the entire description of the mitigation control
b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario,we have assigned 2-3 mitigation controls to one Mitigated user for mitigation. When we run SoD analysis we could able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned only the 3rd one assigned is being shown).
But when we did a search for Mitigation controls with the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
Is there anything to do with the parameters set up or at the configuration side to resolve this.
Please provide the procedure also in case of any changes to be made at configuration level.
Thanks and Best Regards,
SriHi Vit,
Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
Thanks and Best Regards,
Sri -
Mitigation Control Description export
Hi all,
I am working on upgrade from Virsa to GRC 5.3 upgrade.
I am trying to upload the mitigating controls into GRC-RAR after exporting from Virsa.
I am not able to get the descriptions of the Mitigation control in complete on my export. Only the first line is getting exported.
We have about 900 ! Controls in place.
Is there a better way to get all the lines in the description field when we export it out of Virsa.
your suggestion will be helpful.
Thanks
VidyarHi,
do you have a J2ee cluster running on your server??? if so, you have to set up the same url parametter for reporting, i the parameter area of AC.
regards,
Alejandro
Maybe you are looking for
-
I am unable to update apps on my iPhone 4. I tried rebooting but still I get an error message which says "unable to update"
-
I have very thin, colored lines that have shown up on my IMac monitor screen. I don't know where they came from or how to get rid of them. I'm concerned now because I started with one and now have three. Does any know why this occurs or how to get
-
Hello, I'm trying to start a process from bpm workspace but getting this error. Does anyone knows what's that mean and how to resolve it?? <bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="su
-
I am using:Oracle JDeveloper 10g Release 2 (10.1.3) - Developer Preview I create J2EE web service using "J2EE 1.4(JAX RPC) web service" but have error:"WSDL and mapping file generation failed for the following reason" details>> oracle.j2ee.ws.common.
-
I caused myself a problem a couple of years ago when a disc failed and in relation to iPhoto I did a sloppy job of restoring everything from backups. It is so long ago that I cannot remember what, how and why I did it but basically I restored all the