CC: Entering Mitigation Controls

Hi ,
I am entering mitigation controls in CC and am noticing 2 issues
1) I cannot blanket mitigate a selection of users. Blanket mitigation only seems to apply if I want to mitigate all users. Is there any way to add 10 select users to a mitigation control by selecting the 10 users, rather than having to specify risk, validity dates etc. for all 10?
2) I have noticed in SAP documentation that * should be entered after the risk ID e,g, P005*. Why should this be entered. This does not default when setting up the mitigation control and if I forget to do it, I have to delete the mitigation entry for the user and recreate. Can anybody advise why * must be entered and if there is a way to default *
Thanks,
Gary

Gary,
1)  No there is no way to select 10 individual users without creating a line item for each one.  Unless they all get the access from the same Role.  If that was the case you could just create the mitigating control for that role and anyone that would have the conflict via that Role would not appear in your risk reports.
2)  The reason you have to enter * in the mitigating controls is so that all risk ID's are mitigated by your rule.  For example short risk ID P033 is made up of multiple long risk ID's based on each transactional combination i.e. P03300101 for ME21,ME51, P03300201 for ME21N,ME51, P03300301 for ME22,ME51, P03300401 for ME22N,ME51.
So to cover all possible transaction combinations with a mitigating control you need to enter it for P033*.  This would also allow you to enter a mitigating control for only long risk id P03300101 it your mitigating control only covered users with access to ME21 and ME51.
Hope that helps.
Matt.

Similar Messages

  • Mitigation controls - mitigating reports

    Hi all,
    I have a question regarding the frequency field in Reports tab of mitigating controls (RAR).
    What is the purpose of the frequency field. If you set this to 1, does that mean that the control is to be executed daily? Does the system send a mail to the monitor to inform her that its time to execute the control?
    Thanks.
    Arif

    The frequency must be established in number of days, for example, enter u201C30u201D for monthly reports or enter "7" for weekly reports. The frequency field is to ensure, monitors are executing applicable controls or more specifically monitoring the users who are executing the specified actions within the period "frequency" stated in a mitigation control. In your case 1 means 24 hours, so the monitor will be getting a daily report of the user actions. 
    Best Regards,
    Amol Bharti
    http://amudee.com

  • Changing Monitor on Mitigating Controls

    HI all:
    Just wondering, is there a way to change the Monitor on an existing mitigating control once it is assigned to either a role or user??  When we try to do it, the error message says "Role is already mitigated to Control xxxx: Monitor xxxx cannot delete".
    The only workaround is to delete the exisintg entries and re-enter them with the new monitor...however this is not an efficient approach when we have many entries for one mitigating control.
    The monitors are defined properly....we just can't change the mitigating control monitor once there are assignments to roles or users.
    Any help would be appreciated.
    Margaret

    I think one of the option may be to keep the monitor ID same but change the name of the monitor for that monitor ID in the administrator tab of mitigation.
    Hope this helps
    Regards,
    Nitin

  • Error Message KI112 Enter a Controlling Error in IW22 and IW23

    Hello Friends,
    We have a set up where MO are entered on a web front end application and transferred to SAP. The problem I am experiencing with these orders are when we need to enter a WBS element in the Location tab. When this tab is selected, we receive the Enter a Controlling Area, closing the message pop-up closes the session and brings the users back to the main SAP screen. We do not have this issue with SAP generated MO's.
    The work around we have found is to delete the functional location and equipment save the notification and paste the details back into the notification, then go to the Location tab and enter the WBS element for the MO.
    We are already beyond the notes that I have found that addressed a similar issue and were are using 4.7.
    Any ideas?

    Ken,
    How does the front-end web application call SAP?
    PeteA

  • Error while uploading mitigation controls

    Dear All,
    While uploading the mitigation controls i am facing with the below error. Can you please help me in resolving this error.
    Error in table dataVIRSA_CC_MITUSER
    SQL:=>Insert into  VIRSA_CC_MITMON(MITREFNO,MONITORID) Values(?,?)
    Record::Line Number :21 : D VIRSA_CC_MITMON TESTC1 TEST1
    Below is the text file which i am uploading into the RAR for test purposes
    M     VIRSA_CC_ADMIN     USERID     NAME     EMAILID     ROLEID               
    D     VIRSA_CC_ADMIN     TEST1     TEST1     test     M          
    M     VIRSA_CC_BUSUNIT     BUSID                              
    D     VIRSA_CC_BUSUNIT     TH                              
    M     VIRSA_CC_BUSUNITT     BUSID     LANG     DESCN                    
    D     VIRSA_CC_BUSUNITT     TH     EN     Thailand                    
    M     VIRSA_CC_BUAPPVR     BUSID     APPROVERID                    
    D     VIRSA_CC_BUAPPVR     TH     TEST1                         
    M     VIRSA_CC_BUMONITOR     BUSID     MONITORID                         
    D     VIRSA_CC_BUMONITOR     TH     TEST1                         
    M     VIRSA_CC_MITREF     MITREFNO     BUSID     APPROVERID               
    D     VIRSA_CC_MITREF     TESTC1     TH     TEST1                    
    M     VIRSA_CC_MITREFT     MITREFNO     LANG     DESCN                    
    D     VIRSA_CC_MITREFT     TESTC1     EN     Test mitigation control               
    M     VIRSA_CC_MITRISK     MITREFNO     RISKID                         
    D     VIRSA_CC_MITRISK     TESTC1     F006*                         
    M     VIRSA_CC_MITMON     MITREFNO     MONITORID                         
    D     VIRSA_CC_MITMON     TESTC1     TEST1                         
    M     VIRSA_CC_MITRPT     MITREFNO     ACTIONS     VSYSKEY     MONITORID     FREQUENCY          
    M     VIRSA_CC_MITUSER     MITREFNO     RISKID     USERID     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITROLE     MITREFNO     RISKID     ROLEID     VALIDFROM     VALIDTO     MONITORID     STATUS
    D     VIRSA_CC_MITROLE     TESTC1     F006*     Z1.*.ASST-SC-FINC-MGR     6/9/2010     7/25/2010     TEST1     0     
    M     VIRSA_CC_MITHROBJ     MITREFNO     RISKID     HROBJ     HROBJTYP     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITPROF     MITREFNO     RISKID     PROFILE     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITUSRORG     MITREFNO     RISKID     USERID     ORGRULEID     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_DETDESC     OBJECT_TYPE     OBJECT_ID     LANG     DETAIL_DESCN     
    D     VIRSA_CC_DETDESC     MIT     TESTC1     EN     Test Mitigation control                    
    We are not mitigating users now. Only roles are getting mitigated and hence we have not provided any values to the MIT USER table.
    Thanks and Best Regard,
    Srihari.K

    Dear Varun,
    Thanks for your reply. It helped me a lot. But however i am facing the following issue while uploading the mitigation controls
    After exporting the mitigation file from RAR, we opened the text file in a spreadsheet format and added few lines to the file and saved in the same text format or in UTF-8 format also
    After uploading the same into RAR again after changes we are facing similar errors mentioned in above query.
    But when we add lines  directly in the wordpad and upload the file then it is successful.
    We have to add so many mitigation controls and roles to be assigned for which excel would be easy way to dump.
    Is there anything wrong we  are doing here in editing and converting the files.
    Thanks and Best Regards,
    Srihari.K

  • Detect obsolete mitigating control assignments?

    Hello,
    What report/s would you use to detect obsolete mitigating control assignments?
    The scenario is: A user has been assigned a mitigating control, let's say during the CUP workflow, to mitigate a certain risk that came with a certain role. Later, that role is removed from the user. Now the user is in the scope of a mitigating control. However, the user is not even subject to the risk in question anymore.
    Which way (periodically?) could you detect these cases and clean up the mitigating control assignments?
    Thanks and regards
    Patrick

    Hey,
    My experience of cleaning up controls has not been very straight forward.
    I have had to perform various risk analysis reports and look up a list of user accounts that have been marked as "Expired" etc.
    It can be slightly more difficult  if, like many organisations, you decide to assign a control with a infinite validity period (i.e. 12.12.9999).
    The Business and Internal Control team need to be very proactive about regularly monitoring the controls and reviewing the assignments. This is one reason why I strongly recommend that controls are only assigned for a set period (i.e. 365 days/1 year), so a compulsory review takes place by the control owners/business on a regular basis. This makes the controls much more affective, robust and fit for purpose.
    Happy to hear other's opinions and ideas.

  • Mitigation control errors out in CUP approval

    We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR.  Once it goes for approval into CUP, it erroru2019s out when I try to approve it.  Here is the message:
    2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
    com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
         ... 32 more
    Thanks,
    Peggy

    Hello Peggy,
      Did you recently upgraded your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration"
    The problem is coming due to change in NW encryption algorithm and impacted GRC as well. This is fixed in SP10 of GRC.
    Regards, Varun

  • Workaround for non-SAP mitigating control reminders

    Dear all,
    Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
    Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
    Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
    Have you come up with any feasible workarounds for this?
    My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
    Cheers and best regards
    Patrick

    Hello,
    Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
    Regards,
    Jérôme.

  • Bringing mitigating controls from PC to AC in GRC 10.0

    Hi ,
    I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
    my client is asking me to copy all the mitigating controls from PC to AC.
    Is this possible ? if yes, What will be the process ?
    Thank you.

    Hi Sri,
    you can achieve by downloading and uploading the mitigations.
    Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
    and put the active column in the file as X.
    Regards,
    Venugopal Ireni

  • Mass maintenance of Mitigation controls in GRC 10.0

    Dear All,
    How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
    Thanks and Best Regards,
    Srihari.K

    Hi Sri,
    you can achieve by downloading and uploading the mitigations.
    Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
    and put the active column in the file as X.
    Regards,
    Venugopal Ireni

  • Transport of mitigation controls from GRC Dev to GRC Production in 10.0

    Hi All,
    Is there an option to transport mitigation controls from Dev to Prod in 10.0. Where is that option available. We could not find even download or upload option unlike 5.3 in 10.0
    Thanks and Best Regards,
    Srihari.K

    Hi
    I can see that this question is marked as answered . Could you please update what steps were taken for transporting mitigation controls? Thanks
    Best Regards
    Srilakshmi S

  • CUP-5.3-SP13-Mitigation Controls by rol/users

    Hi all!
    Since RAR consider mitigations contros both by rol and users, If I have the role ZROL1 mitigated for the ID risk P001* then, would be able CUP to consider this mitigation control even when CUP is managing users?
    I mean, if ZROL1 has a mitigation control, would appear at the request the ID risk whenever I add this role to a user?
    Many thanks in advance! any help would be welcomed.
    Margarita.

    Hi Margarita,
    If you want it will consider the role level mitigation controls. So in the request risk violation will not be shown.
    For this u need check the option, consider mitigation control in CUP. Configuration-> Risk anlsysis.
    Also in RAR following things needs to be done.
    RAR Configuration->Risk analysis-> Defaults values.
    Exclude mitigated Risk as yes.
    RAR Configuration-> Risk Analysis ->Additional options
    Include Role/Profile Mitigating Controls in User Analysis  as yes.
    If above values are defined as No. than Risk Voilation will be shown in the request.
    Kind Regards,
    Srinivasan

  • CUP - Mitigation Controls in a Detour Workflow

    Hello everybody,
    I have a problem with a detour workflow in CUP.
    I choose the detour condition: "SoD violation".
    So in theory, if there is no conflicts the workflow don't take the detour path.
    We supposed that the user request has an SoD conflict.
    In the stage(s) before the detour, if we assign a mitigation control that mitigate the risk, the detour is still taken.
    I think the workflow swich systematically to the detour if the request had a conflict, even if the risks were deleted by an Mitigation Controls assignment.
    Does anyone have a solution to avoid the detour path if we mitigate the risks?
    Thank you in advance!!

    Ben,
       This is how CUP works. There is no configuration which allows you to ignore SOD violaton even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh

  • GRC AC10 Mitigation Control Temporary Tables

    Hi everyone,
    I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
    I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
    Maybe it is stored in an XML file and that's why I cant reach the table.
    If you have any idea or any experience to share, I would really appreciate it!
    Thanks and regards,
    Fernando

    Hi Fernando
    Maybe it is stored in an XML file and that's why I cant reach the table.
    I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file
    I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
    Might need to trace it to identify the function module that is used by approver to view the request?
    Regards
    Colleen

  • Query on Mitigation Control

    Hi all,
    We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
    a) When we run the SoD anlaysis for that particular user we could able to see only half description of the Mitigation Control.
    Is there any limitation for the space or the parameters for the Mitigation Control Description.We are unable to see the entire description of the Mitigation Control (If the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet also we are getting only the part of the mitigation control and not the entire description of the mitigation control
    b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario,we have assigned 2-3 mitigation controls to one Mitigated user for mitigation. When we run SoD analysis we could able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned only the 3rd one assigned is being shown).
    But when we did a search for Mitigation controls with  the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
    Is there anything to do with the parameters set up or at the configuration side to resolve this.
    Please provide the procedure also in case of any changes to be made at configuration level.
    Thanks and Best Regards,
    Sri

    Hi Vit,
    Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
    Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
    Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
    Thanks and Best Regards,
    Sri

Maybe you are looking for

  • Exice Invoice

    hi, while saving excise invoice for factory sale i am getting following error- Balance in transaction currency How to solve this? Rahul

  • Why doesn't com.apple.IE.client.exeshut down when Mobile Me finishes sync?

    Since upgrading to iTunes 9.1.0.74 a couple of days ago, the com.apple.IE.client.exe process, which starts during the Calendars phase of a Mobile Me manual sync process, fails to shut down when the sync process is complete. The Calendars phase now ru

  • How to check old value in form personalization.

    Hi All, Could anybody please tell me how to check the old value in oracle forms using form personalization if someone is updating to someother value. For example. My Vendor Site Alternate name is XYZ and someone has changed it to ABC, How could i che

  • Dynamic text behind image?

    Hello, i have this dynamic textbox where im loading a number, that works fine, but then im loading a picture from an array on the same place as the number, and the picture comes on top of the textbox. How do i get the number on top of the image? thx.

  • Changing casuser password on solaris

    Dear *, I have intalled LMS 3.2 or solaris 10. The installation is successfull. Now i want to change the password of casuser but i am unable to find the resetCasuser. Seems like file is missing. Any idea why? NMSROOT\setup\support\resetCasuser Is the