Changing Monitor on Mitigating Controls
HI all:
Just wondering, is there a way to change the Monitor on an existing mitigating control once it is assigned to either a role or user?? When we try to do it, the error message says "Role is already mitigated to Control xxxx: Monitor xxxx cannot delete".
The only workaround is to delete the exisintg entries and re-enter them with the new monitor...however this is not an efficient approach when we have many entries for one mitigating control.
The monitors are defined properly....we just can't change the mitigating control monitor once there are assignments to roles or users.
Any help would be appreciated.
Margaret
I think one of the option may be to keep the monitor ID same but change the name of the monitor for that monitor ID in the administrator tab of mitigation.
Hope this helps
Regards,
Nitin
Similar Messages
-
Significance of Monitor in Mitigation control
Can any body help me understand what does Monitor does in Mitigation control and what does the statement mean below:
"When creating a mitigation control, need to define the Action, Monitor ID, and
Frequency. If the monitor does not execute the action within the set frequency, then an alert
is generated"
Thanks,
AbhimanuHello Abhimanyu,
1. Can any body help me understand what does Monitor does in Mitigation control:
The role of Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra excess or conflicting access has not misused it. Every Mitigatin control, for this purpose has a Monitor attached to it who does this job.
2. what does the statement mean below:
"When creating a mitigation control, need to define the Action, Monitor ID, and
Frequency. If the monitor does not execute the action within the set frequency, then an alert
is generated"
I guess this is also covered in the explanation for point 1 and the post above from Margaret. In case not, please let us know.
Regards,
Hersh.
http://www.linkedin.com/in/hersh13
Edited by: HERSH GUPTA on May 7, 2009 10:43 AM -
Changing a monitor on a mitigating control
1. I am using CUP 5.2 and I noticed that I am not able to change the monitor on a mitigating control. The messages reads that the administrator id is already assigned as a monitor to a business unit and cant be deleted. When I go to the business unit and try and update that monitor it is not allowing me to do that also. There are users that have been assigned to that mitigating control although their valid to date has expired. Does anyone know how I can update the monitor and keep the mitigatig control?
2. When I am assigning a user to a mitigating control is there away to do them all at once instead of one by one?Hi Valarie,
You cannot edit the monitor of a mitigation control if that mitigation control has already been assigned to users. You will either have to delete all the users and then change the Mitigation control ID or you will have to assign a new monitor to all these mitigated users and then you will be able to delete the old monitor.
Hope this clarifies your doubt.
Thanks
Harleen
SAP GRC RIG -
Risk Analysis and Remediation Mitigating Control Monitoring Alerts
Hello,
We have configured an alert for a Mitigating Control. The Monitor must execute the report every day (report frequency = 1) or an alert email is sent to the Risk Owner.
The Risk Owner recieves the Alert email and the Alert is logged on the Alerts tab only for the first two days after the report is not executed by the Monitor. Is there a setting somewhere that controls why the alert is not generated after two days?
thanks
TammiCorrection.
The email is only sent for 2 days. The alert is logged on the Alert Monitor tab every day. -
Mitigation Monitor does not appear in Mitigation Controls section
In GRC RAR in the u201CMitigationu201D tab, I added a new Mitigation Monitor in the u201CAdministratorsu201D section and a new Mitigating Control. When I try to add the new monitor in the u201CMonitorsu201D tab within the u201CMitigation Controlsu201D section, the new monitor does not appear as an option. Iu2019m pretty sure I have every bit of authorization possible, so I donu2019t think this is an auth issue. I do not have any users assigned to the new mitigation control, so that isnu2019t the problem either.Is there a trick to getting my new monitor to show up? Thank you!
You also are required to first add the users to a Business Unit: Mitigation - Business Units - Search
Edit the business unit associated with the Mitigating control that you created and add the users.
Go back to the mitigating control and you should not see the users that you associated with the Business Unit.
-J -
RAR: Mitigation Control Monitoring
Hi,
I have configured and executed alert generation job but we are not able to obtain the alerts for mitigation control monitoring.
What we have done:
1) Define mitigation control including transaction XXXX to be executed daily
2) Monitor has executed thansaction XXXX on day 1
3) Alert generation job has been executed on day 1 (after step 2)
3) Monitor has not executed transaction XXXX on day 2
4) Alert generation job has been executed on day 2 BUT alert for control monitoring are not obtained.
Does anyone know why we are not getting the alerts for control monitoring?
Thanks in advance. Kind regards,
ImanolWhat is value of number of days for this Monitoring in Mit Control?
Is email id of Monitor maintained in Alert tab? -
Mass maintenance of Mitigation controls in GRC 10.0
Dear All,
How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
Thanks and Best Regards,
Srihari.KHi Sri,
you can achieve by downloading and uploading the mitigations.
Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
and put the active column in the file as X.
Regards,
Venugopal Ireni -
Error while uploading mitigation controls
Dear All,
While uploading the mitigation controls i am facing with the below error. Can you please help me in resolving this error.
Error in table dataVIRSA_CC_MITUSER
SQL:=>Insert into VIRSA_CC_MITMON(MITREFNO,MONITORID) Values(?,?)
Record::Line Number :21 : D VIRSA_CC_MITMON TESTC1 TEST1
Below is the text file which i am uploading into the RAR for test purposes
M VIRSA_CC_ADMIN USERID NAME EMAILID ROLEID
D VIRSA_CC_ADMIN TEST1 TEST1 test M
M VIRSA_CC_BUSUNIT BUSID
D VIRSA_CC_BUSUNIT TH
M VIRSA_CC_BUSUNITT BUSID LANG DESCN
D VIRSA_CC_BUSUNITT TH EN Thailand
M VIRSA_CC_BUAPPVR BUSID APPROVERID
D VIRSA_CC_BUAPPVR TH TEST1
M VIRSA_CC_BUMONITOR BUSID MONITORID
D VIRSA_CC_BUMONITOR TH TEST1
M VIRSA_CC_MITREF MITREFNO BUSID APPROVERID
D VIRSA_CC_MITREF TESTC1 TH TEST1
M VIRSA_CC_MITREFT MITREFNO LANG DESCN
D VIRSA_CC_MITREFT TESTC1 EN Test mitigation control
M VIRSA_CC_MITRISK MITREFNO RISKID
D VIRSA_CC_MITRISK TESTC1 F006*
M VIRSA_CC_MITMON MITREFNO MONITORID
D VIRSA_CC_MITMON TESTC1 TEST1
M VIRSA_CC_MITRPT MITREFNO ACTIONS VSYSKEY MONITORID FREQUENCY
M VIRSA_CC_MITUSER MITREFNO RISKID USERID VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_MITROLE MITREFNO RISKID ROLEID VALIDFROM VALIDTO MONITORID STATUS
D VIRSA_CC_MITROLE TESTC1 F006* Z1.*.ASST-SC-FINC-MGR 6/9/2010 7/25/2010 TEST1 0
M VIRSA_CC_MITHROBJ MITREFNO RISKID HROBJ HROBJTYP VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_MITPROF MITREFNO RISKID PROFILE VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_MITUSRORG MITREFNO RISKID USERID ORGRULEID VALIDFROM VALIDTO MONITORID STATUS
M VIRSA_CC_DETDESC OBJECT_TYPE OBJECT_ID LANG DETAIL_DESCN
D VIRSA_CC_DETDESC MIT TESTC1 EN Test Mitigation control
We are not mitigating users now. Only roles are getting mitigated and hence we have not provided any values to the MIT USER table.
Thanks and Best Regard,
Srihari.KDear Varun,
Thanks for your reply. It helped me a lot. But however i am facing the following issue while uploading the mitigation controls
After exporting the mitigation file from RAR, we opened the text file in a spreadsheet format and added few lines to the file and saved in the same text format or in UTF-8 format also
After uploading the same into RAR again after changes we are facing similar errors mentioned in above query.
But when we add lines directly in the wordpad and upload the file then it is successful.
We have to add so many mitigation controls and roles to be assigned for which excel would be easy way to dump.
Is there anything wrong we are doing here in editing and converting the files.
Thanks and Best Regards,
Srihari.K -
Detect obsolete mitigating control assignments?
Hello,
What report/s would you use to detect obsolete mitigating control assignments?
The scenario is: A user has been assigned a mitigating control, let's say during the CUP workflow, to mitigate a certain risk that came with a certain role. Later, that role is removed from the user. Now the user is in the scope of a mitigating control. However, the user is not even subject to the risk in question anymore.
Which way (periodically?) could you detect these cases and clean up the mitigating control assignments?
Thanks and regards
PatrickHey,
My experience of cleaning up controls has not been very straight forward.
I have had to perform various risk analysis reports and look up a list of user accounts that have been marked as "Expired" etc.
It can be slightly more difficult if, like many organisations, you decide to assign a control with a infinite validity period (i.e. 12.12.9999).
The Business and Internal Control team need to be very proactive about regularly monitoring the controls and reviewing the assignments. This is one reason why I strongly recommend that controls are only assigned for a set period (i.e. 365 days/1 year), so a compulsory review takes place by the control owners/business on a regular basis. This makes the controls much more affective, robust and fit for purpose.
Happy to hear other's opinions and ideas. -
Mitigation control errors out in CUP approval
We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR. Once it goes for approval into CUP, it erroru2019s out when I try to approve it. Here is the message:
2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by:
com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
... 32 more
Thanks,
PeggyHello Peggy,
Did you recently upgraded your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration"
The problem is coming due to change in NW encryption algorithm and impacted GRC as well. This is fixed in SP10 of GRC.
Regards, Varun -
Workaround for non-SAP mitigating control reminders
Dear all,
Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
Have you come up with any feasible workarounds for this?
My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
Cheers and best regards
PatrickHello,
Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
Regards,
Jérôme. -
Bringing mitigating controls from PC to AC in GRC 10.0
Hi ,
I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
my client is asking me to copy all the mitigating controls from PC to AC.
Is this possible ? if yes, What will be the process ?
Thank you.Hi Sri,
you can achieve by downloading and uploading the mitigations.
Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
and put the active column in the file as X.
Regards,
Venugopal Ireni -
GRC AC10 Mitigation Control Temporary Tables
Hi everyone,
I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
Maybe it is stored in an XML file and that's why I cant reach the table.
If you have any idea or any experience to share, I would really appreciate it!
Thanks and regards,
FernandoHi Fernando
Maybe it is stored in an XML file and that's why I cant reach the table.
I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file
I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
Might need to trace it to identify the function module that is used by approver to view the request?
Regards
Colleen -
Hi all,
We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
a) When we run the SoD anlaysis for that particular user we could able to see only half description of the Mitigation Control.
Is there any limitation for the space or the parameters for the Mitigation Control Description.We are unable to see the entire description of the Mitigation Control (If the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet also we are getting only the part of the mitigation control and not the entire description of the mitigation control
b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario,we have assigned 2-3 mitigation controls to one Mitigated user for mitigation. When we run SoD analysis we could able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned only the 3rd one assigned is being shown).
But when we did a search for Mitigation controls with the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
Is there anything to do with the parameters set up or at the configuration side to resolve this.
Please provide the procedure also in case of any changes to be made at configuration level.
Thanks and Best Regards,
SriHi Vit,
Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
Thanks and Best Regards,
Sri -
Disable mitigation control workflow
Hi community,
one pretty simple question: I would like to be disable the mitigation control workflow, meaning, I would like to be able to directly save mitigation controls, without sending this through an approval process. I cannot find the associated activity in the spro. Can you please assist me on this?
The way I saw this some time ago was that, if one disabled the mitigation control workflow, the Save button was visible in the mitigation control maintenance screen. When the workflow was enabled, the Submit button was visible (which, of course, makes sense). Now, I would like to be able to do this change.
I did also look into transaction GRFNMW_CONFIGURE_WD - nothing suspicious here.
Any help is highly appreciated. Thanks in advance!
EMHi EM,
Please set 1061 and 1062 to NO as per your requirement for mitigation assignment and mitigation maintenance.
BR,
Mangesh
Maybe you are looking for
-
I called the police and they told me they were there to escort me off the premisies. The person who stole my iPad was actually helping me buy accessories for yea go ahead and laugh im not happy. I called my carrier and they said there was nothing I
-
Can Appletalk be active on two network ports for printing?
Here's the core of my question: Can I keep Appletalk active on my Airport network port (in order to print to a wireless print server on an HP Laserjet 2100M) and simultaneously keep it active on my Ethernet port (in order to print to a Brother HL 270
-
I've created my site and compressed my video for iWeb in iMovie HD6. But for some reason, the video won't play when I visit the site. Any ideas? FYI, you can see the page here: http://web.mac.com/aubreysinger/iWeb/TheTrip/cinematique.html
-
IMPORT_LOGFILE_KEY_TOO_SHORT
Hi, in my z report i use FM 'L_TO_CREATE_DN'. Sometimes i get this dump 'IMPORT_LOGFILE_KEY_TOO_SHORT'. I´ve debugged the code and the dump arises within FM 'L_TO_CREATE_DN' in statement COMMIT WORK. I´ve searched in OSS but i haven´t found anything
-
Problem in Print Program, picking JECS value but not maintained
Hi, I have a report for Invoice Printing. My query is related to Item conditions that in one item we have not maintained JECS condition of 3% but when we are printing the program, that is printing Education cess 3%. This is done by the user mistake,