Compliance Calibrator 4.0 - importing Long Risk Detailed Description text

Similar Messages

• Virsa table containing Risk detailed description

  Dear,
  I would like to know witch table contains the information related to the Detailed Risk description.
  The table VIRSA_CC_RISKT contains the following fields RISKID, LANG, DESCN.
  DESCN refers to the short description. I would expect to have in that table a long /detailed description field.
  Thank you and kind regards
  Vincent

  I foud the solution by myself :
  I've to look into table VIRSA_CC_DETDESC
  Thank you and kind regards
  Vincent

• Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

  Hello Forum,
  I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC)
  I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3
  I found a process that will unload the data from CC 4.0 and be imported into RAR 5.2
  I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet
  Currently, I have the following definitions:
  Business Process 6 entries
  Functions 47 entries
  Risks 147 entries
  Mitigating Controls 40 entries
  Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software
  I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls
  Thanks for your responses in advance
  Jerry
  Ryerson, Inc
  630-758-2021

  Thanks for the reply
  I have the migration guide and have reviewed it; I have actually played around a bit with obtaining the file from CC 4.0; I found that the data records may need some adjustments to be compatible with RAR 5.2; one of the reasons that may be leading me to do everything from scratch
  The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area
  I'm not sure if they were mixed with the defaults
  I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rules set but I expect to find out
  Thanks again for your reply
  Jerry

• Custom Risks in Compliance Calibrator?

  Hello,
  Can someone please verify this process for me?
  My understanding is that once you create and configure a custom risk in Compliance Calibrator 5.2, you simply click generate and can then immediately run a risk analysis using the new custom risk.
  Is there any kind of a background job required to synchronise the new custom rule prior to running a risks analysis or any steps that I'm missing?
  Thanks your help is much appreciated,

  Hi Adamo,
     This is the exact process you need to follow. Once you create main risk and generate rules, you should be able to see the risk in CC. Have you enabled the particular risk? You can go to informer and try to run a simulation or ad-hoc analysis on that particular risk.
  Regards,
  Alpesh

• How to do mass risks deletetion in 5.2 compliance calibrator?

  Hello,
  Can anyone tell me the relevant table which store the risks for compliance calibrator? I want to perform mass deletion on the risks.
  Thanks
  Eric

  You can also just pull up the list of risks, click the delete key, and then press enter with the prompt to confirm the delete and hold the enter key down.  It will then loop through all the risks and delete them.  It can take about 20-30 minutes, but it works.  I just prop something up on the enter key when going to lunch or meeting.

• Compliance Calibrator 5.1 Risk Categories

  Hello.
  Is there a difference in the way the systems reacts to a risk category i.e. if the risk is classified as High, does it stop a user from doing something? Is there any difference between medium and low or are the categories merely used in the risk analysis reports as a statistic?
  Thanks.

  It is still preventative in that you can perform a risk analysis simulation.  That is, you can test for risks <i>before</i> you grant the user access.  It is also preventative in that it is testing segregation of duties controls, which are a type of preventative control.
  Risk Terminator leverages from the Compliance Calibrator rule-sets and basically modifies the user maintenance and role maintenance tcodes to add a risk-analysis step in there.  So, for example, if you are maintaining a role, when you go to generate, it will perform a risk analysis and you will have to document the reasons for creating/changing a risky role.  Same when you assign roles to a user that combine to cause a risk.  So, yes, Risk Terminator is also preventative.  As is Access Enforcer.

• SAP GRC Access Control - Compliance Calibrator - License Cost

  Dear all,
  I have some questions on Compliance Calibrator implementation.
  1. Do  we have to pay additional cost for the license to implement Compliance Calibrator?
  2. Since SAP GRC 5.3 is just released, which one do you recommend? SAP GRC 5.2 or 5.3?
  3. What would be the major difference between Compliance Calibrator in GRC 5.2 and 5.3?
  Best regards,
  Rolando

  Hi Rolando-
  1. Yes, there lies some license cost and the amount should not as much as taking SAP R/3 license. I am not sure of exact amount but its nominal as compared to other SAP products.
  2. SAP always recommend for the latest version available and why not one would go for latest version if you are paying something for that.
  Also, it depends on your existing R/3 version and its compatibility. In short run, you can choose per your existing versions but in long run everyone has to move to latest version. Say for example whoever is using SAP R/3 technology with whatever version, they all need to upgrade to ECC6.0 by 2011 with extension upto 2013. I am not sure of any such information about GRC AC though.
  3. Some enhancement have been done with CC 5.3. Those features include-
  1. Risk analysis for SAP Enterprise Portal and UME
  2. BI integration for custom reporting
  3. Reporting enhancement features include additional auditor, business manager and IT reports
  4. SOD management by exception. Can be integrated with workflow.
  5. Import/Export of configuration data
  6. Migration scripts
  7. Download and print capability on every report.
  Some performance improvements-
  1. Concurrent risk analysis.
  2. batch mode risk analysis
  3. Improved memory mgmnt etc.
  Hope it gives you now some more visibility.
  Cheers!
  Ashok

• Need some practical Scenarios to test Compliance Calibrator, FF and AE

  Hi Experts,
  I have installed Compliance Calibrator 5.2 / Access Enforcer and Firefighter on a test System. However i am looking for some practical scenarios / Examples to test the functionlity of these installations. If any of you is currently working on these technologies i appreciate if you c an provide 2 3 scenarios to test my installation and functionality .
  Thanks in advance.
  Your help is much apprecaited..
  SK

  Hi SK,
  Testing the functionality of CC
  1. I would recommend to create some test roles where in you plug in some conflicting tcodes
      which can pose a sure SoD Risk, lets say Create Vendor Invoice(FB01) and Make an
      Automatic Payment(F110).
  2. Now run the Risk Analysis by choosing the Default SAP GRC ruleset library and do a  
      Role level Analysis.Then Assign the Test Roles to Test Users and then do a User Level Analysis.
  3. You may have create some Custom Rule sets with appropriate naming of Conflicting functions
      like Creation of Purchase Order (P001), Approve Purchase Order(P002)
      in different Application Areas like Purchase 2 Pay(P2P), Order 2 Cash (O2D) and try to do
      the same as above two steps.
  4. Test the functionality of Risk Remediation by removing the conflicting tcodes and do the
      Risk Analysis.Your previous Risk Roles must not appear
  5. Test the functionality of Risk Mitigation by placing a mitigation Control on the Conflicting tcodes
     and do the Risk Analysis.Your previous Risk Roles must not appear if you have properly
      configured your CC
  Testing the functionality of FF
  1. I would say create a few Firefighter IDs in different functional areas like FI, SD, MM, and then
     create some test users for Firefighter Owners, Controllers and Firefighters who can use
     the functionality of FF.
  2. Create some FF roles which have exceptional access in those functional areas
      encompassing transaction codes and authorization objects that are not used in normal incidents.
  3. Assign each of the FF roles to the respective FF IDs and then to the test Firefighters.
  4. Pull the log reports in FF and see if it gives exact details of the FF usage.
  5. You may have take some assistance of the Functional team members to do the testing.
  Testing the functionality of AE
  1. Create a workflow scenario of hiring a new user.
  2. Create the request under a test requestor. Assign the request to some test approver
  3. Also Assign some roles and test the functionality.
  Hope this helps for a good start
  Regards,
  Kiran Kandepalli.

• Is Compliance Calibrator the same as GRC Access Control?

  I have been asked to look at<b> Compliance Calibrator </b>and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a Document called "<b>SAP GRC Access Control</b>" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles" eg:
  "SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts  automatically."
  None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called <b>Access Enforcer</b> but have no info on this... can anyone enlighten me?

  SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.

• Compliance Calibrator SOD Conflict (FI01 and FB05)

  I was hoping that someone could provide some insight as to why the "FI01 - Create Bank" and "FI02 - Change Bank" transactions would create a risk (in Compliance Calibrator) when coupled in the same security role with the "FB05 - Post with Clearing" transaction.  The risk description given by Compliance Calibrator is "Maintain bank account and post a payment from it".
    The FI01 and FI02 t-codes appear to only create/change routing numbers or addresses for banks.  There is no ability to create or change an actual bank account.  This alone doesn't seem to create a conflict when coupled with a posting transaction.  Is there possibly some functionality that I am missing?

  Hi Joshua,
  I strongly agree with you that there is no SOD conflict technically with FI01, FI02 with FB05 although the wording of the SOD conflict in a business sense meaning Maintain Bank Accounts vs Posting Payments sounds more like a Conflict.
  I dont see by anyway how you can maintain actual bank account in either FI01, FI02.
  FI01 and FI02 - Maintain Bank Info like Bank Address, Bank Key and soforth.
  FB05 - Make Payments to various accounts.
  Regards,
  Kiran Kandepalli.

• SAP GRC 5.2 Compliance Calibrator rule sets for HR module

  HI All,
  The company i am working for has done installation of GRC 5.2. I would like to download the SAP out of box Compliance Calibrator rule sets for HR function module in a spreadsheet format.
  I would like to download the rule set for risks at Function level, Tcode level and also at authorization object level in ABAP and Roles, actions and permissions in JAVA.
  I will discuss with the BPAs, internal auditors and come up with a new rule set exclusively for my company needs with the help of the above spreadhseet.
  Please tell me what steps i need to do to get this thing done.

  Please go through the process but save these as txt files for UNIX. I am not sure about 5.2 but CC4 was not uploading rule files correctly if file was not saved for TXT for UNIX.
  Regards,
  Harry Sidhu

• Updating Compliance Calibrator Rule Set

  The business has decided to change a few rules by removing a couple of custom tcodes from the rule set.  In DEV I go into the Function and remove the objects associated with the tcode and disable the tcode.  After running the rule set update there is still some sort of tie.  I have created a test ID in DEV with a known issue around each of the changes.  I'm not getting a different result when running compliance calibrator.
  Any ideas?
  We are running R/3 4.6C and compliance calibrator 4.0

  Can you please check the following demo?
  [Virsa Compliance Calibrator Application for SAP v5.1 Demo|http://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/d2f1cf9c-0d01-0010-2dac-aedd3c4f7f5b&overridelayout=true]
  Please give more details on the step where you got stuck.
  Regards,
  Dipanjan

• Configuring Role Expert Web services for Compliance Calibrator

  Hi @all,
  performing the configuration of Virsa Role Expert I've got a question regarding the settings for the various Web Service Info. for the Compliance Calibrator.
  Apart from the Web Service URL, user name and password need to be declared. The user guide names 'sapgrc' and 'webuser' as account names.
  My question: How do I setup these accounts? Is this an UME-Job - if so: what are the required roles and authorizations for these accounts?
  Kind regards,
  Martin

  Hi,
  the Web Services URLs are:
  Web Service Info. for CC Risk Analysis:     http://SERVER_NAME:PORT/VirsaCCRiskAnalysisService/Config1?wsdl&style=document
  Web Service Info. for CC Transaction Usage: http://SERVER_NAME:PORT/VirsaCCActionUsageService/Config1?wsdl&style=document
  Web Service Info. for CC Mitigation Control: http://SERVER_NAME:PORT/VirsaCCMitigation5_0Service/Config1?wsdl&style=document
  Web Service Info. for CC Functions: http://SERVER_NAME:PORT/VirsaCCFunction5_0Service/Config1?wsdl&style=document
  Web Service Info. for AE Workflow: http://SERVER_NAME:PORT/AEWFRequestSubmissionService_5_2/Config1?wsdl&style=document
  Does that answer your question?
  Regards,
  Martin

• Upload spreadsheet into Compliance Calibrator

  Hey Experts....
  Does anyone know how to upload a large amount of Users and Roles into Compliance Calibrator to do a simulation for SOD analysis?
  I have about 500 Users I need to run CC against in Production and don't want to do them manually.
  Any help would save a lot of time/$$.
  Thanks.
  Chris

  Chris,
       What version of CC do you have? What do you mean by doing it manually? If you have SAP 4.6C and above, you should be able to schedule background job to syn users, roles etc.
  Please provide more details.
  Regards,
  Alpesh

• Deleted Roles appearing in Compliance Calibrator (Informer Tab)

  Hi
  We had deletd some roles from SAP . These roles still show up on complaince calibrator as having high risk violations.
  This role was delted a month ago and we also have completed as full sync of the system . Still the roles are appearing in compliance calibrator in the informer tab.
  Coudl you please let me know how we can avoid this?

  instead of running a full synch I would attempt running an incremental synch and run the management reports again.  I believe this should do it.  I am not sure why the full synch would not work.