Compliance Calibrator SOD Conflict (FI01 and FB05)

I was hoping that someone could provide some insight as to why the "FI01 - Create Bank" and "FI02 - Change Bank" transactions would create a risk (in Compliance Calibrator) when coupled in the same security role with the "FB05 - Post with Clearing" transaction. The risk description given by Compliance Calibrator is "Maintain bank account and post a payment from it".
The FI01 and FI02 t-codes appear to only create/change routing numbers or addresses for banks. There is no ability to create or change an actual bank account. This alone doesn't seem to create a conflict when coupled with a posting transaction. Is there possibly some functionality that I am missing?

Hi Joshua,
I strongly agree with you that there is technically no SOD conflict with FI01/FI02 and FB05, although the wording of the SOD conflict in a business sense (Maintain Bank Accounts vs. Posting Payments) sounds more like a conflict.
I don't see in any way how you can maintain an actual bank account in either FI01 or FI02.
FI01 and FI02 - Maintain Bank Info like Bank Address, Bank Key and so forth.
FB05 - Make Payments to various accounts.
Regards,
Kiran Kandepalli.

Similar Messages

  • Need some practical Scenarios to test Compliance Calibrator, FF and AE

    Hi Experts,
    I have installed Compliance Calibrator 5.2 / Access Enforcer and Firefighter on a test System. However I am looking for some practical scenarios / examples to test the functionality of these installations. If any of you is currently working on these technologies I would appreciate it if you can provide 2-3 scenarios to test my installation and functionality.
    Thanks in advance.
    Your help is much appreciated.
    SK

    Hi SK,
    Testing the functionality of CC
    1. I would recommend creating some test roles in which you plug in some conflicting tcodes
        which can pose a sure SoD Risk, let's say Create Vendor Invoice (FB01) and Make an
        Automatic Payment (F110).
    2. Now run the Risk Analysis by choosing the Default SAP GRC ruleset library and do a
        Role Level Analysis. Then assign the Test Roles to Test Users and then do a User Level Analysis.
    3. You may have to create some Custom Rule sets with appropriate naming of Conflicting functions
        like Creation of Purchase Order (P001), Approve Purchase Order (P002)
        in different Application Areas like Purchase 2 Pay (P2P), Order 2 Cash (O2D) and try to do
        the same as the above two steps.
    4. Test the functionality of Risk Remediation by removing the conflicting tcodes and doing the
        Risk Analysis. Your previous Risk Roles must not appear.
    5. Test the functionality of Risk Mitigation by placing a Mitigation Control on the Conflicting tcodes
        and doing the Risk Analysis. Your previous Risk Roles must not appear if you have properly
        configured your CC.
    Testing the functionality of FF
    1. I would say create a few Firefighter IDs in different functional areas like FI, SD, MM, and then
       create some test users for Firefighter Owners, Controllers and Firefighters who can use
       the functionality of FF.
    2. Create some FF roles which have exceptional access in those functional areas
        encompassing transaction codes and authorization objects that are not used in normal incidents.
    3. Assign each of the FF roles to the respective FF IDs and then to the test Firefighters.
    4. Pull the log reports in FF and see if it gives exact details of the FF usage.
    5. You may have to take some assistance from the Functional team members to do the testing.
    Testing the functionality of AE
    1. Create a workflow scenario of hiring a new user.
    2. Create the request under a test requestor. Assign the request to some test approver
    3. Also Assign some roles and test the functionality.
    Hope this helps for a good start
    Regards,
    Kiran Kandepalli.
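    The rule model that Kiran's test steps exercise (functions made of conflicting tcodes, a role-level and then a user-level analysis, remediation by removing a role, and a mitigating control that hides a reported risk), applied to the FI01/FI02 vs. FB05 risk from the original question, as an added Python example. This is not code from the original thread and not SAP's own ruleset or engine: every function, risk, role and user ID below is constructed for illustration, and the show_mitigated switch mirrors the "with or without mitigation controls" report option.

```python
"""
Toy segregation-of-duties (SoD) engine, constructed for illustration.
Model: a FUNCTION is a set of transaction codes, a RISK is a pair of
conflicting functions, a ROLE grants t-codes, a USER holds roles, and a
MITIGATING CONTROL documents an accepted risk for a given user.
All identifiers are hypothetical and not the SAP GRC delivered ruleset.
"""

# Constructed ruleset (hypothetical IDs).
FUNCTIONS = {
    "AP01_INVOICE": {"FB01"},           # create vendor invoice
    "AP02_PAYMENT": {"F110"},           # automatic payment run
    "FI_BANK_MAINT": {"FI01", "FI02"},  # maintain bank master (address / bank key)
    "FI_POST_CLEAR": {"FB05"},          # post with clearing
}
RISKS = {
    "R001": ("AP01_INVOICE", "AP02_PAYMENT"),   # invoice and pay the same vendor
    "R002": ("FI_BANK_MAINT", "FI_POST_CLEAR"), # maintain bank and post a payment
}

# Constructed master data: roles -> t-codes, users -> roles.
ROLES = {
    "Z_AP_CLERK": {"FB01", "FB60"},
    "Z_AP_PAYER": {"F110"},
    "Z_BANK_MASTER": {"FI01", "FI02", "FB05"},  # the combination asked about
    "Z_DISPLAY_ONLY": {"FB03"},
}
USERS = {
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYER"],  # risk arises only from the role combination
    "AJONES": ["Z_BANK_MASTER"],             # risk already present inside one role
    "BLEE": ["Z_AP_CLERK", "Z_DISPLAY_ONLY"],
}
# Mitigating controls: risk id -> users for whom a control is documented.
MITIGATIONS = {"R001": {"JSMITH"}}


def functions_in(tcodes, functions=FUNCTIONS):
    """A function counts as enabled when at least one of its t-codes is granted."""
    return {name for name, codes in functions.items() if codes & tcodes}


def risks_in(tcodes, functions=FUNCTIONS, risks=RISKS):
    """Risk IDs whose two conflicting functions are both enabled by these t-codes."""
    enabled = functions_in(tcodes, functions)
    return {rid for rid, (a, b) in risks.items() if a in enabled and b in enabled}


def tcodes_for(assigned_roles, roles=ROLES):
    """Union of the t-codes granted by a list of roles."""
    return set().union(*(roles[r] for r in assigned_roles))


def role_level_analysis(roles=ROLES, functions=FUNCTIONS, risks=RISKS):
    """Step 2 (first half): risks contained within each single role."""
    return {role: risks_in(tc, functions, risks) for role, tc in roles.items()}


def user_level_analysis(users=USERS, roles=ROLES, functions=FUNCTIONS, risks=RISKS,
                        mitigations=None, show_mitigated=True):
    """Step 2 (second half) plus step 5: risks per user across all assigned roles.
    Each risk is flagged 'open' or 'mitigated'; with show_mitigated=False the
    mitigated ones are dropped from the report entirely."""
    mitigations = mitigations or {}
    report = {}
    for user, assigned in users.items():
        entries = {}
        for rid in sorted(risks_in(tcodes_for(assigned, roles), functions, risks)):
            mitigated = user in mitigations.get(rid, set())
            if mitigated and not show_mitigated:
                continue
            entries[rid] = "mitigated" if mitigated else "open"
        report[user] = entries
    return report


def simulate_user(user, users=USERS, roles=ROLES, functions=FUNCTIONS, risks=RISKS,
                  add=(), remove=()):
    """Step 4 / what-if simulation: the risk set a user would have after
    removing and/or adding roles, without changing the master data."""
    assigned = [r for r in users.get(user, []) if r not in set(remove)] + list(add)
    return risks_in(tcodes_for(assigned, roles), functions, risks)


if __name__ == "__main__":
    print("Role level:", role_level_analysis())
    print("User level (all):", user_level_analysis(mitigations=MITIGATIONS))
    print("User level (unmitigated only):",
          user_level_analysis(mitigations=MITIGATIONS, show_mitigated=False))
    print("AJONES without Z_BANK_MASTER:", simulate_user("AJONES", remove=["Z_BANK_MASTER"]))
    print("BLEE plus Z_AP_PAYER:", simulate_user("BLEE", add=["Z_AP_PAYER"]))
```

    Note that JSMITH's risk only appears at user level, because no single role carries both functions, while AJONES's risk is already visible at role level; that is why the steps run both analyses. Whether FI01/FI02 should really sit in the same function as bank-account maintenance is a ruleset decision, not something the engine can tell you.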

  • Compliance Calibrator v4.0 - Cross System SoD Analysis

    Hi all,
    I'm looking to run SoD analysis across BI7 and ERP using Compliance Calibrator v4.0. I can see the parameter in the config overview, and have set it to yes in both systems. But there is nothing else in the documentation as to what other config etc. is needed. Does anyone know the steps involved or could you point me in the direction of documentation?
    Thanks in advance,
    Fiona

    Hi,
    there is a difference only if you have created and assigned mitigation controls to users.
    In that case, you can decide to see the report of SOD conflicts with or without mitigation controls:
    - Either you see all SOD conflicts including those that are mitigated (it is however clearly stated in the report whether a mitigation control exists or not)
    - Or you see all SOD conflicts except those that are mitigated (we thus consider that mitigated conflicts should not appear in the report)
    Rgds,
    Karim

  • Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

    Hello Forum,
    I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC)
    I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3
    I found a process that will unload the data from CC 4.0 and be imported into RAR 5.2
    I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet
    Currently, I have the following definitions:
    Business Process 6 entries
    Functions 47 entries
    Risks 147 entries
    Mitigating Controls 40 entries
    Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software
    I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls
    Thanks for your responses in advance
    Jerry
    Ryerson, Inc
    630-758-2021

    Thanks for the reply
    I have the migration guide and have reviewed it; I have actually played around a bit with obtaining the file from CC 4.0; I found that the data records may need some adjustments to be compatible with RAR 5.2; one of the reasons that may be leading me to do everything from scratch
    The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area
    I'm not sure if they were mixed with the defaults
    I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rules set but I expect to find out
    Thanks again for your reply
    Jerry

  • Re: Virsa Compliance Calibrator & Pre-defined SOD Rule Set

    Hi All,
    We have installed the Virsa Compliance Calibrator 5.1 in our sandbox environment. When we go to the "Rule Architect" tab under Compliance Calibrator using tcode /virsa/zvrat it brings up the page with Rules information.
    Per the Virsa documents that I read, they have mentioned that there are pre-defined SOD Rules (Transaction codes and Tcode objects) that we can use in the Rule Architect.
    My question is how do I enable and use those pre-set SOD Rules that Virsa provides by default. I do not see them under the Rule Architect tab though. Can someone give some pointers to use these pre-set SOD rules?
    Thanks & Regards
    -Murali

    Hi Laziz,
    Thanks for your patience in replying to my CC 5.1 queries. I did follow your steps for the Generate Rule & Background Job -> Schedule Analysis and scheduled the job immediately.
    However, when I looked up the status of the scheduled analysis, Background Job -> Search pulls up the job I scheduled and at the top it reads "Job scheduler Status: unknown error". I clicked on the "View Log" button and it shows some messages as shown below (Note: I am just posting some parts of the error msgs below, but it still goes on for 1 page...)
    May 16, 2007 1:09:07 PM com.virsa.cc.xsys.bg.BgJobDaemon init
    INFO: *** BgJobDaemon loaded
    May 16, 2007 1:11:09 PM com.virsa.cc.common.util.ConfigUtil setDefaultJ2EEParam
    WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB
    java.lang.NullPointerException
         at com.virsa.cc.common.util.ConfigUtil.setDefaultJ2EEParam(ConfigUtil.java:203)
         at com.virsa.cc.common.util.ConfigUtil.getBgJobStartURL(ConfigUtil.java:192)
         at com.virsa.cc.xsys.bg.AnalysisDaemonThread.run(AnalysisDaemonThread.java:45)
         at java.lang.Thread.run(Thread.java:534)
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.ReportPack50SP1_01 class: com/virsa/cc/extreport/ReportPack50SP1_01/ReportPack50SP1_01.class
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: Jar Entry length=1568 compressed size=1568 actual read=1568
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtActbyRsk_Act_RskLvl class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtActbyRsk_Act_RskLvl.class
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: Jar Entry length=13210 compressed size=13210 actual read=13210
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtRolbyRsk class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtRolbyRsk.class
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: Jar Entry length=19287 compressed size=19287 actual read=19287
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtProfbyRsk class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtProfbyRsk.class
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: Jar Entry length=12807 compressed size=12807 actual read=12807
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.UsersbyOrgLevels class: com/virsa/cc/extreport/ReportPack50SP1_01/UsersbyOrgLevels.class
    May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
    FINEST: Jar Entry length=18557 compressed size=18557 actual read=18557
    May 16, 2007 1:24:59 PM com.virsa.cc.common.util.ConfigUtil setDefaultJ2EEParam
    WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB
    java.lang.NullPointerException
    I am not sure what's causing this and it's been 2 hrs since I scheduled the user analysis but I don't see any data still appearing in the front-end. Any pointers again???
    Thanks
    -Murali

  • Compliance Calibrator for SRM and SCM???

    Hello,
    Can we use the compliance calibrator for the modules like SRM and SCM? Do we get any ruleset for these modules from SAP or need to create ourself?
    Thanks in advance
    Eric

    Alexander,
    Thanks for your prompt response. But the note available from SAP does not include SCM?
    Note 1033326 - Compliance Calibrator 5.2 Rule Upload
    SOD Action and Permission level rules are provided for R/3, APO, ECCS, CRM
    and SRM. HR and Basis rules are included in the R/3 but also broken out
    separately.
    Could you tell me what all other modules are included in the standard ruleset?
    Thanks in advance
    Eric

  • Compliance Calibrator: Background jobs didn't bring in the correct data.

    Hi Gurus;
    In Compliance Calibrator, background jobs were last run on 5/27/09 but the management report shows that the summary is as of 5/20/09. That should have been updated up till 5/27/09 and the new number of conflicts should have come up, which it didn't. What can be the problem?
    Thanking you;
    Raja

    Hi Harleen;
    This job was actually set by the client. So when I went to check the parameters of the jobs, I found that the field MGR_ANALYSIS consists of Field value "N". Does this mean that the Management Analysis box was not ticked when this job was scheduled?
    Regards;
    Raja

  • GRC - SOD Conflict Management (SAP Role Substitution)

    Hi,
    I am looking to see how others handle SAP Role Substitution and SOD conflicts.
    For example, a person is going to be out on vacation for a few days and assigns their roles to another employee to continue with daily tasks....SOD risks result because of the temporary assignment and role combinations....what are you guys doing to manage and monitor this sort of activity?
    Your help and comments greatly appreciated!

    Hi
    As already stated by Martin, one of the options for handling additional backup access to users could be through Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
    If GRC is not implemented with your client, then for any additional access which is resulting in SoD, there has to be proper documentation of the temporary access assignment to users (for audit purposes). A mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
    Thanks.
    Anjan

  • SAP GRC Access Control - Compliance Calibrator - License Cost

    Dear all,
    I have some questions on Compliance Calibrator implementation.
    1. Do  we have to pay additional cost for the license to implement Compliance Calibrator?
    2. Since SAP GRC 5.3 is just released, which one do you recommend? SAP GRC 5.2 or 5.3?
    3. What would be the major difference between Compliance Calibrator in GRC 5.2 and 5.3?
    Best regards,
    Rolando

    Hi Rolando-
    1. Yes, there is some license cost, and the amount should not be as much as taking an SAP R/3 license. I am not sure of the exact amount but it's nominal as compared to other SAP products.
    2. SAP always recommends the latest version available, and why wouldn't one go for the latest version if you are paying something for that?
    Also, it depends on your existing R/3 version and its compatibility. In the short run, you can choose per your existing versions but in the long run everyone has to move to the latest version. Say for example whoever is using SAP R/3 technology with whatever version, they all need to upgrade to ECC6.0 by 2011 with extension up to 2013. I am not sure of any such information about GRC AC though.
    3. Some enhancements have been done with CC 5.3. Those features include:
    1. Risk analysis for SAP Enterprise Portal and UME
    2. BI integration for custom reporting
    3. Reporting enhancement features include additional auditor, business manager and IT reports
    4. SOD management by exception. Can be integrated with workflow.
    5. Import/Export of configuration data
    6. Migration scripts
    7. Download and print capability on every report.
    Some performance improvements-
    1. Concurrent risk analysis.
    2. batch mode risk analysis
    3. Improved memory management etc.
    Hope it gives you now some more visibility.
    Cheers!
    Ashok

  • Create rules in Compliance Calibrator for HR PD profiles

    Hello
    In Compliance Calibrator can we create a rule to check PD profile combinations?
    Example:
    We have 3 PD profiles say 1, 2, 3
    We don't want 1, 3 together
    Any help on this, is greatly appreciated.


  • Upload spreadsheet into Compliance Calibrator

    Hey Experts....
    Does anyone know how to upload a large amount of Users and Roles into Compliance Calibrator to do a simulation for SOD analysis?
    I have about 500 Users I need to run CC against in Production and don't want to do them manually.
    Any help would save a lot of time/$$.
    Thanks.
    Chris

    Chris,
    What version of CC do you have? What do you mean by doing it manually? If you have SAP 4.6C and above, you should be able to schedule a background job to sync users, roles etc.
    Please provide more details.
    Regards,
    Alpesh

  • Compliance Calibrator 5.2 RTA for Non-SAP Apps

    Hi all,
    Can SoD rules be written for analyzing a user's access to SAP and NON-SAP applications across the enterprise?
    If yes, will CC RTA need to be installed on the NON-SAP application?
    If yes, are there any requirements that need to be met by the NON-SAP application, and is there a list of NON-SAP applications (other than PeopleSoft, Oracle, Hyperion, JD Edwards) that CC has an RTA for?
    Is there any documentation specific to applications that can support CC RTAs and installation on these?
    -Cheers

    Hi,
    Yes SoD rules can be written for analyzing user accesses to SAP and non-SAP applications.
    Basically there is no other application for which an RTA exists, but there is documentation discussing the technical requirements for file generation from the non-SAP systems for integration of non-SAP systems with SAP Compliance Calibrator.
    This documentation is available at http://service.sap.com/rkt-grc
    under SAP GRC Access Control 5.2 -> SAP GRC Compliance Calibrator 5.2 -> Step2: Prepare for your project -> Cross Application Material
    You'll need your OSS user-id to access that page; in case you cannot access it, please post a message in the OSS.
    Rgds,
    Karim

  • Compliance Calibrator 5.1 Alert File generation

    Greetings,
    I would like to understand how the Compliance Calibrator (CC) 5.1 Alert Generation File is created.  I specify a file name in 'Configuration/Miscellaneous/Alert Log Filename & Location', and schedule the job via 'Configuration/Background Job/Alert Generation'.  The file is updated daily, but where is the data pulled from?  It looks like the data is sorted daily by User ID and tcode.  The data looks like it could come from the Security Audit Logs on ABAP instance, but would this be required?
    Any technical information would be helpful.
    Thank you,
    Rob

    Hi Rob,
    There are different types of alerts which can be generated by Compliance Calibrator:
    a) the system finds that certain mitigation reports were not run in time;
    b) an end user executed a critical transaction listed in one of your risks;
    c) an end user executed conflicting transactions listed in one of your risks.
    So, the data is pulled from your ABAP system. And that explains why you get the list of user IDs and tcodes.
    Please advise whether this answers your question, and if yes, award the points accordingly.
    Best regards,
    Laziz

  • Compliance Calibrator Start up

    Hi,
    We are planning to bring SOD tool Compliance calibrator soon for our r/3 system.......
    before that I need to know how it works....I mean SAP provides CC software to be installed on R/3 server???
    Can someone tell me on which server CC installation takes place?

    Hi Lisa,
    Purpose of Installing RTA in R/3 Server
    ==============================
    This is an ABAP component which continuously and regularly collects data from the R/3 Server. As I said, this is the Backend used by all the GRC components, that is:
    1)Access Enforcer
    2)FireFighter
    3)Role Expert    and
    4)Compliance Calibrator
    What we install in J2EE Server and Purpose of it
    ====================================
    These are Java Deployable files (called Software Deployable Archives, SDA). These files form the frontend to access GRC components. The purpose of this is that, this forms an Interface to access the different applications.
    You have different SDAs for different applications like:
    1)Access Enforcer
    2) Role Expert
    3) FireFighter    and
    4) Compliance Calibrator
    For each application, you have respective Java Deployable files, i.e., SDAs. For example, if you want to use Compliance Calibrator, then you need to install its FrontEnd files (SDAs) on the J2EE server and access them through a Web Browser.
    Data Flow
    =========
    I will take the Compliance Calibrator example and explain it to you:
    You have RTA installed in R/3 server and frontend files on J2EE server.
    As you know, Compliance Calibrator is SODs violations reporting tool. Here you define all the rules and save it. You run reports called "Synchronization" for:
    Users
    Roles and
    Profiles
    When you run this, RTA (ABAP component in R/3 Server) will send the data as per your selection (User/Role/Profile) to FrontEnd on J2EE server where it maintains its own database in J2EE server for rendering purpose.
    Then you run the "Risk Analysis" reports in front end of different types:
    User
    Roles and
    Profiles
    Then it gives you the reports accordingly. For any change in the R/3 Server, you need to re-run the "Synchronization" reports again. Usually, these reports are run every day on an "Incremental" basis.
    Hope, this will answer what you have asked for.
    Feel free to ask further queries.
    Reward points if useful.
    Thanks and Regards,
    Faisal

  • Is Compliance Calibrator the same as GRC Access Control?

    I have been asked to look at Compliance Calibrator and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a document called "SAP GRC Access Control" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles", e.g.:
    "SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts  automatically."
    None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called Access Enforcer but have no info on this... can anyone enlighten me?

    SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.
