Conflicting Roles

Similar Messages

• Specifying Conflicting Roles in Authorization

  I need to specify conflicting roles.
  For example, I have 2 roles - HR_Administrator and HR_Payroll_Manager. These 2 roles should never be assigned to the same user. There has to be a consistency check for conflicting roles while assigning roles to users.
  How could this be done? Have any of you done this before? Any user exits will help?

  Hi Lucy,
  perhaps you could use BAdI
  SMUM_ASSIGN_ROLE
  Regards
  Bernd

• Role based Firefighter approach in AC 10

  I am in the process of implementing "role based" FF (ID based approach not implemented as users are not comfortable to login to GRC system to execute the tcodes).  I have a query about it.
  If we maintain the role based FF logins, and we run risk report, still all the conflicts are found associated with that FF ids as they have the conflicting role assigned to them in SU01.  So is it ok, to live with these conflict found related to FF ids.  what will be the case during audit, will they accept these risks occuring for the FF can be ignored.

  Hello,
  I think the best approach is to mitigate the risk as Alexander describes here:
  Why Role based Firefighter
  Cheers,
  Diego.

• Windows Media player and flash player conflicting

  Hello,
  I have a problem with watching streams (television programs)
  on the internet. I think this is caused by conflicting roles of
  windows media player and flash player. When i don't have installed
  flash player i can watch the streams. When i install flash player,
  i see only green and red blocks on the respective screen. I don't
  know where the problem lies. I have installed Windows Media player
  again, (also Flash player) but this hasn't worked. The streams work
  with Mozilla firefox.
  I hope you could really help me,
  Sincerily,
  Tuncie

  Hi Tuncie
  Verify that Windows Media Player is not set as the default
  player for all content in Firefox including Flash.
  Also, please respond with a URL for testing.

• Role Based Risk Analysis Report

  Hello All,
  When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  this is the correct response.
  However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
  Also, when I click on the Detail Report button, I received object data that does not appear correct.
  Please Help.  Thanks.
  Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

  Hi Babiji,
  Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis.In addition to what Sneha has said,
  To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level.In Virsa 4.0 you have the option of carrying out risk anaysis at role level by executing the t-code /N/VIRSA/ZVRAT.
  In section Analysis type, choose Roles and enter the list of roles.
  In section SOD Risk level, choose the appropriate risk.
  Then choose the appropriate report type and report format before executing it.
  This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
  Thanks,
  Saby..

• ARQ: Are "Valid From" and "Valid To" dates are considered for risk analysis???

  Hi All,
  I have one question w.r.t. risk analysis of user while raising a request in ARQ.
  I have noticed that, when a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being the same), ARQ shows risk violations properly.
  This is quite logical, because user is assigned conflicting roles within the same dates.
  In another scenario, if a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being different)
  Example:
  Time Administration : Valid From=15.06.2014 and Valid To= 31.12.2014
  Payroll Administrator: Valid From=20.06.2014 and Valid To= 31.12.2014
  ARA still shows as violations (in ARQ)! Though the "Valid From" dates are different.
  Logically, user is not assigned these roles at the same time to cause a risk violations. However, system is showing violations.
  May I know if validity dates are considered while performing risk analysis in ARQ? If no, then what could be the justification?
  Please advise.
  Regards,
  Faisal

  Rafal,
  Thanks for your reply.
  Does it mean that all future dates will be considered while analysis?
  OR
  Does ARA consider these dates?
  Regards,
  Faisal

• CUP Risk Analysis Error

  Hi Experts,
  OUR GRC AC system configuration is: GRC AC 5.3 CUP Patch 7.0. One of our enduser has requested for a new role through CUP. While the manager performs the risk analysis, it is showing the following error: "Risk Analysis failed: Exception in getting the result from the webservice: service call exception, nested exception is: java.net.socket Timeout Exception: Read timout".
  Below is the system log of CUP for futher reference:
  2009-12-02 11:08:41,428 [SAPEngine_Application_Thread[impl:3]_12] ERROR com.virsa.ae.core.BOException: Exception in getting the results from the web service : Service call exception; nested exception is:
                  java.net.SocketTimeoutException: Read timed out
  com.virsa.ae.core.BOException: Exception in getting the results from the web service : Service call exception; nested exception is:
                  java.net.SocketTimeoutException: Read timed out
                  at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:199)
                  at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doRiskAnalysis(RiskAnalysisAction.java:1073)
                  at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doAnalysis(RiskAnalysisAction.java:300)
                  at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:109)
                  at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
                  at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
                  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
                  at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
                  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
                  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
                  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
                  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
                  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
                  at java.security.AccessController.doPrivileged(AccessController.java:219)
                  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
                  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Caused by:
  com.virsa.ae.service.ServiceException: Exception in getting the results from the web service : Service call exception; nested exception is:
                  java.net.SocketTimeoutException: Read timed out
                  at com.virsa.ae.service.sap.RiskAnalysisWS53DAO.getViolations(RiskAnalysisWS53DAO.java:343)
                  at com.virsa.ae.service.sap.RiskAnalysisWS53DAO.getViolations(RiskAnalysisWS53DAO.java:451)
                  at com.virsa.ae.service.sap.RiskAnalysisWS53DAO.determineRisks(RiskAnalysisWS53DAO.java:569)
                  at com.virsa.ae.service.sap.RiskAnalysis53DAO.determineRisks(RiskAnalysis53DAO.java:119)
                  at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:182)
                  ... 24 more
  Caused by:
  java.rmi.RemoteException: Service call exception; nested exception is:
                  java.net.SocketTimeoutException: Read timed out
                  at com.virsa.ae.service.sap.ws53.Config1BindingStub.execRiskAnalysis(Config1BindingStub.java:90)
                  at com.virsa.ae.service.sap.ws53.Config1BindingStub.execRiskAnalysis(Config1BindingStub.java:99)
                  at com.virsa.ae.service.sap.RiskAnalysisWS53DAO.getViolations(RiskAnalysisWS53DAO.java:311)
                  ... 28 more
  Caused by:
  java.net.SocketTimeoutException: Read timed out
                  at java.net.SocketInputStream.socketRead0(Native Method)
                  at java.net.SocketInputStream.read(SocketInputStream.java:153)
                  at java.io.BufferedInputStream.fill(BufferedInputStream.java:200)
                  at java.io.BufferedInputStream.read(BufferedInputStream.java:218)
                  at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.readLine(HTTPSocket.java:806)
                  at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getInputStream(HTTPSocket.java:341)
                  at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getResponseCode(HTTPSocket.java:250)
                  at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.HTTPTransport.getResponseCode(HTTPTransport.java:362)
                  at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.outputMessage(MimeHttpBinding.java:553)
                  at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1432)
                  at com.virsa.ae.service.sap.ws53.Config1BindingStub.execRiskAnalysis(Config1BindingStub.java:83)
                  ... 30 more
  Could anyone please analyze, where it went wrong.
  Thanks a lot in advance.
  Regards,
  Gurugobinda

  We are facing this issue as well. This is seen in requests where there are a lot of conflicting roles requested, or if the user on the backend already has many SoD conflicts.
  How many risk violations did show up in the RAR simulation? Seems that above 1000 you will get performance issues in CUP risk analysis.
  We are also on SP7 and we did receive a reply from SAP that the risk violation threshold can be changed in RAR as of SP9:
  =======================================================
  From CUP 5.3 SP9 onwards, we have one parameter in RAR in
  'Configuration>Risk Analysis>Performance Tuning' which will
  enable you to set threshold violation limit for the Risk Analysis web
  service. The name of the attribute is 'Threshold Violation Limit for webservice' and default value of this attribute is 1000.
  When you perform risk analysis from CUP and the violation data count
  exceeds this limit then error message will appear.
  Setting this attribute will help tuning your performance.
  ==========================================================
  Regards,
  Stefan.

• SoD Error in Back system

  Hello,
  While changing the user in SU01 the following error occured:
  SAP Adapter has a problem, SOD violations will not be checked !!!
  Please check with your system Administrator
  Technical Info:
  Bean VIRSA/RT_JAVA_RISK_ANALYSISnot found on host ulldev, ProgId =GRCRTTOCC5X
  I searched and found a thread with the same error but the OSS mentioned in that thread was not opening in the service marketplace (Error was Requested OSS Notes was either in reworking mode or it is released internally)
  Can you please help me on this error?
  Can you please paste the content of the OSS Note: 1145048
  Regards,
  Kumar Rayudu

  Hello Kumar,
  Please check SAP Note 1225960 which has the same issue mentioned and is available for download.
  The content of note 1145048 is also pasted below.
  1. Go to Backend system where Risk Terminator is giving this error.    
  2. Go to SM59 and delete all (old and new) TCP/IP connections created  
  for Risk Terminator per note 1060673.                                                                               
  3. Now go to Visual Admin -> Server<number> -> Services -> JCo RFC     
  provider.                                                              
  Here if you see any entries related to TCP/IP connector you created for
  Risk Terminator, delete them all, by clicking 'Remo..' (Remove) button.
  4. Then go to Backend system (where RTA is installed) and follow below 
  steps:                                                                               
  a. SM59 -> click on TCP/IP and click 'Create'.                       
    b. Give 'RFC Destination' name and it should be EXACTLY 10 character 
  long. Apart from that first three characters should be System Id. Say                                                                               
  'PRDGRCCONN' (This is precautionary step).                             
    c. Now select 'Connection Type' as T.                                
    d. Give Description.                                                 
    e. Under 'Technical Settings' tab select radio button 'Registered    
  Server Program' and enter 'Program ID' EXACTLY 10 character (This is   
  compulsary step). And the important thing you have to take care while  
  giving name is that no character in this program id name should be part
  of 'RFC Destination' name given in step 'b.' above. Per above 'RFC     
  Destination' name, Program ID should be like 'ABEFHIJKLM' (This is     
  precautionary step).                                                   
    f. Avoid entering value for 'Gateway Host' while creating TCP/IP     
  connection.                                                            
    g. However 'Gateway service' entry is MUST. Use transaction 'RSGWLST'
  to check the same.                                                     
    h. Go to transaction /VIRSA/ZRTCNFG and maintain option 'RFC         
  destination for release CC5.X' same as 'RFC Destination' given above in
  step 'b.' say 'PRDGRCCONN' and 'Save'.                                                                               
  5. Now go to Frontend Compliance Calibrator 5.2 and follow below steps:
    a. Go to 'Configuration' -> 'Connector' -> 'Search' -> 'Search' ->   
  select the relevant connector and click 'Change'.                      
    b. Now change 'Report Name' to be same as Program ID given while     
  creating TCP/IP connection and per above example it should be          
  'ABEFHIJKLM' and 'Save'.                                               
    c. Now 'Logoff' from Compliance Calibrator.                          
    d. 'Login' again into Compliance Calibrator 5.2 and go to            
  'Configuration' -> 'SAP Adapter' and click on the grey diamond for the 
  relevant SAP system.                                                   
    e. If it don't become Green and gives error, then restart J2EE. Else 
  test Risk Terminator in the Backend system by creating or changing one 
  conflicting Role.                                                      
  Regards,
  Varun
  Edited by: Thakur Varun on Jul 20, 2009 11:22 AM

• How to mitigate control at User levels

  Hello Friends,
  Can anyone send me step by step process documentation on how to mitigating control at user levels? I have already run the risk analysis ( Global Conflict roles analysis/risk analysis). So I do have all detail information like control ID , management approver and description,etc.
  It will be highly appreciated on any guidence on this.
  Regards,
  Suvi

  Hi,
  Please follow the below steps to mitigate user.
  1.  once you get the all details ( Mitigation control id, approver id and Monitor id), then select/click on the RAR Mitigation tab-> click on the Mitigated User option->search.
  There is one page is open and then click on ADD button at the bottom of the screen. once you click on add option it will ask the Mitigation control id, user id, Risk id etc... once filled the all required filelds and save. Now successfully applied the moitihation control to the particler user.
  Regrads,
  Arjuna.

• Risk Analysis thru Web Service

  I'm trying to get Risk Analysis (SoD violaions) for roles using web service. Current approach we are using is to first use web service SubmitRequest to create service and then use web service RiskAnalysis for SoD checks for that request. However, is there any web service which gives Risk analysis directly without creating request in GRC? If i give 2 conflicting roles then can i get risk analysis without actually creating request in GRC?
  Thanks,

  Hi Alpesh, Ankur,
  Thaks for your answer. As you said, the web service which you mentioned works for existing users with assigned roles/profiles. I was more looking for web service which will give me Risk Analysis before i assign Roles/Profiles.
  I found one service VirsaCCRiskAnalysisService which allows me to do risk analysis before assigning any roles/profiles. Of course, the condition is that User should exist in back-end system.
  Thanks,
  Sanjay shah

• SSAS Caused Users Excel Filter to Reset

  I have multiple end users linking to a Tabular Analysis Server data cube. The cube is refreshed (full) every night when the BI datawarehouse it draws from is updated. This setup has been in place for over a year.  One morning several users reported
  that the Excel manual filter for employeeid had been reset in all their charts and graphs.  It had been on multi-select, but had been reset to none selected.  Filters for categories, location, etc where unaffected.  Most users where affected,
  but one was not.  Once the filters are reset, they seem to be staying set again.  The data cube had not been structurally modified for a week before this incident, and the modification was unrelated to the employees data.  I can find no updates
  for that week to the server or user's machines.  All user machines are Windows7 with Office 2013, the server is Windows 2012 with Sql Server 2014 running in tabular mode.  Since several users at once suffered the effect, I am assuming the server
  was to blame, but can find no cause.  Anybody with any ideas on this?  They refuse to believe that Ninja Gremlins were involved. 

  Hi PaterVater,
  According to your description, a lot of user of your tabular get the row filter reset in Excel. Right?
  In this scenario, as you mentioned, the tabular data has some modification before, I want to know what those modifications do.
  Did you change anything in Role setting? It might be an additive security on two conflict Role membership which makes a conflict field unselect. See:
  The Additive Design of SSAS Role Security
  Please still check the employeeid in your data source. If the data get changed in some other way, it may cause the filter unselect as well due to mismatch data.
  Also what's the role membership and permission of the user who is not affected?
  Please provide some detail information with screenshots if possible.
  Best Regards,
  Simon Hou
  TechNet Community Support

• Socket Timeout Webservice Exception

  I am trying to connect to the webservice called as Currency Convertor..
  Its a very simple process which just connects to the webservice to get the conversion result..
  But I get the following error doing that..
  How can I resolve the error?
  A component failed while executing activity '/WebServicePOC#Default-1.0/ComponentExecution[ConvertingCurrency]' (BP-method convertingCurrency) over instance '/WebServicePOC#Default-1.0/2/0'.
  Details:
  The method 'CIL_convertingCurrency' from class 'WebService.WebServicePOC.Default_1_0.Instance' could not be successfully executed.
  Caused by: Read timed out
  fuego.lang.ComponentExecutionException: The method 'CIL_convertingCurrency' from class 'WebService.WebServicePOC.Default_1_0.Instance' could not be successfully executed.
       at fuego.component.ExecutionThreadContext.invokeMethod(ExecutionThreadContext.java:506)
       at fuego.component.ExecutionThreadContext.invokeMethod(ExecutionThreadContext.java:260)
       at fuego.fengine.FEEngineExecutionContext.invokeMethodAsCil(FEEngineExecutionContext.java:215)
       at fuego.server.execution.EngineExecutionContext.runCil(EngineExecutionContext.java:1175)
       at fuego.server.execution.microactivity.ComponentExecutionMicroActivity.runCil(ComponentExecutionMicroActivity.java:127)
       at fuego.server.execution.microactivity.ComponentExecutionMicroActivity.execute(ComponentExecutionMicroActivity.java:85)
       at fuego.server.execution.microactivity.MicroActivityEngineExecutionHandler.executeActivity(MicroActivityEngineExecutionHandler.java:89)
       at fuego.server.execution.ImmediateActivity.execute(ImmediateActivity.java:42)
       at fuego.server.execution.DefaultEngineExecution$AtomicExecutionTA.runTransaction(DefaultEngineExecution.java:304)
       at fuego.transaction.TransactionAction.startBaseTransaction(TransactionAction.java:470)
       at fuego.transaction.TransactionAction.startTransaction(TransactionAction.java:551)
       at fuego.transaction.TransactionAction.start(TransactionAction.java:212)
       at fuego.server.execution.DefaultEngineExecution.executeImmediate(DefaultEngineExecution.java:123)
       at fuego.server.execution.DefaultEngineExecution.executeAutomaticWork(DefaultEngineExecution.java:63)
       at fuego.server.execution.EngineExecution.executeAutomaticWork(EngineExecution.java:42)
       at fuego.server.execution.ToDoItem.executeAutomaticWork(ToDoItem.java:264)
       at fuego.server.execution.ToDoItem.run(ToDoItem.java:559)
       at fuego.component.ExecutionThread.processMessage(ExecutionThread.java:767)
       at fuego.component.ExecutionThread.processBatch(ExecutionThread.java:747)
       at fuego.component.ExecutionThread.doProcessBatch(ExecutionThread.java:143)
       at fuego.component.ExecutionThread.doProcessBatch(ExecutionThread.java:135)
       at fuego.fengine.ToDoQueueThread$PrincipalWrapper.processBatch(ToDoQueueThread.java:446)
       at fuego.component.ExecutionThread.work(ExecutionThread.java:831)
       at fuego.component.ExecutionThread.run(ExecutionThread.java:409)
  Caused by: java.net.SocketTimeoutException: Read timed out
       at java.net.SocketInputStream.socketRead0(Native Method)
       at java.net.SocketInputStream.read(Unknown Source)
       at fuego.net.FuegoSocketInputStream.read(FuegoSocketInputStream.java:91)
       at java.io.BufferedInputStream.fill(Unknown Source)
       at java.io.BufferedInputStream.read(Unknown Source)
       at org.apache.axis.transport.http.HTTPSender.readHeadersFromSocket(HTTPSender.java:583)
       at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:143)
       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
       at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
       at org.apache.axis.client.Call.invoke(Call.java:2748)
       at org.apache.axis.client.Call.invoke(Call.java:2424)
       at org.apache.axis.client.Call.invoke(Call.java:2347)
       at org.apache.axis.client.Call.invoke(Call.java:1804)
       at fuego.soaptype.SoapCall.invoke(SoapCall.java:234)
       at fuego.soaptype.SoapObject.invoke(SoapObject.java:310)
       at fuego.lang.Invokeable.invokeImpl(Invokeable.java:234)
       at fuego.lang.Invokeable.invokeDynamic(Invokeable.java:188)
       at WebService.WebServicePOC.Default_1_0.Instance.CIL_convertingCurrency(Instance.xcdl:6)
       at WebService.WebServicePOC.Default_1_0.Instance.CIL_convertingCurrency(Instance.xcdl)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at fuego.component.ExecutionThreadContext.invokeMethod(ExecutionThreadContext.java:499)
       ... 23 more

  We are facing this issue as well. This is seen in requests where there are a lot of conflicting roles requested, or if the user on the backend already has many SoD conflicts.
  How many risk violations did show up in the RAR simulation? Seems that above 1000 you will get performance issues in CUP risk analysis.
  We are also on SP7 and we did receive a reply from SAP that the risk violation threshold can be changed in RAR as of SP9:
  =======================================================
  From CUP 5.3 SP9 onwards, we have one parameter in RAR in
  'Configuration>Risk Analysis>Performance Tuning' which will
  enable you to set threshold violation limit for the Risk Analysis web
  service. The name of the attribute is 'Threshold Violation Limit for webservice' and default value of this attribute is 1000.
  When you perform risk analysis from CUP and the violation data count
  exceeds this limit then error message will appear.
  Setting this attribute will help tuning your performance.
  ==========================================================
  Regards,
  Stefan.

• CC - Unable to run Simulations.

  Hi All,
  Currently on CC 5.2, with the latest patches, i am facing an issue in the simlations at the User level, when I give a conflicting role to a user.
  Scenerio is :
  Roles Z1 and Z2 have conflicting functions for a risk RS01. This come as a risk when I assign the two roles to a user and run a risk analysis. At the same time I assign Z1 to a user and try doing a simulation to test what happens if I add Z2 to the same user. Ideally, it should come as the same risk as it was coming when I had assigned both the roles to the user. But to my surprise, it aint coming that way.
  Just wanted to have some ideas on the same if any of you have come across/know a resolution, for the same.
  Thanks a lot in advance!!
  Regards,
  Hersh.

  In a similar problem, what we realized was that even though we'd copied and pasted the role name, in fact there was something wrong with the pasted role name so it wouldn't show any conflicts.  Instead if we searched for the role and then selected it, things worked out.

• ARA does not show Violations in a role though conflicting transaction codes are assigned???

  Hi,
  I have noticed that a role having conflicting transaction codes assigned in the back end system is not propelry analyzed and in ARA application. When this role is analyzed, "No Violations" message is shown though there are conflicing transaction codes assigned.
  As far risk definitaion is concerned, conflicting actions are properly defined in respective conflicting actions and thse actions are grouped in a risk, which is applicable to a logical group (which in turn has the connector included causing this problem) and they are active.
  Rule are properly generated for the all the risks and functions. However, at the time of running risk analysis for this role, ARA is not showing as risk.
  May any one please advise on this?
  Regards,
  Rehan

  Neeraj,
  Now I have defined SAP_R3_LG logical group as "SAP" connector type and regenerated all the rules. Still it is showing no violations!
  Below are the screens for your reference:
  Can you please advise?
  Regards,
  Rhn

• GRC - SOD Conflict Management (SAP Role Substitution)

  Hi,
  I am looking to see how others handle SAP Role Substitution and SOD conflicts.
  For example, a person is going to be out on vacation for a few day and assigns their roles to another employees to continue with daily tasks....SOD risks result because of the temporary assignment and role combinations....what are you guys doing to manage, and monitor this sort of activity?
  Your help and comments greatly appreciated!

  Hi
  As already stated by Martin, one of the option for handling adtional backup access to users could be through Superuser Privilage management(If GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
  If GRC is not implemented with your client then any additional access which is resulting in SoD, there has to a proper documentation of temporary access assignment to users(For Audit purpose). Mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
  Thanks.
  Anjan