Creating Mitigation Control from CUP

Similar Messages

• Bringing mitigating controls from PC to AC in GRC 10.0

  Hi ,
  I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
  my client is asking me to copy all the mitigating controls from PC to AC.
  Is this possible ? if yes, What will be the process ?
  Thank you.

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• Transport of mitigation controls from GRC Dev to GRC Production in 10.0

  Hi All,
  Is there an option to transport mitigation controls from Dev to Prod in 10.0. Where is that option available. We could not find even download or upload option unlike 5.3 in 10.0
  Thanks and Best Regards,
  Srihari.K

  Hi
  I can see that this question is marked as answered . Could you please update what steps were taken for transporting mitigation controls? Thanks
  Best Regards
  Srilakshmi S

• Create data control from java class, not see "ADF Parameter Forms" option

  Hi,
  I have created a Fusion Web Application (ADF) in jdev 11g. In the application model project, I created a java class. Inside the java class, I have a public method as below
  public Asset [] searchAsset3(SearchTerm s) // SearchTerm is a java bean. It implements java.io.Serializable.
  I created data control from my java class. After that, I see an xml file generated under the same folder of my java class. Here is the xml content.
  <?xml version="1.0" encoding="UTF-8" ?>
  <JavaBean xmlns="http://xmlns.oracle.com/adfm/beanmodel" version="11.1.1.53.62"
  id="AIAAsset" Package="oracle.apps.aia.oer.model"
  BeanClass="oracle.apps.aia.oer.model.AIAAsset" isJavaBased="true">
  <MethodAccessor IsCollection="true"
  Type="com.flashline.registry.openapi.entity.Asset"
  BeanClass="com.flashline.registry.openapi.entity.Asset"
  id="searchAsset" ReturnNodeName="Asset"
  CollectionBeanClass="UpdateableCollection">
  <ParameterInfo id="name" Type="java.lang.String" isStructured="false"/>
  <ParameterInfo id="version" Type="java.lang.String" isStructured="false"/>
  <ParameterInfo id="description" Type="java.lang.String"
  isStructured="false"/>
  </MethodAccessor>
  <MethodAccessor IsCollection="true"
  Type="com.flashline.registry.openapi.entity.AssetSummary"
  BeanClass="com.flashline.registry.openapi.entity.AssetSummary"
  id="searchAssetSummary" ReturnNodeName="AssetSummary"
  CollectionBeanClass="UpdateableCollection">
  <ParameterInfo id="name" Type="java.lang.String" isStructured="false"/>
  <ParameterInfo id="version" Type="java.lang.String" isStructured="false"/>
  <ParameterInfo id="description" Type="java.lang.String"
  isStructured="false"/>
  <ParameterInfo id="type" Type="java.lang.String" isStructured="false"/>
  </MethodAccessor>
  <MethodAccessor IsCollection="true"
  Type="com.flashline.registry.openapi.entity.Asset"
  BeanClass="com.flashline.registry.openapi.entity.Asset"
  id="searchAsset3" ReturnNodeName="Asset"
  CollectionBeanClass="UpdateableCollection">
  <ParameterInfo id="s" Type="com.flashline.registry.openapi.query.SearchTerm"
  isStructured="true"/>
  </MethodAccessor>
  <ConstructorMethod IsCollection="true"
  Type="oracle.apps.aia.oer.model.AIAAsset"
  BeanClass="oracle.apps.aia.oer.model.AIAAsset"
  id="AIAAsset"/>
  </JavaBean>
  Then, in application user interface project, I created a JSPX page. From the data controls palette, I want to drag and drop the searchAsset3 onto my page. However, I don't see an option for me to choose "Create -> Parameters -> ADF Parameter Form". I only see "Create -> Methods". Unlike other public methods (e.g.searchAssetSummary and searchAsset) which have simple data type as input, I can see the "Create -> Parameters -> ADF Parameter Form" option when I drag and drop to my jspx page. Is that something I missed while creating data controls?
  Thanks.
  Arnold.

  Then, my other question is how do you do the bindings? I drag and drop the attributes from SearchTerm bean. Now the pagedef file has the AttributeValues added but my method is actually expecting one input parameter of type SearchTerm. How do you bind the attributes to the input of the method? Thanks.
  See below of my pagedef xml file.
  <?xml version="1.0" encoding="UTF-8" ?>
  <pageDefinition xmlns="http://xmlns.oracle.com/adfm/uimodel"
  version="11.1.1.53.62" id="SearchAssetBySearchTerm1PageDef"
  Package="oracle.apps.aia.oer.view.pageDefs">
  <parameters/>
  <executables>
  <variableIterator id="variables"/>
  <methodIterator Binds="SearchTerm.result" DataControl="AIAAsset"
  RangeSize="25"
  BeanClass="com.flashline.registry.openapi.query.SearchTerm"
  id="SearchTermIterator"/>
  </executables>
  <bindings>
  <methodAction id="SearchTerm" RequiresUpdateModel="true"
  Action="invokeMethod" MethodName="SearchTerm"
  IsViewObjectMethod="false" DataControl="AIAAsset"
  ClassName="com.flashline.registry.openapi.query.SearchTerm"
  ReturnName="AIAAsset.methodResults.SearchTerm_AIAAsset_SearchTerm_result"/>
  <attributeValues IterBinding="SearchTermIterator" id="key">
  <AttrNames>
  <Item Value="key"/>
  </AttrNames>
  </attributeValues>
  <attributeValues IterBinding="SearchTermIterator" id="operator">
  <AttrNames>
  <Item Value="operator"/>
  </AttrNames>
  </attributeValues>
  <attributeValues IterBinding="SearchTermIterator" id="value">
  <AttrNames>
  <Item Value="value"/>
  </AttrNames>
  </attributeValues>
  <methodAction id="searchAsset3" RequiresUpdateModel="true"
  Action="invokeMethod" MethodName="searchAsset3"
  IsViewObjectMethod="false" DataControl="AIAAsset"
  InstanceName="AIAAsset.dataProvider"
  ReturnName="AIAAsset.methodResults.searchAsset3_AIAAsset_dataProvider_searchAsset3_result">
  *<NamedData NDName="s"*
  NDType="com.flashline.registry.openapi.query.SearchTerm"/>+
  </methodAction>
  </bindings>
  </pageDefinition>

• Error when trying to approve a mitigation control in CUP

  Hi,
  I have created a Mitigation Control in RAR and set-up the necessary workflow. The request ends up in CUP and the approver is able to see the request when he/she logs in, however the approver cannot approve or reject the request.
  The following error messages appear:
  - Approve: Error processing your request, Request no: 2 in stage : MITIGATION
  - Reject: Error rejecting request no: 2
  I have check the workflow many times now and I have also checked the mitigation URL's.
  Any idea what the problem can be?
  Thanks.

  Thank you for your response. No the approver is not part of the DL. I just added the approver to the workflow (CAD).
  Please find log details below:
  2010-03-18 16:09:32,729 [SAPEngine_Application_Thread[impl:3]_8] ERROR Service call exception; nested exception is:
       com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
  java.rmi.RemoteException: Service call exception; nested exception is:
       com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
       at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:87)
       at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:96)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
       at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5335)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5174)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4967)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:928)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by:
  com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:998)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1449)
       at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:80)
       ... 33 more

• Is it possible to create data control from wsdl when complextype is used

  Getting DCA-40015 error when trying to create a data control from WSDL file.
  The error clearly says complextype is not supported . just trying to see if there are any workarounds . because creating data control will save time in developing user interface by dragging and dropping the the data control in jsf page. jdeveloper webservice tester is able to create user interface for me based on wsdl when i run it , trying to develop the user interface using jsf pages
  oracle.adf.model.adapter.AdapterException: DCA-40015: Failed to create the structure for schema element "result". The complex type definition of the element is not supported.

  Hi,
  I could reproduce what I did:
  - created WebService from custom Pojo Model
  - Made sure all entities implemented serializable
  - In the WebServices Wizard, I created XML representations for my entities
  - tested with OC4J WebServices tester
  - Built ADF data control from WSDL file of deployed WebService
  - Created dependency t project containing the POJO entities
  - Selected result.xml of each method exposed in the WebService project
  - In the structure window, selected "item" (result-->item)
  - changed Bean class to my entity class name (absolute name)
  This showed my entity in the DC palette
  Frank

• Create dynamic controls from JSON Response

  I have a requirement to create a group of checkbox with lebels in a page from JSON response.
  The JSON response is
      "data": [
              "CodeStatus": "Red"
              "CodeStatus": "Orange"
              "CodeStatus": "Green"
              "CodeStatus": "Yellow"
  the  design is:
  the box is vertically scrollable, as it can have more color codes.
  Can anyone suggest how to design the above?
  If one can provide the implemantation code, that would be very good as I have very time to implement it.

  Have a look at templates and for more complex scenarios factory functions, which give you the ability to dynamically create controls from model data.
  SAPUI5 SDK - Demo Kit
  Regards,
  Jason

• Create subVI Control from Reference Name Bug

  If you connect N references to a sequence structure and create a subVI from this structure, the first N-1 controls will have the name of the original control (desired), but the last one will not. It will have the name of the generic type of the control this reference is pointing to. Of course, if N = 1, that means that the created control will have the generic name.
  Illustration:
  In the diagram above, subVI 1 has been created from a sequence to which a reference to "Numeric Control" was connected. Here is the FP of that subVI, as created by LV:
  subVI 2 was created from a sequence to which both references were connected. Here is the FP of that subVI:
  This does not seem to depend on the type of the control. If I add a graph:
  the created subVI looks like this:

  Kind of an extension of this bug, but not exactly the same. Might be due to the same cause though
  If you create a subVI incorporating Property Nodes (not recommended in general for performance reasons, but not a killer either), the subVI will obviously have references to the corresponding controls as controls and references to the controls will appear in the calling VI:
  Before:
  After:
  (it never ceases to amaze me how bad the cleanup/auto-routing algorithm developed by NI is :-)
  Here is the corresponding FP of the created subVI:
  This time, never mind the names of the original controls, they will be ignored, no matter how many different controls there is.
  (I am not even mentioning the well-known feature that if instead of enclosing the property nodes you just enclose the wires coming from the "Value" node, the subVI's controls will read "Value, Value2", etc, where the type of the "Value" controls will in general have absolutely nothing in common).

• Trigger mitigation workflow within CUP

  Hi,
  I have configured the necessary workflow types, Mitigation controls and Mitigation objects. I am able to trigger workflow when I create a control in RAR. How do I go about triggering workflow within CUP?
  Currently, when I create a request, in one of the stages a risk analysis is mandatory. I am able to create or assign an existing mitigation control before the workflow process can continue. This works well. However, I would like a workflow to be triggered when somebody clicks on the 'create' mitigation control button as well as when somebody assigns an existing mitigation control.
  Any input would be highly appreciated.
  Thanks
  Mo

  Hello Muhammad,
    What you are saying is that you wish to trigger workflow from within CUP itself when you are assigning/creating mitigation control from within CUP, right? If i got that right then i would say that it is not possible. For mitigation control creation/assignment the trigger is only RAR application and be done through that only. Since for such workflows the request types would be type MITCTRL  and MITOBJ and not CUP..
  I nice feature though if it would have been there. In case i got anything wrong, then kindly elaborate so that i could get clarity.
  Regards, Varun

• Mitigation Control Migration From 53. to GRC10

  Hello,
  Can you please let me know where do I find a templete for downloading Mitigation Controls from 5.3 and how do I upload them in GRC 10?
  An early reply would be highly appreciated.
  Thank you.

  Hello,
  Can you share how you migrated the mitigation controls?
  While migration of the mitigation controls
  I get an error "Creation of object ID 00000000 is not allowed"
  I have different buisness processes for risks/functions and the mitigations...Is it something to do with that? or shoudl i create the business processes in GRC 10 before migration?
  I am pretty much stuck here...any help is really appreciated.
  Thanks,
  Raghav

• CUP-5.3-SP13-Mitigation Controls by rol/users

  Hi all!
  Since RAR consider mitigations contros both by rol and users, If I have the role ZROL1 mitigated for the ID risk P001* then, would be able CUP to consider this mitigation control even when CUP is managing users?
  I mean, if ZROL1 has a mitigation control, would appear at the request the ID risk whenever I add this role to a user?
  Many thanks in advance! any help would be welcomed.
  Margarita.

  Hi Margarita,
  If you want it will consider the role level mitigation controls. So in the request risk violation will not be shown.
  For this u need check the option, consider mitigation control in CUP. Configuration-> Risk anlsysis.
  Also in RAR following things needs to be done.
  RAR Configuration->Risk analysis-> Defaults values.
  Exclude mitigated Risk as yes.
  RAR Configuration-> Risk Analysis ->Additional options
  Include Role/Profile Mitigating Controls in User Analysis  as yes.
  If above values are defined as No. than Risk Voilation will be shown in the request.
  Kind Regards,
  Srinivasan

• GRC 5.3 mitigation control

  Dear Guys,
  Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
  How could we mitigate user and on what criteria....????
  Also some brief about control monitor.
  Thanks in Advance......

  Hi Arpit,
  Steps for remediation and mitigation strategy is as below,
  Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
  OR
  there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
  Function A: Create PO
  Function B: Release PO
  Above two functions are conflicting and create risk in standard process, so as a standard practice, in reference to compliance SAP recommends to have two people doing it separately, but customer might not be having 2 postions in org to separate this, so customer has to accept the risk and create mitigation control to document this and put the monitoring control so one person can perform this function.
  This way it is helful to follow the compliance and when audit happens customer can show that they have identified the risk and documented it and put alternate monitoring control, so the risk cannot be misused.
  Hope this helps you understand it.
  BR,
  Mangesh

• Blanket Mitigation Controls

  Hi Gurus,
  We are on 5.3 version of RAR,
  I am creating a blanket Mitigation control to Mitigate a risk id against one role. when I run the Risk Analysis report the I found that , the risk id is mitigated for all the roles. For e.g.
  The user has roles three roles A,B andC. The SOD Risk Id " R" is coming from all the three roles. I create Control M to Mitigate Risk id " R" only against Role A.
  When I run the Risk analysis report the risk is mitigated for all the three roles whereas I am expecting it should be mitigated only for Role A and For Role B and C it should still show as unmitigated risk.
  Is there there anything else I need to do??
  Parveen

  Praveen,
     Don't put '' after the risk when you are creating mitigationg control. If you put '' after risk ID, it creates a blanket mitigating control. When you create mitigating control for particular risk, you will have to select the particular role and mitigate it.
  Regards,
  Alpesh

• Mitigating Controls in GRC10

  Hi,
  Is their a way we can maintain and update mitigating controls on GRC (GUI) back-end.UI can't be able to find those i created and migrated. Any ideas?
  Regards, Melvin

  Hi,
  REF CALL # : 968707 / 2011
  I created mitigating controls and imported the old mitigating controls from GRC 5.3.
  When I go to the mitigating controls on the UI no mitigating controls appear when opening the page. When I do a drop down (drill) on the TAB (SETUP) Work Centre &#61664; Link - Mitigating Control
  When drilling down on Mitigating Control IDu2019s
  The only two displayed is the ones I created on the UI. When I import the GRC5.3 mitigating controls I get the following
  message on the import tool within GRC10 back-end
  --Start Loading File - Scenario of 5.3 Mitigation - Migration
  sapvirdevexport53/BUNITdata.dat
  Mitigation Control EA:BS001 already exists
  Mitigation Control EA:BU001 already exists
  Mitigation Control SOLMAN99 already exists
  --File loaded successfully
  The migration document refers to the following steps and this was followed
  Why is the screen empty when going into the mitigating control link on the  UI - Another strange phenomenon is when I run the mitigating report from report and analytics the mitigating control comes up blank.
  When in the report and analytic work centre, and running the mitigation control report - -> I drill down on the Control ID and get the blank screen.
  This is why im asking can I look at mitigating controls not from ECC but GRC back-end system and maintain it from their
  Regards, Melvin

• Risks has been removed but Mitigating Control still stays with the users?

  Hi all,
      I have a situation where after a risk has been removed from the users by removing the violating roles, however the Mitigating Control still remains tagged to the same user. Is there any efficient way of removing Mitigating Controls from users where the risks no longer exists?

  Hi Joseph, thanks for the info. My problem comes in when the user request to have the violating role removed via CUP and it so happens that the Mitigating Control assigned for the old risk still has 6 more months of validity left. It seem like there is no mechanism to auto remove this MC when the role has been removed after the request in CUP have been approved and auto-provision.
  My problem is that there might be many more of such users with redundant MC assigned to them in RAR. I can't find a way to search for such redundant MCs for cleanup. There is a possibility that when the same roles are assigned back to the users via request in CUP, these redundant MC if applicable will cause the Risk Analysis via CUP to not flag out any SoD issue.