CUA and Risk Analysis

We have installed GRC 5.3 AC and are using it with CUA. Connector names are the same as the names in CUA.
While doing Risk Analysis for a user in the Master system, it shows violations. For the same user, when I do risk analysis in the child system (which has the same roles), it does not show any violations.
Are we missing anything?
Thanks,

Thanks,
I checked those notes, but they talk about analysis from CUP, whereas I'm currently looking into Risk Analysis from RAR only.
I checked with another user ID with different roles, but it shows violations in both the Master and Child systems, whereas the earlier user ID still shows violations in the Master system only, even though the roles are the same in both systems.
So, I suspect some of the rules are not generated (I ran rule generation again).
Is there any way to check/generate rules for particular system?

Similar Messages

  • AC 5.3 RAR - combined risk analysis reports for regular auth. and SPM auth.

    Dear All,
    We have users that have regular day-to-day authorization and also FF authorization.
    Does the Batch Risk Analysis take into account both authorizations when doing the risk analysis for those users? Will we see it in the reports?
    Thanks
    Yudit

    OK, so basically the answer is no: in the RAR components we do not have risk analysis for the combinations of the roles assigned to the user and to his FF ID.
    In that case, at what stage does the system check for those combined risks?
    Is it checked when we manage the risk analysis phase in the CUP request that is asking to assign the FF ID to the user?
    Thanks
    Yudit

  • Different Risk Analysis Results with 10.0 and 10.1

    Hello,
    I do not understand why I get different results with 10.0 and 10.1. Exactly the same ruleset is applied!
    Definition in 10.0 and 10.1:
    Analyzed Role (which definitely contains the SOD):
    Version GRC 10.0 finds the SOD S_FI14 and displays it. In 10.1 nothing is displayed... Any ideas what the problem is?
    Regards
    Peter

    We had similar issues with 10 and 10.1.
    We applied an SAP Note about logical groups and the ruleset, it did not work.
    What did work:
    When performing Risk Analysis, remove the Ruleset selection criteria (use the minus button).

  • ARQ: Are "Valid From" and "Valid To" dates considered for risk analysis?

    Hi All,
    I have one question w.r.t. risk analysis of user while raising a request in ARQ.
    I have noticed that, when a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being the same), ARQ shows risk violations properly.
    This is quite logical, because user is assigned conflicting roles within the same dates.
    In another scenario, if a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being different)
    Example:
    Time Administration : Valid From=15.06.2014 and Valid To= 31.12.2014
    Payroll Administrator: Valid From=20.06.2014 and Valid To= 31.12.2014
    ARA still shows as violations (in ARQ)! Though the "Valid From" dates are different.
    Logically, the user is not assigned these roles at the same time to cause a risk violation. However, the system is showing violations.
    May I know if validity dates are considered while performing risk analysis in ARQ? If no, then what could be the justification?
    Please advise.
    Regards,
    Faisal

    Rafal,
    Thanks for your reply.
    Does it mean that all future dates will be considered while analysis?
    OR
    Does ARA consider these dates?
    Regards,
    Faisal

  • Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

    Hello Forum,
    I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC)
    I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3
    I found a process that will unload the data from CC 4.0 and be imported into RAR 5.2
    I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet
    Currently, I have the following definitions:
    Business Process 6 entries
    Functions 47 entries
    Risks 147 entries
    Mitigating Controls 40 entries
    Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software
    I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls
    Thanks for your responses in advance
    Jerry
    Ryerson, Inc
    630-758-2021

    Thanks for the reply
    I have the migration guide and have reviewed it; I have actually played around a bit with obtaining the file from CC 4.0; I found that the data records may need some adjustments to be compatible with RAR 5.2; one of the reasons that may be leading me to do everything from scratch
    The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area
    I'm not sure if they were mixed with the defaults
    I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rules set but I expect to find out
    Thanks again for your reply
    Jerry

  • Need to exclude certain risks in Risk Analysis and Remediation (5.2)

    Hello Experts,
    My requirement is I need to exclude certain unwanted risks whenever I execute the simulation for a user or an SAP role. We had this provision in the ABAP version of compliance calibrator 4.0. But we are not able to do the same in the upgraded 5.2 risk analysis and remediation.
    Can anyone please provide a solution to this problem or some workaround. Thanks in advance.
    Best Regds,
    Suyog Chakot...

    Hi,
    there are several options:
    - you can disable single risks in rule architect.
    - you can create a second rule set that only checks the roles you want to check on
    - you can mitigate certain roles or users to exclude them from analysis
    The options are all there - depends on what exactly you want to do.
    Frank.

  • Cannot find CCRTAWS at Access Control Risk Analysis and Remediation?

    I am looking for the Web service CCRTAWS  in Access Control Risk Analysis and Remediation.
    But I cannot find it.
    Could you help? Thanks a lot!

    Ashley,
       Go to main page of WAS (Web application server) where AC 5.3 is installed. It would be
    http://(servername):(port)/index.html [Replace servername and port with the actual servername and port number]
    Click on Web service navigator (First link on right side). This link will show you all the web services installed. Search for CCRTAWS. I can see it in my AC installation.
    Regards,
    Alpesh

  • AC10 - Auto risk analysis and auto mitigation

    Hi,
    I was wondering if it is possible to
    - run an automatic risk analysis at the end of an approval stage of the workflow, the same way it is possible to configure at the time of request sending?
    - automatically put a mitigating control in the request for the risks found?
      In our case, there is only one mitigating control for each risk and the assignment of the control is an unnecessary manual task to perform. The mitigation assignment will be approved in a separate WF by the mitigation owner.
    It seems there is no out of the box solution to this, so any alternative suggestions are welcome.
    Thanks,
    Daniela

    Hi Daniela,
    If I may give my opinion, I would probably break your question down into 2 parts.
    1) Auto Risk analysis at the end of a stage - Making "Risk Analysis Mandatory" at that stage is probably the method. Unfortunately this does mean clicking one or two buttons (so not fully automated). Think AC uses this method to ensure the reviewer is aware of the conflicts caused etc.
    2) Auto Mitigation - For a business access workflow in a 'Live' situation, this is probably not a good idea,  as analysing and making the decision on whether to proceed with the request should really be performed by an actual person responsible for that stage in the work flow e.g. Role Owner or Security Lead etc. You would not want to mitigate all risks automatically (if I have understood correctly that you have a mitigation per risk ID). In theory, an automated mitigation process would mitigate all risks without discrimination.
    On a side note, there is a configuration setting under SPRO for Access controls as follows
    "Risk Analysis- Access Request : Param ID 1072 - Mitigation of critical risk required before approving the request". By enabling this configuration, you could force a mitigating control to be applied to any user requesting Critical Access.
    Hope this helps.

  • In Primavera Risk Analysis, are the MIN, ML, MAX columns for input of the minimum impact, most likely impact, maximum impact duration of a risk, or the remaining duration for MIN, ML and adding remaining duration with maximum impact for MAX?

    In Primavera Risk Analysis, are the MIN, ML, MAX columns for input of the minimum impact, most likely impact, maximum impact duration of a risk, or the remaining duration for MIN, ML and adding remaining duration with maximum impact for MAX?

    You are welcome. I'm glad you got it back up.
    (1) You say you did the symbolic link. I will assume this is set correctly; it's very important that it is.
    (2) I don't know what you mean by "Been feeding the [email protected] for several weeks now, 700 emails each day at least." After the initial training period, SpamAssassin doesn't learn from mail it has already processed correctly. At this point, you only need to teach SpamAssassin when it is wrong. [email protected] should only be getting spam that is being passed as clean. Likewise, [email protected] should only be getting legitimate mail that is being flagged as junk. You are redirecting mail to both [email protected] and [email protected] ... right? SpamAssassin needs both.
    (3) Next, as I said before, you need to implement those "Frontline spam defense for Mac OS X Server." Once you have that done and issue "postfix reload" you can look at your SMTP log in Server Admin and watch as Postfix blocks one piece of junk mail after another. It's kind of cool.
    (4) Add some SARE rules:
    Visit http://www.rulesemporium.com/rules.htm and download the following rules:
    70sareadult.cf
    70saregenlsubj0.cf
    70sareheader0.cf
    70sarehtml0.cf
    70sareobfu0.cf
    70sareoem.cf
    70sarespoof.cf
    70sarestocks.cf
    70sareunsub.cf
    72sare_redirectpost
    Visit http://www.rulesemporium.com/other-rules.htm and download the following rules:
    backhair.cf
    bogus-virus-warnings.cf
    chickenpox.cf
    weeds.cf
    Copy these rules to /etc/mail/spamassassin/
    Then stop and restart mail services.
    There are other things you can do, and you'll find differing opinions about such things. In general, I think implementing the "Frontline spam defense for Mac OS X Server" and adding the SARE rules will help a lot. Good luck!

  • SAP GRC AC: Organizational rules at Batch risks analysis and Dashboards

    Dear All.
    I would like to know whether GRC AC is able to consider the organizational rules defined (for example: risk only affecting a Company, BUKRS 0001) in the Batch risk analysis and in the Dashboard. I already know that for the ad-hoc reporting you can filter by the Org. rules created, but I would like to know if this filter is also available for the Batch risk analysis.
    Thanks and regards.

    Dear all.
    As per my knowledge, this parameter only sets the Consider Org. Rules flag in the filters. This is what the guide indicates:
    "Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens."
    So how are you so sure that setting this flag to YES will take the org rules into consideration in the Dashboards?
    Regards

  • Risk Analysis result different in DEV and PROD

    Hi Gurus,
    I have modified a few functions in development and transported the changes, but after the transport there is a new SOD produced at the user level, while with the same access in Development there is no violation. When I checked the function permissions, there are two duplicate entries in the production ruleset compared to Development. Do I need to remove the duplicate entries in production and then run risk analysis? Is this going to fix the SOD?
    My assumption is GRC 10 doesn't have ability to transport changes for deletion in functions.
    Regards,
    Salman

    Dear Salman,
    It looks like the rules have been appended, so they show twice.
    I suggest downloading the correct rules from DEV and uploading them in PROD again. You can use program GRAC_UPLOAD_RULES to upload in PROD. Please make sure you set the option to overwrite, and not append.
    With GRAC_RULE_DELETE you can also delete the rules before you upload (not necessary, but possible).
    Hope this helps.
    Regards,
    Alessandro
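
As an added illustration of the duplicate-entry check discussed in this thread (not code from the forum posters or from SAP): two exported rule files can be compared before re-uploading to list rows that appear twice in PROD and rows that differ between the systems. The tab-separated column layout (function, action, object, field, value) and the sample rows are assumptions constructed for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (tab-separated). The column layout
# function / action / object / field / value is an assumption for this
# example, not the documented download format.
DEV_EXPORT = """\
FI01\tFB60\tF_BKPF_BUK\tACTVT\t01
FI01\tFB60\tF_BKPF_BUK\tBUKRS\t*
PR02\tME21N\tM_BEST_BSA\tACTVT\t01
"""

# PROD after an "append" upload: two FI01 rows repeated (one with stray
# whitespace and lower case), plus one row that DEV does not have.
PROD_EXPORT = """\
FI01\tFB60\tF_BKPF_BUK\tACTVT\t01
FI01\tFB60\tF_BKPF_BUK\tBUKRS\t*
FI01\tFB60\tF_BKPF_BUK\tACTVT\t01
fi01 \tFB60\tF_BKPF_BUK\tBUKRS\t*
PR02\tME21N\tM_BEST_BSA\tACTVT\t01
PR02\tME22N\tM_BEST_BSA\tACTVT\t02
"""


def load_rows(text):
    """Parse an export into a Counter of normalized row tuples."""
    rows = Counter()
    for rec in csv.reader(io.StringIO(text), delimiter="\t"):
        if not rec or all(not c.strip() for c in rec):
            continue  # skip blank lines
        # Normalize so whitespace or case differences do not hide duplicates.
        rows[tuple(c.strip().upper() for c in rec)] += 1
    return rows


def compare_rulesets(dev_text, prod_text):
    """Report duplicated PROD rows and rows present on one side only."""
    dev, prod = load_rows(dev_text), load_rows(prod_text)
    return {
        "duplicated_in_prod": sorted(r for r, n in prod.items() if n > 1),
        "only_in_prod": sorted(set(prod) - set(dev)),
        "only_in_dev": sorted(set(dev) - set(prod)),
    }


if __name__ == "__main__":
    for kind, rows in compare_rulesets(DEV_EXPORT, PROD_EXPORT).items():
        print(kind)
        for row in rows:
            print("   ", "\t".join(row))
```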

  • After the risk analysis I am trying to mitigate the users with risk ID and I am getting an authorization error.

    Dear All,
    I am trying to mitigate some users and after running risk analysis when I am trying to mitigate them I am getting an error saying I am not authorized to do so.
    I have the required roles to do my activity-

    Dear Prasant,
    I am getting above error.
    I have required roles
    GRC_CONTROL_APPROVER
    GRC_RISK_OWNER
    Regards,
    Abhishek

  • Stopping Background job in Risk Analysis and Remediation

    Hi,
    We have scheduled a background job for Batch Risk Analysis in CC 5.3. Later we terminated that job for some reasons. But that terminated job's status has been showing as Stopping for the past 3 days. How can we cancel that job?
    We have restarted the J2E server but the job is still running. Please suggest how we can stop that job immediately.
    Regards,
    KKRao.
    Edited by: KKRao_2020 on May 12, 2009 9:14 AM

    Hi,
    If you have access to the Oracle backend, then I can tell you a workaround for this issue:
    when the job is in stopping status, you can delete an entry from the VIRSA_CC_JOBHST table.
    The command is
    SQL> delete from  VIRSA_CC_JOBHST where jobid=your jobid and status=3;
    After running this command the job in the RAR will show aborted status then the delete button will be enabled and if you want then you can delete that job from RAR screen.
    Regards,
    Sudip.

  • Role and User level Risk Analysis is not displaying any output or report.

    Hello,
    I have a problem when I run risk analysis, both in foreground and background. The issue is that no report is displayed and I have followed all the instructions carefully.
    I have done the following:
    Maintained Access Risk table to contain functions and assigned it to a rule set.
    The functions contains actions and permissions that are explicitly assigned to my ERP connector in the system field in both action and permission tabs.
    I have run the sync job to update the roles in the GRC server from the ERP backend. I am surprised that no report is displayed, as I have a test role that I am sure has a conflict as per my function definition.
    Please advise me if there is something I am missing.
    Thank you.

    Hello John,
    Good Morning !!
    Sorry for the late reply, but to my surprise, I do not see any tab containing "Actions & Permission".
    These are the tabs that I have in NWBC:
    My Home
    Master Data
    Access Management
    Rule Setup
    Reports & Analytics
    Assessments
    Setup
    I am currently on SAPK-V1005INGRCFNDA support package for GRCFND_A.
    Is there something wrong that's happening, or am I looking at the wrong place?
    Under Setup, I have an option "Access Rule Maintenance" which has
    Rule Sets
    Functions
    Access Risks
    When I click Access rule sets, I see Risk IDs, e.g. B001, B002 etc., and when I click "generate rule" in foreground/background,
    it does not generate any rules. When I click
    View Action Rules
    View Permission Rules
    It shows "Table does not contain any data".
    Please guide.
    Thanks
    Regards,
    Victor

  • The risk analysis results are different when choose report type as "summary" and "management" summary

    Hello experts,
    I found an expired user with SOD conflicts in the "management summary" report format, but it doesn't exist in the "Summary" report. You can find the screenshot in the attached file. The user name is "YINPENG2_BK".
    What happened? Are the results of the different report formats from different data sources?
    Sincerely yours,
    Lynn

    Hi Lynn,
    that's not an issue from the system. It's more a handling issue, as the results are split into several result sets. In management summary view you have only one result set as it's grouped by user and risk, whereas you have more than one in summary view (as you have multiple entries for each user and risk).
    Change to the second, third, etc. result set and you will see the user in the list:
    Regards,
    Alessandro
