CUP 5.3: SOD violations detour to Super Access Owner
Hi GRC Experts
Is it possible for us to set up an SOD violations detour to a super access owner as an approver when a violation is identified?
Has anyone done this before?
Edited by: Donovan Mathews on Oct 6, 2009 2:47 PM
I'm fairly sure that you could configure the workflow to trigger an approval stage which is then approved by the SuperUser Owners.
However, you may need to be on patch level 08 to allow this approval mechanism to work correctly.
I've not had the chance to play with detours massively yet so cannot comment on that element but I'm sure others here have.
Simon
Similar Messages
-
SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"
Hi,
When configuring a stage, a standard approver determinator called "Super Access Owner" can be selected. My question is where to specify the Super Access Owner in SAP GRC CUP. In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
"If you select Superuser Access Owner as the approver determinator, the system
fetches the configured owner from the SAP system where the Superuser Privilege
Management is installed and assigns the request to that particular approver."
I do not really understand where to specify it. Is it the former FireFighter in the backend?
Did anybody use this Approver Determinator already?
Thank you in advance.
Marco

Hi Marco,
Yes, this approver is defined in the backend Firefighter, which is now Super User Privilege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for integration of Compliant User Provisioning and Super User Privilege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
Hope this helps.
Harleen -
CUP 5.3 SP16, detour path for SOD violations doesn't exclude critical risks
Hello,
Has anyone else had this issue:
If you set your configuration to not require mitigation of critical risks, but only SOD risks, the workflow detour path condition 'SOD violations' still triggers to go to the detour path even if the request only has critical risks. This is a bug in the workflow detour logic. First of all, CUP doesn't differentiate between SOD violations vs Critical Risks violations. If we only want the mitigation approver detour to happen for SOD risks, the detour seems to happen even if the request only has critical risks issue which doesn't require mitigation.
Since our Approver determinator for SOX approval is the RAR Mitigation Control approver, the workflow detours to the SOD violations path but doesn't find any mitigation approvers on critical risks and so goes to the administrator inbox as an approver-not-found escape route.
If SAP gives the option to not require mitigation of critical risks under config>mitigation>uncheck mark mitigation of critical risks not required, then the logic for detour also shouldn't happen for critical risks under the 'SOD violations' condition. It doesn't make any sense why SAP has both in the same condition when one is clearly not SOD risks. Now our workflows keep failing because of this, because we have several roles that might have a critical transaction or so, but we can't stop it from detouring even when we do not want them mitigated or approved for the SOX stage. But we still need this detour path for additional approval for the actual SOD risks.
Will greatly appreciate anyone's feedback on what they have done to resolve this.
Thanks,
A.

I was actually able to resolve the issue by adding the role approver stage first to the SOX approver detour path. This way, if the manager has roles with SOD violations and updates mitigations for it, it goes to the role approver via the detour path as well first and then to the SOX approver stage before auto provisioning. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour, which also has the role approver as the last stage.
Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
Requestor>Manager->Role Approver-->auto provisioning (without SOD violations)
Requestor>Manager> Detour (Role Approver>SOX Approver)->Auto Provisioning (with SOD violations) -
GRC CUP 5.3 SP16, detour path not working for SOD violations
Hi,
Something bizarre is going on in our request processing and I'm not sure if that's the way SAP has set it up.
We configured a detour path for requests with SOD violations to go to the additional stage of 'SOX Approver', but the first stage (manager) does the risk analysis and mitigation assignment and then it goes to the Role owner approver that approves the roles access. Once the role owner approves the roles, if the request had SOD violations, even if the mitigation was selected and approved by the manager stage, it needs to go to the SOX approver stage to approve the mitigation assignment before the request can be auto provisioned for any requests that had SOD violations.
But it seems to skip the SOX approver detour path stage after the role owner approval and go directly to auto provisioning. I thought that any requests that had SOD violations, in spite of having a mitigation assignment in a previous stage, can be detoured to the next path for SOX approval and then auto provisioned. Since SAP doesn't give a different approval option to approve mitigation vs. approve roles, wherever you make the risk analysis mandatory, that's where the mitigation controls have to be assigned. But we want the option to detour the path to the SOX approver to approve those mitigation controls before auto provisioning the request.
Any idea of how to fix this?
Is the detour only going to work if the mitigation wasn't assigned? But then how can you get approval for the mitigation on a different stage if the same person has to assign and approve that?
Will appreciate any feedback in this.
Thanks,
Alley

I was actually able to resolve the issue by adding the role approver stage first to the SOX approver detour path. This way, if the manager has roles with SOD violations and updates mitigations for it, it goes to the role approver via the detour path as well first and then to the SOX approver stage before auto provisioning. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour, which also has the role approver as the last stage.
Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
Requestor>Manager->Role Approver-->auto provisioning (without SOD violations)
Requestor>Manager> Detour (Role Approver>SOX Approver)->Auto Provisioning (with SOD violations) -
CUP - Mitigation Controls in a Detour Workflow
Hello everybody,
I have a problem with a detour workflow in CUP.
I choose the detour condition: "SoD violation".
So in theory, if there are no conflicts the workflow doesn't take the detour path.
We suppose that the user request has an SoD conflict.
In the stage(s) before the detour, if we assign a mitigation control that mitigates the risk, the detour is still taken.
I think the workflow switches systematically to the detour if the request had a conflict, even if the risks were deleted by a Mitigation Controls assignment.
Does anyone have a solution to avoid the detour path if we mitigate the risks?
Thank you in advance!!

Ben,
This is how CUP works. There is no configuration which allows you to ignore an SOD violation even if there is mitigation. You will have to live with this for now.
Regards,
Alpesh -
GRC 10.1 - Routing at Request Submission in case of SOD violations
I am trying to configure MSMP workflow for risk analysis while creating a user ID:
1. No Risks >> User created and access assigned automatically
2. Risks found >> forward to security team to review and approve
I have checked that the standard function module GRAC_MSMP_DETOUR_SODVIOL cannot be used in AC 10.0. It can only be used as a Routing Rule after first stage approval and at subsequent stages, as per Note 1783157 - Routing at Request Submission in case of SOD violations.
Can anyone advise the standard SAP delivered rule / function module we can use in GRC AC 10.1 to achieve the outcome at the time of request submission?

Hi Anil,
You have to enable risk analysis at submission by setting the parameter, and then you need to have a first stage as a dummy where the risk analysis result can be analysed, and have a detour at this dummy stage so that in case of risk the request is forwarded to the next stage.
Hope that helps..
Regards
Ashish -
SOD violation as per sizing guide
Hi All,
I have a query regarding sizing for GRC server. As per sizing guide, there are few inputs like total roles and total users in system landscape, which are to be connected to GRC and total violations during per peak hour etc.
I want to know what violation count means in this context -
Is it SOD violations occurring in the system before GRC implementation?
Or is it the SOD violation count when GRC is established and we assume that either most of the risks are mitigated and/or remediations are done?
Does this count SATs as well?
Thanks & Regards,
Sabita

Hi Experts,
Please excuse me for re-opening this message. Our client wants a clear understanding of sizing and I want confirmation before I can convince them.
Here are my queries:
1. When we do sizing for RAR, what activities are covered under "Daily Transactional Sizing per hour"? We do incremental Sync and Batch Risk Analysis, but they run at night when the system is less loaded. So what does "during peak hour" mean? What else is under transactional sizing: are webservice calls from ERM or CUP included in it, and does the Alert Monitor job also fall under it?
2. What does "violations" mean in the context of Risk Analysis? Does it mean actual violations in daily backend transactions or is it only violations based upon Role/User authorizations? What kind of violation does it include: permission level all line items (like ME21N ACTVT 01, 02, 03 are 4 violations) or is it only one for one risk?
3. Under which criteria or parameter should we do sizing for Adhoc risk analysis (run from the Informer tab)?
4. There is a parameter for "initial load" in RAR and CUP. We would like to know why there are two parameters for "initial load" and "daily transactional". They may overlap for sizing purposes because when we do initial it means the system is not ready to perform daily tasks. And when we say "Transactional" it means the initial load is done. So in this case, the SAPS used in the initial load is released for the daily transactional task.
Thanks in advance.
Regards,
Sabita -
Error in Role level SoD violations Dashboard
Hi All,
We are running on GRC V10 SP06.
When the role level SoD violations dashboard is opened there is no relation between the number of roles analyzed (X) in the system and the number of roles with violations (Y).
In our case Y is far greater than the actual X.
Even the percentages of roles with and without violations together don't constitute 100 % ...
Please help what may be a solution to fix it.
-Thanks
-
SAP Adapter has a problem, SOD violations will not be checked
Hi,
In our IDES server, whenever I click the save button in su01 I get the following error:
"SAP Adapter has a problem, SOD violations will not be checked !
Please check with your system Administrator
Technical Info:
Error when opening an RFC connection "
We didn't have this problem before. Can anybody help me to resolve the issue?
Also, I am getting this error only if I click save in su01. In other t-codes I don't get this error.
Thanks in Advance
Edited by: gajula jhansi on Apr 11, 2011 11:28 AM

You need to restart your SAP adapter in the GRC front end from the configurations tab --> SAP adapter > choose the one for your back end system > if it's grayed out or even green still, click on it and let it restart and turn green again.
Then you go back to your backend ECC system and in SM59, choose the RFC connection for the Risk Terminator (the one you have saved in the Risk Terminator transaction /VIRSA/ZRTCNFG in the backend system) and test the connection. It should pass the connection test if your adapter is working and set up correctly. Then when you do save in SU01 or make changes in PFCG and have Risk Terminator activated for the backend system, it will check the SOD violations against those transactions from the RAR front end.
If you don't want Risk Terminator to check for SOD violations in the front end RAR, then you need to set your settings to 'NO' for all in the Risk Terminator transaction. You can get all this info in the GRC config guide for the RAR and SPM area.
Regards,
Alley -
ERM: Exceeding SoD violations threshold
Hi all,
In ERM role definition, when exceeding the SoD violations threshold, it is not possible to continue the role definition since the next stage doesn't get active.
Has anyone of you faced this before? How do you tackle it?
Many thanks in advance. Kind regards,
Imanol

This was a known issue with SAP on older SPs...
Not sure if it was resolved or not.
However, why are you creating a role with so many violations...
As a workaround, create two separate roles (with min conflicting tcodes...)
so two roles can be assigned to a user in the end... and the role will be created in ERM also
regards,
Surpreet -
SOD Violations at R/3 Backend
Hi all,
We are using GRC 5.2 version, and the backend R/3 is ECC 6.0. When I am changing at user level, i.e. in su01, if I add any role it is showing that
Checking SOD Violations at Object Level with Time stamp at Status bar.
But when I am changing anything in PFCG it is not showing violations.
Really it shows SOD Violations at R/3 Backend.
Kindly clarify my query.

Hi,
When I executed /n/VIRSA/ZRTCNFG, I got the following options:
Stop generation if violations exist
Comments are required in case of violations
Send notification in case of violations
Default analysis level
I did not get anything like PFCG Plug in value
Could you please tell me actually what is the use of these?
Regards,
Faisal -
Firefighter - SoD Violations Report - not showing any data
We have ECC6 and GRC 5.3 with latest patch. Our RAR is working well also. We recently installed firefighter. All reports are working fine except following two reports,
1: SoD Violations Report
2: Critical Transactions
We want to use the RAR critical table and SoD data, therefore in our configuration table we have the following parameter set as:
Critical Transaction Table from Compliance Calibrator (VRAT) = YES
Could someone please point us in the right direction on how to get it fixed? Is there any SAP Note suggesting configuration setup etc.?
Thanks in Advance
Masood Akhter

There are a number of settings to be made in order to get this working. The note is helpful but effectively you need the following:
In ECC
TCP/IP RFC Dest created with a unique report name.
This RFC mentioned in the /VIRSA/ZRTCNFG transaction
In RAR
The Report name entered into the RAR connector.
The SAP gateway mentioned in the RAR Connector.
The RAR connector marked as outbound connection.
The SAP Adapter activated.
In SPM (ECC)
Set the "Connector ID for Risk Analysis" parameter to the name of the RAR Connector in the SPM configuration table.
You may also have to do a Java system Restart if you encounter error messages when activating the SAP adapter in RAR.
Simon -
Hi all,
We are trying to find details documentation for user SPM report "SoD Violation Report" but there is any in 5.3 configuration and user guide.
What is the purpose of such report? Which is the expected result? Are they the SoD conflicts within FF authorizations? OR SoD conflicts of transactions executed by FF?
Many thanks in advance. Best regards,
Imanol

Yes, Imanol. It will show the SoD conflicts of transactions executed by FF.
The Segregation of Duties (SoD) Conflicts Report captures the data from the selected system for
each designated firefighter ID. The data is grouped by firefighter and by violated risk. The report
lists the SoD Conflicts that arise for each login event.
The report displays the following information for each firefighter ID:
· Name of the firefighter using the firefighter ID.
· The Risk ID associated with the conflict.
· The name of the transaction.
· The date that the conflict occurred. -
Should the SPM SOD Violations Report populate if you don't have Risk Terminator enabled?
If so, I'm not sure I have the correct configurations in place. Whenever I click the report in SPM I get the following message: "No match nor conflict found". I have other reports that are functioning correctly, which makes me believe this is not a connector issue. Am I supposed to run some background job?
Please advise.
Thanks,
Kunal

Kunal,
Did you import the default rules and risks before connecting the system? And then did the sync job?
The sequence has to be followed as per the config guide.
Nesimi -
Security Sandbox violation bitmapData.draw() cant access null
Very strange. I am testing with two different HD streams: one an Akamai stream, and another from one of our clients that is not on Akamai and uses an F4M manifest file. I have tried allowing the domain and they have a crossdomain.xml file on their side, but I still get this error.
SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: http://web.mobilerider.com/flash/osmflive/OSMF_Live.swf?mediaID=190&vendorID=513&extras=vs :1,skin:osmf_live,muteOn:0,autoplay:1,live:1,showArchive:1,&serviceID=2&jsID=1316213568052 cannot access null. No policy files granted access.
Any help would be very appreciated, thanks

Hello!
This seems to be relevant:
http://forums.adobe.com/message/3759490#3759490