CUP-5.3-SP13-Mitigation Controls by role/users

Hi all!
Since RAR considers mitigation controls both by role and by user: if I have the role ZROL1 mitigated for the risk ID P001*, would CUP be able to consider this mitigation control even when CUP is managing users?
I mean, if ZROL1 has a mitigation control, would the risk ID appear in the request whenever I add this role to a user?
Many thanks in advance! Any help would be welcome.
Margarita.

Hi Margarita,
If you want, it will consider the role-level mitigation controls, so the risk violation will not be shown in the request.
For this you need to check the option to consider mitigation controls in CUP: Configuration -> Risk Analysis.
Also, the following things need to be done in RAR:
RAR Configuration -> Risk Analysis -> Default Values
Exclude mitigated Risk as yes.
RAR Configuration -> Risk Analysis -> Additional Options
Include Role/Profile Mitigating Controls in User Analysis as yes.
If the above values are defined as No, then the risk violation will be shown in the request.
Kind Regards,
Srinivasan

Similar Messages

  • Mitigation controls assignation to users in RAR

    Hi,
    While assigning a mitigation control to users (RAR > Mitigation > Mitigated Users --> Add), it is only possible to assign 1 user at a time... Would it be possible to assign more than 1 user through multiple selection?
    Thanks
    Abhijeet

    Abhijeet,
    From that path, you cannot assign multiple users at once; however, if authorised, you can upload mitigation controls, and within the upload files you can upload the users assigned to them.
    Simon

  • Maintain Validity Date for Mitigation Control Assignment to Users Virsa 5.2

    We have over 1,000 SoDs, all mitigated. The validity date for these mitigation controls needs to be updated. Does anyone know a way to perform a range of updates so it is not necessary to update each user assigned to a Mitigation Control?

    The only way to do that currently would be to download the table information, edit in Excel and re-upload the table.
    Not for the faint of heart, but doable.
    Frank.

  • Error while uploading mitigation controls

    Dear All,
    While uploading the mitigation controls I am facing the error below. Can you please help me resolve this error?
    Error in table dataVIRSA_CC_MITUSER
    SQL:=>Insert into  VIRSA_CC_MITMON(MITREFNO,MONITORID) Values(?,?)
    Record::Line Number :21 : D VIRSA_CC_MITMON TESTC1 TEST1
    Below is the text file which I am uploading into RAR for test purposes:
    M     VIRSA_CC_ADMIN     USERID     NAME     EMAILID     ROLEID               
    D     VIRSA_CC_ADMIN     TEST1     TEST1     test     M          
    M     VIRSA_CC_BUSUNIT     BUSID                              
    D     VIRSA_CC_BUSUNIT     TH                              
    M     VIRSA_CC_BUSUNITT     BUSID     LANG     DESCN                    
    D     VIRSA_CC_BUSUNITT     TH     EN     Thailand                    
    M     VIRSA_CC_BUAPPVR     BUSID     APPROVERID                    
    D     VIRSA_CC_BUAPPVR     TH     TEST1                         
    M     VIRSA_CC_BUMONITOR     BUSID     MONITORID                         
    D     VIRSA_CC_BUMONITOR     TH     TEST1                         
    M     VIRSA_CC_MITREF     MITREFNO     BUSID     APPROVERID               
    D     VIRSA_CC_MITREF     TESTC1     TH     TEST1                    
    M     VIRSA_CC_MITREFT     MITREFNO     LANG     DESCN                    
    D     VIRSA_CC_MITREFT     TESTC1     EN     Test mitigation control               
    M     VIRSA_CC_MITRISK     MITREFNO     RISKID                         
    D     VIRSA_CC_MITRISK     TESTC1     F006*                         
    M     VIRSA_CC_MITMON     MITREFNO     MONITORID                         
    D     VIRSA_CC_MITMON     TESTC1     TEST1                         
    M     VIRSA_CC_MITRPT     MITREFNO     ACTIONS     VSYSKEY     MONITORID     FREQUENCY          
    M     VIRSA_CC_MITUSER     MITREFNO     RISKID     USERID     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITROLE     MITREFNO     RISKID     ROLEID     VALIDFROM     VALIDTO     MONITORID     STATUS
    D     VIRSA_CC_MITROLE     TESTC1     F006*     Z1.*.ASST-SC-FINC-MGR     6/9/2010     7/25/2010     TEST1     0     
    M     VIRSA_CC_MITHROBJ     MITREFNO     RISKID     HROBJ     HROBJTYP     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITPROF     MITREFNO     RISKID     PROFILE     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITUSRORG     MITREFNO     RISKID     USERID     ORGRULEID     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_DETDESC     OBJECT_TYPE     OBJECT_ID     LANG     DETAIL_DESCN     
    D     VIRSA_CC_DETDESC     MIT     TESTC1     EN     Test Mitigation control                    
    We are not mitigating users now. Only roles are getting mitigated, and hence we have not provided any values for the MIT USER table.
    Thanks and Best Regards,
    Srihari.K

    Dear Varun,
    Thanks for your reply. It helped me a lot. However, I am facing the following issue while uploading the mitigation controls.
    After exporting the mitigation file from RAR, we opened the text file in a spreadsheet format, added a few lines to the file, and saved it in the same text format or in UTF-8 format.
    After uploading the same file into RAR again after the changes, we are facing errors similar to those mentioned in the above query.
    But when we add lines directly in WordPad and upload the file, it is successful.
    We have to add so many mitigation controls and roles to be assigned that Excel would be the easy way to dump them.
    Is there anything we are doing wrong here in editing and converting the files?
    Thanks and Best Regards,
    Srihari.K

  • Validity period mitigating control

    Hi,
    I checked this forum but didn't find any helpful thread for my question. We are using GRC version 5.3. Is there any SAP report or tables available that would show history of mitigating controls per user? In running the Compliance Calibrator for a user, SOD issues were present that we didn't expect because we thought existing mitigating controls were applied and that we were  regularly monitoring this user for the associated risks. We thought that the problem might be that the validity period might have expired, but our corporate security group currently doesn't even show the mitigating control for the user. I wanted to look at the history of the mitigating control for the user to see if I could validate their claim.
    Thanks,
    John

    Hi,
    First of all, there's a special forum for GRC: "Governance, Risk and Compliance".
    Check under RAR-> configuration tab:
    Default expiration time for mitigating controls (in days) 
    When assigning a mitigating control to a risk, you must specify the validity period of the control. If the End Date is left blank, the value in this option is used to calculate the end date of the validity period; the default value is 365 (days).
    Check also under CUP -> Configuration -> Mitigation.
    You'll be able to find the documentation for these configuration parameters in the corresponding Config Guide.
    Regarding Mitigation controls per user, I guess you can just check RAR -> Mitigation tab.
    Cheers,
    Diego.

  • GRC AC RAR: Comprehension question Mitigating Controls

    Hello all,
    I have a small comprehension question regarding Mitigating Controls.
    Situation:
    We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
    What has been done:
    1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
    2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
    3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
    4. Within the Mitigation Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
    What I want to achieve:
    - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
    - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
    Can I achieve that by using tab "Reports" within the Mitigating Control ?
    If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
    Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
    Regards,
    Benjamin

    Hi Jwalant,
    Sorry for my late reply, but I have waited for a few weeks to make sure whether the way you described works or not.
    - The background job gets executed once a week and finishes without any error.
    - The only thing that doesn't work is that the userID that I maintained in column "monitor", and for which I defined a mitigation control which has to be executed every 2 weeks (using column "report"), does NOT get a mail from the system that reminds him/her to execute the mitigating control.
    Log of background job execution:
    INFO: -
    Scheduling Job =>16----
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
    INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Running
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Alert Generation Started @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Conflict Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Critical Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
         at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
         at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
    here it keeps ranting on for pages about Null Pointer Exceptions
    I'll just leave that part out
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  -
    No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
    INFO: Start AlertStats.............
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@=== Alert Generation Completed Successfully!===@@@
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Complete
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    0@@Msg is Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=0, message=Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>16----
    - Another thing I noticed is that the job always adds some entries to table "ALTCDLOG", which I guess means something like "Alert T-Code Log".
    It always adds entries like:
    581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
    582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
    Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
    Or is this an indicator that the authorization roles I mitigated have been used again ?
    Regards,
    Benjamin

  • Significance of Monitor in Mitigation control

    Can anybody help me understand what Monitor does in Mitigation control and what the statement below means:
    "When creating a mitigation control, need to define the Action, Monitor ID, and
    Frequency. If the monitor does not execute the action within the set frequency, then an alert
    is generated"
    Thanks,
    Abhimanu

    Hello Abhimanyu,
    1. Can any body help me understand what does Monitor does in Mitigation control:
    The role of Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra excess or conflicting access has not misused it. Every Mitigation control, for this purpose, has a Monitor attached to it who does this job.
    2. what does the statement mean below:
    "When creating a mitigation control, need to define the Action, Monitor ID, and
    Frequency. If the monitor does not execute the action within the set frequency, then an alert
    is generated"
    I guess this is also covered in the explanation for point 1 and the post above from Margaret. In case not, please let us know.
    Regards,
    Hersh.
    http://www.linkedin.com/in/hersh13
    Edited by: HERSH GUPTA on May 7, 2009 10:43 AM

  • CC: Entering Mitigation Controls

    Hi ,
    I am entering mitigation controls in CC and am noticing 2 issues
    1) I cannot blanket mitigate a selection of users. Blanket mitigation only seems to apply if I want to mitigate all users. Is there any way to add 10 select users to a mitigation control by selecting the 10 users, rather than having to specify risk, validity dates etc. for all 10?
    2) I have noticed in SAP documentation that * should be entered after the risk ID, e.g. P005*. Why should this be entered? This does not default when setting up the mitigation control, and if I forget to do it, I have to delete the mitigation entry for the user and recreate it. Can anybody advise why * must be entered and if there is a way to default *?
    Thanks,
    Gary

    Gary,
    1)  No there is no way to select 10 individual users without creating a line item for each one.  Unless they all get the access from the same Role.  If that was the case you could just create the mitigating control for that role and anyone that would have the conflict via that Role would not appear in your risk reports.
    2)  The reason you have to enter * in the mitigating controls is so that all risk ID's are mitigated by your rule.  For example short risk ID P033 is made up of multiple long risk ID's based on each transactional combination i.e. P03300101 for ME21,ME51, P03300201 for ME21N,ME51, P03300301 for ME22,ME51, P03300401 for ME22N,ME51.
    So to cover all possible transaction combinations with a mitigating control you need to enter it for P033*.  This would also allow you to enter a mitigating control for only long risk ID P03300101 if your mitigating control only covered users with access to ME21 and ME51.
    Hope that helps.
    Matt.

  • Mitigation runs against role but not user with same role assignment

    Hello, I'm currently running Compliance Calibrator 4.0. I've created a Mitigation Control and assigned a number of Risks to the Mitigation Control.
    I've then assigned the Risks in that Mitigation Control to a specific role.
    When I run the SoD check, the role no longer shows any issues. This is good and expected.
    However, when I run the SoD against a user that has that role assigned the user is reported with issues when no SoD issues should be shown.
    Am I missing something? I don't believe I need to assign Mitigation Control to the user, because one day the risk might be valid to that user, but just not for the role I'm trying to mitigate against. Many thanks.

    Hi Dylan, the system is reacting correctly.
    When you mitigate a role, you mitigate the risk associated with the role and under 'Role Analysis' you will see that this role has been mitigated.
    However, when you run a User analysis, the system will still identify him if there is a 'RISK' associated with the user, and this is regardless of whether the associated Role is mitigated or not, because what you want to know is the risk of the user and not what roles this user has.
    You will need to specifically mitigate the User in order for the mitigation control to show against the User in the report.
    The same applies vice versa: when you mitigate a User, it also does not mean that all the associated Roles that the user has are mitigated. The risk associated with the roles will still appear when you do 'Role Analysis'.
    Cheers!
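The role-versus-user behaviour described in this reply, together with the `P033*` wildcard matching from the "CC: Entering Mitigation Controls" thread and the RAR 5.3 option "Include Role/Profile Mitigating Controls in User Analysis" from the first thread, can be modelled as below. This is an added example, not code from the original posts or from SAP; it is a simplified model, and the user `JDOE`, the role `Z_PURCH_CLERK`, the control IDs and the rule that every contributing role must be mitigated are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Mitigation:
    """One mitigation assignment, shaped like a MITUSER/MITROLE upload row."""
    control_id: str    # MITREFNO
    risk_pattern: str  # RISKID as typed, e.g. "P033*" or "P03300101"
    object_type: str   # "USER" or "ROLE"
    object_id: str     # USERID or ROLEID
    valid_from: date   # VALIDFROM
    valid_to: date     # VALIDTO

    def covers(self, long_risk_id: str, on: date) -> bool:
        """True if this entry mitigates the long risk ID on the given day."""
        if not (self.valid_from <= on <= self.valid_to):
            return False  # outside the validity period: risk is reported again
        if self.risk_pattern.endswith("*"):
            return long_risk_id.startswith(self.risk_pattern[:-1])
        # Without the trailing *, only an exact long risk ID matches.
        return long_risk_id == self.risk_pattern


@dataclass(frozen=True)
class Violation:
    """One SoD hit from a user-level analysis."""
    user_id: str
    long_risk_id: str
    source_roles: frozenset  # roles that bring in the conflicting actions


def _mitigated(mitigations, object_type, object_id, long_risk_id, on):
    return any(
        m.object_type == object_type
        and m.object_id == object_id
        and m.covers(long_risk_id, on)
        for m in mitigations
    )


def reported_risks(violations, mitigations, on, include_role_mitigations):
    """Return the long risk IDs a user analysis would still show.

    include_role_mitigations models the RAR 5.3 option; False models the
    behaviour described for Compliance Calibrator 4.0 in the reply above.
    Assumption: a role-level mitigation only hides a user-level risk when
    every role contributing to that risk is itself mitigated for it.
    """
    reported = []
    for v in violations:
        user_hit = _mitigated(mitigations, "USER", v.user_id, v.long_risk_id, on)
        role_hit = (
            include_role_mitigations
            and bool(v.source_roles)
            and all(
                _mitigated(mitigations, "ROLE", role, v.long_risk_id, on)
                for role in v.source_roles
            )
        )
        if not (user_hit or role_hit):
            reported.append(v.long_risk_id)
    return reported


# Constructed sample data; the long risk IDs are the ones quoted in the thread.
ROLE = "Z_PURCH_CLERK"
USER = "JDOE"
YEAR_2010 = (date(2010, 1, 1), date(2010, 12, 31))

SAMPLE_VIOLATIONS = [
    Violation(USER, "P03300101", frozenset({ROLE})),
    Violation(USER, "P03300201", frozenset({ROLE})),
]
SAMPLE_MITIGATIONS = [
    Mitigation("MC01", "P033*", "ROLE", ROLE, *YEAR_2010),      # whole risk, role level
    Mitigation("MC02", "P03300101", "USER", USER, *YEAR_2010),  # one long ID, user level
    Mitigation("MC03", "P033", "USER", USER, *YEAR_2010),       # * forgotten: matches nothing
]

if __name__ == "__main__":
    day = date(2010, 6, 9)
    print("role mitigations honoured:", reported_risks(SAMPLE_VIOLATIONS, SAMPLE_MITIGATIONS, day, True))
    print("role mitigations ignored: ", reported_risks(SAMPLE_VIOLATIONS, SAMPLE_MITIGATIONS, day, False))
    print("after validity expired:   ", reported_risks(SAMPLE_VIOLATIONS, SAMPLE_MITIGATIONS, date(2011, 1, 15), True))
```
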

  • Mass application of mitigating control to users

    Hello
    Is there a way to apply a mitigating control to a large number of users at the user level (not at the role level)?  We have an SOD for the ability to park and post GL entries for which we have a monitoring control.  There are a large number of users that have this access. 
    Is there a way to - in mass - apply a mitigating control at the user level?
    Thank you in advance,
    JD Schmidt

    Hi JD,
    that's the way the software logic works.
    Question is why you would mitigate such a mass of users and instead choose to mitigate that role?
    Or out of an auditor, why would such a mass of users need authorizations which cause an SoD violation?
    Best,
    Frank

  • Uploading mitigating controls - UAT to production system

    Dear gurus
    Before I place the issue I would like to give some background: In the Production system of Compliance Calibrator we have 3 systems assigned: Production, UAT and Development. We are the implementation team and are not authorised to assign the mitigating controls for users in the production system; therefore, before going live, we have assigned the mitigating controls to the same set of users in the UAT system in the production system of Compliance Calibrator. Now the region has gone live and the same set of mitigating controls needs to be assigned to the same set of users with the same risks for the production system users.
    Issue: Now there are over 100 users and it's not feasible for us to manually assign the same mitigating controls to the users once again. Is there a possibility to automate this assignment, or will we have to do it manually? In case we can automate, then how? In case we have to do it manually, what is the best way to cover the users faster?
    Thanks in advance
    Vani

    Thanks Frank, would you advise which would be the better editor?
    Hi Alpesh,
    If I understand correctly, you mean to say that it's the same table, since it's the same RAR production system, but currently while adding the mitigations I would have chosen the users as mentioned in the UAT system that is attached to RAR production, but how do I make it the production system? If I go by what you say, I should add the user IDs as per the production backend system in the same table and then it will automatically pick it up while running reports for production users, is that correct?

  • Creating Mitigation Control from CUP

    Hi Guys,
    Is this feature implemented in Access Control? Or is it still an enhancement?

    Hi Alpesh
    In order to your answer... Can you help me identify what I am doing wrong when I want to approve a mitigation control in CUP?
    Path 1 : Approve request
    Stage 1: Request
    Stage 2: Security
    Stage 3: Role Owner
    Detour Path:
    Type: CUP
    Stage: Role Owner
    Condition: SoD Review
    Detour Path: Path 2
    Path 2:
    Stage 1: Approval -- > CAD : Mitigation Monitor
    The request is sent to the Mitigation Monitor, but when we try to approve, the request shows the following error:
    2010-03-30 14:10:26,390 [SAPEngine_Application_Thread[impl:3]_25] ERROR  Mitigation control TEST_5.1 could not be saved for user PRUEBAGRC_6
    com.virsa.ae.core.BOException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:207)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.saveMitigationControls(MitigationControlBO.java:321)
         at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:6993)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:6748)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6600)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6393)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:949)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:104)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.virsa.ae.service.ServiceException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.checkForSuccess(MitigationControlWS52DAO.java:832)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.executeUpdateUserMitigation(MitigationControlWS52DAO.java:287)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.insertUserMitigation(MitigationControlWS52DAO.java:309)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:195)
    Can you help me please?? All URI are OK.
    Thanks !!!!
    Edited by: Karen_sans on Mar 31, 2010 7:45 PM

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    Will greatly appreciate it if anyone is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR... but this can be tiresome, because then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore, comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR.
    We also have the same issue and are performing a manual review at regular intervals of the user- and role-assigned mitigation controls.
    Best Regards,
    Srihari.K

  • Mitigation control errors out in CUP approval

    We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR.  Once it goes for approval into CUP, it errors out when I try to approve it.  Here is the message:
    2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
    com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
         ... 32 more
    Thanks,
    Peggy

    Hello Peggy,
      Did you recently upgrade your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration".
    The problem is due to a change in the NW encryption algorithm, which impacted GRC as well. This is fixed in SP10 of GRC.
    Regards, Varun

  • CUP - Mitigation Controls in a Detour Workflow

    Hello everybody,
    I have a problem with a detour workflow in CUP.
    I choose the detour condition: "SoD violation".
    So in theory, if there are no conflicts, the workflow doesn't take the detour path.
    Suppose that the user request has an SoD conflict.
    In the stage(s) before the detour, if we assign a mitigation control that mitigates the risk, the detour is still taken.
    I think the workflow switches systematically to the detour if the request had a conflict, even if the risks were deleted by a Mitigation Control assignment.
    Does anyone have a solution to avoid the detour path if we mitigate the risks?
    Thank you in advance!!

    Ben,
       This is how CUP works. There is no configuration which allows you to ignore an SOD violation even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh
