CUP 5.3 SP16, detour path for SOD violations doesn't exclude critical risks

Hello,
Has anyone else had this issue:
If you set your configuration to not require mitigation of critical risks, but only SOD risks, the workflow detour path condition 'SOD violations' still triggers to go to the detour path even if the request only has critical risks. This is a bug in the workflow detour logic. First of all, CUP doesn't differentiate between SOD violations vs Critical Risks violations. If we only want the mitigation approver detour to happen for SOD risks, the detour seems to happen even if the request only has critical risks issue which doesn't require mitigation.
Since our Approver determinator for SOX approval is the RAR Mitigation Control approver, the workflow detours to the SOD violations path but doesn't find any mitigation approvers on critical risks, and so goes to the administrator inbox as an approver-not-found escape route.
If SAP gives the option to not require mitigation of critical risks under config>mitigation>uncheck mark mitigation of critical risks not required, then the logic for detour also shouldn't happen for critical risks under the 'SOD violations' condition. This doesn't make any sense why SAP has both in the same condition when one is clearly not SOD risks. Now our workflows keep failing because of this, because we have several roles that might have a critical transaction or so, but we can't stop it from detouring even when we do not want them mitigated or approved for the SOX stage. But we still need this detour path for additional approval for the actual SOD risks.
I will greatly appreciate anyone's feedback on what they have done to resolve this.
Thanks,
A.

I was actually able to resolve the issue by adding the role approver stage first to the SOX approver detour path. This way, if the manager has roles with SOD violations and updates mitigations for it, it goes to the role approver via the detour path first as well and then to the SOX approver stage before auto provisioning. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour, which also has the role approver as the last stage.
Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
Requestor>Manager->Role Approver-->auto provisioning (without SOD violations)
Requestor>Manager> Detour (Role Approver>SOX Approver)->Auto Provisioning (with SOD violations)

Similar Messages

  • GRC CUP 5.3 SP16, detour path not working for SOD violations

    Hi,
    Something bizarre is going on in our request processing and I'm not sure if that's the way SAP has set it up.
    We configured a detour path for requests with SOD violations to go to the additional stage of 'SOX Approver' but the first stage (manager) does the risk analysis and Mitigation assignment and then it goes to Role owner approver that approves the roles access. Once the role owner approves the roles , if the request had SOD violations, even if the mitigation was selected and approved by the manager stage, it needs to go to the SOX approver stage to approve the mitigation assignment before the request can be auto provisioned for any requests that had sod violations.
    But it seems to skip the SOX approver detour path stage after the role owner approval and go directly to auto provisioning. I thought that any requests that had SOD violations, in spite of having a mitigation assignment in a previous stage, can be detoured to the next path for SOX approval and then auto provisioned. Since SAP doesn't give a different approval option to approve mitigation vs. approve roles, wherever you make the risk analysis mandatory, that's where the mitigation controls have to be assigned. But we want the option to detour the path to the SOX approver to approve those mitigation controls before auto provisioning the request.
    Any idea of how to fix this?
    Is the detour only going to work if the mitigation wasn't assigned? But then how can you get approval for the mitigation on a different stage if the same person has to assign and approve that?
    Will appreciate any feedback in this.
    Thanks,
    Alley

    I was actually able to resolve the issue by adding the role approver stage first to the SOX approver detour path. This way, if the manager has roles with SOD violations and updates mitigations for it, it goes to the role approver via the detour path first as well and then to the SOX approver stage before auto provisioning. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour, which also has the role approver as the last stage.
    Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
    Requestor>Manager->Role Approver-->auto provisioning (without SOD violations)
    Requestor>Manager> Detour (Role Approver>SOX Approver)->Auto Provisioning (with SOD violations)

  • Mitigation of risk at detour path

    Dear experts,
    I have a scenario wherein I am using a detour path for SOD violations. I want the SOD violation path to go to a person depending on the type of risk present in the access request.
    The path with HR risk should go to person X, whereas non-HR (ECC) risk should go to person Y, who will do the mitigation. There are only two persons (one from HR and the other from ECC) to do mitigation.
    They are responsible only for mitigation, and the mitigation control ID approver/monitor are different.
    How could this be achieved? Please share your thoughts.
    Thanks,
    Mamoon

    Hi Mamoon,
    Please check the below link. This could be helpful for you.
    AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
    Regards,
    Madhu.

  • SAP Adapter has a problem, SOD violations will not be checked

    Hi,
    In our IDES server, whenever I click the save button in SU01 I get the following error:
    "SAP Adapter has a problem, SOD violations will not be checked !
    Please check with your system Administrator
    Technical Info:
    Error when opening an RFC connection "
    We didn't have this problem before. Can anybody help me to resolve the issue?
    Also, I am getting this error only if I click save in SU01. In other transaction codes I don't get this error.
    Thanks in Advance
    Edited by: gajula jhansi on Apr 11, 2011 11:28 AM

    You need to restart your sap adapter in GRC front end from configurations tab-->Sap adapter >choose the one for your back end system> if it's grayed out or even green still, click on it and let it restart and turn green again.
    Then you go back to your backend ECC system and in SM59 , choose the RFC connection for the Risk Terminator (the one you have saved in the Risk Terminator transaction /VIRSA/ZRTCNFG in backend system).. and test the connection. It should pass the connection test if your adapter is working and set up correctly. Then when you do save in SU01 or make changes in PFCG and have Risk Terminator activated for the backend system, it will check the SOD violations against those transactions from RAR front end.
    If you don't want Risk Terminator to check for SOD violations in front end RAR, then you need to set your settings to 'NO' for all in the Risk Terminator transaction. You can get all this info in the GRC config guide for RAR and SPM area.
    Regards,
    Alley

  • Mitigated risks workflow for SoD detour approval

    Hi All,
    Please assist. I have configured a workflow for requests as follows:
    Super user submits request - Workflow to Business Analyst (if there are violations they can assign an existing mitigation control) - Auto Provision
    If no existing control is available - Detour to SoD officer (to compile a new control with Business Analyst) - workflow to GRC administrator to capture new control on the system - Auto provision
    The problem that I have now is with the first part of the workflow, wherein there are violations and there is a control in place that can be applied to mitigate the risk. If I mitigate the risks associated with the request, the workflow still goes to the SoD officer in spite of all risks being mitigated.
    Is there a way I can set this to enforce the assigned controls? Checking from RAR, the user is only linked to the control upon closing the request.
    I have set Risk Analysis defaults on CUP to "Consider Mitigation Controls"
    GRC 5.3 SP13
    Any help will be appreciated.
    Thanks,

    Hi Sabrina,
    For Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement routing rule(based on detour condition - risk found). Purpose of same (if I am not mistaken) is to through the request to another level of approver wherein mitigation monitor agent reviews the mitigation performed by role owner stage and approve/reject the request.
    But when we create a role, the same is not the condition, as we do not mitigate role-level risk and thus there is no need to go to the mitigation monitor stage. Maybe you have some business scenario; if you can let us know, that will be great.
    For the rule ID, did you try adding the rule ID ?(you may already know, still would like to cross check with you).
    GRAC_MSMP_DETOUR_SODVIOL under list of rules for "Role Approval Workflow". In the screenshot you have shown, just click on ADD feed -
    Rule ID -GRAC_MSMP_DETOUR_SODVIOL.
    Rule description - same as Access request.
    Rule type - Function module based
    rule kind - routing rule.
    Add this and check if it works and let us know the result too.
    Regards,
    Nishant

  • CUP 5.3: SOD violations detour to Super Access Owner

    Hi GRC Experts
    Is it possible for us to set-up SOD violations detour to  a super access owner as an approver when violation is identified?
    Has anyone done does this before?
    Edited by: Donovan Mathews on Oct 6, 2009 2:47 PM

    I'm fairly sure that you could configure the workflow to trigger an approval stage which is then approved by the SuperUser Owners.
    However, you may need to be on patch level 08 to allow this approval mechanism to work correctly.
    I've not had the chance to play with detours massively yet so cannot comment on that element but I'm sure others here have.
    Simon

  • Detour path in GRC 10

    Dear Expert ,
    Any idea where we can maintain Detour configuration in GRC AC 10 .
    In MSMP I can see route mapping, but I am not sure if this is the place where I need to configure the detour, as it does not have an option to set a detour condition.
    Thanks & Regards
    Asheesh

    HI Asheesh,
    Can you confirm whether you fixed the issue. Routing works only if we reject the request ??
    I have following scenario
    1. No SoDs >> Take approval from Role Owner and create user/ assign the access using workflow
    2. SoDs found >> Role Owner approval and then Security team approval  after this userid will be created and assign the access
    I have configured as below
    Maintain Paths
    1.GRAC_DEFUALT_PATH . In this I have configured re routing using Functional module GRAC_MSMP_DETOUR_SODVIOL to route from Role Owner stage to Security stage
    2. ZGRAC_NO_SOD_PATH  . .with stage as role owner only
    Maintain Route Mapping
    1. Map GRAC_DEFUALT_result to Default_path
    2. Map GRAC_MSMP_DETOUR_SODVIOL  to Defualt Path again for any SOD violations
    3. Used one more functional module GRAC_INITIATOR_SOD_VIOLATIONS to check SoDs and map No SOD result to ZGRAC_NO_SOD_PATH
    Workflow is working perfectly for  Scenario# where SoD exist
    But for Scenario#1 , it is still following same path with 2 stages . Ideally it should go to role owner and assign the access
    I believe this is due to it is just following 1 path GRAC_DEFUALT_PATH even though there are no SODs

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    I will greatly appreciate it if anyone is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR? But this can be tiresome, because then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore, comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
    We also have the same issue and are performing a manual review at regular intervals of the user- and role-assigned mitigation controls.
    Best Regards,
    Srihari.K
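
The recurring manual review described in this thread can be scripted against two report exports. This is an added example, not SAP code and not from the original posts; the CSV column names (`user`, `risk_id`, `control_id`, `valid_to`), the control and risk IDs, and the sample rows are all assumptions constructed for illustration and must be mapped to whatever your RAR mitigation and risk analysis reports actually export.

```python
import csv
import io
from datetime import date

# Constructed sample exports. Column names are assumptions, not an SAP format.
MITIGATIONS_CSV = """user,risk_id,control_id,valid_to
jdoe,P001,MC_AP_01,2030-12-31
JDOE,F010,MC_FI_07,2030-12-31
ASMITH,P001,MC_AP_01,2020-01-31
BLEE,H003,MC_HR_02,2030-12-31
"""

VIOLATIONS_CSV = """user,risk_id
JDOE,P001
ASMITH,P001
CWONG,F010
"""


def load_rows(text):
    """Parse CSV text into dicts with trimmed values and upper-cased user IDs."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k.strip(): (v or "").strip() for k, v in raw.items()}
        row["user"] = row["user"].upper()
        rows.append(row)
    return rows


def review_mitigations(mitigations, violations, today):
    """Compare mitigation assignments with the current risk analysis result.

    stale       - control still assigned although the user no longer has the risk
    expired     - risk still present but the assignment's validity has lapsed
    unmitigated - risk present with no currently valid control assigned
    """
    open_risks = {(v["user"], v["risk_id"]) for v in violations}
    stale, expired, covered = [], [], set()
    for m in mitigations:
        key = (m["user"], m["risk_id"])
        entry = (m["user"], m["risk_id"], m["control_id"])
        if key not in open_risks:
            stale.append(entry)
        elif m.get("valid_to") and date.fromisoformat(m["valid_to"]) < today:
            expired.append(entry)
        else:
            covered.add(key)  # an empty valid_to is treated as "no expiry"
    return {"stale": sorted(stale), "expired": sorted(expired),
            "unmitigated": sorted(open_risks - covered)}


if __name__ == "__main__":
    result = review_mitigations(load_rows(MITIGATIONS_CSV),
                                load_rows(VIOLATIONS_CSV),
                                today=date(2024, 1, 1))
    for bucket, items in result.items():
        print(bucket)
        for item in items:
            print("  ", *item)
```

The `stale` bucket is the list the thread says has to be cleaned up by hand; `expired` and `unmitigated` surface the opposite problem, risks that auditors would see as uncovered.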

  • Relative path for images in RTF templates

    Hi everybody!
    When I insert an image in a RTF template, I put its path into the web dialog, in order to see correctly the picture when I open the report from the xmlp server, in this way: url:{"http://servername/analytics/res/Images/image.bmp"}
    How can I make this path relative, in order to see the images even if the server name changes?
    Thanks so!
    Francesco

    Hi Tim,
    I am using BIP 10.1.3.3.2. I am able to access system variable CURRENT_SERVER URL.
    Steps:
    <?param@begin:CURRENT_SERVER_URL?>
    <xsl:value-of select="$ CURRENT_SERVER_URL"/>
    CURRENT_SERVER_URL is getting printed in BI Publisher. Value displayed is http://xx4697.xxx.co.in:9704/xmlpserver.
    Now we are importing xsl into RTF template. File aaa.xsl is stored at [BIP_Installation_Directory\oc4j_bi\j2ee\home\default-web-app]
    We have hardcoded the path for XSL in RTF. The path is <?import: http://xx4697.xxx.co.in:9704/aaa.xsl?>
    As we want to set dynamic path we changed hardcoded xsl path to <?import: {$CURRENT_SERVER_URL}/../aaa.xsl?> but it is not working. Sometimes BIP is taking local path of MyDocuments folder and sometimes Desktop path. If I put that XSL file in MyDocuments folder or Desktop, it is working fine. But ideally it should refer [BIP_Installation_Directory\oc4j_bi\j2ee\home\default-web-app] path...
    Thanks,
    Amit D

  • Search c:\ drive and return file path for winword.exe and save as variable

    Hi all, here is what I'm trying to do;
    1. Search C:\ drive for winword.exe
    2. take the file path and save it as a variable.
    3. Then based on the path value, use the switch statement to run "some command" 
    Essentially I'm trying to find what the file path for winword.exe is, then run a command to modify the registry.  I already have the script that will modify the registry like I want but the problem it, the path is hard coded in the script, I want to
    now look for all versions of word and set the right file path so I can make the right registry changes.

    This should get you started:
    http://ss64.com/ps/get-childitem.html

  • Css/js relative path for embedded server

    We have recently begun using relative paths for css and js files in our deployed applications:
    <link href="../../resources/css/global3.css" rel="stylesheet" type="text/css" />
    <script language="JavaScript" src="../../resources/script/globalScript.js" type="text/JavaScript"></script>
    I cannot figure out where to put the resources folder on my local machine so the pages will link correctly when running a project on my embedded server in JDev. Can anyone please help?

    Hi,
    the embedded OC4J has its configuration files at
    \jdeveloper_installdir\jdev\system\oracle.j2ee.<version>\embedded-oc4j
    However, if you use relative addressing then web applications try to find them relative to the public_html directory of the Viewlayer project
    Frank

  • Get the relative path for java class

    How to get Relative path for java class which is inside in web-inf directory in webapps

    ajay.manchu wrote:
    Hi gimbal2,
    My Requirement is i need to run a java class from batch file,when i created batch file in that i need to mention the complete path of the java class,so instead of mentioning that i want to provide only java class name,thats why i asked that one..
    can u help me regarding that....
    Thanks in advance
    I wonder how that would work then. Let's take a fictive example. You have a class com.mycompany.myapp.Foo. This would mean that the class is stored in some directory like this:
    c:/webrootdir/myapp/WEB-INF/classes/com/mycompany/myapp/Foo.class
    To be able to run such a class from the commandline using Java, you would have to invoke this command:
    java -cp c:/webrootdir/myapp/WEB-INF/classes com.mycompany.myapp.Foo
    How would knowing the exact path to this class help you?

  • Using relative path for in file/ftp adapter

    Hi All,
    How to have a relative path for file/ ftp adapter's inbound/outbound operation?
    Example: Consider $ORA_HOME = /home/oracle --> This environment variable can be different on different machines
    i want to drop a file in to $ORA_HOME/folder1/folder2 (Or poll for a file).
    <partnerLinkBinding name="FTP">
    <property name="wsdlLocation">FTP.wsdl</property>
    <property name="out_dir" type="LogicalDirectory">What do i write here???</property>
    <property name="retryInterval">60</property>
    </partnerLinkBinding>
    if i cant configure this in partner link section or in activation agent sction, how else do i achieve this?
    i am using 10.1.3.* version.
    Thanks in advance.
    Roshan.

    You can achieve it using the deployment scripts if the directory is changing on the basis of the environment.
    If you want to change it at run time, then you can use the JCA properties to set it using the variables at runtime.
    Regards,
    Ajay

  • Relative path for servlet property file.

    I have the following java file. When I use the absolute path for the configFile, it works. I would like to know how I could use it as relative path as in installation, the name of the directory could change.
    How do I fix the problem? Thank you.
    ---------------------- LoadProperties.java ----------------
    import java.util.*;
    import java.io.*;

    public class LoadProperties {
        private String driver = "";
        private String dbURL = "";
        private String login = "";
        private String password = "";

        static public void main(String[] args) {
            LoadProperties lp = new LoadProperties();
        } // main

        public LoadProperties() {
            //String configFile = "C:/1LMS/web-app/WEB-INF/config/db.properties";
            // This line could not find the db.properties file.
            String configFile = getClass().getResource("config/db.properties").toString();
            Properties Prop = new Properties();
            try {
                FileInputStream configStream = new FileInputStream(configFile);
                Prop.load(configStream);
                configStream.close();
            } catch (IOException e) {
                System.out.println("Error: Cannot load configuration file ");
            }
            driver = Prop.getProperty("driver");
            dbURL = Prop.getProperty("dbURL");
            login = Prop.getProperty("login");
            password = Prop.getProperty("password");
            printResult();
        } // Load Property

        private void printResult() {
            System.out.println("Driver = " + driver);
            System.out.println("dbURL = " + dbURL);
            System.out.println("Login = " + login);
            System.out.println("PSWD = " + password);
        }
    } // class

    hi there,
    had the same problem... you need to use following API:
    http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/ServletContext.html#getRealPath(java.lang.String)
    In your case something like that:
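    // get the servlet context
    ServletContext context = getServletContext();
    // directory name where the file is located
    // (getRealPath returns null if the path cannot be translated,
    // for example when the application runs from an unexpanded WAR)
    String realPath = context.getRealPath("/config");
    // get real path to your file
    String propertyPath = realPath + "/filename.txt";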
    hope that helps!!
    minu

  • Relative Path for Jquery into Content Editor Web Part

    Hi;
    I'd add a Content Editor Web Part (CEWP) to a web part zone. I'd edit that CEWP in HTML view and add my script which load Jquery and my question :  how to use a relative
    path for Jquery :
    <SharePoint:ScriptLink Name="SP.js" runat="server" OnDemand="true"
      Localizable="false" />
    <script src="/sites/XXX/Style%20Library/Scripts/jquery.min.js" type="text/javascript"></script>
    <script type="text/javascript">
    My code
    </script>
    Regards

    Hi;
    Firstly, I have used : 
    <script src="/Style%20Library/Scripts/jquery.min.js" type="text/javascript"></script>
    But any result and any change and If I add /Sites/XXX/ : it works correctly ?
    My code is :
    <SharePoint:ScriptLink Name="SP.js" runat="server" OnDemand="true"
        Localizable="false" />
    <script src="/sites/XXX/Style Library/Scripts/jquery.min.js" type="text/javascript"></script>    
    <script type="text/javascript">
    ExecuteOrDelayUntilScriptLoaded(displayTitle, "SP.js");
    var site;
    var context;
    function displayTitle() {
      //Get the current client context
      context = SP.ClientContext.get_current();
      //Add the site to query queue
      site = context.get_web();
      context.load(site);
      //Run the query on the server
      context.executeQueryAsync(onQuerySucceeded, onQueryFailed);
    }
    function onQueryFailed(sender, args) {
      alert('request failed ' + args.get_message() +
        '\n' + args.get_stackTrace());
    }
    function onQuerySucceeded(sender, args) {
      $("#layoutsTable table th span").html("Bienvenue sur le site " + site.get_title() + " - Direction Technique");
      $("#zz17_V4QuickLaunchMenu ul.root li span:contains('Biblioth')").parent().parent().hide();
      $("#zz17_V4QuickLaunchMenu ul.root li span:contains('Listes')").parent().parent().hide();
    }
    </script>
