GRC AC 10 Mitigation Tables

Is anyone aware of the specific tables that contain the mitigating control data (description, name, ID, organization, etc.)? I'm aware of the mitigation control object tables (user, role, etc.). Also, is the only way to import the mitigating controls through the Migration Tool? Is there a mass deletion for mitigating controls? I have not been able to find complete documentation on this specific topic. Any assistance is appreciated.

Hi,
Try seeing the following tables
GRACMITOBJECT - Mitigating control assignment
GRRMANALMITIG - Mitigation values
I have not really studied these tables in detail yet, but if I do find anything useful I will post a reply here.

Similar Messages

  • GRC PC 2.5 table for task plan and testlog and its link

    Hi,
    I want to know the list of tables used and the link between the tables related to GRC PC.
    Mainly I need tables involved while creating task plan, test logs. We need to develop a report using this data. We need to know how the tables are linked. We saw some two, three GRPC tables, in which the primary key is GUID. We need to know how this GUID is getting generated and on what basis we can retrieve this information from the tables.
    There is one report in the report center of GRC PC 2.5. In that selection screen, is it possible to add another field and retrieve data based on it?
    Regards,
    Karthick S
    Edited by: Karthick Sitaraman on Apr 24, 2009 9:55 AM

    Karthick,
    I can offer the following:
    1) SP07 was released on 4/20/2009 and contains a new report "Test Step Status."  You might want to look at this report so you don't unnecessarily reinvent the wheel.  This would, however, require application of SP07.  That report has 42 available fields.....lots of data.
    2) The table that contains Test plan Master data is HRP5327.
    We previously had a minor reporting change required and SAP was able to issue a fix for it.  The request was a minor, natural extension of an existing report.  Part of the problem is that we have very limited web dynpro ABAP skills in house so development of a report was very time consuming.  Another option you might want to look at is BI.
    I hope this helps.
    Matt

  • GRC 5.3 mitigation control

    Dear Guys,
    Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
    How could we mitigate user and on what criteria....????
    Also some brief about control monitor.
    Thanks in Advance......

    Hi Arpit,
    Steps for remediation and mitigation strategy is as below,
    Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
    OR
    there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
    Function A: Create PO
    Function B: Release PO
    The above two functions are conflicting and create risk in the standard process, so as a standard practice, in reference to compliance, SAP recommends having two people doing it separately, but the customer might not have 2 positions in the org to separate this, so the customer has to accept the risk and create a mitigation control to document this and put the monitoring control in place so one person can perform this function.
    This way it is helpful to follow the compliance, and when an audit happens the customer can show that they have identified the risk, documented it and put an alternate monitoring control in place, so the risk cannot be misused.
    Hope this helps you understand it.
    BR,
    Mangesh

  • GRC AC 10 - ARM Table with Requests violations

    Dear Experts,
    Does anyone know if there is any GRC AC 10 table containing the summary information on whether the ARM requests have violations or not?
    Thanks in advance,
    Regards,
    Vitor Cozer

    Hi Victor,
    No, there are no such tables which could give the relations between the ARM requests and the corresponding violations.
    You have only one option; like Neeraj suggested, run the reports for this need.
    Regards,
    Ameet

  • GRC Access Control VIRSA_CC_ACTRULHDR table

    Hi all,
    we are using GRC AC 5.3 SP14.
    We have noticed that, using the function "Rule Architect -> Utilities -> Export Rules", table VIRSA_CC_ACTRULHDR is not exported.
    In the previous SP it was exported.
    Do you know if this table is no more relevant ?
    Andrea

    Hello Andrea,
    I just want to give you some feedback, I know that I'm not answering your question.
    I've checked the table VIRSA_CC_ACTRULE and it has the fields: [ACTRISK] ,[ACTIONS] ,[VSYSKEY] ,[FUNCTID] ,[RISKID],[STATUS].
    The table you mentioned (VIRSA_CC_ACTRULHDR) has the following columns: [ACTRISK], [RISKID] ,[STATUS] ,[ENABLEORGRULE]
    Then it seems that VIRSA_CC_ACTRULHDR only adds ENABLEORGRULE information. If I were a developer I'd check first if there are org. rules defined. If not, it doesn't make sense to export the whole table because it can be generated automatically with the info. in  VIRSA_CC_ACTRULE table.
    It's just a thought, I don't know the source code of the export program and I'm not a developer either (LOL).
    I couldn't find any kind of info regarding this in the corresponding note (1168120).
    Cheers,
    Diego.

  • GRC AC V10 - Mitigation Control Approval Workflow

    Hi guys,
    can somebody explain to me the difference between the process IDs SAP_GRAC_CONTROL_ASGN and SAP_GRAC_CONTROL_MAINT?
    And can somebody also provide me the initiator rule ID for both so that we can have a detailed look into the BRFplus rule?
    We only want to mitigate controls via a control owner approval and not a process for the creation of new controls.
    That means an assignment approval workflow for mitigation controls.
    Thanks a lot.

    Hello Alexa,
    Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
    I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
    Any information would be appreciated.
    Thanks,
    Jamie

  • GRC 5.3 SPM - Tables

    Hi,
    I would like to know whether SPM tables are transportable? or do we need to open the client every time you update tables?
    Thanks
    Sam

    Hi Ahmed,
    You can download and upload all configurations within Backend /n/virsa/zvfat tcode itself.
    Goto Utilities> Download and take the desired dump, you will have to do one by one all. Next you upload it in QA and Prod server in the same place - Utilities> Upload
    Just two things might be different in each system - RFC and connector, make sure to change them manually after upload and it will work fine.
    FFIDs are to be created manually and Roles are to be transported and attached.
    Regards,
    Sabita

  • Audit log is not showing any data GRC 10 PC

    Hi,
    When we try to execute the audit logs under reports in Process Control, no data is shown and we get an error like "no data matching the entered selection criteria".
    Are any configuration changes required?
    Thanks
    GRC Admin

    Hello,
    Check whether the table DBTABLOG contains data or not; if there is no data, maintain the parameter rec/client in RZ11 and try the same.
    While executing the audit log, the time frame needs to be maintained as HH:MM, not HH:MM:SS.
    Check the link below about DBTABLOG:
    Change Log Monitor Enabling by Table log Activation in SAP Production Environment - Governance, Risk and Compliance - SC…
    Regards
    Baithi

  • GRC AC 5.3 and GRC Process Control on the same server

    Hello,
    Can we install SAP GRC AC 5.3 and GRC Process Control 3.0 and GRC Risk Management 3.0 on the same box/ same server.
    Is there a OSS Note, which talks about having the above 3 components on one box?
    Thanks,
    Imran

    Hello Imran,
      1- My 3 questions are: do I need a separate JAVA Stack for GRC Process Control and a separate JAVA Stack for GRC Access Control
    -> No, you can have them installed on the same Java stack.
    OR
    Can I use the same JAVA Stack for GRC Process Control & GRC Access Control?
    -> Yes, you can. You have to make sure that you are on SP10 or above for Access Control as only then it will support NW Java 7.01.
    2- Can I use EP 7.0.1 installed on same server for both GRC PC 3.0 and GRC AC 5.3?
    -> Yes, you can.
    3- Can 1 single AS JAVA Database contain both GRC Access Control VIRSA Tables and GRC Process control tables at the same time?
    -> For process Control the tables reside on the backend SAP as it is webdynpro ABAP application and for access control the tables reside on the Java database as it is java and webdynpro JAVA application.
    Regards, Varun

  • Mitigation control ID validity extension -easy way

    I work in GRC AC 5.3. All Mitigation control IDs have a validity expiration on same date in near future. Our GRC has many mitigation control IDs with mitigated users. How can I change the valid to date in convenient way?
    It may be extended for all mitigated users separately/individually, but it will take huge time.

    You can download all of them in a text file, make changes and upload it back via the import/export utility under mitigation tab,
    Alpesh

  • Tables that contains the legacy systems authorization information

    Hi all,
    I'm setting up legacy systems in my SAP GRC 5.3. We would like to check if the information uploaded from the extractor is correct. Does anyone know which GRC 5.3 tables contain all the system authorizations uploaded from the legacy system?
    Thank you in advance.

    Hi,
    If I understand your question correctly, you wish to know the GRC 5.3 RAR tables that contain the authorization information and want to connect a legacy system.
    If you check the /VIRSA/* tables, you can find all the GRC related tables.
    However, if you are trying to perform an offline risk analysis, refer the below Article:
    http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c
    Hope this helps!!
    Regards,
    Raghu

  • Configuration of  User Access Review process

    Hi,
    I'm new to the forum.
    I'm looking at the User Access Review process in CUP.
    I would like to implement the User Access Review request. So, my questions are:
    1. Where does GRC take the data from to make the analysis? I need to know the exact place where the data is collected (which table, transaction code or statistical data).
    In case GRC uses the backend tables, I should be aware of the time that the tables are operational in the system, correct?
    2. Otherwise, how does this analysis affect the performance of the backend system?
    3. I have read that it is possible to obtain reports with the use of Action Usage. The report that I mention is: RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
    Where does it get information from? Could the data be in the same place that the User Access Review process uses?
    4. Is it possible to introduce other actors as Reviewers (in Configuration Tab, User Review > Options > User Review pane)? Now, the reviewers configured are Manager or Role Owner.
    5. To set User Access Reviews, I need some additional technical or is an automatic procedure?
    If there are any requirements that I should take into account, please let me know.
    Thanks in advance
    Marta

    Hi,
    I have found this document that answers all my questions:   www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/b05010a3-ed45-2c10-79b2-96df60a6bf2b
    So, now I have another question:
    In the GRC Access Control that I have, ERM is not configured and there is no communication with it (only RAR and CUP are configured).  So, I would like to know if it's possible to configure User Access Review apart from ERM.
    To realize the Role Usage Synchronization job in ERM, the transaction usage information from RAR alert data is needed. The job also obtains role to user assignments and role content information from the back-end systems. Access Control then translates the transaction usage information into role usage.
    If this information could be extracted from the backend tables, I am looking for an alternative to way to load data in the system, regardless ERM. Is it possible?
    Thanks in advance
    Marta

  • Problem in Virsa 4.0 in Mitigate Users

    Hi ...
    We have patched Virsa 4.0( 400_620) on our production server.  After patching, we are facing problem with Mitigate Users.
    After logging in CC4.0, under the Mitigation Tab, Mitigation Control ->Mitigate Users -> New Entries.
    Here when we add or Mitigate a User under this New Entries, filled required data and SAVE, it prompts "INVALID RISK ID" on the status bar.
    We have all the RISK IDs in CC4.0; when we search for RISK ID and MITIGATING CONTROL ID, we can see all the data in CC4.0.
    Due to this, the SOX team is not able to MITIGATE USERS.
    Please advise and suggest how we can fix this problem.
    Thanks,
    Regards,
    Narender

    Hi Kathy,
    I am facing the same issue here. The patch update from 400_640 to 400_700. Originally the 'user mitigated' table had a major flaw within it, whereby it would accept any value, ie you could potentially mitigate a user against a series of risks that did not exist in the system or were not associated with the control id.
    The patch has somewhat filled this flaw. Since then all risk appear to be invalid when you mitigate (whether mass way or within the control ID). To resolve this, there is a table called /VIRSA/RISKS (Rule Architect>Risks) which needs to have the risk ID defined. For example DP02 (Create outbound delivery with order ref). This was not needed to be maintained before or there was no check in the code previously.
    If your rule matrix has this risk split into various org risks like ours such as DP02ES (spain) you will be able to associate that risk to a control ID or mitigate a user with that risk (via the mass option), as long as the DP02 is defined in the risks table.
    The good thing with these checks is 1) the system now checks if the risk is first defined in the system (Rule Architect>Risks- /VIRSA/RISKS) and 2) you will not be able to mitigate a user via the mass option if the risk being used is not associated with the mitigation control ID you're using.
    Hope that helps
    Amar

  • Brain Bender - select where not data

    Hi Gurus'
    I have a problem that is doing my head in; I just can't get the data set back that I want.
    I have two tables (more than that really, these are the last two of 6 related tables), 'mitigation' and 'mitigation_tracking', which have a one-to-many relationship.
    The primary and foreign key relationships are shown at the bottom of the post.
    In my example the mitigation table (pkey MIT_ID) has 8 records and I want to return the 8 records except if the user (mit_userid) has already submitted an entry into the tracking table.
    A right outer join using MIT_ID, mitigation to mitigation_tracking, will return the 8 records and 3 nulls I want, but if I try to limit this because the user has already processed some entries, that is where I run into trouble.
    MIT_ID  RECORD_ID  ASSET_ID  CATEGORY_ID  RE_ID  MIT_ID  MIT_USERID
    10100   10046      10060     10102        10063  10100   BRAD
    10071   10046      10060     10102        10063  10071   BRAD
    10100   10046      10060     10102        10063  10100   SCOTT
    10070   10046      10060     10104        10065  10070   SCOTT
    10081   10046      10080     10140        10080  10081   SCOTT
    10082   10046      10080     10140        10080
    10083   10046      10080     10140        10080
    10120   10046      10060     10102        10064
    When I try: where (mit_userid is null or mit_userid != 'BRAD')
    the return will still include the data with MIT_ID = 10100 because both BRAD and SCOTT have processed this record.
    What I want is to return only the rows where BRAD has not made an entry into the second mitigation tracking table even if SCOTT has.
    I thought it would be easy but no matter how I look at it I can't get a query to work.
    Any help would be greatly appreciated.
    Data key sets.
    MITIGATION
    MIT_ID  RE_ID  CATEGORY_ID  ASSET_ID  RECORD_ID  DATA
    10081   10080  10140        10080     10046      Some Data
    10082   10080  10140        10080     10046      Some Data
    10120   10064  10102        10060     10046      Some Data
    10070   10065  10104        10060     10046      Some Data
    10071   10063  10102        10060     10046      Some Data
    10100   10063  10102        10060     10046      Some Data
    10083   10080  10140        10080     10046      Some Data
    MITIGATION_TRACKING
    MTRACK_ID  RECORD_ID  ASSET_ID  CATEGORY_ID  RE_ID  MIT_ID  MIT_USERID
    71         10046      10060     10102        10063  10100   BRAD
    70         10046      10060     10102        10063  10071   BRAD
    67         10046      10060     10102        10063  10100   SCOTT
    68         10046      10060     10104        10065  10070   SCOTT
    69         10046      10080     10140        10080  10081   SCOTT

    I would just like to express my thanks to
    The Flying Spontinalli and John Spencer.
    Your suggestions have proved to be on the money.
    This was one of the last things I needed to do in an APEX application that I was working on and I had been banging my head against the wall for 2 days.
    I knew that I needed to intersect on the mit_id but did not know about the "NOT IN" and "NOT EXISTS".
    I appreciate your taking the time to read, understand and respond.
    Thanks
    Regards
    Brad
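
The anti-join this thread converges on, as an added example that is not part of the original posts: it loads the key columns from the MITIGATION and MITIGATION_TRACKING listings above into an in-memory SQLite database (an assumption; the thread's application ran on APEX) and compares the row-by-row outer-join filter from the question with `NOT EXISTS` and `NOT IN`. The function and constant names are illustrative.

```python
import sqlite3

# Key columns copied from the two listings in the post (other columns omitted).
MITIGATION = [10081, 10082, 10120, 10070, 10071, 10100, 10083]
TRACKING = [(71, 10100, "BRAD"), (70, 10071, "BRAD"), (67, 10100, "SCOTT"),
            (68, 10070, "SCOTT"), (69, 10081, "SCOTT")]


def build_db():
    """Create the two tables in memory and load the rows from the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mitigation (mit_id INTEGER PRIMARY KEY)")
    db.execute("CREATE TABLE mitigation_tracking ("
               "mtrack_id INTEGER PRIMARY KEY, mit_id INTEGER, mit_userid TEXT)")
    db.executemany("INSERT INTO mitigation VALUES (?)", [(m,) for m in MITIGATION])
    db.executemany("INSERT INTO mitigation_tracking VALUES (?, ?, ?)", TRACKING)
    return db


# The attempt from the question: the WHERE clause tests each joined row on its
# own, so SCOTT's row for 10100 passes even though BRAD also has one.
OUTER_JOIN_FILTER = """
SELECT DISTINCT m.mit_id FROM mitigation m
LEFT JOIN mitigation_tracking t ON t.mit_id = m.mit_id
WHERE t.mit_userid IS NULL OR t.mit_userid != ?
ORDER BY m.mit_id"""

# Anti-join: keep a mitigation only if no tracking row exists for this user.
NOT_EXISTS = """
SELECT m.mit_id FROM mitigation m
WHERE NOT EXISTS (SELECT 1 FROM mitigation_tracking t
                  WHERE t.mit_id = m.mit_id AND t.mit_userid = ?)
ORDER BY m.mit_id"""

# Same result with NOT IN. The IS NOT NULL guard matters: a single NULL in the
# subquery result makes NOT IN match nothing at all.
NOT_IN = """
SELECT m.mit_id FROM mitigation m
WHERE m.mit_id NOT IN (SELECT t.mit_id FROM mitigation_tracking t
                       WHERE t.mit_userid = ? AND t.mit_id IS NOT NULL)
ORDER BY m.mit_id"""


def pending_for(db, query, user):
    """Return the MIT_IDs the query reports as not yet processed by user.

    The user name is passed as a bound parameter, never concatenated into SQL.
    """
    return [row[0] for row in db.execute(query, (user,))]


if __name__ == "__main__":
    db = build_db()
    for name, query in (("outer join filter", OUTER_JOIN_FILTER),
                        ("NOT EXISTS", NOT_EXISTS), ("NOT IN", NOT_IN)):
        print(f"{name:18} BRAD -> {pending_for(db, query, 'BRAD')}")
```
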

  • GRC AC10 Mitigation Control Temporary Tables

    Hi everyone,
    I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
    I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
    Maybe it is stored in an XML file and that's why I can't reach the table.
    If you have any idea or any experience to share, I would really appreciate it!
    Thanks and regards,
    Fernando

    Hi Fernando
    "Maybe it is stored in an XML file and that's why I can't reach the table."
    I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file.
    I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
    Might need to trace it to identify the function module that is used by approver to view the request?
    Regards
    Colleen
