GRC AC10 Mitigation Control Temporary Tables

Similar Messages

• SAP GRC AC10 Common Practices on Mitigation Control

  Hi all,
  Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
  We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
  And the mitigation controls should be owned by global organization or compliance department or local organization?
  Please help.
  Thx!

  Hi "GRC_SAP_AUDIT"
  I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
  You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
  With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
  Hope this helps. If you wish to add any further detail, im sure the forum members are happy to help.

• Joining table in GRC 10 Process Control

  Hi,
  I am trying to create a new Data Source in GRC 10 Process Control. I need to join tables AGR_1251 (main table) and AGR_USERS. I am selecting AGR_1251 as main table. However, nothing comes up when I try to select AGR_USERS as 'Related Table'. On searching AGR_USERS , the system does not return any tables. Both are transparent tables and hence can be joined. I tried using both 'Reference Tables' as well as 'Dependent Tables' .
  Can you also explain the difference between 'Reference Tables' and 'Dependent Tables'.
  Regards,

  Hi Amarnath,
  tables is used to provide the table for the CURR(currency) or QUAN (quantity) fields.
  In your case you want to join tables via foreign key(s) and therefore will have to use dependant tables.
  The search for table AGR_USERS as dependant table for AGR_1251 will not return anything since the only table
  referred as check table (for a foreign key) in AGR_1251 is AGR_DEFINES.
  I would suggest to build your query based on defined check tables (see se11) of the needed tables (in this case AGR_DEFINE is the common point of both AGR_USERS & AGR_1251).
  Kind regards,
  Pascal

• Bringing mitigating controls from PC to AC in GRC 10.0

  Hi ,
  I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
  my client is asking me to copy all the mitigating controls from PC to AC.
  Is this possible ? if yes, What will be the process ?
  Thank you.

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• Mass maintenance of Mitigation controls in GRC 10.0

  Dear All,
  How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• Mitigating Control creation and application in SAP GRC 10

  Hi Expert,
  We have SAP GRC Access Control 10 being implemenmted for our client.  While trying to create Mitigating Control, we just realized that Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions which is visible only when we activate the GRC-PC Application.
  My queries are:
  1. Is it that Mitigation control can only be created if PC is enable.
  2. What about Licencing if GRC-PC Application is used for Mitigating Control Creation.
  Thanking you i advance.
  Thanks & Regards,
  Abhimanu Kumar Singh

  HI,
  Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
  However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
  Thanks again.
  Thanks & Regards,
  Abhimanu Kumar Singh

• GRC 5.3 mitigation control

  Dear Guys,
  Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
  How could we mitigate user and on what criteria....????
  Also some brief about control monitor.
  Thanks in Advance......

  Hi Arpit,
  Steps for remediation and mitigation strategy is as below,
  Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
  OR
  there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
  Function A: Create PO
  Function B: Release PO
  Above two functions are conflicting and create risk in standard process, so as a standard practice, in reference to compliance SAP recommends to have two people doing it separately, but customer might not be having 2 postions in org to separate this, so customer has to accept the risk and create mitigation control to document this and put the monitoring control so one person can perform this function.
  This way it is helful to follow the compliance and when audit happens customer can show that they have identified the risk and documented it and put alternate monitoring control, so the risk cannot be misused.
  Hope this helps you understand it.
  BR,
  Mangesh

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• Table for mitigation control frequency

  Hi,
  We are trying to build a program to be able to send notifications to mitigation monitors. For this I am trying to find the tables where the relevant details of the mitigation controls are located.
  I need the following information from the tables:
  1. Mitigation ID - I have found this in HRP5354
  2. Mitigation Name - I have found this in HRP1000
  3. Mitigation Monitor - I have found this in HRT5320
  4. Tcode in Reports - I have found this in HRT5320 + GRACACTION
  5. Frequency - I have NOT found this.
  The #5 - frequency of the report action is something that I am still missing. Please help me with the info, also suggest if there is a better way to get this information. Thanks!!
  Thanks,
  Sammukh

  Hi Sammukh,
  you can find the frequency in table GRFNCNREPORT.
  In general you can easily find the tables with SE11 to check where the object is used.
  Hope this helps.
  Regards
  Alessandro

• GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

  Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
  Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
  Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
  Thanks,
  A.

  Hi Alley,
  It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
  We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
  Best Regards,
  Srihari.K

• Rule set/mitigation control tables backups

  I am working in GRC AC 5.3 with old SPs. How can I take backup of existing rule set and mitigation controls so that I can compare those after GRC AC SP upgrade. Please guide me in detail.

  You can download the ruleset via rule architect -> utilities -> export and mitigation via mitigation -> utilities -> export.
  Regards,
  Alpesh

• Anyway to fill the multiple owners in Access Control owner Table in GRC 10.0?

  Hi,
  Is their any way to fill the data in the access control owner table in case we have many owners?
  Any script or any table for inserting this at one shot!

  Hi Pranjal,
  not really recommended, but you can fill directly in table GRACOWNER.
  Regards,
  Alessandro

• Transport of mitigation controls from GRC Dev to GRC Production in 10.0

  Hi All,
  Is there an option to transport mitigation controls from Dev to Prod in 10.0. Where is that option available. We could not find even download or upload option unlike 5.3 in 10.0
  Thanks and Best Regards,
  Srihari.K

  Hi
  I can see that this question is marked as answered . Could you please update what steps were taken for transporting mitigation controls? Thanks
  Best Regards
  Srilakshmi S

• GRC AC V10 - Mitigation Control Approval Workflow

  Hi guys,
  can me explain somebody the difference between the processID SAP_GRAC_CONTROL_ASGN und SAP_GRAC_CONTROL_MAINT?
  And as well can somebody provide me the initiator rule ID for both so that we can have a detailed look into the brfplus rule.
  We only want to mitigate controls via an controlowner approval and not a process for the creation of new controls.
  That means an asisgnment approval workflow for mitigation controls.
  Thanks a lot.

  Hello Alexa,
  Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
  I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
  Any information would be appreciated.
  Thanks,
  Jamie

• Mitigation control workflow for AC10

  We are configuring the Mitigation control workflow during the implementation of AC 10.
  I would like to know whether its mandatory to have the workflow for Mitigation approver and monitor. As per the implementation team there is no requirement for them as this is not covered during the rampup.  But I think this should be mandatory to have the mitigation approval worflow so all the mitigation risk should be approved before mitigating. Otherwise, security admin can mitigate any risk and complete the request.
  Please advice.

  Hi,
  Yes. It will be a manual process. In some of the organizations, risks identification and mitigation will be performed manually by the Business process owners, which means in reality there will not be any risks that pop-up in CUP or RAR since they are already mitigated for the user.
  If you don't want to enable the mitigation process in the workflow, you have to do it and record the evidences manually.
  Hope this answers.
  Regards,
  Raghu