Mitigated Role Question

I have created a mitigating control for a role and added the specific Risk ID. If I run Risk Analysis on the role, it now shows up clean. But if I run Risk Analysis on the users that have the role, they still show the risk. Do I need to create the mitigating control for the role as well as each user that has the role?
Thank You,

Hi Ryan,
When you run the risk analysis on user level, did you select the option "Exclude mitigated risks"?
In addition, you have set the configuration parameter "Include Role/Profile Mitigating Controls in User Analysis"
to YES by going to Configuration -> Additional Options.
In the configuration -> Risk Analysis -> Default Values -> Exclude Mitigated Risks needs to be set to YES.
In addition put * after the risk (ex: F001*) in your mitigation control.
Hope this helps.
Best Regards,
Sirish Gullapalli.

Similar Messages

  • Inconsistency mitigated roles

    Hi,
    We're currently using GRC 5.3 RAR and I have an issue with mitigated roles. I've defined some mitigating controls and linked them to risks and roles.
    When I run the list of mitigated roles on the mitigation tab, I receive a list of the roles that were entered. However, if I run the Role analysis report on the Informer tab (Management View) no mitigated roles are shown. The mitigations are valid since 1-12-2010 (and one from 1-1-2010, just to check if that was the problem), and the report states that the last run was on 21-12-2010, so in my opinion there should be some mitigated roles visible in the second report. Am I missing something?
    Regards,
    Jesse

    Hi,
    Before running the Management report, just run the Batch Risk Analysis job, either Incremental or Full sync, and then perform the management job. I think this will sort the issue.
    Regards,
    Ravi.

  • Managed Roles Question

    I have just a basic question. If I have a role in the form of:
    cn=MDMS, ou=Industrial, dc=test, dc=com
    Does the organization Industrial have to exist somewhere in LDAP as a real ou?
    I am using the Java API and I need to associate the cn with an organizational unit, but I do not want to have
    someone physically managing these groups.
    And if this can be done, are there any drawbacks and/or gotchas that I need to be aware of?
    Thanks in advance...

    You can do this, there should be no gotchas.

  • Privilege and roles Question

    Hi All
    I ran these queries:
    SELECT GRANTEE, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
    WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
    GRANTEE    PRIVILEGE  GRANTABLE
    USER1      SELECT     NO
    USER1      INSERT     NO
    USER1      DELETE     NO
    USER1      UPDATE     NO
    USER_ROLE  SELECT     YES
    USER_ROLE  INSERT     YES
    USER_ROLE  DELETE     YES
    USER_ROLE  UPDATE     YES
    SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
    TYP   GRANTEE  GRANTED_ROLE  ADMIN_OPTION
    ROLE  USER1    CONNECT       NO
    ROLE  USER1    RESOURCE      NO
    ROLE  USER1    USER_ROLE     NO
    My question is: since USER1 is granted the role USER_ROLE, will it cause a conflict with the table privilege?
    Because I can't perform an insert when I'm using USER1. It gives me an error of ORA-01031: insufficient privileges SQL source: ..

    Since you did not mention how you are performing the Inserts/DML's on the TABLE1, and you are facing privilege issues, I presume you are performing it from a PL/SQL block. However, the privileges acquired via a role are not valid in a Function/Procedure. You need to have explicit privileges to perform an action in a Function/Procedure.
    Even without the privilege, you would be able to perform the Inserts/DML's as in static SQL statements that are not contained in PL/SQL blocks.
    Try:
    grant insert on table1 to user1;
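
The behaviour described in the answer above, as an added example that is not part of the original thread: privileges received through a role are not in effect inside a definer's-rights stored procedure, and `SET ROLE NONE` shows from plain SQL which privileges are direct. TABLE1, USER1 and USER_ROLE are taken from the question; the schema APP_OWNER, the ID column and the procedure names are assumptions, and the sketch assumes USER1 holds INSERT on the table only through USER_ROLE.

```sql
-- Added illustration for Oracle SQL*Plus, run while connected as USER1.
-- APP_OWNER, the ID column and both procedure names are hypothetical.

-- 1. Which roles are enabled in this session?
SELECT role FROM session_roles;

-- 2. Object privileges granted directly to the current user ...
SELECT privilege
  FROM user_tab_privs
 WHERE table_name = 'TABLE1'
   AND grantee = USER;

--    ... versus privileges that arrive only through a role.
SELECT role, privilege
  FROM role_tab_privs
 WHERE table_name = 'TABLE1';

-- 3. Plain SQL with the role enabled: the insert succeeds.
INSERT INTO app_owner.table1 (id) VALUES (1);
ROLLBACK;

-- 4. Disable every role to reproduce what a definer's-rights procedure sees.
--    The same insert is now rejected, which proves the privilege is role-based.
SET ROLE NONE;
INSERT INTO app_owner.table1 (id) VALUES (1);
SET ROLE ALL;

-- 5. Definer's rights (the default for stored procedures): roles are ignored.
--    Dynamic SQL is used so the procedure compiles and the failure is seen
--    at run time; with static SQL the procedure would not compile at all.
CREATE OR REPLACE PROCEDURE add_row_definer AUTHID DEFINER AS
BEGIN
  EXECUTE IMMEDIATE 'INSERT INTO app_owner.table1 (id) VALUES (1)';
END;
/
-- Expected to fail for lack of privileges:
EXEC add_row_definer

-- 6. Invoker's rights: the caller's enabled roles apply at run time,
--    so the same statement succeeds when USER1 calls it directly.
CREATE OR REPLACE PROCEDURE add_row_invoker AUTHID CURRENT_USER AS
BEGIN
  EXECUTE IMMEDIATE 'INSERT INTO app_owner.table1 (id) VALUES (1)';
END;
/
EXEC add_row_invoker
ROLLBACK;

-- 7. The remedy proposed in the answer, run by the table owner or a DBA:
--    a direct grant, which is visible inside definer's-rights code.
GRANT INSERT ON app_owner.table1 TO user1;
```

Step 4 is the quickest audit check: any statement that works normally but fails after `SET ROLE NONE` depends on a role and will not work from a definer's-rights procedure, function or package.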

  • Certificate Authority CA Role question

    Well I haven't asked a question on here in quite some time.
    Does anyone know if I can export my CA role and cert from the first primary server's ZEN internal CA store and import them on another primary for redundant internal ZEN CA servers?
    Not sure if this is supported or even works in case one bites the dust.
    Thanks in advance

    No, you can't have "redundant".
    But the CA server is only needed when Generating Certs such as when building a new Primary or configuring an Auth Satellite.
    I've seen folks lose their CA server and not know it for a year or more :)
    Simply make sure you have followed the steps for backing up your CA, and if you ever lose your CA server permanently, you can use those files to install the CA service on another server.

  • Role Question

    The SCOTT user has been granted the CONNECT and RESOURCE roles only.
    The database administrator (DBA) grants MGR_ROLE to the SCOTT user by using this command:
    SQL> GRANT MGR_ROLE TO SCOTT WITH ADMIN OPTION;
    Which statement is true about the SCOTT user after he is granted this role?
    A: The SCOTT user can grant the MGR_ROLE role and the privileges in it to other users.
    B: The SCOTT user can grant the privileges in the MGR_ROLE role to other users but not
    with ADMIN_OPTION.
    C: The SCOTT user can grant only the MGR_ROLE role to other users but not the privileges
    in it.
    D: The SCOTT user can grant the privileges in the MGR_ROLE role to other users but cannot
    revoke privileges from them.
    What is the true answer, and why?
    Thanks in advance

    SYS@orcl > create role mgr_role;
    Role created.
    SYS@orcl > grant create any view to mgr_role;
    Grant succeeded.
    SYS@orcl > grant mgr_role to scott with admin option;
    Grant succeeded.
    SYS@orcl > connect scott/tiger
    Connected.
    SCOTT@orcl > grant create any view to mike;
    grant create any view to mike
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SQL> grant mgr_role to mike;
    Grant succeeded.
    (C) The SCOTT user can grant only the MGR_ROLE role to other users but not the privileges in it. (if this means that Scott cannot grant the individual privileges)
    Enrique
    Edited by: Enrique Orbegozo on Dec 18, 2008 7:40 PM

  • "SUIM User Users by Complex Selection Criteria by Role" question

    Hi all,
    Suppose the situation is:
    Composite role ZCR contains single role ZSR (profile T-001) . Composite role ZCR assigned to below two users with different expire date (both users are not locked and not expire):
    UserA - 01.01.2013
    UserB - 01.01.2024
    (Case 1) SUIM -> User -> Users by Complex Selection Criteria -> by Role (either specify ZCR or ZSR) the result is:
    UserA
    UserB
    (Case 2) SUIM -> User -> Users by Complex Selection Criteria -> by Profiles (T-001) the result is:
    UserB
    Does SUIM have an error or some other assumption in Case 1? I expected the result to be UserB only.
    I knew there is the program PRGN_COMPRESS_TIMES to remove assignments which have already expired and all the related tables. Please let me know if the result in Case 1 is SAP standard or can be fixed by OSS notes. Thanks.
    Regards,
    Donald

    Hi Donald,
    If the user has a role whose validity has expired in his user master (SU01), then the expired role can be seen under the 'Role' tab in SU01 with its 'Valid to' date, but the role-relevant profile will be removed from the user at the time of the role expiration date.
    So when you search for users based on roles (Case 1), SUIM lists all users who are assigned to that particular role, irrespective of expired role assignments. So in Case 1, please follow the steps below for accurate results.
    1.  (Case 1) SUIM -> User -> Users by Complex Selection Criteria -> by Role (either specify ZCR or ZSR) the result is:
    UserA
    UserB
    2. Then select all users in SUIM output (UserA & UserB), and click on 'In Accordance with Selection' button. So that you can see the users and the (ZCR) ZSR role 'Valid to' (End Date) date for each user.
    By doing second step here, you will get the accurate results. This is how the SUIM works.
    Thanks
    Sridhar
    >point begging removed by Moderator - last warning!<

  • BEx Roles question

    /thread/750293 [original link is broken]
    Edited by: sam on Feb 20, 2008 4:18 PM

    Hello Sam,
    You have to create Roles in PFCG and assign appropriate reports authorization to the roles. For example you can create roles for End User , Power User etc.
    Once this is done, then assign the user to the Roles.
    For more details
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    [Authorizations in a SAP Business Information Warehouse Project|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be]
    [SAP NetWeaver 2004s BI Authorizations for Reporting - Webinar Powerpoint|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a6c54319-0e01-0010-20a4-fb81ad32f330]
    [Authorizations in a SAP Business Information Warehouse Project|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b014a2fa-fc1c-2a10-6ab2-e8e288de0e08]
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    Hope it helps
    Thanks
    Chandran

  • ACE Role question

    Just a clarification about ACE roles. Why does the predefined "Admin" role have any rules beyond:
    1. Permit Create all
    Why are the other 3 rules necessary?
    2. Permit Create user access
    3. Permit Create system
    4. Permit Create changeto
    thanks,
    marty

    The ACE provides role-based access control (RBAC), which is a mechanism that determines the commands and resources available to each user. A role defines a set of permissions for accessing the objects and resources in a context and the actions you can perform on them.

  • Platform Role Question.

    I've got a Dell Windows 8.1 tablet which seems to be suffering something of an identity crisis.
    It's showing its Platform Role as Mobile rather than Slate so some features aren't working properly. So far I've not been able to find a way to override this setting and manually set it to Slate.
    Anybody got any idea how or even if this is possible?
    Thanks
    Steve

    Hi Steve,
    According to your description, I suggest you ask your IT admin for help to see if there is any restriction for tablet.
    In addition, what's the box for inputting the Server name? What function did you want to achieve?
    Karen Hu
    TechNet Community Support

  • User admin role questions

    Does one really have to individually give User Admin status to each user
    in order for them to be able to change their own data? I was not able to
    select a group to assign to the role.
    Also, having assigned users to this role, can they then modify any
    other user's info? (This seems to be implied by the docs.)
    Tia,
    Ken
    Ken McLeod
    The Delphian School
    http://www.delphian.org

    Ken,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com/ to search the knowledgebase and check the other support options available on that page under "Self Support" and "Support Programs".
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Sync Role questions

    Hi, in an iPlanet cluster what is the difference between a sync alternate
    and a sync local other than the fact that sync alternates can be promoted
    while sync locals cannot?
    According to iPlanet documentation, sync alternates and sync locals behave
    similarly aside from sync alternates' ability to be promoted. So why would
    you ever have sync locals in your cluster and not just have all sync
    alternates?
    Also, if you have multiple sync backups, do they both sync with the sync
    primary or just the higher priority one? Again, if only the higher priority
    one syncs with the sync primary, what is the difference between having two
    sync backups with a sync alternate versus one sync backup with two sync
    alternates?
    Thanks,
    Linc

    > Hi, in an iPlanet cluster what is the difference between a sync alternate
    > and a sync local other than the fact that sync alternates can be promoted
    > while sync locals cannot?
    This is the only difference.
    > According to iPlanet documentation, sync alternates and sync locals behave
    > similarly aside from sync alternates' ability to be promoted. So why would
    > you ever have sync locals in your cluster and not just have all sync
    > alternates?
    Generally, you wouldn't ever designate a machine as a SyncLocal. The only case
    where you might is if you had one machine in the cluster that was so
    underpowered that it couldn't handle the load of being a DSYNC server.
    > Also, if you have multiple sync backups, do they both sync with the sync
    > primary or just the higher priority one?
    They both sync with the primary.
    > Again, if only the higher priority
    > one syncs with the sync primary, what is the difference between having two
    > sync backups with a sync alternate versus one sync backup with two sync
    > alternates?
    Having two sync backups would double the overhead of maintaining backups.
    Having two sync backups is not generally recommended, since it is only an
    advantage if you have two Primary failures before the new Primary can create a
    new backup.

  • GRC AC RAR: Comprehension question Mitigating Controls

    Hello all,
    I have a small comprehension question regarding Mitigating Controls.
    Situation:
    We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
    What has been done:
    1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
    2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
    3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
    4. Within the Mitigating Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
    What I want to achieve:
    - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
    - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
    Can I achieve that by using tab "Reports" within the Mitigating Control ?
    If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
    Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
    Regards,
    Benjamin

    Hi Jwalant,
    Sorry for my late reply, but I have waited for a few weeks to be sure whether the way you described works or not.
    - The background job gets executed once a week and finishes without any error.
    - The only thing that doesn't work is that the userID that I maintained in column "monitor" and for which I defined a mitigation control which has to be executed every 2 weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
    Log of background job execution:
    INFO: -
    Scheduling Job =>16----
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
    INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Running
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Alert Generation Started @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Conflict Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Critical Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
         at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
         at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
    here it keeps ranting on for pages about Null Pointer Exceptions
    I'll just leave that part out
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  -
    No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
    INFO: Start AlertStats.............
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@=== Alert Generation Completed Successfully!===@@@
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Complete
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    0@@Msg is Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=0, message=Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>16----
    - Another thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
    It always adds entries like:
    581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
    582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
    Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
    Or is this an indicator that the authorization roles I mitigated have been used again ?
    Regards,
    Benjamin

  • Mitigation not showing in Risk Analysis

    I have mitigated a role and can see the mitigation on the Mitigation tab under Mitigated Roles. I wanted to run a Risk Analysis on the role to make sure the mitigation is in my reports, and they are not showing.
    I have checked my settings on the configuration tab under "Risk Analysis" on "Exclude Mitigated Risk" and it's set to "No". I run my reports in the Informer tab > Risk Analysis > Role Analysis and the Report Type is at the permission level and under "More Options" the "Ignore Mitigation" is set to "No".
    I have rerun my "sync" jobs and management reports in the order they should be run and they are still not showing up. The mitigation is not showing up in my management reports either. I am on SP9.
    Is there anything else I'm missing?

    I answered my own question on this.

  • Need help in Mitigation...

    Hi, I have CC 5.2 connected to a single system and am using the GLOBAL ruleset.
    In the backend I have created a role Z:CONFLICTING_ROLE and assigned it to user ERIC.
    Now there are two risks in the role, F030 and S027. I have created two mitigating controls for them and have mitigated the risks at role level.
    When I run the report on the user ERIC, it should show there as mitigated as well, but there is nothing in mitigation.
    I was under the impression that once roles are mitigated, users will be mitigated also. What is wrong here?
    The option under Configuration:
    Risk Analysis -> Add Options -> Include Role/Profile Mitigating Controls in User Analysis
    is set to yes.
    Please help me to resolve this issue.
    regds
    navdeep
    Edited by: navdeep pathania on Aug 25, 2008 11:02 PM

    navdeep,
    I was rather talking about the PFUD in the back-end system.
    But okay, if the sync with GRC is not working in the first place, then this issue should be addressed as well. However, that goes beyond this particular post, "Need help in Mitigation".
    In an attempt to help you: is your diamond-shaped adapter green? Are you using the correct model in the JCO in terms of your release of backend system? Did you do a full sync or incremental?
    For sure, this is your issue why the users are not mitigated through their assigned mitigated roles.
    Success,
    sam
