Mitigating Control creation and application in SAP GRC 10

Similar Messages

• BC SETS creation and usage for sap mm  point of view

  Hi All,
  Need Information About  BC SETS  creation and usage from sap mm point of view.
  Thanks in advance for sap mm forum guys.
  Regards.
  Parameshwar.

  Hi,
  Customizing settings can be collected by processes into Business Configuration Sets (BC Sets). BC Sets make Customizing more transparent by documenting and analyzing the Customizing settings. They can also be used for a group rollout, where the customizing settings are bundled by the group headquarters and passed on in a structured way to its subsidiaries.
  BC Sets are provided by SAP for selected industry sectors, and customers can also create their own.
  When a BC Set is created, values and combinations of values are copied from the original Customizing tables into the BC Set and can be copied into in the tables, views and view clusters in the customer system. The BC Sets are always transported into the customer system in which Customizing is performed.
  Advantages of using BC Sets:
  1.     Efficient group rollout.
  2.     Industry sector systems are easier to create and maintain.
  3.     Customizing can be performed at a business level.
  4.     Change Management is quicker and safer.
  5.     Upgrade is simpler.
  To create BC sets follow the below step:
  Choose Tools ® Customizing ® Business Configuration Sets® Maintenance in the SAP
  menu, or enter the transaction code SCPR3 in the command field.
  Choose Bus.Conf.Set ® Create.

• Mitigation control: Sending failed No valid SAP sender address

  GRC 5.3 SP10 RAR
  In mitigation control:  I have created a new control ID. When I am trying to assign it to a user getting error
  "Sending failed No valid SAP sender address"
  Please advise to resolve the issue. I need to mitigate user.

  Hello Pal,
  Please go to RAR configuration -> Risk Analysis -> Additional Options. Here check if you have the parameter Enable Monitor Notification set to YES. If you do then set this one to NO. Also, kindly check and make sure that you have a valid email address maintained for each of the mitigation control monitor in Mitigation tab.
  If you wish to have the parameter set to yes only then you need to do the JAVA mail settings in Visual Admin. Check configuration of the JAVA mail client, which can be done using Visual Administrator, to send the Email Notification.
  (Configuration > Java Mail Client > Properties > Smtp).
  Regards, Varun
  Edited by: Thakur Varun on May 21, 2010 3:47 PM

• Bringing mitigating controls from PC to AC in GRC 10.0

  Hi ,
  I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
  my client is asking me to copy all the mitigating controls from PC to AC.
  Is this possible ? if yes, What will be the process ?
  Thank you.

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• MITIGATION CONTROL CREATION

  Hi
       I am Rakesh, my question is  while creating a mitigation
  control, in the reports tab there is a field called action.what is
  this action and what is the use of it?
  thanks in advance for the reply

  I think this field was meant as a reference as to what report/transaction you run to mitigate the risk. Based on this and the frequence you put in, the system could check if the monitor actually ran the transactions required for performing the mitigating control.
  But, as Amol is saying, this is free text, and you can put whatever you want in there - however, if you put a transaction code (action in GRC speak) it will look up the tranaction text
  Note that this is based purely on what I think I remember, so don't go selling this as a feature
  /henrik

• EP7 Sizing :db Instance and application servers SAPS splitting

  Hello,
  We are about to install a SAP EP7 EHPA in High Availability Mode.
  Database : Oracle 10.2 on HP-UX.
  The sizing has been performed, we require 10000 SAPS.
  We will perform a distributed installation on several servers :
  DBInstance on a dedicated physical host, and Applications servers on other machines.
  Therefore we still have to decide how the required 10000 SAPS should be splitted between DB host
  and the others hosts. For example : 30 % DB and 70 % Others
  I'm aware that it is specific to the EP usage but I just want to have an overall idea
  I tried to find that kind of information on SAP benchmark, or HP websites but didn't find anything.
  Any help on this question will be apreciated.
  Regards.
  Raoul

  Hi Raoul,
  you are absolutely right - it depends on how you use EP. If you expect a lot of data in your database you will need to use a higher percentage. Maybe you should also think about the data source configuration for user management you'd like to use. This can contain a lot of data if you use database only with a lot of roles, groups and users. Another point would be how you like to archive log files. The portal may produce a lot of log files - depending on your settings and on the activity at the portal. If you like to archive them for a very long time you will need a lot of space. Another thing is portal activity report for example. It generates a lot of data in the database for weekly, monthly and daily aggregation when there is a lot of activity in the portal. Maybe this helps you to decide...
  Cheers,
  Anja

• Extracting Service Ports (ITS) and Application Server (SAP)

  Hi,
  Can any one pls do let me know how i can extract the information of the port number of Service (AGate) "sapavw00" and ITS Manager "sapavwmm" , Without goijg to the Service file under root/windows/system32/drivers/etc.
  I want to extract these information from SAP system only using some T-code.
  how can i do that??  and if i know the name of the application server of system running on remote host, how can i get its IP address?? say for example name is "I90external"
  Abhishek

  Hi,
  pl be aware of the fact that SAP system is running on the Remote Machine. I have ITS Installes with a Instance name I62 on my mchine. i installed the Wgate part on my machine (i.e. dual host) not the Agate as SAP system is running on the remote host.
  Now I want to use IACOR Admin Tool. the service is already running and there are no entry in the connection of the IACOR Admin, so i want to create a new one.
  on pressing new button. i entered the ITS instance name I62 (which i prepared as Wgate part) and the Web server (hosting Wgate).
  my confusion is that what should i fill up in these values.................
  ITS (AGate)=
  R/3 Name=
  Group?
  Message Server=
  I know the Name of Application server i.e. I62production, System ID i.e. I62, System Number i.e. 09
  the question is from where i should extract the value of  R/3 Name??? and Message Server of the SAP system running on the Remote Host.
  Abhishek

• Dimension and Application limitations SAP BPC and Backend BIW

  Hi All,
  Please let me know what is the maximum limitations:
  1. Dimensions in an application and its backend support in BIW
  2. MaxApplication in Application Set.
  Thanks & Regards,
  Kashvi

  Hi,
  Technically the maximum  possible number of dimensions in BPC NW applicaiton is 3224.
  /people/pravin.datar/blog/2008/10/28/the-conundrum-of-time-dimension
  As no one can practically create these many dimensions in an application. If you have 13 n , the performance can be optimized because then each  BPC dimension is line item dimension by default as this happens automatically.
  Thanks.

• Mitigation in SAP GRC AC

  Hi all,
  Two questions regarding mitigation in SAP GRC AC:
  1)
  Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
  2)
  If WF  is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
  Thanks in advance. Best regards,
    Imanol

  Hi Imanol,
     Here is my response:
  1) Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
  You need to go to Alert Generation -> Select Generate Alert log, Control Monitoring under Action Monitoring and Alert notification.
  2) If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
  Yes, that is correct.
  Regards,
  Alpesh

• Mass maintenance of Mitigation controls in GRC 10.0

  Dear All,
  How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• Process control inheritence to child org units - GRC 10.0

  Hi All,
  We created few process controls in Parent Org Unit - X. We assigned mitigation control ID and access risks to these controls along with control owners. These process controls are being used as Standard Global Controls
  We created another Child Org Unit - Y and copied the sub-process and then selected only 1 or 2 controls which are applicable to the Child Org Unit. This will allow us to use few Global controls and create local controls if required.
  Now the issue we observed that the Child Org Unit does not carry the Mit. Ctrl ID & Access Risks & Owners from the same control of Parent Org Unit. When we tried to provide the same Mit. Ctrl ID it is stating Mit. Ctrl is not UNIQUE.
  Our requirement is we would like to have the same Mit. Ctrl ID for Global Controls both at Parent & Child Org Unit and different Mit. ID for local controls at Child org unit. This will be easy to identify controls which are from Global & Local for testing and other reporting purposes.
  We understood that since we are copying the sub-process to Child Unit it is taking only Process control details, not the access control information as it is provided in Org Unit
  Can somebody please guide how to acheive the above requirement. How to inherit all the controls from Parent to Child Org unit reflecting Mit. Ctrl ID, Access Risks and Owners
  We are on PC 10.0 - SP07
  Thanks and Best Regards,
  Srihari.K

  Hi Sabita,
    Did you check this article on Content Life Cycle Mngt supports all SAP GRC products. Check the link for detailed article and I hope this would be right direction for your company to go.
  http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/e0431d8f-2298-2e10-5fb0-87840e285f4c
  warm regards,
  Asok Christian

• Implementing Mitigation Control IDs

  Hi,
  We are planning to implement mitigation control ids in GRC. Currently we are only having 1 mitigation control id and all the users are mitigated into this id.
  Now, the plan is to include the mitigation control advise/comments by the SOD approvers into the GRC and thus by introducing multiple mitigation control id we could achieve this.
  In our system users are mapped as per the Business Unit and we have around 25-30 business units. so each BU is have a seprate mitigation control approval (SOD Approver).
  We have around 150 Risk IDs.
  We are not able to understand how to design mitigation control IDs in such case? Is it a best practice to create mitigation control ID for each Risk ID in the system (May be we can group similar Risk IDs)? Your help is appreciated.
  Thanks,
  Umesh

  Hi Umesh,
  No, for 1 Mitigation COntrol there are serveral Monitors and users who are mitigated are added to only 1 mitigation control id.
  Which means you have multiple people monitoring every risk in your system. Does all of the monitors belong to the same functional group?? If yes, what happens if there is a risk in other functional groups? How they can identify and monitor it??
  If no, why a FI functional group monitor, needs to monitor the risk related to other groups?
  Can you pls explain more on primary and secondary functions?
  If the risk is related to one functional area only, the respective functional area will own it. If it is a cross functional risk, then it will be owned by both the functional area managers, which is often referred as primary and secondary functions.
    and what are the disadvantage of creating 1 mitigation control id for each risk (may be grouping some risks) considering the fact that we have 25 business units.
  It is just like giving 1 coke with 100 straws while you still have a stock in your refrigerator
  Regards,
  Raghu

• How to get Install number, system number, Hardware key and Application

  Hi Experts,
  I want to fetch the  Install number, system number, Hardware key and Application of sap b1. these values are shown in about menu of SAP B1. where these values are stored like in registry or server?
  Please help me out.
  Thanking you
  vishwajit kumar

  Hi
  Try this
  http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/508623e3-425c-2910-38be-cbe56e65930c
  Please check the samples(VS2005)  this will provide you all the informations required.
  Regards
  Arun

• SAP GRC AC10 Common Practices on Mitigation Control

  Hi all,
  Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
  We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
  And the mitigation controls should be owned by global organization or compliance department or local organization?
  Please help.
  Thx!

  Hi "GRC_SAP_AUDIT"
  I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
  You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
  With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
  Hope this helps. If you wish to add any further detail, im sure the forum members are happy to help.

• Workaround for non-SAP mitigating control reminders

  Dear all,
  Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
  Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
  Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
  Have you come up with any feasible workarounds for this?
  My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
  Cheers and best regards
  Patrick

  Hello,
  Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
  Regards,
  Jérôme.