Mitigation controls - mitigating reports

Similar Messages

• RAR 5.3 SP8 - Invalid Mitigating Controls Report Issue

  Hello,
  When I view the Invalid Mit Controls Report, and I click the "Click to Change" button, it brings me to blank mitigating controls screen with an error at the bottom of the screen that reads "Category should be U, R, P, H or O"
  Has anyone seen this before? The log shows nothing when I look to it to view more info about the error...
  Any troubleshooting tips or is this something I need to bring up with SAP?
  Thanks!
  Jes

  yep

• Role level mitigating controls not affecting position level reports

  Hi,
  Here's the problem we're having with mitigating controls:
  When I assign a mitigating control to a role, it correctly mitigates the risk when we perform a role level SoD analysis.  However, when we perform a position level analysis, the same role shows up again in the report as not mitigated.  Anyone else running into this issue?  We are on CC5.2 with SP4.  Is this fixed in later SPs?
  Simple Example:
  Role ABC has conflicting tcodes FBV0 and FBVB.  We applied a mitigating control to this role and it doesn't show up anymore on the role level reports.
  When running the position level SoD analysis, position number 50010000 contains role ABC and the same conflict shows up again even though the conflict is entirely within Role ABC and not with other roles that are in position 50010000.
  Thanks,
  Robert

  All,
  I opened a customer message with SAP and it seems that this issue is a limitation with CC 5.2  Mitigating at the role level will will not follow through to the position level reports.  However, it seems that it will follow through to the user level as long as you have configured it under the Configuration->Additional Options tab.  There is a setting there that will allow rule level mitigating controls to take affect at the user level.
  Thanks,
  Robert

• Report Tab in Mitigation Control

  Dear Experts,
  Can anyone explain me the purpose/usage of Report Tab in Mitigration Control. I have browsed the forum but could not understand the actual need of this tab as I found different answers.
  Thanks,
  Raj

  HI Raj,
  Access Controls is used as a documental tool for Mitigating Controls, rather than a implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system etc.
  Access Control allows you to document such reports against the Mitigation Control, so this is the purpose of the tab. Given that GRC 10.0 integrates AC and PC, Mitigating Controls is master data that is shared amongst the different GRC modules, so I get the feeling Process Controls might utilize the "Report" data and check if the reports are being monitored by the control monitor/s at the scheduled frequency etc.

• Report tab in mitigating control - RAR 5.3

  While creating mitigating control there are 3 tabs - Associated risks / Monitors / Reports. What is the use of reports tab ?
  The control is working even with populating the report tab.

  If you have a report that you want mitigation monitors to run in order to perform the control activities you can put it in there.
  The alert functionality will then allow you to report on monitors that did not run that report in the specified period.
  Frank.

• Reports in Mitigation Controls RAR

  HI,
  Does anyone know what are reports in the mitigation control setup? Reports are transactions or just reflects numbered activities that the monitor must realize?
  Kind regards,
  RCL.

  Hi RCL
  If you are using any SAP report as a mitigating control you can give its name  there. In addition in the Frequency field you can give the frequency at which the report should be executed. and if that report is not executed at the stated frequency RAR can send an alert to the montior of Mitigating control
  Parveen

• Detect obsolete mitigating control assignments?

  Hello,
  What report/s would you use to detect obsolete mitigating control assignments?
  The scenario is: A user has been assigned a mitigating control, let's say during the CUP workflow, to mitigate a certain risk that came with a certain role. Later, that role is removed from the user. Now the user is in the scope of a mitigating control. However, the user is not even subject to the risk in question anymore.
  Which way (periodically?) could you detect these cases and clean up the mitigating control assignments?
  Thanks and regards
  Patrick

  Hey,
  My experience of cleaning up controls has not been very straight forward.
  I have had to perform various risk analysis reports and look up a list of user accounts that have been marked as "Expired" etc.
  It can be slightly more difficult  if, like many organisations, you decide to assign a control with a infinite validity period (i.e. 12.12.9999).
  The Business and Internal Control team need to be very proactive about regularly monitoring the controls and reviewing the assignments. This is one reason why I strongly recommend that controls are only assigned for a set period (i.e. 365 days/1 year), so a compulsory review takes place by the control owners/business on a regular basis. This makes the controls much more affective, robust and fit for purpose.
  Happy to hear other's opinions and ideas.

• Workaround for non-SAP mitigating control reminders

  Dear all,
  Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
  Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
  Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
  Have you come up with any feasible workarounds for this?
  My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
  Cheers and best regards
  Patrick

  Hello,
  Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
  Regards,
  Jérôme.

• Query on Mitigation Control

  Hi all,
  We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
  a) When we run the SoD anlaysis for that particular user we could able to see only half description of the Mitigation Control.
  Is there any limitation for the space or the parameters for the Mitigation Control Description.We are unable to see the entire description of the Mitigation Control (If the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet also we are getting only the part of the mitigation control and not the entire description of the mitigation control
  b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario,we have assigned 2-3 mitigation controls to one Mitigated user for mitigation. When we run SoD analysis we could able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned only the 3rd one assigned is being shown).
  But when we did a search for Mitigation controls with  the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
  Is there anything to do with the parameters set up or at the configuration side to resolve this.
  Please provide the procedure also in case of any changes to be made at configuration level.
  Thanks and Best Regards,
  Sri

  Hi Vit,
  Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
  Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
  Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
  Thanks and Best Regards,
  Sri

• Mitigation Control Description export

  Hi all,
  I am working on upgrade from Virsa to GRC 5.3 upgrade.
  I am trying to upload the mitigating controls into GRC-RAR after exporting from Virsa.
  I am not able to get the descriptions of the Mitigation control in complete on my export. Only the first line is getting exported.
  We have about 900 ! Controls in place.
  Is there a better way  to get all the lines in the description field when we export it out of Virsa.
  your suggestion will be helpful.
  Thanks
  Vidyar

  Hi,
  do you have a J2ee cluster running on your server??? if so, you have to set up the same url parametter for reporting, i the parameter area of AC.
  regards,
  Alejandro

• Validity period mitigating control

  Hi,
  I checked this forum but didn't find any helpful thread for my question. We are using GRC version 5.3. Is there any SAP report or tables available that would show history of mitigating controls per user? In running the Compliance Calibrator for a user, SOD issues were present that we didn't expect because we thought existing mitigating controls were applied and that we were  regularly monitoring this user for the associated risks. We thought that the problem might be that the validity period might have expired, but our corporate security group currently doesn't even show the mitigating control for the user. I wanted to look at the history of the mitigating control for the user to see if I could validate their claim.
  Thanks,
  John

  Hi,
  First of all, there's a special forum for GRC: "Governance, Risk and Compliance".
  Check under RAR-> configuration tab:
  Default expiration time for mitigating controls (in days) 
  When assigning a mitigating control to a risk, you must specify the validity period of the controlIf the End Date is left blank, the value in this option is used to calculate the end date of the validity period; the default value is 365 (days)
  Check also under CUP->configuration->mitigation.
  You'll be able to find the documentation for this configuration parameters in the corresponding Config Guide.
  Regarding Mitigation controls per user, I guess you can just check RAR -> Mitigation tab.
  Cheers,
  Diego.

• Risk Analysis and Remediation Mitigating Control Monitoring Alerts

  Hello,
  We have configured an alert for a Mitigating Control.  The Monitor must execute the report every day (report frequency = 1) or an alert email is sent to the Risk Owner.
  The Risk Owner recieves the Alert email and the Alert is logged on the Alerts tab only for the first two days after the report is not executed by the Monitor.  Is there a setting somewhere that controls why the alert is not generated after two days?
  thanks
  Tammi

  Correction.
  The email is only sent for 2 days.  The alert is logged on the Alert Monitor tab every day.

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• Table for mitigation control frequency

  Hi,
  We are trying to build a program to be able to send notifications to mitigation monitors. For this I am trying to find the tables where the relevant details of the mitigation controls are located.
  I need the following information from the tables:
  1. Mitigation ID - I have found this in HRP5354
  2. Mitigation Name - I have found this in HRP1000
  3. Mitigation Monitor - I have found this in HRT5320
  4. Tcode in Reports - I have found this in HRT5320 + GRACACTION
  5. Frequency - I have NOT found this.
  The #5 - frequency of the report action is something that I am still missing. Please help me with the info, also suggest if there is a better way to get this information. Thanks!!
  Thanks,
  Sammukh

  Hi Sammukh,
  you can find the frequency in table GRFNCNREPORT.
  In general you can easily find the tables with SE11 to check where the object is used.
  Hope this helps.
  Regards
  Alessandro

• GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

  Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
  Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
  Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
  Thanks,
  A.

  Hi Alley,
  It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
  We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
  Best Regards,
  Srihari.K