Permission risks

Hi,
We would like to understand how the GRC system controls permission risks. We have 15 company codes and 90 business areas, and we have to identify the risk and deny user access for cross-company access.
For example:
A user belongs to company code XX00 and is assigned to some role (create purchase order), and requests access for company code AA00 for some role. During risk analysis in the CUP system for approval of the request, the system should deny access for such a combination.
Please suggest how we can control such an issue in GRC AC.
Regards


Similar Messages

  • GRC BO AC 10.0 Risk Analysis & Role management from SRM

    Hi Gurus,
    Does anyone know whether GRC AC 10.0 can analyze and manage (create/modify) SAP SRM (portal based) roles and users?
    Thank you,
    Luigi


  • GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

    Hi All,
    After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085, 3011 and 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM has a whole lot of new features which supersede RT.
    Best Regards,
    Vishal

    Hi Vishal,
    The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
    3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
    They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
    You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
    There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
    The parameter descriptions in question are:  
    1085 - Stop Role Generation if violations exist
    3011 - Conduct Risk Analysis before Role Generation
    3014 - Allow role generation with Permission Level violations
    Regards, Simon

  • Running Risk analysis at User Level(CC)

    Hi
    Please clear my query: what is the difference between running the risk analysis at user level with "Violation count by Risk" and with "Violation count by Permission"?
    With violation count by Permission, the total number of violations is 377,569.
    With violation count by Risk, the total number of violations is 11,716.
    Thanks & Regards

    Hi Karuna,
    When you perform risk analysis at user level you can choose the violation count by Permission or by Risk. Here are the details of each analysis:
    1. Violation Count by Risk
    This analysis displays the count of SOD risks associated with the users in each business process, such as FI, HR, MM, PR, SD.
    It is displayed as a bar graph or pie chart. If you choose one of the business processes and drill down to a particular SOD risk, e.g. P001, you can display how many users have that risk.
    2. Violation Count by Permission
    This analysis displays the count of SOD violations at the action/permission level associated with the users in each business process.
    If you choose the conflicting functions inside each SOD risk and then expand the Permission tab, you will understand why it shows such a huge number of violations.
    In the Risk Information screen, under Conflicting Functions, click the "AP02 - Process Vendor Invoices" link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to process vendor invoices and another 185 authorization object values, all of which come preconfigured out of the box.
    Choose the Permission tab. Expand action F-42. Open an authorization object to show the field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
    Hope this will help you understand better.
    Regards,
    Kiran Kandepalli.

  • GRC 5.3: CUP risk analysis VS. RAR risk analysis

    I've installed and configured RAR and CUP.  When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts.  When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged.  Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

    >
    Frank Koehntopp wrote:
    > I guess the behaviour is on purpose.
    >
    > In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
    >
    > In CUP, you do want to see any kind of risk that might arise from a role assignment to a user.
    >
    > I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???
    Hi Frank,
    I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) than Permission Level Risks Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigates appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
    I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimately simulate whether adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
    Let me know if I need to clarify further.

  • AC 5.3 RAR and Organizational rules

    Hi all,
    we are implementing risks based on organizational rules. It is not clear to me how the system manages actions that do not have authorization objects activated (at permission level) or have an authorization object activated but without organizational fields.
    In other words: I have a SOD risk containing the function called FN99. In this function there are the actions TCD01 and TCD02. For TCD01 there is no permission linked and active (just the tcode); for TCD02 there is only the authorization object M_BEST_BSA. So, this function does not have any authorization objects with organizational fields (BUKRS, WERKS and so on).
    If we use the RAR organizational rules, are the two actions TCD01 and TCD02 handled, or are they not considered at all since they do not have organizational fields?
    Thanks in advance.
    Andrea Cavalleri

    Andrea,
    Within RAR you can run risk analysis either at transaction level or at permission level.
    Transaction level: only the S_TCODE || TCD authorization object will be checked.
    Permission level: S_TCODE and any other authorization object included within the SoD matrix will be checked.
    Risk analysis at organizational level is a further level of permission risk analysis, taking into account authorization objects that include ORG fields (BUKRS, EKORG, WERKS etc.) and verifying the specific values you have defined within the organizational rules.
    The goal of running risk analysis at organizational level is to eliminate false positives that might be detected when you run risk analysis at permission level without taking organizational authorizations into account.
    Under an organizational rule approach, you will be detecting conflicts ONLY if user U1 is able to execute transactions T1 and T2 (assuming this pair of transactions defines a conflict) within the same organizational level (for example the same company code).
    Please check the documents that have been pointed out in this post.
    Hope it helps. Regards,
       Imanol

  • Rule Upload : GRC10

    Hello Gurus,
    Would appreciate if anyone can let me know how to use the Upload SOD rules feature under SPRO>Access Control> Access Risk Analysis> SOD Rules> Upload SOD rules.
    Here I am asked to upload the files for Business Process, Function, Permission, Risk etc. but not sure where can I get the format for these files? I need to append few new functions and their corresponding risks into an existing ruleset.
    Many thanks in advance.

    Hello Vikas,
    Thanks, I have dropped you a mail for the files. Though I am not very sure I need them, or whether I should directly use the export functionality of my existing SAP GRC 5.3 ruleset.
    We have decided not to go for the Global Ruleset but to use the custom one from GRC 5.3 (as we were using GRC 5.3 earlier) by importing it. Thus I have the following questions on the ruleset migration:
    1. How will I migrate the existing ruleset from 5.3 to the 10.0 Development box (using your files, or I guess there is already a functionality in 5.3 to export the ruleset)? Can you please tell me how to migrate this (which was actually my question)?
    2. How will I then be able to migrate the ruleset from the GRC 10.0 Development box to the GRC 10.0 Quality box?
    Thanks.

  • SAP GRC AC 5.3 integrated with BW

    Hi all,
    Has any one of you implemented the integration between SAP GRC AC 5.3 and BW and developed custom reports?
    Thanks in advance. Regards,
       Imanol

    Imanol,
    There is documentation available for the integration.  You can find that here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
    Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
    Pre-delivered queries:
    For RAR:
    Alert Detail Listing
    Alert Header Listing
    Critical Action Violations by User
    Critical Role Viols Analysis with Long Portal IDs
    Current User Permission Risk-Perm Violation Analysis Breakdowns
    Current User Permission Risk Violation Analysis Breakdowns
    Management Summary Total Listing
    Mitigated Users Analysis
    Risk Long Descriptions
    Risk-Rule Set Relationship Listing
    Role Permission Risk Violation Analysis
    Role (Portals) Permission Risk Violation Analysis
    Supplementary Rule Detail Listing
    Supplementary Rule Header Listing
    User Permission Risk Violation with Functions
    User Permission Risk Violation with Remediation by User
    User Permission Risk Violation with Remediation by User (Top 10)
    User Permission Violation with Remediation by Risk
    User Permission Violation with Remediation by Risk (Top 10)
    For CUP:
    Access Requests
    Risk Violations
    Role Provisioning
    Service Levels
    SOD Review
    User Access Review
    User Provisioning
    Thanks!
    Ankur
    SAP GRC RIG

  • CUP 5.3 SP09 Riskanalysis

    Hi together,
    If we run the risk analysis in CUP at a stage, we receive all risks for the user.
    But I have a question: why is the responsible role shown for one risk and not for another?
    E.g.:
    A role "XY" is a critical role by itself (risk1). The role "Z" isn't, but in combination with the role "J" there is an SoD (risk2).
    In the tab "Risks for Mitigation" the information for risk1 and risk2 is shown.
    For risk2 the responsible roles regarding the SoD are also shown.
    For risk1, caused by the critical role "XY", the role is not shown in the overview.
    Has anybody an idea?
    Thanks a lot.
    Alexa

    Hi Alexa,
    you actually answered it in your question: a critical role is in fact NOT a risk, so it can't be mitigated.
    If you want to achieve that, you need to put the critical role's critical stuff into a function and create a critical action/permission risk, which could then be mitigated.
    Frank.

  • RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

    I have a problem related to risk analysis at permission level, when V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear; however, performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
    At first I thought that it would most probably be related to the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logic activated in document types, but when I searched for the rules generated for these risks I noticed that only 34,000 rules were generated and this does not exceed the limit of 45,566 rules defined in RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is "no conflicts":
    D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
    If this line is disabled, then several users with conflicts are reported. As mentioned above, these users have value '*' for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
    I have done the following checks, all of them correct:
    - The user/role/profile synchronization has been done and all the users have been stored in table VIRSA_CC_
    - All the lines in the VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
    - All the combinations of rules have been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
    Any suggestions?
    Thanks in advance

    I've detected the same problem for the following authorization objects:
    - F_BKPF_BLA||BRGRU
    - V_VBRK_FKA||FKART
    - M_MSEG_BWE||WERKS
    RAR reports no conflicts (at authorization level) when these objects are activated (of course having users with these conflicts in back-end systems).
    This problem has been seen in installations of different customers with SAP GRC Access Control 5.3 SP12.
    Has anybody else experienced this issue?

  • Any document explaining Risks involved in assigning "Delegation Permission" to a computer for Kerberos Authentication

    Need SSO on CRM 2013. As per the documents, assigning the delegation permission for Kerberos authentication is mandatory to achieve SSO in CRM 2013.
    Before doing that, I need to evaluate the risks of doing so. Any help or document on this would be helpful.
    Devesh

    Hi Devesh,
    “The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
    Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
    Quoted from this article below:
    Using Kerberos for SharePoint Authentication
    http://technet.microsoft.com/en-us/magazine/ee914605.aspx
    From my point of view, as long as the intermediary account can be trusted, then it is safe.
    Best Regards,
    Amy
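    The checkbox quoted in the reply above, "Trust this user/computer for delegation to any service (Kerberos)", is unconstrained delegation. It sets the TRUSTED_FOR_DELEGATION bit in the account's userAccountControl attribute; Windows clients then hand that service a forwardable TGT when they authenticate to it, and whoever controls the service account can use that TGT against any other service as that user, unless the user is marked "Account is sensitive and cannot be delegated" or is a member of Protected Users. The narrower option, "Trust this computer for delegation to specified services only", populates msDS-AllowedToDelegateTo and limits delegation to the listed SPNs, which is the setting to prefer when the intermediary only needs to reach a known set of back-end services. The script below is an added example, not from the post or the TechNet article: it classifies accounts by those attributes over constructed records (account names, SPNs and the corp.example domain are invented) and lists the ones a reviewer should check before accepting the setting.

```python
"""Classify the Kerberos delegation configured on Active Directory accounts
from their userAccountControl bits and msDS-AllowedToDelegateTo attribute.

Added example for this page, not from the post or the quoted TechNet article.
The records are constructed; in a real review they would come from an LDAP
query of the domain. The flag values are the documented userAccountControl
bits. Resource-based constrained delegation (msDS-AllowedToActOnBehalfOf
OtherIdentity on the target) is not covered here.
"""

UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
UF_DONT_EXPIRE_PASSWORD = 0x10000
# "Trust this user/computer for delegation to any service (Kerberos)"
UF_TRUSTED_FOR_DELEGATION = 0x80000
# "Account is sensitive and cannot be delegated"
UF_NOT_DELEGATED = 0x100000
# constrained delegation with "Use any authentication protocol"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# constructed sample records; attribute names as in AD, values invented
RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "CRMAPP01$", "userAccountControl": 0x81000,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-crm", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["HTTP/crm.corp.example"]},
    {"sAMAccountName": "da-admin", "userAccountControl": 0x100200,
     "msDS-AllowedToDelegateTo": []},
]


def classify(record):
    """Return the delegation mode of one account."""
    uac = int(record.get("userAccountControl", 0))
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        if uac & UF_SERVER_TRUST_ACCOUNT:
            return "unconstrained (domain controller, default)"
        return "unconstrained"
    if targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained, protocol transition"
        return "constrained, Kerberos only"
    return "none"


def is_protected(record):
    """True if the account cannot be delegated (NOT_DELEGATED bit). Protected
    Users membership has the same effect but is not modelled here."""
    return bool(int(record.get("userAccountControl", 0)) & UF_NOT_DELEGATED)


def review(records):
    """Accounts a reviewer should look at first, with the reason: any
    unconstrained delegation outside domain controllers, and constrained
    delegation that allows protocol transition."""
    findings = []
    for r in records:
        mode = classify(r)
        if mode == "unconstrained":
            findings.append((r["sAMAccountName"],
                             "unconstrained: holds forwarded TGTs of every "
                             "user that authenticates to it"))
        elif mode == "constrained, protocol transition":
            findings.append((r["sAMAccountName"],
                             "protocol transition: can obtain tickets for a "
                             "user without that user authenticating to it"))
    return findings


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['sAMAccountName']:<12} {classify(r):<45} "
              f"protected={is_protected(r)}")
    for name, reason in review(RECORDS):
        print("REVIEW", name, reason)
```

    In the constructed data the domain controller is expected to be unconstrained (that is its default), CRMAPP01$ is the setting the quoted checkbox produces and is what an application server for CRM 2013 would get, svc-crm is the constrained alternative, and da-admin shows the per-user mitigation that keeps a privileged user's tickets from being delegated at all.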

  • Can I access my husband's iTunes acct. from my iPad?  I have his permission & pass code.  We want to keep all music in one place & family accessible.

    Can I access my husband's iTunes acct. from my iPad?  i have his permission & pass code.  We want to keep all music in one place & family accessible.

    If you log into his account and download some of his past purchases on your iPad then you risk tying your iPad to his account for 90 days : iTunes Store: Associating a device or computer to your Apple ID
    But it looks like that might change when iOS 8 is released in the Autumn (no date has been announced yet) : http://www.apple.com/ios/ios8/family-sharing/
    If you have his content in your computer's iTunes library then you could sync it from there instead of risking the 90 days association on your iPad. If you don't then you could copy it from his computer and then sync it to your iPad e.g. copy his music to a flash drive and then add it to your library via File > Add To Library

  • Questions regarding risk register, resource pool, reports and KPI

    I am going on a requirement gathering activity today for a new MS Project Server project. I have knowledge of SharePoint but my knowledge of Project Server is very limited. The following will be my topics of discussion with the client. Can you please tell me what kind of questions I can ask about them? I want to gather as many requirements as possible from the client.
    Some of the questions I can think of are:
    1. What fields will be there in each register?
    2. What kind of permissions do you want on each register? E.g. will each register be publicly viewable to all users or not?
    3. How many KPIs and dashboards do you need?
    Topics
    • Project Register
    • Issue Register
    • Risk Register
    • Decision Register
    • Invoice Register
    • Change Request Register
    • Deliverable Register
    • Resource Pool
    • Reports and KPIs

    As you know, Project Server sits on SharePoint. If you know which version of Project Server your client wants,
    then you can ask some questions (I am giving you a list of a few) like:
    1. Approx. no. of users
    group and security related questions, like which kind of permissions they want for project manager, team member, resource manager etc.
    2. Approx. no. of projects per year
    3. Avg. no. of tasks per project
    4. Project level custom fields
    5. Task level custom fields
    6. Resource level custom fields
    7. Project, resource or task level custom views
    8. Any demand management workflow
    9. Backup and restore strategy
    10. Any issue or risk associated with the project and mitigation plans
    11. Drivers or strategy for portfolio management
    12. If any change needs to be done in the EPM environment, how you would handle it
    13. For delivery you can split your project into phases, in which the first phase will contain installation and basic configuration, then report development, then custom development, then training and support
    14. Which kind of reports they want (SSRS, Excel based, PerformancePoint, dashboard, PowerPivot)
    15. For reports, what would the KPIs be
    16. Tracking method, timesheet usage, status reports
    17. Whether they will use the default project site or a customized project site
    18. Enterprise project template per business unit
    19. Department specific reports
    20. For infra you can ask about redundancy, server performance, high availability
    etc.
    Please group all these as per your need.
    kirtesh

  • User analysis at Action level and Permission level

    Hi Gurus,
    I am totally confused by the way our CC is working while using it for User Analysis. I understand that during Risk Analysis for a user with Report Type "Action Level" will give the conflicts at the transaction level for the user and with Report Type "Permission Level" will give the conflicts at the Object level for the user. Also the permission level report includes the results of the action level report as well and hence Permission level report is more detailed & reliable.
    But now when I run the analysis report for a particular user both at Action and Permission level, the user does not get any conflicts at Action level but it shows conflicts at Permission level. For another user the reverse is happening. Could anyone help me in understanding the above two scenarios?
    Regards,
    Lakshmi.

    Hi
    For a user to have an action level conflict, the user needs access only to that transaction code, i.e. object S_TCODE = xyz transaction code.
    Similarly, for a user to be reported in a permission level conflict, the user should have access to
    S_TCODE = xyz transaction code plus all the other authorisation objects. In other words, if the user is missing any authorisation object it won't be reported there.
    So just check which authorisation object level checks are enabled for that transaction code in the Rule Architect tab. Thereafter see whether the user has access to all those authorisation objects with the values specified.
    Parveen

  • User Analysis at Permission Level - Detail Report (RAR SP12)

    Hello All,
    I have a question regarding the user level analysis at permission level report. Currently, we are on GRC Access Control 5.3 SP12.
    Per my understanding, when you execute the user level analysis at action level, you get SOD conflict reports based on the t-code level and not on the authorization/permission level. But if you execute the user level analysis at permission level then the SOD report is based on the authorization/permission object level.
    But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" in the Permission Object column and "Transaction Code" in the Field column.
    Looking forward to hearing from you all.
    Thanks in advance,
    Regards,
    Angelica

    Hi Angelica,
    This behaviour is OK for those risks in which you have not enabled any object/field value. It will pick the S_TCODE object and show you the risk.
    This is useful because:
    1. If you have risks defined at tcode level, you can still catch them while running risk analysis at permission level.
    2. If you have object values defined in the risk and you are running permission level analysis, it will show the risk only if the object values are met. In that case permission level risk analysis will not show a risk if there is no actual risk.
    3. Running risk analysis at action level can show false positives when the risk is defined at object level. So it is always better to run the analysis at permission level; it will bring all actual risks, skipping false positives.
    4. You can run only one level of risk analysis in CUP and ERM, and permission level covers all risks.
    If you have a risk defined at object level and the role/user is not fulfilling all values, it should not show at permission level. In your case, if it is showing only "Transaction code check at start" and the risk is defined at object level, then it is surely a bug.
    Regards,
    Sabita
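    The three levels distinguished in the replies above, action vs permission (Parveen, Sabita) and permission vs organizational (Imanol's reply on organizational rules), plus the question of what a user value '*' satisfies (the V_VBAK_AAT||AUART thread), can be shown with a small model. The following Python is an added example written for this page; it is not GRC code and not SAP-delivered rule-set content. The rule-set, users, company codes and field values are constructed, the SAP object names F_BKPF_BUK and F_REGU_BUK serve only as illustrative identifiers, and the matching rules (field values checked within one authorization, no FROM/TO ranges) are the model's own, not necessarily RAR's.

```python
"""Toy model of SoD risk analysis at action, permission and organizational
level, in the style of GRC Access Control RAR.

Added example for this page; not GRC code and not SAP-delivered rule content.
Rule-set, users, company codes and values are constructed. Conventions
modelled: a user value '*' matches anything, a trailing '*' is a prefix
wildcard, and a rule value beginning with '$' is an organizational
placeholder that an org rule fills in. Value ranges (FROM/TO) are not
modelled.
"""
from fnmatch import fnmatchcase

# function -> action (tcode) -> authorization object -> field -> required value
RULESET = {
    "FN_INVOICE": {                        # cf. "Process Vendor Invoices"
        "F-42": {"F_BKPF_BUK": {"ACTVT": "01", "BUKRS": "$BUKRS"}},
    },
    "FN_PAYMENT_RUN": {
        "F110": {"F_REGU_BUK": {"FBTCH": "*", "BUKRS": "$BUKRS"}},
    },
}
RISKS = {"P001": ("FN_INVOICE", "FN_PAYMENT_RUN")}
# org rule: the placeholder field and the values the risk is evaluated per
ORG_RULES = {"P001": ("BUKRS", ["XX00", "AA00"])}

# user -> authorization object -> list of authorizations (field -> value)
USERS = {
    # has the tcodes but none of the objects: action-level hit only
    "U_TCODE_ONLY": {"S_TCODE": [{"TCD": "F-42"}, {"TCD": "F110"}]},
    # invoices in XX00, payment runs in AA00: permission hit, no org hit
    "U_CROSS_CC": {
        "S_TCODE": [{"TCD": "F*"}],
        "F_BKPF_BUK": [{"ACTVT": "01", "BUKRS": "XX00"}],
        "F_REGU_BUK": [{"FBTCH": "*", "BUKRS": "AA00"}],
    },
    # payment runs in every company code ('*'): org hit in XX00
    "U_STAR_CC": {
        "S_TCODE": [{"TCD": "F-42"}, {"TCD": "F110"}],
        "F_BKPF_BUK": [{"ACTVT": "01", "BUKRS": "XX00"}],
        "F_REGU_BUK": [{"FBTCH": "*", "BUKRS": "*"}],
    },
}


def value_ok(user_value, required):
    """Does one user field value satisfy one required value? A user '*'
    (the case in the V_VBAK_AAT||AUART thread) satisfies any requirement."""
    if required == "*" or user_value == "*":
        return True
    return fnmatchcase(required, user_value)   # user 'F*' covers 'F-42'


def has_auth(user, obj, needs):
    """All fields in NEEDS must be satisfied by a single authorization of OBJ,
    since one PFCG authorization instance carries all its field values."""
    return any(all(value_ok(auth.get(f, ""), v) for f, v in needs.items())
               for auth in user.get(obj, []))


def function_ok(user, function, level, org_value=None):
    """True if the user can execute at least one action of FUNCTION at LEVEL
    ('action', 'permission' or 'org'). Placeholders become '*' at permission
    level and ORG_VALUE at org level. An action with no permission lines is
    satisfied as soon as S_TCODE matches."""
    for tcode, objects in RULESET[function].items():
        if not has_auth(user, "S_TCODE", {"TCD": tcode}):
            continue
        if level == "action":
            return True
        satisfied = True
        for obj, fields in objects.items():
            needs = {f: (org_value if level == "org" else "*")
                     if v.startswith("$") else v for f, v in fields.items()}
            if not has_auth(user, obj, needs):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def analyze(user_name, level):
    """Risks USER_NAME violates at LEVEL: risk ids, or (risk id, org value)
    pairs at org level where the conflict exists within one org value."""
    user, hits = USERS[user_name], []
    for risk, functions in RISKS.items():
        if level == "org":
            _field, values = ORG_RULES[risk]
            hits += [(risk, v) for v in values
                     if all(function_ok(user, fn, "org", v) for fn in functions)]
        elif all(function_ok(user, fn, level) for fn in functions):
            hits.append(risk)
    return hits


if __name__ == "__main__":
    for name in USERS:
        print(name, {lvl: analyze(name, lvl)
                     for lvl in ("action", "permission", "org")})
```

    U_TCODE_ONLY has the transaction codes but none of the objects, so it violates P001 at action level only, the situation Parveen describes. U_CROSS_CC has both functions at permission level but in different company codes, so the organizational rule reports nothing: this is the false positive Imanol's reply says org rules remove, and it also shows that an org rule narrows reporting to same-company-code combinations rather than flagging the cross-company assignment asked about in the opening post. U_STAR_CC has BUKRS '*' on the payment side, so the org rule reports the conflict in XX00, the same way a '*' user value matches a rule value such as ZSO at permission level. A rule line with no authorization objects (Andrea's TCD01) is satisfied in this model as soon as S_TCODE matches, so it would count towards every org-rule value; whether RAR behaves the same way is what that thread asks and is not something this example settles.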
