RAR 5.3 SP8 - Invalid Mitigating Controls Report Issue

Similar Messages

• Mitigating Controls Headache

  Hi guys, i've been able to finally get the alerts generation and email sending working.
  However i'm having problems with the mitigating controls report.
  I've created a few Mitigation Controls and also stated under the 'reports' section that Monitor X should run Report Z in a frequency of 1 day. However even after a few days the mitigating controls report is showing nothing.
  Is there something wrong with my setup? If i created a control again Risk AA, do i need to explicitly execute the conflicts relating to Risk AA or is it assumed that even if i do not, the system is still expecting Monitor X to run report Z everyday ?

  First, as you probably know, the recording of any info on the Reports Tab of the Mitigating Control screen is completely optional. Even if information is recorded, it has nothing to do with the Mitigating Controls reports available within Informer.
  If report information is recorded, this is done either purely for documentation purposes or to set the stage for the generation of a "Mitigating Monitor" Alert. This type of alert will be generated if the designated monitor does not execute the designated SAP "report" transaction within the timeframe specified.
  Like any other type of alert, generation requires execution of the Alert Generation background job.

• Mitigating Controls in GRC10

  Hi,
  Is their a way we can maintain and update mitigating controls on GRC (GUI) back-end.UI can't be able to find those i created and migrated. Any ideas?
  Regards, Melvin

  Hi,
  REF CALL # : 968707 / 2011
  I created mitigating controls and imported the old mitigating controls from GRC 5.3.
  When I go to the mitigating controls on the UI no mitigating controls appear when opening the page. When I do a drop down (drill) on the TAB (SETUP) Work Centre  Link - Mitigating Control
  When drilling down on Mitigating Control IDu2019s
  The only two displayed is the ones I created on the UI. When I import the GRC5.3 mitigating controls I get the following
  message on the import tool within GRC10 back-end
  --Start Loading File - Scenario of 5.3 Mitigation - Migration
  sapvirdevexport53/BUNITdata.dat
  Mitigation Control EA:BS001 already exists
  Mitigation Control EA:BU001 already exists
  Mitigation Control SOLMAN99 already exists
  --File loaded successfully
  The migration document refers to the following steps and this was followed
  Why is the screen empty when going into the mitigating control link on the  UI - Another strange phenomenon is when I run the mitigating report from report and analytics the mitigating control comes up blank.
  When in the report and analytic work centre, and running the mitigation control report - -> I drill down on the Control ID and get the blank screen.
  This is why im asking can I look at mitigating controls not from ECC but GRC back-end system and maintain it from their
  Regards, Melvin

• Reports in Mitigation Controls RAR

  HI,
  Does anyone know what are reports in the mitigation control setup? Reports are transactions or just reflects numbered activities that the monitor must realize?
  Kind regards,
  RCL.

  Hi RCL
  If you are using any SAP report as a mitigating control you can give its name  there. In addition in the Frequency field you can give the frequency at which the report should be executed. and if that report is not executed at the stated frequency RAR can send an alert to the montior of Mitigating control
  Parveen

• Report tab in mitigating control - RAR 5.3

  While creating mitigating control there are 3 tabs - Associated risks / Monitors / Reports. What is the use of reports tab ?
  The control is working even with populating the report tab.

  If you have a report that you want mitigation monitors to run in order to perform the control activities you can put it in there.
  The alert functionality will then allow you to report on monitors that did not run that report in the specified period.
  Frank.

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• Mitigation controls - mitigating reports

  Hi all,
  I have a question regarding the frequency field in Reports tab of mitigating controls (RAR).
  What is the purpose of the frequency field. If you set this to 1, does that mean that the control is to be executed daily? Does the system send a mail to the monitor to inform her that its time to execute the control?
  Thanks.
  Arif

  The frequency must be established in number of days, for example, enter u201C30u201D for monthly reports or enter "7" for weekly reports. The frequency field is to ensure, monitors are executing applicable controls or more specifically monitoring the users who are executing the specified actions within the period "frequency" stated in a mitigation control. In your case 1 means 24 hours, so the monitor will be getting a daily report of the user actions. 
  Best Regards,
  Amol Bharti
  http://amudee.com

• RAR 5.3 SP10 Mitigating Control Import Utility

  All -
  I exported my mitigating controls from a RAR 5.3 SP9 system and imported them into a 5.3 SP10 system. I received a successful confirmation of the import, but when I "searched" my mitigating controls there were duplicated mitigating control numbers. It looks like the import tool duplicated the mitigating control ID for every "monitor" assigned to the mitigating control number. For example, mitigating control MC00000001 with Monitor1, Monitor2, & Monitor3 equated to 3 entries of MC00000001. If I try to delete 2 of the 3 entries, I receive a "Successfully deleted" message and get the error "Exception!!. No relavent language message available in database for :0053". When I "search" again, the mtigating control is no longer there (as expected).
  I confirmed my mitigating control import file does not have the multiple entries.
  Any ideas?
  Thanks,
  Daniel

  Venky,
  Thank you for your response. The message issue actually wasn't the one that I was asking about, but thanks for the heads up. The main issue is that RAR (5.3 SP10) is multiplying mitigating control entries for the number of monitors assigned to the mitigating control. It appears to be an issue with SP10 as it did not occur in SP9. I'm trying to see if anyone knows what the fix is.
  Thanks,
  Daniel

• Role level mitigating controls not affecting position level reports

  Hi,
  Here's the problem we're having with mitigating controls:
  When I assign a mitigating control to a role, it correctly mitigates the risk when we perform a role level SoD analysis.  However, when we perform a position level analysis, the same role shows up again in the report as not mitigated.  Anyone else running into this issue?  We are on CC5.2 with SP4.  Is this fixed in later SPs?
  Simple Example:
  Role ABC has conflicting tcodes FBV0 and FBVB.  We applied a mitigating control to this role and it doesn't show up anymore on the role level reports.
  When running the position level SoD analysis, position number 50010000 contains role ABC and the same conflict shows up again even though the conflict is entirely within Role ABC and not with other roles that are in position 50010000.
  Thanks,
  Robert

  All,
  I opened a customer message with SAP and it seems that this issue is a limitation with CC 5.2  Mitigating at the role level will will not follow through to the position level reports.  However, it seems that it will follow through to the user level as long as you have configured it under the Configuration->Additional Options tab.  There is a setting there that will allow rule level mitigating controls to take affect at the user level.
  Thanks,
  Robert

• Report Tab in Mitigation Control

  Dear Experts,
  Can anyone explain me the purpose/usage of Report Tab in Mitigration Control. I have browsed the forum but could not understand the actual need of this tab as I found different answers.
  Thanks,
  Raj

  HI Raj,
  Access Controls is used as a documental tool for Mitigating Controls, rather than a implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system etc.
  Access Control allows you to document such reports against the Mitigation Control, so this is the purpose of the tab. Given that GRC 10.0 integrates AC and PC, Mitigating Controls is master data that is shared amongst the different GRC modules, so I get the feeling Process Controls might utilize the "Report" data and check if the reports are being monitored by the control monitor/s at the scheduled frequency etc.

• Mitigation controls assignation to users in RAR

  Hi,
  While assigning mitigation control to the users (RAR>Mitigation> Mitigated Users-->Add), it is only possible to assign 1 user at a time...Would it be possible to assign more than 1 user through multiple selection
  Thanks
  Abhijeet

  Abhijeet,
  From that path, you cannot assign multiple users at once however, if authorised, you can upload mitigation controls and within the upload files, you can upload users assigned to them.
  Simon

• RAR 5.3 - Mitigating Control Mass Upload

  Hi Everyone,
  My client wants to perfrom a mass upload of Mitigating Controls, but I can't find the format of the tables that are needed.
  I have tried creating a control manually, exporting it and then changing the file and uploading but it always throws an error.
  I know that there is a SAP Note about this but it is Internal Only.
  Can anyone help?  I guess I am looking for standard upload file format or something of that nature.
  regards
  Simon

  Hi Frank
  as always you are the man who knows the answer!!
  You were correct Excel 2007 had converted 2010-10-11 to 11/10/2010, during the importation process, even though I had told it to keep all fields as text.
  Additionally, on almost every row of the export file after having made the changes in excel, it had added several "TAB" characters as well, so I had to go down every line of the upload file to remove the extra "TABS".
  After that it worked perfectly.
  Now I will attempt world domination, after all it must be easier than trying to configure Access Controls 5.3
  Simon
  Edited by: Simon Carty on Nov 26, 2010 10:05 AM
  Edited by: Simon Carty on Nov 26, 2010 10:05 AM

• RAR: Mitigation Control Monitoring

  Hi,
  I have configured and executed alert generation job but we are not able to obtain the alerts for mitigation control monitoring.
  What we have done:
  1) Define mitigation control including transaction XXXX to be executed daily
  2) Monitor has executed thansaction XXXX on day 1
  3) Alert generation job has been executed on day 1 (after step 2)
  3) Monitor has not executed transaction XXXX on day 2
  4) Alert generation job has been executed on day 2 BUT alert for control monitoring are not obtained.
  Does anyone know why we are not getting the alerts for control monitoring?
  Thanks in advance. Kind regards,
    Imanol

  What is value of number of days for this Monitoring in Mit Control?
  Is email id of Monitor maintained in Alert tab?

• Mitigation control errors out in CUP approval

  We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR.  Once it goes for approval into CUP, it erroru2019s out when I try to approve it.  Here is the message:
  2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
  com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
       at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by:
  com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
       at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
       ... 32 more
  Thanks,
  Peggy

  Hello Peggy,
    Did you recently upgraded your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration"
  The problem is coming due to change in NW encryption algorithm and impacted GRC as well. This is fixed in SP10 of GRC.
  Regards, Varun

• Workaround for non-SAP mitigating control reminders

  Dear all,
  Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
  Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
  Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
  Have you come up with any feasible workarounds for this?
  My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
  Cheers and best regards
  Patrick

  Hello,
  Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
  Regards,
  Jérôme.