RAR: Mitigation Control Monitoring

Hi,
I have configured and executed the alert generation job but we are not able to obtain the alerts for mitigation control monitoring.
What we have done:
1) Define mitigation control including transaction XXXX to be executed daily
2) Monitor has executed transaction XXXX on day 1
3) Alert generation job has been executed on day 1 (after step 2)
4) Monitor has not executed transaction XXXX on day 2
5) Alert generation job has been executed on day 2 BUT alerts for control monitoring are not obtained.
Does anyone know why we are not getting the alerts for control monitoring?
Thanks in advance. Kind regards,
  Imanol

What is value of number of days for this Monitoring in Mit Control?
Is email id of Monitor maintained in Alert tab?

Similar Messages

  • Risk Analysis and Remediation Mitigating Control Monitoring Alerts

    Hello,
    We have configured an alert for a Mitigating Control.  The Monitor must execute the report every day (report frequency = 1) or an alert email is sent to the Risk Owner.
    The Risk Owner receives the Alert email and the Alert is logged on the Alerts tab only for the first two days after the report is not executed by the Monitor.  Is there a setting somewhere that controls why the alert is not generated after two days?
    thanks
    Tammi

    Correction.
    The email is only sent for 2 days.  The alert is logged on the Alert Monitor tab every day.

  • Changing Monitor on Mitigating Controls

    HI all:
    Just wondering, is there a way to change the Monitor on an existing mitigating control once it is assigned to either a role or user??  When we try to do it, the error message says "Role is already mitigated to Control xxxx: Monitor xxxx cannot delete".
    The only workaround is to delete the existing entries and re-enter them with the new monitor...however this is not an efficient approach when we have many entries for one mitigating control.
    The monitors are defined properly....we just can't change the mitigating control monitor once there are assignments to roles or users.
    Any help would be appreciated.
    Margaret

    I think one of the options may be to keep the monitor ID the same but change the name of the monitor for that monitor ID in the administrator tab of mitigation.
    Hope this helps
    Regards,
    Nitin

  • Mitigation control: Sending failed No valid SAP sender address

    GRC 5.3 SP10 RAR
    In mitigation control:  I have created a new control ID. When I am trying to assign it to a user getting error
    "Sending failed No valid SAP sender address"
    Please advise to resolve the issue. I need to mitigate user.

    Hello Pal,
    Please go to RAR configuration -> Risk Analysis -> Additional Options. Here check if you have the parameter Enable Monitor Notification set to YES. If you do then set this one to NO. Also, kindly check and make sure that you have a valid email address maintained for each of the mitigation control monitor in Mitigation tab.
    If you wish to have the parameter set to yes only then you need to do the JAVA mail settings in Visual Admin. Check configuration of the JAVA mail client, which can be done using Visual Administrator, to send the Email Notification.
    (Configuration > Java Mail Client > Properties > Smtp).
    Regards, Varun
    Edited by: Thakur Varun on May 21, 2010 3:47 PM

  • RAR 5.3 SP10 Mitigating Control Import Utility

    All -
    I exported my mitigating controls from a RAR 5.3 SP9 system and imported them into a 5.3 SP10 system. I received a successful confirmation of the import, but when I "searched" my mitigating controls there were duplicated mitigating control numbers. It looks like the import tool duplicated the mitigating control ID for every "monitor" assigned to the mitigating control number. For example, mitigating control MC00000001 with Monitor1, Monitor2, & Monitor3 equated to 3 entries of MC00000001. If I try to delete 2 of the 3 entries, I receive a "Successfully deleted" message and get the error "Exception!!. No relavent language message available in database for :0053". When I "search" again, the mitigating control is no longer there (as expected).
    I confirmed my mitigating control import file does not have the multiple entries.
    Any ideas?
    Thanks,
    Daniel

    Venky,
    Thank you for your response. The message issue actually wasn't the one that I was asking about, but thanks for the heads up. The main issue is that RAR (5.3 SP10) is multiplying mitigating control entries for the number of monitors assigned to the mitigating control. It appears to be an issue with SP10 as it did not occur in SP9. I'm trying to see if anyone knows what the fix is.
    Thanks,
    Daniel

  • GRC AC RAR: Comprehension question Mitigating Controls

    Hello all,
    I have a small comprehension question regarding Mitigating Controls.
    Situation:
    We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
    What has been done:
    1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
    2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
    3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
    4. Within the Mitigating Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
    What I want to achieve:
    - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
    - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
    Can I achieve that by using tab "Reports" within the Mitigating Control ?
    If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
    Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
    Regards,
    Benjamin

    Hi Jwalant,
    sorry for my late reply, but I have waited for a few weeks to be sure whether the way you described works or not.
    - The background job gets executed once a week and finishes without any error.
    - The only thing that doesn't work is that the userID that I maintained in column "monitor" and for which I defined a mitigation control which has to be executed every 2 weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
    Log of background job execution:
    INFO: -
    Scheduling Job =>16----
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
    INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Running
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Alert Generation Started @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Conflict Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Critical Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
         at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
         at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
    here it keeps ranting on for pages about Null Pointer Exceptions
    I'll just leave that part out
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  -
    No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
    INFO: Start AlertStats.............
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@=== Alert Generation Completed Successfully!===@@@
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Complete
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    0@@Msg is Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=0, message=Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>16----
    - Another thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
    It always adds entries like:
    581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
    582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
    Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
    Or is this an indicator that the authorization roles I mitigated have been used again ?
    Regards,
    Benjamin
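
The job log quoted above contains a SEVERE `NullPointerException` inside a run that still ends with `Status: Complete`, so the job status alone does not show that the backend read failed. The following is an added example, not part of the original post or of SAP's code: a small Python check that pairs each job with the SEVERE records logged during its run. The sample is abridged from the quoted log, and the function names and the assumption that jobs are logged one after another are mine.

```python
import re

# Constructed sample, abridged from the job log quoted in the post above.
SAMPLE_LOG = """\
Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
SEVERE: null
java.lang.NullPointerException
     at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
     at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 16 Status: Complete
"""

# java.util.logging layout: a header line, a "LEVEL: message" line, then extras.
HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M (\S+) (\S+)$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ?(.*)$")
START = re.compile(r"Starting Job ID:(\d+) \((\w+)\)")
STATUS = re.compile(r"Job ID: (\d+) Status: (\w+)")
FRAME = re.compile(r"^at ([\w.$<>]+)\(")


def parse_records(text):
    """Group raw lines into records; lines before the first header are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are usually indented
        head = HEADER.match(line)
        if head:
            cur = {"source": head.group(1), "level": None, "message": "", "extra": []}
            records.append(cur)
        elif cur is not None:
            lvl = LEVEL.match(line) if cur["level"] is None else None
            if lvl:
                cur["level"], cur["message"] = lvl.groups()
            else:
                cur["extra"].append(line)
    return records


def silent_failures(text):
    """Return jobs that logged SEVERE records yet finished with Status: Complete."""
    jobs, current = {}, None
    for rec in parse_records(text):
        body = " ".join([rec["message"]] + rec["extra"])
        started = START.search(body)
        if started:
            current = started.group(1)
            jobs[current] = {"type": started.group(2), "status": None, "errors": []}
            continue
        if current is None:
            continue
        if rec["level"] == "SEVERE":
            exc = next((l for l in rec["extra"] if not FRAME.match(l)), rec["message"])
            frames = [FRAME.match(l).group(1) for l in rec["extra"] if FRAME.match(l)]
            jobs[current]["errors"].append({"exception": exc, "frames": frames})
        status = STATUS.search(body)
        if status and status.group(1) == current:
            jobs[current]["status"] = status.group(2)  # last status line wins
    return {j: d for j, d in jobs.items() if d["errors"] and d["status"] == "Complete"}
```

Running `silent_failures` over the full job log lists each alert generation run whose status hides an exception, together with the stack frames to hand to support.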

  • Mitigation Monitor does not appear in Mitigation Controls section

    In GRC RAR in the “Mitigation” tab, I added a new Mitigation Monitor in the “Administrators” section and a new Mitigating Control. When I try to add the new monitor in the “Monitors” tab within the “Mitigation Controls” section, the new monitor does not appear as an option. I’m pretty sure I have every bit of authorization possible, so I don’t think this is an auth issue. I do not have any users assigned to the new mitigation control, so that isn’t the problem either. Is there a trick to getting my new monitor to show up? Thank you!

    You also are required to first add the users to a Business Unit: Mitigation - Business Units - Search
    Edit the business unit associated with the Mitigating control that you created and add the users.
    Go back to the mitigating control and you should not see the users that you associated with the Business Unit.
    -J

  • Reports in Mitigation Controls RAR

    HI,
    Does anyone know what are reports in the mitigation control setup? Reports are transactions or just reflects numbered activities that the monitor must realize?
    Kind regards,
    RCL.

    Hi RCL
    If you are using any SAP report as a mitigating control you can give its name there. In addition, in the Frequency field you can give the frequency at which the report should be executed, and if that report is not executed at the stated frequency RAR can send an alert to the monitor of the mitigating control.
    Parveen

  • Significance of Monitor in Mitigation control

    Can any body help me understand what does Monitor does in Mitigation control and what does the statement mean below:
    "When creating a mitigation control, need to define the Action, Monitor ID, and
    Frequency. If the monitor does not execute the action within the set frequency, then an alert
    is generated"
    Thanks,
    Abhimanu

    Hello Abhimanyu,
    1. Can any body help me understand what does Monitor does in Mitigation control:
    The role of Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra excess or conflicting access has not misused it. Every Mitigating control, for this purpose, has a Monitor attached to it who does this job.
    2. what does the statement mean below:
    "When creating a mitigation control, need to define the Action, Monitor ID, and
    Frequency. If the monitor does not execute the action within the set frequency, then an alert
    is generated"
    I guess this is also covered in the explanation for point 1 and the post above from Margaret. In case not, please let us know.
    Regards,
    Hersh.
    http://www.linkedin.com/in/hersh13
    Edited by: HERSH GUPTA on May 7, 2009 10:43 AM

  • Mitigation controls assignation to users in RAR

    Hi,
    While assigning mitigation control to the users (RAR>Mitigation> Mitigated Users-->Add), it is only possible to assign 1 user at a time...Would it be possible to assign more than 1 user through multiple selection
    Thanks
    Abhijeet

    Abhijeet,
    From that path, you cannot assign multiple users at once however, if authorised, you can upload mitigation controls and within the upload files, you can upload users assigned to them.
    Simon

  • Report tab in mitigating control - RAR 5.3

    While creating mitigating control there are 3 tabs - Associated risks / Monitors / Reports. What is the use of reports tab ?
    The control is working even with populating the report tab.

    If you have a report that you want mitigation monitors to run in order to perform the control activities you can put it in there.
    The alert functionality will then allow you to report on monitors that did not run that report in the specified period.
    Frank.

  • Control monitoring alerts- RAR 5.3

    I have a few mitigating controls in place with frequency in reports tab as 1. I'm sure that the action given in the reports tab was not executed in the backend system by the monitor but still I do not get alerts for control monitoring in Alert monitor tab. Please advise

    Please note the correction:
    It is not 9 character or 5 character risk id that makes the difference. I was not getting control monitoring alert because the 9 character riskid I specified in the mitigating control was a permission level rule id and SAP says that from 5.3 onwards permission rules are not considered for any analysis. So we have to mention the riskid with * or we can specify the action level rule id to receive the control monitoring alerts.

  • Changing a monitor on a mitigating control

    1. I am using CUP 5.2 and I noticed that I am not able to change the monitor on a mitigating control. The message reads that the administrator id is already assigned as a monitor to a business unit and can't be deleted. When I go to the business unit and try and update that monitor it is not allowing me to do that also. There are users that have been assigned to that mitigating control although their valid to date has expired. Does anyone know how I can update the monitor and keep the mitigating control?
    2. When I am assigning a user to a mitigating control is there a way to do them all at once instead of one by one?

    Hi Valarie,
    You cannot edit the monitor of a mitigation control if that mitigation control has already been assigned to users. You will either have to delete all the users and then change the Mitigation control ID or you will have to assign a new monitor to all these mitigated users and then you will be able to delete the old monitor.
    Hope this clarifies your doubt.
    Thanks
    Harleen
    SAP GRC RIG

  • RAR 5.3 SP8 - Invalid Mitigating Controls Report Issue

    Hello,
    When I view the Invalid Mit Controls Report, and I click the "Click to Change" button, it brings me to blank mitigating controls screen with an error at the bottom of the screen that reads "Category should be U, R, P, H or O"
    Has anyone seen this before? The log shows nothing when I look to it to view more info about the error...
    Any troubleshooting tips or is this something I need to bring up with SAP?
    Thanks!
    Jes

    yep

  • RAR 5.3 - Mitigating Control Mass Upload

    Hi Everyone,
    My client wants to perform a mass upload of Mitigating Controls, but I can't find the format of the tables that are needed.
    I have tried creating a control manually, exporting it and then changing the file and uploading but it always throws an error.
    I know that there is a SAP Note about this but it is Internal Only.
    Can anyone help?  I guess I am looking for standard upload file format or something of that nature.
    regards
    Simon

    Hi Frank
    as always you are the man who knows the answer!!
    You were correct Excel 2007 had converted 2010-10-11 to 11/10/2010, during the importation process, even though I had told it to keep all fields as text.
    Additionally, on almost every row of the export file after having made the changes in excel, it had added several "TAB" characters as well, so I had to go down every line of the upload file to remove the extra "TABS".
    After that it worked perfectly.
    Now I will attempt world domination, after all it must be easier than trying to configure Access Controls 5.3
    Simon
    Edited by: Simon Carty on Nov 26, 2010 10:05 AM
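
The two upload problems described in the reply above (ISO dates rewritten by Excel and extra TAB characters appended to rows) can be checked before the file is imported. This is an added example, not part of the original thread and not SAP's upload format: the four-column layout and the sample rows are constructed, and `day_first=True` assumes the DD/MM/YYYY conversion the post reports (2010-10-11 became 11/10/2010).

```python
import re

SLASH_DATE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})$")

# Constructed sample rows; the column layout is hypothetical.
SAMPLE = (
    "MC00000001\tObsolete Roles\t2010-10-11\t2011-10-11\n"
    "MC00000002\tQuarterly review\t11/10/2010\t2011-10-11\t\t\t\n"
    "MC00000003\tRole check\t25/12/2010\t2011-12-25\n"
)


def check_upload(text, expected_cols):
    """Report trailing TABs, wrong column counts and spreadsheet-reformatted dates."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        surplus = fields[expected_cols:]
        if surplus and not any(surplus):
            # Only empty fields beyond the expected columns: stray TABs.
            findings.append((n, "trailing_tabs", len(surplus)))
        elif len(fields) != expected_cols:
            findings.append((n, "column_count", len(fields)))
        for field in fields[:expected_cols]:
            if SLASH_DATE.match(field):
                findings.append((n, "reformatted_date", field))
    return findings


def repair(text, expected_cols, day_first=True):
    """Drop stray trailing TABs and rewrite slash dates as YYYY-MM-DD."""
    out = []
    for line in text.splitlines():
        fields = line.split("\t")
        while len(fields) > expected_cols and fields[-1] == "":
            fields.pop()
        fixed = []
        for field in fields:
            m = SLASH_DATE.match(field)
            if m:
                a, b, year = m.groups()
                day, month = (a, b) if day_first else (b, a)
                if not (1 <= int(month) <= 12 and 1 <= int(day) <= 31):
                    # Wrong day/month order guess: stop rather than write a bad date.
                    raise ValueError(f"cannot interpret date {field!r}")
                field = f"{year}-{int(month):02d}-{int(day):02d}"
            fixed.append(field)
        out.append("\t".join(fixed))
    return "\n".join(out) + "\n"
```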
