SAP GRC AC10 Common Practices on Mitigation Control

Similar Messages

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• GRC AC10 Mitigation Control Temporary Tables

  Hi everyone,
  I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
  I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
  Maybe it is stored in an XML file and that's why I cant reach the table.
  If you have any idea or any experience to share, I would really appreciate it!
  Thanks and regards,
  Fernando

  Hi Fernando
  Maybe it is stored in an XML file and that's why I cant reach the table.
  I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file
  I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
  Might need to trace it to identify the function module that is used by approver to view the request?
  Regards
  Colleen

• Mitigating Control creation and application in SAP GRC 10

  Hi Expert,
  We have SAP GRC Access Control 10 being implemenmted for our client.  While trying to create Mitigating Control, we just realized that Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions which is visible only when we activate the GRC-PC Application.
  My queries are:
  1. Is it that Mitigation control can only be created if PC is enable.
  2. What about Licencing if GRC-PC Application is used for Mitigating Control Creation.
  Thanking you i advance.
  Thanks & Regards,
  Abhimanu Kumar Singh

  HI,
  Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
  However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
  Thanks again.
  Thanks & Regards,
  Abhimanu Kumar Singh

• GRC 5.3 mitigation control

  Dear Guys,
  Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
  How could we mitigate user and on what criteria....????
  Also some brief about control monitor.
  Thanks in Advance......

  Hi Arpit,
  Steps for remediation and mitigation strategy is as below,
  Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
  OR
  there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
  Function A: Create PO
  Function B: Release PO
  Above two functions are conflicting and create risk in standard process, so as a standard practice, in reference to compliance SAP recommends to have two people doing it separately, but customer might not be having 2 postions in org to separate this, so customer has to accept the risk and create mitigation control to document this and put the monitoring control so one person can perform this function.
  This way it is helful to follow the compliance and when audit happens customer can show that they have identified the risk and documented it and put alternate monitoring control, so the risk cannot be misused.
  Hope this helps you understand it.
  BR,
  Mangesh

• Mitigation in SAP GRC AC

  Hi all,
  Two questions regarding mitigation in SAP GRC AC:
  1)
  Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
  2)
  If WF  is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
  Thanks in advance. Best regards,
    Imanol

  Hi Imanol,
     Here is my response:
  1) Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
  You need to go to Alert Generation -> Select Generate Alert log, Control Monitoring under Action Monitoring and Alert notification.
  2) If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
  Yes, that is correct.
  Regards,
  Alpesh

• Mitigation control: Sending failed No valid SAP sender address

  GRC 5.3 SP10 RAR
  In mitigation control:  I have created a new control ID. When I am trying to assign it to a user getting error
  "Sending failed No valid SAP sender address"
  Please advise to resolve the issue. I need to mitigate user.

  Hello Pal,
  Please go to RAR configuration -> Risk Analysis -> Additional Options. Here check if you have the parameter Enable Monitor Notification set to YES. If you do then set this one to NO. Also, kindly check and make sure that you have a valid email address maintained for each of the mitigation control monitor in Mitigation tab.
  If you wish to have the parameter set to yes only then you need to do the JAVA mail settings in Visual Admin. Check configuration of the JAVA mail client, which can be done using Visual Administrator, to send the Email Notification.
  (Configuration > Java Mail Client > Properties > Smtp).
  Regards, Varun
  Edited by: Thakur Varun on May 21, 2010 3:47 PM

• Integrate external identity management solution in SAP GRC Access Control

  We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
  thanks
  Detlef

  Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
  what do the published webservices do? Is there any documentation about them?
  In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
  The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
  Other thing that we want to do is to create a job where it would automatically desassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls)
  IMHO as a former programmer, these are classic cases where I would like to consume some webservices for this tasks to avoid a lot of ctrc ctrlv from the operators (inefficient and error prone)
  VCC has any documentation that would help me to find how I would do this integrations?
  Thanks in advance

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• Workaround for non-SAP mitigating control reminders

  Dear all,
  Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
  Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
  Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
  Have you come up with any feasible workarounds for this?
  My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
  Cheers and best regards
  Patrick

  Hello,
  Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
  Regards,
  Jérôme.

• Bringing mitigating controls from PC to AC in GRC 10.0

  Hi ,
  I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
  my client is asking me to copy all the mitigating controls from PC to AC.
  Is this possible ? if yes, What will be the process ?
  Thank you.

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• Mass maintenance of Mitigation controls in GRC 10.0

  Dear All,
  How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• SAP GRC Process Control - General Questions

  Hi all,
  We have the following general questions regarding SAP GRC Process Control:
  1) Assume that we have set up 5 different SAP Connectors in Process Control. When you configured a specific rule and control and then, schedule the job for such control, how does the system (SAP Process Control) knows which back-end system needs to be accesed for such control?
  2) In which language are the out-of-the box rule steps's script coded? In which different languages can those scripts be coded, what is to say, in which language can we code our own scripts?
  3) How is the detailed flow between SAP Process Control and SAP Back-end system?
  Many thanks. Regards,
      Imanol

  null

• SAP GRC Access Control 5.3 .TXT - where to upload it

  Hi Experts,
  can anyone please tell me, I have to deploy/upload the patch:
  SAP GRC Access Control 5.3 .TXT SP04
  As I am new to GRC, can somebody please tell me where I upload/deploy this file.
  Is it on the server at operating system level, or through the application in the Web Browser ?
  Thanks and regards,
  Petr.

  HI ,
  As sahad said that is the right way to extract the *.SAR files the syntax is given below .
  for unix : SAPCAR -xvf /<path>/<filename>
  windows : SAPCAR -xvf <volume>:\<path>\<filename>
  If you donot specify the path then it would get extracted in the path where you are right now means the same location where you the *.SAR file is present and then you can upload .
  Then you can login into RAR portal and then go to configuration tab then click on utilities which would be the last option and then click on import and give the file location.

• SAP GRC Access Control 5.3 intergration with orcale

  Good Day GRC Gurus,
  We want to integrate SAP GRC Access Control 5.3 with ORACLE.
  It would be great if someone could share some documents, presentation and experience on the same.
  Thanks in advance!!!!!!!!!!!!!
  Thanks and Regards,
  Jagat

  Hello Hersh,
  RTA for Oracle is basically a set of PL/SQL stored procedures to create grc schema, grant access and object creation. The package was created using oracle 11.5.10.2 version. I am not sure about the compatibility of the package with the new versions of oracle but still batch mode risk analysis is achievable even if the RTA is not compatible.
  I do not really like batch mode but it does serve the purpose. If I get a chance to test oracle RTA on new version I will surely share it with you.
  Best Regards,
  Amol Bharti
  http://amudee.com