Virsa Config Logic?: Include Role/Prof mitigating contls in User Analysis

Hello All, 
After changing configuration option "26 Include Role/Prof mitigating contls in User analysis (YES/NO)" from NO to YES, I noticed that the mitigation seems to be overextending itself into other roles. Example:
A user with RoleA, RoleB and RoleC has potential conflicts. It turns out that RoleC is not a real problem, but RoleA and RoleB are. So I mitigate one rule against RoleC.
With configuration option 26 set to YES, I would expect the mitigating control to apply only against RoleC, and the SoD issues against RoleA and RoleB should still be reported; however, RoleA and RoleB are now also mitigated. Therefore roles which I had not intended to mitigate are mitigated.
How should the logic within Virsa be understood?
Thanks, Dylan

Adding details to this subject, here is a test scenario which anyone can try:
Build RoleA with only S_TABU_DIS and change/display access to table groups P000 to PZZZ.
Build RoleB with transactions PC00_M10_CDTC and PC00_M99_CURSET.
Build RoleC also with transactions PC00_M10_CDTC and PC00_M99_CURSET.
Create a dummy user with all three roles assigned and run the SoD report against the user and risk H00600501.
Afterward, create a mitigation for that risk and RoleC combination only.
Re-run the report. If possible, please also list your Virsa version and support pack level. The customer system I'm on is 4.0, SP 04.
Many thanks for any help in this regard. The mitigation configuration option is a really important option under the circumstances and I would like to use it, but cannot at the moment considering the results.
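The behaviour the post describes, as an added example that is not Virsa or SAP GRC code: a small model of user-level SoD analysis in which a mitigating control assigned to a role only covers the conflict paths that actually use that role, run side by side with the over-extended reading in which any mitigated role held by the user suppresses the whole risk. The role contents are taken from the test scenario above; the two-function definition given for H00600501 is an assumption made to drive the model, not the real rule set.

```python
"""Model of user-level SoD analysis with role-level mitigating controls.

Added example, not Virsa/GRC code. Role contents follow the test scenario in
the post; the content of risk H00600501 is assumed for the model only.
"""
from itertools import product

# Role -> actions held. Constructed from the post's scenario; the S_TABU_DIS
# entry stands in for change/display on table groups P000-PZZZ.
ROLES = {
    "RoleA": {"S_TABU_DIS:P000-PZZZ"},
    "RoleB": {"PC00_M10_CDTC", "PC00_M99_CURSET"},
    "RoleC": {"PC00_M10_CDTC", "PC00_M99_CURSET"},
}

# Risk -> list of conflicting functions, each a set of actions. The risk fires
# when the user holds at least one action of every function.
# (Assumed two-function content for H00600501, used only to drive the model.)
RISKS = {
    "H00600501": [
        {"S_TABU_DIS:P000-PZZZ"},
        {"PC00_M10_CDTC", "PC00_M99_CURSET"},
    ],
}


def conflict_paths(user_roles, risk_id):
    """Return every role combination (one role per function) that produces the risk.

    Each path records which role supplies which conflicting function, so a
    mitigation can later be scoped to the paths that really involve that role.
    """
    contributors = []
    for function in RISKS[risk_id]:
        roles = sorted(r for r in user_roles if ROLES[r] & function)
        if not roles:            # one function not covered: no conflict at all
            return []
        contributors.append(roles)
    return [tuple(path) for path in product(*contributors)]


def analyze_user(user_roles, mitigations, role_scoped=True):
    """Return {risk_id: [open conflict paths]} for a user.

    mitigations: set of (risk_id, role) pairs, i.e. role-level mitigations.
    role_scoped=True  -> a mitigation on a role covers only the conflict paths
                         that use that role (what the post expects).
    role_scoped=False -> any mitigated role held by the user suppresses the
                         whole risk (the over-extension the post observed).
    """
    findings = {}
    for risk_id in RISKS:
        paths = conflict_paths(user_roles, risk_id)
        if not paths:
            continue
        mitigated_roles = {r for rid, r in mitigations
                           if rid == risk_id and r in user_roles}
        if role_scoped:
            open_paths = [p for p in paths if not (set(p) & mitigated_roles)]
        else:
            open_paths = [] if mitigated_roles else paths
        if open_paths:
            findings[risk_id] = open_paths
    return findings


if __name__ == "__main__":
    user = {"RoleA", "RoleB", "RoleC"}
    mit = {("H00600501", "RoleC")}          # mitigate the risk for RoleC only
    print("role-scoped :", analyze_user(user, mit))
    print("any-role    :", analyze_user(user, mit, role_scoped=False))
    print("RoleA+RoleC :", analyze_user({"RoleA", "RoleC"}, mit))
```

In the role-scoped run the RoleA/RoleB path stays open and the risk is still reported, which is the result the post expects; in the any-role run the single mitigation on RoleC makes the whole risk disappear, which is the over-extension the post describes. A user holding only RoleA and RoleC is fully mitigated in both modes, so that test case cannot tell the two interpretations apart; the three-role user can.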

Similar Messages

  • Mitigated Risks Still Show up on User Analysis - RAR

    Not sure if you have ever seen this - I'm perplexed. We recently upgraded to AC-RAR 5.3_14.0. When I mitigate a risk for a user for the first time, or extend an existing mitigation into the future, the risk still shows up on the next user-level risk analysis. I am sure I use the correct risk ID (no copy-paste issues). It is as if I never mitigated it to begin with. Thanks for any ideas.
    Joerg

    Hi,
    Are you doing user-level mitigation or role-level mitigation? If it is role-level mitigation, you need to check 3 places:
    1. RAR > Configuration > Additional Options > Include Role/Profile Mitigating Controls in User Analysis > YES
    2. RAR > Configuration > Default Values > Exclude Mitigated Risks > YES
    3. CUP > Configuration > Risk Analysis > Consider Mitigation Controls: checked.
    If you are doing user-level mitigation, check points 2 and 3.
    Regards,
    Sabita

  • Can we create a variant in FBL3N including the Profit Ctr GrOUP

    Hi,
    Would it be possible to create a variant in FBL3N including the Profit Ctr Group?
    I already have the profit center, but I want the profit center group to be displayed as well. Can anybody tell me what the procedure or steps would be?
    Thanks

    I doubt if you can do this in the standard.
    The only possible option would be to use a customised report.
    Cheers!

  • How can I know the security role of the logged in user

    When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
    But I am wondering, when I log into my application with a user name and password (stored in my Oracle database), how this works with the security role I created. How does J2EE know the security role of the logged-in user?
    Thanks
    Manohar

    shet wrote:
    > role at run time.
    > When I log in, say as "manju" with password "money", how does it know that this user belongs to this security role? Does the J2EE administrator have to say that user manju has this security role? Programmatically, how does it really work? I am confused.
    The J2EE implementation assigns the roles using the JAAS module you have configured for your application on your application server. Different JAAS modules get roles in different ways. Many allow a single static role to be assigned using a config file. If using a database, often there will be configuration to specify additional database fields which hold the role for a given username.
    At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

  • Setting up a Role to Restrict SQVI by user (on field BUKRS table KNC3)

    Hi Everyone!
    I am trying to get my Basis team to give me access to SQVI, but they want to restrict the financial data I have access to by company code (9000 in our company). The authorisation checking for SQVI is apparently not straightforward. It depends on the data source of the view created. If it is a logical database, then the authorisation follows the access required for the database (e.g. the system will check for vendor access if the data source is the logical database "Vendor Database"). But if the source is a table or table join, then the system will check for table access rights, which, in our environment, are unrestricted.
    So, in essence, we do not restrict access rights by table, and I will be using SQVI to directly query many tables... which will include tables that store data other than that relating to my company code.
    I have tried applying a role in our QA system where, in Authorizations (change authorization data), I pass in a value on the field and table (field name BUKRS '9000', master table KNC3) for a role assigned to a test user (zSQVI), but this is not restricting the data I can access via SQVI when logged in as zSQVI.
    Has anyone had this problem before? Does anyone know how to restrict SQVI access by a field value using roles?
    Kind Regards,
    Gavin

    It's not possible to restrict SQVI to this level as it doesn't contain authorisation checks at the organisational level.  You can achieve this by using Infoset Query / Ad-hoc query where you have the option to apply your own code to the query, thus allowing you to check the company code.

  • No portal roles are assigned for this user.If this problem persists, contac

    I am trying to access the portal for the first time using the j2ee_admin user. It says "No portal roles are assigned for this user. If this problem persists, contact your system administrator."
    I am using an ABAP+Java engine. How do I configure this in the ABAP engine? I want to know which role to assign to the j2ee_admin user.
    I already assigned sap_j2ee_admin, SAP_BC_JSF_COMMUNICATION and SAP_BC_JSF_COMMUNICATION_RO, but it shows the same problem.
    Please help me.
    Edited by: Mugala Balu on Aug 7, 2010 5:53 PM
    Edited by: Mugala Balu on Aug 8, 2010 7:48 AM

    Balu,
    Well, this issue has been discussed many times in the forums. You would have to point your data source to the ABAP system.
    Check this thread: J2EE Failed to start, after changing UME datasource.
    Good Luck!
    Sandeep Tudumu

  • Custom Report: the list of IT ROLES of one or more users

    Hi all,
    I want to do a custom report that gives me the list of IT ROLES of one or more users. Anyone could give me some guidelines?
    Thanks

    According to the docs... if I interpret them right:
    getRoles returns the roles assigned to the given context. This is wise, since it is usually used to check whether the current user invoking the call has the rights in a form, workflow or similar...
    Adding the "accountId" string as a second argument would invoke this form of getRoles:
    getRoles
        public static java.util.List getRoles(LighthouseContext s, java.lang.String current) throws WavesetException
    This variant allows a specific name to be included in the returned list. It is used to ensure that the current value of a role may continue to be assigned even though the current admin may not have access to that role.
    I believe you should get the user's view and take your info from there...
    If you try using the debug page and getObject User with the accountId, you will see the user in its full glory...
    There you can see what you might want to do, I hope.

  • Roles Creating and assigning to user

    Hi all,
    I am creating a role venki and granting some privileges to that role, i.e. create session, create table...
    Then I am creating a user and assigning the role "venki" to the created user.
    Then, after connecting as that user, I am unable to create a table as that user; I am getting a privilege problem.
    Please give a solution.
    Thanks in advance.
    Edited by: Venkateshj on Jan 1, 2013 3:32 PM
    Edited by: Venkateshj on Jan 1, 2013 4:12 PM

    JohnWatson wrote:
    The answer you have so far is not necessarily correct. You have granted RESOURCE to the role, and RESOURCE includes an implicit grant of UNLIMITED TABLESPACE. See this:
        orcl> create role venki;
        Role created.
        orcl> grant connect,resource,create table to venki;
        Grant succeeded.
        orcl> create user tpt identified by tpt default tablespace users account unlock;
        User created.
        orcl> grant venki to tpt;
        Grant succeeded.
        orcl> conn tpt/tpt
        Connected.
        Session altered.
        orcl> create table app(sname varchar2(9),sid int);
        Table created.
        orcl>
    There is no need to grant quota on a tablespace if the user already has RESOURCE, which is one reason why you should never grant RESOURCE to anyone. Clearly, there is something else going on in your database. Another indication that things are not as they seem is that in 11.2.x by default you do not need quota on a tablespace (or UNLIMITED TABLESPACE) to create tables, because by default segment creation is deferred. So you get the error only when you try to insert into the table:
        orcl> create user me identified by me;
        User created.
        orcl> grant create session,create table to me;
        Grant succeeded.
        orcl> conn me/me
        Connected.
        Session altered.
        orcl> create table t1(c1 date) tablespace system;
        Table created.
        orcl> insert into t1 values(sysdate);
        insert into t1 values(sysdate)
        ERROR at line 1:
        ORA-01950: no privileges on tablespace 'SYSTEM'
        orcl>
    I think you need to investigate further. Things are not as they seem.

    OK sir, I'll investigate further, but my problem is solved. From the above content I have to find out why the error occurs in 11g. Let me check once...
    Thank you, Sir.

  • Run User analysis excluding fire fighter roles

    Compliance Calibrator
    I am trying to run user risk analysis from CC. We already have Firefighter implemented, and users mostly have firefighter roles.
    Every time I run risk analysis, I get conflicts even though some of the transactions are only in firefighter roles.
    Let me know if there is a way to exclude firefighter roles from user analysis,
    or any other method that may work.
    Thanks

    Dear Bindu,
    You can exclude these roles from the analysis every time by defining them as critical in the Rule Architect --> Critical Roles tab and then setting the option "Ignore Critical Roles & Profiles" in Config --> Risk Analysis tab to YES, which causes these roles to be ignored during risk analysis.
    Regards,
    Hersh.

  • User Valid to changed while assigning role to a set of users in SU10

    Hi All
    I had a task of assigning a role to a set of users in various systems across the landscape. I find that some of the users had their valid-to date (logon data tab) changed to their last login date. Moreover, in every system the list of user IDs affected by this change of the valid-to date is different. It seems to occur randomly in the various systems, but out of every 10-11 users, 3-4 are affected by this issue. Has anyone faced such an issue before, and how could we resolve it?
    Many thanks for your help and time !!
    Best Regards
    Prashant

    Have you checked OSS notes? Maybe note 1325775 may be relevant for you.
    Cheers

  • How to Disply the List of Roles assigned to a  selected user ?

    Hi all,
    I have a specific requirement to develop using Web Dynpro. I want to programmatically display the list of roles assigned to a selected user. Could someone help me? I promise to award points for the solution.
    Thank you in advance
    Regards
    Maruti

    Hi Maruti,
    import java.util.Iterator;
    import com.sap.security.api.IRole;
    import com.sap.security.api.IRoleFactory;
    import com.sap.security.api.IUser;
    import com.sap.security.api.UMFactory;
    import com.sap.tc.webdynpro.services.sal.um.api.IWDClientUser;
    import com.sap.tc.webdynpro.services.sal.um.api.WDClientUser;

    try {
        IWDClientUser clientUser = WDClientUser.getCurrentUser();
        IUser user = clientUser.getSAPUser();
        // for a user other than the current one: UMFactory.getUserFactory().getUserByLogonID(logonId)
        Iterator rit = user.getRoles(true);   // true = also roles inherited through groups
        IRoleFactory rfact = UMFactory.getRoleFactory();
        while (rit.hasNext()) {
            String roleId = (String) rit.next();   // unique role ID, not the display name
            IRole role = rfact.getRole(roleId);
            // use role.getDisplayName() / role.getUniqueName() to fill your table context
        }
    } catch (Exception e) {
        // report the error instead of silently discarding it
        wdComponentAPI.getMessageManager().reportException(e.getLocalizedMessage(), false);
    }
    check this thread too
    /message/1565111#1565111 [original link is broken]
    Regards, Suresh KB

  • "Role not defined for individual users" on user import

    Hello,
    I am trying to import a certain user from one portal to another and I get this warning message:
    "Role <pcd_role_path> not defined for individual users."
    This role is assigned to this user at the 1st portal and exists at the 2nd portal at the same location.
    What does it mean and what do I need to do in this case?

    hi Roy,
    Just check one thing:
    please check whether the user has permissions on those roles.
    Go to the PCD location where the roles are defined.
    Right-click on the role and check permissions.
    See if the user you are using is listed there. If not, add your user with read/write end-user permission.
    I hope this helps you.
    Regards,
    Sujay

  • Roles require for BI configuration user

    Hi All,
    I have set up the BI connection with our PRD ECC 6.0 server successfully, but while making the RFC connections I used a user with the SAP_ALL profile.
    Now I want to know which exact roles are required for that user to maintain a successful connection and extraction, as I have been asked to remove SAP_ALL from the user I used.
    Which roles should I allocate to the user so that I can guarantee nothing happens to my current configuration?
    Help is really appreciated.
    Best Regards,
    AjitR

    Hi Ajit,
    In SAP BW, you should create a system (not a dialog) user called BWREMOTE.
    BWREMOTE should have the authorization profile S_BI-WHM_RFC.
    Note: S_BI-WHM_RFC is a profile, not a role.
    This profile will give user BWREMOTE the access needed to extract from an OLTP system. The profile also provides the access required for the staging steps to get the data into InfoCubes.
    On the ECC system, you should create a system user called BWALEREMOTE. This user should have the authorization profile S_BI-WX_RFC.
    Note: S_BI-WX_RFC is a profile, not a role.
    This profile will give user BWALEREMOTE the access needed to connect and send data to the SAP BW system.
    (It is permissible to use different names for the users BWREMOTE and BWALEREMOTE. What matters is that the user in SAP BW has the profile S_BI-WHM_RFC and the user in the other SAP system has the profile S_BI-WX_RFC.)
    Hope this solves your concern...
    Regards,
    Habeeb
    Assign points if helpful.
    Message was edited by: Habeebuddin Mohammed

  • Do you really have to delete roles if you deactivate a user?

    I was searching through threads trying to find a recommendation regarding the best way to deactivate users in SAP. I understand locking and changing the validity date, but I am also seeing recommendations to delete the roles... In addition to roles, do you also recommend deleting profiles (ones not associated with a specific role)? I'm asking because I was under the impression it was good for security purposes to know what roles/profiles (authorizations) the user had in the past, in case something happened that required research and the ability to identify "who had the ability to do what". If we delete all of that information from their account, is there still a way to determine what they did have when they were an active user? If it is OK to leave roles in and maybe just set their expiration date, how should profiles not associated with roles be handled?
    I guess most importantly, is there a known recommendation straight from SAP that I can reference?  My searches have come up empty.

    In my opinion, best is to:
    - Retire the user ID by locking the account (not just the password).
    - Set the validity on the user account to expire (preferably when this is known already, and not when a piece of paper becomes current...).
    - Setting the validity of roles is subject to the user compare to a large extent. It is very useful.
    - Manual profiles are a bugger - the dirty trick is to import them as a template into a role.
    > I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.
    I know that the technical explanations of how it works are to a large extent available, release-dependently.
    If you search for the reports associated with the "user compare" (tcode PFUD), you will find a lot of info.
    Recommendations are more tricky, as it depends on what you want. SAP enables a lot of stuff and is responsible for the correct checks in the programs. But how you build your roles and profiles is up to you, and you have a lot of freedom in that area. You can also shoot yourself in the foot.
    I am assuming that you are not on SAP release R/2. Perhaps a bit more detail would help...
    Cheers,
    Julius

  • HOW MANY ROLES ARE ELGIBLE FOR THE USER

    hello gurus,
    How many roles can we assign to a user? What is the maximum limit of roles and profiles for a user?
    thanks in advance!
    sri

    Dear Srinivas,
    About roles, it's indeed not easy to tell; just imagine the scenario:
    1. The maximum number of profiles is 312... (however, due to a known bug, the system reads about 300). So let's say a maximum of 300 profiles can be assigned to a user.
    2. Now you can have single ABAP roles, which generally map one-to-one to a profile. So this theory says that if you are only assigning single ABAP roles, you can assign a maximum of 312 (or 300) roles.
    3. But you might also have composite ABAP roles. A composite ABAP role can contain one or more single/composite ABAP roles. So one composite ABAP role can correspond to any number of profiles, determined by the number of individual single roles under that composite role. So when you are assigning composite ABAP roles, you have to take care of the underlying number of profiles and make sure the total does not exceed 312 (or 300 without the note correction).
    4. Now the last part of the complication (and my favourite one). Sometimes there is an empty role which does not have any ABAP authorization assigned to it, but this type of role is used to map an authorization role in the Java system. These roles do not have any profile (as they do not have any ABAP authorization). Now, that brings my confusion: what happens if you assign 300 ABAP profiles via ABAP roles and another 20 empty roles for the Java system without profiles? You see my point.
    Hope this clarifies a bit
    Cheers !!
    Satya.
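The counting the answer above describes, as an added example that is not SAP code: expand a user's role assignment through composite roles (which may nest) down to the generated profiles, count the distinct profiles, ignore "empty" roles that only exist to map a Java/UME role, and compare the total with the limit. The role names and profile names are constructed; the 312 and 300 figures are the ones quoted in the answer.

```python
"""Count generated profiles behind single and composite ABAP roles.

Added example, not SAP code. Role data below is constructed; the limit
figures are the ones quoted in the answer above.
"""
PROFILE_LIMIT = 312      # figure quoted in the answer
EFFECTIVE_LIMIT = 300    # what the answer says the system actually reads

# Single role -> generated profile. None marks an "empty" role with no ABAP
# authorizations, used only to map a Java/UME role; it has no profile.
SINGLE_ROLES = {
    "Z_FI_AP_CLERK": "T-AB000001",
    "Z_FI_AR_CLERK": "T-AB000002",
    "Z_HR_VIEW": "T-AB000003",
    "Z_JAVA_PORTAL_USER": None,
}

# Composite role -> contained roles (single or composite; nesting allowed).
COMPOSITE_ROLES = {
    "ZC_FINANCE": ["Z_FI_AP_CLERK", "Z_FI_AR_CLERK"],
    "ZC_FINANCE_HR": ["ZC_FINANCE", "Z_HR_VIEW"],
}


def expand_profiles(role, seen=None):
    """Return the set of profiles behind a role, recursing through composites.

    `seen` guards against a composite that (indirectly) contains itself; a
    role reached twice is simply not counted twice, since the result is a set.
    """
    if seen is None:
        seen = set()
    if role in seen:
        return set()
    seen.add(role)
    if role in COMPOSITE_ROLES:
        profiles = set()
        for child in COMPOSITE_ROLES[role]:
            profiles |= expand_profiles(child, seen)
        return profiles
    if role in SINGLE_ROLES:
        profile = SINGLE_ROLES[role]
        return {profile} if profile else set()
    raise KeyError(f"unknown role {role}")


def user_profile_count(assigned_roles):
    """Number of distinct profiles a user receives from all assigned roles."""
    profiles = set()
    for role in assigned_roles:
        profiles |= expand_profiles(role)
    return len(profiles)


def check_assignment(assigned_roles, limit=EFFECTIVE_LIMIT):
    """Summarise an assignment: profile count, directly assigned empty roles,
    and whether the profile count stays within the limit."""
    count = user_profile_count(assigned_roles)
    empty = sum(1 for r in assigned_roles
                if r in SINGLE_ROLES and SINGLE_ROLES[r] is None)
    return {"profiles": count, "empty_roles": empty, "within_limit": count <= limit}


if __name__ == "__main__":
    print(check_assignment(["ZC_FINANCE_HR", "Z_JAVA_PORTAL_USER"]))
```

The empty Java-mapping roles are reported separately because, as the answer notes, they add to the role list without adding a profile; only the profile count is compared against the limit here.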
