Tuesday, August 18, 2015

Creation of Mitigation Controls-Access Controls

  1. Create a Root Org entry; this replaces the Business Units of earlier AC versions. Navigate to the IMG under Shared Master Data Settings and create a Root Org as shown below:

    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364980/433-400/pastedImage_3.png

    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364981/640-276/pastedImage_4.png

    You will then need to:
  2. Create the user in SU01 in the GRC system.
  3. Run the user synchronisation jobs in GRC.
  4. In NWBC, go to Access Management - Access Control Owners, create an entry and select the owner type Mitigation Monitor or Mitigation Approver.

     http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364985/436-400/pastedImage_10.png
     In NWBC, go to Master Data - Organization and assign the user on the Owner tab. Once the user is assigned to the organization, they can be selected as Mitigation Approver/Monitor when a mitigation control is created.

    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364986/640-261/pastedImage_12.png
     Now create a mitigation control from NWBC -> Setup -> Mitigation Controls -> Create

    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364988/640-342/pastedImage_17.png

     http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364989/640-153/pastedImage_18.png

     http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364990/pastedImage_19.png


    Saving can fail after an AC report is added on the Reports tab; without the report the mitigation control saves without issue. I am also adding the Action value by clicking F4, searching for it and then adding it. To resolve this, implement SAP Note 1902129 - Unable to save Mitigation control after adding AC Report.

    Mitigation Monitor: the mitigation monitor checks that the mitigation is actually being performed. Monitoring can be done manually, or alerts can be sent to the monitor. The reports maintained on the Reports tab of the mitigating control will trigger an e-mail to the mitigation approver if the control monitor does not run that report within the specified frequency.
    Alerts are generated by the program shown below, executed via transaction GRAC_ALERT.

    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364991/pastedImage_20.png


    Mitigation Approver: mitigation approvers are assigned to controls and are responsible for approving changes to the control definition and its assignments when workflow is enabled. GRC 10.0 provides a predefined workflow for this, which requires the configuration settings below to be maintained in SPRO.
    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-365001/640-32/pastedImage_0.png
     The standard workflows shown below need to be enabled.
    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-364993/640-199/pastedImage_22.png

     Issues with Deletion of Mitigation Controls or MC assignments


    When deleting mitigation controls or mitigation control assignments, we used to get the message "Task executed", but the deletion did not happen. After implementing the steps below, the issue was resolved.

    1. Run transaction SM30.

    2. Open the view GRFNPARENT in change mode.

    3. Add a new line.

    4. Entity = SUBPROCESS

    5. Parent = ORGUNIT

    Mitigation Control Assignment Workflow

    In GRC we have a standard SAP-provided workflow for mitigation control assignment. I have come across a few queries regarding this workflow: the mitigation assignment approver is not able to view the details because the "VIEW DETAILS" button is greyed out, as shown in the screen below.
    http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-369060/640-81/pastedImage_14.png

    SAP has confirmed that this is standard functionality and has released a note informing users. See the note below.


     http://scn.sap.com/servlet/JiveServlet/downloadImage/102-51292-10-369061/532-400/pastedImage_0.png


    Mitigation Controls - Deleting Root org. Issues
    When users tried to delete root organizations (created as part of mitigation control setup) through transaction PPOM, they received the error shown below.

    Assignment to subordinate objects (Organizational unit ABCD, for example), not possible

    Resolution:

    Execute report RHRHDL00 and delete the root orgs from there; they will be removed. Make sure that all objects under the root org have been deleted beforehand. Note that RHRHDL00 deletes the selected records directly from the database with no undo, so restrict the selection to the intended objects and try it in a non-production system first.

    Transport Organizational Units & Mitigation Controls

    There is no transport mechanism to move Business Units/Organizational Units and Mitigation Controls
    from one landscape to another in the GRC suite, because they are master data.

    There is also no download and upload functionality for these controls. Organizational Units and
    Mitigation Controls are tied together because they are shared between GRC Access Control and
    Process Control.

    You need to recreate them in the destination environment, as transport or movement is not possible.

    When you create an Organizational Unit with its description in GRC, the system generates a
    unique number for it, and that number differs from system to system. This is why the
    Organizational Units must be recreated in each system.

    Mitigating control assignments (User/Role/Profile/User Org/Role Org), however, can be downloaded from
    one landscape and uploaded into another, provided the controls they reference already exist there.

    The most convenient way to change existing mitigation assignments in bulk is to use the standard ABAP programs for download and upload.

    Run them from SA38:

    GRAC_UPLOAD_MIT_ASSIGNMENTS
    GRAC_DOWNLOAD_MIT_ASSIGNMENTS

    Once you have downloaded the full list into an Excel file, make your adjustments and upload it again. Keep a copy of the original download so that a bad upload can be reverted.
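    As an added example (not SAP's code and not from the original post), the Python script below shows the kind of sanity check and bulk adjustment a practitioner might run on the downloaded assignment list, saved as tab-separated text from Excel, before feeding it back to GRAC_UPLOAD_MIT_ASSIGNMENTS. The column layout, field names, date format and sample rows are assumptions constructed for illustration; check the header row of your own export and adapt FIELDS accordingly. It drops duplicate assignments, flags rows with no monitor or an already-expired validity, and extends the validity of assignments to a given control that are about to expire.

```python
"""Bulk-adjust a mitigation-assignment export before re-upload.

Added example, not SAP code. The column layout below is an assumption made
for illustration; check the header row of your own GRAC_DOWNLOAD_MIT_ASSIGNMENTS
file and adapt FIELDS before using it.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumed column layout of the exported file (tab-separated, one header row).
FIELDS = ["OBJECT_TYPE", "OBJECT_ID", "RISK_ID", "CONTROL_ID",
          "MONITOR", "VALID_FROM", "VALID_TO"]
DATE_FMT = "%Y%m%d"  # assumed date format in the export

# Constructed sample export: a handful of user/role assignments (not real data).
SAMPLE_EXPORT = "\t".join(FIELDS) + "\n" + "\n".join([
    "USER\tJSMITH\tP001\tMC001\tAMONITOR\t20150101\t20150831",
    "USER\tJSMITH\tP001\tMC001\tAMONITOR\t20150101\t20150831",  # exact duplicate
    "USER\tMJONES\tF002\tMC002\tBMONITOR\t20150101\t20161231",
    "ROLE\tZ_AP_CLERK\tP001\tMC001\t\t20150101\t20151231",      # no monitor
    "USER\tKLEE\tB003\tMC003\tCMONITOR\t20140101\t20150630",     # already expired
])


def parse_export(text):
    """Read the tab-separated export into a list of dicts keyed by FIELDS."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [dict(row) for row in reader]


def to_date(s):
    """Convert an export date string (YYYYMMDD) to a date."""
    return datetime.strptime(s, DATE_FMT).date()


def assignment_key(r):
    """Identity of an assignment: who is mitigated, for which risk, by which control."""
    return (r["OBJECT_TYPE"], r["OBJECT_ID"], r["RISK_ID"], r["CONTROL_ID"])


def find_issues(rows, today):
    """Return (row_index, problem) pairs worth fixing before the upload."""
    issues, seen = [], set()
    for i, r in enumerate(rows):
        key = assignment_key(r)
        if key in seen:
            issues.append((i, "duplicate assignment"))
        seen.add(key)
        if not r["MONITOR"]:
            issues.append((i, "no monitor assigned"))
        if to_date(r["VALID_TO"]) < today:
            issues.append((i, "validity already expired"))
    return issues


def dedupe(rows):
    """Drop duplicate assignments, keeping the first occurrence."""
    seen, out = set(), []
    for r in rows:
        key = assignment_key(r)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def extend_validity(rows, control_id, today, within_days, new_valid_to):
    """Extend VALID_TO for assignments to control_id expiring within within_days.

    Already-expired rows are deliberately left alone so they surface in
    find_issues() instead of being silently revived. Returns rows changed."""
    horizon = today + timedelta(days=within_days)
    changed = 0
    for r in rows:
        valid_to = to_date(r["VALID_TO"])
        if r["CONTROL_ID"] == control_id and today <= valid_to <= horizon:
            r["VALID_TO"] = new_valid_to.strftime(DATE_FMT)
            changed += 1
    return changed


def write_export(rows):
    """Serialise rows back to the same tab-separated layout for the upload program."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter="\t", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def adjust(text, today, control_id, within_days, new_valid_to):
    """Full pass: report issues, dedupe, extend, and return the new file text."""
    rows = parse_export(text)
    issues = find_issues(rows, today)
    rows = dedupe(rows)
    changed = extend_validity(rows, control_id, today, within_days, new_valid_to)
    return write_export(rows), issues, changed


if __name__ == "__main__":
    out, issues, changed = adjust(SAMPLE_EXPORT, to_date("20150818"),
                                  "MC001", 30, to_date("20151231"))
    for idx, problem in issues:
        print(f"row {idx + 2}: {problem}")   # +2: header row and 1-based numbering
    print(f"{changed} assignment(s) extended")
    print(out)
```

    Review the printed issue list before uploading: the script only removes exact duplicates and never resurrects an expired assignment, because both of those decisions belong to the mitigation approver, not to a spreadsheet edit.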

