Channel: Governance, Risk and Compliance (SAP GRC)

Maintenance of Critical Risks at Critical Permission level


Risks:


Risks are the core objects that identify the potential access issues which your enterprise may encounter. The elements that make up a risk are its attributes. Risk management uses the attribute descriptions to generate rules. Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately by mitigation or remediation to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

 

Critical Permission Risk:


Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. Use this risk type when the function has the permission enabled but contains no actions (transaction codes). A critical permission risk can contain only one function.

 

The SAP-delivered SoD rule set doesn't contain any critical risk ID for critical actions or critical permissions. So, if you run the access risk violation reports at user or role level and select any analysis type other than Critical Permission level (Action level, Permission level, Critical action level, etc.), you see the risk reports as expected from the selected rule sets. But if you select only Critical Permission level, you won't see any violations, because the SAP standard SoD rule set doesn't contain any critical risk ID at either action or permission level.

 

So, in order to customize the rule set and to create Critical risk at permission level, first we need to create a Function ID which would contain the permission (authorization object) and no action (transaction code) in it.

 

// Version of GRC used: GRC AC 10.1 and SP 06 //

 

Go to create Functions as per the path defined below and don't add any action in this function.

snap1.png

 

Now, we will go to Permission tab to enter the required permission to be treated as Critical Permission.

 

snap2.png

 

Now, this Function ID (CF01) has to be added to a new Risk ID (CR02), map this risk ID with the Rule set and assign the risk owner as below:

 

snap3new.png

 

Then generate the rules for this newly created Risk ID, either via NWBC or via SPRO (IMG --> GRC --> Access Control --> Access Risk Analysis --> SoD Rules --> Generate SoD Rules; enter the newly created Risk ID and execute).

 

 

snap5.png

 

We would see the risk violations at critical permission as below:

snap6.png
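As an added illustration (not SAP's own code and not part of the original post), the following simplified Python model of the analysis levels shows why the delivered rule set reports nothing at Critical Permission level until a single-function, permission-only risk such as CR02 exists. The risk and function semantics are simplified assumptions, and every id and value below is constructed for the example.

```python
# Added illustration, not SAP code: a simplified model of how the analysis level
# chooses which risks in a rule set can be reported. All ids and values here are
# constructed for the example (CF01 and CR02 mirror the names used in the steps).
from dataclasses import dataclass, field

@dataclass
class Function:
    id: str
    actions: set = field(default_factory=set)      # transaction codes
    permissions: set = field(default_factory=set)  # authorization object values

@dataclass
class Risk:
    id: str
    functions: list  # critical risks hold exactly one function, SoD risks two or more

def risk_type(risk):
    """A one-function risk is critical-action if the function has actions, else critical-permission."""
    if len(risk.functions) == 1:
        return "CRITICAL_ACTION" if risk.functions[0].actions else "CRITICAL_PERMISSION"
    return "SOD"

def covered(func, user_actions, user_perms, by_permission):
    """Action levels need a matching action; permission levels need a matching
    permission plus a matching action when the function defines any (assumed model)."""
    action_ok = bool(func.actions & user_actions)
    if not by_permission:
        return action_ok
    return bool(func.permissions & user_perms) and (action_ok or not func.actions)

LEVELS = {  # analysis level -> (risk types it reports, evaluate by permission?)
    "ACTION": ({"SOD"}, False),
    "PERMISSION": ({"SOD"}, True),
    "CRITICAL_ACTION": ({"CRITICAL_ACTION"}, False),
    "CRITICAL_PERMISSION": ({"CRITICAL_PERMISSION"}, True),
}

def analyze(rule_set, user_actions, user_perms, level):
    """Ids of risks the user violates at the chosen level (sorted for stable output)."""
    types, by_perm = LEVELS[level]
    return sorted(r.id for r in rule_set if risk_type(r) in types
                  and all(covered(f, user_actions, user_perms, by_perm) for f in r.functions))

# Constructed data: a delivered-style SoD risk, then the custom critical permission risk.
DELIVERED = [Risk("S001", [Function("F1", {"TCODE_A"}, {"OBJ_A:ACTVT=01"}),
                           Function("F2", {"TCODE_B"}, {"OBJ_B:ACTVT=01"})])]
CF01 = Function("CF01", set(), {"OBJ_C:ACTVT=02"})   # permission only, no action
CUSTOM = DELIVERED + [Risk("CR02", [CF01])]           # rule set after adding CR02
USER_ACTIONS = {"TCODE_A", "TCODE_B"}
USER_PERMS = {"OBJ_A:ACTVT=01", "OBJ_B:ACTVT=01", "OBJ_C:ACTVT=02"}
```

Running `analyze(DELIVERED, USER_ACTIONS, USER_PERMS, "CRITICAL_PERMISSION")` returns an empty list, while the same call against `CUSTOM` reports `CR02`, which is the behaviour the steps above produce in the real system.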

 

Your inputs/suggestions are always welcome

 

Courtesy & Regards,

Ameet Kumar & Fernando Bassuino

