on 02-04-2015 9:20 PM
Hi GRC experts,
We are going from VIRSA 4.0 to GRC 10.1. Now, some of our roles have a few conflicts at transaction / auth. object level. Is it necessary / a must to solve those conflicts before installation of GRC 10.1?
During data export to GRC would this result in error and we will have to solve all those conflicts first?
OR
It would just result in warning and we will have time to work on role design after moving to GRC?
Please help!
Dear Pooja
The existing risks in an end user role shouldn't have any impact whatsoever on the implementation of GRC AC 10.1.
Feel free to implement the ARA module & then run risk analysis against the upgraded ruleset & then perform remediation or mitigation activities - so that you end up with clean roles.
I wouldn't suggest performing role cleanup activity in 4.0 & then redoing the same exercise in 10.1 since you will have a new risk ruleset.
Naveen
This also brings a question - Wouldn't a new rule set always have more rules added / enhanced over the previous one? SODs identified in 4.6 should all be "included" in AC 10.1, no?
Is that a correct statement? If so, we might as well start working on those now so that we have fewer to work on once we have the new rule set?
Hi Pooja,
As Naveen mentioned, it is not mandatory to resolve / mitigate all your risks for an upgrade.
Although, when you say "SODs identified in 4.6 should all be "included" in AC 10.1, no?" the answer would be it depends. The rule set is updated by SAP regularly; the updates are applicable for GRC 4.0, 5.x and 10.x versions alike. The latest update as per my understanding was in Q4, 2013. This update is already included in all above GRC 10.0 SP14. Assuming you are moving to 10.1, say even the (n-1) SP, it should have the latest updates already in its BC sets.
Now, if you would like to validate the changes in the standard rules made by SAP, you would need to verify the changes in all the updates provided from the one that is being used currently in your system and the one that is latest. You can find the changes in SAP Notes. For example, the last one Q1, 2013's note is "1960531 - GRC - Access Control - Access Risk Management Rule Update Q4, 2013". Similar notes for other previous updates would hold the list of all changes.
These notes also provide information on how to use the information provided.
In whatever case, the ideal active ruleset should be the one that is signed off and customized for your customer. Which, irrespective of any changes to the standard best practice provided by SAP, must remain as is, unless said so by the decision making party from your customer's end. Therefore, any changes you find must then be run through the customer / decision making party to come to a conclusion.
Thanks
Sammukh