
Risk Analysis generates hits because of fields in different roles

Anyone experience with this?

When I'm performing a risk analysis on HR object level, GRC is generating hits because of a combination of fields of the same authorization object coming from different roles.

Example 1:

Hit generated because S_TABU_DIS-ACTVT comes from one role and S_TABU_DIS-DICBERCLS from another:

Ruleset

Example 2:

Again S_TABU_DIS: gets ACTVT and DICBERCLS from separate roles

ruleset

Users are linked to HR objects.

Whenever I perform the same analysis on user level, I don't get any results (which is expected & correct).

Checking HR Position assignment to users

Object 50001134

Object 50001775

Analysis

Permission rules:

Any thoughts or advice are highly appreciated.

We are on GRC 10.1 SP 12

Target system has GRCPINW V1100_731 0013
Best regards,

1 Answer

  • Jul 13, 2016 at 02:34 PM

    Hi Tom,

    The GRC system is likely reporting the risks accurately.  A user's authorizations are just a total combination of all the authorizations from the roles that they have.  This is why security is so tricky - you can get "cross-pollination" of authorizations for the specific auth object but from different roles.

    Look into the roles involved here.  One role may have no restriction (*) on table group for S_TABU_DIS, which overrides the other restriction the user may have from another role.  Same with ACTVT values.  If any of the roles haven't been restricted enough, you will see these values from the roles in your report.

    You can perform negative testing to see if the user has the flagged access or not by modeling the account in your test environment and actually attempting to perform what is being flagged as a risk.

    -Ken


    • Sure, cf. below

      I've already opened an OSS incident. I think it's a bug for the risk analysis on HR objects. I was hoping somebody else ever had/noticed this & knew of an OSS note that solved the problem.

      Thanks for your input!

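As an added illustration (not code from this thread, from SAP or from GRC; the role names, field values and the rule are constructed), the block below contrasts the two ways a permission rule on S_TABU_DIS can be evaluated against the roles behind a user or HR object: per authorization instance, which is how SAP's runtime AUTHORITY-CHECK decides access, and by first merging each field's values across all roles, which produces exactly the kind of hit the question describes. Ken's point about a wide value such as DICBERCLS = * in a single role is covered by the third case.

```python
# Added illustration: per-authorization vs. merged-field evaluation of a
# GRC-style permission rule on S_TABU_DIS. All data here is constructed.

# Each role contributes its own authorization instance for S_TABU_DIS.
# (constructed: role names and field values are illustrative only)
ROLES = {
    "Z_DISPLAY_TABLES":  [{"ACTVT": {"03"}, "DICBERCLS": {"SC"}}],
    "Z_MAINTAIN_HR_TAB": [{"ACTVT": {"02"}, "DICBERCLS": {"PA"}}],
}

# Constructed rule: flag change access (ACTVT 02) on table group SC.
RULE = {"ACTVT": "02", "DICBERCLS": "SC"}


def field_matches(values, wanted):
    """SAP-style field comparison: '*' matches any value, else exact match."""
    return "*" in values or wanted in values


def per_authorization_hit(roles, rule):
    """Hit only if ONE authorization instance satisfies every rule field.
    This mirrors how AUTHORITY-CHECK evaluates an object at runtime: values
    from two different authorizations never combine."""
    for auths in roles.values():
        for auth in auths:
            if all(field_matches(auth[f], v) for f, v in rule.items()):
                return True
    return False


def merged_fields_hit(roles, rule):
    """Naive evaluation: union each field's values across all roles first,
    then test the rule against the merged sets. ACTVT from one role and
    DICBERCLS from another can now satisfy the rule together, which is the
    'cross-pollination' the thread describes."""
    merged = {}
    for auths in roles.values():
        for auth in auths:
            for field, values in auth.items():
                merged.setdefault(field, set()).update(values)
    return all(field_matches(merged[f], v) for f, v in rule.items())


def with_wide_role(roles):
    """Add a constructed role with an unrestricted table group (DICBERCLS *)."""
    wide = {k: list(v) for k, v in roles.items()}
    wide["Z_TABLE_ADMIN"] = [{"ACTVT": {"02"}, "DICBERCLS": {"*"}}]
    return wide
```

With the two narrow roles, `per_authorization_hit` returns False while `merged_fields_hit` returns True, reproducing a hit made of fields from different roles; adding the wide role makes both evaluations report a hit, because a single authorization then satisfies the whole rule.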