on 06-27-2007 3:32 PM
Hello, I'm currently running Compliance Calibrator 4.0. I've created a Mitigation Control and assigned a number of Risks to the Mitigation Control.
I've then assigned the Risks in that Mitigation Control to a specific role.
When I run the SoD check, the role no longer shows any issues. This is good and expected.
However, when I run the SoD against a user that has that role assigned the user is reported with issues when no SoD issues should be shown.
Am I missing something? I don't believe I need to assign Mitigation Control to the user, because one day the risk might be valid to that user, but just not for the role I'm trying to mitigate against. Many thanks.
Dylan, make sure the configuration parameter 'Include Role/Prof mitigating contls in User analysis (YES/NO)' is set to YES.
Hello Dylan,
You have mentioned that you run the SoD against a user to whom the specific role is assigned. Has this user been assigned any other role?
When you get issues for that user, are they for the same risks for which you have defined mitigating controls, or for other risks?
-- Anjali
Hello Anjali, thanks for the response.
The user I'm evaluating only has that role assigned. The role is composite, if that makes a difference. The issues are exactly the same for the role and the user. Only that when the SoD report is run against the user, no mitigating controls are reported, but when it is run against the composite role itself, the mitigating controls are reported.
-Dylan
Hi Dylan, the system is reacting correctly.
When you mitigate a role, you mitigate the risk associated with the role and under 'Role Analysis' you will see that this role has been mitigated.
However, when you run a User analysis, the system will still identify him if there is a 'RISK' associated with the user, and this is regardless of whether the associated role is mitigated or not, because what you want to know is the risk of the user and not what roles this user has.
You will need to specifically mitigate the user in order for the mitigation control to show against the user in the report.
The same holds vice versa: when you mitigate a user, it also does not mean that all the roles the user has are mitigated. The risk associated with the roles will still appear when you do 'Role Analysis'.
Cheers!
Hello Naveen,
The thing is, the rule is producing a false positive against the user because they have a wide display role. The rule is still valid if the user one day has another role that gives them the access. If I make the mitigation against the user, then I will miss a real risk against that user one day.
So, what should happen is that I mitigate the role, and if the role is assigned to the user, then the role is removed from the user analysis before the SoD engine checks the auths.
Do I misunderstand the concept with Virsa 4.0 mitigations? -Dylan
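To make the scope question in this thread concrete, here is an added toy model (not Compliance Calibrator code, and not posted by anyone in the thread) of role-level versus user-level SoD analysis. The risk IDs, role names and function names are constructed, and the inheritance rule in user_analysis() is one plausible reading of the 'Include Role/Prof mitigating contls in User analysis' parameter, not the product's documented algorithm: with the flag off only user-scoped controls count, which is what Dylan observed; with it on, a role-scoped control covers a risk only when every role contributing to the conflict carries that control, so a conflict that appears later across roles is still reported, which addresses Dylan's concern about masking a real risk.

```python
"""Toy model of SoD user vs. role analysis with scoped mitigating controls.

Constructed example. Names and the inheritance semantics below are assumptions
chosen to illustrate the thread, not Compliance Calibrator's implementation.
"""

# Constructed SoD rules: a risk fires when one identity holds both functions.
SOD_RULES = {
    "P001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "P002": ("POST_JOURNAL", "APPROVE_JOURNAL"),
}

# Constructed role catalogue: role -> functions it grants.
ROLES = {
    "Z_AP_DISPLAY_WIDE": {"CREATE_VENDOR", "PAY_VENDOR"},  # wide composite role, mitigated at role level
    "Z_VENDOR_PAY": {"PAY_VENDOR"},                        # a genuine payment role
    "Z_GL_POSTER": {"POST_JOURNAL"},
}

# Constructed mitigating-control assignments, keyed by the scope they apply to.
ROLE_MITIGATIONS = {"Z_AP_DISPLAY_WIDE": {"P001"}}


def role_analysis(role):
    """Risks raised by a single role, with role-scoped controls applied."""
    funcs = ROLES[role]
    mitigated = ROLE_MITIGATIONS.get(role, set())
    return {
        rid: ("mitigated" if rid in mitigated else "open")
        for rid, (a, b) in SOD_RULES.items()
        if a in funcs and b in funcs
    }


def _risk_sources(user_roles):
    """Map each risk the user triggers to the roles contributing a conflicting function."""
    sources = {}
    for rid, (a, b) in SOD_RULES.items():
        roles_a = {r for r in user_roles if a in ROLES[r]}
        roles_b = {r for r in user_roles if b in ROLES[r]}
        if roles_a and roles_b:
            sources[rid] = roles_a | roles_b
    return sources


def user_analysis(user_roles, include_role_mitigations, user_mitigations=frozenset()):
    """User-level SoD result for a set of assigned roles.

    include_role_mitigations=False: only controls on the user itself count.
    include_role_mitigations=True: a role-scoped control covers the risk only
    when every role that contributes to the conflict carries a control for it
    (assumed semantics); a conflict arising across roles stays open.
    """
    result = {}
    for rid, contributing in _risk_sources(user_roles).items():
        if rid in user_mitigations:
            result[rid] = "mitigated (user control)"
        elif include_role_mitigations and all(
            rid in ROLE_MITIGATIONS.get(r, set()) for r in contributing
        ):
            result[rid] = "mitigated (role control)"
        else:
            result[rid] = "open"
    return result


if __name__ == "__main__":
    # Role analysis shows the control, matching what Dylan saw on the role.
    print("role:", role_analysis("Z_AP_DISPLAY_WIDE"))
    # User analysis with the parameter off: the same risk is reported open.
    print("user, flag off:", user_analysis({"Z_AP_DISPLAY_WIDE"}, False))
    # With the parameter on, the role-level control is inherited.
    print("user, flag on:", user_analysis({"Z_AP_DISPLAY_WIDE"}, True))
    # A later, independent payment role re-opens the risk for the user.
    print("user + real role:", user_analysis({"Z_AP_DISPLAY_WIDE", "Z_VENDOR_PAY"}, True))
```

The last case is the one Dylan is worried about: mitigating at role scope keeps the user-level report clean for the display role alone, while a risk that later arises through another role is still surfaced, which a user-scoped control would have hidden.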