Former Member

Virsa Config Logic?: Include Role/Prof mitigating contls in User Analysis

Hello All,

After changing configuration option "26 Include Role/Prof mitigating contls in User analysis(YES/NO)" from NO to YES, I noticed that the mitigation seems to be overextending itself into other roles. Example:

User with RoleA, RoleB and RoleC has potential conflicts. It turns out that RoleC is not a real problem but RoleA and RoleB are. So, I mitigate one rule against RoleC.

With configuration option 26 set to YES, I would expect that the mitigating control would apply only against RoleC and that the SoD issues against RoleA and RoleB would still be reported as a problem; however, RoleA and RoleB are now also mitigated. This means that roles I had not intended to mitigate are mitigated.

How should the logic within Virsa be understood?

Thanks, Dylan


1 Answer

  • Former Member
    Aug 22, 2007 at 01:44 PM

    Adding details to this subject, here is a test scenario that anyone can try:

    Build RoleA only with S_TABU_DIS and change/display access to P000 to PZZZ table groups.

    Build RoleB with transactions PC00_M10_CDTC and PC00_M99_CURSET

    Build RoleC also with transactions PC00_M10_CDTC and PC00_M99_CURSET

    Create a dummy user with all three roles assigned and run the SOD report against the user and risk H00600501.

    Afterward create a mitigation for that risk and RoleC combination only.

    Re-run the report. If possible, please also list your Virsa version and support pack level. The customer system I'm on is 4.0 and SP 04.

    Many thanks for any help in this regard. The mitigations configuration option is a really important option under the circumstances and I would like to use it but cannot at the moment considering the results.

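The thread never states what option 26 actually does, so the following Python model, added here as an illustration and not code from the post, from Virsa or from SAP, makes the two candidate semantics concrete using the test scenario above. It builds the user-level (cross-role) analysis from role contents, then applies a mitigating control assigned to the risk and RoleC under two interpretations: role-scoped (the behaviour the poster expected) and user-wide (the over-extension the poster observed). The role contents follow the scenario, but the two functions that make up risk H00600501 are constructed stand-ins, since the post gives only the risk id, and "a role enables a function if it holds any of its actions" is a simplification assumed for the example.

```python
from itertools import combinations

# --- Constructed sample data (an assumption for illustration, not the real
# risk definition in Virsa / SAP GRC) -------------------------------------
# Role -> the actions (transactions / authorization objects) it grants,
# following the test scenario in the answer above.
ROLES = {
    "RoleA": {"S_TABU_DIS:P000-PZZZ"},             # table maintenance only
    "RoleB": {"PC00_M10_CDTC", "PC00_M99_CURSET"},
    "RoleC": {"PC00_M10_CDTC", "PC00_M99_CURSET"},
}

# A risk pairs two business functions one user must not hold together.
# The function names and their actions are invented stand-ins; the post
# only gives the risk id H00600501.
RISK_ID = "H00600501"
RISK_FUNCTIONS = {
    "F_TABLE_MAINT": {"S_TABU_DIS:P000-PZZZ"},
    "F_PAYROLL_RUN": {"PC00_M10_CDTC", "PC00_M99_CURSET"},
}


def roles_granting(function_actions, user_roles, roles=ROLES):
    """Roles in the user's assignment that grant any action of a function
    (simplification: one matching action is enough to enable the function)."""
    return sorted(r for r in user_roles if roles[r] & function_actions)


def user_conflicts(user_roles, functions=RISK_FUNCTIONS, risk_id=RISK_ID, roles=ROLES):
    """Cross-role user analysis: every pair of roles that together complete
    the risk is one conflict, recorded as (risk, role_x, role_y) with the
    roles sorted so the same pair is never reported twice. A single role
    that grants both functions shows up as (risk, role, role)."""
    found = set()
    for f1, f2 in combinations(functions, 2):
        for r1 in roles_granting(functions[f1], user_roles, roles):
            for r2 in roles_granting(functions[f2], user_roles, roles):
                found.add((risk_id,) + tuple(sorted((r1, r2))))
    return sorted(found)


def remaining_conflicts(user_roles, mitigations, scope):
    """Apply role-level mitigating controls and return what is still open.

    mitigations: set of (risk_id, role) pairs, i.e. controls created for a
                 risk and one role, as in the test scenario.
    scope="role": a control clears only conflicts in which that role takes
                  part (what the poster expected from option 26 = YES).
    scope="user": any control for the risk clears every conflict for that
                  risk on the user (the over-extension the poster observed).
    """
    if scope not in ("role", "user"):
        raise ValueError("scope must be 'role' or 'user'")
    mitigated_risks = {risk for risk, _ in mitigations}
    open_conflicts = []
    for risk, r1, r2 in user_conflicts(user_roles):
        if scope == "user" and risk in mitigated_risks:
            continue
        if scope == "role" and ({(risk, r1), (risk, r2)} & mitigations):
            continue
        open_conflicts.append((risk, r1, r2))
    return open_conflicts


if __name__ == "__main__":
    user = ["RoleA", "RoleB", "RoleC"]
    control = {(RISK_ID, "RoleC")}          # mitigation for risk + RoleC only
    print("no mitigation:", remaining_conflicts(user, set(), "role"))
    print("role-scoped:  ", remaining_conflicts(user, control, "role"))
    print("user-wide:    ", remaining_conflicts(user, control, "user"))
```

Under the role-scoped reading the RoleA/RoleB conflict stays open after mitigating RoleC; under the user-wide reading every conflict for H00600501 disappears, which is the result the poster describes. Comparing a real report against these two lists for the same dummy user is a quick way to tell which scoping a given Virsa version and support pack applies.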