Skip to Content
avatar image
Former Member

GRC ARA risk defined as critical


Can you please confirm that this is how GRC Access control should work.

Here is the scenario:

We have few SOD risks defined as Critical (Risk level) . Those risks seem to behave in Risk Analysis like it would be a Critical action. By this we mean that we get results from the ad-hoc risk analysis even though the user/role does not have transaction codes from the both functions from the particular risk.


Risk ID: H005 (risk level Critical)

Function ID's: HR04 and PY04

The user is having transactions only from HR04, but usage of this function comes to the report. User does not have ANY transactions from the PY04.

This happens to multiple users. This does not happen if the Risk level of the SOD risk is something else than Critical.

Is this normal functionality of ARA risk analysis?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Nov 29, 2017 at 01:26 PM

    Hello Sanna,

    Firstly, no its not normal functionality and its not how GRC ARA should work.

    Coming to your issue, could you please share few screen shots, your GRC SP level, it will help in better analysis.

    Also, please cross check the rule IDs while executing risk analysis with the rule IDs of generated ruleset.

    Kind regards,


    Add comment
    10|10000 characters needed characters exceeded