Former Member

GRC 5.3: CUP risk analysis VS. RAR risk analysis

I've installed and configured RAR and CUP. When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts. When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged. Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?


5 Answers

  • Former Member
    Posted on Feb 10, 2009 at 03:21 PM

    One more thing: I realize that CUP is doing a risk analysis on all levels, while in RAR I'm doing a permission level analysis. In the configuration guide for AC, it says that CUP can't do analysis on different risk levels, but I thought it was referring to the critical, high, medium, etc. levels. Is it possible to force RAR to do an analysis only on segregation of duties conflicts at the permission level?


    • Former Member

      Yeah, even though it's at permission level, it's doing a risk analysis on all levels: SoD, critical action, and critical permission. I guess it's not possible to change this from CUP, so what I've done is just deactivated all critical action rules in RAR, because we don't use them anyway. This has solved my issue.

      Thanks.

  • Former Member
    Posted on Mar 09, 2009 at 03:31 PM

    Hi guys, I am in the same situation: when I try to do a risk analysis from CUP, it brings back critical action values even if I select permission level or action level risk analysis.

    Need help: how can I ignore critical actions?


  • Posted on Apr 21, 2009 at 09:43 PM

    Hi, I'm facing a similar problem at a couple of client installations. We raised this with SAP, but there is no firm answer from them. So one client has gone with de-activating certain critical actions from RAR. The other is okay to go with this but is awaiting SAP's response.

    That's my experience.

    Rgds,

    Asok


  • Former Member
    Posted on Jul 01, 2009 at 09:30 AM

    Any news if a new enhancement will be included in CUP to enable risk analysis at different levels?

    Due to the problem you guys mentioned, we are unable to activate Critical Actions, as it will flag the transactions regardless of the permissions. We have to mitigate every single user that requests access in CUP.

    I would have thought it would make sense that, if critical actions are assessed at an object level in RAR, they would be in CUP too.


  • Former Member
    Posted on Aug 11, 2009 at 03:38 AM

    Mr. Jackson:

    To correctly do this, you should create a second Rule Set in RAR called something like "CRITACTPERM" and move all Critical Action / Permission Risks there. You then need to make sure that a scan is scheduled for this rule set to update to the Management Reports. If the Default Rule Set is set to Global in RAR, then CUP will only use the SOD rules.

