We recently implemented support pack 18 for our GRC 5.3 environment. RAR is now showing some odd behavior in Production that we did not see in testing (in our Sandbox or Development environments).
Our SAP security admins globally are asked to mitigate users (if they have SoDs) at the time roles are assigned to them. Sometimes, this step gets missed or roles change on the backend, causing/changing SoD conflicts. To catch these, we run a Global SoD report every Sunday. There are usually 30-80 SoD conflicts that show up on this report weekly. Since implementing support pack 18, only 4 conflicts show on the report, and these are all custom-built risks.
We were thinking this is strange behavior because we were expecting to see more SoDs (30-80). After some investigating, we've discovered that the system believes the roles are mitigated at the Role Level, even though they are not.
For example, we have USER1 who has a legitimate P005 conflict. None of this user's roles are mitigated at the Role Level. We expect P005 to show on the SoD report, but it does not. When we run Risk Analysis with the "Exclude Mitigated Risks" option set to "No," it shows P005 is a true conflict but that it is Mitigated at the Role Level. I can confirm in the Mitigation Tab that none of this user's roles are mitigated. Why is the system saying it is?
We have confirmed that configuration has not changed recently. All RAR configuration has remained the same for some time now (in all environments: PROD, DEV, and SBOX). We do set the following configuration to YES: Include Role/Profile Mitigating Controls in User Analysis. Per our compliance policies, we do want to keep this option set to yes because we do mitigate some roles, but not many.
Does this sound like a bug with SP 18?
Or are there additional troubleshooting measures I should try?
Has anyone else had similar issues or issues in general with RAR and SP 18?
THANKS in advance!