AC 10.0 - I got too many conflicts

Hi all,

In my risk analysis at the user level, the system shows me too many conflicts in comparison to our prod. system analysis. I filled in the same action (transaction) in Access Control (in the function IDs) as in our prod. system. Could it be that the values bring me more conflicts than in our prod. system? Maybe they are not correctly pronounced? What kind of reason could it be?

Thanks for your help!

Thorsten

Accepted Solutions (0)

Answers (1)


Former Member

Hi Thorsten,

Please make sure that your Risks are correctly configured in Access Control.

Moreover, the Actions and Permissions which are maintained in the Functions are available in many of your Roles which are assigned to Users in the Prod (plugin) system. Also refer to the Detail format report of the Risk Analysis results to view the Roles which are causing violations.

Please revert if you have any questions.

Regards,

Nikita

0 Kudos

Hi Nikita,

thanks for your answer.

Let me explain my situation and what I have done:

I created a function ID with 5 actions (transactions). The next step was, on the "authorisation" sheet, to activate all authorisation objects with their fields and values. So I activated each authorisation object (for example F_SKA1_BES) for all 5 transactions. Therefore I have this authorisation object activated 5 times (5 transactions for this object). But I'm not sure if this is correct. Maybe it is enough to activate every authorisation object only one time (even if there are 5 transactions - in R/3 it is also enough!). So I tried this and changed it - now I have activated this object one time only. But I get the same number of conflicts as before.

What can I do? Is there any customizing that I have to edit? Is there any synchronisation job that I have to activate after every change? Or is my permission still not correct?

Thanks for your help.

Thorsten

simon_persin4
Contributor

Hi Thorsten,

The ruleset looks at transactions and each of the defined permissions in isolation to check whether the user or role has that combination. This is aggregated into either an Action or permission rule. When a combination of these permissions is triggered, this satisfies a particular element of the total function. If it is a Critical action or permission risk, this will be sufficient to trigger a violation and put the details onto the report output (with the risk and rule identified). If it is an SOD risk, then this satisfies one side of the risk but will not be reported unless a combination of the other side is also triggered.

Therefore, if you have 5 transactions in the function, you will need to activate the permission checks for all of those transactions in the function if the authorisations are required.

Simon

Former Member

Hi Thorsten,

You have to individually activate the permissions for the actions that you are adding. Hence the combination of Transaction and authorization object will result in a Risk.

Apart from that, please run the Authorization and Repository sync jobs for the plug in system.

Regards,

Nikita

0 Kudos

Hi Simon,

I copied a function ID and did some tests with it. Is it possible that it doesn't make a difference whether the values are active or inactive? I get the same number of risks when I switched the values from active to inactive. Could it be that I have to start a job or synchronisation job between both analyses?

Regards

Thorsten

0 Kudos

Hi Nikita,

I copied a function ID and did some tests with it. Is it possible that it doesn't make a difference whether the values are active or inactive? I get the same number of risks when I switched the values from active to inactive. Could it be that I have to start a job or synchronisation job between both analyses?

Regards

Thorsten

Former Member

Hi Thorsten,

Please generate the Rules whenever you try to activate or inactivate the Action / Permissions in your Function.

Also, run the Authorization and Repository sync jobs for the plug in system.

Regards,

Nikita
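
A simplified model of the behaviour described in the replies above, added here as an example (it is not part of the thread and not SAP's code): rules are generated as a snapshot of each function's actions and active permissions, and an SoD risk is reported only when both sides match, so toggling a permission changes nothing until the rules are regenerated. The function and risk IDs, users, permission values and rule layout are constructed assumptions.

```python
# Simplified model of permission-level risk analysis; constructed data, not SAP code.
from copy import deepcopy
from itertools import product

GL_CHANGE = ("F_SKA1_BES", "ACTVT", "02")   # constructed permission values
DOC_POST = ("F_BKPF_BUK", "ACTVT", "01")

# function -> action (transaction) -> {permission: active flag}
FUNCTIONS = {
    "FN01": {"FS00": {GL_CHANGE: True}},
    "FN02": {"FB50": {DOC_POST: True}},
}
RISKS = {"R001": ("FN01", "FN02")}  # SoD risk: two conflicting functions

# user -> (transactions held, permissions held)
USERS = {
    "ALICE": ({"FS00", "FB50"}, {GL_CHANGE, DOC_POST}),
    "BOB": ({"FS00", "FB50"}, {("F_SKA1_BES", "ACTVT", "03"), DOC_POST}),
    "CAROL": ({"FS00"}, {GL_CHANGE}),  # one side of the risk only
}

def generate_rules(functions, risks):
    """Snapshot each risk into rules: one action per side plus its ACTIVE permissions."""
    rules = []
    for risk_id, sides in risks.items():
        per_side = [
            [(action, frozenset(p for p, on in perms.items() if on))
             for action, perms in functions[fn].items()]
            for fn in sides
        ]
        rules += [(risk_id, combo) for combo in product(*per_side)]
    return rules

def analyse(rules, users):
    """Report (user, risk) when every side's action and required permissions are held."""
    return {
        (user, risk_id)
        for risk_id, combo in rules
        for user, (tcodes, held) in users.items()
        if all(action in tcodes and required <= held for action, required in combo)
    }

def demo():
    functions = deepcopy(FUNCTIONS)
    rules = generate_rules(functions, RISKS)
    before = analyse(rules, USERS)
    functions["FN01"]["FS00"][GL_CHANGE] = False   # deactivate the permission
    stale = analyse(rules, USERS)                  # old rules: result unchanged
    fresh = analyse(generate_rules(functions, RISKS), USERS)  # regenerated rules
    return before, stale, fresh
```

In this model, `stale` equals `before` because the analysis reads the generated rules rather than the function definition, and `fresh` gains BOB because a rule with fewer active permissions matches more users.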

koehntopp
Product and Topic Expert

Hi Thorsten,

This is quite hard to debug in a discussion forum, but judging by the kind of questions you have, 2 or 3 days with a good consultant might be an excellent investment.

From what I can see here:

- the "object" you activated is actually an org level, i.e. it's not part of the standard risk analysis

- what kind of risk analysis did you trigger - action level or permission level?

Frank.

koehntopp
Product and Topic Expert

Actually you should not have to do that at this level, as the functions generally come with the (most) necessary objects pre-activated, or they pull them in via SU24.

If you have functions where no permission objects are active I would try to find out how you got to that state in the first place - that's not what it should be like...

Frank.

0 Kudos

Hi Frank,

what would be the right forum if I have questions?

Thorsten

simon_persin4
Contributor

Hi Thorsten,

It's not that this is the wrong forum, it is more that issues like these will not normally be fixed via any sort of forum. It is really difficult to analyse and suggest an appropriate course of action with offline content and only discussion posts about the issue.

As Frank suggests, perhaps a couple of days onsite consultancy might yield better results than a public forum.

Simon

0 Kudos

Hi Simon,

thanks for your answer. Maybe you have another tip for me.

If I run a risk analysis (Risikoüberschreitung - see screenshot), I get a different number of users. We have 235 users (dialog & others) in the prod. system but AC tells me about 217. Do you have any idea? What could be the reason for the difference?

Thanks

Thorsten 

koehntopp
Product and Topic Expert

Is it possible you set up AC to ignore non-dialog users?

Frank.

0 Kudos

Hi Frank,

maybe, but I don't know where? Do you have an idea?