on 09-19-2012 1:40 PM
Hi all,
In my risk analysis at the user level, the system shows me too many conflicts in comparison to our prod. system analysis. I filled in the same action (transaction) in Access Control (in the function IDs) as in our prod. system. Could it be that the values will bring me more conflicts than in our prod. system? Maybe they are not correctly pronounced? What kind of reason could it be?
Thanks for your help!
Thorsten
Hi Thorsten,
Please make sure that your Risks are correctly configured in Access Control.
Moreover, the Actions and Permissions which are maintained in the Functions are available in many of your Roles which are assigned to Users in the Prod (plugin) system. Also refer to the Detail format report of the Risk Analysis results to view the Roles which are causing violations.
Please revert if you have any questions.
Regards,
Nikita
Hi Nikita,
thanks for your answer.
Let me explain my situation and what I have done:
I created a function ID with 5 actions (transactions). The next step was, under the sheet "authorisation", to activate all authorisation objects with the fields and values. So I activated each authorisation object (for example F_SKA1_BES) for all 5 transactions. Therefore I have this authorisation object activated 5 times (5 transactions for this object). But I'm not sure if this is correct. Maybe it is enough to activate every authorisation object only once (even if there are 5 transactions - in R/3 it is also enough!). So I tried this and changed it - now I have activated this object only once. But I get the same number of conflicts as before.
What can I do? Is there any customizing that I have to edit? Is there any synchronisation job that I have to activate after every change? Or is my permission still not correct?
Thanks for your help.
Thorsten
Hi Thorsten,
The ruleset looks at transactions and each of the defined permissions in isolation to check whether the user or role has that combination. This is aggregated into either an Action or permission rule. When a combination of these permissions is triggered, this satisfies a particular element of the total function. If it is a Critical action or permission risk, this will be sufficient to trigger a violation and put the details onto the report output (with the risk and rule identified). If it is an SOD risk, then this satisfies one side of the risk but will not be reported unless a combination of the other side is also triggered.
Therefore, if you have 5 transactions in the function, you will need to activate the permission checks for all of those transactions in the function if the authorisations are required.
Simon
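A simplified model of the evaluation Simon describes above, added here as an illustration; it is not SAP's implementation and not code from any poster in this thread. The transaction names, the ACTVT values, the risk IDs and the `level` switch (action level checking the transaction only) are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Permission:
    obj: str
    fld: str
    value: str
    active: bool = True   # inactive permissions are not checked

@dataclass
class Function:
    fid: str
    actions: dict          # action (transaction) -> list of Permission

    def hits(self, user, level):
        """Actions of this function that the user satisfies."""
        found = []
        for action, perms in self.actions.items():
            if action not in user["actions"]:
                continue
            # Assumption: action level looks at the transaction only.
            needed = [p for p in perms if p.active] if level == "permission" else []
            if all((p.obj, p.fld, p.value) in user["auths"] for p in needed):
                found.append(action)
        return found

def analyze(user, risks, level="permission"):
    """risks maps risk ID -> functions: one = critical risk, two = SoD risk.
    A risk is reported only when every side has at least one hit."""
    return [rid for rid, funcs in risks.items()
            if all(f.hits(user, level) for f in funcs)]

# Constructed sample data (not taken from any real ruleset).
F_MAINT = Function("F_MAINT", {
    "TX_A": [Permission("F_SKA1_BES", "ACTVT", "01")],
    "TX_B": [Permission("F_SKA1_BES", "ACTVT", "01")],
})
F_SHOW = Function("F_SHOW", {"TX_C": [Permission("F_SKA1_BES", "ACTVT", "03")]})
RISKS = {"R_SOD": [F_MAINT, F_SHOW], "R_CRIT": [F_SHOW]}
USER = {"actions": {"TX_A", "TX_C"},
        "auths": {("F_SKA1_BES", "ACTVT", "03")}}

if __name__ == "__main__":
    print(analyze(USER, RISKS, "permission"))  # only the critical risk
    print(analyze(USER, RISKS, "action"))      # SoD risk appears as well
```

In this model, setting a permission to inactive removes a condition, so the function matches more users rather than fewer.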
Hi Thorsten,
You have to individually activate the permissions for the actions that you are adding. Hence the combination of Transaction and authorization object will result in a Risk.
Apart from that, please run the Authorization and Repository sync jobs for the plug-in system.
Regards,
Nikita
Hi Simon,
I copied a function ID and did some tests with it. Is it possible that it doesn't make a difference whether the values are active or inactive? Because I get the same number of risks when I switched the values from active to inactive. Could it be that I have to start a job or synchronisation job between both analyses?
Regards
Thorsten
Hi Nikita,
I copied a function ID and did some tests with it. Is it possible that it doesn't make a difference whether the values are active or inactive? Because I get the same number of risks when I switched the values from active to inactive. Could it be that I have to start a job or synchronisation job between both analyses?
Regards
Thorsten
Hi Thorsten,
This is quite hard to debug in a discussion forum, but judging by the kind of questions you have, 2 or 3 days with a good consultant might be an excellent investment.
From what I can see here:
- the "object" you activated is actually an org level, i.e. it's not part of the standard risk analysis
- what kind of risk analysis did you trigger - action level or permission level?
Frank.
Actually you should not have to do that at this level, as the functions generally come with the (most) necessary objects pre-activated, or they pull them in via SU24.
If you have functions where no permission objects are active I would try to find out how you got to that state in the first place - that's not what it should be like...
Frank.
Hi Thorsten,
It's not that this is the wrong forum, it is more that issues like these will not normally be fixed via any sort of forum. It is really difficult to analyse and suggest an appropriate course of action with offline content and only discussion posts about the issue.
As Frank suggests, perhaps a couple of days onsite consultancy might yield better results than a public forum.
Simon
Hi Simon,
thanks for your answer. Maybe you have another tip for me.
If I run a risk analysis (Risikoüberschreitung - see screenshot) I get a different number of users. We have 235 users (dialog & others) in the prod. system but AC tells me about 217. Do you have any idea? What could be the reason for the difference?
Thanks
Thorsten