on 11-21-2019 5:18 AM
Dear Experts,
My client has a custom ruleset in which they have an OR condition between 2 auth objects of a t-code within a function.
For example, t-code se16 with object s_tabu_dis "OR" s_tabu_nam both will show Risk.
In GRC by default, we can only have AND between 2 objects of the same t-code in 1 function.
Is there any way to realize this in GRC?
I'm not keen towards splitting the function as there are multiple such t-code/object scenarios in 1 function and it would lead to many smaller splits of 1 function.
Thanks,
Kaushal
Hi Kaushal
SAP Note 1541577 - Impact of S_TABU_NAM in Risk Analysis and Remediation explains S_TABU_NAM and S_TABU_DIS. It is that special situation of needing an OR for two objects.
As a result, the note advises you would need to define two functions (what you're trying to avoid).
An alternative idea would be to make a design decision for roles to only allow S_TABU_NAM. If you do this, you would then:
1. Define all functions for SE16/etc with the S_TABU_DIS
2. Define a Critical Permission Risk with S_TABU_DIS ACTVT 02 or 03 and disable the DICBERCLS field
3. Risk analysis for S_TABU_NAM would be handled as per your current approach for remediations
4. Risk analysis for S_TABU_DIS would require remediation of removing and switching the role authorisations to the granular level
The validation needed would be to check TSTCA to make sure no SE93 definitions have S_TABU_DIS. If these are used, then you would need to consider exceptions.
Regards
Colleen
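The TSTCA validation and the S_TABU_DIS remediation list described in the answer above can be scripted offline against table exports. This is an added example, not code from the thread or from SAP; the CSV column layouts (TSTCA-style and AGR_1251-style), the role names and the Z transactions are constructed assumptions, and wildcard S_TCODE values in roles are not expanded.

```python
import csv
import io

# Constructed sample of a TSTCA export (SE93 start checks); column layout assumed.
TSTCA_CSV = """TCODE,OBJCT,FIELD,VALUE
ZTABVIEW,S_TABU_DIS,ACTVT,03
ZTABVIEW,S_TABU_DIS,DICBERCLS,ZFIN
ZSALES01,S_TCODE,TCD,ZSALES01
"""

# Constructed sample of role authorization values (AGR_1251-style columns assumed).
ROLE_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FIN_DISPLAY,S_TCODE,TCD,ZTABVIEW,
Z_FIN_DISPLAY,S_TABU_DIS,ACTVT,03,
Z_FIN_DISPLAY,S_TABU_DIS,DICBERCLS,ZFIN,
Z_BASIS_ADMIN,S_TCODE,TCD,SE16,
Z_BASIS_ADMIN,S_TABU_DIS,ACTVT,01,03
Z_BASIS_ADMIN,S_TABU_DIS,DICBERCLS,*,
Z_HR_TABLES,S_TCODE,TCD,SE16,
Z_HR_TABLES,S_TABU_NAM,ACTVT,03,
Z_HR_TABLES,S_TABU_NAM,TABLE,PA0001,
"""

RISKY_ACTVT = ("02", "03")  # the activities named in the critical permission risk
def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def tcodes_with_tabu_dis_start_check(tstca):
    """Transactions whose SE93 definition checks S_TABU_DIS (exception candidates)."""
    return sorted({r["TCODE"] for r in tstca if r["OBJCT"] == "S_TABU_DIS"})

def covers(low, high, value):
    """True if an authorization value (single, '*', or LOW-HIGH range) includes value."""
    if low == "*":
        return True
    return low <= value <= high if high else low == value

def roles_to_remediate(role_rows, exception_tcodes):
    """Map role -> 'exception' or 'remediate' for roles holding S_TABU_DIS ACTVT 02/03."""
    result = {}
    for r in role_rows:
        if r["OBJECT"] == "S_TABU_DIS" and r["FIELD"] == "ACTVT" and any(
            covers(r["LOW"], r["HIGH"], a) for a in RISKY_ACTVT
        ):
            tcodes = {x["LOW"] for x in role_rows
                      if x["AGR_NAME"] == r["AGR_NAME"] and x["OBJECT"] == "S_TCODE"}
            hit = tcodes & set(exception_tcodes)
            result[r["AGR_NAME"]] = "exception" if hit else "remediate"
    return result
```

Roles marked `remediate` are the ones to switch to S_TABU_NAM; roles marked `exception` contain a transaction whose SE93 check itself requires S_TABU_DIS.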