GRC Risk Analysis - OR condition between 2 objects of same t-code in a Function

moondhrakaush
Explorer

Dear Experts,

My client has a custom ruleset in which they have an OR condition between 2 auth objects of a t-code within a function.

For example, t-code SE16 with object S_TABU_DIS "OR" S_TABU_NAM: both will show a risk.

In GRC by default, we can only have AND between 2 objects of the same t-code in 1 function.

Is there any way to realize this in GRC?

I'm not keen on splitting the function, as there are multiple such t-code/object scenarios in 1 function and it would lead to many smaller splits of 1 function.

Thanks,

Kaushal

Accepted Solutions (1)

Colleen
Advisor

Hi Kaushal

SAP Note 1541577 - Impact of S_TABU_NAM in Risk Analysis and Remediation explains the S_TABU_NAM and S_TABU_DIS situation. It is that special situation of needing an OR for two objects.

As a result, the note advises that you would need to define two functions (what you're trying to avoid).

An alternative idea would be to make a design decision for roles to only allow S_TABU_NAM. If you do this, you would then:
1. Define all functions for SE16/etc. with S_TABU_DIS
2. Define a Critical Permission Risk with S_TABU_DIS ACTVT 02 or 03 and disable the DICBERCLS field
3. Risk analysis for S_TABU_NAM would be handled as per your current approach for remediations
4. Risk analysis for S_TABU_DIS would require remediation of removing and switching the role authorisations to the granular level

The validation needed would be to check TSTCA to make sure no SE93 definitions have S_TABU_DIS. If these are used, then you would need to consider exceptions.

Regards

Colleen
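To make the semantics in this thread concrete, here is a small model (added example, not SAP GRC code and not from either poster) of how a function-level AND between S_TABU_DIS and S_TABU_NAM behaves against three roles, compared with the two-function split from SAP Note 1541577, plus the critical-permission rule on S_TABU_DIS ACTVT 02/03 with DICBERCLS ignored and the TSTCA check for SE93 definitions. The evaluation rules (OR across actions in a function, AND across objects under one action, AND between the functions of a risk) are a simplification assumed for illustration only; the roles and the TSTCA rows are constructed sample data, and the Z t-codes are invented.

```python
# Added example: simplified model of GRC ruleset semantics, not the real engine.
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    """One permission line: object, field, allowed values ('*' = any value)."""
    obj: str
    field: str
    values: frozenset


def role_has(role, perm):
    """True if any authorization for perm.obj in the role satisfies perm.
    role is {object: [{field: set_of_values}, ...]} (constructed format)."""
    for auth in role.get(perm.obj, []):
        have = auth.get(perm.field, set())
        if "*" in have or "*" in perm.values or have & perm.values:
            return True
    return False


def hits_function(role, function):
    """function is {tcode: [Perm, ...]}. Assumed semantics: the role hits the
    function if it can start at least one listed t-code (OR across actions)
    and holds ALL permissions listed under that action (AND across objects)."""
    for tcode, perms in function.items():
        if not role_has(role, Perm("S_TCODE", "TCD", frozenset({tcode}))):
            continue
        if all(role_has(role, p) for p in perms):
            return True
    return False


def violated_risks(role, risks, functions):
    """risks is {risk_id: [function_id, ...]}; AND between the functions."""
    return sorted(rid for rid, fids in risks.items()
                  if all(hits_function(role, functions[f]) for f in fids))


CHANGE = frozenset({"02", "03"})
DIS = Perm("S_TABU_DIS", "ACTVT", CHANGE)
NAM = Perm("S_TABU_NAM", "ACTVT", CHANGE)

FUNCTIONS = {
    "SE16_BOTH": {"SE16": [DIS, NAM]},   # both objects in one function => AND
    "SE16_DIS": {"SE16": [DIS]},         # the split: one function per object
    "SE16_NAM": {"SE16": [NAM]},
}
RISKS_ONE_FUNCTION = {"R_AND": ["SE16_BOTH"]}
RISKS_SPLIT = {"R_DIS": ["SE16_DIS"], "R_NAM": ["SE16_NAM"]}

# Constructed roles (sample data, not from a real system).
ROLE_NAM_ONLY = {"S_TCODE": [{"TCD": {"SE16"}}],
                 "S_TABU_NAM": [{"ACTVT": {"03"}, "TABLE": {"*"}}]}
ROLE_DIS_ONLY = {"S_TCODE": [{"TCD": {"SE16"}}],
                 "S_TABU_DIS": [{"ACTVT": {"02"}, "DICBERCLS": {"SC"}}]}
ROLE_BOTH = {"S_TCODE": [{"TCD": {"SE16"}}],
             "S_TABU_DIS": [{"ACTVT": {"03"}, "DICBERCLS": {"*"}}],
             "S_TABU_NAM": [{"ACTVT": {"02"}, "TABLE": {"ZCUST"}}]}


def critical_s_tabu_dis(role):
    """Critical permission risk: S_TABU_DIS with ACTVT 02 or 03. DICBERCLS is
    deliberately not checked (the field is disabled in the rule), so any
    authorization group counts."""
    return role_has(role, DIS)


# Constructed TSTCA extract (TCODE, OBJCT, FIELD, VALUE); t-codes are invented.
TSTCA_SAMPLE = [
    ("ZTABVIEW", "S_TABU_DIS", "ACTVT", "03"),
    ("ZTABVIEW", "S_TABU_DIS", "DICBERCLS", "ZCUS"),
    ("ZCUSTMNT", "S_TABU_NAM", "ACTVT", "02"),
    ("ZCUSTMNT", "S_TABU_NAM", "TABLE", "ZCUST"),
]


def tcodes_checking(rows, obj="S_TABU_DIS"):
    """T-codes whose SE93 authorization-object check (TSTCA) uses obj; these
    need an exception if the design only allows S_TABU_NAM in roles."""
    return sorted({tcode for tcode, o, _, _ in rows if o == obj})


if __name__ == "__main__":
    for name, role in [("NAM only", ROLE_NAM_ONLY), ("DIS only", ROLE_DIS_ONLY),
                       ("both", ROLE_BOTH)]:
        print(name, "one function:", violated_risks(role, RISKS_ONE_FUNCTION, FUNCTIONS),
              "split:", violated_risks(role, RISKS_SPLIT, FUNCTIONS),
              "critical S_TABU_DIS:", critical_s_tabu_dis(role))
    print("TSTCA exceptions needed for:", tcodes_checking(TSTCA_SAMPLE))
```

Run as-is, the one-function model flags only the role that holds both objects, while the split model flags each single-object role under its own risk, which is the OR behaviour the question asks for. The critical-permission rule catches the S_TABU_DIS role on its own regardless of authorization group, and the TSTCA scan lists the transactions that would need an exception under the S_TABU_NAM-only design.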

moondhrakaush
Explorer

Thank you so much Colleen.
