SAP GRC RAR is the component of SAP GRC that provides risk analysis, detection and remediation for access and authorization control. The screenshot below shows the RAR home page, where you can see seven tabs for the different types of activity to be performed. The work described here is done in the Mitigation and Informer tabs.
Risk Analysis:
A Risk is defined as two or more actions that, when available to a single user, role, profile or HR Object, create the possibility of error or irregularity. There are thousands of action combinations that can be categorized as Risks. Risks can also be defined by different combinations of permissions associated with specific actions.
Purpose:
When you run a Risk Analysis or a Simulation, you generate reports presenting different types of information. You may generate reports presenting risks or conflicts, or the use of critical actions, by the User, Role, Profile or HR Object you included in the analysis. By generating these reports you can identify the Risk and either remove it or apply a Control.
Mitigation:
Purpose
Once you have run a Risk Analysis and identified Risks associated with a User or Role, you may want to limit or monitor the Risk rather than remove its cause. Mitigation Controls give you the ability to associate controls with Risks, so that they can be applied to the Users and Roles found to violate SoDs during Risk Analysis. You also define Monitors and Approvers, assign them to specific controls, and create Business Units to help categorize your Mitigation Controls.
The Mitigation tab allows you to mitigate certain risk violations that you want to remain available to specific users or roles. This is done by creating and assigning a Mitigation Control.
A Mitigation Control performs the following functions:
Identifies the Segregation of Duties (SoD) conflict as a known Risk.
Establishes a period of time during which the Risk may exist (is monitored).
Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk.
The Mitigation tab offers the following options:
o Administrator
o Business Units
The Administrator option allows you to create and maintain Approvers, Monitors and Risk Owners. Users who need to perform these functions must be maintained in this Administrator screen in order to be available in subsequent screens.
Administrator ID   Full Name               Email                  Role
FBD_M004           Supratip Narayan Roy    supratip.roy@itc.in    Monitor
Search Administrator:
Menu Path: Mitigation tab > Administrator > select the role you want to search for > Search.
Now you can view and edit the created Administrator by selecting it and clicking the Change button.
Business Unit:
Establishing Business Units allows you to categorize your Mitigation Controls. When you define Mitigation Controls, you categorize them by assigning each one a specific Business Unit. This enables you to limit the Controls available to the Business Units specified in a RAR Role definition.
Creation of Business Unit:
1. The Business Units option expands to Create and Search. Click Create and the Define Business Unit page appears.
Click the Search button and you will be directed to the page shown below, where you have the Change and Delete options.
Mitigating Controls:
When you define a Mitigation Control you create a Mitigation Control ID. This Control ID appears in various Risk Analysis reports. Defining a Mitigation Control includes associating the Risk IDs that are mitigated by the control. Only the Risk IDs associated in the Control definition can then be mitigated for a role.
Creation of Mitigating Control:
1. Menu Path: Mitigation tab > Mitigation Controls > Create
10. In the Valid From and Valid To fields, click the Calendar icon to define the valid time range during which the mitigation control mitigates a user/role.
11. In the Status drop-down menu, select the desired status (All, Enable, Disable).
12. Click Search.
Mitigation of Roles:
Search for the mitigation control ID under which the Risk ID exists for which you want to mitigate specific roles, then select the control ID and click the Change button, as shown in the picture below.
Now select the risk under which you want to put the mitigated roles and click the Mitigate Roles button, as shown in the picture below.
After clicking Mitigate Roles you will be directed to the page shown below, where you click the Add button to add the roles you want to mitigate.
After clicking Add you will be directed to the page shown below, where you search for the role as shown in the screen below: click on the Role name, select the system, paste the role name and click the Search button. You will get the role; click Select, enter the Risk ID followed by an asterisk (*), select the Monitor ID and save the data.
Informer:
RAR provides detailed compliance analysis for enterprises. It allows enterprises to examine every aspect of their complex Enterprise Resource Planning (ERP) system and to implement internal controls. The data gathered in each analysis is made available for immediate viewing in an exceptionally wide range of predetermined and user-modified reports. These reports are accessible through the Informer tab.
Informer tab report types include:
Management View
Risk Analysis
Audit Reports
Security Reports
Background Job
You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and
Organizational Levels.
Management View
The following reports are accessed from the Management View menu:
Risk Violations
Users Analysis
Role Analysis
Comparisons
Alerts
Rules Library
Controls Library
Each item in the Management View category includes at least one of the following interactive, graphical displays:
Pie Chart
Bar Chart
After selecting report parameters for any Management View report type, click
Go to show the selected information in the graphical display. Drill down further
into the information for each display by clicking anywhere on the pie chart or
clicking the chart labels for the bar and line charts. Drilling down further allows
you to view:
Risk IDs and descriptions for each severity level (critical, high, medium, low).
Detailed information for each Risk Description.
Change History for each Risk.
Conflicting functions that are causing the Risk.
Detailed information for each conflicting function.
Change History for each function.
In the above screenshot you can see all the risk violations by process, for example ITC Order to Cash and ITC Financial Accounting. On the right side you can see the bar chart; clicking on it shows the further report of risk violations corresponding to each Risk.
To see an individual risk violation, click on the Risk ID; the detailed risk violation is shown in the screenshot below.
If you click on any of the risks, the system takes you to the screen below, where you can view the detailed report including the relevant functions and other required parameters, as shown in the screenshot below.
You can also see the change history by clicking the Change History button, which shows the Risk change history report as in the screenshot below.
Risk Analysis
Risk Analyses are run to see whether any User, Role or Organization has access to two or more conflicting actions. When two or more actions are determined to be conflicting, the combination of those actions is defined as a Risk. Risks define Rules, also known as SoDs. When you run a Risk Analysis, any existing SoD conflicts are reported for each User, Role or Organization included in the analysis.
Menu Path:
As shown in the above screenshot, when doing a role-level risk analysis you have to select some parameters:
System: Select the system for which you want to run the role-level risk analysis, for example the ECC Quality system.
Role: If you want a report for a specific role, enter the role name and run the job.
Risk by Process: Risks are defined under several processes, so when doing the risk analysis you have to choose the process for which you want to view the role-level analysis, for example ITC Order to Cash.
Risk ID: If you want a report for a specific risk, enter the Risk ID and run the job.
Risk Level: There are four risk levels: Critical, High, Medium and Low. A risk level is chosen when the risk is defined, so if you need to run a risk analysis for a specific risk level, select that level and run the analysis.
Rule Set: A rule set is assigned when a risk is created. From the available rule sets, select the one for which you want to run the role-level risk analysis.
Report Type
There are six report types, each of which can be formatted in several ways.
Action Level SoD reports: generating this report type produces a list of SoDs at the action level.
Permission Level SoD reports: generating this report type produces a list of SoDs at the permission level.
Critical Actions reports: generating this report type limits the list to the Critical actions available. Critical actions are defined under the Rule Architect tab.
Critical Permissions reports
Critical Roles/Profiles reports: generating this report type lists only the Critical Roles and Profiles associated with the User, Role or Organization. This report does not list any risks.
Mitigation Control reports: generating this report type lists the valid Mitigation Controls assigned to the User, Role or Organization included in the analysis.
Choosing a Report Format:
You can choose one of four report formats for the six report types described above:
1. Summary: This report format lists the combination of conflicting actions that produce the risk in one line item.
2. Detail: This report format lists each Risk as a single line item, displays the Risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including conflicting functions.
3. Management Summary: This report format lists each Risk as a single line item, displays the Risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including conflicting functions.
4. Executive Summary: This report format lists each risk as a single line item and displays the total number of conflicting actions producing the Risk.
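As an added illustration (not SAP code and not part of the original document), the following Python script models the concepts covered above: a rule set of Risks as sets of conflicting actions with a Risk Level, user access derived from roles, a Mitigation Control that suppresses a violation only inside its Valid From / Valid To window under a named Monitor, the Risk Level filter of the analysis parameters, and an Executive Summary style count per Risk. All risk IDs, actions, roles, users and the control are constructed sample data, not a real rule set.

```python
from datetime import date

# Constructed rule set (not SAP's delivered one): a Risk is a set of actions that
# conflict when all of them are available to one user, rated Critical/High/Medium/Low.
RISKS = {"R001": {"actions": {"CREATE_VENDOR", "PAY_VENDOR"}, "level": "High"},
         "R002": {"actions": {"CREATE_PO", "APPROVE_PO", "POST_GOODS_RECEIPT"},
                  "level": "Critical"}}
# Constructed roles (their actions) and user-to-role assignments.
ROLES = {"Z_AP_CLERK": {"CREATE_VENDOR", "POST_INVOICE"}, "Z_AP_PAYMENT": {"PAY_VENDOR"},
         "Z_PURCHASER": {"CREATE_PO", "APPROVE_PO"}, "Z_WAREHOUSE": {"POST_GOODS_RECEIPT"}}
USERS = {"alice": ["Z_AP_CLERK", "Z_AP_PAYMENT"], "bob": ["Z_PURCHASER"],
         "carol": ["Z_PURCHASER", "Z_WAREHOUSE"]}
# Constructed Mitigation Control: R001 is accepted for alice under a named Monitor,
# but only inside the control's Valid From / Valid To window.
MITIGATIONS = [{"control_id": "MC_AP_01", "risk_id": "R001", "user": "alice",
                "monitor": "M_AP", "valid_from": date(2024, 1, 1),
                "valid_to": date(2024, 12, 31)}]

def user_actions(user):
    """Action-level access of a user: the union of the actions of all assigned roles."""
    return set().union(*(ROLES[r] for r in USERS[user]))

def is_mitigated(user, risk_id, on):
    """True if a control for this user and risk is valid on the given date."""
    return any(m["user"] == user and m["risk_id"] == risk_id
               and m["valid_from"] <= on <= m["valid_to"] for m in MITIGATIONS)

def risk_analysis(on, level=None):
    """SoD report for ISO date `on`: one finding per (user, risk) fully in the user's access."""
    on, findings = date.fromisoformat(on), []
    for user in sorted(USERS):
        have = user_actions(user)
        for rid, risk in sorted(RISKS.items()):
            if level and risk["level"] != level:  # optional Risk Level filter
                continue
            if risk["actions"] <= have:  # every conflicting action is available
                findings.append({"user": user, "risk_id": rid, "level": risk["level"],
                                 "actions": sorted(risk["actions"]),
                                 "mitigated": is_mitigated(user, rid, on)})
    return findings

def executive_summary(findings):
    """Executive Summary: per Risk, its number of conflicting actions and unmitigated users."""
    out = {}
    for f in findings:
        line = out.setdefault(f["risk_id"], {"actions": len(f["actions"]), "open": []})
        if not f["mitigated"]:
            line["open"].append(f["user"])
    return out
```

Running the analysis with a date after the control's Valid To shows alice's R001 violation reappearing as unmitigated, which is the expiry behaviour a Monitor should expect.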
After selecting all the required parameters, run a background job as shown in the above screenshot:
Give the Background Job a name.
Select an Immediate start or schedule a Delayed start for the Background Job. If you choose to schedule a delayed start, set the date and time for the job to begin.
If you would like to run the Background Job more than once, tick the Schedule periodically check box and then set the schedule parameters.
Click Schedule. You will see a message at the bottom of the page that includes a Job
Search takes you to the screen shown below, where you can see the details of the report. Select the job for which you want to see the detailed report and use the buttons below.
The buttons are as follows.
Show Job History: shows the job history, as in the screenshot below.
View Log: shows each step of the job. If any error occurs while executing the job, it can be analyzed from this View Log.