Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.
Hi,
In GRC10 ARM, the access request approver can choose to run risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile”. In 5.3, the approver did not have this choice when using CUP.
When an approver opens an access request in AC10, “Permission Level” is always selected under the Risk Violation tab. The selection is fine, as it is configured this way (SPRO parameter 1023, Default Report Type for Risk Analysis). But the approver also has the option to deselect “Permission Level”.
You may want to ensure that the approver always keeps “Permission Level” selected; in other words, the option should be grayed out with a permanent tick mark. This makes sure that CUP enforces the “Permission Level” check; otherwise, an approver who deselects it can always skip the risk analysis by choosing different report types. It is also possible that not every approver understands the meaning of each option. Risk analysis can therefore be skipped both accidentally and intentionally.
As you can see, Permission Level is always selected but editable. The approver can deselect it and submit the request with no violation. This way, unmitigated risks can be submitted.
We achieved this by deploying SAP Note 1796838 (UAM Risk analysis at permission level set to non editable) and following the steps below.
1. Go to transaction SE80.
Select Package as ‘GRAC_ACCESS_REQUEST’.
Click on Web Dynpro -> Web Dynpro Application
2. Drill down to application ‘GRAC_OIF_REQUEST_APPROVAL’. Right-click on it and click Test.
3. Now, the following screen will appear.
Go to the URL of the above screen and add the following string to it.
Go to transaction SE16, enter GRACREQ as the table name, and enter any request number in the REQ_ID field.
Click the Execute button and copy the value of the field REQ_ID.
Below is the string to add to the URL:
&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<REQ_ID checked from above step>
Below is an example of the string to add to the URL of the above screen dump:
&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/984BE163CDB81EE2B79233F7361518D9
Observe that the dump now disappears and an access request opens.
4. Go to the Risk Violation tab, right-click on the Type check boxes and choose ‘Settings for Current Configuration’.
5. Now, the following pop up window will appear.
In this window, you can go to each of the result type options and select the ‘read only access’ check box.
6. For example, if you click on Permission Level and set Read-Only Access to ‘Yes’, Permission Level will appear as non-editable on the approval screens for all requests.
Click on ‘Save and Close’.
Note that the Permission Level check box is now disabled.
Hope this helps if you come across this kind of requirement, and prevents unmitigated risks from being submitted.
Regards
Dilip Jaiswal.
GRC – IDM Consultant.
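The URL change from step 3, as an added example that is not part of the original post: a small Python helper that appends the post's config-mode string to the Web Dynpro test URL and rejects an unreplaced placeholder or malformed REQ_ID. The function name, the sample host and query parameter, and the 32-hex-character REQ_ID format (inferred from the example value above) are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: a REQ_ID from table GRACREQ is 32 hex characters,
# like the example value shown in the post.
REQ_ID_RE = re.compile(r"[0-9A-F]{32}")

# Parameter names taken from the string given in the post.
CONFIG_KEYS = ("SAP-CONFIG-MODE", "OBJECT_ID")


def build_config_mode_url(test_url: str, req_id: str) -> str:
    """Hypothetical helper: append the post's config-mode string to the test URL."""
    req_id = req_id.strip().upper()
    if not REQ_ID_RE.fullmatch(req_id):
        # Catches the unreplaced "<REQ_ID ...>" placeholder and truncated copies.
        raise ValueError(f"not a 32-character hex REQ_ID: {req_id!r}")

    parts = urlsplit(test_url)
    present = {p.split("=", 1)[0].upper() for p in parts.query.split("&") if p}
    if present & set(CONFIG_KEYS):
        raise ValueError("URL already contains SAP-CONFIG-MODE or OBJECT_ID")

    extra = f"SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/{req_id}"
    # The post's string starts with "&", which only works when the test URL
    # already has a query string; otherwise the first separator must be "?".
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL; host and query parameter are placeholders.
    sample = ("https://grc.example.invalid/sap/bc/webdynpro/sap/"
              "grac_oif_request_approval?sap-language=EN")
    print(build_config_mode_url(sample, "984BE163CDB81EE2B79233F7361518D9"))
```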
Good Work Dilip..!!
Really very useful blog.
Helpful documentation. Thanks for sharing.
Cheers,
Sabitha
Very thoughtful and helpful . Thanks for sharing.
Very nice article and hoping some more good blogs like this quickly.
Very helpful in understanding the concept.
Hi Dilip,
Thanks for posting this. I tried this in my system, and it didn't work as given in your post. Firstly, when I added the string you mentioned, it opened the page but it still gave an error ("error occurred during processing").
When I right-clicked, it didn't give me the option for "Settings for Current Configuration".
My questions:
- Is the string to add the same for all systems?
- Is there a way to find the string for each of the Web Dynpro applications?
Thanks again.
Regards,
Muthu
Hi,
I got this string from a developer who helped me in debugging. I updated the document with how you can create the string.
"Settings for Current Configuration" - this may be some system-specific setting. It was enabled in my system.
Regards
Dilip
Hi Dilip,
I replaced the request number and it works like a charm. I really appreciate you helping others.
Keep up the good work.
Regards,
Muthu
Thanks that it worked for you.
Nice article. Great.
Very useful document.
Thanks for sharing this document, sir.
Hi,
I have a question.
I need to do the same for the step of risk analysis in the maintain role.
How can I do?
Regards!!!!
Hi,
Please check for the relevant Web Dynpro and try if this works.
Regards Dilip
Hey,
Great source of info... I have a doubt: is there any way to display the email address of the user in the user level analysis report?
Hi Pranjal,
I think email will not be available, but I have seen you have posted in the common forum, so if anyone comes across this they will update you soon.
Regards, Dilip
Thanks Dilip,
Ok we can wait for it..??
I have one more question to ask..??
Is there any way to download the files from the dashboard? In my case I have around 20000 users, out of which only 8 have risks, but as the data comes in a pie chart it's tough to download. I mean, I am not able to find where to click in the pie chart, as this small number of users is invisible in the pie chart.
Hi Dilip,
The article is well written and explained in a simple way along with visual/snapshots.
Great work here.
Regards,
Suvonkar
Hi Dilip
Firstly, your article is an excellent step by step demonstration of Risk Analysis.
Secondly, Please do keep up this great job and I am looking forward to learn a lot from you
Rgds
Mansoor
Very helpful document.
Superb informative and helpful blog.
Thanks
Katrice
Very nice & informative blog ! Pretty helpful.
G'Day Dilip,
Thank you for taking the time to post this blog. After reading the following blog:
Customizing Access request and approval screens in GRC Access Control
I thought I could do the same for the rest however as you pointed out here, the web pages used to throw a dummy fit. Well thanks for clearing it up that I have to append something to the end of the URL link.
I do have a couple of queries though and I would appreciate it if you could answer them.
1) Why does it show the error in the first place and why only for some links?
2) How do we know what needs to be added to the URL?
Regards,
Leo..
Hi Dilip,
I appreciate that you have shared such good information. It's helpful for all community members.
Regards
Girish Almiya
Really helpful. Thx.
Dilip,
Many thanks. The doc is more informative.
Hello,
I'm trying to do something similar with checkbox "offline data" but it doesn't work. After refreshing the screen it remains grayed but unchecked.
Has anyone tried this? Any ideas?
Thanks!
Regards,
Fernando