Mass change of Mitigation Assignments
This document describes how to perform a mass change of mitigation assignments. I would like to give you an overview of how the download/upload programs for mitigations can be used and in which business scenarios they might be helpful.
Please note that the programs used to perform mass mitigation changes are available with AC 10.0 SP10. See also OSS note: http://service.sap.com/sap/support/notes/1749804
Problems which can be handled:
- Change monitor of mitigating controls (e.g. replacements)
- Change validity date
- Change system
- Add / Remove a huge number of mitigations
- Activate / Deactivate a huge number of mitigations
The most complex scenario is changing the monitor of mitigating controls, and that is the best-practice process I would like to share in this document. All other scenarios are similar and can be handled analogously.
An existing monitor who still monitors mitigations must be replaced in those mitigations before he can be removed from a control. The following error message will appear if you try to remove the monitor.
First we have to define the new monitor by adding a new row with assignment type = Monitor. Please be aware that the new monitor must be assigned to the organization unit and must be an owner (prerequisites).
The following picture shows that BANZER_A is still monitoring an active mitigation for the user T-BANZER, as we could see above. It is also possible that the user monitors more than one mitigation.
Updating all mitigations one by one in NWBC would take some time; therefore you can use the following programs.
- GRAC_DOWNLOAD_MIT_ASSIGNMENTS: to download all mitigations to a local file
- GRAC_UPLOAD_MIT_ASSIGNMENTS: to upload all mitigations from a local file
Start the program via transaction SA38.
Besides user mitigations, it is also possible to download profile, role and role/user organizational mitigations. In this example we are going to change user mitigations, so we choose USER.
Personally I always download all mitigations as an XLS file, as it is easy to change the content with Excel (filter, search, etc.).
After downloading the file you will see all mitigations in Excel. In my example I have only one mitigation for the user T-BANZER.
The structure of the file, as the titles are missing, is given below.
It is possible to update each column (system, validity, etc.) and also to add additional lines for new user mitigations. Please be aware that the values are checked during the upload and wrong data will abort the upload.
As we can see in the following picture I have updated the monitor in column H to LIJA (user name of the new monitor).
After I am done editing the file, I save it and upload it with the upload program, again via SA38.
Here it is also possible to upload user, role, profile and organizational mitigations. Uploading mitigations can be done in two different modes. Append means the uploaded mitigations are added to the existing ones, whereas overwrite replaces all existing mitigations. Please be aware: if you have, for example, 1000 mitigations and you upload a single record in overwrite mode, all others will be deleted and that single mitigation will be the only one left in the system.
To avoid such scenarios I always download all mitigations to a file, copy the file, modify the copy and upload the modified file. If something goes wrong I can upload the old file.
If the file is uploaded successfully you will see the following message. Errors will also be reported.
In NWBC we had the following mitigation before uploading.
After uploading we can see the new monitor.
Now the old monitor can be removed and the mitigating control is successfully updated.
As mentioned above, it is also possible to change other values in the local file, such as validity date, systems, etc., which makes it easy to change a huge number of mitigations.
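A pre-upload check for the copy-and-modify routine described above, added here as an example; it is not part of the original document or of SAP's programs. It assumes both files were saved as tab-delimited text without a header row; only the monitor position (column H) comes from the article, while the function names, the sample rows and the rule of identifying a mitigation by all other columns are assumptions.

```python
import csv
import io

MONITOR_COL = 7  # column H holds the monitor (from the article)

def load_rows(text):
    """Parse a headerless, tab-delimited export into a list of rows."""
    return [r for r in csv.reader(io.StringIO(text), delimiter="\t") if any(r)]

def row_key(row):
    """Identify a mitigation by every column except the monitor (assumption)."""
    return tuple(c for i, c in enumerate(row) if i != MONITOR_COL)

def review_upload(backup_text, edited_text, old_monitor, mode):
    """Diff the untouched backup against the edited copy before uploading."""
    if mode not in ("append", "overwrite"):
        raise ValueError("mode must be 'append' or 'overwrite'")
    before = {row_key(r): r for r in load_rows(backup_text)
              if len(r) > MONITOR_COL}
    after, findings = {}, []
    for n, row in enumerate(load_rows(edited_text), start=1):
        if len(row) <= MONITOR_COL or not row[MONITOR_COL].strip():
            findings.append(f"line {n}: no monitor in column H")
            continue
        if row[MONITOR_COL] == old_monitor:
            # The old monitor cannot be removed from the control yet.
            findings.append(f"line {n}: still monitored by {old_monitor}")
        after[row_key(row)] = row
    changed = [(k, before[k][MONITOR_COL], after[k][MONITOR_COL])
               for k in after if k in before
               and before[k][MONITOR_COL] != after[k][MONITOR_COL]]
    dropped = [k for k in before if k not in after]
    added = [k for k in after if k not in before]
    if mode == "overwrite" and dropped:
        # Overwrite replaces everything, so rows missing from the file are lost.
        findings.append(
            f"overwrite would delete {len(dropped)} existing mitigation(s)")
    return {"changed": changed, "added": added, "dropped": dropped,
            "findings": findings}

# Constructed sample: A1..G3 are opaque placeholders, not the real layout.
BACKUP = ("A1\tB1\tC1\tD1\tE1\tF1\tG1\tBANZER_A\n"
          "A2\tB2\tC2\tD2\tE2\tF2\tG2\tBANZER_A\n"
          "A3\tB3\tC3\tD3\tE3\tF3\tG3\tOTHER_M\n")
# Edited copy: row 1 moved to LIJA, row 2 missed, row 3 deleted by mistake.
EDITED = ("A1\tB1\tC1\tD1\tE1\tF1\tG1\tLIJA\n"
          "A2\tB2\tC2\tD2\tE2\tF2\tG2\tBANZER_A\n")
```

An empty `findings` list means every row left the old monitor behind and, in overwrite mode, no existing mitigation is missing from the file.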
Let me know if you have other inputs to extend this document.
Best regards,
Alessandro
Thanks Alessandro, very useful.
thanks a lot!
Hi Alessandro,
I have seen this very good documentation.
I have changed the Monitor user assignment to the risk.
I have made a download of existing data, changed the monitor user there too.
If I try to upload the file, I get an error message.
Valid-to date can at line number 1..., 2...and so on.
I don't see which date the program means. The valid to date below "Mitigated User" is after the valid from date.
Any idea?
BR
Melanie
Melanie,
valid-to date cannot be in the past. Make sure it's in the future.
Regards,
Alessandro
Hi Alessandro,
that's it.
BR
Melanie
Hi Alessandro,
do you know what is the right handling for "old" entries?
BR
Melanie
Dear Melanie,
difficult - you can handle it differently. Some companies do remove old entries, others want to keep them.
Basically, if you want to keep the old entries you need to keep all the owners, etc., and can use the upload functionality only to a limited extent. You should then consider working with append rather than overwrite and only update/upload new assignments.
Regards,
Alessandro
Hi Alessandro,
thank you. This helps to solve my problem.
BR
Melanie
Hi Alessandro,
Nice article, cheers!
Regards,
Suvonkar
Hi Suvonkar,
thanks a lot - hope this helps to resolve your problems.
Regards,
Alessandro
Hi Alessandro,
Very nice document!
May I know why the older monitor is removed manually? Can't we make it automatic using this Excel file?
Regards,
Faisal
Dear Faisal,
the Excel just changes the mitigations, and not the mitigating control itself.
Does this answer your question?
Regards,
Alessandro
Hello Alessandro,
When I am trying to perform the steps mentioned above using the below programs
GRAC_DOWNLOAD_MIT_ASSIGNMENTS To download all mitigation to a local file
GRAC_UPLOAD_MIT_ASSIGNMENTS To upload all mitigation from a local file
I am getting the message saying the programs don't exist. I am on SP8.
Any inputs on how to proceed further? Thanks in advance.
Regards
Deepak M
Hi Deepak,
the functionality comes with SP10. Please implement the following note:
http://service.sap.com/sap/support/notes/1749804
Regards,
Alessandro
Thanks a lot Alessandro
Regards,
Deepak M
Hi Alessandro, thank you for the tutorial, very useful.
One comment:
What happens if I try to upload a Mitigation Control for a Risk that no longer exists? Because the Mitigation is based on risks that can be eliminated in the meantime (the time between when you decide to assign a mitigating control and when you actually do the mass import).
Thanks again.
Hi Alessandro, thank you for the tutorial, very useful.
Can you please provide suggestions on the points below:
1. Mitigation report under Set-up tab is not giving right info on Updated by and Updated on fields. Sometimes it's missing updates in mitigation controls - can you please guide what can be the matter here?
2. Any issues, precautions or preparations that need to be done for the PC 10 to 10.1 upgrade?
Thanks and kind regards
Thanks for the guide, Alessandro - you did a good job with that.
Hopefully SAP addresses the bug with the "end to" date. There should never be a case where I can download existing mitigations as backup and then it fails to upload this same file because some mitigation assignments have expired - this is bad programming.
The program checks that end date is AFTER start date - that is good!
But it should NOT matter if the end date is in the past - this is a bug.
Thanks Steve. Probably best to raise an OSS to address the issue directly to SAP.
Cheers,
Alessandro
Hi Steve,
Have you got anything from SAP for this? We have the same issue.
Thanks and Regards,
Ying Ye
Hi Ying,
Sorry, I have not followed up with SAP. We worked around this by "appending" the updated mitigations and hoping that we don't need to restore the backup fully. Nevertheless, if I get time, I may submit this to SAP as a bug.
One additional note: If mitigation monitors have changed, this will NOT be reflected in the assigned mitigations or the downloaded file. When uploading the file, this field must be updated or the upload will fail. I compare report GRC AC Reporting -> Access Risk Analysis Reports -> Mitigation Control Report with the download file and mass updated the monitor field before uploading.
Regards,
Steven
Thanks Steven. I created a message to SAP and the notes below help.
2235825-Mitigation Assignment Upload Risk ID is
2209729-Mitigation Control load incorrect Date format
2094947-Invalid date format in GRAC_UPLOAD_MIT_ASSIGNMENTS causes inconsistencies
2101309-Mitigation assignment upload throws Invalid Role error
2172752-AC10.0 ARA SP20-Issue in upload mitigation-file location
Hello, is it too late to ask on this topic!?
The downloaded file obtained by executing the download mit assignments, this file only deals with mitigated assignments or non mitigated assignments?
I ran a user level risk analysis and for various results I did not obtain a Control, Monitor, Monitor Name they are blank. I thought by following this blog could solve my issue, but none of the users from the report appear in the downloaded file.
What can I do to populate those fields, I was told this
"If you have the full report of users with SODs and no mitigations, you should be able to simply upload the missing mitigations into GRC once you map it in an excel spreadsheet. "
I assume they mean run a risk analysis and uncheck the included mitigated risks option? I don't know how to upload the missing mitigations into GRC...
Can you help?