This document describes how to perform a mass change of mitigation assignments. I would like to give you an overview of how the download and upload programs for mitigations can be used and in which business scenarios they might be helpful.

Please note that the programs used to perform mass mitigations are available with AC 10.0 SP10. See also OSS note: http://service.sap.com/sap/support/notes/1749804

Problems which can be handled:

  • Change monitor of mitigating controls (e.g. replacements)
  • Change validity date
  • Change system
  • Add / Remove a huge number of mitigations
  • Activate / Deactivate a huge number of mitigations

The most complex scenario is changing the monitor of mitigating controls, and that is the best-practice process I would like to share in this document. All other scenarios are similar and can be handled analogously.

A monitor who still monitors mitigations must be changed in those mitigations before he can be removed from a control. The following error message appears if you try to remove the monitor.

MassMit01.png


First we have to define the new monitor by adding a new row with assignment type = Monitor. Please be aware that the new monitor must be assigned to the organization unit and must be an owner (prerequisites).

MassMit02.png

The following picture shows that BANZER_A is still monitoring an active mitigation for the user T-BANZER, as we saw above. It is also possible that the user monitors more than one mitigation.

MassMit03.png

Updating all mitigations in NWBC would take some time, and therefore you can use the following programs.

  • GRAC_DOWNLOAD_MIT_ASSIGNMENTS: to download all mitigations to a local file
  • GRAC_UPLOAD_MIT_ASSIGNMENTS: to upload all mitigations from a local file

Start the program via transaction SA38.

MassMit04.png

Besides user mitigations, it is also possible to download profile, role and role/user organizational mitigations. In this example we are going to change user mitigations and therefore we choose USER.

MassMit05.png

Personally I always download all mitigations as an XLS file, as it is easy to change the content with Excel (filter, search, etc.).

MassMit06.png

After downloading the file you will see all mitigations in Excel. In my example I have only one mitigation for the user T-BANZER.

MassMit07.png

Because the file has no column titles, its structure is given below.

MassMit08.png

It is possible to update each column (system, validity, etc.) and also to add additional lines for new user mitigations. Please be aware that the values are checked while uploading and wrong data will abort the upload.

As we can see in the following picture I have updated the monitor in column H to LIJA (user name of the new monitor).

MassMit09.png

After I am done editing the file, I save it and upload it via the upload program. For this I use SA38 again.

MassMit10.png

Here it is also possible to upload user, role, profile and organizational mitigations. Uploading mitigations can be done in two different modes. Append means the uploaded mitigations are added to the existing ones, whereas overwrite replaces all existing mitigations. Please be aware that if you have, for example, 1000 mitigations, upload a single record and choose overwrite, all others will be deleted and the single mitigation will be the only one left in the system.

To avoid such scenarios I always download all mitigations to a file, copy the file, modify the copy and upload the modified file. If something goes wrong, I can upload the old file.

MassMit11.png
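A pre-upload check for the overwrite risk described above, as an added example that is not part of the original post or of the SAP programs. It assumes the untouched download and the edited copy were both saved from Excel as headerless tab-delimited text, relies only on the monitor being in column H, and uses hypothetical function names.

```python
import csv
import io
from collections import Counter

MONITOR_COL = 7  # column H holds the monitor (0-based index), as stated in the article

def read_rows(text):
    """Parse a headerless, tab-delimited mitigation export into row tuples."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    rows = [tuple(cell.strip() for cell in row) for row in reader if any(row)]
    if any(len(r) <= MONITOR_COL for r in rows):
        raise ValueError("row without a column H (monitor)")
    return rows

def key(row):
    """Identify an assignment by every column except the monitor."""
    return row[:MONITOR_COL] + row[MONITOR_COL + 1:]

def review_for_overwrite(backup, modified, old_monitor, new_monitor):
    """Compare the untouched download with the edited copy before an overwrite upload."""
    before = Counter(key(r) for r in backup)
    after = Counter(key(r) for r in modified)
    monitor_before = {key(r): r[MONITOR_COL] for r in backup}
    report = {
        # In overwrite mode every assignment missing from the file is deleted.
        "lost": sorted((before - after).elements()),
        "added": sorted((after - before).elements()),
        # Rows that would still block removal of the old monitor.
        "still_old_monitor": [r for r in modified if r[MONITOR_COL] == old_monitor],
        # Monitor edits other than old_monitor -> new_monitor.
        "unexpected_monitor": [
            r for r in modified
            if key(r) in monitor_before
            and r[MONITOR_COL] != monitor_before[key(r)]
            and (monitor_before[key(r)], r[MONITOR_COL]) != (old_monitor, new_monitor)
        ],
    }
    report["safe_for_overwrite"] = not any(report.values())
    return report

# Constructed sample: columns A-G are placeholders, only column H (monitor) is meaningful.
BACKUP = read_rows(
    "A1\tB1\tC1\tD1\tE1\tF1\tG1\tBANZER_A\n"
    "A2\tB2\tC2\tD2\tE2\tF2\tG2\tBANZER_A\n"
    "A3\tB3\tC3\tD3\tE3\tF3\tG3\tOTHER_MON\n"
)
EDITED = [r[:MONITOR_COL] + ("LIJA",) if r[MONITOR_COL] == "BANZER_A" else r for r in BACKUP]
SINGLE = EDITED[:1]  # the "upload a single record with overwrite" mistake

if __name__ == "__main__":
    for name, rows in (("edited copy", EDITED), ("single record", SINGLE)):
        print(name, review_for_overwrite(BACKUP, rows, "BANZER_A", "LIJA"))
```

A non-empty `lost` list means those assignments would disappear in overwrite mode; a changed value in any column other than H shows up as one `lost` and one `added` entry.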

If the file is uploaded successfully you will see the following message. Errors will also be reported.

MassMit12.png

In NWBC we had the following mitigation before uploading.

MassMit13.png

After uploading we can see the new monitor.

MassMit14.png

Now the old monitor can be removed and the mitigating control is successfully updated.

MassMit15.png

As mentioned above, it is also possible to change other values in the local file, such as validity date, systems, etc., which makes it easy to change a huge number of mitigations.

Let me know if you have other inputs to extend this document.

Best regards,

Alessandro


22 Comments


      1. Melanie Hertel

        Hi Alessandro,

         

        I have seen this very good documentation.

         

        I have changed the Monitor user assignment to the risk.

        I have made a download of existing data, changed the monitor user there too.

        If I try to upload the file, I get an error message.

        Valid-to date can at line number 1…, 2…and so on.

         

        I don’t see which date the program means. The valid to date below “Mitigated User” is after the valid from date.

         

        Any idea?

         

        BR

        Melanie

        (0) 
              1. Alessandro Banzer Post author

                Dear Melanie,

                 

                difficult – you can handle it differently. Some companies do remove old entries, others want to keep them.

                 

                Basically, if you want to keep the old entries you need to keep all the owners, etc. and can use the upload functionality only to a limited extent. You should then consider working with append rather than overwrite and only update/upload new assignments.

                 

                Regards,

                Alessandro

                (0) 
      1. Faisal Khan

        Hi Alessandro,

         

        Very nice document!

         

        May I know why the older monitor is removed manually? Can't we make it automatic using this Excel file?

         

        Regards,

        Faisal

        (0) 
        1. Alessandro Banzer Post author

          Dear Faisal,

           

          the Excel just changes the mitigations, and not the mitigating control itself.

           

          Does this answer your question?

           

          Regards,

          Alessandro

          (0) 
          1. Rakesh Ram

            Hello Alessandro,

             

            When I am trying to perform the steps mentioned above using the below programs

             

            GRAC_DOWNLOAD_MIT_ASSIGNMENTS         To download all mitigation to a local file

            GRAC_UPLOAD_MIT_ASSIGNMENTS               To upload all mitigation from a local file

             

            I am getting the message saying the programs don't exist. I am on SP8.

             

            Any inputs on how to proceed further. Thanks in advance.

             

            Regards

            Deepak M

            (0) 
  1. Alfredo Murguia

    Hi Alessandro, thank you for the tutorial, very useful.

    One comment:

    What happens if I try to upload a Mitigation Control for a Risk that no longer exists? Because the Mitigation is based on risks that can be eliminated in the meantime (the time between when you decide to assign a mitigating control and when you actually do the mass import).

    Thanks again.

    (0) 
  2. dinesh sharma

    Hi Alessandro, thank you for the tutorial, very useful.

    Can you please provide suggestions on below points:

    1. Mitigation report under Set-up tab is not giving the right info on the Updated by and Updated on fields. Sometimes it's missing updates in mitigation controls - can you please guide what can be the matter here?

     

     

    2. Any issues precautions preparations need to be done for PC 10 to 10.1 upgrade?

     

     

    Thanks and kind regards

    (0) 
  3. Steve Fletchall

    Thanks for the guide, Alessandro – des hosch’ guat g’mocht.

     

    Hopefully SAP addresses the bug with the “end to” date.  There should never be a case where I can download existing mitigations as backup and then it fails to upload this same file because some mitigation assignments have expired – this is bad programming.

     

    The program checks that end date is AFTER start date – that is good!

    But it should NOT matter if the end date is in the past – this is a bug.

    (0) 
      1. Steve Fletchall

        Hi Ying,

         

        Sorry, I have not followed up with SAP.  We worked around this by “appending” the updated mitigations and hoping that we don’t need to restore the backup fully. Nevertheless, if I get time, I may submit this to SAP as a bug.

         

        One additional note:  If mitigation monitors have changed, this will NOT be reflected in the assigned mitigations or the downloaded file.  When uploading the file, this field must be updated or the upload will fail.  I compare report GRC AC Reporting -> Access Risk Analysis Reports -> Mitigation Control Report with the download file and mass updated the monitor field before uploading.

         

        Regards,

        Steven

        (0) 
        1. Ying Ye

          Thanks Steven. I created a message to SAP and the notes below help.

           

          2235825-Mitigation Assignment Upload Risk ID is

          2209729-Mitigation Control load incorrect Date format

          2094947-Invalid date format in GRAC_UPLOAD_MIT_ASSIGNMENTS causes inconsistencies

          2101309-Mitigation assignment upload throws Invalid Role error

          2172752-AC10.0 ARA SP20-Issue in upload mitigation-file location

          (0) 
