Mass change of Mitigation Assignments
This document describes how to perform mass change of mitigation assignments. I would like to give you an overview how the down-/upload program for mitigations can be used and in which business scenarios it might be helpful.
Please note that the used programs to perform mass mitigations are available with AC 10.0 SP10. See also OSS note: http://service.sap.com/sap/support/notes/1749804
Problems which can be handled:
- Change monitor of mitigating controls (e.g. replacements)
- Change validity date
- Change system
- Add / Remove a huge number of mitigations
- Activate / Deactivate a huge numbers of mitigations
The most complex scenario is to change a monitor of mitigating controls and this best practice process I would like to share in this document. All other scenarios are similar and can be handled analog to this.
Removing an existing monitor, who still monitors mitigations, must be changed before he can be removed from a control. The following error message will appear if you try to remove the monitor.
First we have to define the new monitor by adding a new row and define with assignment type = Monitor. Please be aware that the new monitor must be assigned to the organization unit and must be an owner (pre-requirements).
The following picture shows that BANZER_A is still monitoring an active mitigation for the user T-BANZER as we could see above. It is also possible that the user monitors more than one mitigation.
Updating all mitigations in NWBC would take some time and therefore you can use the following programs.
GRAC_DOWNLOAD_MIT_ASSIGNMENTS To download all mitigations to a local file
GRAC_UPLOAD_MIT_ASSIGNMENTS To upload all mitigations from a local file
Start the program via transaction SA38.
Beside user mitigations it is also possible to download profile, roles and role/user organizational mitigations. In this example we are going to change user mitigations and therefore we choose USER.
Personally I always download all mitigations as XLS file as it is easy to change the content with Excel (filter, search, etc.).
After downloading the file you will see all mitigations in the Excel. In my example I have only one mitigation for the user T-BANZER.
The structure of the file, as the titles are missing, is given below.
It is possible to update each column (system, validity, etc.) and also to add an additional lines for new user mitigations. Please be aware that the values are checked while uploading and wrong data will abort the upload.
As we can see in the following picture I have updated the monitor in column H to LIJA (user name of the new monitor).
After I am done with editing the file I save and upload via the upload program. Therefore I use again SA38.
Here it is also possible to upload user, role, profiles and organizational mitigations. Uploading mitigations can be done in two different modes. Append means the uploaded mitigations will be added to the existing, whereas overwrite will overwrite all existing mitigations. Please be aware if you have for example 1000 mitigations and you upload a single record and choose overwrite, all others will be deleted and the single mitigation is the only one existing in the system.
To avoid such scenarios I always download all mitigations to a file, copy the file, modify the copied and upload the modified file. In case if something goes wrong I can upload the old file.
If the file is uploaded successfully you will see the following message. Errors will also be reported.
In NWBC we had the following mitigation before uploading.
After uploading we can see the new monitor.
Now the old monitor can be removed and the mitigating control is successfully updated.
As mentioned above it is also possible to change other values in the local file such as validity date, systems, etc. which offers great functionalities to easily change a huge number of mitigations.
Let me know if you have other inputs to extend this document.