User Manual Risk Analysis & Remediation
Risk Analysis & Remediation (RAR) is the component of SAP GRC that provides risk analysis, detection and remediation for access and authorization control.
In the screen shot below you see the home page of SAP GRC RAR, with 7 tabs for the different types of activity that can be performed. End users do their work mainly in the Mitigation and Informer tabs.
Major Functions Of RAR:
RAR provides the ability to perform several major functions:
- Determine and report whether any risks are associated with a group of actions or permissions and a User, Role, or Profile.
- Determine and report whether any risks would be introduced by simulating the addition of actions, Roles, or Profiles to a User ID. Because the simulation runs before the assignment is made, new risks can be caught before they reach the production environment.
- Easily create, maintain, and manage Risks used to generate Rules.
- Apply Controls to mitigate any Risk associated with a User, Role, or Profile.
- Alert the appropriate monitor when conflicting or critical actions are used, or when a control is assigned to mitigate a risk.
- Alert the appropriate manager when activity monitoring is not performed.
SAP Security Check Sequence:
1. The R/3 user logs into SAP.
2. SAP programs are called.
3. Security routines identify the authorization objects and the required field values.
4. The values required by the program are matched against the values in the user's security authorizations.
5. Access is granted when the values match.
Risk Analysis:
A Risk is defined as two or more actions that, when available to a single user, role, profile,
or HR Object, creates the possibility of error or irregularity. There are thousands of action combinations that can be categorized as Risks. Risks can also be defined by different combinations of permissions associated with specific actions.
Purpose:
When you run a Risk Analysis or a Simulation, you generate reports presenting different types of information. You may generate reports presenting risks or conflicts, or the use of critical actions, by the User, Role, Profile, or HR Object you included in the analysis. By generating these reports you can identify the Risk and either remove it or apply a
Mitigation:
Once you have run a Risk Analysis and have identified the Risks associated with a User or Role, you may want to limit or monitor a Risk rather than remove its cause. Mitigation Controls give you the ability to associate controls with Risks, so that they can be applied to the Users and Roles found to violate SODs during Risk Analysis. You also define Monitors and Approvers, assign them to specific controls, and create Business Units to categorize your Mitigation Controls.
The Mitigation tab allows you to mitigate specific risk violations that you want to remain available to specific users or roles. This is done by creating and assigning a Mitigation Control.
A Mitigation Control performs the following functions:
- Identifies the Segregation of Duties (SOD) conflict as a known Risk.
- Establishes a period of time during which the Risk may exist (and is monitored).
- Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk.
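The Risk Analysis, Simulation and Mitigation Control concepts described above, shown together as an added example: a small Python model of action-level risk rules, a simulation that checks a role assignment before it is made, and mitigating controls with a validity window and a mandatory Monitor. This is illustrative code written for this manual, not SAP GRC software; the roles, users, transaction codes, Risk IDs, control IDs and monitor ID are constructed, and treating the trailing * on a Risk ID as a wildcard pattern is the example's own assumption.

```python
"""Toy model of RAR-style risk analysis, simulation and mitigation.

Added illustrative example, not SAP GRC code.  Every role, user, transaction
code, Risk ID, control ID and monitor ID below is constructed.
"""
from datetime import date
from fnmatch import fnmatchcase

# Role -> actions (transaction codes) the role grants.  Constructed data.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},   # create / change vendor master
    "Z_AP_INVOICE":      {"FB60", "MIRO"},   # post vendor invoices
    "Z_AP_PAYMENT":      {"F110"},           # run the automatic payment program
    "Z_AP_DISPLAY":      {"FK03", "FB03"},   # display only
}
# User -> assigned roles.  Constructed data.
USERS = {
    "JDOE":   {"Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"},
    "ASMITH": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},
}
# Risk -> groups of conflicting actions.  The risk fires when one user holds
# at least one action from EVERY group (two functions that should be separated).
RISKS = {
    "P001": ({"FK01", "FK02"}, {"F110"}),   # maintain vendor master and pay vendors
    "P002": ({"FB60", "MIRO"}, {"F110"}),   # post invoices and pay them
}
# Mitigating controls.  "risk" is a Risk ID pattern; the trailing '*' is
# treated as a wildcard (assumption about the '*' entered on the Mitigation
# screen).  Validity window and monitor follow the control definition fields.
CONTROLS = [
    {"id": "MC_AP_01", "risk": "P002*", "users": {"ASMITH"}, "roles": set(),
     "valid_from": "2024-01-01", "valid_to": "2024-12-31", "monitor": "FBD_M004"},
    # Defective control: no monitor assigned, so it must not count as mitigation.
    {"id": "MC_AP_02", "risk": "P001*", "users": set(), "roles": {"Z_AP_VENDOR_MAINT"},
     "valid_from": "2024-01-01", "valid_to": "2024-12-31", "monitor": None},
]


def actions_for(roles):
    """Union of the actions granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))


def analyze(actions):
    """Risk analysis: Risk IDs whose every conflicting-action group is hit."""
    return sorted(rid for rid, groups in RISKS.items()
                  if all(actions & group for group in groups))


def analyze_user(user):
    """Risk analysis for a user's current role assignment."""
    return analyze(actions_for(USERS[user]))


def simulate(user, add_roles):
    """Simulation: risks that ADDING roles would introduce, computed without
    changing the user's real assignment."""
    before = set(analyze_user(user))
    after = set(analyze(actions_for(USERS[user] | set(add_roles))))
    return sorted(after - before)


def mitigated(user, risk_id, on):
    """True if a control with a monitor covers this user (directly or through
    one of the user's roles) for this Risk ID on the given ISO date."""
    on = date.fromisoformat(on)
    for c in CONTROLS:
        if not c["monitor"]:                       # monitors are mandatory
            continue
        if not fnmatchcase(risk_id, c["risk"]):    # Risk ID pattern, '*' wildcard
            continue
        if user not in c["users"] and not (USERS[user] & c["roles"]):
            continue
        if date.fromisoformat(c["valid_from"]) <= on <= date.fromisoformat(c["valid_to"]):
            return True
    return False


def report(user, on):
    """Informer-style view: each risk for the user with its mitigation status."""
    return {rid: ("mitigated" if mitigated(user, rid, on) else "OPEN")
            for rid in analyze_user(user)}


if __name__ == "__main__":
    for u in USERS:
        print(u, report(u, "2024-06-01"))
    print("JDOE + Z_AP_PAYMENT would introduce:", simulate("JDOE", ["Z_AP_PAYMENT"]))
```

Running the script lists each user's risks with their mitigation status and what the simulation would add. MC_AP_02 never mitigates anything because it has no Monitor, which mirrors the rule above that only Monitors associated with a Control definition can be used when mitigating a Risk; once the control's Valid To date has passed, the risk is reported as open again.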
Prerequisites to configure Mitigation: Administrator, Business Units
The Administrator option allows you to create and maintain Approvers, Monitors and Risk Owners. Users who need to perform these functions must be maintained in this Administrator screen in order to be available in subsequent screens.
Administrator ID: FBD_M004
Full Name: Supratip Narayan Roy
Search Administrator:
Menu Path: Mitigation Tab -> Administrator -> select the administrator role you want to search (Approver, Monitor or Risk Owner) -> Search. You can now view and edit an existing Administrator by selecting it and clicking the Change button.
Establishing Business Units allows you to categorize your Mitigation Controls. When you define Mitigation Controls, you categorize each one by assigning it a specific Business Unit. This also lets you limit the Controls available to the Business Units specified in a RAR Role definition.
Creation of Business Unit:
1. The Business Units option expands to Create and Search. Click Create and the Define Business Unit page appears.
2. In the Business Unit ID field, enter a unique alphanumeric identification for the business unit.
3. In the Description field, enter a short description of the business unit.
4. In the Approver tab, click the Plus icon to add a new Approver ID and their full name.
5. In the Monitor tab, click the Plus icon to add a new Monitor ID and their full name.
Note: Approvers and Monitors must be set up using the Administrator pane before they can be assigned to Business Units.
6. Click Create.
After creating the business unit you can search for it and amend it if required.
Click the Search button and you will be directed to the page shown below, where you have the Change and Delete options.
When you define a Mitigation Control you create a Mitigation Control ID. This Control ID appears in various Risk Analysis reports.
Defining a Mitigation Control includes associating the Risk IDs that are mitigated by the control. A Role assigned to the control is mitigated only for the Risk IDs associated in the Control definition.
Creation of Mitigating Control:
1. Menu Path: Mitigation Tab -> Mitigating Controls -> Create
2. In the Mitigating Control ID field, enter a unique alphanumeric ID of at most 10 characters for the mitigating control.
3. In the Description field, enter a short description of the mitigating control.
4. In the Business Unit drop down menu, select the desired business unit. The drop down menu displays the business units that you created under Business Units.
5. In the Management Approver drop down menu, select the desired approver. The drop down menu displays the approvers that are associated with the Business Unit selected in Step 4.
6. In the Associated Risks tab, click the Plus icon to add Risk IDs to the mitigating control. Enter each Risk ID followed by * as shown in the screen shot below.
The Associated Risks tab is used to associate Risk IDs with the Mitigation Control. Only Risk IDs associated with a Control can be used to mitigate a Risk.
7. In the Monitors tab, click the Plus icon to add monitors to the mitigating control as shown in the screen shot above. The Monitors tab is used to associate Monitors with the Mitigation Control.
Note: Approvers and Monitors must be set up using the Administrator pane before they can be assigned to Business Units.
8. Click Save.
To search a Mitigating Control:
1. The Mitigating Controls option expands to Create and Search. Click Search and the Search Mitigating Controls page appears.
Note: During your search, use any of the fields in the Search Mitigating Controls page as search criteria. After entering data in any field, click Search.
2. In the Mitigating Control ID field, click the Search icon to search for a mitigating control ID.
3. In the Description field, enter a short description of the mitigating control.
4. In the Business Unit field, click the Search icon to search for a business unit.
5. In the Management Approver field, enter the approver's user ID for the mitigating control you want to search.
6. In the User ID field, click the Search icon to search for a user ID.
7. In the Role field, click the Search icon to search for a role.
8. In the Monitor drop down menu, select the desired monitor.
9. In the Risk ID field, click the Search icon to search for a risk ID.
10. In the Valid From and Valid To fields, click the Calendar icon to define the time range during which the mitigation control mitigates a user or role.
11. In the Status drop down menu, select the desired status (All, Enable, Disable).
12. Click Search.
Mitigation of Roles:
Search for the mitigating control ID under which the Risk ID exists for which you want to mitigate specific roles, then select the control ID and click the Change button as shown in the screen shot below.
Now select the Risk under which you want to add the mitigated roles and click the Mitigate Roles button as shown in the screen shot below.
After clicking Mitigate Roles you will be directed to the page shown below, where you click the Add button to add the roles you want to mitigate.
After clicking the Add button you will be directed to the page shown below, where you search for the role as shown in the screen shot:
Click on the Role name -> select the system -> paste the role name -> click the Search button; the role is listed -> click Select -> enter the Risk ID followed by * -> select the Monitor ID -> save the data.
The specific role is now mitigated for that Risk.
Informer:
RAR provides detailed compliance analysis for enterprises. RAR allows enterprises to examine every aspect of their Enterprise Resource Planning (ERP) system and to implement internal controls. The data gathered in each analysis is made available for immediate viewing in a wide range of predefined and user-modified reports. These reports are accessible through the Informer tab.
Informer tab report types