ARA
Risk Levels:
- Low
- Medium
- High
- Critical
Example:
- User with Client Admin role: SCC4, SCC5, SCC7, SCC1
- User with Security Admin role: SU01, PFCG
Risk Analysis Report Formats:
Detail
Summary
Management Summary
Executive Summary
SOD Risk:
M002 : Production order processing and confirming production orders
The risk above arises from the two functions below, which conflict with each other:
PP02 - Production order processing
PP01 - Confirming production orders
Action-level SOD risk -----> CO01 + CO11
SM36
Critical Permission Risk:
Under the BASIS business process, create a function with critical authorization values:
GE_BS_CPF
- S_DEVELOP with Activity 01 or 02
- S_TABU_CLI with ClientMaint value X
- S_TABU_DIS with Activity 01 or 02
- S_USER_AGR with Activity 01 (create), 02 (change) or 22 (assign)
- S_CTS_ADMI
- S_BATCH_ADMI
Risk Remediation:
Remediation means eliminating the risk by removing the access.
How is access removed?
1) Remove the role (affects a single user)
2) Remove the tcode from the role (affects multiple users)
Risk Mitigation:
Reducing the probability or the impact of the risk when the access itself must stay.
Normal user (access is needed on a permanent basis) -----> Risk -----> Risk Owner -----> Mitigation Approver -----> Mitigation Monitor
Mitigation Control:
Steps
1) Create user IDs in SU01 for the Mitigation Approver and Monitors in the GRC system.
2) Define/declare them in the GRC system as Mitigation Approver and Monitor in NWBC -----> Setup -----> Access Control Owners.
3) Create the Root Org in SPRO -----> GRC -----> Shared Master Data.
Risk Simulation:
Run a simulation before granting access, i.e.
- Whenever a user asks for extra access
- Whenever a role has to be modified (adding more tcodes or authorizations)
Simulation options:
- Risks from Simulation Only?
- Exclude Values?
Example:
Finance SOD Risk
Action level: Create Invoice (FB01) & Approve Invoice (FBV0)
Permission level: FB01 -----> AO1 with Activity 01