GRC ARA risk defined as critical

sanneval1 — Mon, 27 Nov 2017 10:54:50 GMT

Hi,

Can you please confirm that this is how GRC Access control should work.

Here is the scenario:

We have few SOD risks defined as Critical (Risk level) . Those risks seem to behave in Risk Analysis like it would be a Critical action. By this we mean that we get results from the ad-hoc risk analysis even though the user/role does not have transaction codes from the both functions from the particular risk.

Example:

Risk ID: H005 (risk level Critical)

Function ID's: HR04 and PY04

The user is having transactions only from HR04, but usage of this function comes to the report. User does not have ANY transactions from the PY04.

This happens to multiple users. This does not happen if the Risk level of the SOD risk is something else than Critical.

Is this normal functionality of ARA risk analysis?

Re: GRC ARA risk defined as critical

former_member226273 — Wed, 29 Nov 2017 13:26:23 GMT

Hello Sanna,

Firstly, no its not normal functionality and its not how GRC ARA should work.

Coming to your issue, could you please share few screen shots, your GRC SP level, it will help in better analysis.

Also, please cross check the rule IDs while executing risk analysis with the rule IDs of generated ruleset.

Kind regards,

Yashasvi

Question Re: GRC ARA risk defined as critical in Financial Management Q&A

GRC ARA risk defined as critical

Re: GRC ARA risk defined as critical