Mitigation runs against role but not user with same role assignment

Former Member
0 Kudos
Hello, I'm currently running Compliance Calibrator 4.0. I've created a Mitigation Control and assigned a number of Risks to the Mitigation Control.

I've then assigned the Risks in that Mitigation Control to a specific role.

When I run the SoD check, the role no longer shows any issues. This is good and expected.

However, when I run the SoD against a user that has that role assigned the user is reported with issues when no SoD issues should be shown.

Am I missing something? I don't believe I need to assign Mitigation Control to the user, because one day the risk might be valid to that user, but just not for the role I'm trying to mitigate against. Many thanks.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Dylan - Make sure the configuration parameter 'Include Role/Prof mitigating contls in User analysis (YES/NO)' is set to YES.

Former Member
0 Kudos

Please note that the parameter 'Include Role/Prof mitigating contls in User analysis (YES/NO)' is available in CC version 5.2.

-- Anjali

Former Member
0 Kudos

The original message stated that he was on CC 4.0. This parameter is available in the 4.0 release as well.

Former Member
0 Kudos

Hello Dylan,

You have mentioned that you run the SoD against a user to whom the specific role is assigned. Has this user been assigned any other role?

When you get issues for that user, are they for the same risks for which you have defined mitigating controls, or for other risks?

-- Anjali

Former Member
0 Kudos

Hello Anjali, thanks for the response.

The user I'm evaluating only has that role assigned. The role is composite, if that makes a difference. The issues are exactly the same for the role and the user. Only that when the SoD report is run against the user, no mitigating controls are reported, but when it is run against the composite role itself, the mitigating controls are reported.

-Dylan

Former Member
0 Kudos

Dear Dylan,

Did you assign the composite role to the user?

Regards,

Naveen.

Former Member
0 Kudos

Hi Dylan, the system is reacting correctly.

When you mitigate a role, you mitigate the risk associated with the role and under 'Role Analysis' you will see that this role has been mitigated.

However, when you run a User Analysis, the system will still identify him if there is a 'RISK' associated with the user, and this is regardless of whether the associated role is mitigated or not, because what you want to know is the risk of the user and not what roles this user has.

You will need to specifically mitigate the User in order for the mitigation control to show against the User in the report.

The same applies vice versa: when you mitigate a user, it does not mean that all the roles the user has are mitigated. The risk associated with the roles will still appear when you do 'Role Analysis'.

Cheers!
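To make the behaviour discussed in this thread concrete, here is an added example that is not part of the original thread and not Compliance Calibrator's own code: a small Python model of Role Analysis versus User Analysis with role-level and user-level mitigating controls. The risk ids, role names, user names and control ids are all constructed, and the `include_role_mitigations` flag is an assumed stand-in for the 'Include Role/Prof mitigating contls in User analysis' parameter mentioned in the first answer. The model also assumes that a role-level control is carried over to a user only when that single role grants the whole risk, so a user who reaches the same risk through a different combination of roles is still flagged.

```python
"""Toy SoD (segregation-of-duties) engine modelling role vs. user mitigation.

Constructed example: the risks, roles, users and control ids below are
made up, and the logic is an assumption about how the product behaves,
not its actual implementation.
"""

# A risk is a pair of conflicting functions; a subject that holds both has the risk.
RISKS = {
    "P001": frozenset({"CREATE_VENDOR", "PAY_VENDOR"}),
    "S002": frozenset({"MAINTAIN_PRICES", "POST_SALES_ORDER"}),
}

# Functions granted by each single role (constructed).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "PAY_VENDOR"},  # this one role carries P001 on its own
    "Z_SALES_DISPLAY": {"MAINTAIN_PRICES"},
    "Z_SALES_ORDER": {"POST_SALES_ORDER"},
}

# Composite roles contain other roles.
COMPOSITE_ROLES = {"Z_AP_COMPOSITE": {"Z_AP_CLERK"}}

USER_ROLES = {
    "DYLAN": {"Z_AP_COMPOSITE"},                    # risk comes from one mitigated role
    "ALICE": {"Z_SALES_DISPLAY", "Z_SALES_ORDER"},  # risk arises across two roles
}

# Mitigating controls assigned at role level and at user level, keyed by (subject, risk).
ROLE_MITIGATIONS = {("Z_AP_COMPOSITE", "P001"): "MC01"}
USER_MITIGATIONS = {("ALICE", "S002"): "MC02"}


def expand_role(role):
    """Return every function a role grants, following composite roles recursively."""
    functions = set(ROLE_FUNCTIONS.get(role, set()))
    for child in COMPOSITE_ROLES.get(role, set()):
        functions |= expand_role(child)
    return functions


def risks_in(functions):
    """Risk ids whose conflicting function pair is fully contained in `functions`."""
    return {risk_id for risk_id, pair in RISKS.items() if pair <= functions}


def role_analysis(role):
    """Map each risk the role carries to its role-level control (None = unmitigated)."""
    return {risk_id: ROLE_MITIGATIONS.get((role, risk_id))
            for risk_id in risks_in(expand_role(role))}


def user_analysis(user, include_role_mitigations=False):
    """Map each risk the user carries to the control that covers it (None = unmitigated).

    User-level controls always apply. Role-level controls apply only when the
    assumed parameter is on, and only for a role that grants the whole risk by
    itself, so cross-role conflicts are never hidden by a single role's control.
    """
    roles = USER_ROLES.get(user, set())
    all_functions = set().union(*(expand_role(r) for r in roles))
    report = {}
    for risk_id in risks_in(all_functions):
        control = USER_MITIGATIONS.get((user, risk_id))
        if control is None and include_role_mitigations:
            for role in roles:
                if (role, risk_id) in ROLE_MITIGATIONS and RISKS[risk_id] <= expand_role(role):
                    control = ROLE_MITIGATIONS[(role, risk_id)]
                    break
        report[risk_id] = control
    return report


if __name__ == "__main__":
    print("Role Analysis Z_AP_COMPOSITE:", role_analysis("Z_AP_COMPOSITE"))
    print("User Analysis DYLAN (parameter NO): ", user_analysis("DYLAN"))
    print("User Analysis DYLAN (parameter YES):", user_analysis("DYLAN", True))
    print("Role Analysis Z_SALES_DISPLAY:", role_analysis("Z_SALES_DISPLAY"))
    print("User Analysis ALICE (parameter YES):", user_analysis("ALICE", True))
```

Run stand-alone, the script shows the three situations raised in the thread: the composite role reports P001 as mitigated, the user holding that role is still flagged while the parameter is off and is cleared once it is on, and ALICE's cross-role risk is cleared only by her own user-level control while neither of her single roles shows the risk at all.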

Former Member
0 Kudos

Hello Naveen,

The thing is, the rule is producing a false positive against the user because they have a wide display role. The rule is still valid if the user one day has another role that gives them the access. If I make the mitigation against the user, then I will miss a real risk against that user one day.

So, what should happen is that I mitigate the role, and if the role is assigned to the user, then the role is removed from the user analysis before the SoD engine checks the auths.

Do I misunderstand the concept with Virsa 4.0 mitigations? -dylan

Former Member
0 Kudos

Hi,

You can choose to mitigate the risk, assign a Mitigating Control through Compliance Calibrator by Virsa or can remove one of the security roles that are causing the conflict. You are right.

Regards,

Naveen.

Former Member
0 Kudos

Hi All,

I fully agree with Simitaichi.

The reason is you may want to mitigate the risk for one user but not for all the users under that role. Hence the system's behavior is correct.

Cheers,

Anjali

Former Member
0 Kudos

The objective is to mitigate the risk against a role and against any user with that role. The entire user should not be mitigated, but just the results against the users from that role.

Maybe there is an alternative way to accomplish the same task?