サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.1 - Risk Assessment Administration Guide

Assigning mitigating controls to SAP function definitions

NOTE: This function is only available if the SAP R/3 Compliance Add-on Module is installed.

Use this task to specify the function definitions for which a mitigating control is valid. You can only assign function definitions that are enabled on the assignment form.

To assign SAP function definitions to mitigating controls

  1. In the Manager, select the Risk index functions > Mitigating controls category.

  2. Select the mitigating control in the result list.

  3. Select the Assign function definitions task.

    In the Add assignments pane, assign the function definitions.

    TIP: In the Remove assignments pane, you can remove function definitions assignments.

    To remove an assignment

    • Select the mitigating control and double-click .

  4. Save the changes.

Displaying mitigating controls overview

You can see the most important information about a mitigating control on the overview form.

To obtain an overview of a mitigating control

  1. In the Manager, select the Risk index functions > Mitigating controls category.

  2. Select the mitigating control in the result list.

  3. Select the Mitigating control overview task.

Calculating mitigation

The reduction in significance of a mitigating control supplies the value by which the risk index of a compliance rule, SAP function, attestation policy, or company policy is reduced when the control is implemented.One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the SAP function, attestation policy or company policy and the significance reduced sum of all assigned mitigating controls.

Calculating mitigation for rule violations depends on the QER | CalculateRiskIndex | MitigatingControlsPerViolation configuration parameter.

Table 10: Effect of configuration parameters on calculating mitigation
Configuration parameters Effect

Deactivated

The compliance rule's reduced risk index is calculated. This takes mitigating controls into account that are assigned to a compliance rule.

Enabled

The compliance rule's risk index is not reduced. The reduced risk index corresponds, therefore, to the compliance rule's risk index.

This calculates the reduced risk index of employees with rule violations and takes into account mitigating controls that were assigned to a rule violation during an exception approval.

Risk index (reduced) = Risk index - sum significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.

Related topics

Risk index calculation example

Risk index calculation is explained here using an employee with SAP system authorizations and assigned software. The employee is a manager.

Jo User1 is:

  • External employee
  • Primary membership in the "Personal" department
  • Customer in the "Software" IT Shop

The "Personnel" department is assigned

  • A KRSAP account definition for the "SAPClient" SAP client
  • An SAPG1 SAP group

The following also applies

  • Jo User1 has requested three software applications through the IT Shop. The requests were approved; the software assigned.
  • The JOU user account (SAP R/3) was created through an account definition.
  • The JOU user account is a direct member of the SAPG2 SAP group .
  • The JOU user account is assigned directly to the SAPSP structural profile.
  • Jo User1 is team lead of a work group and therefore manager of 10 staff members.
  • Employee are attested regularly.

The following risk indexes are calculated for the company resources:

Company Resource Risk index
KRSAP 0.0
SAPG1 0.7
SAPG2 0.2
SAPSP 0.5
Software 1 0.1
Software 2 0.2
Software 3 0.3

One Identity Manager uses the default risk index functions to calculate risk indexes for the following objects:

Table From the object's risk indexes
Employees All assigned objects
Software assignments Software applications
Account definition assignments Account definitions
SAP user accounts SAP groups, structural profiles
Roles and organizations Software (for the product nodes of the three applications)

SAP groups (for department R)

Account definitions (for the department R)

The calculation type is Maximum (weighted). The weighting is 1.

Calculation Sequence

  1. Determine risk indexes of the SAP user accounts: group assignments table.

    The table contains two entries for the JOU user account. The risk indexes correspond to the risk indexes of the assigned SAPG1 and SAPG2 SAP groups. As the SAP group is assigned to SAPG1 by inheritance, the risk index of this SAP group is decremented.

  2. Determine risk indexes of the SAP user accounts: assignments to structural profiles table.

    The table contains one entry for the JOU user account. The risk index corresponds to the risk index of the assigned structural profile SAPSP.

  3. Calculate the risk index of the SAP user accounts table.

    The table contains one entry for the JOU user account. The risk index is calculated from the risk indexes determined in steps 1 and 2.

  4. Find the risk index of the Software assignments table.

    The table contains three entries for Jo User1 for the three assigned software applications. The risk indexes correspond to the risk indexes of the software applications.

  5. Find the risk index of the Account definitions assignments table.

    The table contains one entry for Jo User1. The risk index corresponds to the risk index of the assigned account definition KRSAP.

  6. Calculate the risk index of the Employees table.

    The table contains one entry for Jo User1. The risk index is calculated from the risk indexes found in steps 3, 4, and 5. The calculated risk index is increased because Jo User1 is the manager of other employees. The calculated risk index is reduced because the last attestation case for Jo User1 was approved.

    Table 11: Risk index calculation results

    #

    Object

    Calculated risk index

    +/-

    Resulting risk index

    Comment

    1

    JOU: SAPG1

    0,7

    -0,05

    0,65

    Decrement, because inherited

    USERC: SAPG2

    0,2

    0,2

    Directly assigned

    2

    JOU: SAPSP

    0,5

    0,5

    Directly assigned

    3

    JOU

    0,65

    0,65

    Maximum value from steps 1 and 2

    0,5

    4

    Jo User1: Software 1

    0,1

    0,1

    Jo User1: Software 2

    0,2

    0,2

    Jo User1: Software 3

    0,3

    0,3

    5

    Jo User1: KRSAP

    0,0

    0,0

    6

    Jo User1

    0,65

    0,65

    Maximum value from steps 3, 4, and 5

    0,3

    0.0

    +0,2

    0,85

    Incremented, as Jo User1 manages other employees

    -0,33

    0,52

    Decrement, as attestation is approved

    Legend: # - step, +/- – increment/decrement

  1. Find the risk index of the Roles and organizations: software assignments table.

    The table contains one entry each for the requested software applications. The risk indexes correspond to the risk indexes of the software applications.

  2. Calculate the risk index of the Roles and organizations table.

    The table contains one entry each for the requested software applications. The risk indexes are calculated from those determined in step 7.

  3. Find risk index or the table Roles and organizations: account definition assignments.

    The table contains one entry for the "Personnel" department. The risk index corresponds to the risk index of the assigned account definition KRSAP.

  4. Find the risk index of the Roles and organizations: SAP group assignments table.

    The table contains one entry for the "Personnel" department. The risk index corresponds to the risk index of the assigned SAP group SAPG1.

  5. Calculate the risk index of the Roles and organizations table.

    The table contains one entry each for the "Personnel" department. The risk index is calculated from the risk indexes determined in steps 9 and 10. Since no manager is assigned to the department, the calculated risk index is incremented.

  6. Find the risk index of the Employees: memberships in roles and organizations table.The table contains three entries for Jo User1 because they are a member of the three product nodes.

    The risk indexes are taken from those calculated in step 8. The table does not contain any entries for the department R because Jo User1 is not a secondary member of this department.

    Table 12: Risk index calculation results

    #

    Object

    Calculated risk index

    +/-

    Resulting risk index

    Comment

    7

    Product node 1:

    Software 1

    0,1

    0,1

    Product node 2:

    Software 2

    0,2

    0,2

    Product node 3:

    Software 3

    0,2

    0,3

    8

    Product node 1

    0,1

    0,1

    Product node 2

    0,2

    0,2

    Product node 3

    0,3

    0,3

    9

    Personnel: KRSAP

    0,0

    0,0

    10

    Personnel: SAPG1

    0,5

    0,5

    11

    Personnel

    0,0

    0,5

    Maximum value from steps 9 and 10

    0,5

    0,5

    +0,05

    0,55

    Increment, as the department has no manager

    12

    Jo User1:

    Product node 1

    0,1

    0,1

    Jo User1:

    Product node 2

    0,2

    0,2

    Jo User1:

    Product node 3

    0,3

    0,3

     

    Legend: # - step, +/- - increment/decrement

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択