Identity Manager 8.0 - Risk Assessment Administration Guide

Calculating Mitigation

Table 11: Configuration Parameters for Calculating Risk Indexes of Rule Violations

Configuration parameter: QER\CalculateRiskIndex\MitigatingControlsPerViolation

Meaning: This configuration parameter controls the calculation of risk indexes for rule violations. If the parameter is set, exception approvers can assign mitigating controls to rule violations, and the risk index calculation takes only these mitigating controls into account. If the parameter is disabled, the risk index calculation takes the mitigating controls assigned to compliance rules into account.

The significance reduction of a mitigating control supplies the value by which to reduce a compliance rule's, an SAP function's, an attestation's or a company policy's risk index if the control is implemented. One Identity Manager calculates a reduced risk index from the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes; these functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the risk index of the SAP function, attestation policy or company policy and the sum of the significance reductions of all assigned mitigating controls.

Calculating mitigation for rule violations depends on the configuration parameter "QER\CalculateRiskIndex\MitigatingControlsPerViolation".

Table 12: Effect of the Configuration Parameter "QER\CalculateRiskIndex\MitigatingControlsPerViolation" on Calculating Mitigation

Configuration parameter disabled: The compliance rule's reduced risk index is calculated. This takes mitigating controls into account that are assigned to a compliance rule.

Configuration parameter enabled: The compliance rule's risk index is not reduced. The reduced risk index corresponds, therefore, to the compliance rule's risk index. The reduced risk index of employees with rule violations is calculated. This takes mitigating controls into account that were assigned to a rule violation during exception approval.

Risk index (reduced) = Risk index - sum of significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.
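As an added Python example (not One Identity's code), the following models the two settings of Table 12 and the floor at 0. The rule, controls and figures are constructed; the reading that, with the parameter disabled, a rule violation carries the compliance rule's reduced risk index is an assumption.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class MitigatingControl:
    name: str
    significance_reduction: float  # amount subtracted from the risk index

@dataclass
class ComplianceRule:
    name: str
    risk_index: float
    controls: List[MitigatingControl] = field(default_factory=list)  # assigned to the rule

@dataclass
class RuleViolation:
    rule: ComplianceRule
    employee: str
    controls: List[MitigatingControl] = field(default_factory=list)  # assigned at exception approval

def reduced_risk_index(risk_index: float, controls: List[MitigatingControl]) -> float:
    """Risk index (reduced) = Risk index - sum of significance reductions, floored at 0."""
    total = sum(c.significance_reduction for c in controls)
    return round(max(0.0, risk_index - total), 4)

# per_violation=True stands for an enabled
# QER\CalculateRiskIndex\MitigatingControlsPerViolation, False for disabled.
def mitigation(violation: RuleViolation, per_violation: bool) -> dict:
    """Rule-level and violation-level reduced risk indexes for one parameter setting."""
    rule = violation.rule
    if per_violation:
        # Enabled: the rule's own index is not reduced; only the controls the
        # exception approver assigned to the violation count.
        return {"rule": rule.risk_index,
                "violation": reduced_risk_index(rule.risk_index, violation.controls)}
    # Disabled: only controls assigned to the rule count. Assumption: the
    # violation then carries the rule's reduced index (Table 12 gives no separate value).
    rule_reduced = reduced_risk_index(rule.risk_index, rule.controls)
    return {"rule": rule_reduced, "violation": rule_reduced}

# Constructed sample data, not taken from the guide.
RULE = ComplianceRule("Create vendor and release payment", 0.8,
                      [MitigatingControl("Quarterly vendor master audit", 0.3)])
VIOLATION = RuleViolation(RULE, "Clara Harris",
                          [MitigatingControl("Four-eyes release of payments", 0.5),
                           MitigatingControl("Monthly recertification", 0.4)])
```

With the parameter disabled the rule drops from 0.8 to 0.5; enabled, the two violation-level controls sum to 0.9, so the violation's reduced index is floored at 0.0 while the rule stays at 0.8.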

Appendix: Example of a Risk Index Calculation

Risk index calculation is explained here using an employee with SAP system authorizations and assigned applications. The employee is a manager.

Clara Harris is:

  • External employee
  • Primary membership in the department "Personnel"
  • Customer in IT Shop "Software"

The department "Personnel" is assigned:

  • An account definition "KRSAP" for the SAP client "SAPClient"
  • An SAP group "SAPG1"

The following also applies:

  • Clara Harris has requested three applications through the IT Shop. The requests were approved; the applications assigned.
  • The user account "CLARAH" (SAP R/3) was created through an account definition.
  • The user account "CLARAH" is a direct member of the SAP group "SAPG2".
  • The user account "CLARAH" is assigned directly to the structural profile "SAPSP".
  • Clara Harris is team lead of a work group and therefore manager of 10 members of staff.
  • Employees are attested regularly.

The following risk indexes are calculated for the company resources:

Company Resource   Risk index
KRSAP              0.0
SAPG1              0.7
SAPG2              0.2
SAPSP              0.5
Application 1      0.1
Application 2      0.2
Application 3      0.3

The One Identity Manager calculates the risk indexes for the following object types using the default functions:

Table                            From the Object's Risk Indexes
Employees                        All assigned objects
Application assignments          Applications
Account definition assignments   Account definitions
SAP user accounts                SAP groups, structural profiles
Roles and organizations          Applications (for the product nodes of the three applications);
                                 SAP groups (for the department R);
                                 Account definitions (for the department R)

The calculation type is "Maximum (weighted)". The weighting is "1".

Calculation Sequence

  1. Determine the risk indexes of the table "SAP user accounts: group assignments".

    The table contains two entries for the user account CLARAH. The risk indexes correspond to the risk indexes of the assigned SAP groups SAPG1 and SAPG2. The risk index of SAPG1 is reduced because this SAP group is assigned through inheritance.

  2. Determine the risk indexes of the table "SAP user accounts: assignments to structural profiles".

    The table contains one entry for the user account CLARAH. The risk index corresponds to the risk index of the assigned structural profile SAPSP.

  3. Calculate the risk index of the table "SAP user accounts".

    The table contains one entry for the user account CLARAH. The risk index is calculated from the risk indexes found in steps 1 and 2.

  4. Determine the risk indexes of the table "Application assignments".

    The table contains three entries for Clara Harris, one for each of the three assigned applications. The risk indexes correspond to the application risk indexes.

  5. Determine the risk index of the table "Account definition assignments".

    The table contains one entry for Ines Franz. The risk index corresponds to the risk index of the assigned account definition KRSAP.

  6. Calculate the risk index of the table "Employees".

    The table contains one entry for Clara Harris. The risk index is calculated from the risk indexes found in steps 3, 4 and 5. The calculated risk index is increased because Clara Harris is the manager of other employees. The calculated risk index is reduced because the last attestation case for Clara Harris was approved.

Table 13: Risk Index Calculation Results

#  Object                        Calculated risk index  +/-    Resulting risk index  Comment
1  CLARAH: SAPG1                 0.7                    -0.05  0.65                  Decreased because inherited
   CLARAH: SAPG2                 0.2                           0.2                   Direct assignment
2  CLARAH: SAPSP                 0.5                           0.5                   Direct assignment
3  CLARAH                        0.65, 0.5                     0.65                  Maximum value from steps 1 and 2
4  Clara Harris: Application 1   0.1                           0.1
   Clara Harris: Application 2   0.2                           0.2
   Clara Harris: Application 3   0.3                           0.3
5  Clara Harris: KRSAP           0.0                           0.0
6  Clara Harris                  0.65, 0.3, 0.0                0.65                  Maximum value from steps 3, 4 and 5
                                                        +0.2   0.85                  Increased because Clara Harris is manager of others
                                                        -0.33  0.52                  Decreased because attestation is approved

Key: # – step, +/- – increment/decrement

  7. Determine the risk indexes of the table "Roles and organizations: application assignments".

    This table contains one entry for each requested application. The risk indexes correspond to the application risk indexes.

  8. Calculate the risk indexes of the table "Roles and organizations".

    This table contains one entry for each product node of the three applications. The risk indexes are calculated from the risk indexes found in step 7.

  9. Determine the risk index of the table "Roles and organizations: account definition assignments".

    This table contains one entry for the department "Personnel". The risk index corresponds to the risk index of the assigned account definition KRSAP.

  10. Determine the risk index of the table "Roles and organizations: SAP group assignments".

    This table contains one entry for the department "Personnel". The risk index corresponds to the risk index of the assigned SAP group SAPG1.

  11. Calculate the risk index of the table "Roles and organizations".

    This table contains one entry for the department "Personnel". The risk index is calculated from the risk indexes found in steps 9 and 10. The calculated risk index is increased because the department does not have a manager.

  12. Determine the risk indexes of the table "Employees: memberships in roles and organizations".

    The table contains three entries for Clara Harris because she is a member of three product nodes. The risk indexes are taken from those calculated in step 8. The table does not contain any entries for the department R because Clara Harris is not a secondary member of this department.

Table 14: Risk Index Calculation Results

#   Object                          Calculated risk index  +/-    Resulting risk index  Comment
7   Product node 1: Application 1   0.1                           0.1
    Product node 2: Application 2   0.2                           0.2
    Product node 3: Application 3   0.3                           0.3
8   Product node 1                  0.1                           0.1
    Product node 2                  0.2                           0.2
    Product node 3                  0.3                           0.3
9   Personnel: KRSAP                0.0                           0.0
10  Personnel: SAPG1                0.5                           0.5
11  Personnel                       0.0, 0.5                      0.5                   Maximum value from steps 9 and 10
                                    0.5                    +0.05  0.55                  Increased because the department has no manager
12  Clara Harris: Product node 1    0.1                           0.1
    Clara Harris: Product node 2    0.2                           0.2
    Clara Harris: Product node 3    0.3                           0.3

Key: # – step, +/- – increment/decrement
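The calculation sequence above, replayed as an added Python example (not One Identity's code) with the calculation type "Maximum (weighted)" and weight 1. The increments and decrements are the figures from the +/- columns of Tables 13 and 14, not a rule the guide states; clamping a risk index to 0.0..1.0 is an assumption, and the department step uses 0.5 for SAPG1 exactly as Table 14 lists it.

```python
from typing import Dict, Iterable

WEIGHT = 1.0  # "The calculation type is Maximum (weighted). The weighting is 1."
# Increments/decrements as listed in the +/- column of Tables 13 and 14.
INHERITED = -0.05
IS_MANAGER = +0.2
ATTESTATION_APPROVED = -0.33
NO_DEPARTMENT_MANAGER = +0.05

# Risk indexes of the company resources from the example.
RESOURCES: Dict[str, float] = {
    "KRSAP": 0.0, "SAPG1": 0.7, "SAPG2": 0.2, "SAPSP": 0.5,
    "Application 1": 0.1, "Application 2": 0.2, "Application 3": 0.3,
}

def max_weighted(values: Iterable[float], weight: float = WEIGHT) -> float:
    """Calculation type 'Maximum (weighted)': the largest input, scaled by the weight."""
    vals = list(values)
    return round(max(vals) * weight, 4) if vals else 0.0

def adjust(value: float, *adjustments: float) -> float:
    """Apply increments/decrements; assumption: a risk index stays within 0.0..1.0."""
    return round(min(1.0, max(0.0, value + sum(adjustments))), 4)

def employee_risk_index(res: Dict[str, float] = RESOURCES) -> Dict[str, float]:
    """Steps 1 to 6 for Clara Harris (Table 13)."""
    # Step 1: group assignments of CLARAH; SAPG1 is inherited, so it is decreased.
    groups = [adjust(res["SAPG1"], INHERITED), res["SAPG2"]]        # 0.65, 0.2
    # Step 2: structural profile assignment.
    profiles = [res["SAPSP"]]                                        # 0.5
    # Step 3: user account CLARAH = maximum of steps 1 and 2.
    clarah = max_weighted(groups + profiles)                         # 0.65
    # Steps 4 and 5: application and account definition assignments.
    apps = [res["Application 1"], res["Application 2"], res["Application 3"]]
    accdefs = [res["KRSAP"]]
    # Step 6: employee = maximum of steps 3, 4 and 5, then manager and attestation adjustments.
    base = max_weighted([clarah] + apps + accdefs)                   # 0.65
    final = adjust(base, IS_MANAGER, ATTESTATION_APPROVED)           # 0.85 -> 0.52
    return {"CLARAH": clarah, "Clara Harris (before +/-)": base, "Clara Harris": final}

def department_risk_index(res: Dict[str, float] = RESOURCES) -> float:
    """Steps 9 to 11 for the department Personnel (Table 14)."""
    sapg1_for_department = 0.5  # value listed in Table 14, step 10
    base = max_weighted([res["KRSAP"], sapg1_for_department])        # 0.5
    return adjust(base, NO_DEPARTMENT_MANAGER)                       # 0.55
```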