Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Identity Manager 8.1.4 - Risk Assessment Administration Guide

Calculating mitigation

Table 11: Configuration parameters for calculating risk indexes of rule violations
Configuration parameter Effect when set
QER | CalculateRiskIndex | MitigatingControlsPerViolation

This configuration parameter controls calculation of risk indexes for rule violations. If the parameter is set, exception approvers can assign mitigating controls to rule violations. The risk index calculation only takes these mitigating controls into account. If the parameter is disabled, risk index calculation take mitigating control assigned to compliance rules into account.

The reduction in significance of a mitigating control supplies the value by which the risk index of a compliance rule, SAP function, attestation policy, or company policy is reduced when the control is implemented.One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the SAP function, attestation policy or company policy and the significance reduced sum of all assigned mitigating controls.

Calculating mitigation for rule violations depends on the "QER | CalculateRiskIndex | MitigatingControlsPerViolation" configuration parameter.

Table 12: Effect of the "QER | CalculateRiskIndex | MitigatingControlsPerViolation" configuration parameter on calculating mitigation
Configuration parameter Effect
Deactivated The compliance rule's reduced risk index is calculated. This takes mitigating controls into account that are assigned to a compliance rule.
Enabled The compliance rule's risk index is not reduced. The reduced risk index corresponds, therefore, to the compliance rule's risk index.

The reduced risk index of employees with rule violations is calculated. This takes mitigating controls into account that were assigned to a rule violation during exception approval.

Risk index (reduced) = Risk index - sum significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.

Related topics

Risk index calculation example

Risk index calculation is explained here using an employee with SAP system authorizations and assigned software. The employee is a manager.

Clara Harris is:

  • External employee
  • Primary membership in the "Personal" department
  • Customer in the "Software" IT Shop

The "Personnel" department is assigned

  • A KRSAP account definition for the "SAPClient" SAP client
  • An SAPG1 SAP group

The following also applies

  • Clara Harris has requested three software applications through the IT Shop. The requests were approved; the software assigned.
  • The CLARAH user account (SAP R/3) was created through an account definition.
  • The CLARAH user account is a direct member of the SAPG2 SAP group .
  • The CLARAH user account is assigned directly to the SAPSP structural profile .
  • Clara Harris is team lead of a work group and therefore manager of 10 staff members.
  • Employee are attested regularly.

The following risk indexes are calculated for the company resources:

Company Resource Risk index
KRSAP 0.0
SAPG1 0.7
SAPG2 0.2
SAPSP 0.5
Application 1 0.1
Application 2 0.2
Application 3 0.3

One Identity Manager calculates the risk indexes for the following object types using the default functions:

Table From the object's risk indexes
Employees All assigned objects
Software assignments Software
Account definition assignments Account definitions
SAP user accounts SAP groups, structural profiles
Roles and organizations Software (for the product nodes of the three applications)

SAP groups (for department R)

Account definitions (for the department R)

The calculation type is Maximum (weighted). The weighting is 1.

Calculation Sequence

  1. Determine risk indexes of the SAP user accounts: group assignments table.

    The table contains two entries for user account CLARAH. The risk indexes correspond to the risk indexes of the assigned SAPG1 and SAPG2 SAP groups. The risk index of this SAP group is reduced because the SAPG1 SAP group is assigned through inheritance.

  2. Determine risk indexes of the SAP user accounts: assignments to structural profiles table.

    The table contains one entry for the user account CLARAH. The risk index corresponds to the risk index of the assigned SAPSP structural profile.

  3. Calculate the risk index of the SAP user accounts table.

    The table contains one entry for the user account CLARAH. The risk index is calculated from the risk indexes determined in steps 1 and 2.

  4. Find the risk index of the Software assignments table.

    The table contain three entries for Clara Harris for the three assigned software applications. The risk indexes correspond to the software application risk indexes.

  5. Find the risk index of the Account definitions assignments table.

    The table contains one entry for Ines Franz. The risk indexes corresponds to the risk index of the assigned KRSAP account definition.

  6. Calculate the risk index of the Employees table.

    The table contains an entry for Clara Harris. The risk index is calculated from the risk indexes found in steps 3, 4, and 5. The calculated risk index is increased because Clara Harris is the manager of other employees. The calculated risk index is reduced because the last attestation case for Clara Harris was approved.

    Table 13: Risk index calculation results

    #

    Object

    Determined risk index

    +/-

    Resulting risk index

    Comment

    1

    CLARAH: SAPG1

    0.7

    -0.05

    0.65

    Decrement because inherited by

    CLARAH: SAPG2

    0.2

    0.2

    Directly assigned

    2

    CLARAH: SAPSP

    0.50

    0.5

    Directly assigned

    3

    CLARAH

    0.65

    0.65

    Maximum value from step 1 and 2

    0.5

    4

    Clara Harris: Software 1

    0.1

    0.1

    Clara Harris: Software 2

    0.2

    0.2

    Clara Harris: Software 3

    0.3

    0.3

    5

    Clara Harris: KRSAP

    0.0

    0.0

    6

    Clara Harris

    0.65

    0.65

    Maximum value from step 3, 4, and 5

    0.3

    0.0

    +0.2

    0.85

    Increment because Clara Harris manages other employees

    -0.33

    0.52

    Decrement because the attestation is approved

    Key: # – step, +/- – increment/decrement

  1. Find the risk index of the Roles and organizations: software assignments table.

    This table contains one entry for each requested software applications. The risk indexes correspond to the software application risk indexes.

  2. Calculate the risk index of the Roles and organizations table.

    This table contains one entry for each product node of the three software applications. The risk indexes are calculated from the risk indexes found in step 7.

  3. Find risk index or the table Roles and organizations: account definition assignments.

    This table contains one entry for the "Personnel" department. The risk indexes corresponds to the risk index of the assigned KRSAP account definition.

  4. Find the risk index of the Roles and organizations: SAP group assignments table.

    This table contains one entry for the "Personnel" department. The risk index corresponds to the risk index of the assigned SAPG1 SAP group.

  5. Calculate the risk index of the Roles and organizations table.

    This table contains one entry for the "Personnel" department. The risk index is calculated from the risk indexes determined in steps 9 and 10. The calculated risk index is increased because the department does not have a manager.

  6. Find the risk index of the Employees: memberships in roles and organizations table.

    The table contain three entries for Clara Harris because she is member of three product nodes. The risk indexes are taken from those calculated in step 8. The table does not contain any entries for the department R because Clara Harris is not a secondary member of this department.

    Table 14: Risk index calculation results

    #

    Object

    Determined risk index

    +/-

    Resulting risk index

    Comment

    7

    Product node 1:

    Application 1

    0.1

    0.1

    Product nodes 2:

    Application 2

    0.2

    0.2

    Product nodes 3:

    Application 3

    0.3

    0.3

    8

    Product nodes 1

    0.1

    0.1

    Product nodes 2

    0,2

    0.2

    Product nodes 3

    0,3

    0.3

    9

    Personnel: KRSAP

    0.0

    0,0

    10

    Personnel: SAPG1

    0.5

    0.5

    11

    Personnel

    0.0

    0.5

    5Maximum value from step 9 and 10

    0.5

    0.5

    +0.05

    0.55

    Increment because the department has no manage

    12

    Clara Harris:

    Product nodes 1

    0.1

    0.1

    Clara Harris:

    Product nodes 2

    0.2

    0.2

    Clara Harris:

    Product nodes 3

    0.3

    0.3

     

    Key: # – step, +/- – increment/decrement

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating