Assigning mitigating controls to SAP function definitions
NOTE: This function is only available if the SAP R/3 Compliance Add-on Module is installed.
Use this task to specify the function definitions for which a mitigating control is valid. You can only assign function definitions that are enabled on the assignment form.
To assign SAP function definitions to mitigating controls
-
In the Manager, select the Risk index functions > Mitigating controls category.
-
Select the mitigating control in the result list.
-
Select the Assign function definitions task.
In the Add assignments pane, assign the function definitions.
TIP: In the Remove assignments pane, you can remove function definitions assignments.
To remove an assignment
- Save the changes.
Displaying mitigating controls overview
You can display the most important information about a mitigating control on the overview form.
To obtain an overview of a mitigating control
-
In the Manager, select the Risk index functions > Mitigating controls category.
-
Select the mitigating control in the result list.
-
Select the Mitigating control overview task.
Calculating mitigation
The reduction in significance of a mitigating control supplies the value by which the risk index of a compliance rule, SAP function, attestation policy, or company policy is reduced when the control is implemented.One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.
The reduced risk index is calculated from the SAP function, attestation policy or company policy and the significance reduced sum of all assigned mitigating controls.
Calculating mitigation for rule violations depends on the QER | CalculateRiskIndex | MitigatingControlsPerViolation configuration parameter.
Table 10: Effect of configuration parameters on calculating mitigation
Deactivated |
The compliance rule's reduced risk index is calculated. This takes mitigating controls into account that are assigned to a compliance rule. |
Enabled |
The compliance rule's risk index is not reduced. The reduced risk index corresponds, therefore, to the compliance rule's risk index.
This calculates the reduced risk index of identities with rule violations and takes into account mitigating controls that were assigned to a rule violation during an exception approval. |
Risk index (reduced) = Risk index - sum significance reductions
If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.
Related topics
Risk index calculation example
Risk index calculation is explained here using an identity with SAP system authorizations and assigned software. The identity is a manager.
Jo User1 is:
- External employee
- Primary membership in the "Personal" department
- Customer in the "Software" IT Shop
The "Personnel" department is assigned
- A KRSAP account definition for the "SAPClient" SAP client
- An SAPG1 SAP group
The following also applies
- Jo User1 has requested three software applications through the IT Shop. The requests were approved; the software assigned.
- The JOU user account (SAP R/3) was created through an account definition.
- The JOU user account is a direct member of the SAPG2 SAP group .
- The JOU user account is assigned directly to the SAPSP structural profile.
- Jo User1 is team lead of a work group and therefore manager of 10 staff members.
- Identity are attested regularly.
The following risk indexes are calculated for the company resources:
KRSAP |
0.0 |
SAPG1 |
0.7 |
SAPG2 |
0.2 |
SAPSP |
0.5 |
Software 1 |
0.1 |
Software 2 |
0.2 |
Software 3 |
0.3 |
One Identity Manager uses the default risk index functions to calculate risk indexes for the following objects:
Identities |
All assigned objects |
Software assignments |
Software applications |
Account definition assignments |
Account definitions |
SAP user accounts |
SAP groups, structural profiles |
Roles and organizations |
Software (for the product nodes of the three applications)
SAP groups (for department R)
Account definitions (for the department R) |
The calculation type is Maximum (weighted). The weighting is 1.
Calculation Sequence
- Determine risk indexes of the SAP user accounts: group assignments table.
The table contains two entries for the JOU user account. The risk indexes correspond to the risk indexes of the assigned SAPG1 and SAPG2 SAP groups. As the SAP group is assigned to SAPG1 by inheritance, the risk index of this SAP group is decremented.
- Determine risk indexes of the SAP user accounts: assignments to structural profiles table.
The table contains one entry for the JOU user account. The risk index corresponds to the risk index of the assigned structural profile SAPSP.
- Calculate the risk index of the SAP user accounts table.
The table contains one entry for the JOU user account. The risk index is calculated from the risk indexes determined in steps 1 and 2.
- Find the risk index of the Software assignments table.
The table contains three entries for Jo User1 for the three assigned software applications. The risk indexes correspond to the risk indexes of the software applications.
- Find the risk index of the Account definitions assignments table.
The table contains one entry for Jo User1. The risk index corresponds to the risk index of the assigned account definition KRSAP.
- Calculate the risk index of the Identities table.
The table contains one entry for Jo User1. The risk index is calculated from the risk indexes found in steps 3, 4, and 5. The calculated risk index is increased because Jo User1 is the manager of other identities. The calculated risk index is reduced because the last attestation case for Jo User1 was approved.
Table 11: Risk index calculation results
1 |
JOU: SAPG1 |
0,7 |
-0,05 |
0,65 |
Decrement, because inherited |
USERC: SAPG2 |
0,2 |
|
0,2 |
Directly assigned |
2 |
JOU: SAPSP |
0,5 |
|
0,5 |
Directly assigned |
3 |
JOU |
0,65 |
|
0,65 |
Maximum value from steps 1 and 2 |
0,5 |
|
4 |
Jo User1: Software 1 |
0,1 |
|
0,1 |
|
Jo User1: Software 2 |
0,2 |
|
0,2 |
|
Jo User1: Software 3 |
0,3 |
|
0,3 |
|
5 |
Jo User1: KRSAP |
0,0 |
|
0,0 |
|
6 |
Jo User1 |
0,65 |
|
0,65 |
Maximum value from steps 3, 4, and 5 |
0,3 |
|
0.0 |
|
|
+0,2 |
0,85 |
Incremented, as Jo User1 manages other identities |
|
-0,33 |
0,52 |
Decrement, as attestation is approved |
Legend: # - step, +/- – increment/decrement |
- Find the risk index of the Roles and organizations: software assignments table.
The table contains one entry each for the requested software applications. The risk indexes correspond to the risk indexes of the software applications.
- Calculate the risk index of the Roles and organizations table.
The table contains one entry each for the requested software applications. The risk indexes are calculated from those determined in step 7.
- Find risk index or the table Roles and organizations: account definition assignments.
The table contains one entry for the "Personnel" department. The risk index corresponds to the risk index of the assigned account definition KRSAP.
- Find the risk index of the Roles and organizations: SAP group assignments table.
The table contains one entry for the "Personnel" department. The risk index corresponds to the risk index of the assigned SAP group SAPG1.
- Calculate the risk index of the Roles and organizations table.
The table contains one entry each for the "Personnel" department. The risk index is calculated from the risk indexes determined in steps 9 and 10. Since no manager is assigned to the department, the calculated risk index is incremented.
- Find the risk index of the Identities: memberships in roles and organizations table.The table contains three entries for Jo User1 because they are a member of the three product nodes.
The risk indexes are taken from those calculated in step 8. The table does not contain any entries for the department R because Jo User1 is not a secondary member of this department.
Table 12: Risk index calculation results
7 |
Product node 1:
Software 1 |
0,1 |
|
0,1 |
|
Product node 2:
Software 2 |
0,2 |
|
0,2 |
|
Product node 3:
Software 3 |
0,2 |
|
0,3 |
|
8 |
Product node 1 |
0,1 |
|
0,1 |
|
Product node 2 |
0,2 |
|
0,2 |
|
Product node 3 |
0,3 |
|
0,3 |
|
9 |
Personnel: KRSAP |
0,0 |
|
0,0 |
|
10 |
Personnel: SAPG1 |
0,5 |
|
0,5 |
|
11 |
Personnel |
0,0 |
|
0,5 |
Maximum value from steps 9 and 10 |
0,5 |
|
0,5 |
+0,05 |
0,55 |
Increment, as the department has no manager |
12 |
Jo User1:
Product node 1 |
0,1 |
|
0,1 |
|
Jo User1:
Product node 2 |
0,2 |
|
0,2 |
|
Jo User1:
Product node 3 |
0,3 |
|
0,3 |
|
Legend: # - step, +/- - increment/decrement |