Risk and violation in SoD management, are they synonymous?

Posted by Marta Ortona on Aug 26, 2022 8:15:00 AM

 

In Segregation of Duties (SoD) management in SAP, the result obtained in the risk analysis phase can be read in different ways.

GRC RISK

 

If a user has a risk, how can we describe this situation? Usually the terms conflict, risk and violation are used as synonyms. Is that really true?

Are risk and violation synonymous?

 

Unfortunately, there is no one-size-fits-all answer: it depends on which tool is used to perform the risk analysis. In fact, each tool has its own specific terminology. We can, however, say that conflict can be treated as a synonym of risk.

 

The main tool that SAP offers for risk analysis is SAP GRC Access Control, in its Access Risk Analysis (ARA) module. The terminology used here is that of version 12 of the tool, and we will use it as our reference.

 

How does SAP GRC Access Control reason? 

 

In SAP GRC there are two kinds of violations:

  • At risk level
  • At permission or rule level 

In the first case, a violation at risk level counts how many users have a certain risk.

 

In the second case, a violation at permission level counts how many violations are generated by the users who have that risk.

Let's see in more detail, in the following section, how this calculation works.

 

How is the violation calculated in SAP GRC Access Control?

 

The term violation comes from the nature of the GRC tool itself. In fact, for each risk GRC generates a number of rules (as a Cartesian product) representing the combinations of transactions and authorization objects contained in the risk's functions. See the image below:

GRC RISK VIOLATIONS

In the dashboard of the SAP GRC Access Control, Access Risk Analysis module, it is possible to decide in which format to see the risk analysis results.

 

GRC Management

 

Drilling down into the detail, for example on "low" level risks, in the case of risk M004 there are thirteen users with this type of violation. See the following:

 

Risk detail

 

In the table GRACMGRISKD it is possible to display the same count shown in the risk analysis summary view: there are thirteen entries for the selected system and risk, see the image below. The sum of the risk count for these users is 960, which is the number of violations at permission level.

 

Risk table detail

Entering the same report at permission level (see the following image), the value is 960.

 

violations detail

In the table GRACUSERPRMVL, which holds the result of GRC's detailed risk analysis at permission level, the unique count of the column ACTRULEID for the involved users is 960. In the example below, for the user "LAST", there are 78 lines.

 

Violation count

 

Conclusions

The number of risks per user (assuming the user is the subject of the analysis) is always less than or equal to the number of violations.

Reading the risk analysis in violations mode or in risks mode may therefore make the same situation look better or worse.

 

Reasoning in terms of risks is easier, especially in the initial stages of Segregation of Duties management. Violations can be a driver to focus on during remediation or mitigation.

 

Lowering the number of violations, even almost to zero, could leave the number of risks on users unchanged. Removing all risks is definitely the ideal way to make the remediation or mitigation phase really effective.
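As an added example (not code from the original post and not SAP GRC's own logic), the following Python script models the calculation described in the previous section and the inequality stated in these conclusions: a risk is expanded into rules as the Cartesian product of the transactions and authorization objects of its functions, a user's permission-level violations are the distinct rules the user matches (like the unique ACTRULEID count), and the risk-level figure is the number of users holding the risk. The risk ID "RX01", the user names and the risk definition are constructed; only the transaction codes and authorization object names are standard SAP ones, and the matching logic is a simplified assumption, not GRC's actual algorithm.

```python
from dataclasses import dataclass
from itertools import product

# Permissions are modelled as (authorization object, field, value) triples.
# Risk definition, rule IDs and users below are constructed for this example;
# only the transaction codes and authorization object names are standard SAP.


@dataclass(frozen=True)
class Function:
    name: str
    actions: frozenset      # transaction codes that perform the function
    permissions: frozenset  # permissions needed alongside those transactions


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: tuple        # the conflicting Functions


@dataclass(frozen=True)
class User:
    name: str
    actions: frozenset
    permissions: frozenset


def generate_rules(risk):
    """Expand one risk into its rules: the Cartesian product of one
    (action, permission) pair taken from each function.
    Returns {rule_id: ((function, action, permission), ...)}."""
    per_function = [
        [(f.name, a, p) for a in sorted(f.actions) for p in sorted(f.permissions)]
        for f in risk.functions
    ]
    return {
        f"{risk.risk_id}-{n:03d}": combo
        for n, combo in enumerate(product(*per_function), start=1)
    }


def matched_rules(user, rules):
    """Rule IDs the user satisfies. Permission-level analysis (assumed model):
    the user must hold the action AND the permission of every function."""
    return [
        rid for rid, combo in rules.items()
        if all(a in user.actions and p in user.permissions for _, a, p in combo)
    ]


def analyze(risks, users):
    """Per user: number of risks hit and number of distinct rules matched
    (the permission-level violations, like distinct ACTRULEID values)."""
    analysis = {}
    for u in users:
        hits = {r.risk_id: matched_rules(u, generate_rules(r)) for r in risks}
        hits = {k: v for k, v in hits.items() if v}
        analysis[u.name] = {
            "risks": len(hits),
            "violations": sum(len(v) for v in hits.values()),
        }
    return analysis


def risk_level_violations(analysis):
    """Risk-level figure: user/risk pairs (for one risk, users having it)."""
    return sum(v["risks"] for v in analysis.values())


def permission_level_violations(analysis):
    """Permission-level figure: sum of distinct rules matched per user."""
    return sum(v["violations"] for v in analysis.values())


def remove_actions(user, actions):
    """Simulate a remediation step: take transactions away from a user."""
    return User(user.name, user.actions - frozenset(actions), user.permissions)


# --- constructed sample data ---------------------------------------------
MAINTAIN_VENDOR = Function("Maintain vendor master", frozenset({"FK01", "XK01"}),
                           frozenset({("F_LFA1_APP", "ACTVT", "01")}))
POST_INVOICE = Function("Post vendor invoice", frozenset({"FB60", "MIRO"}),
                        frozenset({("F_BKPF_BUK", "ACTVT", "01")}))
RISK_VENDOR = Risk("RX01", (MAINTAIN_VENDOR, POST_INVOICE))  # hypothetical risk ID

ALL_PERMS = MAINTAIN_VENDOR.permissions | POST_INVOICE.permissions
USERS = [
    User("alice", frozenset({"FK01", "FB60", "MIRO"}), ALL_PERMS),
    User("bob", frozenset({"FK01", "XK01", "FB60", "MIRO"}), ALL_PERMS),
    User("carol", frozenset({"FK01"}), MAINTAIN_VENDOR.permissions),  # one side only
    User("dave", frozenset({"FK01", "FB60"}), MAINTAIN_VENDOR.permissions),  # no posting auth
]

if __name__ == "__main__":
    before = analyze([RISK_VENDOR], USERS)
    print(before)
    print("risk level:", risk_level_violations(before),
          "permission level:", permission_level_violations(before))
    # Remediation that lowers violations but leaves the risk count unchanged
    after = analyze([RISK_VENDOR], [remove_actions(u, {"XK01"}) for u in USERS])
    print("after removing XK01:", after["bob"], permission_level_violations(after))
```

Run as a script: the risk expands into four rules; two users match it (risk level 2) with six matched rules between them (permission level 6). Removing XK01 from everyone cuts the permission-level figure to 4 while both users still carry the risk, which is the situation the conclusion describes. Users who hold the transactions of only one function, or who lack the authorization object on one side, generate no violation in this model.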

 

Blog post originally translated from: https://www.aglea.com/blog/rischio-e-violazione-nella-gestione-della-sod-sono-sinonimi

 

 

 

Topics: governance, Segregation of duties, SAP GRC, sod
