We have ECC connected to GRC. Trying to do a user level risk analysis.
ECC Backend User Info:
User Name: SAP*
No roles assigned
Profiles: SAP_ALL and SAP_NEW are assigned
GRC5.3 RAR Risk analysis settings:
System: ECC System
Ignore: Locked and Expired users
Ignore Mitigated risks
Global Rule set
As per my understanding, with the mentioned checks in GRC it should not show SAP* having any risks. But GRC is listing the risks present in all the users whose ID starts with SAP, irrespective of their user type, thus treating "*" as a wildcard.
N.B. In the ECC backend, SAP* is the only service ID starting with SAP.
Please help. It's becoming quite a serious issue for us due to the SOX audit, which needs to be addressed.
The syntax in RAR will mean that if you put SAP* in the username, it will treat that as a wildcard search for users starting with SAP.
Are you trying to just use RAR to report on the risks from this single user?
From an auditing standpoint, you could manage this in numerous different ways.
You could set SAP_ALL / SAP_NEW etc. as critical permissions and then use your reports to run for them or not as required. You should not then need to specify the individual users, as the reports would return the users which have those permissions.
For SAP* there are also standard reports (RSUSR003) which will show the status of SAP standard users and you can prove that it is locked down from there.
The thing is, SAP* is a single user with type service and status locked. Now during user level risk analysis we are selecting the option for user type service and also to ignore locked users. Technically that should not bring up any risks, as locked users should be ignored. There is no other user ID starting with SAP and of type service. I guess the filter options on the RAR user level analysis are not working.
What Support Pack level is your RAR at? I checked in RAR @ SP09, and there isn't any issue with the risk analysis filter.
The application correctly excludes the users based on the filter, even if the search criteria contain * (e.g. SAP*) and there are other users matching the pattern. If users don't satisfy the filter criteria, RAR doesn't fetch the auth information from the backend to do risk analysis.
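To make the two points in this thread concrete (the wildcard reading of "SAP*" in the user selection, and the filter-before-fetch behaviour described in the reply above, plus the critical-profile reporting approach suggested earlier), here is an added illustration in Python. It is not GRC code; the user records, user types and profile names are constructed for the example, and the matching and filtering logic is a simplified model of the behaviour the replies describe, not the RAR implementation itself.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BackendUser:
    """Constructed stand-in for a backend user master record (not real data)."""
    name: str
    user_type: str          # e.g. "dialog", "service", "system"
    locked: bool
    expired: bool
    profiles: frozenset

# Constructed sample: the special SAP* service user plus some look-alike IDs.
USERS = [
    BackendUser("SAP*", "service", True, False, frozenset({"SAP_ALL", "SAP_NEW"})),
    BackendUser("SAPSUPPORT", "dialog", False, False, frozenset({"SAP_ALL"})),
    BackendUser("SAPBATCH", "system", False, False, frozenset({"S_A.SYSTEM"})),
    BackendUser("JSMITH", "dialog", False, True, frozenset({"SAP_ALL"})),
]

# Profiles an auditor would flag as critical regardless of which user holds them.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

def matches(selection, name, literal=False):
    """Selection semantics: '*' matches any run of characters (RAR-style wildcard).
    With literal=True the selection is compared as an exact user ID instead, which
    is what would be needed to single out the user literally called SAP*."""
    if literal:
        return name == selection
    pattern = ".*".join(re.escape(part) for part in selection.split("*"))
    return re.fullmatch(pattern, name) is not None

def select_for_analysis(users, selection, user_types, ignore_locked, ignore_expired,
                        literal=False):
    """Apply the selection and the report filters first; only users that survive
    would have their authorisation data pulled for the actual risk analysis."""
    chosen = []
    for u in users:
        if not matches(selection, u.name, literal):
            continue
        if user_types and u.user_type not in user_types:
            continue
        if ignore_locked and u.locked:
            continue
        if ignore_expired and u.expired:
            continue
        chosen.append(u)
    return chosen

def critical_profile_hits(users):
    """User-independent view: who holds a critical profile, without naming users up front."""
    return {u.name: sorted(u.profiles & CRITICAL_PROFILES)
            for u in users if u.profiles & CRITICAL_PROFILES}
```

Running `select_for_analysis(USERS, "SAP*", {"service"}, True, True)` yields nothing, because the only service user matching the pattern is locked, while the same selection without filters pulls in every ID starting with SAP.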
There will be substantial changes by implementing SP10, mostly bug fixes but also some new functionality. I suggest that you look at the SAP Notes to check the released functionality.
You should also plan for some substantial regression testing, as Support Packs can often cause side effects resulting in breaking functionality which was already working successfully. Be aware that you may also have to check the compatibility of the RTAs in the ERPs to ensure that they are also in sync.