Risk Analysis Reports

You can create user level, role level, organization level, HR Objects, and MIC reports. The process for creating each report is similar. Each report contains the same group of common fields: system, risks by process, risk ID, risk level, rule set, report type, and report format.

Each report also contains a unique group of choices that relates specifically to that report.

Some fields, such as User and User Group, accept either a single value or a range of values.

The following describes how a range of values in the User field is resolved:

  • The system employs user data to build the user list for data selection from the back-end systems.

  • User IDs must be entered as the selection criteria. You can use specific user IDs, or you can use ranges or asterisks to find users that have been stored in the front-end database since the last role synchronization:

    • If specific user IDs are entered as selection criteria, there is no dependency on user synchronization data.

    • User synchronization determines the users selected from the back-end system when ranges are entered for the user selection criteria in user level risk analysis.

Example

A user synchronization returns the users BAJOHNS, BDJONES, and BRJACKS from the back-end system. Subsequently, user BOJENKI is created in the back-end system, but no user synchronization to Risk Analysis and Remediation is performed. Entering the user selection criteria BAJOHNS - BRJACKS for a user level risk analysis returns results for BAJOHNS, BDJONES, and BRJACKS only. If you enter the specific user ID BOJENKI plus the range BAJOHNS - BRJACKS, or alternatively specify all four user IDs individually, the system returns results for all four users.
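The selection rule in the example above can be modelled in a few lines. The following is an added illustration written for this page, not code from Risk Analysis and Remediation: specific user IDs are always included, while ranges and asterisk patterns are resolved only against the users stored by the last synchronization. The range syntax "LOW - HIGH" and the sample user list are assumptions taken from the example text.

```python
# Added illustration (not SAP's code) of how user selection criteria resolve
# against the user list stored by the last user synchronization.
import fnmatch

# Constructed sample: users returned by the last user synchronization.
# BOJENKI was created afterwards and is therefore not in this list.
SYNCED_USERS = {"BAJOHNS", "BDJONES", "BRJACKS"}


def resolve_user_selection(criteria, synced_users=SYNCED_USERS):
    """Return the sorted list of user IDs that the selection resolves to.

    Each entry in `criteria` is one of (assumed syntax for this illustration):
      - a specific user ID, e.g. "BOJENKI": included directly, no dependency
        on synchronization data
      - a range "LOW - HIGH", e.g. "BAJOHNS - BRJACKS": inclusive, lexicographic,
        resolved only against the synchronized users
      - a pattern containing "*", e.g. "B*": resolved only against the
        synchronized users
    """
    selected = set()
    for item in criteria:
        item = item.strip().upper()
        if " - " in item:
            low, high = (part.strip() for part in item.split(" - ", 1))
            selected.update(u for u in synced_users if low <= u <= high)
        elif "*" in item:
            selected.update(u for u in synced_users if fnmatch.fnmatchcase(u, item))
        else:
            selected.add(item)
    return sorted(selected)


if __name__ == "__main__":
    # Range only: BOJENKI is missing because it was never synchronized.
    print(resolve_user_selection(["BAJOHNS - BRJACKS"]))
    # Range plus the specific ID: all four users are returned.
    print(resolve_user_selection(["BOJENKI", "BAJOHNS - BRJACKS"]))
```

The practical consequence is the one the text states: a range silently omits users created since the last synchronization, so either resynchronize before a range-based analysis or name the newly created users explicitly.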

All reports, with the exception of the MIC report, include a group of command options: execute, simulation, background, reset, search variant, and save variant.

Activities

Creating a report:

  1. You access the Risk Analysis Reports from the Risk Analysis node on the Informer tab.

  2. On each report, select a system from the System dropdown menu.

  3. Next, populate the unique selection criteria for each report, followed by the common selection criteria fields.

  4. When you have selected the relevant data, you can choose how you want to execute the report with the report command options.

    For more information, see Risk Analysis Command Options.

Note

You need the assistance of an application administrator to create custom groups.

The following section describes the risk analysis report criteria.

Risk Analysis Unique Selection Criteria

User Level

  • Enter single or multiple selections of user, user group, or custom group, or a range of users, user groups, or custom groups.

Role Level

  • Enter a role or profile, or a range of roles or profiles. If you enter both a profile and a role, the profile takes precedence.

HR Objects

  • Select an analysis type from the dropdown menu.

  • Select an object type from the dropdown menu.

  • Enter an object ID or a range of object IDs.

Org. Level

  • Select an analysis type from the dropdown menu.

  • Select an organizational level from the dropdown menu.

  • Enter an organizational value or a range of organizational values.

  • Enter a user or a range of users.

MIC

  • Enter an organizational unit or a range of organizational units.

  • Enter a control ID or a range of control IDs.

  • Enter a process or a range of processes.

  • Enter a period From and a period To.

  • You can enable Update MIC Issue if Risk Analysis & Remediation is connected to MIC. Risk Analysis & Remediation then sends a copy of the Risk Analysis MIC report to MIC each time the report is executed.

Common Fields

The first table describes the common fields that appear in each of the risk analysis reports. The second and third tables describe the report type and report format dropdown menus.

Risk Analysis Report Common Fields

Risks by Process: This field is required. Select a risk by process from the dropdown list.

Risk ID: Enter a risk ID or a range of risk IDs.

Risk Level: Select a risk level from the dropdown list. The risk levels are: critical, high, medium, and low.

Rule Set: Select a global risk or a function level risk.

The report types apply to user, role, and organization level analysis as well as to HR Objects.

Risk Analysis Report Types

Action Level: This report type produces a list of SoDs at the action level.

Permission Level: This report type produces a list of SoDs at the permission level.

Critical Actions: This report type limits the list to available critical actions. Critical actions are defined on the Rule Architect tab.

Critical Permissions: This report type limits the list to available critical permissions.

Critical Roles/Profiles: This report type lists critical roles and profiles associated with the user, role, HR object, or organization. This report does not list risks.

Analytical Report: This is a management level report. For each risk that you designate in the report, the report includes the risk description, the risk level, the number of violations, the number of users with the role, and the total number of production violations. You can use this report to prioritize role maintenance based on role assignment.

Mitigation Control: This report lists valid mitigation controls assigned to the user, role, HR object, or organization included in the analysis.

Invalid Mitigation Control: This report lists mitigating controls that are no longer valid but are still assigned to the specified user, role, profile, or HR object. You can use this report to identify controls that need to be disabled or end-dated.

Mitigating controls are invalid when:

  • The control assignment has expired.

  • The user, role, profile, or HR object does not have the risk for which it is mitigated.

  • The user, role, profile, or HR object no longer exists.

To avoid misleading results, execute this report for 'All' systems. For example, a user might have access that introduces risk F001 in system PRD but not in system CRM, and have a mitigating control assigned for risk F001. Executing the report for system CRM alone causes the mitigating control for risk F001 to be reported as invalid, because mitigation is not specific to a system.

You can only use this report to perform risk analysis at the control levels at which controls are assigned. For example, you can execute the Invalid Mitigation Roles report at the organizational level only if you have assigned controls at the organizational level. Before you disable or end-date controls based on this report, perform a risk analysis for the user or role to ensure that the conflict no longer exists.
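The three invalidity conditions and the single-system false positive described above are easy to reproduce on constructed data. The following is an added illustration written for this page, not code from Risk Analysis and Remediation; the entity, control and risk IDs, the dates and the data layout are all assumptions, and only F001, PRD and CRM come from the example in the text.

```python
# Added illustration (not SAP's code) of when a mitigating control assignment
# is reported as invalid, and of why scoping the report to one system can
# produce a false positive.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlAssignment:
    control_id: str   # mitigating control (constructed ID)
    entity: str       # user, role, profile or HR object the control is assigned to
    risk_id: str      # risk the control mitigates
    valid_to: date    # end date of the assignment


# Constructed sample data; IDs are hypothetical.
TODAY = date(2025, 1, 1)
EXISTING_ENTITIES = {"JSMITH", "SAP_FI_CLERK"}

# Risks a risk analysis would find, keyed by (entity, system).
# JSMITH carries risk F001 in PRD but not in CRM, as in the text above.
RISKS_BY_SYSTEM = {
    ("JSMITH", "PRD"): {"F001"},
    ("JSMITH", "CRM"): set(),
    ("SAP_FI_CLERK", "PRD"): {"F002"},
}
ALL_SYSTEMS = sorted({system for _, system in RISKS_BY_SYSTEM})

ASSIGNMENTS = [
    ControlAssignment("MC-001", "JSMITH", "F001", date(2030, 12, 31)),      # valid: risk exists in PRD
    ControlAssignment("MC-002", "SAP_FI_CLERK", "F002", date(2020, 1, 1)),  # assignment expired
    ControlAssignment("MC-003", "JSMITH", "F003", date(2030, 12, 31)),      # entity never has risk F003
    ControlAssignment("MC-004", "OLDUSER", "F001", date(2030, 12, 31)),     # entity no longer exists
]


def invalid_controls(assignments, systems, today=TODAY,
                     existing=EXISTING_ENTITIES, risks=RISKS_BY_SYSTEM):
    """Return {control_id: reason} for assignments that are invalid when the
    analysis is scoped to `systems`. Mitigation is not system-specific, so the
    risk only has to be present in at least one of the selected systems."""
    reasons = {}
    for a in assignments:
        if a.entity not in existing:
            reasons[a.control_id] = "entity no longer exists"
        elif a.valid_to < today:
            reasons[a.control_id] = "assignment expired"
        elif not any(a.risk_id in risks.get((a.entity, s), set()) for s in systems):
            reasons[a.control_id] = "entity does not have the mitigated risk"
    return reasons


def run_for_all_systems():
    """Scope the report to 'All' systems, as the text recommends."""
    return invalid_controls(ASSIGNMENTS, ALL_SYSTEMS)


def run_for_system(system):
    """Scope the report to a single system; MC-001 becomes a false positive for CRM."""
    return invalid_controls(ASSIGNMENTS, [system])


if __name__ == "__main__":
    print("All systems:", run_for_all_systems())
    print("CRM only:   ", run_for_system("CRM"))
```

Running it for all systems flags only the expired, risk-less and orphaned assignments; running it for CRM alone additionally flags MC-001, which is exactly the control you would wrongly end-date if you acted on a single-system run without the confirming risk analysis the text asks for.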

The following table describes the report formats. These formats return different types of information.

Note

Your administrator can run Batch Risk Analysis by scheduling a Background Job in the Configuration area, and has the added functionality to access an exclusion function. Here, the administrator can Add, Change, or Delete an exclusion object. Exclusion objects are used to exclude users, user groups, roles, and profiles from the batch risk analysis and reports. The counts for these exclusions appear, for example, in the Management Report: you can compare the number of roles analyzed in the report versus the total number of roles in the system.

Risk Analysis Report Formats

Executive Summary: The executive summary lists each risk as a single line item and displays the total number of conflicting actions that produced the risk.

Management Summary: The management summary lists each risk as a single line item, displays the risk severity level, and provides a link to the Risk Resolution screen (where options are available to resolve the risk). To view more detailed information, such as conflicting functions, select the risk.

Summary: The summary report lists all conflicting actions that produce the risk in a single line item.

Detail: The detail report lists each risk found and provides a link to the Risk Resolution screen (where options are available for resolving the risk). The Detail report contains the following information:

  • Risk Description

  • Level (security level)

  • Permission Object

  • Field Value

  • Role, Profile

  • System

  • Mitigating Control

  • Monitor

To view more detailed information, such as conflicting functions, choose the Risk link.