GRC 10.0 Adhoc Risk Analysis

Similar Messages

• GRC AC 10.1 - Risk Analysis: No rules were selected

  Hi All,
  I'm currently configuring the ARA module in GRC AC 10.1, and an facing this issue. When I run my User Analysis, its throwing an error message "No rules were selected'.
  As per your suggestions from discussions, i double checked all the below activities
  Activate the BC sets
  Run Sync Jobs
  Run Batch Risk Analysis
  After all this I found that the functions are not mapped to the logical groups(Back-end Systems) I have defined. Can you please let me know how to make sure you have correct back end system(logical Group) updated for the functions in the setup? Doesn't the configurations Connector/Connector Groups etc already mapped the functions to the back-end system? It would be a hell of work to do all the system mapping on function level manually.

  Hi Narsimha
  You need to map your connectors to the logical systems that are used in the function definitions
  Look at your integration framework Setup in the IMG.
  Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
  Also, for 10.1 there was an issue with logical systems. It may be that your configuration is correct: Re: GRC 10.0 SP14 - Poblems when generating rules for logical systems
  Regards
  Colleen

• SAP GRC 10.0 ARA - Risk Analysis Job naming

  Dear all,
  Once i trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at backend. But at Business Client i put a specific naming for hits role. It could be possible to change this backends namings? It is impossible for me recognised which job is which...
  thank you in advanced,

  Hi Sara,
  please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM)
  Regards,
  Markus

• GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

  Hi All,
  After having seen the configuration for Risk Analysis- Risk Terminator and Role Management , I observed that there is very little difference  for eg parameters 1085 and 3011 ,3014 .  If we configure all three parameters to TRUE which one would take effect ?Can anyone let us know under what circumstances we must configure RT and Role Management . BRM to has a whole lot of new features which supercede RT. 
  Best Regards,
  Vishal

  Hi Vishal,
  The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
  3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
  They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
  You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
  There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
  The parameter descriptions in question are:  
  1085 - Stop Role Generation if violations exist
  3011 - Conduct Risk Analysis before Role Generation
  3014 - Allow role generation with Permission Level violations
  Regards, Simon

• Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

  Hi,
  We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
  When we defined the role and maintained authorization data and proceeding without running risk analysis the role is moving to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon click on Save & COntinue it is proceeding to further stages.
  Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to next stage.
  We arleady set the paramater 3011 as YES - Conduct Risk Analysis before Role Generation.
  Thanks and Best Regards,
  Srihari.K

  Hi,
  Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
  "Set the value to YES to automatically perform risk analysis when the user generates roles."
  This parameter applies only at generation stage.
  Cheers,
  Diego.

• GRC 5.3: CUP risk analysis VS. RAR risk analysis

  I've installed and configured RAR and CUP.  When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts.  When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged.  Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

  >
  Frank Koehntopp wrote:
  > I guess the behaviour is on purpose.
  >
  > In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
  >
  > In CUP, you do want to see any kind of risk that might arise from a role assignement to a user.
  >
  > I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???
  Hi Frank,
  I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) than Permission Level Risks Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigates appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
  I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimatley simulate if adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
  Let me know if I need to clarify further.

• GRC AC 10 - batch risk analysis does not bring results

  Hi all,
            When I perform a batch RA the job ends quickly and bring no results. It takes like a sec per user.
  I am running it from rules that became from a Logical group. When I upload the rules to a physical system it brings results.
  What can I do??

  Hi Kailash,
  Does this issue occur with other dashboard reports too or only with risk violations?
  Also, can you check if the batch risk analysis has been successfully completed?
  Thanks
  Sammukh

• GRC AC 10 (BRM) Risk Analysis Report type is editable

  Hi,
  In  GRC10 – BRM  Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
  When i start to create a role in the Risk Analysis step, Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But exist the option to deselect "Permission Level". 
  As you can Permission level is always selected and not editable?
  Regards

  Hi,
  I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
  Also, if we change default value of check box, Cristian can set non-editable fields through SE80.

• Getting "Risk Analysis Failed " error while raising request from IDM

  Hi friends,
  Some of the User to Role mapping requests from IDM did not reach CUP (request ID = null) . When noticed the VDS log , we found the error from GRC webservice to be Risk Analysis Failed . We thought it might be an RAR issue , however , the request just got through CUP when submitted from GRC webservice directly . From RAR perspective also, everything looks ok .
  Please provide your thoughts as to whether this error is pertaining to some other issue or suggest me what I can check in Identity center to correct this .
  Thanks in advance for your help .

  The connector set up are all looking correct . However the requests are not getting raised in many cases .
  At one point we identified that , since our SAP systems have been migrated to DB2, some of the systems were down .
  So when the system is down we decided , Risk analysis is failing . however , now the systems are up and running and still the risk analysis is failing .

• ARA: Excluded Roles considered for Risk Analysis???

  Hi,
  There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
  Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
  I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
  Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
  Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
  May I know why system is considering these "excluded" roles at the time of risk analysis?
  Please advise.
  Regards,
  Faisal

  Alessanrdo,
  I think the "excluded" objects in path:
  SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
  itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
  I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
  Please correct me, if required.
  Secondly, I found 2 relevant posts here on SCN:
  SAP GRC Access Control: Offline-Mode Risk Analysis
  SAP GRC 10.0 Offline Risk Analysis
  Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
  I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
  Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
  May you please let me know in which scenario this would be useful?
  Regards,
  Faisal

• GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job

  All -
  We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
  The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
  For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
  We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in this groups that have other roles in addition to these excluded roles that need to be checked.
  Does anyone have any recommendations for how to excluded roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
  Thanks,
  Darnell

  Hi,
  Was a solution found for this error?
  Thanks,
  Glen

• Ad-hoc Risk Analyses returning incorrect Risk Levels against Risks

  We have recently made changes to our ruleset and uploaded them in Development and Production. We have noticed whilst running Ad-Hoc Risk Analyses that the Production system is showing Risks as Medium when they are either critical or high. For example Risk ZA12 is a High risk but the Risk analyses is showing this Risk as a Medium risk.However in Develpment risks are displaying as expected when we run Adhoc risk analyses. We have deleted previous ruleset, uploaded the new ruleset, generated rules and run all the Sync jobs to no avail. In Addition i have gone into NWBC and double checked if the Ruleset had been generated (Rule Setup>Generated Rules>Access Rule Summary) and i can confirm that the risks are appearing as expected here). Oddly even the Management Reports (Reports and Analytics) seem to have the correct Risk Ratings against the violations.
  Strange!

  Hi Kevin
  Many thanks for your post, we did run a full BRA but no luck unfortunately. Some Risks still reporting as Medium when they should be Critical or High. Oddly it is reporting correctly against some risks just not for all!
  Cheers
  Hussain

• Skipping the risk analysis

  Hi All,
  I have  CUP .net version in GRC.We have a risk analysis mandatory for every request.I want to know if I can skip the risk analysis for some orders in CUP.How I can do it.
  Thanks in advance

  Yes, you can skip.
  Goto -> CUP Configuration -> Workflow -> Stage -> Addition configuration -> Risk Analysis Mandatory ->NO
  Suggest you to perform risk analysis if its part of your process..
  Rakesh

• Risk Analysis in GRC 10.0

  Dear Experts,
  I have configured RAR in GRC 10.0. Sync jobs are successful. Batch risk analysis is sucessful.
  But when I tried to run a User/Role risk analysis I am not getting any result. I am not sure whether system has run risk analysis or not but I get the confirmation screen with blank result table. Please advise how to fix this issue.
  I appreciate your help.
  Thanks,
  Raj

  Hello Raj,
  Check the below points related to risk analysis
  1.check once the parameter id in configuration settings
  2.BC set activation
  3.while running risk analysis check backend system name and connector which is configured.

• GRC AC 10 - risk analysis : No rules were selected

  Hi,
  In GRC AC 10, when I do a risk analysis (user level for example).
  For each userid the result shown in the column action is "No rules were selected "
  any idea ?
  Thanks
  Aurélien.

  Hi Vikas,
  Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
  3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
  I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
  1. SAP Basis
  2. SAP CRM
  3. SAP ECCS
  4. SAP HR
  5. SAP R3 NON HR Basis Logical Group
  6. SAP R3
  7. Logical Group
  AND ALSO
  8. The DESCRIPTION of my RFC Connector ?!
  Now my question is as follows:
  1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
  2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
  Your advice would be appreciated.
  Best regards,
  Paul