Running Risk analysis at User Level(CC)

Similar Messages

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• Error while performing Risk Analysis at user level for a cross system user

  Dear All,
  I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
  The error is as follows:
  "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
  Can anyone please help.
  Regards,
  Gurugobinda

  Hi..
  Check the note # SAP Note 1121978
  SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
  Check for the following...
  CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
  ChangeThreadCountStep =50
  InitialThreadCount= 100
  MaxThreadCount =200
  MinThreadCount =50
  Regards
  Gangadhar

• Running Risk Analysis

  Hi Folks,
     I have installed CC 5.2 and ruleset to ECC are uploaded. Now, when i want to run risk analysis for User/Role from Informer. I dont see any user id from Backend system in User/Role option. I have checked everything,
  SLD is working ine
  JCo connectors are fine.
  RFC destination defined.
  Can someone help me in identifying problem?
  Thanks in acticipation.
  Regards,
  Priyank.

  Hi Priyanka,
  If you have successfully installed Virsa CC5.2 and uploaded Objects ans Rules, the plz follow the following procedure:
  1) Go to Configuration Tab->Background Job
  2)Click on "Schedule Analysis"
  3) In first Pane i.e. Sync Mode select Full Sync
  4)Select *User/Role/Profile Synchronization
  5)Select the system for put ***
  6)Dont select any other thing.
  7)click on Schedule
  8)Give a Valid name to this report.
  9)Click on Immediate
  Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
  click on search
  If completed successfully, then  go to step 1 as above.
  This time select  All Check Boxes  under Batch Risk Analysis Pane and then select  Management Report check box in the last pane.
  Then schedule the job. After that only you'll be able to see the results in Informer Tab
  Reward  Points if it is useful
  Regards,
  Faisal

• CC: Risk Resolution at user level.

  HI All,
  In CC 5.2 with latest patch level, I am facing an issue in Risk Resolution. When I do the Risk analysis at user level for a particular user and then do a detail Report and then try to do the risk resolution; there are standard three options:
  1. Mitigate.
  2. Remove Access.
  3. Delimit Access.
  from the user. Out of these three, the first one is working fine, but second and third are greyed out and I can not proceed with option 2&3. Have any one of you come accross such a situation or have any clues about the same. Also, my user has Admin rights to all the actions in the Admin role provided to me.
  Thanks a lot in advance.
  Have a nice day!!
  Regards,
  Hersh

  Hello Hersh,
  This functionality is not available in 5.2.
  Regards,
  Jagat
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:16 PM
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:17 PM
  Edited by: Jagat Bir Singh on Aug 1, 2008 6:52 AM

• Error while running risk analysis.

  Hi,
  I am facing problem, while running risk analysis from Access Enforcer for a particular application. Infact problem is for all the connectors. I have done required configuration.
  Error i am getting is "Risk analysis failed: Exception from the service : Risk Analysis failed".
  Please suggest.
  Thanks in Advance.
  Regards,
  Pravin.

  Problem was with JCO connection.

• Can we do risk analysis at org level

  Hello experts,
                          can we do risk analysis in sap grc at org levels.
  sanjay

  Hi Sanjay,
  In RAR , under the Tab informer -> Risk analysis  , you can trigger the risk analysis at Org Level.
  Regards
  -Ranjiv

• RAR - null pointer exception message when running risk analysis

  Hi,
  We recently installed & configured AC 5.3, SP11 version. From the day1 we are getting following message in the log when running risk analysis in foreground, background, when scheduled batch risk analysis in full sync, Incremental sync mode.
  When I raised OSS message, they told that this is standard message when we use adaptive RFC connector in RAR. they proposed to use SAPJCO instead of Adaptive RFC connector to avoid this.
  But I am some how not convinced with the answer because no one reported this problem anywhere earlier.
  Can you share your ideas on this? I mean if any one got same message in any versions?
  I just wanted to know is this standard bug which is visible for all customers or some thing I did wrong?
  Here is the message:
  com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthForUserInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)

  Here is the complete message:
  com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthForUserInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.executeBAPI(InternalBackendAccessInterface.java:4227)
       at com.virsa.cc.comp.BackendAccessInterface.getObjPermAuth(BackendAccessInterface.java:623)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.getObjPermAuth(InternalBackendAccessInterface.java:4271)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.getObjPermAuth(InternalBackendAccessInterface.java:4740)
       at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjPermissions(DataExtractorSAP.java:307)
       at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjPermissions(DataExtractorSAP.java:263)
       at com.virsa.cc.xsys.meng.MatchingEngine.getObjPermissions(MatchingEngine.java:987)
       at com.virsa.cc.xsys.meng.MatchingEngine.matchPrmRisks(MatchingEngine.java:466)
       at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1524)
       at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:311)
       at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:240)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:536)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:339)
       at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:282)
       at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:84)
       at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
       at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
       at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
       at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
       at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
       at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
       at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
       at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

• Risk Analysis - Ignored Users

  I have a client who wants to have ignored users (in User Level Risk Analysis) set to Loacked OR Expired....not just Locked, not just Expired, not Locked AND expired....is there a "hidden" selection somewhere?

  Hi Jack,
  i have made a quick test (RAR 5.3 SP11) and the option "Locked and Expired" ignores these users:
  1) Locked and Expired
  2) Locked
  3) Expired
  So i would say that "Locked and Expired" is "Locked or Expired" too.
  You can make a quick test with your SPxx and you will see.
  Regards
  Pavel

• Risk Violation at User level in SAP

  How can I do the  Risk Violoations for User
  in SAP (not in Virsa CC)
  Is there any Virsa Transaction for it?
  Please let me know.
  From
  PT.

  Well, coming from a Virsa/SAP GRC background, I still don't get your point.
  Against what do you want to check the users?
  CC 5.x requires the RTA installed on the SAP system. This contains a CC 4.0 on the SAP system, which would be accessible via /VIRSA/ZVRAT.
  But there are no rules maintained on the SAP system - so you will not get any violation results.
  Or please explain what you want to do.
  Regards,
  Daniela

• ERM: Unable to run risk analysis

  Hey, we have recently configured ERM and during role creation when risk analysis is executed, we get the error: page can't be displayed".
  I have checked Miscellenous settings and it is updated with RAR web services as per the guide. I have checked the system (in landscape) and it is same as the RAR connector id. Should the landscape name also be same as RAR connector?
  Please help.
  Thanks,
  -S

  Hi Smriti,
  Here are few things that you can check:
  1. The configuration settings are correct.
  2. The ERM workflows are configured correctly.
  3. The three initial background jobs were completed successfully (Full Sync, Batch Risk Analysis, and Management Report)
  4. The performance of the system is good.
  5. The configuration settings for the RAR URL is properly maintained.
  If there is an issue with one of the above, you will have issues with performing risk analysis from ERM.
  You may additionally refer SAP Note 1136690 - Failed to perform Risk Analysis in ERM that may help you.
  Hope this helps!!
  Regards,
  Raghu

• Error while running risk analysis in CC 5.2

  Hi guys,
  the present client i am working with had installed GRC CC 5.2 long back, they have given me the access to CC and when i am trying to run some basic reports in the informer tab the following error pops in
  type com.virsa.cc.modelvirsaxsr3_01.types.So_Text001 could not be loaded: com.sap.dictionary.runtime.DdException: TypeBroker failed to access SLD: Error while obtaining JCO connection.RC:1
  Error while executing the Job:Interface Controller does not exist for Component Instance VirsaXSR3_01 in Component Usage VirsaXSR3_01
  is it something related to the connectors.
  appriciate any suggestions.
  thanks.
  Edited by: sap sec on Nov 25, 2008 12:55 AM

  Hi,
  Check below:
  Is your ABAP system configured in the System Landscape Directory (SLD)
  Your ABAP system has a default logon group defined
  Your ABAP system can be accessed by the J2EE system services file
  Regards,
  Naveen

• User Analysis at Permission Level - Detail Report (RAR SP12)

  Hello All,
  I have having question regarding the User Level Analysis at Permission level report. Currently, we are on GRC Access control 5.3 SP12.
  Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.
  But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" name in the Permission Object Column and "Transaction Code" name in the Field column.
  Look forward to hear from you all.
  Thanks in advance,
  Regards,
  Angelica

  Hi Angelica,
  This behaviour is ok for those risks in which you have not enabled any Object/Field value. It will pick S_TCODE Object and show you the risk.
  This is useful because -
  1. If you have risks defiend at Tcode level - you can still catch them while running risk analysis at permission level.
  2. If you have Object Values defined in risk and you are running permission level analysis it will show risk only if Object Values meet. In that case permission level risk anlysis will not show risk if there is no actual risk.
  3. Running risk analysis at Action level can show false positives when risk is defined ta Object level. So, it is always better to r
  un alanysis at permission level, it will bring all actual risks skipping false positives.
  4. You can run only one level risk analysis in CUP and ERM and permission level covers all risks.
  If you have risk defined at Object Level and the role/user is not fulfilling all values, it should not show in permission level. In your case, if it is showing only "Transaction code check at start"  and the risk is defined at Object Level, then sure it is a bug.
  Regards,
  Sabita

• GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

  Hello Gurus,
  We have done configuration of GRC AC 10, and uploaded files via
  SoD rules -->Upload Rules
  After that we generated SoD rules for Risk Id : B001 and B002
  Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
  The report shows (for Group Rule level : Action)
  Number of Active rules : 0
  Number of Disabled Rules : 0
  Number of Functions :  151
  Where as for Group Rule level : Action Risk
  The report shows
  Number of Active Risk : 42
  Disabled risk : 161
  Nmr. of functions : 151 .
  When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
  Note: All the background jobs have run successfully.
  Also the SoD files also have been uploaded successfully.
  Will you please guide how can i activate the "rules" for the uploaded risk ??
  regards,
  Victor

  Hello Victor/ Inder,
  For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
  Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
  BUSINESS     Business Roles     SAP
  SAP_BAS_LG     SAP Basis     SAP
  SAP_CRM_LG     SAP CRM     SAP
  SAP_ECC_LG     SAP ECCS     SAP
  SAP_HR_LG     SAP HR     SAP
  SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
  SAP_R3_LG     SAP R3     SAP
  SAP_SRM_LG     SAP SRM     SAP
  (If not present then manually you can create the same)
  Select SAP_BAS_LG and put connector type as SAP,  select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
  Post this activity re generate SOD for B001 and then check for user level and role level analysis.
  Hope it will resolve your issue.
  Regards,
  Sudesh

• Error while doing risk analysis for a user

  Hi ,
  When i did risk analysis at user level for a particular user we are getting this error under level  ."Exception!!. No relavent language message available in database for :0292".I had reuploaded the the messages text file but still the error persists i have restarted the j2ee application but still the error is not going .any pointers please thanx in advance.When checked the file CC5.3_MESSAGES.txt it does not contain any entry corresponding to message code 0292.So how shud i proceed.
  Edited by: Ambarish annapureddy on Jan 21, 2009 12:54 PM

  Hi Ambarish,
      What is the patch level of GRC AC 5.3? Did you apply any service pack recently? Did the service pack contain any message file? There has to be some message file which contains message '0292'. If you can not find the message file then open a message with SAP support and they should be able to provide it to you.
  Regards,
  Alpesh