User Analysis at Permission Level - Detail Report (RAR SP12)

Hello All,
I have a question regarding the User Level Analysis at Permission level report. Currently, we are on GRC Access Control 5.3 SP12.
Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.
But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" name in the Permission Object Column and "Transaction Code" name in the Field column.
Looking forward to hearing from you all.
Thanks in advance,
Regards,
Angelica

Hi Angelica,
This behaviour is ok for those risks in which you have not enabled any Object/Field value. It will pick S_TCODE Object and show you the risk.
This is useful because -
1. If you have risks defined at Tcode level - you can still catch them while running risk analysis at permission level.
2. If you have Object Values defined in risk and you are running permission level analysis it will show risk only if Object Values meet. In that case permission level risk analysis will not show risk if there is no actual risk.
3. Running risk analysis at Action level can show false positives when risk is defined at Object level. So, it is always better to run analysis at permission level, it will bring all actual risks skipping false positives.
4. You can run only one level risk analysis in CUP and ERM and permission level covers all risks.
If you have risk defined at Object Level and the role/user is not fulfilling all values, it should not show in permission level. In your case, if it is showing only "Transaction code check at start"  and the risk is defined at Object Level, then sure it is a bug.
Regards,
Sabita
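
The behaviour described in the reply above, as a simplified model (an added example, not part of the original thread and not SAP's implementation). The function and risk IDs, the user names and the rule that every enabled value must be held (AND) are assumptions; VA01, F-03 and the object names are taken from this page.

```python
"""Toy model of action-level vs permission-level SoD analysis (constructed data)."""

S_TCODE = ("S_TCODE", "TCD")  # object/field checked at transaction start

# Functions: each action is a Tcode plus the object/field values enabled for it.
# An empty "perms" dict models a risk defined at Tcode level only.
FUNCTIONS = {
    "FN_SALES_T": [{"tcode": "VA01", "perms": {}}],
    "FN_CLEAR_T": [{"tcode": "F-03", "perms": {}}],
    "FN_SALES_P": [{"tcode": "VA01", "perms": {("V_VBAK_AAT", "ACTVT"): {"01"}}}],
    "FN_CLEAR_P": [{"tcode": "F-03", "perms": {("F_BKPF_BUK", "ACTVT"): {"01"}}}],
}
# Risks: a user violates a risk when every listed function is satisfied.
RISKS = {
    "R_TCODE": ["FN_SALES_T", "FN_CLEAR_T"],
    "R_OBJECT": ["FN_SALES_P", "FN_CLEAR_P"],
}
# Constructed users: alice can start F-03 but only display (03); bob holds '*'.
USERS = {
    "alice": {S_TCODE: {"VA01", "F-03"},
              ("V_VBAK_AAT", "ACTVT"): {"01"},
              ("F_BKPF_BUK", "ACTVT"): {"03"}},
    "bob": {S_TCODE: {"*"},
            ("V_VBAK_AAT", "ACTVT"): {"*"},
            ("F_BKPF_BUK", "ACTVT"): {"*"}},
}


def holds(auths, obj, fld, value):
    """True if the user holds `value`, or the wildcard '*', for object/field."""
    held = auths.get((obj, fld), set())
    return "*" in held or value in held


def match_action(auths, action, level):
    """Return the report rows proving the user can run `action`, else None."""
    if not holds(auths, *S_TCODE, action["tcode"]):
        return None
    rows = [(*S_TCODE, action["tcode"])]
    if level == "permission":
        for (obj, fld), required in action["perms"].items():
            # Assumption: all enabled values must be held (AND logic).
            if not all(holds(auths, obj, fld, v) for v in required):
                return None
            rows += [(obj, fld, v) for v in sorted(required)]
    return rows


def analyze(user, risk_id, level):
    """Rows (function, object, field, value) for a violated risk, or []."""
    if level not in ("action", "permission"):
        raise ValueError("level must be 'action' or 'permission'")
    auths, rows = USERS[user], []
    for fn_id in RISKS[risk_id]:
        hit = None
        for action in FUNCTIONS[fn_id]:
            hit = match_action(auths, action, level)
            if hit is not None:
                break
        if hit is None:  # one function not satisfied: no conflict
            return []
        rows += [(fn_id, *r) for r in hit]
    return rows


if __name__ == "__main__":
    for user in USERS:
        for risk_id in RISKS:
            for level in ("action", "permission"):
                print(user, risk_id, level, analyze(user, risk_id, level))
```

For a risk with no object/field values enabled, the permission-level rows contain only S_TCODE, which is the report output the question describes; for the object-level risk, alice is flagged at action level but not at permission level.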

Similar Messages

  • Need Users and ACL permission for KM Reports

    Hello Experts,
    Need your help for one requirement, in which I need to provide a list of users with ACL permission of each report from KM. There is a huge amount of reports, so it is quite time consuming to open each report and check the ACL and user from KM.
    Is there anything so that I can get the list of users with the ACL permission for each report?
    Any help will be appreciated with points.
    Regards
    AK

    Hi AK,
    I misunderstood your query. If you just want to check the permission of all reports then you can use the default permission report available in the content Administration->KM Content->toolbox->reports->permission report.
    http://help.sap.com/saphelp_nw04/helpdata/en/fe/5290412facac5fe10000000a1550b0/frameset.htm
    If you could not find the report contact basis team to do the configuration
    http://help.sap.com/saphelp_nw04/helpdata/en/07/dad131443b314988eeece94506f861/frameset.htm
    Naga

  • User analysis at Action level and Permission level

    Hi Gurus,
    I am totally confused by the way our CC is working while using it for User Analysis. I understand that during Risk Analysis for a user with Report Type "Action Level" will give the conflicts at the transaction level for the user and with Report Type "Permission Level" will give the conflicts at the Object level for the user. Also the permission level report includes the results of the action level report as well and hence Permission level report is more detailed & reliable.
    But now when I run the analysis report for a particular user both at Action & Permission level...the user is not getting any conflicts at Action level but it is showing conflicts at the Permission level. For another user the vice versa is happening. Could anyone help me in understanding the above 2 scenarios?
    Regards,
    Lakshmi.

    Hi
    For a user to have an action level conflict, the user should have that transaction code access only, i.e. object s-tcode = xyz transaction code.
    Similarly, for a user to be reported in a permission level conflict, the user should have access to
    S_tcode = xyz transaction code plus all other authorisation objects... Or in other words, if the user is missing any authorisation object it won't be reported there...
    So just check what authorisation object level check is enabled for that transaction code in the rule architect tab.. Thereafter see whether user have access to all those authorisation object with the values specified...
    Parveen

  • Link to child level detail report via variable ? / navigate to ?

    I was wondering if anyone has had a similar experience; I am trying to based on selection link to customer details
    Example: Fact & Dimensions; Fact (I aggregated to Customers gained); Dimension1 (Date / Period); Dimension2 (Customer Dimension)
    Problem that I have aggregation level has customers and the features they have (features being lowest level); the Dimension is stored at lowest level(customer). I would like to; (based on aggregation) select value based on Time/Gained and then display applicable customers. I was trying to see if there was a way to identify via variable user selection and possible use as filter for detail/child report II. I was hesitant to go to feature level in Dimension only because of size and possible/potential relating slowness.
    Has anyone used such variable, based on selection before ? Or Has anyone noticed issue with using large Dimension 25K + w/indexes ? Also if I was to use larger dimension, is it possible to roll data up, instead of drilling down, because if going to feature level would need to show applicable customers ?
    Thank you in advance for your help

    Thanks David,
    I don't want to enhance the IMG structure. I just want to insert a link to the IMG node in my documentation.
    Example:
    Transaction SE61 -> Document class = General text -> Name = ZZ_TEST -> Create
    Within the editor choose Insert -> Link -> Document class = Implementation Guide chapter (SIMG) -> Chapter = SIMG_CFMENUOLMEOMF4 -> Name in document = PO screen layout
    Back in the editor choose Document -> Screen output
    When the output appears click the link -> SAP will navigate to the RFQ subtree in customizing, but I need that SAP navigates to the PO subtree.
    Any ideas?
    Kind regards
    Rudi

  • Role Analysis at Action Level - Summary Report - Question

    When running the Role Analysis Summary report at the Action Level, will the report show tcodes  that run in the background   from the tcodes specified in the role on the report?

    Hi Varun,
    Does this also apply on alert monitor report - say we have one tcode defined as critical action or is in one SOD risk, and the tcode is run indirectly, will it show in alert or not?
    Example, we have seen one tcode showing as executed, but the user authorization doesn't have the tcode access at all. So I was wondering how did it come in alert report.
    Regards,
    Sabita

  • Shipment Batch level details report

    Hi All,
    Our client has come up with a new report requirement. They want the below columns in their report.
    Sales Order , Sales Order Item, Delivery, Delivery Item, Batch , Shipment , Individual delivery quantity
    Please suggest what will be the best approach to build the report. Should we go for a generic datasource or should we enhance any existing LIS Datasource?
    Regards and Thanks,
    Vivek Das Gupta

    Hi,
    There are standard datasources for Sales Orders/Shipments:
    2LIS_11_VAITM (Sales Orders Items)
    2LIS_12_VCITM (Delivery Items)
    These datasources are used in the most BI solutions.
    Regards,
    Tiago.

  • How to understand Permission level SoD analysis reports?

    Hi ,
    We would like to confirm whether our understanding is correct in analysing the SoD analysis reports at Permission Level
    Below is an example on how functions are configured at permission level
    Under Function 0C0004 we have t-code as below
    VA01 - Create Sales Order with Auth Objects
    B_USER_STAT  - ACTVT 01 AND
                                ACTVT 06 AND
    K_CKBS_CO-PC - ACTVT 01 AND
                                 ACTVT 06 AND
    V_VBAK_AAT - ACTVT 01 AND 02 AND 06 etc.,
    Similarly we have another Function GA0001  with t-code as below
    F-03- Clear G/L Account
    F_BKPF_BLA  - ACTVT 01 AND
    F_BKPF_BUK -  ACTVT 01 AND
    F_BKPF_KOA - ACTVT 01 AND
    We have defined Risk between GA0001 & OC0004 with RISK ID 0045.
    Does this means that a User / Role which are having t-code VA01 with the above permission values should be thrown as a conflict if the same user/ role is having t-code F-03 with the above permission values.
    Do we need to understand the conflicts are only  between two transaction codes and their permission values? or
    Do we need to understand within the transaction code permission values also there are conflicts i.e. if a user is having  01,02 & 06 for V_VBAK_AAT in VA01 also.
    When SoD reports are thrown for a User/ Role it just provides the Rule ID number and the t-codes conflicting followed by the permission values of the t-codes as below
    004500101 : Transaction Code Check at Transaction Start  Transaction Code     Create Sales Order (VA01)   OC00004
    004500101 : Transaction Code Check at Transaction Start  Transaction Code      Clear G/L Account (F-03)      OCA00001
    004500101:  B_USERSTAT : ACTVT : Activity      Delete(06)                          OC00004
    004500101:  F_BKPF_BLA : ACTVT : Activity      Create or generate(01)      GA00001
    004500101: B_USERSTAT : ACTVT : Activity      Create or generate(01)      OC00004
    004500101: F_BKPF_KOA : ACTVT : Activity      Create or generate(01)      GA00001
    004500101: V_VBAK_VKO : ACTVT : Activity      Create or generate(01)      OC00004
    In the above scenario what exactly do we need to understand? Whether the conflicts are between t-codes & their respective permission values or the conflicts are intra conflicts i.e. between permission values as well?  User should not possess both 01 & 06 for Auth Object B_USERSTAT and remove the access to any of them.
    Please provide your suggestions in our understanding.
    Thanks and Best Regards,
    Srihari.K

    Hi Sri,
              In RAR the conflict is always between Actions not permission. Permission level data is only for your info. All permission level details out of the box are not configured you have to activate it and fill in the value in the field. Now based on the value you feed in it will pull out the details.
    eg: if you enter * it will show all values, If you enter 01 it will show all  values with 01. 
           So to summarize the permission level details you need to configure based on needs and are not linked to conflicts they just show AS IS permission level details.
    Thanks,
    Darshan

  • RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

    I have a trouble related with risk analysis at permission level, when the V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear, however performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
    At a first time I thought that most probably would be related with the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logical activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this no overpass the limit of 45566 rules defined at RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is "no conflicts":
    D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
    If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*'   for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
    I have done the following checks, all of them correct:
    - The user/role/profile synchro has been done and all the users has been stored in table VIRSA_CC_
    - All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
    - All the combinations of rules has been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
    Any suggestions?
    Thanks in advance

    I've detected the same problem for the following authorization objects:
    - F_BKPF_BLA||BRGRU
    - V_VBRK_FKA||FKART
    - M_MSEG_BWE||WERKS
    RAR reports no conflicts (at authorization level) when these objects are activated (of course having users with these conflicts in back-end systems)
    This problem has been proved in the installation of different customer with SAP GRC Access Control 5.3 SP12.
    Anybody else has experienced this issue????

  • GRC 10.1 SP06 - ARA shows no violations at permission Level

    Hi Guys,
    We've just installed SP06 and we came across the issue described in the title of the discussion.
    Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully ( I've checked in the NWBC that the permissions appear after the risk generation and also I've checked some tables like GRACSYSRULE and GRACACTRULE and risks appear there).
    Risk analysis seems to work fine at action level but we don't have violations at permission level even when we know that the user should have violations (for example a user with SAP_ALL). For some cases some risks seem to appear at permission level but only with the object S_TCODE.
    Just to discard problems with the connector we've created a Legacy connector, upload the files and ran the synch. The analysis at permission level still show "no violations". We tested with THE SAME files and ruleset in a system with SP05 and it worked as expected showing violations at permission level.
    Does anyone faced a similar issue? can you give me some light in order to solve the issue?
    Many Thanks!
    Diego.

    Hi!
    We still don't have a SAP official response but we think that the error is because of the note:
    2014811 - Risk Analysis Dump in case of huge data
    That we've implemented some days ago as part of the advance corrections of SP07.
    The error seems to be related to the following class:
    But there are many changes related to such note...So we're not sure about the exact details.
    We DE-implemented the note mentioned above and after that the analysis at permission level worked as expected.
    Hope to have a SAP response soon, but meanwhile I do not recommend to implement such note.
    Thanks!
    Diego.

  • Permission level version history

    At what permission level can one see the version history for a list record where versioning is enabled?

    Hi, apart from the restricted permissions and Limited access set to users, all other permission levels of users are able to view the version history.
    Anil Avula[MCP,MCSE,MCSA,MCTS,MCITP,MCSM] See Me At: http://expertsharepoint.blogspot.de/

  • Check if Custom Permission level exists or not

    I have created a custom permission level.
    On feature activation, i need to check if that custom permission level exists or not. How can i do that?
    Thanks,
    Avni Bhatt

    Check if below helps
    // Requires: using Microsoft.SharePoint; using Microsoft.SharePoint.Utilities;
    SPWeb web = SPContext.Current.Web;
    // Validate the page request to avoid
    // any malicious posts
    if (Request.HttpMethod == "POST")
        SPUtility.ValidateFormDigest();
    // Get a reference the roles that are
    // bound to the current user and the role
    // definition to which we need to verify
    // the user against
    SPRoleDefinitionBindingCollection usersRoles = web.AllRolesForCurrentUser;
    SPRoleDefinitionCollection roleDefinitions = web.RoleDefinitions;
    SPRoleDefinition roleDefinition = roleDefinitions["Full Control"];
    // Check if the user is in the role. If not
    // redirect the user to the access denied page
    if (usersRoles.Contains(roleDefinition))
    {
        // Check if post back to run
        // code that initiates the page
        if (IsPostBack != true)
        {
            // Do your stuff here
        }
    }
    else
    {
        Response.Redirect("/_layouts/accessdenied.aspx");
    }
    http://blog.rafelo.com/2008/10/13/programmatically-checking-user-roles-or-permission-levels-in-sharepoint-2007/
    http://yoursandmyideas.wordpress.com/2011/10/08/setting-custom-permission-levels-in-sharepoint-programmatically/
    Or check if it exists and then delete and recreate it
    string[] yourCustomRoles = {"Level1", "Level2"};
    using (var web = spSite.OpenWeb())
    {
        var roles = web.RoleDefinitions;
        foreach (var levelName in yourCustomRoles)
        {
            try
            {
                // The indexer throws when the permission level does not exist
                var existing = roles[levelName];
                roles.Delete(levelName);
            }
            catch (Exception)
            {
                // web has no this role
            }
            // Add code here
        }
    }
    http://go4answers.webhost4life.com/Example/delete-specific-permissions-108626.aspx

  • 2nd Level Detail

    I created a fully functional Master-Detail report by using the HTMLDB Master-Detail Wizard and converting the Detail Form to a Report Format.
    Is it possible to drill down to a second level of detail from the first level of detail?
    With no success, I tried manually creating a second level detail report with link from first level detail, but GUI prevents creation of certain objects, like Prev and Next Buttons with No Region (GUI demands selection of region) for pagination.
    Any guidance or links to known examples would be appreciated.
    Thanks

    There is no wizard to help you out here, so with some experimentation, it is possible to go to a second level of detail. I got best results when the PK of first level detail table was the same name as the FK in the second level of detail table.
    Created the report manually, and it is lacking PREV/NEXT controls in the row counter report footer. Still have not yet figured out how to invoke the NEXT/PREV with row counter in the report. Currently the NEXT/PREV are buttons in the region but not with the report counter object.

  • User Level SOD Report - Batch

    Hi GRC Experts,
    Every day my company runs a User Level SOD analysis against every user in ERP or HRP.  Here is the criteria for ERP (there is a connector):
    System:  Our defined ERP connector
    Risk Level:  All
    Rule Set:  Global
    User is not DDIC
    User Type:  Dialog
    Format: Detail      Technical View
    Access Risk Analysis at the Permission Level
    Show All Object
    This job is run in Background, and the report output is downloaded from Background Jobs.
    Is there a way to schedule this job using SE38 and a variant?  We would like to start using an automated scheduling tool.
    The program run is GRFN_BP_SCHEDULER with variant &0000000001569
    I looked at the variant, and it looks for I_PLANID and I_UPDTSK.
    Is all the criteria I selected stored in a table as a PLANID?
    Thanks in advance.
    Donna Wiley

    Hello Plaban,
    Thank you for the info!  How do you set up the variant for the "Report" options?  We need two reports for "User Level".  In the Report Options section, we need one report with a Format = Detail and one with a Format = Management Summary. Both reports should be in the Format = Technical View.
    Thank you and kind regards,
    Janice

  • GRC AC RAR - long time for user analysis

    Hi all,
    we have scheduled a Risk Analysis at permission level with 2.000 users. Looking at the report log we see that each user is processed in around 2 seconds. The system seems to be frozen at 41% on a specific user. Now it has been working on this single user for 2 hours.
    Any suggestions to understand why it happens?
    What can we look at ?
    Andrea

    First of all check the Directory where you are storing the RTA extracts to get populated in RAR analysis engine. Also check the Batch Job daemon from your browser by using the url:   http://<servername>:port/webdynpro/dispatcher/virsa/ccappcomp/BgJobStart?debug=1
    Next check can be at connector level. Try to generate the Rule Set for all the Rule Ids. If the Rule set generation also takes longer time than earlier cases then you may need to check the following notes and their suggestions:
    [Note 1121978 - Recommended settings to improve peformance risk analysis|https://websmp130.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=0001121978&nlang=E]
    [Note 986997 - Risk Analysis & Remediation tuning for optimal performance|https://websmp130.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=0000986997&nlang=E]
    Also based on the DB you are using you may need to check some other notes as well. For e.g.:
    1313116 - Performance issues when running Risk Analysis in RAR w/MaxDB
    Also, to be on the safer side, make sure that you are on the updated support pack level. Like SP 14 at least for AC 5.2 or SP 8 for AC 5.3
    Regards,
    Dipanjan

  • Mitigated Risks Still Show up on User Analysis - RAR

    Not sure if you have ever seen this - I'm perplexed. We recently upgraded to AC-RAR 5.3_14.0. When I mitigate a risk for a user for the first time or extend an existing mitigation into the future, the risks will still show up on the next user level risk analysis. I am sure I use correct risk ID (no copy - paste issues). It is as if I never mitigated to begin with. Thanks for any ideas.
    Joerg

    Hi,
    Are you doing User Level mitigation or Role level mitigation? If it is role level mitigation, you need to check 3 places-
    1. RAR>Configuration>Additional Option> Include Role/Profile Mitigating Controls in User Analysis> YES
    2. RAR>Configuration>Default Values> Exclude Mitigated Risks> YES
    3. CUP>Configuration>Risk Analysis--> Consider Mitigation Controls --Checked.
    If you are doing user level mitigation, check for points 2 & 3.
    Regards,
    Sabita
