Access Enforcer Risk Analysis question

Hello All.
We are receiving an error message in an AE request.  We are receiving the following error in Access Enforcer 'Mitigation control ZM030 could not be saved for user XXXX - Exception from the service: ERROR: This user is already mitigated for this risk' when doing the final approval on some requests.
Request #1 was approved without error, but when I did Request #2 I received the error message. I tried it again, same error, but the tick boxes are grey instead of green.
In all cases the roles were added to the user's account, but now AE request 1 and 2 cannot be removed from the listing.

Ankur,
this can happen under different circumstances - say 1 of 3 systems to provision to is down. You will get an error message and the request is not closing, although provisioned to the other 2.
Jonathan,
for this request that is still open, can you remove the mitigation? And then re-run Risk Analysis and approve again.
From version 5.3 you cannot create multiple concurrent requests for the same user, this will prevent your exact error.
Regards
Daniela

Similar Messages

  • Cannot find CCRTAWS at Access Control Risk Analysis and Remediation?

    I am looking for the Web service CCRTAWS  in Access Control Risk Analysis and Remediation.
    But I cannot find it.
    Could you help? Thanks a lot!

    Ashley,
       Go to main page of WAS (Web application server) where AC 5.3 is installed. It would be
    http://(servername):(port)/index.html [Replace servername and port with the actual servername and port number]
    Click on Web service navigator (First link on right side). This link will show you all the web services installed. Search for CCRTAWS. I can see it in my AC installation.
    Regards,
    Alpesh

  • ARQ: What level of risk analysis is performed in Access Request???

    Hi,
    I have a question/doubt which might look silly!
    When we perform risk analysis in access request in "Risk Violation" Tab. May I know if I am correct in saying that this is "USER LEVEL" risk analysis?
    Secondly, note#1638140 says:
    Resolution
    The Impact Analysis type in Access Request risk analysis simulation is supposed to evaluate the HR org or position changes, which might have an impact on other users that are in the same org or assigned to the same positions. The Risk Analysis type is showing existing risks plus the risks if the new access in the request is added to the users or roles.
    I am a bit confused with this statement. It says "if the new access in the request is added to the users or roles".
    Can anybody please help me understand this?
    Thirdly, if a request shows existing risks plus new risks if the new access (only 1 single role) in the request is added to a user, does such request qualify for "Violation Detour" and changes its path for the new role added?
    Please advise.
    Regards,
    Faisal

    Faisal,
    not really sure if I understand your doubts correctly.
    The risk analysis in simulation analyzes all the current and to-be-added authorization. Better to explain in an example.
    User has ROLE_A and ROLE_B and in simulation you add ROLE_C. ROLE_A contains FB60, ROLE_B MM03 and ROLE_C FK02. Per definition from the rule set a violation is between FK02 and FB60. MM03, as it is only display, isn't a risk.
    So the user has with the current authorization (MM03, FB60) no risk. In simulation you add FK02, which conflicts with FB60, and the simulation will show a violation. In the simulation you can differentiate risks based on their color, whether they come from existing or newly added authorization.
    In simulation it is possible to simulate different scenarios like adding tcodes, roles or profiles. Be aware that if you run the simulation it always analyzes the full authorization (current and simulated).
    Does this answer your question?
    Regards,
    Alessandro
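
Added example (not from this thread and not SAP code): a small Python model of the simulation logic Alessandro describes, using his ROLE_A/ROLE_B/ROLE_C and FB60/MM03/FK02 values. The rule-set structure and the risk id "F001" are constructed assumptions; the point it shows is that a violation only appears when current and simulated access are analyzed together, and that each finding can be tagged as coming from existing or newly added access.

```python
# Added example (not from the thread, not SAP code): a toy model of the
# risk analysis simulation described above. Rule set, risk id and role
# contents are constructed to match the FB60 / MM03 / FK02 example.

# Constructed rule set: risk id -> pair of conflicting actions (tcodes).
# "F001" is a hypothetical id, not an SAP-delivered risk.
RULE_SET = {
    "F001": frozenset({"FB60", "FK02"}),
}

# Constructed role contents from the example: MM03 is display-only and
# appears in no risk, so ROLE_B never contributes a violation.
ROLES = {
    "ROLE_A": {"FB60"},
    "ROLE_B": {"MM03"},
    "ROLE_C": {"FK02"},
}


def actions_for(roles, role_defs=ROLES):
    """Map each granted action to the set of roles that grant it."""
    granted = {}
    for role in roles:
        for action in role_defs[role]:
            granted.setdefault(action, set()).add(role)
    return granted


def simulate(current_roles, added_roles, rule_set=RULE_SET, role_defs=ROLES):
    """Risk analysis over the full authorization (current + simulated).

    Returns a sorted list of (risk_id, conflicting_actions, origin, roles):
    origin is "existing" when the whole conflict is already in the current
    access and "new" when at least one side comes only from the simulated
    roles. This is the colour distinction the answer above mentions.
    """
    current = actions_for(current_roles, role_defs)
    full = actions_for(set(current_roles) | set(added_roles), role_defs)
    findings = []
    for risk_id, pair in rule_set.items():
        if not pair.issubset(full):          # dict membership = action keys
            continue
        origin = "existing" if pair.issubset(current) else "new"
        involved = sorted(set().union(*(full[a] for a in pair)))
        findings.append((risk_id, tuple(sorted(pair)), origin, tuple(involved)))
    return sorted(findings)


def added_only(added_roles, rule_set=RULE_SET, role_defs=ROLES):
    """Naive check of just the requested roles, shown for contrast.

    Analysing ROLE_C on its own finds nothing, which is why the simulation
    must always include the user's current access.
    """
    return simulate(set(), added_roles, rule_set, role_defs)


if __name__ == "__main__":
    # Walk through the scenario from the answer.
    print("current only :", simulate({"ROLE_A", "ROLE_B"}, set()))
    print("add ROLE_C   :", simulate({"ROLE_A", "ROLE_B"}, {"ROLE_C"}))
    print("ROLE_C alone :", added_only({"ROLE_C"}))
```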

  • Q&A for Live Expert Session "Enhanced Risk Analysis on AC 10.0"

    Hi,
    Please find below the questions that we could not address during yesterday's sessions. If you have any further questions please create a new discussion in the forum.
    Thanks,
    Luis
    Q: Is it still possible to filter by user group using all rule sets at once?
    A: Yes, in 10.0 you can combine as many conditions as needed. In this case you would select all rulesets that apply and also the user groups.
    Q: Are user groups linked to users per system, or still, as in 5.3, only the first system the user is found in?
    A: In the user information screen only the user group from the details data source will be shown.
    Q: Have there been any enhancements made to the simulation functionality?
    A: Yes, the simulation allows using multiple combinations of fields like in the new risk analysis. We can now do simulation on Business Roles. Also a new UI provides a step-by-step process for defining the simulation criteria, allowing to easily simulate changes at action, role and profile level in a single run.
    Q: Is it possible to restrict access to risk analysis or changing risks, functions on an organisational level for these employees (eg. HR, Marketing, Finance etc.)?
    A: You can restrict access to specific components using standard authorizations, please refer to the Security Guide. Also such changes can be subject to workflow which can be customized to specific approvers.
    Q: How is the offline risk analysis done in 10.0?
    A: The process is the same as in 5.3. A Batch Risk Analysis must be scheduled and the "Offline Data" flag in the risk analysis must be checked.

    Hi GRC Team,
    Please help me on this. I am waiting for your reply.
    Regards,
    KR

  • Risk Analysis Error - Access Enforcer

    Hi Experts,
    I am getting error while running risk analysis in Access Enforcer and the error is
    Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html'
    We are using separate RFC IDs for Access Enforcer connector and Compliance Calibrator connector.
    Please help me.
    Thanks&Regards,
    Vijay

    Reddy,
    The user must indeed be created in the UME as a Compliance Calibrator user.
    I don't know exactly which role he should be assigned, usually I indicate there my CC admin user-id and password.
    When you see it is working with that user-id, you can try to re-fine the roles.
    Some more info regarding what needs to be set in the URI in case the one I indicated in my previous answer is not working:
    "There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, UserName, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address. If you select Compliance Calibrator 4.0, there is no need to connect to a URI address."
    Karim

  • Why Access Enforcer 5.2 considers "Critical Transaction" as a SOD Risk ?

    Hello,
    When I submit a request with Critical Transaction and no SOD conflict, Access Enforcer forwards my request to the SOD Manager.
    I have a Detour Path triggered by the condition "SOD Violations".
    The settings are in:
    - Access Enforcer 5.2: Configurations -> Risk Analysis -> Default Analysis Type: Object Level
    - Compliance Calibrator 5.2:
    Configuration -> Risk Analysis -> Default Values -> Default report type for risk analysis: Permission Level
    I am wondering why Access Enforcer 5.2 considers "Critical Transaction" as a SOD Risk.
    Thank you.
    Abderrahim

    Hi,
    As per my knowledge even though you set the risk analysis to be done at a single level, AE will do at all the levels, i.e., at SoD, critical action, and critical permission. If you want to have only SOD risks, you need to either deactivate all critical action rules in RAR, or create a new ruleset and assign all the SOD risks to it and use it with AE.
    This will help you to address the issue.
    Best Regards,
    Raghu

  • Error in Risk Analyzer of Access Enforcer

    We are getting the below error in Risk Analyzer of Access Enforcer in the GRC system that we have:
    Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.XmlUnmarshalException: XML Deserialization Error. Invalid parser state. This exception is caused when deserializing XML type [http://www.w3.org/2001/XMLSchema] and wrong XML node is found.
    The version of the system is AE 5.2 SP11 (Build-59112)
    Could someone help on this?
    Regards
    Bharathwaj V

    Hi alpesh,
    Thanks for your answers.
    We were able to sort out the problem. The problem was with the load balancing at java level.
    We had 2 server nodes and only 1 server node was taking all the requests and so it was choked up.
    Bharathwaj V

  • GRC Access Controls v5.3 RAR Batch Job Risk Analysis Incr Analysis

    Hi All!
    re: GRC Access Controls v5.3 RAR Batch Job Risk Analysis Incr Analysis
    Can anyone list or direct me to a help link that has the progress list of processes that are contained in this batch job?
    Thanks!

    Hi All,
    I have answered my own question. The processes are:
    User Permission Analysis
    Profile Action Analysis
    Role Action Analysis
    User Action Analysis
    Role Permission Analysis
    -john

  • GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

    Hello Gurus,
    We have done configuration of GRC AC 10, and uploaded files via
    SoD rules -->Upload Rules
    After that we generated SoD rules for Risk Id : B001 and B002
    Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
    The report shows (for Group Rule level : Action)
    Number of Active rules : 0
    Number of Disabled Rules : 0
    Number of Functions :  151
    Where as for Group Rule level : Action Risk
    The report shows
    Number of Active Risk : 42
    Disabled risk : 161
    Nmr. of functions : 151 .
    When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
    Note: All the background jobs have run successfully.
    Also the SoD files also have been uploaded successfully.
    Will you please guide how can i activate the "rules" for the uploaded risk ??
    regards,
    Victor

    Hello Victor/ Inder,
    For Risk ID B001 the functions are BS02 and BS11; if you open any one of them you can see the system maintained as SAP BASIS, which is SAP_BAS_LG (logical connector group).
    Post installation you can check in SPRO > Governance, Risk and Compliance > Common Component > Integration Framework > Maintain Connector and Connector Types > select SAP and click Define Connector Group.
    Connector Group     Description     Connector Type
    BUSINESS     Business Roles     SAP
    SAP_BAS_LG     SAP Basis     SAP
    SAP_CRM_LG     SAP CRM     SAP
    SAP_ECC_LG     SAP ECCS     SAP
    SAP_HR_LG     SAP HR     SAP
    SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
    SAP_R3_LG     SAP R3     SAP
    SAP_SRM_LG     SAP SRM     SAP
    (If not present then manually you can create the same)
    Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector Group to Group Types as AM & LG, then click on Assign Connector to Connector Group and maintain your connector.
    Post this activity regenerate SoD for B001 and then check for user level and role level analysis.
    Hope it will resolve your issue.
    Regards,
    Sudesh

  • GRC Access Control 5.3 - RAR Risk Analysis in offline mode

    Hi expert,
    I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate the User Action file the ABAP has a problem when trying to get a COMPOSITE ROLE field for a Role that is associated to many Composite roles, as the unique record consists of fields IDUSER, ROLE and ACTIONFROM. Does someone know how we can solve this conflict?
    Best Regards!

    I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how to fill it when the Single Role belongs to multiple Composite Roles. This is because of the primary key: we can't make multiple records for each userid/role combination, each one with a different Composite Role, such as in the following example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
    Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
    Hope I explained myself. Thanks for your help.

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them a HR System. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question, if we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles. So, an AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity). Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems. If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'. When AE is implemented over the top of this, a user only has to request the 'AP Clerk' role (composite). AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems. Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • Error while running risk analysis.

    Hi,
    I am facing a problem while running risk analysis from Access Enforcer for a particular application. In fact the problem is for all the connectors. I have done the required configuration.
    The error I am getting is "Risk analysis failed: Exception from the service : Risk Analysis failed".
    Please suggest.
    Thanks in Advance.
    Regards,
    Pravin.

    Problem was with JCO connection.

  • AE 5.2 remote risk analysis with CC 520_640

    Hi,
    Can anyone please tell me if this scenario is possible?
    AE to do risk analysis in remote system by using CC rules defined in a central system.
    Eg. ECC system has mitigation rules defined for HR. ECC also has rules defined for Finance, MM etc.
    AE 5.2 will connect to the CC (ECC system) when processing a request and check the HR rules for the roles in AE to do a remote risk analysis before provisioning the access in the HR box.
    ECC box has CC 520_640 - ECC 5.0
    HR box has CC 520_700 - ECC 6.0
    Is this possible at all? CC configuration parameters are enabled and defined to do a remote analysis.
    Risk analysis shows risks when a remote analysis is done in CC. But AE risk analysis shows no risks.
    Thanks

    Good question but quite confusing way to ask but anyways..
    As you said, you are able to perform risk analysis in RAR/CC on the considered system (remote system as you mentioned) but not able to perform the same in CUP/AE.
    From the symptoms it seems like the web service in AE for integration with CC to perform Risk Analysis is not configured.
    Please go to Configuration tab > Risk Analysis menu > Select CC version
    and enter the URL for the web service, it may be something like
    hostaddres:portno/VirsaCCRiskAnalysisService/config?wsdl&style=document
    or you can find it through following method.
    Go to Web Services Navigator (same location as for UME) and drill down to VirsaCCRiskAnalysisService and get the URL from there. Finally enter the URL in the above-mentioned location.
    Then try performing the Risk Analysis on the considered system, if it is still not working and in case the web service is already configured and working for other systems let me know. We will think in some other direction.
    Best Regards,
    Amol Bharti

  • SAP GRC 10.0 - Risk Analysis - Define global variant

    Hi Experts,
    We are implementing SAP GRC 10.0 and we have a question about variant management in Access Risk Analysis.
    When we saved a variant, it seems that this variant is user specific.
    Is it to possible to define this variant as default for all users?
    Thanks.
    Best regards,
    Nicolas RICHARD

    Hi,
    I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if an Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
    It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.

  • AC10 - Auto risk analysis and auto mitigation

    Hi,
    I was wondering if it is possible to
    - run an automatic risk analysis at the end of an approval stage of the workflow, the same way it is possible to configure at the time of request sending?
    - automatically put a mitigating control in the request for the risks found?
      In our case, there is only one mitigating control for each risk and the assignment of the control is an unnecessary manual task to perform. The mitigation assignment will be approved in a separate WF by the mitigation owner.
    It seems there is no out of the box solution to this, so any alternative suggestions are welcome.
    Thanks,
    Daniela

    Hi Daniela,
    If I may give my opinion, I would probably break your question down into 2 parts.
    1) Auto Risk analysis at the end of a stage - Making "Risk Analysis Mandatory" at that stage is probably the method. Unfortunately this does mean clicking one or two buttons (so not fully automated). Think AC uses this method to ensure the reviewer is aware of the conflicts caused etc.
    2) Auto Mitigation - For a business access workflow in a 'Live' situation, this is probably not a good idea,  as analysing and making the decision on whether to proceed with the request should really be performed by an actual person responsible for that stage in the work flow e.g. Role Owner or Security Lead etc. You would not want to mitigate all risks automatically (if I have understood correctly that you have a mitigation per risk ID). In theory, an automated mitigation process would mitigate all risks without discrimination.
    On a side note, there is a configuration setting under SPRO for Access controls as follows
    "Risk Analysis- Access Request : Param ID 1072 - Mitigation of critical risk required before approving the request". By enabling this configuration, you could force a mitigating control to be applied to any user requesting Critical Access.
    Hope this helps.
