AE 5.2 cross system risk analysis with CC 4.0

Hi,
We have a unique situation.
We have CC 4.0 (central) set up in ECC system where the rules and risks are defined for systems such as R/3, HR and SRM
We need AE to use this central CC system to do the risk analysis when an access request for HR or SRM is submitted in AE 5.2. Right now for a request to a HR system, risk analysis is being done in HR system where there are no rules and hence no risks are identified.
Environment :
CC 4.0 in  ECC 5.0 with VIRSANH RTA 520_640 Level 3 and VIRSAHR RTA 520_640 Level 2
AE 5.2 JAVA in NW 7.0 SP level 2
Risk analysis for Access requests to ECC system is done without any issues and the connectors in AE are defined as well as CC 4.0 configuration for cross system is enabled.
Please give your suggestions and also tell me if this below scenario is possible.
Use CC 5.2 Java stand alone system and define logical/cross system to connect to multiple systems such as HR and SRM and use those specific rules to do the risk analysis.
Thanks

Hi RM,
You can setup Risk Analysis inside AE Configuration.
You can identify the level of risk analysis and specify the Compliance Calibrator version for processing risks.
See the details from the AE Configuration Manual
In the Select Compliance Calibrator Version pane, from the Version drop-down list, select the version of Compliance Calibrator.
In the URI field, enter the appropriate URI address for the web services.
In the User Name field, enter your User ID. Your User ID must have security access to web service.
In the Password field, type your password.
Select the Perform Org Rule Analysis option to perform org. rule analysis at risk analysis time.
Note: There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, User Name, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address.
If you select Compliance Calibrator 4.0, there is no need to connect to a URI address.
So the answer is YES, you can connect AE 5.2 with CC 4.0 for Risk Analysis.
Hope this helps,
Regards,
Kiran Kandepalli.

Similar Messages

  • Risk Analysis with "ALL" systems

    Gurus,
         I have a scenario where we have a rule set (not global) built on a logical system with 8 systems in it. We are trying to run the analysis with "ALL" systems instead of individual systems as we are hoping that the analysis will be performed only on the systems that are part of the logical systems. My understanding on how the risk analysis run may be wrong but I need a second opinion on my assumption. Please do let me know if any one needs more explanation.

    Hi Varma,
    The Risk Analysis System "ALL" is really all connectors and is not tied to the Logical System (LS). The LS defines which systems are applicable for the rules. If your LS has fewer systems than all the connectors, just keep in mind that this impacts the results.
    Example:
    Existing connectors = A, B, C, D, E, F (ALL = A-F)
    LS-1 = A, B, D, F
    Run the report for "ALL" systems/connectors and let's assume that every system has SOD issues. Your results would look like this:
    A = SOD violations
    B = SOD violations
    C = "no violations found"
    D = SOD violations
    E = "no violations found"
    F = SOD violations
    You would either need to add C & E to LS-1 or create a LS-2 with connectors C & E and create/upload rules for LS-2. Then ALL would find SOD violations for connectors A - F.
    Hopefully I didn't over explain the question. Short answer is system "ALL" = all connectors and there is no choice to run the SOD report based on a specific LS.
    -Dylan

  • AE 5.2 remote risk analysis with CC 520_640

    Hi,
    Can anyone please tell me if this scenario is possible.
    AE to do risk analysis in remote system by using CC rules defined in a central system.
    Eg. ECC system has mitigation rules defined for HR. ECC also has rules defined for Finance, MM etc
          AE 5.2 will connect to the CC (ECC system) when processing a request and check the HR rules for the  
          roles in AE to do a remote risk analysis before provisioning the access in HR box.
         ECC box has CC 520_640 - ECC 5.0
         HR box has CC 520_700  - ECC 6.0
          Is this possible at all? CC configuration parameters are enabled and defined to do a remote analysis.
          Risk analysis shows risks when a remote analysis is done in CC. But AE risk analysis shows no risks.
    Thanks

    Good question but quite confusing way to ask but anyways..
    As you said, you are able to perform risk analysis in RAR/CC on the considered system (remote system as you mentioned) but not able to perform the same in CUP/AE.
    From the symptoms it seems like the web service in AE for integration with CC to perform Risk Analysis is not configured.
    Please go to Configuration tab > Risk Analysis menu > Select CC version
    and enter the URL for the web service, it may be something like
    hostaddres:portno/VirsaCCRiskAnalysisService/config?wsdl&style=document
    or you can find it through following method.
    Go to Web Services Navigator (same location as for UME) and drill down to VirsaCCRiskAnalysisService and get the URL from there. Finally enter the URL in the above-mentioned location.
    Then try performing the Risk Analysis on the considered system, if it is still not working and in case the web service is already configured and working for other systems let me know. We will think in some other direction.
    Best Regards,
    Amol Bharti

  • Cross System Object Lock with ChaRM Retrofit

    Hi-
    I need to know if there is the ability to have a cross system object lock while utilizing Retrofit within ChaRM. For example I am working with an N, N1 landscape. When I release a transport request in N I need the object to be locked in the N, and N1 (after retrofit) landscapes.
    Will this be supported with both Workbench and Customizing requests?

    I don't believe this is possible at the moment. As you must be already aware, SAP releases the locks from the objects as soon as the transport request is released from the Development System. Unless this locking mechanism is extended to various systems first (DEV and QAS) and later to parallel landscapes (e.g. Project landscapes), it would be difficult to bring in this feature.
    Rgds,
    Abhijeet Bhagat

  • Is it possible to conduct IT Risk Analysis with BPA?

    Hi, my company has been working for long with BPA. I have been required to conduct an IT risk analysis process. I wonder if BPA could be my choice, since I am not 100% sure BPA can do that. Has anybody used BPA to perform a risk analysis?
    Thanks

    I am not 100% certain what IT risk analysis means, but you might want to explore the BPA simulator to see if it meets your needs.

  • Compliance Calibrator v4.0 - Cross System SoD Analysis

    Hi all,
    I'm looking to run SoD analysis across BI7 and ERP using Compliance Calibrator v4.0. I can see the Parameter in the config overview, and have set it to yes in both systems. But there is nothing else in the documentation as to what other config etc. is needed. Does anyone know the steps involved or could you point me in the direction of documentation?
    Thanks in advance,
    Fiona

    Hi,
    there is a difference only if you have created and assigned mitigation controls to users.
    In that case, you can decide to see the report of SOD conflicts with or without mitigation controls:
    - Either you see all SOD conflicts including these that are mitigated (it is however clearly stated in the report whether a mitigation control exists or not)
    - Or you see all SOD conflicts except these that are mitigated (we consider thus that mitigated conflicts should not appear in the report)
    Rgds,
    Karim

  • GRC_10 Risk Analysis Report

    Hi,
    I should extend the risk analysis report with more details from different tables; they hold special role details.
    I haven't found an idea how to do this.
    Could I extend the standard report for risk analysis with more columns?
    Is there something like user exits or enhancement points?
    thank you very much indeed
    best regards
    Alex

    Hi Alex,
    Did you have a chance to look at standard SAP Help information about different types of reports and information available?
    If not yet, please take a look at:
    Risk Analysis Reports - SAP GRC Access Control - SAP Library
    What information exactly would you like to add to reports?
    Standard reports can be customized by adding some additional fields which are hidden in standard view.
    There is also an option to add custom fields and data.
    Let us know,
    Filip

  • CC 5.2 - Risk Analysis on existing roles

    Hello,
    When I submit a change request via AE 5.2 in order to add a role to an existing user,
    does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
    Thank you for your answer.
    Abderrahim

    Hi Abderrahim,
    Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
    Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
    Regards,
    Raghu

  • AE 5.2 - Risk Analysis problem

    Hello,
    I am facing an issue with AE 5.2. When I create a request to assign roles and perform Risk Analysis, I get some SOD violations messages.
    I copy the some assigned roles and paste them in CC 5.2 -> Informer -> Risk Analysis -> Role Level and I have no conflict!
    Can you please advise why I have conflict with AE and not with CC?
    Thank you very much indeed,
    Cheers,
    Abderrahim

    Hello,
    In fact, It was only a false positive issue because:
    In CC I perform a risk analysis with Permission Level option.
    However, I get risk violation in AE with Critical Transaction for the same role.
    The right way is to run risk analysis in CC with Critical Actions.
    Thank you for your collaboration.
    Regards,
    Abderrahim

  • Cross-systems analysis and max. rules for a risk

    Hi all,
    Customer environment: GRC AC RAR 5.2 linked to 3 R3 4.6C environments (FB0, FB1 and FB2) with different purposes. Users and roles can exist in the 3 systems so we need to run cross systems analysis.
    It turns out that the cross-systems analysis works well only if you declare the functions on only 2 environments (FB0 and FB2 or FB0 and FB1).
    If we declare the functions on 3 environments (FB0, FB1 and FB2) one reaches the maximum number of rules for a risk, namely 46 655.
    Is this limit revised upwards in version 5.3 (if yes, how?)
    Or is there a workaround solution to run cross system analysis on multiple physical systems (the customer environment target is 6!)?
    Regards

    The limit is based on the number of character combinations that are available for a risk, so if the number of characters has been increased then the number of rules available won't have been increased.
    In AC 5.3 the number of characters for a risk ID is 4, which is the same as AC 5.2, therefore I doubt that the limit has been lifted or the code changed to accommodate more rules per risk.
    The only way around the issue is to create smaller risks: instead of looking in systems 1, 2 & 3, look in 1 & 2, and 2 & 3 and 1 & 3. Not ideal but at least you will get some results.
    Sounds like an enhancement request needs to be raised to me.
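
The rule-count growth behind this limit and the pairwise workaround, as an added example that is not part of the original thread. The generation model (each function's actions repeated once per system, one rule per combination of one action from each function), the link between 46,655 and a 3-character base-36 counter, and the action counts are assumptions made for illustration.

```python
from itertools import combinations
from math import prod

# 46,655 is the per-risk limit quoted in the question. It equals 36**3 - 1,
# the largest value of a 3-character base-36 counter; tying the limit to
# such a counter is an assumption, not taken from SAP documentation.
MAX_RULES_PER_RISK = 36**3 - 1


def rules_for_risk(actions_per_function, system_count):
    """Estimate the rules generated for one risk (assumed, simplified model).

    Each function's actions are repeated once per system the function is
    declared on, and one rule is generated per combination of one action
    from each function.
    """
    if system_count < 1 or any(n < 1 for n in actions_per_function):
        raise ValueError("counts must be positive")
    return prod(n * system_count for n in actions_per_function)


def max_systems(actions_per_function):
    """Largest number of systems one risk can span without exceeding the limit."""
    n = 0
    while rules_for_risk(actions_per_function, n + 1) <= MAX_RULES_PER_RISK:
        n += 1
    return n


def pairwise_plan(systems, actions_per_function):
    """Split one cross-system risk into one smaller risk per pair of systems.

    Returns (pairs, rules_per_pair_risk, every_pair_risk_fits).
    """
    pairs = list(combinations(systems, 2))
    per_pair = rules_for_risk(actions_per_function, 2)
    return pairs, per_pair, per_pair <= MAX_RULES_PER_RISK


if __name__ == "__main__":
    actions = [80, 70]  # constructed action counts for a two-function risk
    for n in (1, 2, 3, 6):
        total = rules_for_risk(actions, n)
        status = "fits" if total <= MAX_RULES_PER_RISK else "over limit"
        print(f"{n} system(s): {total} rules, {status}")
    pairs, per_pair, ok = pairwise_plan(["FB0", "FB1", "FB2"], actions)
    print(f"{len(pairs)} pairwise risks of {per_pair} rules each, fits={ok}")
```

Under this model the pairwise split keeps every risk under the limit, but the number of risks to maintain grows with the number of system pairs (15 for the 6-system target mentioned in the question).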

  • Batch risk analysis over cross system

    Hi,
    I have the following problems with batch risk analysis over cross system group (SP14) when I run the batch risk job over this group of connectors:
    - The number of users analyzed are wrong in reports.
    - The last update dates are wrong in reports.
    - The reports show some risks with locked and expired users. For example I have 3 connectors in a group and user A is not locked in connector 1 but locked in 2 and 3. The reports show this A user in all the connectors included in the cross system.
    Does anyone have a similar scenario? How to resolve it? Any tip is welcome.
    Kind regards,

    Hi,
    SAP solved my problems with the following notes:
    - 1988650 - GRC 10.0: user analyzed for single & cross connector and SAP_ALL profile disappear for cross system in ad-hoc risk analysis.
    - 2028860 - AC10.0 GRACMGRISKD table shows riskid for riskcount zero
    Regards,

  • Error while performing Risk Analysis at user level for a cross system user

    Dear All,
    I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
    The error is as follows:
    "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
    Can anyone please help.
    Regards,
    Gurugobinda

    Hi..
    Check the note # SAP Note 1121978
    SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
    Check for the following...
    CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
    ChangeThreadCountStep =50
    InitialThreadCount= 100
    MaxThreadCount =200
    MinThreadCount =50
    Regards
    Gangadhar

  • Risk Analysis for Third party ERP system

    We want to perform offline risk analysis for third party ERP(SRM) system.... We have already GRC system installed with Global rule set for SAP ERP & want to have another ruleset for offline risk analysis.
    Just would like to have a confirmation for below steps & estimated time for this.
    Activities Need to be performed from Our side(Client) :-
    1) Send the RAR format for Users/Roles/Actions & Permissions.
    2) Cross Verify the format.
    3) Create the connector for stored files.
    4) Upload the files via Data Extraction utility.
    5) Generate the ruleset for SRM(third party).
    6) Schedule the various background jobs.
    Activities Need to be Performed from Third Party - HUBWOO(Owns SRM ERP system) :-
    1) Convert users/action/roles and permissions files to RAR format.
    Activities need to be Performed  from SAP :-
    1) Provide the ruleset for HUBWOO SRM system.
    Please let me know if I missed any step above & estimated time to complete from our end & has anyone come across a ruleset for HUBWOO system..?
    Thanks in Advance!!

    Thanks all for your reply,
    Alpesh, but still I have small concern here, when SAP provide the ruleset files, it also provides for Oracle, People soft & JDE ERP.
    Though these are also third party ERP's for SAP...?
    Does it mean that we can't ask for ruleset for other third party ERP from SAP...? or does SAP charge something for it..?
    Thanks

  • Different Risk Analysis Results with the same user from 2 different RAR

    Hi..
    I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I don't have users or roles mitigated yet, users are synchronized, rules are exactly the same and I don't know what happen??... Please, help me.
    Thanks...

    Hi...
    If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs.  13150).
    If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
    I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
    Is it a normal behavior? What could be wrong?
    Thanks in advance!!

  • GRC 10 - Risk Analysis in legacy system

    Hi everybody,
    I have a problem with legacy connectors in GRC 10. I implemented the note 1594963. So, I created the legacy files and stored them on the GRC server.
    When I run the user synch, the legacy connector only synchs the first record.
    Can someone help me? Did someone implement a risk analysis for legacy systems?
    Regards,

    Hi  Claudio Ekel
    Can you share some inputs on the Legacy Risk Analysis?
    We have configured the Legacy Connector as per the note 1594963; placed the files on the server & tried running Synchronization Jobs. But the data is not getting uploaded to GRC10.
    We made sure that text files are in UTF-8 format.
    Is it mandatory to load all the 11 files that are provided in the note 1594963? We have excluded the Profile related files.
    Can you share a sample of Legacy file formats that you have used for the sync?
    Can you throw some light on what could be the possible issues for data not getting uploaded to GRC10?
    Regards,
    Pavan Muthyala
