AE 5.2 remote risk analysis with CC 520_640

Similar Messages

• Remote Risk Analysis in GRC 10

  Dear Experts,
  I am trying to configure Remote Risk Analysis in GRC 10.0.
  Could you please let me know if there are any standard programs that extracts data from ERP system. Like we have below standard programs in 5.3 to extract from ERP system.
  /VIRSA/DLOAD_AUTH_OBJS
  /VIRSA/DLOAD_ROLE_AUTH_OBJS
  /VIRSA/DLOAD_ROLES
  /VIRSA/DLOAD_USRS.
  If programs are not there in GRC 10.0, please advise how to get data for remote risk analysis.
  Thanks,
  Raj

  Hi Raj,
  Check this programs:
  /GRCPI/GRIA_DLOAD_AUTH_OBJS Download Authorization object
  /GRCPI/GRIA_DLOAD_ROLE_AU_OBJS Role Authorization Object
  /GRCPI/GRIA_DNLDROLES Download Roles
  /GRCPI/GRIA_DOWNLOAD_SAPOBJ Download objects
  /GRCPI/GRIA_R_DOWNLOAD_DESC Program /GRCPI/GRIA_R_DOWNLOAD_DESC
  /GRCPI/GRIA_R_DOWNLOAD_USRS Program /GRCPI/GRIA_R_DOWNLOAD_USRS
  /GRCPI/GRIA_ZVRAT_UPDWNLOAD updownload data
  Cheers,
  Diego.

• AE 5.2 cross system risk analysis with CC 4.0

  Hi,
  We have an unique situation.
  We have CC 4.0 (central) set up in ECC system where the rules and risks are defined for systems such as R/3, HR and SRM
  We need AE to use this central CC system to do the risk analysis when an access request for HR or SRM is submitted in AE 5.2. Right now for a request to a HR system, risk analysis is being done in HR system where there are no rules and hence no risks are identified.
  Environment :
  CC 4.0 in  ECC 5.0 with VIRSANH RTA 520_640 Level 3 and VIRSAHR RTA 520_640 Level 2
  AE 5.2 JAVA in NW 7.0 SP level 2
  Risk analysis for Access requests to ECC system is done with out any issues and the connectors in AE are defined as well as CC 4.0 configuration for cross system is enabled.
  Please give your suggestions and also tell me if this below scenario is possible.
  Use CC 5.2 Java stand alone system and define logical/cross system to connect to multiple systems such as HR and SRM and use those specific rules to do the risk analysis.
  Thanks

  Hi RM,
  You can setup Risk Analysis inside AE Configuration.
  You can identify the level of risk analysis and specify the Compliance Calibrator version for processing risks.
  See the details from the AE Configuration Manual
  In the Select Compliance Calibrator Version pane, from the Version drop-down list, select the version of Compliance Calibrator.
  In the URI field, enter the appropriate URI address for the web services.
  In the User Name field, enter your User ID. Your User ID must have security access
  to web service.
  In the Password field, type your password.
  Select the Perform Org Rule Analysis option to perform org. rule analysis at risk
  analysis time.
  Note: There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, User Name, and Password). For the URI field, you need to navigate to the
  SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web
  services in the server. Select the desired URI address.
  If you select Compliance Calibrator 4.0, there is no need to connect to a URI address
  So the answer is YES, you can connect AE  5.2 with CC 4.0 for Risk Analysis.
  Hope this helps,
  Regards,
  Kiran Kandepalli.

• Risk Analysis with "ALL" systems

  Gurus,
       I have a scenario where we have a rule set (not global) built on a logical system with 8 systems in it. We are trying to run the analysis with "ALL" systems instead of individual systems as we are hoping that the analysis will be performed only on the systems that are part of the logical systems. My understanding on how the risk analysis run may be wrong but I need a second opinion on my assumption. Please do let me know if any one needs more explanation.

  Hi Varma,
  The Risk Analysis System "ALL" is really all connectors and is not tied to the Logical System (LS). The LS defines which systems are applicable for the rules. If your LS has fewer systems than all the connectors, just keep in mind that this impacts the results.
  Example:
  Existing connectors = A, B, C, D, E, F (ALL = A-F)
  LS-1 = A, B, D, F
  Run the report for "ALL" systems/connectors and lets assume that every system has SOD issues. Your results would look like this:
  A = SOD violations
  B = SOD violations
  C = "no violations found"
  D = SOD violations
  E = "no violations found"
  F = SOD violations
  You would either need to add C & E to LS-1 or create a LS-2 with connectors C & E and create/upload rules for LS-2. Then ALL would find SOD violations for connectors A - F.
  Hopefully I didn't over explain the question. Short answer is system "ALL" = all connectors and there is no choice to run the SOD report based on a specific LS.
  -Dylan

• Is it possible to conduct IT Risk Analysis with BPA?

  Hi, my company has been working for long with BPA. I have been required to conduct an IT risk analysis process. I wonder if BPA could be my choice, since I am not 100% sure BPA can do that. Does anybody have used BPA to perform a risk analysis?
  Thanks

  I am not 100% certain what IT risk analysis means, but you might want to explore the BPA simulator to see if it meets your needs.

• GRC_10 Risk Analysis Report

  Hi,
  i should extend the risk analysis report with more details from diffrent tables, they hold special role details.
  I havent found an idea how to do this.
  Could i extend the standard report for risk analysis with more columns?
  Is there something like user.exits or enhancement-points?
  thank you very much indeed
  best regards
  Alex

  Hi Alex,
  did you have a chance to look at standard SAP Help information about different types of reports and information available?
  If not yet -please take a look at:
  Risk Analysis Reports - SAP GRC Access Control - SAP Library
  What exactly information you would like to add to reports?
  Standard reports can by customized by adding some additional fields which are hidden in standard view.
  There is also an option to add custom fields and data,
  Lets us know,
  Filip

• CC 5.2 - Risk Analysis on existing roles

  Hello,
  When I submit a change request via AE 5.2 in order to add a role to an existing user,
  does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
  Thank you for your answer.
  Abderrahim

  Hi Abderrahim,
  Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
  Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
  Regards,
  Raghu

• AE 5.2 - Risk Analysis problem

  Hello,
  I am facing an issue with AE 5.2. When I create a request to assign roles and perform Risk Analysis, I get some SOD violations messages.
  I copy the some assigned roles and paste them in CC 5.2 -> Informer -> Risk Analysis -> Role Level and I have no conflict!
  Can you please advise why I have conflict with AE and not with CC?
  Thank you very much indeed,
  Cheers,
  Abderrahim

  Hello,
  In fact, It was only a false positive issue because:
  In CC I perform a risk analysis with Permission Level option.
  However, I get risk violation in AE with Critical Transaction for the same role.
  The right way is to run risk analysis in CC with Critical Actions.
  Thank you for your collaboration.
  Regards,
  Abderrahim

• Different Risk Analysis Results with the same user from 2 different RAR

  Hi..
  I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I donu2019t have users or roles mitigated yet, users are synchronized, rules are exactly the same and I donu2019t know what happen??... Please, help me.
  Thanks...

  Hi...
  If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs.  13150).
  If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
  I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
  Is it a normal behavior? What could be wrong?
  Thanks in advance!!

• Different Risk Analysis Results with 10.0 and 10.1

  Hello,
  I do not understand why I get different results with 10.0 and 10.1. Exactly the same ruleset is applied!
  Definition in 10.0 and 10.1:
  Analyzed Role (which definitely contains the SOD):
  Version GRC 10.0 finds the SOD S_FI14 and displays it. In 10.1 nothing is displayed...Any ideas what's the problem?
  Regards
  Peter

  We had similar issues with 10 and 10.1.
  We applied an SAP Note about logical groups and the ruleset, it did not work.
  What did work:
  When performing Risk Analysis, remove the Ruleset selection criteria (use the minus button).

• In Primavera Risk Analysis, the MIN. ML, MAX columns is for imput the minimum impact, most likely impact , maximum impact duration of a risk or the remaining duration for MIN, ML and adding remaining duration with maximum impact for MAX?

  In Primavera Risk Analysis, the MIN. ML, MAX columns is for imput the minimum impact, most likely impact , maximum impact duration of a risk or the remaining duration for MIN, ML and adding remaining duration with maximum impact for MAX?

  You are welcome. I'm glad you got it back up.
  (1) You say you did the symbolic link. I will assume this is set correctly; it's very important that it is.
  (2) I don't know what you mean by "Been feeding the [email protected] for several weeks now, 700 emails each day at least." After the initial training period, SpamAssassin doesn't learn from mail it has already processed correctly. At this point, you only need to teach SpamAssassin when it is wrong. [email protected] should only be getting spam that is being passed as clean. Likewise, [email protected] should only be getting legitimate mail that is being flagged as junk. You are redirecting mail to both [email protected] and [email protected] ... right? SpamAssassin needs both.
  (3) Next, as I said before, you need to implement those "Frontline spam defense for Mac OS X Server." Once you have that done and issue "postfix reload" you can look at your SMTP log in Server Admin and watch as Postfix blocks one piece of junk mail after another. It's kind of cool.
  (4) Add some SARE rules:
  Visit http://www.rulesemporium.com/rules.htm and download the following rules:
  70sareadult.cf
  70saregenlsubj0.cf
  70sareheader0.cf
  70sarehtml0.cf
  70sareobfu0.cf
  70sareoem.cf
  70sarespoof.cf
  70sarestocks.cf
  70sareunsub.cf
  72sare_redirectpost
  Visit http://www.rulesemporium.com/other-rules.htm and download the following rules:
  backhair.cf
  bogus-virus-warnings.cf
  chickenpox.cf
  weeds.cf
  Copy these rules to /etc/mail/spamassassin/
  Then stop and restart mail services.
  There are other things you can do, and you'll find differing opinions about such things. In general, I think implementing the "Frontline spam defense for Mac OS X Server" and adding the SARE rules will help a lot. Good luck!

• Did CUP risk analysis change with SP7?

  Dear GRC experts,
  I am pretty sure when we tested CUP 5.3 SP4 when doing risk analysis it would only show new risks caused by new roles selected in request (like Risks from Simulation Only YES in RAR). Exisitng risks for that user would not be shown.
  Now with CUP 5.3 SP7 fix1 we get the existing risks shown as well not in any way related to the role(s) selected, which will be confusing to the role approvers. E.g. role request is display role, approver needs to run risk analysis and gets existing risks shown. He/she can not deselect roles to remove risks as only display role is in request. There might be no mitigating controls for those risks (creation of new mitigating controls is blocked). This would end up in requests with risks even though the requested role is not risk relevant, or even request gets stuck because no mitigatign control exists and config is set to do not allow approval of requests with risks.
  Please confirm if indeed only new risks where shown in CUP risk analysis in previous support pack levels or rel. 5.2, or that I am mistaken and all risks where always shown at risk analysis in CUP.
  Principally I think existing risks should be focus of GET CLEAN effort. Risk analysis in CUP should focus on preventing new risks at part of STAY CLEAN phase.

  Hi,
  When we run Risk Analysis for the user, it will show the existing violations as well as the violation which are there with new roles also.
  When we click on Risk Analysis under Simulation tab we can find Risk Violation details.
  Here I have a doubt, how to deselect violation role while approving request. I m unable to find that option. Please advice.
  Thanks & regards,
  KKRao.
  Edited by: KKRao_2020 on Oct 9, 2009 9:22 AM
  Edited by: KKRao_2020 on Oct 9, 2009 9:27 AM

• Batch Risk Analysis in Full Sync mode with special user groups not working

  Dear All,
  we start Batch Risk Analyse Job in Full Sync with special User groups (use Range). In the Joblog I can see, that he selecet lesser users as in jobs before. But after all is finished (also managment job) when I go in Informer, he shows me also this user groups I have no analysed in Backgroudjob... Also he shows me in the detailed anlayse the date from a run before.. And we have deactivated some Risk - these are still in the analysis.
  Have some one a information for me what here is wrong..
  Best Regards
  Gabriele Herr

  to old..

• Issue with risk analysis report in GRC10.0

  Hi All,
  We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
  This report is not fetching all the data even though user has all the required authorizations.
  We are getting the data when we execute the dashboard reports.
  Any one has idea?
  Cheers
  Hari

  Alessandro,
  Thanks for the reply. I am aware of this.
  Problem is when dash board report is showing the risk for the user but risk anaylsis report in Reports and Analytics is not showing the risks to that user.
  As per our investigation, the risk data that is displaying in the risk anaylsis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also there is no issues from authorizations side.
  Regards
  Hari

• Risk Analysis in CUP5.3 with CC4.0 in ABAP

  Hi,
     We have upgraded AE5.2 to AC5.3(CUP5.3) recently but we still have our CC/RAR in ABAP. The risk analysis as part of the CUP request generates no risks ( 0 risk(s) found message) even though the role in the request has conflicts. The request displays the critical transactions returned by the function module in ABAP but does not populate the "Risk Violation" tab in the CUP request. We have all latest SPs in both JAVA as well as ABAP side including the RTAs. Any help would be really appreciated.

  Varma,
     Have you upgraded RTA for AC 5.3 in the SAP system? What is the version and SP level of CUP and CC?
  Regards,
  Alpesh