AE 5.2 - Risk Analysis problem

Similar Messages

• Issue with risk analysis report in GRC10.0

  Hi All,
  We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
  This report is not fetching all the data even though user has all the required authorizations.
  We are getting the data when we execute the dashboard reports.
  Any one has idea?
  Cheers
  Hari

  Alessandro,
  Thanks for the reply. I am aware of this.
  Problem is when dash board report is showing the risk for the user but risk anaylsis report in Reports and Analytics is not showing the risks to that user.
  As per our investigation, the risk data that is displaying in the risk anaylsis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also there is no issues from authorizations side.
  Regards
  Hari

• CUP 5.3: risk analysis in workflow impossible due to web service performance?

  Hello experts,
  We are facing a huge challenge within a AC 5.3 implementation.
  Here, AC has been used successfully with CUP and RAR for quite some time now. However, the RAR analysis has not yet been integrated into the CUP workflow. We would like to integrate the RAR analyis in CUP now.
  Based on the existing role concept (that uses functional master roles and derived roles per company code, with ca. 30 company codes in place) and the shared service operations in some areas such as FI, there is a large number of users with many roles and consequently, many SoD risks (of course, they are all "repeat" risk per company code).
  This leads to a long RAR analysis run time, but it's still acceptable. Analysis on permission level for such "power users" runs about 1 minute, on action level about 5-6 seconds.
  However, the web service between RAR und CUP is a problem and cannot cope with our violations. We have currently set the threshold to 75000. In this case, the analysis + web service runs 1-2 minutes. However, we have some users with 200-300.000 violations. In this case, if we deactivate the threshold, we will experience a web service time-out eventually, even with analysis on action level because the amount of violations the web service has to process is the same (or even higher with some false positives).
  We also have compensating controls in place for these power users, which will of course reduce the web service run-time considerably. However, this is not applicable to NEW user requests because for those, the compensating controls will be assigned only AFTER the risk analysis has taken place and the risk manager receives the workflow item.
  Has anyone experienced this in the past and found a viable solution or work-around? We are basically short of options and considering dropping the project.
  Note: An upgrade to 10.X is not (currently) a solution because this upgrade is scheduled and budgeted only for later.
  Thanks a lot and best regards
  Patrick

  Any opinions on this?
  Cheers and thanks
  Patrick

• Error while executing the Job for Objects :null  Batch Risk Analysis

  Hi All,
  We've recently upgraded Virsa to version  5.3_14 .  I'm encountering a problem when executing the Batch Risk Analysis job for users, roles and profiles.  The job does not complete for some objects and it seems to be sporadic and shows this error: -
  Background Job History: job id=395, status=2, message=Error while executing the Job for Object(s) :ABROWN:null                                                                               
  I've attached the log for your review.
  Thanks in advance for your help.                                                                               
  Linda Lewis                                                                               
  Feb 9, 2011 1:47:53 PM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
  FINEST: ObjAuthMatcher constructed: 4ms, #singles=2141, #ranges=0, #super=0
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine riskAnalysis
  WARNING:  Job ID:395 : Failed to run Risk Analysis
  java.lang.StringIndexOutOfBoundsException at java.lang.String.substring(String.java:1019)
  at com.virsa.cc.xsys.util.RuleLoader.getPermRule(RuleLoader.java:573)
  at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1609)
  at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:321)
  at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchRiskAnalysis(BatchRiskAnalysis.java:1166)
  at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1464)
  at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:560)
  at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:363)
  at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
  at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
  at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
  at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
  at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
  at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
  at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
  at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
  at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
  at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:332)
  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(AccessController.java:207)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock lock
  FINEST: Lock:1004
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock unlock
  FINEST: Unlock:1004
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchRiskAnalysis
  WARNING: Error: while executing BatchRiskAnalysis for JobId=395 and object(s):ABROWN: Skipping error to continue with next object: null Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  2@@Msg is Error while executing the Job for Object(s) :ABROWN:null
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=395, status=2, message=Error while executing the Job for Object(s) :ABROWN:null
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock lock
  FINEST: Lock:1004
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock unlock
  FINEST: Unlock:1004
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchRiskAnalysis
  INFO: --- BKG User Permission Analysis (System: P20:020) completed ---  elapsed time: 4522 ms
  Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock lock
  Edited by: Linda Lewis on Feb 9, 2011 9:08 PM

  Hi,
  Was a solution found for this error?
  Thanks,
  Glen

• Error while running risk analysis.

  Hi,
  I am facing problem, while running risk analysis from Access Enforcer for a particular application. Infact problem is for all the connectors. I have done required configuration.
  Error i am getting is "Risk analysis failed: Exception from the service : Risk Analysis failed".
  Please suggest.
  Thanks in Advance.
  Regards,
  Pravin.

  Problem was with JCO connection.

• Different Risk Analysis Results with the same user from 2 different RAR

  Hi..
  I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I donu2019t have users or roles mitigated yet, users are synchronized, rules are exactly the same and I donu2019t know what happen??... Please, help me.
  Thanks...

  Hi...
  If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs.  13150).
  If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
  I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
  Is it a normal behavior? What could be wrong?
  Thanks in advance!!

• Risk analysis Report Error in GRC AC 10.0

  Dear GRC,
  I had problem with Risk analysis Report in GRC Access Request form
  When i run the Risk analysis report on Action Level , Permission Level , Critical Action Level and Critical Permission Level then report showing as "No Violations" but if i run the Risk analysis report only on Critical Action Level and Critical Permission Level then report showing too many Violations.
  I maintained Action Level , Permission Level , Critical Action Level and Critical Permission Level as default risk analysis type in SPRO Configuration Parameters settings.
  i am not understanding why system behaves like this. Could you please help me on this.
  System Details : GRC AC 10.0 , SP-12
  Thanks a lot for swift response.
  Best Regards,
  RK

  Hi GRC Team,
  Please help me on this. I am waiting for your replay.
  Regards,
  KR

• ARA: "[P/G]" symbol in Risk Analysis Report???

  Hi,
  I have noticed a peculiar symbol in Access Risk analysis while performing permission level analysis. The symbol is "[P/G]<TCODE>".
  I have not this before. Any idea why this is coming and how I can resolve this?
  Please see the screenshot for the same.
  Recently, our target system is upgraded. I am sure if this is coming because of that. Earlier, it was working fine.
  Also, system is showing unknown risks violations for roles and all of them are preceded by "[P/G]" symbol.
  Please advise.
  Regards,
  Faisal

  Alessandro,
  Thanks for your reply.
  Yes, these actions are assigned to functions.
  Secondly, I re-generated the rules and the result is same. Also, I used
  our quality system (upgrade is not done yet) and analyzed the same role and it gave expected results!
  I am using same GRC system but different target systems. ERP Development system is causing problem where as ERP Quality system is not.
  Based upon my analysis, I see some problem with our ERP development system which is not showing appropriate results. But not sure what to do.
  Any help please?
  Regards,
  Faisal

• GRC AC 10.0 Mass risk analysis vs. Role level analysis

  Hello GRC experts,
  I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
  For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
  But in the mass role risk analysis  and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activites maintained at all. We have created the MSMP workflow where all CUP requests with risks should go the the Security Stage. Now we have the situation that even though our roles are clean, they are forwared to the Security stage. It is a huge problem, because our security stage has no even more to to, than before using GRC! Because the dectivated objects are identified as risks.
  Please advise me, how to solve the problem. Did I missed some config parameters or is it a well known problem?
  We are on SP14, AC 10.0.
  At the single role level there are no risks displayed.
  Thanks in advance,
  regards
  Sabrina

  Hi Sabrina,
  check note
  http://service.sap.com/sap/support/notes/2036645
  Please let me know if it works.
  Regards,
  Alessandro

• GRC 10 - Risk Analysis in legacy system

  Hi everybody,
  I have a problem with legacy connectors in GRC 10. I implemented the note 1594963. So, I created the legacy files and storage it in GRC server.
  When I run the user synch, the legacy connector only synch the first record.
  Someone can help me? Someone did implement a risk analysis for legacy systems?
  Regards,

  Hi  Claudio Ekel
  Can you share some inputs on the Legacy Risk Analysis.
  We have configured the Legacy Connector as per the note 1594963 ; Placed the files on the server & tried running Synchronization Jobs. But the data is not getting uploaded to GRC10 .
  We made sure that text files are in UTF-8 format
  Is it mandatory to load all the 11 files that are provided in the note 1594963? We have excluded the Profile related files
  Can you share a sample of Legacy file formats that you have used for the sync.
  Can you throw some light on what could be the possible issues for data not getting uplaoded to GRC10?
  Regards,
  Pavan Muthyala

• Different Risk Analysis Results with 10.0 and 10.1

  Hello,
  I do not understand why I get different results with 10.0 and 10.1. Exactly the same ruleset is applied!
  Definition in 10.0 and 10.1:
  Analyzed Role (which definitely contains the SOD):
  Version GRC 10.0 finds the SOD S_FI14 and displays it. In 10.1 nothing is displayed...Any ideas what's the problem?
  Regards
  Peter

  We had similar issues with 10 and 10.1.
  We applied an SAP Note about logical groups and the ruleset, it did not work.
  What did work:
  When performing Risk Analysis, remove the Ruleset selection criteria (use the minus button).

• RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

  I have a trouble related with risk analysis at permission level, when the V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear, however performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
  At a first time I thought that most probably would be related with the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logical activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this no overpass the limit of 45566 rules defined at RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is u201Cno conflictsu201D:
  D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
  If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*'   for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
  I have done the following checks, all of them correct:
  - The user/role/profile synchro has been done and all the users has been stored in table VIRSA_CC_
  - All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
  - All the combinations of rules has been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
  Any suggestions?
  Thanks in advance

  I've detected the same problem for the following authorization objects:
  - F_BKPF_BLA||BRGRU
  - V_VBRK_FKA||FKART
  - M_MSEG_BWE||WERKS
  RAR reports no conflicts (at authoriztion level) when these objects are activated (of course having users with these conflicts in back-end systems)
  This problem has been proved in the installation of different customer with SAP GRC Access Control 5.3 SP12.
  Anybody else has experienced this issue????

• Running Risk Analysis

  Hi Folks,
     I have installed CC 5.2 and ruleset to ECC are uploaded. Now, when i want to run risk analysis for User/Role from Informer. I dont see any user id from Backend system in User/Role option. I have checked everything,
  SLD is working ine
  JCo connectors are fine.
  RFC destination defined.
  Can someone help me in identifying problem?
  Thanks in acticipation.
  Regards,
  Priyank.

  Hi Priyanka,
  If you have successfully installed Virsa CC5.2 and uploaded Objects ans Rules, the plz follow the following procedure:
  1) Go to Configuration Tab->Background Job
  2)Click on "Schedule Analysis"
  3) In first Pane i.e. Sync Mode select Full Sync
  4)Select *User/Role/Profile Synchronization
  5)Select the system for put ***
  6)Dont select any other thing.
  7)click on Schedule
  8)Give a Valid name to this report.
  9)Click on Immediate
  Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
  click on search
  If completed successfully, then  go to step 1 as above.
  This time select  All Check Boxes  under Batch Risk Analysis Pane and then select  Management Report check box in the last pane.
  Then schedule the job. After that only you'll be able to see the results in Informer Tab
  Reward  Points if it is useful
  Regards,
  Faisal

• GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job

  All -
  We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
  The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
  For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
  We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in this groups that have other roles in addition to these excluded roles that need to be checked.
  Does anyone have any recommendations for how to excluded roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
  Thanks,
  Darnell

  Hi,
  Was a solution found for this error?
  Thanks,
  Glen

• Risk analysis when integrating 2 R/3 systems

  Hello experts,
  In my existing scenerio I have a R/3 system connected to BW.
  Due to project requirements there is going to be one more R/3 system(running system) merging with my existing R/3 system.
  Please let me know the risk analysis on the following cases:
  1) If their are existing structures(like 2LIS Structures) running in both the systems what will be the effect when we try to merge.
  2) One of the system as a LIS datasource in 7.0 version in BW and other in 3.5 . So what is the effect after the merging?
  With Regards,
  meBI.

  Hi there, as you already depicted: most of problem will be with regard of same DataSources and LIS DataSources. Here you have to consider how both R/3 will be integrated. Either you will have 2 different clients or it will b emerged into one client.
  In both case you gave to adjust data flow. In first case you have to differentiate between data origin - clients. In 2nd case all the data will be of same origin...
  Regarding different version of data flows (3.x / 7.x) most likely it is the right time to aligned them to 7.x style.
  But this is topic can be approached a lot of different directions.