ARA: Excluded Roles considered for Risk Analysis???
Hi,
There are certain roles which are to be excluded from risk analysis for some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
I ran risk analysis for a specific business process (the above roles belong to this business group) and surprisingly found that the roles which are maintained as "Excluded" are shown in the risk analysis report as violating!
Thinking that the "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk analysis, but with no luck.
Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
May I know why system is considering these "excluded" roles at the time of risk analysis?
Please advise.
Regards,
Faisal
Alessandro,
I think the "excluded" objects in path:
SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
I don't think that the objects maintained in the above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis and will NOT be considered.
Please correct me, if required.
Secondly, I found 2 relevant posts here on SCN:
SAP GRC Access Control: Offline-Mode Risk Analysis
SAP GRC 10.0 Offline Risk Analysis
Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
May you please let me know in which scenario this would be useful?
Regards,
Faisal
Similar Messages
-
Hi All,
I have one question w.r.t. risk analysis of user while raising a request in ARQ.
I have noticed that, when a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being the same), ARQ shows risk violations properly.
This is quite logical, because user is assigned conflicting roles within the same dates.
In another scenario, if a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being different)
Example:
Time Administration : Valid From=15.06.2014 and Valid To= 31.12.2014
Payroll Administrator: Valid From=20.06.2014 and Valid To= 31.12.2014
ARA still shows as violations (in ARQ)! Though the "Valid From" dates are different.
Logically, user is not assigned these roles at the same time to cause a risk violations. However, system is showing violations.
May I know if validity dates are considered while performing risk analysis in ARQ? If no, then what could be the justification?
Please advise.
Regards,
Faisal
Rafal,
Thanks for your reply.
Does it mean that all future dates will be considered while analysis?
OR
Does ARA consider these dates?
Regards,
Faisal -
Back ground job for Risk Analysis
Dear expert
we have schedule BG for risk analysis at role level for a DEV box and its been 7 days since it is in running state .
I have checked logs but no error .
Is this normal behaviour .I am confused because of DEV box which is having test roles also .
Also we are using logical system as well as physical system for ruleset .
Kindly share your experience .
Thanks & Regards
Ashesh
Hello All,
We are getting the below mentioned error -
WARNING: Job ID:235 : Failed to run Risk Analysis
java.io.IOException: No space left on device (errno:28)
at java.io.FileOutputStream.writeBytes(Native Method)
at java.io.FileOutputStream.write(FileOutputStream.java:260)
at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
at sun.nio.cs.StreamEncoder$CharsetSE.implWrite(StreamEncoder.java:395)
at sun.nio.cs.StreamEncoder.write(StreamEncoder.java:136)
at java.io.OutputStreamWriter.write(OutputStreamWriter.java:191)
at java.io.BufferedWriter.flushBuffer(BufferedWriter.java:111)
at java.io.BufferedWriter.write(BufferedWriter.java:206)
at java.io.Writer.write(Writer.java:126)
at com.virsa.cc.xsys.riskanalysis.dao.dto.RAReportDTO.printToSpool(RAReportDTO.java:454)
at com.virsa.cc.x
Apr 1, 2011 2:08:45 AM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
Thanks,
Jagat -
ARA: "[P/G]" symbol in Risk Analysis Report???
Hi,
I have noticed a peculiar symbol in Access Risk analysis while performing permission level analysis. The symbol is "[P/G]<TCODE>".
I have not seen this before. Any idea why this is coming and how I can resolve this?
Please see the screenshot for the same.
Recently, our target system is upgraded. I am sure if this is coming because of that. Earlier, it was working fine.
Also, system is showing unknown risks violations for roles and all of them are preceded by "[P/G]" symbol.
Please advise.
Regards,
Faisal
Alessandro,
Thanks for your reply.
Yes, these actions are assigned to functions.
Secondly, I re-generated the rules and the result is same. Also, I used
our quality system (upgrade is not done yet) and analyzed the same role and it gave expected results!
I am using same GRC system but different target systems. ERP Development system is causing problem where as ERP Quality system is not.
Based upon my analysis, I see some problem with our ERP development system which is not showing appropriate results. But not sure what to do.
Any help please?
Regards,
Faisal -
Cannot find any tcodes while creating the Function id in for risk analysis
Hi Friends,
the issue appeared while I was practising the Risk analysis,
I went to access maintenance, then to functions, I had given the function name, business process, analytical scope
then when I tried to add the t-code, I couldn't see any t-code to add to the function
are there any prerequisites to do before this?
Thanks and Regards,
Raghu
Hi Raghu,
This behaviour is because of your connector group design.
Logical connector group can have multiple connectors and as per the design of application, Logical group always read the authorizations from the connector which is listed as first connector in the list. It is assumed that all the connectors which are part of Logical group should be synchronized with each other and having same authorization model in all the systems.
GRC application is designed in such a manner that the connector which is first in the list of the connectors that are a part of the logical group is only checked. If the Tcode (Action) exists in that system, then the Action can be found for the logical group.
If the Action is not part of the system which is the first system in the list of systems in the logical group then that Action will not be available for selection for the Logical group.
The intent behind logical group design is to reduce maintenance of rule sets. For example, if you loaded 10 rule sets for 10 physical systems, you would have to maintain them all if a new risk had to be added. Logical groups provide a method to group like systems (components) so that if you make a rule change you do it once for the logical group and when rules are generated the change is updated for all in that group. If you have 10 systems under one (1) logical group, we would pull the transaction from the first connector. You can name your connectors so that the one you want to be the "master system" is at the top. The assumption is all the systems maintained in the connector group should have the same data or the same actions.
Refer to the note - 1802010
Regards,
Muthu -
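The first-connector behaviour described in the reply above can be checked offline before functions are maintained. This is an added example, not part of the original thread and not SAP code: it assumes you have exported the action (tcode) list for each connector yourself, and the connector names, tcodes and function names below are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample: connector names and tcodes are placeholders, listed in
# the order they appear in the logical group (first entry = connector read).
LOGICAL_GROUP = [
    ("ERP_DEV_100", {"SU01", "PFCG", "FB60"}),
    ("ERP_QAS_200", {"SU01", "PFCG", "FB60", "PA30"}),
    ("ERP_PRD_300", {"SU01", "PFCG", "FB60", "PA30", "ZPAY01"}),
]


@dataclass
class DriftReport:
    first_connector: str
    selectable: set    # actions offered when maintaining a function
    hidden: dict       # action -> connectors that have it, first one lacks it
    first_only: set    # actions found on the first connector and nowhere else


def selectable_actions(group):
    """Per the thread: only the first connector in the group is read."""
    if not group:
        raise ValueError("logical group has no connectors")
    return set(group[0][1])


def drift_report(group):
    """Compare every connector in the group against the first one."""
    first_actions = selectable_actions(group)
    first_name = group[0][0]
    hidden, seen_elsewhere = {}, set()
    for name, actions in group[1:]:
        seen_elsewhere |= actions
        for action in sorted(actions - first_actions):
            hidden.setdefault(action, []).append(name)
    first_only = first_actions - seen_elsewhere if len(group) > 1 else set()
    return DriftReport(first_name, first_actions, hidden, first_only)


def best_first_connector(group):
    """Connector that, placed first, would hide the fewest actions."""
    everything = set().union(*(actions for _, actions in group))
    return min(group, key=lambda c: (len(everything - c[1]), c[0]))[0]


if __name__ == "__main__":
    report = drift_report(LOGICAL_GROUP)
    print("Read from:", report.first_connector)
    for action, connectors in sorted(report.hidden.items()):
        print(f"  {action} not selectable; present on {', '.join(connectors)}")
    print("Suggested first connector:", best_first_connector(LOGICAL_GROUP))
```

Actions listed as hidden cannot be picked for a function on that logical group, so they are worth reviewing before relying on the generated rules.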
GRC AC 10.0 Risk Analysis -Risk Terminator Vs BRM-Role Management
Hi All,
After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085 and 3011, 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM too has a whole lot of new features which supersede RT.
Best Regards,
Vishal
Hi Vishal,
The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
The parameter descriptions in question are:
1085 - Stop Role Generation if violations exist
3011 - Conduct Risk Analysis before Role Generation
3014 - Allow role generation with Permission Level violations
Regards, Simon -
Business Roles - Risk analysis
Hi All,
We are on GRC SP13.
We are using business roles for provisioning to end users.
When role owner is performing risk analysis for business roles, results are proper according to defined ruleset only if "SYSTEM" field is empty.
If system is selected, then results shows that "NO VIOLATIONS".
Is this the standard behaviour for risk analysis of business roles or Am i missing anything?
Looking for your advise on this.
Regards,
Sai.
Hi Jaya,
Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
Try this URL, but perhaps your GRC consultant should read it instead of you.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
Cheers,
Chenyang Xiong -
Schedule of Risk Analysis for every month end
Hi All,
I'm trying to create monthly background job for Risk Analysis in the GRC CC. I notice that there is no option that I can select to create the job, such that it recognise automatically the last working day for the month. Any idea on this how to and if its possible??
Another option that I can think of is maybe to create the job on the first working day of the new month instead of the last working day.
Anyone encounter such request within your organisation or what's the best practice that you are exercising now?
Thanks.
Raymond
Hi Raymond,
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50cd7177-5c22-2a10-8cba-8e0c64bc4ea8
Regards
Gangadhar -
Issue in ERM - GRC AC 10 - Is risk analysis not mandatory
Hi,
We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
When we defined the role and maintained authorization data and proceeded without running risk analysis, the role moved to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon clicking on Save & Continue it proceeds to further stages.
Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to the next stage?
We already set the parameter 3011 as YES - Conduct Risk Analysis before Role Generation.
Thanks and Best Regards,
Srihari.K
Hi,
Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
"Set the value to YES to automatically perform risk analysis when the user generates roles."
This parameter applies only at generation stage.
Cheers,
Diego. -
GRC_10 Risk Analysis Report
Hi,
I should extend the risk analysis report with more details from different tables; they hold special role details.
I haven't found an idea how to do this.
Could i extend the standard report for risk analysis with more columns?
Is there something like user.exits or enhancement-points?
thank you very much indeed
best regards
Alex
Hi Alex,
did you have a chance to look at standard SAP Help information about different types of reports and information available?
If not yet -please take a look at:
Risk Analysis Reports - SAP GRC Access Control - SAP Library
What exactly information you would like to add to reports?
Standard reports can be customized by adding some additional fields which are hidden in standard view.
There is also an option to add custom fields and data.
Let us know,
Filip -
GRC AC 10 (BRM) Risk Analysis Report type is editable
Hi,
In GRC10 – BRM Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
When I start to create a role in the Risk Analysis step, Permission Level is always selected. Selection is fine as this is configured this way (Parameter in SPRO 1023 - Default Report Type for Risk Analysis). But there exists the option to deselect "Permission Level".
As you can Permission level is always selected and not editable?
Regards
Hi,
I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
Also, if we change default value of check box, Cristian can set non-editable fields through SE80. -
Hello experts,
When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risk(0 risks found), However when the role is added to the user in RAR simulation, there are Risks.
Similarly,
When an approver does risk analysis for a role in CUP before approval, the system shows 0 risk(0 risks found), However when the role is analysed in RAR, there are Risks.
I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
Many thanks,
Hello Raghu
Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
Also I would suggest going to:
1. CUP - configuration -Risk analysis - And see if the web service link for Risk analysis is correct.
Better would be to go to Netweaver Administration -Webdynpro console -and get the correct link.
2. CUP -configuration - Mitigation and here also put the correct link for all four options there i.e. (Risk analysis, Mitigation etc),
Hopefully this should solve the problem. I don't think it is related to org level.
If problem still persist, kindly paste the log.
Best Regards
Asheesh -
CUP 5.3 (SP12) Risk Analysis Errors in CUP
Hello Experts,
When I run risk analysis in CUP for user provisioning. I get an error message:
Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html'
Connector names are the same across all the components. We have a CUP test environment with SP11, and we did not have this kind of errors. I virtually tried everything I could.
If you can, please assist me.
HM
Hello HM,
I had this error when I first upgraded to SP12 but I don't know if it is a SP issue or not.
My CUP --> RAR SOD Analysis works for me on SP12.
You might try double checking the following:
1. Check all CUP configuration Web Service parameters in CUP --> Configuration --> 1) Risk Analysis & 2) Mitigation.
2. Check that you uploaded the latest UME roles that were delivered with SP12.
3. Check the UME user that is configured in CUP for risk analysis to make sure the password is still correct and that it has enough assigned roles.
4. Make sure you uploaded all the required XML configuration files to CUP --> Configuration --> Initial System Data. -
AE 5.2 - Risk Analysis problem
Hello,
I am facing an issue with AE 5.2. When I create a request to assign roles and perform Risk Analysis, I get some SOD violations messages.
I copy the some assigned roles and paste them in CC 5.2 -> Informer -> Risk Analysis -> Role Level and I have no conflict!
Can you please advise why I have conflict with AE and not with CC?
Thank you very much indeed,
Cheers,
Abderrahim
Hello,
In fact, It was only a false positive issue because:
In CC I perform a risk analysis with Permission Level option.
However, I get risk violation in AE with Critical Transaction for the same role.
The right way is to run risk analysis in CC with Critical Actions.
Thank you for your collaboration.
Regards,
Abderrahim -
ERM: Unable to run risk analysis
Hey, we have recently configured ERM and during role creation when risk analysis is executed, we get the error: "page can't be displayed".
I have checked Miscellaneous settings and it is updated with RAR web services as per the guide. I have checked the system (in landscape) and it is same as the RAR connector id. Should the landscape name also be same as RAR connector?
Please help.
Thanks,
-S
Hi Smriti,
Here are few things that you can check:
1. The configuration settings are correct.
2. The ERM workflows are configured correctly.
3. The three initial background jobs were completed successfully (Full Sync, Batch Risk Analysis, and Management Report)
4. The performance of the system is good.
5. The configuration settings for the RAR URL is properly maintained.
If there is an issue with one of the above, you will have issues with performing risk analysis from ERM.
You may additionally refer SAP Note 1136690 - Failed to perform Risk Analysis in ERM that may help you.
Hope this helps!!
Regards,
Raghu