Business Roles - Risk analysis

Hi All,
We are on GRC SP13.
We are using business roles for provisioning to end users.
When role owner is performing risk analysis for business roles, results are proper according to defined ruleset only if "SYSTEM" field is empty.
If system is selected, then results shows that "NO VIOLATIONS".
Is this the standard behaviour for risk analysis of business roles or Am i missing anything?
Looking for your advise on this.
Regards,
Sai.

Hi Jaya,
Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
Try this URL, but perhaps your GRC consultant should read it instead of you.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
Cheers,
Chenyang Xiong

Similar Messages

  • Mass role risk analysis issue

    Hello GRC Community,
    I have a following issue:
    When I use mass risk analysis the deactivated authorization objects in the role are displayed as result. At the same time, when I use Role Level Risk Analysis the role with deactivated critical authorization objects doesnt appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    Im Backend you can see that the role contains lots of deactivated autorization objects.
    I have run all sync Jobs, but seemingly it doesnt help.
    Thanks,
    Sabrina

  • RAR: Error message while running role risk analysis.

    Hi All,
             We are implementing RAR 5.3. When running permission level risk analysis we get the following error message:
    "Error while executing the Job:Cannot assign a blank-padded string to host variable 1.u201D
    This happens only at permission level for just one single role and for all the composite roles that contain this one.
    The rules were generated without any issue and we cannot find anything unusual on that particular single role.
    Any ideas of what could be the cause of this error?

    Hi Iliya:
              Please find below the job log with the detailed error description:
    Mon Dec 15 10:06:37 GMT-02:00 2008 : -----------------------Scheduling Job =>233---------------------------------------------------------------
    Mon Dec 15 10:06:37 GMT-02:00 2008 : --- Starting Job ID:233 (RISK_ANALYSIS_ADHOC) - mm:user10
    Mon Dec 15 10:06:37 GMT-02:00 2008 : ----------- Background Job History: job id=233, status=1, message=mm:user10 started
    Mon Dec 15 10:06:37 GMT-02:00 2008 :  Job ID:233 : Exec Risk Analysis
    Mon Dec 15 10:06:37 GMT-02:00 2008 : Start Analysis Engine->Risk Analysis .....  memory usage: free=1571M, total=1962M
    Mon Dec 15 10:06:38 GMT-02:00 2008 : Rule Loader Syskey => *
    Mon Dec 15 10:06:38 GMT-02:00 2008 : No of Systems=1
    Mon Dec 15 10:06:51 GMT-02:00 2008 : Action rules cache loaded: memory used in cache=56M, free=1512M, total=1962M
    Mon Dec 15 10:06:51 GMT-02:00 2008 :  Job ID:233 : Rules loaded,  elapsed time: 13694 ms
    Mon Dec 15 10:06:57 GMT-02:00 2008 :  Job ID:233 :
    Mon Dec 15 10:06:57 GMT-02:00 2008 :  Job ID:233 : Analysis starts: MM:USER10
    Mon Dec 15 10:07:16 GMT-02:00 2008 : Auth Map cache reloaded successfully
    Mon Dec 15 10:07:32 GMT-02:00 2008 : Cannot assign a blank-padded string to host variable 1.com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
    com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
    com.sap.sql.types.VarcharResultColumn.setString(VarcharResultColumn.java:66)
    com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:511)
    com.sap.engine.services.dbpool.wrappers.PreparedStatementWrapper.setString(PreparedStatementWrapper.java:355)
    com.virsa.cc.xsys.util.ObjTextReader.lookupByKey(ObjTextReader.java:353)
    com.virsa.cc.xsys.util.ObjTextReader.getFieldValueDesc(ObjTextReader.java:261)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.insertPermReportLines(AnalysisEngine.java:2286)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.outputPermissionViolation(AnalysisEngine.java:1858)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1182)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:243)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:207)
    com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:305)
    com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:183)
    com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:154)
    com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:81)
    com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:434)
    com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1223)
    com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
    com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
    com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:480)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
    com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
    com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
    com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:299)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:711)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:665)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:232)
    com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:152)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    java.security.AccessController.doPrivileged(Native Method)
    com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Mon Dec 15 10:07:32 GMT-02:00 2008 : Cannot assign a blank-padded string to host variable 1.com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:309)
    com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:183)
    com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:154)
    com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:81)
    com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:434)
    com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1223)
    com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
    com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
    com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:480)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
    com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
    com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
    com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:299)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:711)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:665)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:232)
    com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:152)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    java.security.AccessController.doPrivileged(Native Method)
    com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Mon Dec 15 10:07:32 GMT-02:00 2008 : Job ID: 233 Status: Error
    Mon Dec 15 10:07:32 GMT-02:00 2008 : ----------- Background Job History: job id=233, status=2, message=Error while executing the Job:Cannot assign a blank-padded string to host variable 1.
    Mon Dec 15 10:07:32 GMT-02:00 2008 : -----------------------Complted Job =>233---------------------------------------------------------------
    Regards.
    Leandro.

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
    But in the mass role risk analysis  and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activites maintained at all. We have created the MSMP workflow where all CUP requests with risks should go the the Security Stage. Now we have the situation that even though our roles are clean, they are forwared to the Security stage. It is a huge problem, because our security stage has no even more to to, than before using GRC! Because the dectivated objects are identified as risks.
    Please advise me, how to solve the problem. Did I missed some config parameters or is it a well known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro

  • Risk Analysis in GRC 10.0

    Dear Experts,
    I have configured RAR in GRC 10.0. Sync jobs are successful. Batch risk analysis is sucessful.
    But when I tried to run a User/Role risk analysis I am not getting any result. I am not sure whether system has run risk analysis or not but I get the confirmation screen with blank result table. Please advise how to fix this issue.
    I appreciate your help.
    Thanks,
    Raj

    Hello Raj,
    Check the below points related to risk analysis
    1.check once the parameter id in configuration settings
    2.BC set activation
    3.while running risk analysis check backend system name and connector which is configured.

  • ARA: Excluded Roles considered for Risk Analysis???

    Hi,
    There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
    Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
    I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
    Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
    Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
    May I know why system is considering these "excluded" roles at the time of risk analysis?
    Please advise.
    Regards,
    Faisal

    Alessanrdo,
    I think the "excluded" objects in path:
    SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
    itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
    I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
    Please correct me, if required.
    Secondly, I found 2 relevant posts here on SCN:
    SAP GRC Access Control: Offline-Mode Risk Analysis
    SAP GRC 10.0 Offline Risk Analysis
    Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
    I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
    Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
    May you please let me know in which scenario this would be useful?
    Regards,
    Faisal

  • Job Error- Batch Risk Analysis (Role Full Sync)

    Hi Experts,
    I have schedule the background job for Role analysis(Full Sync), but it gives an error- status error.
    all connections are working fine and pasted the error log for your reference.
    Oct 25, 2010 11:56:36 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthChgRoleInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.executeBAPI(InternalBackendAccessInterface.java:4227)
         at com.virsa.cc.comp.BackendAccessInterface.getAuthChangedRoles(BackendAccessInterface.java:3735)
         at com.virsa.cc.comp.BackendAccessInterface.getAuthChangedRoles(BackendAccessInterface.java:3724)
         at com.virsa.cc.comp.BackendAccessInterface.getObjDetails(BackendAccessInterface.java:1428)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.getObjDetails(InternalBackendAccessInterface.java:4327)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.getObjDetails(InternalBackendAccessInterface.java:4796)
         at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjDetails(DataExtractorSAP.java:630)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.getObjInfoFromSource(AnalysisEngine.java:4140)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1754)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:317)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchRiskAnalysis(BatchRiskAnalysis.java:1055)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1366)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:559)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO:  Job ID:23 : Analysis done: T_00035951_H_IXOSCFGS elapsed time: 666 ms
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 23 Status: Error
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 23 Status: Error
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO: Detailed Analysis Time:
    Risk Analysis Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Load Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Load Time:0millisec
    Org Rule Loop Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Loop Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Loop Time:648millisec
    Org Rule Loop Time:649millisec
    Risk Analysis Time:686millisec
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine riskAnalysis
    INFO:  Job ID:23 : Exec Risk Analysis
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO:  Job ID:23 : Before Rules loading,  elapsed time: 2 ms
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO:  Job ID:23 : Analysis starts: T_00035952_H_PMREAD_I
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1005
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1005
    Oct 25, 2010 11:56:36 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthForRoleInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.executeBAPI(InternalBackendAccessInterface.java:4227)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.executeBAPI(InternalBackendAccessInterface.java:4696)
         at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjActions(DataExtractorSAP.java:213)
         at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjActions(DataExtractorSAP.java:105)
         at com.virsa.cc.xsys.meng.MatchingEngine.getObjActions(MatchingEngine.java:813)
         at com.virsa.cc.xsys.meng.MatchingEngine.matchActRisks(MatchingEngine.java:121)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1407)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:317)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchRiskAnalysis(BatchRiskAnalysis.java:1055)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1366)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:559)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
    FINEST: ObjAuthMatcher constructed: 0ms, #singles=27, #ranges=0, #super=0
    Oct 25, 2010 11:56:37 AM com.virsa.cc.common.util.ExceptionUtil logError
    Kindly do the needful.
    Regards,
    Arjun.

    Hi,
    1.Please check what type of connection is configuired in RAR(Adaptive RFC or SAPJCO). Please switch the connection type to SAPJCO.
    2. Please check the daemon & daemon manager statues.
    3. Check the Job threds in daemon manager after sechudeling job.
    Regards,
    Arjun.

  • GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

    Hi All,
    After having seen the configuration for Risk Analysis- Risk Terminator and Role Management , I observed that there is very little difference  for eg parameters 1085 and 3011 ,3014 .  If we configure all three parameters to TRUE which one would take effect ?Can anyone let us know under what circumstances we must configure RT and Role Management . BRM to has a whole lot of new features which supercede RT. 
    Best Regards,
    Vishal

    Hi Vishal,
    The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
    3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
    They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
    You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
    There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
    The parameter descriptions in question are:  
    1085 - Stop Role Generation if violations exist
    3011 - Conduct Risk Analysis before Role Generation
    3014 - Allow role generation with Permission Level violations
    Regards, Simon

  • Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

    I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

    Hi,
    Assign ECC connector to SAP_ECCS_LG group.
    Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
    Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
    Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
    Regards,
    Vivek

  • GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job

    All -
    We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
    The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
    For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
    We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in this groups that have other roles in addition to these excluded roles that need to be checked.
    Does anyone have any recommendations for how to excluded roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
    Thanks,
    Darnell

    Hi,
    Was a solution found for this error?
    Thanks,
    Glen

  • Risk Analysis of created or changed Roles automation

    Does anyone know how to automate the risk analysis directly in the backend SAP system when a role is created or changed without implementing Risk Terminator?  We are using GRC AC 10.0 with support pack 16 active and all I can find to activate this ability is to implement Risk Terminator.  In GRC 5.3, there were settings that you could set and the functionality became active at the tcode (transaction) level and then again at the permission level when you attempted to generate the profile.  Can this be doen in GRC 10?
    Thanks --
    Sara B.

    Hello Sandeep,
    Doing Org Lvl Analysis is not so simple in RAR.
    Firstly this is only user based.
    For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
    As mentioned by you, org lvl are already enabled and make sure there values is $.......,
    Reason being Org Rules will be generated at runtime and then anlysis will be done.
    It will be better you take help of SAP on this. As they have document which will be very helpful to you.
    Regards,
    Surpreet

  • Risk Analysis shows no Roles or Users!!

    Hi Team,
    Please can you help me, I am configuring GRC AC 10's ARA and I am stuck with the issue when I execute Risk Analysis on Roles or Users, I am getting blank field. No data is getting pulled up from backend system. Although my Repository Sync job finished successfully when I did it for User, Roles and Profiles.
    Please can anybody help.
    Thanks,
    Nick

    Hi Nick,
    please check this thread: GRC AC 10: RAR - no analysis results, or document: GRC AC 10: RAR - no analysis results
    Regards, Andrzej

  • Role Based Risk Analysis Report

    Hello All,
    When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  this is the correct response.
    However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
    Also, when I click on the Detail Report button, I received object data that does not appear correct.
    Please Help.  Thanks.
    Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

    Hi Babiji,
    Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis.In addition to what Sneha has said,
    To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level.In Virsa 4.0 you have the option of carrying out risk anaysis at role level by executing the t-code /N/VIRSA/ZVRAT.
    In section Analysis type, choose Roles and enter the list of roles.
    In section SOD Risk level, choose the appropriate risk.
    Then choose the appropriate report type and report format before executing it.
    This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
    Thanks,
    Saby..

  • Inconsistency Data between Role Level & User Level Risk Analysis

    Hi,
    When we run Role Level Risk Analysis for a role (Ex: XYZ), there is no SOD conflicts. But when we try to run the user level analysis, this role shows SOD conflicts. I mean, XYZ is assigned with other roles. Combination of other roles access may bring SOD conflict, thats fine, but here the challenge is role XYZ itself has SOD conflicts. The same does not appear when we run Role Level Risk Analysis!!
    How could this happen??
    Thanks,
    Karthik

    Hi Karthik,
    The role might be mitigated at role level.
    In RAR Anayze tool, click -More options to expand the selection options
    Chose "Exclude Mitigated Risks: No"

  • CC 5.2 - Risk Analysis on existing roles

    Hello,
    When I submit a change request via AE 5.2 in order to add a role to an existing user,
    does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
    Thank you for your answer.
    Abderrahim

    Hi Abderrahim,
    Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
    Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
    Regards,
    Raghu

Maybe you are looking for

  • Unable to open iMovie project?

    I made a simple iMovie 09 project and burned it to a DVD via iDVD.   Then, to save space on my HD, I moved the project to an external HD. Now I want to go back to the project to make some edits.   But when took it out of the external HD and placed it

  • Scheduled report corruption

    Hi, we have been using BO Enterprise 11 for sometime without any problems, but recently scheduled reports are being produced with varying format issues. Sometimes a report is OK, but the next time it runs the layout of the report will be corrupted. C

  • HT1918 how do get my music from my old itunes account

    how can i get my music from my old itunes account

  • MBA Gen2 and 20" external cinema + 10.5.6 same problem as 23"

    I just started hooking up an Apple 20" cinema display to the 2nd Gen MBA and it appears if you allow the display to "sleep" then on wake there is the same tearing and snow issue that was reported in other threads with the larger displays that seems t

  • My earpods broke what do i do?

    my earpods broke what do i do?