Can we do risk analysis at org level

Similar Messages

• Error while performing Risk Analysis at user level for a cross system user

  Dear All,
  I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
  The error is as follows:
  "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
  Can anyone please help.
  Regards,
  Gurugobinda

  Hi..
  Check the note # SAP Note 1121978
  SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
  Check for the following...
  CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
  ChangeThreadCountStep =50
  InitialThreadCount= 100
  MaxThreadCount =200
  MinThreadCount =50
  Regards
  Gangadhar

• Running Risk analysis at User Level(CC)

  Hi
  Please Clear my query, wat is the difference between running the risk analysis at userlevel Violation count by Risk and Violation count by Permission.
  violation count by Permission, the total number of violations are 377,569.
  Violation count by Risk,the total number of violations are 11,716.
  Thanks & Regards

  Hi Karuna,
  When you perform Risk Analysis at User level and choose violation count by Permission/Risk. Here are the details of each analysis:
  1. Violation Count by Risk
  This analysis will display the count of how many SOD risks associated with the users existing in each business process like FI, HR, MM, PR, SD.
  It will display as a bar graph or pie chart. If you choose each of the business processes and drill down to the particular SOD risk,P001 then you can display how many users have that risk, P001
  2. Violation Count by Permission
  This analysis will display the count of SOD violations at the action/permission level associated with the users existing in each business process.
  If you choose the conflicting functions inside each SOD risk, and then expand on the permission tab you will understand why the huge number of violations it is showing.
  In the Risk information screen, in Conflicting Functions, click the AP02 u2013 Process Vendor Invoices link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values u2013 all come preconfigured out of the box.
  Choose the Permission tab. Expand Action F-42. Open an authorization object to show field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
  Hope this will help you understand better.
  Regards,
  Kiran Kandepalli.

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

  I have a trouble related with risk analysis at permission level, when the V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear, however performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
  At a first time I thought that most probably would be related with the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logical activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this no overpass the limit of 45566 rules defined at RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is u201Cno conflictsu201D:
  D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
  If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*'   for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
  I have done the following checks, all of them correct:
  - The user/role/profile synchro has been done and all the users has been stored in table VIRSA_CC_
  - All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
  - All the combinations of rules has been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
  Any suggestions?
  Thanks in advance

  I've detected the same problem for the following authorization objects:
  - F_BKPF_BLA||BRGRU
  - V_VBRK_FKA||FKART
  - M_MSEG_BWE||WERKS
  RAR reports no conflicts (at authoriztion level) when these objects are activated (of course having users with these conflicts in back-end systems)
  This problem has been proved in the installation of different customer with SAP GRC Access Control 5.3 SP12.
  Anybody else has experienced this issue????

• User Analysis at Permission Level - Detail Report (RAR SP12)

  Hello All,
  I have having question regarding the User Level Analysis at Permission level report. Currently, we are on GRC Access control 5.3 SP12.
  Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.
  But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" name in the Permission Object Column and "Transaction Code" name in the Field column.
  Look forward to hear from you all.
  Thanks in advance,
  Regards,
  Angelica

  Hi Angelica,
  This behaviour is ok for those risks in which you have not enabled any Object/Field value. It will pick S_TCODE Object and show you the risk.
  This is useful because -
  1. If you have risks defiend at Tcode level - you can still catch them while running risk analysis at permission level.
  2. If you have Object Values defined in risk and you are running permission level analysis it will show risk only if Object Values meet. In that case permission level risk anlysis will not show risk if there is no actual risk.
  3. Running risk analysis at Action level can show false positives when risk is defined ta Object level. So, it is always better to r
  un alanysis at permission level, it will bring all actual risks skipping false positives.
  4. You can run only one level risk analysis in CUP and ERM and permission level covers all risks.
  If you have risk defined at Object Level and the role/user is not fulfilling all values, it should not show in permission level. In your case, if it is showing only "Transaction code check at start"  and the risk is defined at Object Level, then sure it is a bug.
  Regards,
  Sabita

• Error while doing risk analysis for a user

  Hi ,
  When i did risk analysis at user level for a particular user we are getting this error under level  ."Exception!!. No relavent language message available in database for :0292".I had reuploaded the the messages text file but still the error persists i have restarted the j2ee application but still the error is not going .any pointers please thanx in advance.When checked the file CC5.3_MESSAGES.txt it does not contain any entry corresponding to message code 0292.So how shud i proceed.
  Edited by: Ambarish annapureddy on Jan 21, 2009 12:54 PM

  Hi Ambarish,
      What is the patch level of GRC AC 5.3? Did you apply any service pack recently? Did the service pack contain any message file? There has to be some message file which contains message '0292'. If you can not find the message file then open a message with SAP support and they should be able to provide it to you.
  Regards,
  Alpesh

• CC: Risk Resolution at user level.

  HI All,
  In CC 5.2 with latest patch level, I am facing an issue in Risk Resolution. When I do the Risk analysis at user level for a particular user and then do a detail Report and then try to do the risk resolution; there are standard three options:
  1. Mitigate.
  2. Remove Access.
  3. Delimit Access.
  from the user. Out of these three, the first one is working fine, but second and third are greyed out and I can not proceed with option 2&3. Have any one of you come accross such a situation or have any clues about the same. Also, my user has Admin rights to all the actions in the Admin role provided to me.
  Thanks a lot in advance.
  Have a nice day!!
  Regards,
  Hersh

  Hello Hersh,
  This functionality is not available in 5.2.
  Regards,
  Jagat
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:16 PM
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:17 PM
  Edited by: Jagat Bir Singh on Aug 1, 2008 6:52 AM

• GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

  Hello Gurus,
  We have done configuration of GRC AC 10, and uploaded files via
  SoD rules -->Upload Rules
  After that we generated SoD rules for Risk Id : B001 and B002
  Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
  The report shows (for Group Rule level : Action)
  Number of Active rules : 0
  Number of Disabled Rules : 0
  Number of Functions :  151
  Where as for Group Rule level : Action Risk
  The report shows
  Number of Active Risk : 42
  Disabled risk : 161
  Nmr. of functions : 151 .
  When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
  Note: All the background jobs have run successfully.
  Also the SoD files also have been uploaded successfully.
  Will you please guide how can i activate the "rules" for the uploaded risk ??
  regards,
  Victor

  Hello Victor/ Inder,
  For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
  Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
  BUSINESS     Business Roles     SAP
  SAP_BAS_LG     SAP Basis     SAP
  SAP_CRM_LG     SAP CRM     SAP
  SAP_ECC_LG     SAP ECCS     SAP
  SAP_HR_LG     SAP HR     SAP
  SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
  SAP_R3_LG     SAP R3     SAP
  SAP_SRM_LG     SAP SRM     SAP
  (If not present then manually you can create the same)
  Select SAP_BAS_LG and put connector type as SAP,  select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
  Post this activity re generate SOD for B001 and then check for user level and role level analysis.
  Hope it will resolve your issue.
  Regards,
  Sudesh

• GRC AC 10 (BRM) Risk Analysis Report type is editable

  Hi,
  In  GRC10 – BRM  Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
  When i start to create a role in the Risk Analysis step, Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But exist the option to deselect "Permission Level". 
  As you can Permission level is always selected and not editable?
  Regards

  Hi,
  I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
  Also, if we change default value of check box, Cristian can set non-editable fields through SE80.

• AE 5.2 - Risk Analysis problem

  Hello,
  I am facing an issue with AE 5.2. When I create a request to assign roles and perform Risk Analysis, I get some SOD violations messages.
  I copy the some assigned roles and paste them in CC 5.2 -> Informer -> Risk Analysis -> Role Level and I have no conflict!
  Can you please advise why I have conflict with AE and not with CC?
  Thank you very much indeed,
  Cheers,
  Abderrahim

  Hello,
  In fact, It was only a false positive issue because:
  In CC I perform a risk analysis with Permission Level option.
  However, I get risk violation in AE with Critical Transaction for the same role.
  The right way is to run risk analysis in CC with Critical Actions.
  Thank you for your collaboration.
  Regards,
  Abderrahim

• Use of Risk Analysis Webservice without installing CUP

  1)Can we use Risk Analysis (SAPGRC_AC_IDM_RISKANALYSIS) webservice without installing CUP.
  2)This webservice requires request id , which we will not have untlil we create a request in CUP.Besides request id, it has user id and system id as input field.
  Is there a way or any other web service available, which accepts some other fields like role (particularly), analsysis type,etc, and then return us analysis data.

  I have written a lengthy piece on why it is a good idea to use CUP here:
  Re: Integrating inbuilt Access Management application with RAR
  Frank.

• Back ground job for Risk Analysis

  Dear expert
  we have schedule BG for risk analysis at role level for a DEV box and its been 7 days since it is in running state .
  I have checked logs but no error .
  Is this normal behaviour .I am confused because of DEV box which is having test roles also .
  Also we are using logical system as well as physical system for ruleset .
  Kindly share your experience .
  Thanks & Regards
  Ashesh

  Hello All,
  We are geeting below mentioned error -
  WARNING:  Job ID:235 : Failed to run Risk Analysis
  java.io.IOException: No space left on device (errno:28)
       at java.io.FileOutputStream.writeBytes(Native Method)
       at java.io.FileOutputStream.write(FileOutputStream.java:260)
       at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
       at sun.nio.cs.StreamEncoder$CharsetSE.implWrite(StreamEncoder.java:395)
       at sun.nio.cs.StreamEncoder.write(StreamEncoder.java:136)
       at java.io.OutputStreamWriter.write(OutputStreamWriter.java:191)
       at java.io.BufferedWriter.flushBuffer(BufferedWriter.java:111)
       at java.io.BufferedWriter.write(BufferedWriter.java:206)
       at java.io.Writer.write(Writer.java:126)
       at com.virsa.cc.xsys.riskanalysis.dao.dto.RAReportDTO.printToSpool(RAReportDTO.java:454)
       at com.virsa.cc.xApr 1, 2011 2:08:45 AM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
  Thanks,
  Jagat

• Risk Analysis thru Web Service

  I'm trying to get Risk Analysis (SoD violaions) for roles using web service. Current approach we are using is to first use web service SubmitRequest to create service and then use web service RiskAnalysis for SoD checks for that request. However, is there any web service which gives Risk analysis directly without creating request in GRC? If i give 2 conflicting roles then can i get risk analysis without actually creating request in GRC?
  Thanks,

  Hi Alpesh, Ankur,
  Thaks for your answer. As you said, the web service which you mentioned works for existing users with assigned roles/profiles. I was more looking for web service which will give me Risk Analysis before i assign Roles/Profiles.
  I found one service VirsaCCRiskAnalysisService which allows me to do risk analysis before assigning any roles/profiles. Of course, the condition is that User should exist in back-end system.
  Thanks,
  Sanjay shah

• Risk Analysis in CUP not working

  Hello Experts, we are using GRC 5.3. In CUP, I am trying to approve Role Provisioning. One of the requirements is to run Risk Analsys (as it says 'Risk Analysis is Mandatory'). When I hit the 'Risk Analysis' button, the circle keep circling but, nothing seems to happen forever (no error message either). Can you guide me in the right direction? What could be the possible situation? And, where am I better off to start troubleshooting.
  Thank you.

  Well, the problem seems to be that I am connecting from VPN. From my analysis, after I reboot the laptop, I am able to analyze risk for the first 3 or 4 requests and after that I can't do risk analysis for any more requests until I reboot my laptop. If I login to a remote server (say Virsa server), I seem to have no problem at all. i am able to continuoiusly run risk analysis for multiple requests. The problem seems to be VPN or my laptop.