CC 5.2 - Risk Analysis on existing roles

Hello,
When I submit a change request via AE 5.2 in order to add a role to an existing user,
does CC 5.2 perform the risk analysis on the user's corresponding roles (existing roles + new one) or only on the role to be added?
Thank you for your answer.
Abderrahim

Hi Abderrahim,
Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
Go to Configuration -> Risk Analysis -> Set the default risk analysis level.
Regards,
Raghu

Similar Messages

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object S_ARCHIVE, and there are no activities maintained.
    But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with ACTVT 01 is displayed as a risk. As you can see in the screenshot, there are no activities maintained at all. We have created the MSMP workflow where all CUP requests with risks should go to the Security Stage. Now we have the situation that even though our roles are clean, they are forwarded to the Security stage. It is a huge problem, because our security stage now has even more to do than before using GRC! Because the deactivated objects are identified as risks.
    Please advise me how to solve the problem. Did I miss some config parameters or is it a well-known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro

  • Risk Analysis shows no Roles or Users!!

    Hi Team,
    Please can you help me? I am configuring GRC AC 10's ARA and I am stuck with an issue: when I execute Risk Analysis on Roles or Users, I am getting a blank field. No data is getting pulled from the backend system, although my Repository Sync job finished successfully when I ran it for Users, Roles and Profiles.
    Please can anybody help.
    Thanks,
    Nick

    Hi Nick,
    please check this thread: GRC AC 10: RAR - no analysis results, or document: GRC AC 10: RAR - no analysis results
    Regards, Andrzej

  • Risk Analysis of derived role is not able to fetch organisational values.

    Dear All,
    We have run the permission level analysis in GRC 5.2 for the ROLES and
    found that the tool is not reading the ORGANIZATION VALUES maintained
    in the derived roles.
    We explored the GRC tool and found that the fields BUKRS, KOART, etc.
    are ENABLED in the RULES, while the CC tool is fetching the values of other authorization objects.
    Please advise if there are any configuration settings required.
    For your reference I am pasting part of the report.
    Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     ACTVT : Activity     Create or generate
    Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     KOART : Account Type     $KOART
    Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     ACTVT : Activity     Create or generate
    Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     BUKRS : Company Code     $BUKRS
    Thanks,
    Sandeep Bhatia

    Hello Sandeep,
    Doing Org Level Analysis is not so simple in RAR.
    Firstly, this is only user based.
    For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember the name of this utility, however it will be something like Orguser; just search in the Configuration tab.
    As mentioned by you, org levels are already enabled; make sure their values are $.......,
    the reason being that Org Rules will be generated at runtime and then the analysis will be done.
    It will be better if you take the help of SAP on this, as they have a document which will be very helpful to you.
    Regards,
    Surpreet

  • ARA: Excluded Roles considered for Risk Analysis???

    Hi,
    There are certain roles which are to be excluded from risk analysis for some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
    Actually, these roles are available in all the systems. Therefore, under the "System" column I have selected "ALL" and saved the entries.
    I ran risk analysis for a specific business process (the above roles belong to this business group) and surprisingly found that those roles which are maintained as "Excluded" are shown in the risk analysis report as violating!
    Thinking that the "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. I ran risk analysis, but with no luck.
    Then I ran risk analysis for the excluded role(s), and I am still getting the violations for these excluded roles!
    May I know why the system is considering these "excluded" roles at the time of risk analysis?
    Please advise.
    Regards,
    Faisal

    Alessandro,
    I think the "excluded" objects in path:
    SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
    itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
    I don't think that the objects maintained in the above path will have any importance while performing Risk Analysis from (NWBC->AM->Roles Analysis) and will NOT be considered.
    Please correct me, if required.
    Secondly, I found 2 relevant posts here on SCN:
    SAP GRC Access Control: Offline-Mode Risk Analysis
    SAP GRC 10.0 Offline Risk Analysis
    Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
    I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
    Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
    May you please let me know in which scenario this would be useful?
    Regards,
    Faisal

  • Business Roles - Risk analysis

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning to end users.
    When the role owner is performing risk analysis for business roles, results are proper according to the defined ruleset only if the "SYSTEM" field is empty.
    If a system is selected, then the results show "NO VIOLATIONS".
    Is this the standard behaviour for risk analysis of business roles or am I missing anything?
    Looking for your advice on this.
    Regards,
    Sai.

    Hi Jaya,
    Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • Inconsistency Data between Role Level & User Level Risk Analysis

    Hi,
    When we run Role Level Risk Analysis for a role (Ex: XYZ), there are no SOD conflicts. But when we try to run the user level analysis, this role shows SOD conflicts. I mean, XYZ is assigned with other roles. The combination of other roles' access may bring an SOD conflict, that's fine, but here the challenge is that role XYZ itself has SOD conflicts. The same does not appear when we run Role Level Risk Analysis!!
    How could this happen??
    Thanks,
    Karthik

    Hi Karthik,
    The role might be mitigated at role level.
    In the RAR Analyze tool, click "More options" to expand the selection options.
    Choose "Exclude Mitigated Risks: No"

  • Running Risk Analysis

    Hi Folks,
    I have installed CC 5.2 and the rulesets for ECC are uploaded. Now, when I want to run risk analysis for User/Role from Informer, I don't see any user ID from the backend system in the User/Role option. I have checked everything:
    SLD is working fine.
    JCo connectors are fine.
    RFC destination defined.
    Can someone help me in identifying the problem?
    Thanks in anticipation.
    Regards,
    Priyank.

    Hi Priyanka,
    If you have successfully installed Virsa CC5.2 and uploaded Objects and Rules, then please follow the following procedure:
    1) Go to Configuration Tab->Background Job
    2) Click on "Schedule Analysis"
    3) In the first pane, i.e. Sync Mode, select Full Sync
    4) Select *User/Role/Profile Synchronization
    5) Select the system for put ***
    6) Don't select any other thing.
    7) Click on Schedule
    8) Give a valid name to this report.
    9) Click on Immediate
    Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
    Click on Search
    If completed successfully, then go to step 1 as above.
    This time select all check boxes under the Batch Risk Analysis pane and then select the Management Report check box in the last pane.
    Then schedule the job. Only after that will you be able to see the results in the Informer Tab.
    Reward Points if it is useful
    Regards,
    Faisal

  • Risk Analysis Best Practices using CC

    Hi all,
    A SAP best practice for the risk analysis is:
    1) Run risk analysis against single roles
    >> Remediation for single roles
    2) Risk analysis for composite roles
    >> Remediation for composite roles
    3) Risk analysis for users
    >> Remediation for users
    My question is: How is CC able to take into consideration if the risk analysis performed is done for single or composite roles? When you run a Role Analysis there is no way to filter for such criteria.
    Many thanks in advance. Regards,
       Imanol

    Hi again,
    Thanks for the answer but I still have something in mind I would like some opinions about.
    If we have the following scenario:
    RC 1 (Composite Role 1) = RS1 (Simple Role 1) & RS2 (Simple Role 2)
    RS1= A1 (Action 1) , A2 (Action 2)
    RS2= A3 (Action 3)
    Risk R1= Combination of A1 and A3
    If we apply the risk analysis just to simple roles, we will not identify any risk since we don't have available the information from the composite role point of view.
    On the other hand if we consider the action related to RC1 through RS1 and RS2 we get:
    RC1 = A1, A2, A3
    Therefore, in this case we are able to say that the composite RC1 includes a risk since such role includes action A1 and A3.
    What do you think? Thanks for all. Regards,
        Imanol
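
The scenario in this post, together with the "existing roles + new one" question in the first thread, as an added Python example (not part of the original posts and not SAP's implementation). RC1, RS1, RS2, A1 to A3 and R1 come from the post; RS3, A4 and R2 are constructed so that a change request has something new to introduce.

```python
# Added illustration of segregation-of-duties analysis at role, composite
# and user level. RS3, A4 and R2 are constructed sample data.

SINGLE_ROLES = {
    "RS1": {"A1", "A2"},
    "RS2": {"A3"},
    "RS3": {"A4"},                      # constructed
}
COMPOSITE_ROLES = {"RC1": ["RS1", "RS2"]}

# A risk fires when one holder has every action in its set.
RISKS = {
    "R1": {"A1", "A3"},
    "R2": {"A2", "A4"},                 # constructed
}


def actions_of(role):
    """Expand a role to its actions; a composite inherits from its members."""
    if role in COMPOSITE_ROLES:
        actions = set()
        for member in COMPOSITE_ROLES[role]:
            actions |= actions_of(member)
        return actions
    return set(SINGLE_ROLES[role])


def risks_in(actions):
    """Names of all risks fully covered by the given action set."""
    return sorted(name for name, needed in RISKS.items() if needed <= actions)


def analyze_role(role):
    """Role-level analysis: only the actions reachable through this role."""
    return risks_in(actions_of(role))


def analyze_user(roles):
    """User-level analysis: union of the actions of every assigned role."""
    actions = set()
    for role in roles:
        actions |= actions_of(role)
    return risks_in(actions)


def simulate_request(existing_roles, new_role):
    """Change request: analyze the new role alone and existing + new together."""
    before = set(analyze_user(existing_roles))
    after = analyze_user(list(existing_roles) + [new_role])
    return {
        "role_only": analyze_role(new_role),
        "existing_plus_new": after,
        "introduced": [risk for risk in after if risk not in before],
    }


def contributors(roles, risk):
    """For remediation: which assigned role supplies each conflicting action."""
    return {action: sorted(r for r in roles if action in actions_of(r))
            for action in sorted(RISKS[risk])}


if __name__ == "__main__":
    for role in ("RS1", "RS2", "RC1"):
        print(role, analyze_role(role))
    print(simulate_request(["RC1"], "RS3"))
    print(contributors(["RC1", "RS3"], "R2"))
```

Analyzing only the new role misses R2 in this data, because the conflicting action A2 arrives through a role the user already holds.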

  • Risk Analysis mandatory before approval?

    Referring to this discussion: How to switch on mandatory risk analysis in Business Role Management?
    I'd like to propose another scenario.
    Now Risk Analysis is before profile generation and it is correct in this way.
    But Risk Analysis must also be mandatory in that step (before approval) and NOT ONLY during profile generation.
    Is it possible to set up a "specific" configuration in this way?
    Thanks.
    Ettore

    Hi Ettore,
    you need to create different Methodologies in Access Control > Role Management > Define Methodology Process and Steps >
    Example: Methodology 1 for only steps sequence 1,3,4,5 (With Risk Analysis) and
    another Methodology 2 for only steps 1,2,3,5 (Without Risk Analysis)
    Now assign those Methodologies in Access Control > Role Management > Associate Methodology Process to condition Group.
    Now call those condition group names from the BRF+ decision table.
    Thanks, Arif

  • CUP-RAR Risk Analysis error

    Hello experts,
    When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risks (0 risks found). However, when the role is added to the user in RAR simulation, there are risks.
    Similarly,
    When an approver does risk analysis for a role in CUP before approval, the system shows 0 risks (0 risks found). However, when the role is analysed in RAR, there are risks.
    I have checked the Org Rules parameter in RAR (it was set to No as we are not using Org Rules).
    When I set the org rule parameter to Yes, I got the exception "Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to No.
    Many thanks,

    Hello Raghu
    Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
    Also I would suggest going to:
    1. CUP - Configuration - Risk analysis - and see if the web service link for Risk analysis is correct.
    Better would be to go to Netweaver Administration - Webdynpro console - and get the correct link.
    2. CUP - Configuration - Mitigation, and here also put the correct link for all four options there, i.e. (Risk analysis, Mitigation etc.).
    Hopefully this should solve the problem. I don't think it is related to org level.
    If the problem still persists, kindly paste the log.
    Best Regards
    Asheesh

  • Mitigation not showing in Risk Analysis

    I have mitigated a role and can see the mitigation on the Mitigation tab under Mitigated Roles. I wanted to run a Risk Analysis on the role to make sure the mitigation is in my reports, and it is not showing.
    I have checked my settings on the configuration tab under "Risk Analysis" on "Exclude Mitigated Risk" and it's set to "No". I run my reports in the Informer Tab > Risk Analysis > Role Analysis and the Report Type is at the permission level and under "More Options" the "Ignore Mitigation" is set to "No".
    I have rerun my "sync" jobs and management reports in the order they should be run and they are still not showing up. The mitigation is not showing up in my management reports either. I am on SP9.
    Is there anything else I'm missing?

    I answered my own question on this.

  • Risk Analysis fails -  role does not exist or has no authorizations

    Dear all,
    We have added our productive client to the ERP Logical system.
    Then we extracted static and object data from backend and uploaded it to AC.
    We are not able to perform an analysis.
    On role level we get the error message: Warning: ZBC_ALL does not exist or has no authorizations
    When checking in the debugger we do find authorizations!
    Actions:12
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     S00     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SBWP     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SM35     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SM36     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SMXX     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SO01     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SP02     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU3     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU51     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU52     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU53     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU56
    Objects/AuthKeys:9
    LAS     ZBC_ALL     2     ZBC_ALL     S_BTCH_ADM||BTCADMIN     15     1     4     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_WFAR_OBJ||ACTVT     36     1     22     03          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_ADMI_FCD||S_ADMI_FCD     8     1     1     ' '          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_DATASET||ACTVT     21     1     8     34          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_DATASET||ACTVT     21     1     8     33          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_DEVELOP||ACTVT     1     1     9     03          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     DELE          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     FREE          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     LOCK          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     REOG          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     IMPO          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     EXPO          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     AONL          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     ABTC          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_OC_ROLE||OFFADMI     37     1     14     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_GROUP     5     2     17     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_ACTION     5     1     17     VARIANT          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_ACTION     5     1     17     SUBMIT          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_ACTION     5     1     17     BTCSUBMIT          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_C_FUNCT||CFUNCNAME     12     2     7     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_C_FUNCT||ACTVT     12     1     7     16          false
    Total:21 lines
    Total:9 Auth Key Map (key=PG) entries
    Total: 9 Obj Map (key=AK) entries
    What could cause the problem?
    Fast response = karma
    Kind Regards,
    Vit

    Hi Vit,
    Did you run any job after you added one system to the logical systems?
    Please import role ZBC_ALL through the incremental role sync job for the system you have entered in the ERP logical landscape.
    Once it is completed, schedule the batch risk analysis job for this role.
    Then schedule the Management report update.
    Run the Role Level analysis again and check.
    Thanks
    Jasmine

  • GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

    Hi All,
    After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085 and 3011, 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM too has a whole lot of new features which supersede RT.
    Best Regards,
    Vishal

    Hi Vishal,
    The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
    3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
    They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
    You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
    There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
    The parameter descriptions in question are:  
    1085 - Stop Role Generation if violations exist
    3011 - Conduct Risk Analysis before Role Generation
    3014 - Allow role generation with Permission Level violations
    Regards, Simon

  • Mass role risk analysis issue

    Hello GRC Community,
    I have a following issue:
    When I use mass risk analysis the deactivated authorization objects in the role are displayed as a result. At the same time, when I use Role Level Risk Analysis the role with deactivated critical authorization objects doesn't appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    In the backend you can see that the role contains lots of deactivated authorization objects.
    I have run all sync jobs, but seemingly it doesn't help.
    Thanks,
    Sabrina
