Critical Action and Role/Profile Analysis

Hi,
I want to know the purpose of the Batch Risk Analysis background job "Critical Action and Role/Profile Analysis" in RAR 5.3.
I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
Thank you,
Partha

Hello Partha,
  You got this right. It will analyze the defined critical actions/roles/profiles.
Regards, Varun

Similar Messages

  • Critical Action and Role/Profile Analysis job is not running in GRC 5.3

    Hi Team,
    I am working for a client where GRC 5.3 is installed (support pack 4 and patch 1).
    The installation is complete and also the post processing is done.
    We have scheduled a periodic ( weekly ) incremental background job for Critical Action and Role/Profile.
    Following are the parameter setting used:
    Task: Risk Analysis -Batch
    Batch Mode : Incremental
    The first time, it ran successfully on 28th June '09 and it completed with spool also. But the next time it was supposed to run, on 4th of July '09, it did not. And since then it has been in the same state.
    I am not able to find any reason why it is behaving this way when other incremental jobs are running successfully.
    It will be helpful if anyone can guide me by providing the solution.
    Regards,
    Kakali

    Hi Varun,
    I go to the Job History Button. It shows the following data only :
    2009-06-28 00:00:59 Done Job Completed successfully
    2009-06-27 23:45:00 Started RAR_PE1CLNT100_Critical Action and Role/Profile Analysis started :threadid: 0
    Under the Last Run column it shows 28th June (Status - completed)
    Under Next Run Date it is showing 4th July
    Following is the list of updates available from SP05:
    When executing the critical roles/profile jobs in background, a message
    "error while executing the Job: null" comes up. ---( this one is for which come under Informer Tab)
    Background job spools are not available after upgrade from 5.2 to 5.3.
    Critical action and critical role/profile analysis cannot be run in
    background by system. --- ( But in my case It ran for once )
    Selection parameters (System, User and User Group) have been provided for
    "Critical Action and Role/Profile Analysis" in Configuration->Background
    Job->Schedule Job. --- ( it means it run usually)
    Critical Actions report in detail view shows no results after executing the
    Risk Analysis Job in the background. The same report shows data when
    executed in the foreground. ( this one is for which come under Informer Tab )
    When there is only one periodic job configured in RAR, this job fails to
    start after the first time in the specified time. ( this is not true, because there are other periodic jobs running successfully)
    Unable to run Informer - audit reports - critical role and profiles with
    logical systems. ( this is again under Informer Tab )
    I had gone through this earlier also, but was not able to match any update with my problem. If you have any other suggestion you can provide me the same.
    Is there any way to check for a job log so that I can check what the problem is? The View Log option is also greyed out as we have SAP logger set up as the default logger parameter. I have enabled it just to check but there is nothing.
    Please Guide.
    Regards,
    Kakali

  • Can CUP be configured to ignore Critical Action risks during SOD analysis?

    Hi All,
    We have configured our CUP workflow to take a detour path if SOD violations are found at a stage. RAR has Critical actions defined in the rule set. When  CUP performs the SOD analysis, is there any way we can skip critical action risks and consider only SOD risks?
    We are 5.3 SP 11.1

    Hi,
    If the critical action is activated in the same rule set, then you have to define a mitigation control as well, because CUP is going to show these risks after a risk analysis and you have to mitigate them. There is no possibility to skip that.
    Possible solutions:
    If you want these risks (critical actions) just for reporting aspects in RAR, then you should maybe create a new ruleset just only for these risks, and deactivate it, on the Global ruleset... I wouldn't recommend that, because, if you are going to define critical actions, you have to define mitigation control, from the security aspects as well.
    Cheers,
    Martin

  • Doubt about actions.xml with actions and roles

    Hi all,
    We are using a file like actions.xml for use in Web Dynpro applications, describing actions like:
    Is it possible to describe GROUPs assigning roles to them in the same XML instead of doing this using the useradmin application? We need to describe the roles in the XML because we are using around 25 ROLEs and 15 GROUPs.
    We would appreciate it if you can show us the complete description with an example for defining those GROUPs in the XML with all the tags and properties necessary.
    Thanks in advance.
    Raú

    This feature is one of the hidden features SAP has for deploying stuff to NW. I'm sure there is a way for that, but it's not documented, as the role extension is also not documented. I don't know why SAP is hiding these extremely useful features from normal developers. Especially for product development they are so useful.
    Did you know that it's possible to deploy database content (not just tables!) with a special DC and an XML file in a special format? Just another example of hidden features in SAP NetWeaver.

  • Getting domain and role profiles

    I have access to the user profile and the application profile via the public API, but I also need to have access to the domain profile (I need to get some attributes at the domain level) and found no way of doing that in the public API.
    Is there a way to do that via the API or do I need to create my own methods to access the LDAP directory and retrieve the information?

    Sreekanth, step 2 of the role has priority over the access profile.

  • Critical Actions are not showed in Reports

    I'm having a problem in displaying user analysis report in management view.
    I have uploaded SAP default rulesets and it does contain some defined critical actions. I can also display critical actions by user in risk analysis reports.
    But the problem is in "User analysis Report", the number of critical action&role is always 0. 
    Does anybody know the reason?
    Is there anything that I'm missing?
    Thank you&Regards
    Stellare

    Hi,
    if you are using CC 5.2: have you checked the field Critical Action and role/profile analysis in Configuration->Background job->Schedule Analysis ?
    I suppose you are talking about that there is no critical violation in Informer.
    Hope this helps you
    Emilio

  • Where are all the UME actions and UME roles stored?

    Hi there,
    I had a look at the SAP<SID>DB.UME* tables, it seems to me that they are not stored there.
    What I wanted to achieve is to build a list of all user, user to role assignment, all UME actions, and role to action assignment so that we can do some analysis of the data.
    Another related question is about the SPML based java API for user management in UME. It only allows you to list all the UME roles. What about the J2EE security roles? It seems to me that by using this API, you can not get a complete picture of user authorization, which includes both UME role and J2EE security role. Any comments?
    Thanks in advance
    GG

    Hi,
    I would suggest to use [UME Java API|http://help.sap.com/javadocs/NW04S/SPS09/se/com/sap/security/api/package-summary.html] instead of reading from the DB tables. You can get all users using methods of the class IUserFactory. The class IRoleFactory has method getRolesOfUser which gives you all roles for each user. Don't forget about roles assigned to user groups. Have a look also at package com.sap.security.api.acl. You should be able to get all ACL entries using [IAclManager|http://help.sap.com/javadocs/NW04S/SPS09/se/com/sap/security/api/acl/IAclManager.html]. Especially, check the code example. I've never done this but from reading javadocs it looks like it should be possible.
    Have a look also at this [document|http://help.sap.com/saphelp_nwce711core/helpdata/en/a4/d39b3e09cdf313e10000000a114084/frameset.htm]. It describes the authorization concept of the AS Java.
    Cheers

  • Batch Risk Analysis - Profile Analysis

    Hello Gurus,
    I am running a Full Sync Batch Risk Analysis and in Profile Analysis I am encountering following issues.
    1. I have declared SAP_ALL, SAP_NEW, &_SAP_ALL* as Critical Profiles and choose YES to option Ignore Critical Roles and Profiles. Now, when I run the Full Sync Profile Analysis, profiles ' &_SAP_ALL*' are also getting analyzed and is consuming lot of time. Any ideas how to fix this ?
    2. I am under the impression that: In the Full Sync Profile Analysis job, ONLY the user defined profiles and profiles of generated roles will be analyzed, instead it is analyzing all the SAP predefined profiles. Is it working as it is supposed to work ? If not any ideas how to fix this ?
    Thank you for your time.
    Regards,
    Raj

    Hi,
        What you have done should have worked. But you can also Mitigate the Role and Profile. Create a dummy control and Mitigate Role/Profile. Keep the option exclude Mitigated Risk -yes in configuration tab. Now you can run Management View or other batch Jobs it won't. I am sure this one will work.
    Thanks,
    Darshan

  • Critical Actions

    Hi Everyone,
    I'm trying to establish what is a good practice to follow on how to deal with critical actions.
    Our thinking is that even though they are critical actions people will still need to have access to them.
    Here are some options with the cons we have been considering:
    1. Add the actions into Firefighter id's & roles. We don't necessarily want to add actions into a firefighter role that someone is expected to do during their daily/weekly/routine activities.
    2. Disable the Critical Actions rules. This will disable your ability to easily identify when an unwanted user has access to these actions.
    3. Create mitigation controls for these critical actions and assign them to the specific users. This is quite an administrative burden due to the number of critical actions. We would not want to mitigate at the Higher risk level but rather at the individual rule level.
    We are leaning towards option 3 but would appreciate some other options and input on how to deal with these?
    Kind Regards

    We are going through the same process and are using a combination of your suggestions.  First we are going through the critical actions and determining if our company (business reps and auditors) agrees with SAP standards.  Some of the transactions we don't consider as being critical so those will be disabled.  Next, we will put some critical actions in our firefighter ID's and not allow an end-user to have them in production.  Then, we will mitigate the users who use some of the transactions regularly. And lastly, we will run the critical action notify job weekly or maybe even monthly. 
    Peggy

  • Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

    Hello,
    I'm trying to understand what exactly, and from which tables, these jobs are copying to which tables in CC. I have an understanding that these jobs are also moving deleted roles from the backend. This is causing unnecessary delay to a long-lasting job.
    I would appreciate it if someone could explain the logic behind these jobs. What are the full sync and incremental reading? What kind of changes cause a role/user/profile to be included in the full and incremental jobs?
    How the incremental analysis logic is built ?
    br Janne

    Janne,
    In my current implementation we are going for an offline risk analysis due to the heterogeneous system landscape of our client (several SAP and non-SAP systems and several SAP systems under 4.6C). Even though within our approach we don't perform the backend synchronization (we use the CC data extractor to pull data from the backend into CC), I hope the following info could help you:
    The tables that the jobs you mention access are all the SAP backend system tables related to users, roles, profiles, actions and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
    In terms of CC tables:
    VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
    VIRSA_CC_GENOBJ >> User, Role and Profile master data
    VIRSA_CC_GENACT >> User-action, role-action and profile-action data
    VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
    VIRSA_CC_SAPOBJ >> Action-permission
    VIRSA_CC_OBJTEXT >> Object descriptions (ACT, PRM, FLD, VAL, ORG)
    Hope this helps.
    Regards,
       Imanol

  • Analysis Authorization (Role, Profile and Direct Assignments)

    Analysis Authorization Question:
    1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
    2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
    3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
    Migration Options:
    1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
    2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
    3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
    Questions
    a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
    b) Does anyone use direct assignment to Users? Is it good business practice?
    c) Is Profiles the recommended method of Authorization Maintenance?
    d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in

    Hello Gurus,
    I have configured RAR and the reports are working as usual, but I observed that I could not see two things:
    1) The option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under the "Reports & Analytic" tab.
    I checked in SPRO>GRC>AC-->Maintain Config Settings
    There is a parameter "Ignore Critical Roles/Profiles" which I first set to "Yes" and then checked in NWBC; I was unable to see the option under "Additional Option".
    Later I changed the SPRO setting to "NO", and again it did not show me the option.
    Where can I find this option, so that if I upload, say, 10 roles which are assigned to a firefighter ID they should not be analyzed for RAR?
    2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP.
    Where can we make this setting, so that the basic roles can get assigned to the user when any new user request comes in?
    Will you please shed some light on this area?
    Thanks in advance.
    Regards,
    Victor

    Hi Johanna
    Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
    Regards
    Swarna

  • RAR v5.3 - Ignore Critical Roles & Profiles = No is not Working

    Hello everyone,
    I have SAP_ALL and SAP_NEW configured as critical profiles in Rule Architect.  I changed the Ignore Critical Roles & Profiles option to "No" to see the delta.  Yet, when I run the risk analysis (ad hoc or batch) against users with SAP_ALL, it still says No Conflicts found even though I changed the config to look at SAP_ALL users.
    Do I have to restart the server for the new Config to take effect?  It doesn't say it in the option like some of the other Config options do, but It's the only thing that I can think of.
    Thank you,
    Johonna

    Hi Johanna
    Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
    Regards
    Swarna

  • How to add profiles to critical roles & profiles table in GRC RAR

    Hello,
    As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
    SAP_ALL All Authorizations For The SAP System
    SAP_NEW All Authorizations For Newly Created Objects
    S_A.ADMIN Basis Operator
    How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
    Thanks,

    Hi,
    I configured the critical roles & profiles in rule architect.
    But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
    Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
    Can you please update how to exclude the list of users, from the batch risk analysis?
    Thanks,

  • RAR: SoD Risk and Critical Actions risks

    Hi all,
    I would like to get your input regarding different approaches followed in order to load in RAR SoD risk and critical actions risks.
    1) Do you load all of them under the same rule set?
    2) Do you think it is convenient to load them under two different rule sets? One for SoD and the other for critical action?
    My decision here since AC modules when calling to RAR are using the default SoD, would be to define everything under the same unique rule set. Agree on that?
    Keep in mind the four GRC AC modules are implemented.
    Thanks for all. Kind regards,
      Imanol

    Hi Imanol,
      It depends on the client requirements. If client wants to see critical risks as well as SoD risks in CUP then same ruleset is the way to go. If client doesn't want to confuse approvers by showing critical risks then separate ruleset is the right way. At my current client, we have separate rulesets for SoD and Critical actions. We ask role owners to reaffirm all the role assignment which contains critical actions quarterly so we are covered from that angle.
    Regards,
    Alpesh
