GRC_10 Risk Analysis Report

Similar Messages

• Ad hoc Risk Analysis report is returning incorrect Risk Level for some Risks

  We are running GRC AC 10.0 with SP 16.  After application of Support Pack 16, some of our ad hoc risk analysis reports are returning incorrect risk levels.  For example:  Risk F024 Open closed periods and inappropriately post currency or tax entries is set as High.  When the Ad hoc report is run, the risk F024 will show on a user with a level of Medium.  We have generated our ruleset and have followed the normal procedures used to implement the support pack.  Any ideas what is causing this issue?  I have exhausted my knowledge and search attempts.
  Any help is appreciated.
  Sara B.

  Hi Kevin
  Many thanks for your post, we did run a full BRA but no luck unfortunately. Some Risks still reporting as Medium when they should be Critical or High. Oddly it is reporting correctly against some risks just not for all!
  Cheers
  Hussain

• Issue with risk analysis report in GRC10.0

  Hi All,
  We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
  This report is not fetching all the data even though user has all the required authorizations.
  We are getting the data when we execute the dashboard reports.
  Any one has idea?
  Cheers
  Hari

  Alessandro,
  Thanks for the reply. I am aware of this.
  Problem is when dash board report is showing the risk for the user but risk anaylsis report in Reports and Analytics is not showing the risks to that user.
  As per our investigation, the risk data that is displaying in the risk anaylsis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also there is no issues from authorizations side.
  Regards
  Hari

• Risk analysis Report Error in GRC AC 10.0

  Dear GRC,
  I had problem with Risk analysis Report in GRC Access Request form
  When i run the Risk analysis report on Action Level , Permission Level , Critical Action Level and Critical Permission Level then report showing as "No Violations" but if i run the Risk analysis report only on Critical Action Level and Critical Permission Level then report showing too many Violations.
  I maintained Action Level , Permission Level , Critical Action Level and Critical Permission Level as default risk analysis type in SPRO Configuration Parameters settings.
  i am not understanding why system behaves like this. Could you please help me on this.
  System Details : GRC AC 10.0 , SP-12
  Thanks a lot for swift response.
  Best Regards,
  RK

  Hi GRC Team,
  Please help me on this. I am waiting for your replay.
  Regards,
  KR

• Risk analysis reports in IDM 6.0

  Hi
  I was trying to run risk analysis report to detect deleted users in Red hat linux. I was not sure what report to run. I tried various things like user report, resource accoutn report etc. However these reports gave the the list of users deleted in IDM but not the resource. Can i somehow create a customized report to do this?
  Any help regarding this matter is appreciated
  Thanks
  Man

  Hi,
  Please check following path in easy access
  1) Accounting ->Controlling -> Product Cost Controlling ->Product Cost Planning ->Information System
  2) Accounting ->Financial Accounting ->Fixed Assets ->Information System
  Best Regards,
  Madhu

• Risk Analysis Reports Format

  Hello Experts,
  What is main difference between Risk Analysis Report Formats ....
  Summary
  Detail
  Management Summary
  Executive Summary
  Please explain in depth and which scenarios we are using these reports. Please give a one business example.
  Regards,
  Babu

  Dear Babu,
  trying to help you.
  Summary: gives you an overview of conflicts on action level. Can be used to discuss with business what is causing the risk.
  Detail: gives you an overview of conflicts on authorization level. Can be used to analyze how a conflict can be removed.
  Management summary: gives you an overview of risks on user level. Can be used to report how many risks are currently in the system on user level. E.g. userA has 3 risks, userB has 2 risks, etc.
  Executive Summary: gives you an overview of risks on risk level. Can be used to have a general overview of applicable risks in the system. E.g. riskA has no conflicts, riskB has 7 conflicts, etc.
  Best if you just analyze and you will see the differences. If you have a particular question do not hesitate to contact us.
  Regards,
  Alessandro

• Role Based Risk Analysis Report

  Hello All,
  When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  this is the correct response.
  However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
  Also, when I click on the Detail Report button, I received object data that does not appear correct.
  Please Help.  Thanks.
  Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

  Hi Babiji,
  Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis.In addition to what Sneha has said,
  To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level.In Virsa 4.0 you have the option of carrying out risk anaysis at role level by executing the t-code /N/VIRSA/ZVRAT.
  In section Analysis type, choose Roles and enter the list of roles.
  In section SOD Risk level, choose the appropriate risk.
  Then choose the appropriate report type and report format before executing it.
  This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
  Thanks,
  Saby..

• AC 5.3 RAR - combined risk analysis reports for regular auth. and SPM auth.

  Dear All,
  we have users that have regular day-today authorization and also FF authorization.
  Does the Batch Risk Analysis takes into account both authorizations when doing the risk analysis for those users ? will we see it in the reports ?
  Thanks
  Yudit

  ok, so basically the answer is no, in the RAR components we do not have risk analysis for the combinations of the roles assigned to the user and to his FF ID.
  in that case, at what stage does the system checks for those combined risks ?
  is it checked when we manage the risk analysis phase in the CUP request that is asking to assign the FF ID to the user ?
  thanks
  Yudit

• GRC AC 10 (BRM) Risk Analysis Report type is editable

  Hi,
  In  GRC10 – BRM  Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
  When i start to create a role in the Risk Analysis step, Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But exist the option to deselect "Permission Level". 
  As you can Permission level is always selected and not editable?
  Regards

  Hi,
  I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
  Also, if we change default value of check box, Cristian can set non-editable fields through SE80.

• Can you download RAR Risk Analysis reports to something other than Excel?

  When you run a RAR Risk Analysis and go to export the resulting reports, RAR automatically exports this into an Excel spreadsheet.
  Is it possible to export the reports into some other kind of format/tool?  (SQL would be ideal.)
  We are on GRC 5.3 SP13.
  Thanks.

  Our CMG group runs a company-wide risk analysis 2-3 times a year to use in their SOD Review process.  We are looking into loading this report into QuickView to give them more capabilities with using the report.  QV will work with Excel, but you have to load every spreadsheet and every page separately. 
  We are looking to see if we could download it into some other format that would contain all of the report in just one file.  Would make the QV load easier.  Something like SQL would probably be ideal.
  Thanks.

• ARA: "[P/G]" symbol in Risk Analysis Report???

  Hi,
  I have noticed a peculiar symbol in Access Risk analysis while performing permission level analysis. The symbol is "[P/G]<TCODE>".
  I have not this before. Any idea why this is coming and how I can resolve this?
  Please see the screenshot for the same.
  Recently, our target system is upgraded. I am sure if this is coming because of that. Earlier, it was working fine.
  Also, system is showing unknown risks violations for roles and all of them are preceded by "[P/G]" symbol.
  Please advise.
  Regards,
  Faisal

  Alessandro,
  Thanks for your reply.
  Yes, these actions are assigned to functions.
  Secondly, I re-generated the rules and the result is same. Also, I used
  our quality system (upgrade is not done yet) and analyzed the same role and it gave expected results!
  I am using same GRC system but different target systems. ERP Development system is causing problem where as ERP Quality system is not.
  Based upon my analysis, I see some problem with our ERP development system which is not showing appropriate results. But not sure what to do.
  Any help please?
  Regards,
  Faisal

• GRC Risk analysis reports are not checking all possible risk conflicts set up in the rule set that lead to risks.

  Dear All,
  After running the risk analysis it shows only the first conflict for a risk in the rule set (Rule ID 0001). We have already Generated SOD ruleset. Also during migration from 5.3 to AC10.1 all the rulesets were imported properly.
  What could be reason??
  Thanks for your help.
  Regards,
  Abhisshek

  Abhisshek,
  there is already a thread with the same question:  Dear all I only get result for one rule id and not with others what should be an issue?
  Regards,
  Alessandro

• Org Rule anlaysis when performing mitigation from risk analysis report do not mitigate the user from management summary report message!

  Hi,
  When in the User Level>Mitigation screen this comment appears  (*). When taking the path to  ‘summary’(a) or ‘detail’ (b) doesn't change when we select the button  MITIGATE RISK (**).  What was the intent of the below message?
  What is the intent of the message ?

  Hi Pranjal,
  please see note: http://service.sap.com/sap/support/notes/1972382
  Regards,
  Alessandro

• GRC 10.0 Adhoc Risk Analysis

  Hi Guys,
  Is there any risk or chances of loosing data if the below listed table is cleaned up?
  GRACSODREPDATA
  GRACSODREPINDEX
  GRACSODREPSTATUS
  I just wanted to know if these tables are cleaned up and if we want any historical data may it be tcode analysis report or risk analysis report, can we get the historical data?
  Thanks & Regards
  Ratan

  Dear Ratan,
  you should study the following document: http://service.sap.com/sap/support/notes/1580877
  Regards,
  Alessandro

• Role Analysis Report

  I'm a user of the GRC 10.0 module, and have a question around the role analysis report.  I’ve run a risk analysis violations report, and noted SoD/violations for 1169 roles, out of 35214 total roles (see attached screenshot).  That said, my understanding is that some of these ‘violations’, by risk category, could in fact be false positives? Is this correct? If correct, how do we know for certain that there are role violations for the 1169 roles? Is there another maneuver, report or analysis we can do to assure us that we’re looking at 1169 roles with real violations? Any help would be greatly appreciated. 

  Hi Joe,
  As Alessandro suggested, you need to run Access risk analysis reports on role level.
  It will show you what exactly is the violation and at what level.. at action, permission, critical action, critical permission et al.
  This report will even let you see the corresponding risk IDs, Rule IDs and risk criticality levels like medium/hig/critical and so.
  Hope this is clear now
  Regards,
  Ameet