GRC 5.3: CUP risk analysis VS. RAR risk analysis

I've installed and configured RAR and CUP.  When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts.  When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged.  Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

> Frank Koehntopp wrote:
> I guess the behaviour is on purpose.
>
> In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
>
> In CUP, you do want to see any kind of risk that might arise from a role assignment to a user.
>
> I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???
Hi Frank,
I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) from the Permission Level Risk Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigate appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimately simulate whether adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
Let me know if I need to clarify further.
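
The discrepancy discussed in this thread comes down to which risk types the analysis is asked to evaluate. The following toy model is an added example (not SAP's code and not part of the original thread): it runs the same user-plus-role simulation once restricted to permission-level SoD risks, as a selective RAR analysis would, and once across all risk types, as CUP does. Every role, function and risk identifier in it is constructed for illustration.

```python
"""Toy SoD risk analysis with selectable risk types.

Added example, not SAP GRC code. It models why a selective simulation
(SoD risks only) can report zero conflicts while an all-risk-types run
over the same user and role reports a critical-action risk. All role,
function and risk identifiers below are constructed.
"""
from dataclasses import dataclass

# Constructed role catalogue: role name -> set of transaction codes granted.
ROLES = {
    "Z_AP_CLERK": {"FB60", "FK01"},        # post vendor invoices, maintain vendors
    "Z_AP_PAYMENTS": {"F110"},             # run the payment program
    "Z_BASIS_SUPPORT": {"SU01", "SE16"},   # user administration, table browsing
}

# Constructed business functions: a function is present if the user holds
# any one of its actions.
FUNCTIONS = {
    "AP01": {"FB60"},
    "AP02": {"FK01"},
    "BS01": {"SU01"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    risk_type: str           # "SOD" or "CRITICAL_ACTION"
    functions: frozenset     # SOD: all functions must be present; CRITICAL_ACTION: one
    level: str


# Constructed rule set: one SoD risk and one critical-action risk.
RISKS = [
    Risk("P001", "SOD", frozenset({"AP01", "AP02"}), "High"),
    Risk("B001", "CRITICAL_ACTION", frozenset({"BS01"}), "Critical"),
]


def user_actions(assigned_roles):
    """Union of the actions granted by the user's roles."""
    return set().union(*(ROLES[r] for r in assigned_roles))


def function_present(func_id, actions):
    return bool(FUNCTIONS[func_id] & actions)


def analyse(assigned_roles, risk_types):
    """IDs of risks violated by this role set, restricted to the requested risk types."""
    actions = user_actions(assigned_roles)
    hits = []
    for risk in RISKS:
        if risk.risk_type not in risk_types:
            continue
        if all(function_present(f, actions) for f in risk.functions):
            hits.append(risk.risk_id)
    return sorted(hits)


def simulate_add_role(current_roles, new_role, risk_types):
    """Risk analysis of the user as they would look after new_role is added."""
    return analyse(set(current_roles) | {new_role}, risk_types)


if __name__ == "__main__":
    user = {"Z_AP_PAYMENTS"}
    print("selective (SOD only):", simulate_add_role(user, "Z_BASIS_SUPPORT", {"SOD"}))
    print("all risk types:", simulate_add_role(user, "Z_BASIS_SUPPORT", {"SOD", "CRITICAL_ACTION"}))
```

Run as written, the selective simulation returns an empty list for the Basis role while the all-types run returns the critical-action risk, which is exactly the "no conflicts in RAR, violations in CUP" pattern described above. The same function returns the SoD risk P001 under either setting when the added role completes both of its functions, so the two analyses only diverge on risk types the selective run leaves out.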

Similar Messages

  • CUP-RAR Risk Analysis error

    Hello experts,
    When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risks (0 risks found). However, when the role is added to the user in RAR simulation, there are risks.
    Similarly,
    When an approver does risk analysis for a role in CUP before approval, the system shows 0 risks (0 risks found). However, when the role is analysed in RAR, there are risks.
    I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
    When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
    Many thanks,

    Hello Raghu
    Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
    Also I would suggest going to:
    1. CUP - Configuration - Risk Analysis - and see if the web service link for Risk Analysis is correct.
    Better would be to go to NetWeaver Administrator - Web Dynpro console - and get the correct link.
    2. CUP - Configuration - Mitigation, and here also put the correct link for all four options there, i.e. (Risk Analysis, Mitigation etc.).
    Hopefully this should solve the problem. I don't think it is related to org level.
    If the problem still persists, kindly paste the log.
    Best Regards
    Asheesh

  • GRC Access Control 5.3 - RAR Risk Analysis in offline mode

    Hi expert,
    I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate the User Action file, the ABAP has a problem when it tries to get a COMPOSITE ROLE field for a Role that is associated with many Composite roles, as the unique record consists of the fields IDUSER, ROLE and ACTIONFROM. Does someone know how we can solve this conflict?
    Best Regards!

    I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how to fill it when the Single Role belongs to multiple Composite Roles. Because of the primary key, we can't make multiple records for each userid/role combination, each one with a different Composite Role, such as in the following example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
    Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
    Hope I explained myself. Thanks for your help.

  • Can you download RAR Risk Analysis reports to something other than Excel?

    When you run a RAR Risk Analysis and go to export the resulting reports, RAR automatically exports this into an Excel spreadsheet.
    Is it possible to export the reports into some other kind of format/tool?  (SQL would be ideal.)
    We are on GRC 5.3 SP13.
    Thanks.

    Our CMG group runs a company-wide risk analysis 2-3 times a year to use in their SOD Review process.  We are looking into loading this report into QuickView to give them more capabilities with using the report.  QV will work with Excel, but you have to load every spreadsheet and every page separately. 
    We are looking to see if we could download it into some other format that would contain all of the report in just one file.  Would make the QV load easier.  Something like SQL would probably be ideal.
    Thanks.

  • SAP GRC 10.0 Risk Management - Forecasting Horizon Scoring Analysis Mode

    Hi everyone,
    In SAP GRC 10.0 Risk Management Support Package 7, we need to assess a corporate risk by performing an automatic analysis aggregation based on a scoring analysis profile.
    The problem is that corporate risks must be created based on a forecasting horizon.
    So, can we create forecasting horizons with scoring analysis mode? How? Must it be enabled through customizing or by applying a SAP note?
    Best Regards,
    Chema Traveso

    Hi,
    I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if an Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
    It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.

  • RAR offline analysis issue

    In our GRC AC 5.3 SP10, we have RAR config tab - risk analysis - additional option - enable offline risk analysis set to YES.
    But when I run a risk analysis from the informer tab, the report shows offline analysis: NO.
    My queries are:
    1. What is the difference between yes and no for offline analysis? How do they affect the risk analysis report?
    2. Is the above scenario a problem? Does it provide an incorrect result of risk analysis? If yes, how can this be rectified?

    If you set offline risk analysis to yes in configuration, then when the batch risk analysis background job runs it populates the RAR table virsa_cc_prmvl. So the advantage of offline analysis is you can do risk analysis based on the last batch risk analysis job, making the response time better.
    In case of online analysis from the informer tab, the backend system should be available. The advantage here is you are dealing with real-time data, whereas in case of offline analysis your data is as fresh as the last run of the batch risk analysis job.
    Thank you,
    Partha
    Edited by: PARTHASARATHY NUNNA on Jun 25, 2010 2:36 PM
    Edited by: PARTHASARATHY NUNNA on Jun 25, 2010 2:47 PM

  • Risk Resolution in RAR

    hi experts,
    It looks like it is possible in AC RAR to directly choose a risk resolution after a risk analysis.
    But when I select "remove access" or "delimit access", the submit button is always gray (impossible to click).
    It probably comes from a customizing point but I don't know which one. Thanks for your help,
    Regards,
    Julien

    Hello Julien,
    This functionality is not working till date for any of the releases, and is not even functional/solved in 5.3 as well.
    Even I had encountered the same issue some time back and had raised a support message for the same. To this, support had confirmed that --> "This functionality is not yet working in any release". That was for 5.2 but now, I see the same for 5.3 as well. Out of the three options for risk resolution, only Mitigate the risk is functional.
    Regards,
    Hersh.
    Edited by: HERSH GUPTA on Oct 20, 2008 1:53 PM

  • Custom Fields in GRC 10.0 - CUP

    Dear Experts,
    Please help me in creating Custom fields in GRC 10 - ARM (CUP). I want to create a Custom field called Country, assign approvers to that field and make use of this field in the user request form as a mandatory field.
    Could you please let me know how to create a custom field, assign approvers to it and make it mandatory while a user is creating a request for a new account in the system.
    I appreciate your help.
    Thanks,
    Raj

    Hello Raj
    As per my knowledge we can create custom fields in SPRO; the path is
    IMG > GRC > General Settings > User Defined Fields
    under this you will get two types
    1. NON HR defined fields
    2. HR Defined fields
    Baithi

  • Ad-hoc Risk Analyses returning incorrect Risk Levels against Risks

    We have recently made changes to our ruleset and uploaded them in Development and Production. We have noticed whilst running Ad-Hoc Risk Analyses that the Production system is showing Risks as Medium when they are either Critical or High. For example, Risk ZA12 is a High risk but the Risk Analysis is showing this Risk as a Medium risk. However, in Development risks are displaying as expected when we run Ad-hoc Risk Analyses. We have deleted the previous ruleset, uploaded the new ruleset, generated rules and run all the Sync jobs to no avail. In addition I have gone into NWBC and double checked that the Ruleset had been generated (Rule Setup > Generated Rules > Access Rule Summary) and I can confirm that the risks are appearing as expected there. Oddly, even the Management Reports (Reports and Analytics) seem to have the correct Risk Ratings against the violations.
    Strange!

    Hi Kevin
    Many thanks for your post, we did run a full BRA but no luck unfortunately. Some Risks still reporting as Medium when they should be Critical or High. Oddly it is reporting correctly against some risks just not for all!
    Cheers
    Hussain

  • GRC 5.3: CUP asks to perform risk analysis even when there are no risks in request

    Hi All,
    We recently upgraded from GRC 5.3 SP13 to SP22.
    The one issue which we are facing after upgrade is that now CUP is forcing approvers to do Risk Analysis, even when there are no risks in the CUP Request, that is Risk Tab is Green.
    Previously approvers were able to approve requests without doing risk analysis, if there were no risks in the request.
    CUP used to force them to do risk analysis only when there were risks associated with requests.
    But now, it is forcing approvers to perform risk analysis, even if there are no risks, i.e. approvers are not able to approve requests without any risks without doing risk analysis.
    Please advise.
    Thanks
    Aditi

    Hi,
    Can you check if any change is made in Configuration -> Workflow -> Stage -> Approvers
    Regards,
    Claudio

  • SAP GRC AC 5.3 - RAR Risk analysis Error Log

    Hi
    I have scheduled the background job for full sync risk analysis for the first time. The job ended with status error. Critical analysis, user, role and profile action analysis are shown at 100%, but the user permission analysis shows 49%, and role and profile permission analysis show 97% each. Where can I check the log for the errors? Do I need to run the whole risk analysis job again? When I check the management reports, risk violations are shown as zero. Please let me know how I can proceed at this stage. Thanks
    Regards
    Prasad

    Thanks.
    For the first time, please do it for all users. I assume this was the first time and it failed, so I would suggest you schedule it for all.
    Once these are done, then periodic jobs should be incremental.
    A few tips:
    - schedule user sync as a separate job and only once it finishes schedule role sync, and when role sync finishes, only then schedule profile sync
    - always select system ids from search help (which is F4 in ABAP)
    - best to schedule one job per system id, so that when a failure occurs, error analysis is easy
    regards,
    Surpreet

  • RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

    I have a problem related to risk analysis at permission level when V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear; however, performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
    At first I thought that it would most probably be related to the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logic activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this does not exceed the limit of 45566 rules defined in RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is "no conflicts":
    D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
    If this line is disabled, then several users with conflicts are reported. As mentioned above, these users have value '*' for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
    I have done the following checks, all of them correct:
    - The user/role/profile synchro has been done and all the users have been stored in table VIRSA_CC_
    - All the lines in VIRSA_CC_FUNCPRM that are part of my customized rule-set have been correctly inserted in the same Oracle table
    - All the combinations of rules have been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
    Any suggestions?
    Thanks in advance

    I've detected the same problem for the following authorization objects:
    - F_BKPF_BLA||BRGRU
    - V_VBRK_FKA||FKART
    - M_MSEG_BWE||WERKS
    RAR reports no conflicts (at authorization level) when these objects are activated (of course there are users with these conflicts in the back-end systems).
    This problem has been proved in the installations of different customers with SAP GRC Access Control 5.3 SP12.
    Has anybody else experienced this issue????

  • GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

    Hello,
    Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
    I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
    User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
       Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
    1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
    2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
    And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
    Thanks in advance,
    Alley
    Edited by: Alley1 on Sep 20, 2011 1:15 AM

    Hi Karell,
       Here is response to your questions:
    I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
    Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
    Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
    Regards,
    Alpesh

  • Create user in SAP GRC AC 5.3 for each module (RAR, CUP, SPM, ERM).

    Hello,
    I have a doubt.
    The users of the modules of SAP GRC AC 5.3 have to be created in the UME of the EP Core, is that right?? And then add the roles of each user for each module (RAR, CUP, SPM, ERM), is that right?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    To access GRC AC 5.3 you can create one UME user and assign different roles related to four GRC component.
    Or you can create different GRC user and assign respective components roles.
    Examples of GRC Admin roles are:
    AEADMIN
    READMIN
    VIRSA_CC_ADMINISTRATOR
    regards,
    Sudip,

  • AC10.0 RAR risk analysis

    GRC Gurus,
    I have configured GRC10.0 for AC and trying to run the risk analysis for role/user level but no data is showing up. I could select the connector and roles, but after running the risk analysis no results are coming up.
    Any help is appreciated.
    Thanks.

    Hello Bhanu,
    Will you please let me know the solution ??
    Even we are facing the same problem.
    We can see the system, also see the roles and the users, and also ran the background job to execute the risk analysis to perform user, role and profile analysis from SPRO.
    Also note that we have already uploaded txt files for SOD rules.
    When we run the report for any user or any role the result is nil.
    Please suggest how you resolved the issue??
    Can you also tell me how you can generate a "rule Id" manually for an uploaded risk id?? From NWBC or SPRO?
    We tried via SPRO > GRC > AC --> Access Risk Analysis > SoD Rules > Generate SOD Rules
    It ran successfully but the report does not give any output!!
    Thanks in advance.
    Regards,
    Victor
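
The "RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART" message above describes users holding '*' for an object/field who are not reported against a rule that names a specific value. The example below is added here and is not SAP GRC's matching engine; it shows the check a permission-level rule needs in order to count wildcard, prefix-pattern and range authorizations as covering the rule's value, next to a literal comparison that misses them. The rule structure, user records and authorization values are all constructed for illustration; only the object and field names come from the thread.

```python
"""Permission-level rule matching against SAP-style authorization values.

Added example, not SAP GRC code. A user whose authorization carries '*',
a prefix pattern such as 'ZS*', or a from-to range for an object/field holds
the rule's value just as much as a user with the literal value. A matcher
that compares strings literally reports no conflict for those users.
The rule, users and authorization data below are constructed.
"""


def value_matches(user_value, rule_value):
    """Does one authorization value cover the rule's value?
    user_value is a single value, '*', a prefix pattern ending in '*',
    or a (low, high) tuple standing for a from-to range."""
    if isinstance(user_value, tuple):            # range, e.g. ("ZAA", "ZZZ")
        low, high = user_value
        return low <= rule_value <= high
    if user_value == "*":                        # full wildcard
        return True
    if user_value.endswith("*"):                 # prefix pattern, e.g. "ZS*"
        return rule_value.startswith(user_value[:-1])
    return user_value == rule_value


def holds_permission(user_auths, obj, fld, rule_value, exact=False):
    """True if any authorization the user has for obj covers rule_value in fld.
    exact=True reproduces a literal comparison that ignores wildcards and ranges."""
    for auth in user_auths.get(obj, []):
        for v in auth.get(fld, []):
            if exact:
                if v == rule_value:
                    return True
            elif value_matches(v, rule_value):
                return True
    return False


# Constructed rule: VA01 restricted by document type ZSO on object V_VBAK_AAT,
# field AUART (the object/field named in the thread; the rule format is ours).
RULE = {"tcode": "VA01", "object": "V_VBAK_AAT", "field": "AUART", "value": "ZSO"}

# Constructed users: transaction codes plus authorization values per object.
USERS = {
    "SALES01": {"tcodes": {"VA01"},
                "auths": {"V_VBAK_AAT": [{"AUART": ["ZSO"], "ACTVT": ["01"]}]}},
    "SALES02": {"tcodes": {"VA01"},
                "auths": {"V_VBAK_AAT": [{"AUART": ["*"], "ACTVT": ["*"]}]}},
    "SALES03": {"tcodes": {"VA01"},
                "auths": {"V_VBAK_AAT": [{"AUART": [("ZAA", "ZZZ")], "ACTVT": ["01"]}]}},
    "SALES04": {"tcodes": {"VA01"},
                "auths": {"V_VBAK_AAT": [{"AUART": ["ZQT"], "ACTVT": ["01"]}]}},
    "BASIS01": {"tcodes": {"SU01"},
                "auths": {"V_VBAK_AAT": [{"AUART": ["*"], "ACTVT": ["*"]}]}},
}


def users_matching(rule, users, exact=False):
    """Users who can start the rule's tcode and hold the rule's object/field value."""
    return sorted(
        name for name, u in users.items()
        if rule["tcode"] in u["tcodes"]
        and holds_permission(u["auths"], rule["object"], rule["field"],
                             rule["value"], exact)
    )


if __name__ == "__main__":
    print("literal comparison:", users_matching(RULE, USERS, exact=True))
    print("wildcard-aware:    ", users_matching(RULE, USERS))
```

With the constructed data, the literal comparison flags only the user who holds the exact value ZSO, while the wildcard-aware check also flags the '*' holder and the range holder; BASIS01 is excluded in both runs because the tcode check fails first. When a permission-level rule produces "no conflicts" against users known to hold '*', confirming that the engine's value comparison behaves like the second function rather than the first is the check to make.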
