GRC 5.3 Risk Critical Action reports return "no matches or conflicts"

When running GRC 5.3 Risk Analysis Critical Action reports on either the user level or role level, I am getting the message "no matches or conflicts".
However, Permission level reports are successfully returning correct results on the user and role level.
This is a new installation of GRC 5.3 with latest SP.  Is there any set up that has to be done to run critical action analysis reports in GRC 5.3?
This is also using the SAP default Global ruleset with no customisation.
I have used GRC 10 to run the critical action reports and these work with using the critical risks as defined in the ruleset.  Does GRC 5.3 work a different way?  Is there any additional set up that has to be performed?  I just want to see the risks on role level or user level that relate to just the critical access risks (just 1 function).
Please advise.

Hi Trinadh
Thank you for the response.  I did not know that you had to define the critical actions in 5.3 as I don't think you have to do it in 10 - it seems to work on what is defined in the ruleset.  Where do you define the critical actions or check if it has been defined?
Thanks

Similar Messages

  • RAR Alert Monitor - Critical Actions Report - user ID is garbled

    In the above report, the alert generation has data in it, showing that a transaction was executed, from a terminal, but the user ID is garbled.  It appears like this:
    Alert Date Time    8/10/2010 - 10:32:34 AM
    User    +LqvhQveEQJ (+LqvhQveEQJ)
    Risk Violated   BSCF:Basis Configuration Actions
    It then continues to show me the details of the transactions executed, and the date, time and terminal from where they were executed.
    With the user ID being garbled, it's not clear where it's getting this user from, and how to rectify it.  Any ideas?
    Thanks,
    Santosh

    Hi Santosh,
    Add authorization object "S_TOOLS_EX" in the SAP pre-delivered "/virsa/CC_Default_Role" default role which you have in R/3 and make sure that role is assigned to the user account which you are using in the JCO connection as well.
    This will resolve your issue.
    Thanks,
    Tavi
    SAP Security & GRC Consultant.

  • Critical Action and Role/Profile Analysis job is not running in GRC 5.3

    Hi Team,
    I am working for a client where GRC 5.3 is installed (support pack 4 and patch 1).
    The installation is complete and also the post processing is done.
    We have scheduled a periodic ( weekly ) incremental background job for Critical Action and Role/Profile.
    Following are the parameter setting used:
    Task: Risk Analysis -Batch
    Batch Mode : Incremental
    The first time it ran successfully on 28th June'09 and it completed with spool also. But next time it is supposed to run on 4th of July'09. But it does not. And since then it is in the same state.
    I am not able to find any reason why it is behaving this way when other incremental jobs are running successfully.
    It will be helpful if anyone can guide me by providing the solution.
    Regards,
    Kakali

    Hi Varun,
    I go to the Job History Button. It shows the following data only :
    2009-06-28 00:00:59 Done Job Completed successfully
    2009-06-27 23:45:00 Started RAR_PE1CLNT100_Critical Action and Role/Profile Analysis started :threadid: 0
    Under the Last Run Column it shows 28th June (Status - completed)
    Under Next Run Date it is showing 4th July
    Following is the list of updates available from SP05:
    When executing the critical roles/profile jobs in background, a message "error while executing the Job: null" comes up. --- (this one is for those which come under the Informer tab)
    Background job spools are not available after upgrade from 5.2 to 5.3.
    Critical action and critical role/profile analysis cannot be run in background by system. --- (but in my case it ran once)
    Selection parameters (System, User and User Group) have been provided for "Critical Action and Role/Profile Analysis" in Configuration->Background Job->Schedule Job. --- (it means it runs usually)
    Critical Actions report in detail view shows no results after executing the Risk Analysis Job in the background. The same report shows data when executed in the foreground. (this one is for those which come under the Informer tab)
    When there is only one periodic job configured in RAR, this job fails to start after the first time in the specified time. (this is not true, because there are other periodic jobs running successfully)
    Unable to run Informer - audit reports - critical role and profiles with logical systems. (this is again under the Informer tab)
    I had gone through this earlier also, but was not able to match any update with my problem. If you have any other suggestion you can provide me the same.
    Is there any way to check for a job log so that I can check what the problem is? The View Log option is also greyed out as we have SAP logger set up as the default logger parameter. I have enabled it just to check but there is nothing.
    Please Guide.
    Regards,
    Kakali

  • Can CUP be configured to ignore Critical Action risks during SOD analysis?

    Hi All,
    We have configured our CUP workflow to take a detour path if SOD violations are found at a stage. RAR has Critical actions defined in the rule set. When  CUP performs the SOD analysis, is there any way we can skip critical action risks and consider only SOD risks?
    We are 5.3 SP 11.1

    Hi,
    If the critical action is activated in the same rule set, then you have to define a mitigation control as well, because CUP is going to show these risks after a risk analysis and you have to mitigate them. There is no possibility to skip that.
    Possible solutions:
    If you want these risks (critical actions) just for reporting aspects in RAR, then you should maybe create a new ruleset just only for these risks, and deactivate it, on the Global ruleset... I wouldn't recommend that, because, if you are going to define critical actions, you have to define mitigation control, from the security aspects as well.
    Cheers,
    Martin

  • Critical Actions are not showed in Reports

    I'm having a problem in displaying user analysis report in management view.
    I have uploaded SAP default rulesets and it does contain some defined critical actions. I can also display critical actions by user in risk analysis reports.
    But the problem is in "User analysis Report", the number of critical action&role is always 0. 
    Does anybody know the reason?
    Is there anything that I'm missing?
    Thank you&Regards
    Stellare

    Hi,
    if you are using CC 5.2: have you checked the field Critical Action and role/profile analysis in Configuration->Background job->Schedule Analysis ?
    I suppose you are talking about that there is no critical violation in Informer.
    Hope this helps you
    Emilio

  • RAR: SoD Risk and Critical Actions risks

    Hi all,
    I would like to get your input regarding different approaches followed in order to load in RAR SoD risk and critical actions risks.
    1) Do you load all of them under the same rule set?
    2) Do you think it is convenient to load them under two different rule sets? One for SoD and the other for critical action?
    My decision here since AC modules when calling to RAR are using the default SoD, would be to define everything under the same unique rule set. Agree on that?
    Keep in mind the four GRC AC modules are implemented.
    Thanks for all. Kind regards,
      Imanol

    Hi Imanol,
      It depends on the client requirements. If client wants to see critical risks as well as SoD risks in CUP then same ruleset is the way to go. If client doesn't want to confuse approvers by showing critical risks then separate ruleset is the right way. At my current client, we have separate rulesets for SoD and Critical actions. We ask role owners to reaffirm all the role assignment which contains critical actions quarterly so we are covered from that angle.
    Regards,
    Alpesh

  • Critical actions in SPM reports

    Hi all,
    One question on the way SPM retrieves data when reporting:
    I have seen in SPM report "SoD Conflicts Report" that SPM integrates with RAR in order to identify SoD Conflicts.
    Regarding, the critical actions filtering applied in SPM reports, where this information validation is it retrieved from? Critical actions defined in RAR OR critical actions maintained in R/3 transaction VFAT? What is to say in frontend (RAR) or backend (R/3)?
    Many thanks in advance. Best regards,
      Imanol

    Hi Imanol,
      It totally depends on your configuration. Go to SPM/FF -> Configuration tab. There is a parameter called 'Critical Transaction Table from Compliance Calibrator (VRAT)'. If the value is not maintained or if the value is 'NO' then SPM/FF will look at its own critical tcode table. If the value is 'YES' then SPM/FF will look at RAR/CC for critical tcode table and you don't need to maintain critical tcodes in SPM/FF.
    Regards,
    Alpesh

  • AC 5.3  Critical Action Alert Emails not being sent

    HI:
    We have set up Critical Action alerts for a couple of transactions and while the on-line alert logs are being generated correctly, the alert email is not being sent to the Risk Owner.
    Does anyone know where I can troubleshoot this issue?
    Thanks,
    Margaret

    > Alpesh Parmar wrote:
    > Margaret,
    >
    >     Have you set up the SMTP server in visual admin? RAR needs to use this server details to send out an email.
    >
    > Alpesh
    Hi Alpesh/Margaret,
    Where are the instructions for setting up the SMTP server in visual admin for the purpose of Alert Generation? I am not seeing this in the Configuration Guide. Could you point me to the correct documentation?
    Thanks!
    Jes

  • Risk Management interactive reports drill up error

    Hi,
    I have been working with Risk Management 10 in SAP GRC recently.  I noticed that when using the Risk Manager Interactive Reports in the Report section (Heat Map and Overview Report), I have received an error when trying to drill back up to the parent organizational unit after I have drilled down to the child sub organization.
    Our current workaround is to click on the <All> unit, close the window, and then reopen the window and drill back down to the parent unit.  While this workaround has been successful when using the reports so far, it is difficult to communicate this error to other users when they attempt to use the reports.
    Are there any fixes to this error, or any plans to fix?  Otherwise, is there a feature that needs to be adjusted in Risk Management?  Thanks.

    Bump

  • RAR 5.3: Uploading Critical Actions

    Hi,
    We have already a system with SoD Matrix already loaded and rules generated.
    Our question: Is it possible to upload critical actions (include in functions and these into risks) using "Rule upload" functionality or once the SoD Matrix is loaded no more risks can be uploaded using such functionality and must be entered manually?
    I remember there was a note related with the way rule upload works and the append / insert happening but I can not find it now.
    Any help on this?
    Many thanks in advance. Best regards,
       Imanol

    Hi Imanol,
    You can create txt files for new risks upload and do it. It will append the existing data. Just make sure that tcodes, objects and other required values are in place. Also, if a function / risk is existing, then modified data will not be applicable but it will throw error. But if your txt files are having all new data, then it will be uploaded successfully. We have done it, as our rulebook was prepared in installment and we uploaded SOD first and gave the risk analysis to business before SAT risks were prepared and uploaded.
    Regards,
    Sabita

  • Critical Action and Role/Profile Analysis

    Hi,
    I want to know the purpose of the Batch Risk Analysis back ground job "Critical Action and Role/Profile Analysis" in RAR 5.3.
    I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
    Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
    Thank you,
    Partha

    Hello Partha,
      You got this right. It will analyze the defined critical actions/roles/profiles.
    Regards, Varun

  • Critical Actions

    Hi Everyone,
    I'm trying to establish what is a good practice to follow on how to deal with critical actions.
    Our thinking is that even though they are critical actions people will still need to have access to them.
    Here are some options with the cons we have been considering:
    1. Add the actions into Firefighter id's & roles. We don't necessarily want to add actions into a firefighter role that someone is expected to do during their daily/weekly/routine activities.
    2. Disable the Critical Actions rules. This will disable your ability to easily identify when an unwanted user has access to these actions.
    3. Create mitigation controls for these critical actions and assign them to the specific users. This is quite an administrative burden due to the number of critical actions. We would not want to mitigate at the Higher risk level but rather at the individual rule level.
    We are leaning towards option 3 but would appreciate some other options and input on how to deal with these?
    Kind Regards

    We are going through the same process and are using a combination of your suggestions.  First we are going through the critical actions and determining if our company (business reps and auditors) agrees with SAP standards.  Some of the transactions we don't consider as being critical so those will be disabled.  Next, we will put some critical actions in our firefighter ID's and not allow an end-user to have them in production.  Then, we will mitigate the users who use some of the transactions regularly. And lastly, we will run the critical action notify job weekly or maybe even monthly. 
    Peggy

  • Tax Report Returns No Data [Message 131-85]

    Our client has been using SBO for the past few years and run the Standard Tax Report.
    They follow a standard procedure whereby they open the Tax Report enter the period details and click OK, the report returns all Input and Output Tax details.
    This month they have run the report and no matter what dates you enter the report returns No Data [Message 131-85]
    Does anyone have any clues as to what might be causing this?

    I have discovered via a SQL trace that the following script is run for the tax report
    exec sp_executesql N'
    SELECT      T0.[AbsEntry],
         T0.[Code],
         MIN(T0.[Name]),
         T0.[SrcObjType],
         T0.[DocNum],
         MIN(T0.[Category]),
         MIN(T0.[IsEC]),
         T0.[IsAcq],
         MIN(T0.[VatPercent]),
         MIN(T0.[EqPercent]),
         T0.[DocDate],
         MIN(T0.[TaxDate]),
         MIN(T0.[CANCELED]),
         SUM(T0.[BaseSum]),
         SUM(T0.[VatSum]),
         SUM(T0.[EqSum]),
         SUM(T0.[DeductSum] - T0.[EqSum]),
         MIN(T0.[SrcObjAbs]),
         N''0'',
         0,
         0,
         MIN(T0.[DocDate]),
         0,
         0,
         MIN(T0.[NumAtCard]),
         SUM(T0.[BaseSumSc]),
         SUM(T0.[VatSumSc]),
         SUM(T0.[EqSumSC]),
         SUM(T0.[DedctSumSC] - T0.[EqSumSC]),
         MIN(T0.[TaxType]),
         T0.[CrditDebit],
         MIN(T0.[CardCode]),
         MIN(T0.[CardName]),
         MIN(T0.[SrcLineNum]),
         MIN(T0.[VatDate]),
         MIN(T0.[VatIdUnCmp]),
         MIN(T0.[LicTradNum]),
         MIN(T0.[BPLicTradNum]),
         MIN(T0.[AddID]),
         SUM(T0.[BaseSum])
         FROM  [dbo].[B1_VatView] T0 
         WHERE (T0.[Code] = (@P1)  OR       
         T0.[Code] = (@P2)  OR 
         T0.[Code] = (@P3)  OR 
         T0.[Code] = (@P4)  OR 
         T0.[Code] = (@P5)  OR 
         T0.[Code] = (@P6)  OR 
         T0.[Code] = (@P7)  OR 
         T0.[Code] = (@P8)  OR 
         T0.[Code] = (@P9)  OR 
         T0.[Code] = (@P10)  OR 
         T0.[Code] = (@P11)  OR 
         T0.[Code] = (@P12) ) AND 
         T0.[DocDate] >= (@P13)  AND 
         T0.[DocDate] <= (@P14)  
         GROUP BY T0.[AbsEntry], T0.[Code], T0.[SrcObjType], T0.[DocNum], T0.[IsAcq], T0.[DocDate], T0.[CrditDebit]
         ORDER BY T0.[IsAcq] DESC,T0.[CrditDebit]',N'@P1 nvarchar(30),@P2 nvarchar(30),@P3 nvarchar(30),@P4 nvarchar(30),@P5 nvarchar(30),@P6 nvarchar(30),@P7 nvarchar(30),@P8 nvarchar(30),@P9 nvarchar(30),@P10 nvarchar(30),@P11 nvarchar(30),@P12 nvarchar(30),@P13 datetime2,@P14 datetime2',N'SEXP',N'SFRE',N'SGST',N'SNT',N'PCAF',N'PCAP',N'PFRE',N'PGNR',N'PGST',N'PGSTV',N'PNT',N'PPRI','2010-03-01 00:00:00','2010-03-31 00:00:00'
    If I run this in SQL I get the following error, which may shed some light on what is happening
    Msg 2715, Level 16, State 3, Line 1
    Column, parameter, or variable #13: Cannot find data type datetime2.
    Parameter or variable '@P13' has an invalid data type.
    Msg 2715, Level 16, State 3, Line 1
    Column, parameter, or variable #14: Cannot find data type datetime2.
    Parameter or variable '@P14' has an invalid data type.

  • Report returns wrong data when run on server

    Hi,
    I'm running CRS XI R2 on Windows Server 2003 SP2.  When I refresh a report in the Crystal Reports XI Designer, I'm getting correct data.  But when I schedule the report to run on the server it returns wrong data.  The data is different from what I see when I refresh it from the designer.  In the report I have running totals set up to count customers that meet a certain criteria.  The report is very large.  It takes almost 2 hours to refresh.
    I was wondering what is causing the difference in running total data between refreshing it on the designer and running it on the server.  Is it returning wrong data b/c of it not reading all the records?  Should I be making any changes to the server settings?  I saw that under pageserver, there are options for setting the 'Minutes Before an Idle Report Job is Closed' and 'Database Records To Read When Previewing Or Refreshing a Report'.  Do either of those have anything to do with the report returning incorrect data when being scheduled to run on the server?
    Thanks,
    Kim

    Hi Xuandao,
    You would need to Use Cell Binding and Trigger concept to accomplish this.
    Its simple, however, you would have to work on a trial and error basis to understand this concept as implementing the same is subject to your dashboard and WEBI Design.
    Open your LiveOffice.
    Insert your WEBI, Now, go to Object Properties of your WEBI, select the second tab that says Prompt, Here, it lists the prompts that you have for your WEBI. This would also enlist your BEx variables as well. Select this BEx variable and click on the button that says Prompt at the bottom of this window. Here, select choose Excel Data Range and click on the cell select button on the right (small button that lets you choose what cell you want to bind this prompt to), Now select a free cell that would not be even populated later on when you run the dashboard say A1 (remember the value that you select). Click on OK and again OK. The WEBI Refreshes and you can see all the prompt values at the cell A1. These are all the possible values stored for your BEx prompt variables (these values are fetched from BW system dynamically).
    Now, save this LiveOffice. Go to your dashboard. Connect your dashboard to your Live office. Go to Data-> connections-> Now, select the WEBI and in the right hand pane go to Usage tab, here, Click on Trigger cell button on the right hand side and select A1 in your LiveOffice.
    It should work fine.
    Let me know.
    Rgds,
    Sreekul Nair

  • SAP GRC 10.0 Risk Management - Forecasting Horizon Scoring Analysis Mode

    Hi everyone,
    In SAP GRC 10.0 Risk Management Support Package 7, we need to assess a corporate risk by performing an automatic analysis aggregation based on a scoring analysis profile.
    The problem is that corporate risks must be created based on a forecasting horizon.
    So, can we create forecasting horizons with scoring analysis mode? How? Must be enabled through customizing or applying a SAP note?
    Best Regards,
    Chema Traveso

    Hi,
    I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if an Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
    It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.
