GRC AC 10.0 Mass risk analysis vs. Role level analysis

Hello GRC experts,
I urgently need your advice on the issue with deactivated permission objects which are identified as risks in the mass role analysis.
For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activities maintained at all. We have created the MSMP workflow where all CUP requests with risks should go to the Security Stage. Now we have the situation that even though our roles are clean, they are forwarded to the Security stage. It is a huge problem, because our security stage has now even more to do than before using GRC! Because the deactivated objects are identified as risks.
Please advise me how to solve the problem. Did I miss some config parameters or is it a well known problem?
We are on SP14, AC 10.0.
At the single role level there are no risks displayed.
Thanks in advance,
regards
Sabrina

Hi Sabrina,
check note
http://service.sap.com/sap/support/notes/2036645
Please let me know if it works.
Regards,
Alessandro

Similar Messages

  • Virsa CC Compliance Calibrator 5.2 Role Level Analysis Question

    Part 1
    I would like to know how to run a Role Level Analysis on all of our Roles EXCEPT composite roles which all start with ZC:.
    Part 2
    I would also like to know why there is not a copy paste function. What if I have the names of 50 individual roles that I want to run a report on with all different naming conventions? Is there no way to paste these in? I know I can individually select these one at a time and add another add another etc. However if you have a lot of roles for one functional area I would really like to not have to type those in one at a time and one line at a time.
    Thanks to all for your help in advance.

    Hi Vince
    Unfortunately there is no paste option in Netweaver, unlike the CC version 4.0, not even in 5.3 I heard.
    Either you have run the risk analysis using ranges where in you can say ZS00* to ZSZZ* (by running this it should cover all the simple roles, excluding the composite roles, provided your role naming convention is maintained well)
    I know it's quite annoying to key in each role, especially when your naming convention is all over the place.
    You can key in the role names once and save variant for the next time to reuse it.
    Probably you have noticed already there is custom user group in User Analysis tab, I wonder why they haven't one in Role Analysis, it would made a bit easier at least.
    Regards
    Prem

  • Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

    I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG. I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users. GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please consider it urgent.

    Hi,
    Assign ECC connector to SAP_ECCS_LG group.
    Run the programs (GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_REPOSITORY_OBJECT_SYNC) in full sync mode (this might take time so better do this in background). Better do it sequentially. Check the logs of the jobs in SLG1 just to ensure everything's fine.
    Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks. Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
    Then run ARA and while doing so please ensure the selection screen doesn't have any unwanted default inputs. If followed correctly, this should be of help. I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
    Regards,
    Vivek

  • Risk Analysis fails -  role does not exist or has no authorizations

    Dear all,
    We have added our productive client to the ERP Logical system.
    Then we extracted static and object data from backend and uploaded it to AC.
    We are not able to perform an analysis.
    On role level we get the error message: Warning: ZBC_ALL does not exist or has no authorizations
    When checking in debugger we do find authorizations!
    Actions:12
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     S00     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SBWP     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SM35     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SM36     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SMXX     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SO01     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SP02     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU3     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU51     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU52     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU53     
    LAS     2     ZBC_ALL     ZBC_ALL     T-LV210004     SU56
    Objects/AuthKeys:9
    LAS     ZBC_ALL     2     ZBC_ALL     S_BTCH_ADM||BTCADMIN     15     1     4     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_WFAR_OBJ||ACTVT     36     1     22     03          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_ADMI_FCD||S_ADMI_FCD     8     1     1     ' '          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_DATASET||ACTVT     21     1     8     34          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_DATASET||ACTVT     21     1     8     33          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_DEVELOP||ACTVT     1     1     9     03          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     DELE          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     FREE          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     LOCK          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     REOG          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     IMPO          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     EXPO          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     AONL          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_BDC_MONI||BDCAKTI     48     1     2     ABTC          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_OC_ROLE||OFFADMI     37     1     14     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_GROUP     5     2     17     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_ACTION     5     1     17     VARIANT          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_ACTION     5     1     17     SUBMIT          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_PROGRAM||P_ACTION     5     1     17     BTCSUBMIT          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_C_FUNCT||CFUNCNAME     12     2     7     *          false
    LAS     ZBC_ALL     2     ZBC_ALL     S_C_FUNCT||ACTVT     12     1     7     16          false
    Total:21 lines
    Total:9 Auth Key Map (key=PG) entries
    Total: 9 Obj Map (key=AK) entries
    What could cause the problem?
    Fast response = karma
    Kind Regards,
    Vit

    Hi Vit,
    Did you run any job after you added one system to logical systems?
    Please import role: ZBC_ALL through incremental role sync job for the system you have entered in ERP logical landscape.
    Once it is completed, then schedule batch risk analysis Job for this role.
    Then schedule Management report update.
    Run Role Level analysis again and check.
    Thanks
    Jasmine

  • SAP GRC 10.0 Risk Management - Forecasting Horizon Scoring Analysis Mode

    Hi everyone,
    In SAP GRC 10.0 Risk Management Support Package 7, we need to assess a corporate risk by performing an automatic analysis aggregation based on a scoring analysis profile.
    The problem is that corporate risks must be created based on a forecasting horizon.
    So, can we create forecasting horizons with scoring analysis mode? How? Must be enabled through customizing or applying a SAP note?
    Best Regards,
    Chema Traveso

    Hi,
    I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if a Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
    It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.

  • SAP GRC AC 5.3 - RAR Risk analysis Error Log

    Hi
    I have scheduled the background job for full sync risk analysis for the first time. The job ended with status error. Critical analysis, user, role and profile action analysis is shown 100%, but the user permission analysis shows 49%, role and profile permission analysis show 97% each. Where can I check the log for the errors? Do I need to run the whole risk analysis job again? When I check the management reports, risk violations are shown as zero. Please let me know how I can proceed at this stage. Thanks
    Regards
    Prasad

    Thanks.
    First time please do for all users. I assume this was first time and it failed, so I will suggest you schedule for all.
    Once these are done, then periodic jobs should be incremental.
    Few tips:
    - schedule user sync separate job and once it finish only then schedule role sync and when role sync finishes, only then schedule profile sync
    - always select system ids from search help (which is F4 in ABAP)
    - best schedule one job per system id, so that when failure occurs, so that error analysis is easy
    regards,
    Surpreet

  • GRC BO AC 10.0 Risk Analysis & Role management from SRM

    Hi Gurus,
    Anyone know if GRC AC 10.0 can analyze and manage (create/modify) the SAP SRM (Portal Based) Role and User?
    Thank you,
    Luigi

    Hi Vishal,
    The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
    3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
    They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
    You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
    There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
    The parameter descriptions in question are:  
    1085 - Stop Role Generation if violations exist
    3011 - Conduct Risk Analysis before Role Generation
    3014 - Allow role generation with Permission Level violations
    Regards, Simon

  • Can we do risk analysis at org level

    Hello experts,
    Can we do risk analysis in SAP GRC at org levels?
    sanjay

    Hi Sanjay,
    In RAR , under the Tab informer -> Risk analysis  , you can trigger the risk analysis at Org Level.
    Regards
    -Ranjiv

  • Critical Action and Role/Profile Analysis job in not running in GRC 5.3

    Hi Team,
    I am working for a client where GRC 5.3 is installed (support pack 4 and patch 1).
    The installation is complete and also the post processing is done.
    We have scheduled a periodic ( weekly ) incremental background job for Critical Action and Role/Profile.
    Following are the parameter setting used:
    Task: Risk Analysis -Batch
    Batch Mode : Incremental
    First time it ran successfully on 28th June'09 and it is completed with spool also. But next time it is supposed to run on 4th of July'09. But it does not. And since then it is in same state.
    I am not able to find any reason why it is behaving this way where other incremental jobs are running successfully.
    It will be helpful if anyone can guide me providing the solution.
    Regards,
    Kakali

    Hi Varun,
    I go to the Job History Button. It shows the following data only :
    2009-06-28 00:00:59 Done Job Completed successfully
    2009-06-27 23:45:00 Started RAR_PE1CLNT100_Critical Action and Role/Profile Analysis started :threadid: 0
    Under the Last Run Column it shows 28th June (Status - completed)
    Under Next Run Date it is showing 4th July
    Following are the list of Updates available From SP05
    When executing the critical roles/profile jobs in background, a message
    "error while executing the Job: null" comes up. ---( this one is for which come under Informer Tab)
    Background job spools are not available after upgrade from 5.2 to 5.3.
    Critical action and critical role/profile analysis cannot be run in
    background by system. --- ( But in my case It ran for once )
    Selection parameters (System, User and User Group) have been provided for
    "Critical Action and Role/Profile Analysis" in Configuration->Background
    Job->Schedule Job. --- ( it means it run usually)
    Critical Actions report in detail view shows no results after executing the
    Risk Analysis Job in the background. The same report shows data when
    executed in the foreground. ( this one is for which come under Informer Tab )
    When there is only one periodic job configured in RAR, this job fails to
    start after the first time in the specified time. (this is not true, because there are other periodic jobs running successfully)
    Unable to run Informer - audit reports - critical role and profiles with
    logical systems. ( this is again under Informer Tab )
    I had gone through this earlier also, but not able to match any update with my problem. If you have any other suggestion you can provide me the same.
    Is there any way to check for job log so that I can check what is the problem. View Log option is also greyed out as we have sap logger set up as a default logger Parameter. I have made it enable just to check but there is nothing.
    Please Guide.
    Regards,
    Kakali

  • Error while performing Risk Analysis at user level for a cross system user

    Dear All,
    I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
    The error is as follows:
    "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
    Can anyone please help.
    Regards,
    Gurugobinda

    Hi..
    Check the note # SAP Note 1121978
    SAP Note 1121978 - Recommended settings to improve performance risk analysis.
    Check for the following...
    CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
    ChangeThreadCountStep =50
    InitialThreadCount= 100
    MaxThreadCount =200
    MinThreadCount =50
    Regards
    Gangadhar

  • Running Risk analysis at User Level(CC)

    Hi
    Please clear my query: what is the difference between running the risk analysis at user level Violation count by Risk and Violation count by Permission?
    violation count by Permission, the total number of violations are 377,569.
    Violation count by Risk,the total number of violations are 11,716.
    Thanks & Regards

    Hi Karuna,
    When you perform Risk Analysis at User level and choose violation count by Permission/Risk. Here are the details of each analysis:
    1. Violation Count by Risk
    This analysis will display the count of how many SOD risks associated with the users existing in each business process like FI, HR, MM, PR, SD.
    It will display as a bar graph or pie chart. If you choose each of the business processes and drill down to the particular SOD risk,P001 then you can display how many users have that risk, P001
    2. Violation Count by Permission
    This analysis will display the count of SOD violations at the action/permission level associated with the users existing in each business process.
    If you choose the conflicting functions inside each SOD risk, and then expand on the permission tab you will understand why the huge number of violations it is showing.
    In the Risk information screen, in Conflicting Functions, click the AP02 - Process Vendor Invoices link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values - all come preconfigured out of the box.
    Choose the Permission tab. Expand Action F-42. Open an authorization object to show field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
    Hope this will help you understand better.
    Regards,
    Kiran Kandepalli.
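The difference between the two counts described in the reply above can be reproduced with a small model. This is an added example, not part of the original thread and not SAP GRC's own algorithm: it is a simplified sketch in which a risk is counted once per user, while the permission view counts every pairing of a held permission from one function with a held permission from the other. AP02, F-42, P001 and S_TCODE come from the post; ZF02, ZINV2, ZPAY1, Z_OBJ_INV, Z_OBJ_PAY and the users are hypothetical.

```python
from itertools import product

# Constructed, simplified rule set (not SAP's delivered rules).
# Each function lists permissions as (action, auth_object, field, value).
FUNCTIONS = {
    "AP02": {  # Process Vendor Invoices (name from the post)
        ("F-42", "S_TCODE", "TCD", "F-42"),
        ("F-42", "Z_OBJ_INV", "ACTVT", "01"),
        ("F-42", "Z_OBJ_INV", "ACTVT", "02"),
        ("ZINV2", "S_TCODE", "TCD", "ZINV2"),
        ("ZINV2", "Z_OBJ_INV", "ACTVT", "01"),
    },
    "ZF02": {  # hypothetical conflicting function
        ("ZPAY1", "S_TCODE", "TCD", "ZPAY1"),
        ("ZPAY1", "Z_OBJ_PAY", "ACTVT", "01"),
        ("ZPAY1", "Z_OBJ_PAY", "ACTVT", "03"),
    },
}

# A risk is a pair of conflicting functions.
RISKS = {"P001": ("AP02", "ZF02")}

# Constructed users: the set of (auth_object, field, value) each one holds.
USERS = {
    "ALICE": {
        ("S_TCODE", "TCD", "F-42"), ("S_TCODE", "TCD", "ZINV2"),
        ("S_TCODE", "TCD", "ZPAY1"),
        ("Z_OBJ_INV", "ACTVT", "01"), ("Z_OBJ_INV", "ACTVT", "02"),
        ("Z_OBJ_PAY", "ACTVT", "01"), ("Z_OBJ_PAY", "ACTVT", "03"),
    },
    "BOB": {
        ("S_TCODE", "TCD", "F-42"), ("S_TCODE", "TCD", "ZPAY1"),
        ("Z_OBJ_INV", "ACTVT", "01"), ("Z_OBJ_PAY", "ACTVT", "01"),
    },
    "CAROL": {  # only one side of the conflict, so no SoD risk
        ("S_TCODE", "TCD", "F-42"), ("Z_OBJ_INV", "ACTVT", "01"),
    },
}


def held_permissions(function_id, auths):
    """Permissions of a function that the user's authorizations satisfy."""
    held = set()
    for action, obj, field, value in FUNCTIONS[function_id]:
        # The permission only counts if the user can also start the action.
        can_start = ("S_TCODE", "TCD", action) in auths
        if can_start and (obj, field, value) in auths:
            held.add((action, obj, field, value))
    return held


def violation_pairs(risk_id, auths):
    """Every pairing of a held permission from each conflicting function."""
    left, right = RISKS[risk_id]
    return list(product(sorted(held_permissions(left, auths)),
                        sorted(held_permissions(right, auths))))


def violation_counts(users):
    """Return (count by risk, count by permission) over all users."""
    by_risk = by_permission = 0
    for auths in users.values():
        for risk_id in RISKS:
            pairs = violation_pairs(risk_id, auths)
            if pairs:
                by_risk += 1                 # one hit per user and risk
                by_permission += len(pairs)  # one hit per permission pairing
    return by_risk, by_permission


if __name__ == "__main__":
    risk_count, permission_count = violation_counts(USERS)
    print(f"by risk: {risk_count}, by permission: {permission_count}")
```

With only three users and one risk the permission view is already roughly ten times the risk view, which is the same effect behind the 377,569 versus 11,716 figures in the question.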

  • Inconsistency Data between Role Level & User Level Risk Analysis

    Hi,
    When we run Role Level Risk Analysis for a role (Ex: XYZ), there are no SOD conflicts. But when we try to run the user level analysis, this role shows SOD conflicts. I mean, XYZ is assigned with other roles. Combination of other roles access may bring SOD conflict, that's fine, but here the challenge is role XYZ itself has SOD conflicts. The same does not appear when we run Role Level Risk Analysis!!
    How could this happen??
    Thanks,
    Karthik

    Hi Karthik,
    The role might be mitigated at role level.
    In RAR Analyze tool, click -More options to expand the selection options
    Choose "Exclude Mitigated Risks: No"

  • User Analysis at Permission Level - Detail Report (RAR SP12)

    Hello All,
    I have a question regarding the User Level Analysis at Permission level report. Currently, we are on GRC Access control 5.3 SP12.
    Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.
    But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" name in the Permission Object Column and "Transaction Code" name in the Field column.
    Look forward to hearing from you all.
    Thanks in advance,
    Regards,
    Angelica

    Hi Angelica,
    This behaviour is ok for those risks in which you have not enabled any Object/Field value. It will pick S_TCODE Object and show you the risk.
    This is useful because -
    1. If you have risks defined at Tcode level - you can still catch them while running risk analysis at permission level.
    2. If you have Object Values defined in risk and you are running permission level analysis it will show risk only if Object Values meet. In that case permission level risk analysis will not show risk if there is no actual risk.
    3. Running risk analysis at Action level can show false positives when risk is defined at Object level. So, it is always better to run analysis at permission level, it will bring all actual risks skipping false positives.
    4. You can run only one level risk analysis in CUP and ERM and permission level covers all risks.
    If you have risk defined at Object Level and the role/user is not fulfilling all values, it should not show in permission level. In your case, if it is showing only "Transaction code check at start"  and the risk is defined at Object Level, then sure it is a bug.
    Regards,
    Sabita

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldn't maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Critical Action and Role/Profile Analysis

    Hi,
    I want to know the purpose of the Batch Risk Analysis back ground job "Critical Action and Role/Profile Analysis" in RAR 5.3.
    I'm assuming that I need not run this job if I do not want the critical roles/profiles like SAP_ALL to be analysed which were defined to be critical in rule architect.
    Please let me know if there is any other purpose to run the BG job "Critical Action and Role/Profile Analysis".
    Thank you,
    Partha

    Hello Partha,
      You got this right. It will analyze the defined critical actions/roles/profiles.
    Regards, Varun
