GRC AC 10.0 Risk Analysis - Risk Terminator Vs BRM - Role Management

Hi All,
After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085 and 3011, 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM too has a whole lot of new features which supersede RT.
Best Regards,
Vishal

Hi Vishal,
The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
The parameter descriptions in question are:  
1085 - Stop Role Generation if violations exist
3011 - Conduct Risk Analysis before Role Generation
3014 - Allow role generation with Permission Level violations
Regards, Simon

Similar Messages

  • Risk Analysis of created or changed Roles automation

    Does anyone know how to automate the risk analysis directly in the backend SAP system when a role is created or changed without implementing Risk Terminator?  We are using GRC AC 10.0 with support pack 16 active and all I can find to activate this ability is to implement Risk Terminator.  In GRC 5.3, there were settings that you could set and the functionality became active at the tcode (transaction) level and then again at the permission level when you attempted to generate the profile.  Can this be done in GRC 10?
    Thanks --
    Sara B.

    Hello Sandeep,
    Doing Org Lvl Analysis is not so simple in RAR.
    Firstly this is only user based.
    For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
    As mentioned by you, org lvl are already enabled and make sure their value is $.......,
    Reason being Org Rules will be generated at runtime and then analysis will be done.
    It will be better you take help of SAP on this. As they have document which will be very helpful to you.
    Regards,
    Surpreet

  • GRC AC 10: How to generate Access Rule? No output from User or Risk Analysis

    Hello Gurus,
    We have done configuration of GRC AC 10, and uploaded files via
    SoD rules -->Upload Rules
    After that we generated SoD rules for Risk Id : B001 and B002
    Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
    The report shows (for Group Rule level : Action)
    Number of Active rules : 0
    Number of Disabled Rules : 0
    Number of Functions :  151
    Whereas for Group Rule level : Action Risk
    The report shows
    Number of Active Risk : 42
    Disabled risk : 161
    Nmr. of functions : 151 .
    When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
    Note: All the background jobs have run successfully.
    Also the SoD files also have been uploaded successfully.
    Will you please guide how can I activate the "rules" for the uploaded risk?
    regards,
    Victor

    Hello Victor/ Inder,
    For Risk ID B001 functions are BS02 and BS11. If you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
    Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
    BUSINESS     Business Roles     SAP
    SAP_BAS_LG     SAP Basis     SAP
    SAP_CRM_LG     SAP CRM     SAP
    SAP_ECC_LG     SAP ECCS     SAP
    SAP_HR_LG     SAP HR     SAP
    SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
    SAP_R3_LG     SAP R3     SAP
    SAP_SRM_LG     SAP SRM     SAP
    (If not present then manually you can create the same)
    Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain your connector.
    Post this activity regenerate SOD for B001 and then check for user level and role level analysis.
    Hope it will resolve your issue.
    Regards,
    Sudesh

  • Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

    Hi,
    We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
    When we defined the role and maintained authorization data and proceeding without running risk analysis the role is moving to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon click on Save & Continue it is proceeding to further stages.
    Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to next stage.
    We already set the parameter 3011 as YES - Conduct Risk Analysis before Role Generation.
    Thanks and Best Regards,
    Srihari.K

    Hi,
    Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
    "Set the value to YES to automatically perform risk analysis when the user generates roles."
    This parameter applies only at generation stage.
    Cheers,
    Diego.

  • Role Based Risk Analysis Report

    Hello All,
    When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  This is the correct response.
    However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
    Also, when I click on the Detail Report button, I received object data that does not appear correct.
    Please Help.  Thanks.
    Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

    Hi Babiji,
    Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis. In addition to what Sneha has said,
    To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level. In Virsa 4.0 you have the option of carrying out risk analysis at role level by executing the t-code /N/VIRSA/ZVRAT.
    In section Analysis type, choose Roles and enter the list of roles.
    In section SOD Risk level, choose the appropriate risk.
    Then choose the appropriate report type and report format before executing it.
    This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
    Thanks,
    Saby..

  • Risk Analysis Failing in ERM 5.3

    Hi All -
    I would appreciate some assistance with pin-pointing an issue that I'm having with running Risk Analysis on roles in ERM. Currently I have RAR configured with the appropriate rule set and generating the expected risk/sod conflicts for users & roles. I have also added the appropriate Web Service Info. in the Misc section under the configuration tab (url, user, pwd) for all sections associated with RAR integration.
    Now when I run a risk analysis on a particular role in RAR i get the correct conflicts however when I get the Risk Analysis stage with ERM I receive the following Error:
    Risk analysis failed; Cannot assign NULL to host variable 5. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO VT_RE_RSK_OBJRULES (OBJCODE, OBJDESC, OBJFLDCODE, OBJFLDDESC, VALFRMID, VALTOID, COND, RSKVIOLID) VALUES(?, ?, ?, ?, ?, ?, ?, ?)".
    I also get this error when trying to run Mass Maintenance --> Risk Analysis:
    Risk anaysis for role "XX:XXXXX" failed
    Before I was getting error: "Risk Analysis performed successfully; No Risk Found" so I referenced SAP Note 1265964 and applied all solution steps.
    Lastly here is the error log:
    2010-01-14 14:59:28,768 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.re.role.actions.RiskAnalysisAction
    java.lang.Throwable: Cannot assign NULL to host variable 5. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO VT_RE_RSK_OBJRULES (OBJCODE, OBJDESC, OBJFLDCODE, OBJFLDDESC, VALFRMID, VALTOID, COND, RSKVIOLID)  VALUES(?, ?, ?, ?, ?, ?, ?, ?)".
         at com.virsa.re.bo.impl.RiskAnalysisBO.saveObjViolations(RiskAnalysisBO.java:906)
         at com.virsa.re.bo.impl.RiskAnalysisBO.performObjLvlRiskAnalysis(RiskAnalysisBO.java:824)
         at com.virsa.re.bo.impl.RiskAnalysisBO.performRiskAnalysisOnSystem(RiskAnalysisBO.java:214)
         at com.virsa.re.role.actions.RiskAnalysisAction.performRiskAnalysisOnMultipleRoles(RiskAnalysisAction.java:609)
         at com.virsa.re.role.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:112)
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:286)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Any help would be greatly appreciated - Thanks in Advance!

    Going to repost

  • CC 5.2 - Risk Analysis on existing roles

    Hello,
    When I submit a change request via AE 5.2 in order to add a role to an existing user,
    does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
    Thank you for your answer.
    Abderrahim

    Hi Abderrahim,
    Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
    Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
    Regards,
    Raghu

  • Risk Analysis in GRC 10.0

    Dear Experts,
    I have configured RAR in GRC 10.0. Sync jobs are successful. Batch risk analysis is successful.
    But when I tried to run a User/Role risk analysis I am not getting any result. I am not sure whether system has run risk analysis or not but I get the confirmation screen with blank result table. Please advise how to fix this issue.
    I appreciate your help.
    Thanks,
    Raj

    Hello Raj,
    Check the below points related to risk analysis
    1. Check once the parameter id in configuration settings
    2. BC set activation
    3. While running risk analysis check backend system name and connector which is configured.

  • GRC AC 10 - risk analysis : No rules were selected

    Hi,
    In GRC AC 10, when I do a risk analysis (user level for example).
    For each userid the result shown in the column action is "No rules were selected "
    any idea ?
    Thanks
    Aurélien.

    Hi Vikas,
    Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
    3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
    I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
    1. SAP Basis
    2. SAP CRM
    3. SAP ECCS
    4. SAP HR
    5. SAP R3 NON HR Basis Logical Group
    6. SAP R3
    7. Logical Group
    AND ALSO
    8. The DESCRIPTION of my RFC Connector ?!
    Now my question is as follows:
    1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
    2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
    Your advice would be appreciated.
    Best regards,
    Paul

  • GRC AC 10.1 - Risk Analysis: No rules were selected

    Hi All,
    I'm currently configuring the ARA module in GRC AC 10.1, and am facing this issue. When I run my User Analysis, it's throwing an error message "No rules were selected".
    As per your suggestions from discussions, I double checked all the below activities
    Activate the BC sets
    Run Sync Jobs
    Run Batch Risk Analysis
    After all this I found that the functions are not mapped to the logical groups (Back-end Systems) I have defined. Can you please let me know how to make sure you have correct back end system (logical Group) updated for the functions in the setup? Don't the configurations Connector/Connector Groups etc. already map the functions to the back-end system? It would be a hell of work to do all the system mapping on function level manually.

    Hi Narsimha
    You need to map your connectors to the logical systems that are used in the function definitions
    Look at your integration framework Setup in the IMG.
    Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
    Also, for 10.1 there was an issue with logical systems. It may be that your configuration is correct: Re: GRC 10.0 SP14 - Poblems when generating rules for logical systems
    Regards
    Colleen

  • Risk analysis Report Error in GRC AC 10.0

    Dear GRC,
    I had a problem with Risk analysis Report in GRC Access Request form.
    When I run the Risk analysis report on Action Level, Permission Level, Critical Action Level and Critical Permission Level then report showing as "No Violations" but if I run the Risk analysis report only on Critical Action Level and Critical Permission Level then report showing too many Violations.
    I maintained Action Level, Permission Level, Critical Action Level and Critical Permission Level as default risk analysis type in SPRO Configuration Parameters settings.
    I am not understanding why system behaves like this. Could you please help me on this.
    System Details : GRC AC 10.0 , SP-12
    Thanks a lot for swift response.
    Best Regards,
    RK

    Hi GRC Team,
    Please help me on this. I am waiting for your reply.
    Regards,
    KR

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
    But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activities maintained at all. We have created the MSMP workflow where all CUP requests with risks should go to the Security Stage. Now we have the situation that even though our roles are clean, they are forwarded to the Security stage. It is a huge problem, because our security stage now has even more to do than before using GRC! Because the deactivated objects are identified as risks.
    Please advise me how to solve the problem. Did I miss some config parameters or is it a well known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro

  • SAP GRC 10.0 ARA - Risk Analysis Job naming

    Dear all,
    Once I trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at backend. But at Business Client I put a specific naming for this role. Could it be possible to change these backend namings? It is impossible for me to recognise which job is which...
    Thank you in advance,

    Hi Sara,
    please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM)
    Regards,
    Markus

  • GRC 10 - Risk Analysis in legacy system

    Hi everybody,
    I have a problem with legacy connectors in GRC 10. I implemented the note 1594963. So, I created the legacy files and stored them on the GRC server.
    When I run the user synch, the legacy connector only synchs the first record.
    Can someone help me? Has anyone implemented a risk analysis for legacy systems?
    Regards,

    Hi  Claudio Ekel
    Can you share some inputs on the Legacy Risk Analysis.
    We have configured the Legacy Connector as per the note 1594963; placed the files on the server and tried running Synchronization Jobs. But the data is not getting uploaded to GRC10.
    We made sure that text files are in UTF-8 format
    Is it mandatory to load all the 11 files that are provided in the note 1594963? We have excluded the Profile related files
    Can you share a sample of Legacy file formats that you have used for the sync.
    Can you throw some light on what could be the possible issues for data not getting uploaded to GRC10?
    Regards,
    Pavan Muthyala

  • Risk analysis in GRC 10 error "Subnode COMPONENTCONTROLLER.1.SEARCH.RESULT"

    HI
    We have configured Risk analysis application within GRC 10. Also have executed the sync jobs. Now when I try to do SOD analysis I am getting an error "FPM application started without configuration". This comes even before opening the link to SOD analysis is even open and this error comes for all type of SOD analysis like for user and role and HR object.
    I checked the log file and in the logs the system is complaining that "Subnode COMPONENTCONTROLLER.1.SEARCH.RESULT_TABLE" does not exist.
    Any idea why we are getting this error message?
    Parven

    HI
    Connector is working fine as sync jobs are running perfectly.
    We have done the minimum configuration setting as suggested by SAP guide, i.e. Parameter 1023, 1024, 1025 and 1026.
    For activating BC sets I think we need to do that only when you are using out of box SOD rules. In our case we are using customised SOD rules. So I think we don't need to activate the BC set.
    any other suggestion
    Parveen
