GRC AC 10.0 Risk Terminator Bug

Similar Messages

• Problem with RFC for Risk Terminator - GRC 5.2 SP12

  We are having a problem with the RFC connection for Risk Terminator in one of our SAP environments.  It is working in our 'DV3' environment, but not in our 'RT3' environment.  Everything is set up just the same in both environments and all SAP Adaptors show green.
  This was working in RT3 when we first upgraded to GRC 5.2 last November, but it now gives me an error when I do an update with PFCG and it calls RT.  The error message and our Basis support group both say the RFC needs to be 'registered', but our SAP Support contact during our upgrade said it does not, and I can't find any documentation that says this is required also.  Plus it was working before even though it was unregistered.
  What is causing this problem and how do I resolve it?
  Also, if these RFCs do not have to be registered, is there some documentation that states this that I can show to our Basis group?
  Thanks.

  What about the question of the RFC needing to be registered?  This is the solution our Basis group thinks is required, so it will be hard to get them to do anything else until this issue has been addressed.
  Thanks.

• GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

  Hi All,
  After having seen the configuration for Risk Analysis- Risk Terminator and Role Management , I observed that there is very little difference  for eg parameters 1085 and 3011 ,3014 .  If we configure all three parameters to TRUE which one would take effect ?Can anyone let us know under what circumstances we must configure RT and Role Management . BRM to has a whole lot of new features which supercede RT. 
  Best Regards,
  Vishal

  Hi Vishal,
  The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
  3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
  They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
  You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
  There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
  The parameter descriptions in question are:  
  1085 - Stop Role Generation if violations exist
  3011 - Conduct Risk Analysis before Role Generation
  3014 - Allow role generation with Permission Level violations
  Regards, Simon

• Risk terminator - Works in one system but not in the other

  Hi
  I have two SAP systems which is connected to one GRC system. Risk Terminator works well for the one system but does not work at all for the other.
  I have done the necessary configuration, set-up the RFC connector, tested the connectors, tested the connections from the GRC system. All seems fine but when I create a role in PFCG risk terminator does not seem to be trigged at all in my one system.
  Please advise
  Regards
  Mo

  I would check the adapter for the other system and that the external program is maintained correctly along with all the settings in /VIRSA/ZRTCNFG

• Risk Terminator ECC 6 - CC 5.2 - RFC  Test: Program not registered

  Dear board,
  I am configuring the risk terminator functionality and stumble accross problems with the setup of the RFC destination from ECC to the CC. The connection test fails with "ERROR: program GRCRTTOCC5X not registered".
  The RFC connection is of type TCP/IP, Registered Server Program, Default Gateway Value and Gateway host/service information I took from another working rfc connection.
  The RFC connection is equal to the one set up in the RT configuration transaction, I have set up a dedicated connector on the CC with direction outound and GRCRTTOCC5X as report.
  I have furthermore noticed that I am not able to active the SAP Adapter in the CC yet, a JCO error appears.
  Any ideas?
  Kind regards and many thanks,
  Richard

  Hi Richard,
  I am sorry to bother you and distract with this query, but couldn't find your email in your profile.
  Could you please contact me regarding your SPNego problem discussed in
  SPNego - Windows integrated Single-Sign On not working - How to debug?
  We are facing the same issue and I was curious whether you had a solution?
  <b>Thanks so much</b>, Emir
  My email is emirce at gmail dotcom.

• RFC issue in RAR 5.3 Risk Terminator

  Hi,
  We have RAR 5.3 with Risk Terminator configured. Since last couple of days, Risk Terminator is not working for one of our back end system.
  Getting below error message :
  "SAP Adapter has a problem, SOD violations will not be checked !!!
  Please check with your system Administrator
  Technical Info:
  senderAgreement not found: lookup of binding via CPA-cache failed for AdapterTyp"
  I have verified the configuration setting and confirmed below things:
  1. Config program do have RFC destination which is defined with registered program GRCRTTOCC5X
  2. The same program name is defined in the RAR connector with Outbount selected
  3. The SAP Adapter is Green. I have turned it off / on
  It was working well till few days back.
  Any suggestion would help a lot.
  Adeep

  Hi Deepak,
  Can you change your Program ID (GRCRTTOCC5X)  to any other name in your back end as well as RAR Report name  also.
  It will work.
  Regards
  Shiva.
  Edited by: Siva K Kumar on Jul 27, 2010 7:36 PM

• Risk Terminator error CPIC-CALL: 'ThSAPCMRCV' : cmR

  Hi,
  I have configured risk terminator. I have tested the RFC connection and it seems fine and referenced this in the configuration. However I get an error when I go to add a role to a user. It attempts to execute a risk analysis and then returns an error.
  connection to partner 'X' broken / CPIC-CALL: 'ThSAPCMRCV' : cmR
  I seem to have all configuration set correctly. Except for one question- do I need a unique report name for each system connector e.g. if I use GRCRTTOCC5X for my R/3 system, can I also use it for SRM system?
  Anyone have any ideas about this error?
  Thanks,
  Niamh

  Hi Sunny,
  after some testing I figured out the problem. Because I am working with an ECC6.0 system that has been upgraded, I needed to check the unicode flag on the risk terminator RFC connection. It now works and I am no longer getting the error.
  Niamh

• GRC AC 10.1 - Risk Analysis: No rules were selected

  Hi All,
  I'm currently configuring the ARA module in GRC AC 10.1, and an facing this issue. When I run my User Analysis, its throwing an error message "No rules were selected'.
  As per your suggestions from discussions, i double checked all the below activities
  Activate the BC sets
  Run Sync Jobs
  Run Batch Risk Analysis
  After all this I found that the functions are not mapped to the logical groups(Back-end Systems) I have defined. Can you please let me know how to make sure you have correct back end system(logical Group) updated for the functions in the setup? Doesn't the configurations Connector/Connector Groups etc already mapped the functions to the back-end system? It would be a hell of work to do all the system mapping on function level manually.

  Hi Narsimha
  You need to map your connectors to the logical systems that are used in the function definitions
  Look at your integration framework Setup in the IMG.
  Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
  Also, for 10.1 there was an issue with logical systems. It may be that your configuration is correct: Re: GRC 10.0 SP14 - Poblems when generating rules for logical systems
  Regards
  Colleen

• SAP GRC 10.0 ARA - Risk Analysis Job naming

  Dear all,
  Once i trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at backend. But at Business Client i put a specific naming for hits role. It could be possible to change this backends namings? It is impossible for me recognised which job is which...
  thank you in advanced,

  Hi Sara,
  please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM)
  Regards,
  Markus

• GRC 5.3: CUP risk analysis VS. RAR risk analysis

  I've installed and configured RAR and CUP.  When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts.  When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged.  Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

  >
  Frank Koehntopp wrote:
  > I guess the behaviour is on purpose.
  >
  > In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
  >
  > In CUP, you do want to see any kind of risk that might arise from a role assignement to a user.
  >
  > I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???
  Hi Frank,
  I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) than Permission Level Risks Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigates appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
  I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimatley simulate if adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
  Let me know if I need to clarify further.

• GRC AC 10- ARA Risk violation does not show any thing

  Hi Expert,
  GRC AC 10.0 SP14
  Steps to reproduce error
  Reports and Analytic -> Risk violations. The dialog opens up but does not show any thing. Please see the attachment for your information
  We have installed Abode flash player already.
  Any suggestion will be of great help.
  Thanks,
  Kailsh

  Hi Kailash,
  Does this issue occur with other dashboard reports too or only with risk violations?
  Also, can you check if the batch risk analysis has been successfully completed?
  Thanks
  Sammukh

• Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

  Hi,
  We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
  When we defined the role and maintained authorization data and proceeding without running risk analysis the role is moving to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon click on Save & COntinue it is proceeding to further stages.
  Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to next stage.
  We arleady set the paramater 3011 as YES - Conduct Risk Analysis before Role Generation.
  Thanks and Best Regards,
  Srihari.K

  Hi,
  Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
  "Set the value to YES to automatically perform risk analysis when the user generates roles."
  This parameter applies only at generation stage.
  Cheers,
  Diego.

• GRC 10.0 Adhoc Risk Analysis

  Hi Guys,
  Is there any risk or chances of loosing data if the below listed table is cleaned up?
  GRACSODREPDATA
  GRACSODREPINDEX
  GRACSODREPSTATUS
  I just wanted to know if these tables are cleaned up and if we want any historical data may it be tcode analysis report or risk analysis report, can we get the historical data?
  Thanks & Regards
  Ratan

  Dear Ratan,
  you should study the following document: http://service.sap.com/sap/support/notes/1580877
  Regards,
  Alessandro

• GRC AC 10 - batch risk analysis does not bring results

  Hi all,
            When I perform a batch RA the job ends quickly and bring no results. It takes like a sec per user.
  I am running it from rules that became from a Logical group. When I upload the rules to a physical system it brings results.
  What can I do??

  Hi Kailash,
  Does this issue occur with other dashboard reports too or only with risk violations?
  Also, can you check if the batch risk analysis has been successfully completed?
  Thanks
  Sammukh

• GRC AC 10 (BRM) Risk Analysis Report type is editable

  Hi,
  In  GRC10 – BRM  Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
  When i start to create a role in the Risk Analysis step, Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But exist the option to deselect "Permission Level". 
  As you can Permission level is always selected and not editable?
  Regards

  Hi,
  I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
  Also, if we change default value of check box, Cristian can set non-editable fields through SE80.