GRC AC 10.1 - Risk Analysis: No rules were selected

Similar Messages

• GRC AC 10 - risk analysis : No rules were selected

  Hi,
  In GRC AC 10, when I do a risk analysis (user level for example).
  For each userid the result shown in the column action is "No rules were selected "
  any idea ?
  Thanks
  Aurélien.

  Hi Vikas,
  Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
  3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
  I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
  1. SAP Basis
  2. SAP CRM
  3. SAP ECCS
  4. SAP HR
  5. SAP R3 NON HR Basis Logical Group
  6. SAP R3
  7. Logical Group
  AND ALSO
  8. The DESCRIPTION of my RFC Connector ?!
  Now my question is as follows:
  1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
  2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
  Your advice would be appreciated.
  Best regards,
  Paul

• SAP GRC 10.0 ARA - Risk Analysis Job naming

  Dear all,
  Once i trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at backend. But at Business Client i put a specific naming for hits role. It could be possible to change this backends namings? It is impossible for me recognised which job is which...
  thank you in advanced,

  Hi Sara,
  please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM)
  Regards,
  Markus

• GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

  Hi All,
  After having seen the configuration for Risk Analysis- Risk Terminator and Role Management , I observed that there is very little difference  for eg parameters 1085 and 3011 ,3014 .  If we configure all three parameters to TRUE which one would take effect ?Can anyone let us know under what circumstances we must configure RT and Role Management . BRM to has a whole lot of new features which supercede RT. 
  Best Regards,
  Vishal

  Hi Vishal,
  The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
  3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
  They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
  You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
  There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
  The parameter descriptions in question are:  
  1085 - Stop Role Generation if violations exist
  3011 - Conduct Risk Analysis before Role Generation
  3014 - Allow role generation with Permission Level violations
  Regards, Simon

• GRC AC 10 - batch risk analysis does not bring results

  Hi all,
            When I perform a batch RA the job ends quickly and bring no results. It takes like a sec per user.
  I am running it from rules that became from a Logical group. When I upload the rules to a physical system it brings results.
  What can I do??

  Hi Kailash,
  Does this issue occur with other dashboard reports too or only with risk violations?
  Also, can you check if the batch risk analysis has been successfully completed?
  Thanks
  Sammukh

• Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

  Hi,
  We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
  When we defined the role and maintained authorization data and proceeding without running risk analysis the role is moving to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon click on Save & COntinue it is proceeding to further stages.
  Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to next stage.
  We arleady set the paramater 3011 as YES - Conduct Risk Analysis before Role Generation.
  Thanks and Best Regards,
  Srihari.K

  Hi,
  Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
  "Set the value to YES to automatically perform risk analysis when the user generates roles."
  This parameter applies only at generation stage.
  Cheers,
  Diego.

• GRC 10.0 Adhoc Risk Analysis

  Hi Guys,
  Is there any risk or chances of loosing data if the below listed table is cleaned up?
  GRACSODREPDATA
  GRACSODREPINDEX
  GRACSODREPSTATUS
  I just wanted to know if these tables are cleaned up and if we want any historical data may it be tcode analysis report or risk analysis report, can we get the historical data?
  Thanks & Regards
  Ratan

  Dear Ratan,
  you should study the following document: http://service.sap.com/sap/support/notes/1580877
  Regards,
  Alessandro

• GRC 5.3: CUP risk analysis VS. RAR risk analysis

  I've installed and configured RAR and CUP.  When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts.  When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged.  Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

  >
  Frank Koehntopp wrote:
  > I guess the behaviour is on purpose.
  >
  > In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
  >
  > In CUP, you do want to see any kind of risk that might arise from a role assignement to a user.
  >
  > I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???
  Hi Frank,
  I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) than Permission Level Risks Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigates appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
  I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimatley simulate if adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
  Let me know if I need to clarify further.

• GRC AC 10 (BRM) Risk Analysis Report type is editable

  Hi,
  In  GRC10 – BRM  Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
  When i start to create a role in the Risk Analysis step, Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But exist the option to deselect "Permission Level". 
  As you can Permission level is always selected and not editable?
  Regards

  Hi,
  I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
  Also, if we change default value of check box, Cristian can set non-editable fields through SE80.

• GRC 5.3: CUP asks to perform risk analysis even when there are no risks in request

  Hi All,
  We recently upgraded from GRC 5.3 SP13 to SP22.
  The one issue which we are facing after upgrade is that now CUP is forcing approvers to do Risk Analysis, even when there are no risks in the CUP Request, that is Risk Tab is Green.
  Previously approvers were able to approve requests without doing risk analysis, if there were no risks in the request.
  CUP used to force them to do risk analysis only when there were risks associated with requests.
  But now, it is forcing approvers to perform risk analysis, even if there are no risks, i.e. approvers are not able to approve requests without any risks without doing risk analysis.
  Please advise.
  Thanks
  Aditi

  Hi,
  Can you check if any change is made in Configuration -> Workflow -> Stage -> Approvers
  Regards,
  Claudio

• GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job

  All -
  We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
  The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
  For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
  We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in this groups that have other roles in addition to these excluded roles that need to be checked.
  Does anyone have any recommendations for how to excluded roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
  Thanks,
  Darnell

  Hi,
  Was a solution found for this error?
  Thanks,
  Glen

• AC10.0 RAR risk analysis

  GRC Gurus,
  I have configured GRC10.0 for AC and trying to run the risk analysis for role/user level but no data is showing up. I could select the connector and roles, but after running the risk analysis no results are coming up.
  Any help is appreciated.
  Thanks.

  Hello Bhanu,
  Will you please let me know the solution ??
  Even we are facing the same problem.
  We can see the system , also see the roles , the users and also ran the background job to execute the risk analysis to perform user, role ,profile analysis from SPRO.
  Also note that we have already uploaded txt files for SOD rules.
  When we run the report for any user or any role the result is nill .
  Please suggest how did you resolve the issue ??
  Can you also tell me how can you generate "rule Id" manually for uploaded risk id ?? from NWBC or SPRO
  We tried via  SPRO>GRC>AC-->Access Risk Analysis >Sod Rules>Generate SOD Rules
  It ran successfully but the rpeort does not give any output !!
  Thanks in advance.
  Regards,
  Victor

• Getting "Risk Analysis Failed " error while raising request from IDM

  Hi friends,
  Some of the User to Role mapping requests from IDM did not reach CUP (request ID = null) . When noticed the VDS log , we found the error from GRC webservice to be Risk Analysis Failed . We thought it might be an RAR issue , however , the request just got through CUP when submitted from GRC webservice directly . From RAR perspective also, everything looks ok .
  Please provide your thoughts as to whether this error is pertaining to some other issue or suggest me what I can check in Identity center to correct this .
  Thanks in advance for your help .

  The connector set up are all looking correct . However the requests are not getting raised in many cases .
  At one point we identified that , since our SAP systems have been migrated to DB2, some of the systems were down .
  So when the system is down we decided , Risk analysis is failing . however , now the systems are up and running and still the risk analysis is failing .

• Different Risk Analysis Results with 10.0 and 10.1

  Hello,
  I do not understand why I get different results with 10.0 and 10.1. Exactly the same ruleset is applied!
  Definition in 10.0 and 10.1:
  Analyzed Role (which definitely contains the SOD):
  Version GRC 10.0 finds the SOD S_FI14 and displays it. In 10.1 nothing is displayed...Any ideas what's the problem?
  Regards
  Peter

  We had similar issues with 10 and 10.1.
  We applied an SAP Note about logical groups and the ruleset, it did not work.
  What did work:
  When performing Risk Analysis, remove the Ruleset selection criteria (use the minus button).

• ARA: Excluded Roles considered for Risk Analysis???

  Hi,
  There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
  Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
  I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
  Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
  Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
  May I know why system is considering these "excluded" roles at the time of risk analysis?
  Please advise.
  Regards,
  Faisal

  Alessanrdo,
  I think the "excluded" objects in path:
  SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
  itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
  I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
  Please correct me, if required.
  Secondly, I found 2 relevant posts here on SCN:
  SAP GRC Access Control: Offline-Mode Risk Analysis
  SAP GRC 10.0 Offline Risk Analysis
  Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
  I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
  Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
  May you please let me know in which scenario this would be useful?
  Regards,
  Faisal