GRC Access Control 5.3 - RAR Risk Analysis in offline mode
Hi expert,
I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate User Action file the ABAP have a problem when try to get a COMPOSITE ROLE field for a Role that is asociate to many Composite role as the unique record consists of fields IDUSER, ROLE and ACTIONFROM . Someone know how we can solve this conflict?
Best Regards!
I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how fill it when the Single Role belongs to multiple Composite Roles. This is because of the primary key, we can't make multiple records for each userid/role combination, each one with one different Composite Role, such as the following example:
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
Hope I explained myself. Thanks for your help.
Similar Messages
-
GRC Access Controls v5.3 RAR Batch Job Risk Analysis Incr Analysis
Hi All!
re: GRC Access Controls v5.3 RAR Batch Job Risk Analysis Incr Analysis
Can anyone list or direct me to a help link that has the progress list of processes that are contained in this batch job?
Thanks!Hi All,
I have answered my own question. The processes are:
User Permission Analysis
Profile Action Analysis
Role Action Analysis
User Action Analysis
Role Permission Analysis
-john -
Are GRC Access Control, Process Control and Risk Management separate?
Are these 3 different modules that you have to purchase separately or are they included in one suite?
Hi Anne,
If you are refering to GRC Access Controls 5.3, Process Control 3.0 and Risk Management 3.0 - All 3 are separate.
A new version of GRC 10.0 has been launched which is currently in ramp up. This has all the above 3 in one suite.
Thanks and Best Regards,
Srihari.K -
RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error
I have a trouble related with risk analysis at permission level, when the V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear, however performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
At a first time I thought that most probably would be related with the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logical activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this no overpass the limit of 45566 rules defined at RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is u201Cno conflictsu201D:
D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*' for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
I have done the following checks, all of them correct:
- The user/role/profile synchro has been done and all the users has been stored in table VIRSA_CC_
- All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
- All the combinations of rules has been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
Any suggestions?
Thanks in advanceI've detected the same problem for the following authorization objects:
- F_BKPF_BLA||BRGRU
- V_VBRK_FKA||FKART
- M_MSEG_BWE||WERKS
RAR reports no conflicts (at authoriztion level) when these objects are activated (of course having users with these conflicts in back-end systems)
This problem has been proved in the installation of different customer with SAP GRC Access Control 5.3 SP12.
Anybody else has experienced this issue???? -
Users in different systems GRC Access Controls
Hello
Today we have more than 40 systems (dev, quality, prod)
We use access enforcer for provisioning to all these 40 systems.
Is there a way for us to find out if a user account exists in these 40 systems (connectors)?
Example:
User RAMSEY exists in quality, fix, prod r3
exists in prod bw etc.,
Can we find this information in any of the GRC Access Controls products?
ThanksSorry, Prakash. This fuctionality does not exist in CUP. It used to exist in early versions of Access Enforcer (AE.NET). This is a good feature and lots of cutomers want this feature. I hope SAP includes it.
You can find the user using RAR (CC) but again it will be maunal process. You can go to informer -> risk analysis. Over there you can select the system and search for user. If the user exists, it will show up. This will not work, if you have not done user sync from SAP system to RAR.
Regards,
Alpesh Parmar
SAP GRC Manager (PwC) -
Error GRC Access Control 10.0
We have a problem when execute the next steps in GRC Access Control 10.0
SPRO-->Governance, Risk and Compliance>Access Control--> Access Risk Analysis--> Batch RisK Analysis
We applied the next note, but problem is the same.
1563583 - SYSTEM_NO_TASK_STORAGE dump on AIX
Category
ABAP Programming Error
Runtime Errors
ASSERTION_FAILED
ABAP Program
CL_GRRM_DASHBOARD_MENU_AUTH===CP
Application Component GRC-RM
Date and Time
13.03.2013 11:50:04
|Short text
|
|
The ASSERT condition was violated.
|
|What happened?
|
|
In the running application program, the ASSERT statement recognized a
|
|
situation that should not have occurred.
|
|
The runtime error was triggered for one of these reasons:
|
|
- For the checkpoint group specified with the ASSERT statement, the
|
|
activation mode is set to "abort".
|
|
- Via a system variant, the activation mode is globally set to "abort"
|
|
for checkpoint groups in this system.
|
|
- The activation mode is set to "abort" on program level.
|
|
- The ASSERT statement is not assigned to any checkpoint group.
|
|What can you do?
|
|
Note down which actions and inputs caused the error.
|
|
|
|
|
|
To process the problem further, contact you SAP system
|
|
administrator.
|
|
|
|
Using Transaction ST22 for ABAP Dump Analysis, you can look
|
|
at and manage termination messages, and you can also
|
|
keep them for a long time.
|
|Error analysis
|
|
The following checkpoint group was used: "No checkpoint group specified"
|
|
|
|
If in the ASSERT statement the addition FIELDS was used, you can find
|
|
the content of the first 8 specified fields in the following overview:
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|How to correct the error
|
|
Probably the only way to eliminate the error is to correct the program.
|
|
|
|
|
|
If the error occures in a non-modified SAP program, you may be able to
|
|
find an interim solution in an SAP Note.
|
|
If you have access to SAP Notes, carry out a search with the following
|
|
keywords:
|
|
|
|
"ASSERTION_FAILED" " "
|
|
"CL_GRRM_DASHBOARD_MENU_AUTH===CP" or "CL_GRRM_DASHBOARD_MENU_AUTH===CM001"
|
|
"IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED"
|
|
|
|
If you cannot solve the problem yourself and want to send an error
|
|
notification to SAP, include the following information:
|
|
|
|
1. The description of the current problem (short dump)
|
|
|
|
To save the description, choose "System->List->Save->Local File
|
|
(Unconverted)".
|
|
|
|
2. Corresponding system log
|
|
|
|
Display the system log by calling transaction SM21.
|
|
Restrict the time interval to 10 minutes before and five minutes
|
|
after the short dump. Then choose "System->List->Save->Local File
|
|
(Unconverted)".
|
|
|
|
3. If the problem occurs in a problem of your own or a modified SAP
|
|
program: The source code of the program
|
|
In the editor, choose "Utilities->More
|
|
Utilities->Upload/Download->Download".
|
|
|
|
4. Details about the conditions under which the error occurred or which
|
|
actions and input led to the error.
|
|
|
|
|
|System environment
|
|
SAP Release..... 702
|
|
SAP Basis Level. 0012
|
|
|
|
Application server... "KIO13701"
|
|
Network address...... "172.20.1.137"
|
|
Operating system..... "AIX"
|
|
Release.............. "7.1"
|
|
Hardware type........ "00F6C78E4C00"
|
|
Character length.... 16 Bits
|
|
Pointer length....... 64 Bits
|
|
Work process number.. 10
|
|
Shortdump setting.... "full"
|
|
|
|
Database server... "KIO13701"
|
|
Database type..... "DB6"
|
|
Database name..... "DGR"
|
|
Database user ID.. "SAPDGR"
|
|
|
|
Terminal.......... "192.168.0.5"
|
|
|
|
Char.set.... "C"
|
|
|
|
SAP kernel....... 720
|
|
created (date)... "Jul 8 2012 19:43:01"
|
|
create on........ "AIX 2 5 00092901D600"
|
|
Database version. "DB6_81 "
|
|
|
|
Patch level. 300
|
|
Patch text.. " "
|
|
|
|
Database............. "DB6 08.02.*, DB6 09.*, DB6 10.*"
|
|
SAP database version. 720
|
|
Operating system..... "AIX 2 5, AIX 3 5, AIX 1 6, AIX 1 7"
|
|
|
|
Memory consumption
|
|
Roll.... 0
|
|
EM...... 8379584
|
|
Heap.... 0
|
|
Page.... 16384
|
|
MM Used. 6205712
|
|
MM Free. 2170976
|
|User and Transaction
|
|
Client.............. 100
|
|
User................ "LVELASCO"
|
|
Language key........ "E"
|
|
Transaction......... " "
|
|
Transaction ID...... "51400164B1F00C40E1008000AC140189"
|
|
|
|
EPP Whole Context ID.... "5140015EB1F00C40E1008000AC140189"
|
|
EPP Connection ID....... "5140F9B0B19C1150E1008000AC140189"
|
|
EPP Caller Counter...... 1
|
|
|
|
Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
|
|
Screen.............. "SAPMHTTP 0010"
|
|
Screen Line......... 2
|
|
Debugger Active..... "none"
|
|Server-Side Connection Information
|
|
Information on Caller of "HTTPS" Connection:
|
|
Plug-in Type.......... "HTTPS"
|
|
Caller IP............. "192.168.0.5"
|
|
Caller Port........... 44300
|
|
Universal Resource ID. "/sap/bc/webdynpro/sap/grfn_service_map"
|
|
|
|
Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
|
|
Screen.............. "SAPMHTTP 0010"
|
|
Screen Line......... 2
|
|
|
|
Information on Caller ofr "HTTPS" Connection:
|
|
Plug-in Type.......... "HTTPS"
|
|
Caller IP............. "192.168.0.5"
|
|
Caller Port........... 44300
|
|
Universal Resource Id. "/sap/bc/webdynpro/sap/grfn_service_map"
|
|Information on where terminated
|
|
Termination occurred in the ABAP program "CL_GRRM_DASHBOARD_MENU_AUTH===CP" -
|
|
in "IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED".
|
|
The main program was "SAPMHTTP ".
|
|
|
|
In the source code you have the termination point in line 59
|
|
of the (Include) program "CL_GRRM_DASHBOARD_MENU_AUTH===CM001".
|
|Source Code Extract (Source code has changed)
|
|Line |SourceCde
|
| 29|
lv_dashboard = lv_value.
|
| 30|
|
| 31|
TRANSLATE lv_dashboard TO UPPER CASE.
|
| 32|
|
| 33|
CASE lv_dashboard.
|
| 34|
WHEN 'HEATMAP'.
|
| 35|
lv_report = 'GRRM_HEATMAP'.
|
| 36|
|
| 37|
WHEN 'LOSS_OVERVIEW' OR 'LOSS_STRUCTURE' OR 'OB_LOSS_OVERVIEW' OR 'OB_LOSS_STRUCTU|
| 38|
lv_report = 'GRRM_LOSS_ANALYSIS'.
|
| 39|
|
| 40|
WHEN 'OVERVIEW'.
|
| 41|
lv_report = 'GRRM_OVERVIEW'.
|
| 42|
|
| 43|
WHEN OTHERS.
|
| 44|
ASSERT 1 = 2.
|
| 45|
|
| 46|
ENDCASE.
|
| 47|
|
| 48|
EXIT.
|
| 49|
|
| 50|
ENDLOOP.
|
| 51|
|
| 52|
WHEN 'GRRM_LOSS_MATRIX' OR 'GRRM_LOSS_MATRIX_NEW'.
|
| 53|
lv_report = 'GRRM_LOSS_ANALYSIS'.
|
| 54|
|
| 55|
WHEN 'GRRM_HEATMAP_REPORT'.
|
| 56|
lv_report = 'GRRM_HEATMAP'.
|
| 57|
|
| 58|
WHEN OTHERS.
|
|>>>>>|
ASSERT 1 = 2.
|
| 60|
|
| 61| ENDCASE.
|
| 62|
|
| 63| TRY.
|
| 64|
lv_regulation_id = cl_grfn_api_regulation=>if_grfn_api_regulation~get_regulation_id( i|
| 65|
|
| 66|
ev_authorized = cl_grfn_util_rep_auth=>has_rep_auth(
|
| 67|
io_session
= io_session
|
| 68|
iv_regulation_id = lv_regulation_id
|
| 69|
iv_report
= lv_report
|
| 70|
iv_activity
= grfn0_c_activity-print
|
| 71|
|
| 72|
|
| 73|
CATCH cx_grfn_exception.
|
| 74|
ev_authorized = abap_false.
|
| 75|
|
| 76| ENDTRY.
|
| 77|
|
| 78|ENDMETHOD.
|
|Contents of system fields
|
|Name
|Val.
|
|SY-SUBRC|4
|
|SY-INDEX|2
|
|SY-TABIX|1
|
|SY-DBCNT|1
|
|SY-FDPOS|0
|
|SY-LSIND|0
|
|SY-PAGNO|0
|
|SY-LINNO|1
|
|SY-COLNO|1
|
|SY-PFKEY|
|
|SY-UCOMM|
|
|SY-TITLE|HTTP Control
|
|SY-MSGTY|
|
|SY-MSGID|
|
|SY-MSGNO|000
|
|SY-MSGV1|
|
|SY-MSGV2|
|
|SY-MSGV3|
|
|SY-MSGV4|
|
|SY-MODNO|0
|
|SY-DATUM|20130313
|
|SY-UZEIT|115004
|
|SY-XPROG|SAPCNVE
|
|SY-XFORM|CONVERSION_EXIT
|
|Active Calls/Events
|
|No. Ty.
Program
Include
Line |
|
Name
|
| 34 METHOD
CL_GRRM_DASHBOARD_MENU_AUTH===CP
CL_GRRM_DASHBOARD_MENU_AUTH===CM001
59 |
|
CL_GRRM_DASHBOARD_MENU_AUTH=>IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED
|
| 33 METHOD
CL_GRFN_API_MENU_ITEM_ELA=====CP
CL_GRFN_API_MENU_ITEM_ELA=====CM001 126 |
|
CL_GRFN_API_MENU_ITEM_ELA=>IF_GRFN_MENU_AUTH~ITEM_AUTH
|
| 32 METHOD
CL_GRFN_API_MENU==============CP
CL_GRFN_API_MENU==============CM003
34 |
|
CL_GRFN_API_MENU=>IF_GRFN_MENU_AUTH~ITEM_AUTH
|
| 31 METHOD
CL_GRFN_LAUNCHPAD_UIBB========CP
CL_GRFN_LAUNCHPAD_UIBB========CM006
60 |
|
CL_GRFN_LAUNCHPAD_UIBB=>IF_FPM_GUIBB_LAUNCHPAD~MODIFY
|
| 30 METHOD
CL_FPM_LAUNCHPAD_UIBB_ASSIST==CP
CL_FPM_LAUNCHPAD_UIBB_ASSIST==CM001
76 |
|
CL_FPM_LAUNCHPAD_UIBB_ASSIST=>INIT_FEEDER
|
| 29 METHOD
/1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP
/1BCWDY/B_T2POSBAR6C8HPR0XTR4P
410 |
|
CL_COMPONENTCONTROLLER_CTR=>WDDOINIT
|
|
Web Dynpro Component
FPM_LAUNCHPAD_UIBB
|
|
Controller
COMPONENTCONTROLLER
|
| 28 METHOD
/1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP
/1BCWDY/B_T2POSBAR6C8HPR0XTR4P
181 |
|
CLF_COMPONENTCONTROLLER_CTR=>IF_WDR_COMPONENT_DELEGATE~WD_DO_INIT
|
|
Web Dynpro Component
FPM_LAUNCHPAD_UIBB
|
|
Controller
COMPONENTCONTROLLER
|
| 27 METHOD
CL_WDR_DELEGATING_COMPONENT===CP
CL_WDR_DELEGATING_COMPONENT===CM004
9 |
|
CL_WDR_DELEGATING_COMPONENT=>DO_INIT
|
| 26 METHOD
CL_WDR_CONTROLLER=============CP
CL_WDR_CONTROLLER=============CM00V
3 |
|
CL_WDR_CONTROLLER=>INIT_CONTROLLER
|
| 25 METHOD
CL_WDR_COMPONENT==============CP
CL_WDR_COMPONENT==============CM019
24 |
|
CL_WDR_COMPONENT=>INIT_CONTROLLER
|
| 24 METHOD
CL_WDR_CONTROLLER=============CP
CL_WDR_CONTROLLER=============CM002
7 |
|
CL_WDR_CONTROLLER=>INIT
|
| 23 METHOD
CL_WDR_CLIENT_COMPONENT=======CP
CL_WDR_CLIENT_COMPONENT=======CM00E
24 |
|
CL_WDR_CLIENT_COMPONENT=>INIT
|
| 22 METHOD
CL_WDR_CLIENT_COMPONENT=======CP
CL_WDR_CLIENT_COMPONENT=======CM00A
42 |
|
CL_WDR_CLIENT_COMPONENT=>IF_WDR_COMPONENT_FACTORY~CREATE_COMPONENT
|
| 21 METHOD
CL_WDR_COMPONENT_USAGE========CP
CL_WDR_COMPONENT_USAGE========CM009
67 |
|
CL_WDR_COMPONENT_USAGE=>IF_WD_COMPONENT_USAGE~CREATE_COMPONENT
|
| 20 METHOD
CL_FPM_COMPONENT_MANAGER======CP
CL_FPM_COMPONENT_MANAGER======CM003
81 |
|
CL_FPM_COMPONENT_MANAGER=>ADD_COMPONENT
|
| 19 METHOD
CL_FPM_COMPONENT_MANAGER======CP
CL_FPM_COMPONENT_MANAGER======CM004
19 |
|
CL_FPM_COMPONENT_MANAGER=>ATTACH_COMPONENT_TO_USAGE
|
| 18 METHOD
CL_FPM========================CP
CL_FPM========================CM005
89 |
|
CL_FPM=>PROCESS_EVENT
|
| 17 METHOD
CL_FPM========================CP
CL_FPM========================CM00C
34 |
|
CL_FPM=>RUN_EVENT_LOOP
|
| 16 METHOD
CL_FPM========================CP
CL_FPM========================CM002
5 |
|
CL_FPM=>IF_FPM~RAISE_EVENT
|
| 15 METHOD
CL_FPM========================CP
CL_FPM========================CM003
11 |
|Hi Alberto,
The below Notes should resolve!
1428775
1744179
Hope this helps,
Luciana -
Composition of business team in GRC Access control project
Hi
Can I get any information about the composition of business team in a GRC access control project?
What type of people form this team?
Please provide some clarity on the role of business people in this type of projects.
Regards
AbhijeetHi,
Idealy the team should comprise of
1] A representative of the IT Governance team -he ensures that the IT delivers value to the business,the risks have been analysed and fully addressed to.
2] The Buiness process owners -these people only define the access restrictions for various activities like purchase,payment,etc.
3] Application specialist -in charge of SOD-he defines the roles and profiles for the access control.
4] If required a member from "Assurance" - these will be auditing the "access control " on a regular basis after the implementation.
5] The configuration team.-they configure the controls in the Appln.sysytem
Regards.
Ramesh. -
Access Control 5.3 RAR - BW Reporting 0GCC_UPV
Hi experts,
I have activated the SAP GRC Access Control content and everything works fine so far. However, I can't report risks by users properly, as mitigated controls are not taken into account in cube 0GCC_UPV. Mitigated users are stored in 0GCC_MTUS.
Has anyone experience with this ? Of course we want to report on users which are not mitigated and still have risks.
The query select * from virsa_cc_prmvl on Java Stack says that MITREFNO is always empty. However, there is the possibility on the java stack to report on users and select/deselect mitigation. I don't believe they join two tables during runtime !
Any help is appreciated !
Thanks,
MaxHi Annie,
For your first question check this thread -
GRC 5.3 Zero Violations & unable to exclude critical profiles
Question 2:
When I change the background job parameters for Batch Risk Analysis with specific usergroup and specific role range, why it doesnt reflect in the mgt view->risk violations? it still show me all the users in the systems and not the range of users that i specified.
As per my uderstanding mgt-risk violation will show you the results based upon the selected criteria in the view and not based upon the background job you selected. Once Full Batch Risk Analysis is done, the data is there in GRC database. After that it keeps syncing each time you run a new batch risk analysis and adds any new changes.
Showing in mgmt report is based upon what you select to see.
Regards,
Sabita -
How To Performance Optimize GRC Access Control 5.3
Hi Everyone,
GRC RIG published in BPX the following How-To-Guide:
How To Performance Optimize GRC Access Control 5.3
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/90aa3190-8386-2b10-c4ba-ced67322ea6d
We appreciate any feedback and will keep track of all suggestions to improve future versions of this guide.
Frank Rambo
Director RIG EMEA
SAP Governance, Risk and Complicanceto access CUP:
http://<hostname>:<portnumber>/AE
To access RAR:
http://<hostname>:<portnumber>/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator
to access SPM
http://<hostname>:<port>/webdynpro/dispatcher/sap.com/grc~ffappcomp/Firefighter
to access ERM:
http://<hostname>:<portnumber>/RE
Launch pad link:
http://<server name>:5<instance>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC
NW start page:
http://<hostname>:<portnumber>/index.html -
SAP GRC Access Control 5.3 intergration with orcale
Good Day GRC Gurus,
We want to integrate SAP GRC Access Control 5.3 with ORACLE.
It would be great if someone could share some documents, presentation and experience on the same.
Thanks in advance!!!!!!!!!!!!!
Thanks and Regards,
JagatHello Hersh,
RTA for Oracle is basically a set of PL/SQL stored procedures to create grc schema, grant access and object creation. The package was created using oracle 11.5.10.2 version. I am not sure about the compatibility of the package with the new versions of oracle but still batch mode risk analysis is achievable even if the RTA is not compatible.
I do not really like batch mode but it does serve the purpose. If I get a chance to test oracle RTA on new version I will surely share it with you.
Best Regards,
Amol Bharti
http://amudee.com -
GRC Access Control 5.3 installation
Hello all,
I'm planning the installation of SAP GRC Access Control 5.3 and have a few questions. In the software download section of SAP Service Marketplace, the most recent installation files are for Virsa 5.2. Under SAP GRC Access Control, there are no installation files that I can see. (I tried several different OSS IDs including partner ID, so I do not think it is a licensing issue) Could someone please confirm that the Virsa 5.2 files represent GRC Access control 5.3?
One reason for this question is that in Solution Manager, under Business Blueprint (SOLAR01), SAP GRC Access Control 5.3 is displayed as the default selection for Internal Controls. Is SAP planning to release installation files in the near future for SAP GRC Access Control 5.3? If so, when?
Thanks in advance,
Glen Hoaglund
Capgemini Basis Consultant
Edited by: Glen Hoaglund on Jun 3, 2008 3:13 PMJohn & Glen-
Right now Compliance Calibrator 5.3, now Risk Analysis and Remediation, which is part of Access Control 5.3 is currently in Ramp Up, and will be available in October 2008.
You can download the User manuals for 5.3 from SAP Marketplace. That will give you an idea of what functionalities 5.3 has and how it is structured.
From my observation of 5.3, and having implemented 5.2 for some clients, 5.3 does have some functionalities which are missing in 5.2. But for setup and sizing, it is always recommended that you allocate GRC on its own server with a lot of space. The applications are very memory-intensive.
I believe FireFighter, or Superuser Privileged Access in 5.3, will still reside in the ABAP stack, with the reporting done on both ABAP and Java stacks. The bulk of the functionality of 5.3 is the same as 5.2.
Let me know if you have any questions...
Ankur
GRC Consultant -
Impliment GRC Access control in difffrent landscape
Hi Friends,
In our company we have different landscapes in SAP and now we are planning to implement Access control in all landscape.
R/3 landscapes with out any Java stack( both ECC6 and 4.7 EE)
Solution manager landscape
XI landscape.
BW
and EP.
Our first target is R/3 Landscape. Can you please guide me. what will be the best approach to implement AC in R/3 systems as they don't have any Java stack.
I will appreciate if you can guide me with other landscape also.
Thanks,
SatyabratSatyabrat
The GRC landscape is technically separate from the different SAP Application components you mention so technically, you can connect the GRC system to any of the other components but creating the appropriate JCOs and SLD entries.
You will need to instal the RTAs in each of the required source systems (ERP, ECC, BW, XI, SM, CRM, SRM etc!) but they can all link to the sepearate GRC systems.
The exact landscape setup is dependant on what you wish to use GRC for. For example, you may wish to only link production GRC to production backend systems for Risk analysis and SoD. However, if you wish to use ERM or use Role bases analysis, you may find it useful to connect your production GRC system to your development backend systems where the roles are actually defined!
The architecture is deliverately flexible to allow you to do this.
For the initial use cases, it may make sense to keep Production segregated away from Pre-production systems but in the future, you may find that you wish to re-assess this as your useage grows.
Regards, Simon -
Is Compliance Calibrator the same as GRC Access Control?
I have been asked to look at<b> Compliance Calibrator </b>and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a Document called "<b>SAP GRC Access Control</b>" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles" eg:
"SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts automatically."
None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called <b>Access Enforcer</b> but have no info on this... can anyone enlighten me?SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.
-
Applying Support Packs at GRC Access Control 5.3 overall solution level
Hi All
I recently noticed something at a customer, that GRC Access Controls 5.3 launch pad shows a different SP level e.g. version8, while the components, Compliant User Provisioning shown SP10, RAR shown SP12 etc.
My questions are;
1. Should SP updates be applied at a component level i.e. at RAR, CUP, ERM, and SPM level?
2. Would this customer scenario cause an issue in the future, when for example RAR is sitting on a different SP level than CUP etc.?
3. If GRC Access Controls launch pad shows SP level/version, does this SP level/version represent the SP level/version that applies to all components? or does this represent SP level/version of the launchpad only?
4. Are the Support Packs required to be applied on the ABAP stack as well?
Thanks
OdwaHi Odwa,
Please see my replies below.
1. Should SP updates be applied at a component level i.e. at RAR, CUP, ERM, and SPM level? NO, Just apply them to the entire GRC-AC from the JSPM
2. Would this customer scenario cause an issue in the future, when for example RAR is sitting on a different SP level than CUP etc.? Yes, one of these days there is going to be a problem becuas eof this
3. If GRC Access Controls launch pad shows SP level/version, does this SP level/version represent the SP level/version that applies to all components? or does this represent SP level/version of the launchpad only?
4. Are the Support Packs required to be applied on the ABAP stack as well? Yes they need to be applied on all the ABAP stacks as well, it is very omportant that support packs remain in sync everywhere.
Thanks!
Chinmaya
Edited by: chinmaya prakash on Dec 6, 2010 4:10 PM -
SAP GRC Access Control 5.3 .TXT - where to upload it
Hi Experts,
can anyone please tell me, I have to deploy/upload the patch:
SAP GRC Access Control 5.3 .TXT SP04
As I am new to GRC, can somebody please tell me where I upload/deploy this file.
Is it on the server at operating system level, or through the application in the Web Browser ?
Thanks and regards,
Petr.HI ,
As sahad said that is the right way to extract the *.SAR files the syntax is given below .
for unix : SAPCAR -xvf /<path>/<filename>
windows : SAPCAR -xvf <volume>:\<path>\<filename>
If you donot specify the path then it would get extracted in the path where you are right now means the same location where you the *.SAR file is present and then you can upload .
Then you can login into RAR portal and then go to configuration tab then click on utilities which would be the last option and then click on import and give the file location.
Maybe you are looking for
-
Visual age problem - importing packages
Hello, I have created a Java client NT application on Visual Age which interacts with Oracle database thru JDBC driver. when i give import oracle.jdbc.driver.*; the visual age editor is not able to find the above package, whereas when i export the sa
-
Ios7, can't show photos on map in Photoapp
Hi, Got an iphone 5 with ios7. Location service is turned on for the camera. I can view the photos in the Photoapp, view by year, collection, moment In moment view only the dates are shown. I have not found any way to show the locations on map within
-
How do I reduce the space between headlines in Firefox via DW?
Hi all, I have a website up and running, I can send the URL to anyone who thinks s/he may be able to help me. The webpages look great in Explorer Internet. However in Firefox, there's a lot of unslight gaps between the main headline, the sub-heading
-
BOBJ 4.1 SP01 Web Intelligence Rich Client - "An Error Occurred at Session Creation"
Hi All I just installed BOBJ Client Tools 4.1 SP01 on my client's computer. However, when launching Web Intelligence Rich Client, we receive an error saying "An error occurred at session creation." Once the error box is closed, Rich Client stops load
-
Bonjour, Tout est installé. Malheureusement, je n'arrive pas à transférer les données de mon i phone 3 vers mon pc windows 7. Sur mon PC dans ICloud tout est vide. Merci de votre aide.