GRC10 Risk Description

Is there a way to include the Risk ID Description in the access risk report? And be able to export that description when downloading the report? This field was available in 5.3 but I cannot find the equivalent in 10.

Michael,
Have you tried with parameter 1023: Default report type for risk analysis?
As per the config settings guide:
"The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the type of report that is selected by default.
Note: In the value cell, press F4 to display the available types, such as Permission Level, and so on."
Cheers,
Diego.

Similar Messages

  • RAR5.3 - SoD Report Not Showing Full Risk Description

    Hello,
    In a Sandbox environment, I'm playing around with/testing a new ruleset. The environment has our Production ruleset and I've added some risks to this ruleset via file upload in Configuration. The risks look great. Both the description and detailed description got imported correctly. The rules generated perfectly for these new risks I uploaded. Everything related to the risk, the way the risk is built, the rules, looks perfect. When I run Risk Analysis on test users that I know have the risk, they show on the report just as expected. However, the risk "description" is essentially missing. For example, in Management Summary View, here is what Risk B001* looks like:
    B001:   Basis Development & System Administration
    Medium Basis TEST_USER(TEST_USER) USSPCJH40_E3
    I've bolded the Risk Description.
    However, here is what one of my new risks shows up like (F031, a risk we haven't put in production yet for various reasons):
    F031:   F031
    Medium Finance TEST_USER(TEST_USER) USSPCJH40_E3
    The Risk Description only says "F031." It still is hyperlinked so it still works, but I want to see the full Risk Description, obviously. When I look at the Risk in Rule Architect, both descriptions are there.
    I then extracted the Rules via Rule Export and looked in the VIRSA_CC_RISKT table - the F031 description is there!
    B001 (which looks fine) and F031 (which has the description missing) have entries in ALL of the same tables (unless there's a table that I'm not getting with the export?)
    Can anyone help me out? Has anyone experienced a similar issue? Why would all my newly imported risks not show a Risk Description when running Risk Analysis?
    Thanks in advance!
    Jes Behrens
    Edited by: Jes Behrens on Feb 26, 2009 8:26 AM

    Hi !
    This report shows the schedule line items, group schedule line items and rental contact (billing plan) lines when a particular checkbox is checked. The checkboxes p_all (non-schedule line) and p_group (group schedule line items) are working in my above ALV report and showing results, but unfortunately when p_rental is checked it doesn't give me a result; it says no data selected. This, when checked, has to show results based on a different set of selections as I have done, but it's not showing me the result.
    Kindly help please.
    Thanks

  • Risk Descriptions in Japanese

    Hi Gurus:
    I uploaded my ruleset into GRC AC RAR 5.3, generated the rule job and followed the config guide.
    When I search for the functions and risks they appear in english.
    When I perform a risk analysis via the informer tab, the risk violations appear in Japanese.
    My question is - where is this pulling from? My ID in the UME has the default language set to EN.
    Please advise!
    Thanks,
    Grace Rae

    When working on any language other than EN, remember (say DE)
    - user id (XYZ) used in JCO connection has default language DE in PFCG (default tab)
    - XYZ exists in UME also (may be without any permission) and its default language in UME is also DE
    Regards,
    Surpreet

  • Virsa table containing Risk detailed description

    Dear,
    I would like to know which table contains the information related to the Detailed Risk description.
    The table VIRSA_CC_RISKT contains the following fields RISKID, LANG, DESCN.
    DESCN refers to the short description. I would expect to have in that table a long /detailed description field.
    Thank you and kind regards
    Vincent

    I found the solution by myself:
    I've to look into table VIRSA_CC_DETDESC
    Thank you and kind regards
    Vincent

  • New Risk id's not showing in ruleset in production

    Hi Experts,
    We have created new risk id's in GRC development and it is working fine and is present in the ruleset but when we transported the ruleset to production the Risk Id's are not showing up in the Setup -> Access Risks path. All old risk id's are present except for the new ones.
    But, when I run the risk analysis report the New Risk Id's are visible but their risk description is not present (old risk id's description is present) so I clicked on new risk id and it is showing completely same as development.
    Risk Analysis reports are running fine and new risk id's are working in production but their risk description is not empty.
    Can anyone please advise if I need to perform any step or this is a bug ?
    PS: I generated the SOD rules in production after importing the transport.
    Regards,
    Salman

    Hello Salman,
    Can you please check inside the GRC AC Tables, if the description is defined properly or not for the new Risks in your production system.
    GRACSODRISK – Risk Description Table
    You already have mentioned that you generated the Rules, so I won't be taking benefit of the doubt to ask you for that.
    But, however I would like to point, if you have checked for the descriptions in the Access Rules Summary?
    Also as you mention that you transported the Rules (New ones) from DEV to PRD. What do you imply by transports? Are you suggesting the Download/Upload SoD Rules method you followed?
    Regards,
    Akshay

  • RAR: Risk resolution options , Remove access from user is disabled

    Hi All,
    In RAR , After risk analysis, if we click on risk description 3 Risk resolution options are there.
    Mitigate Risk
    Remove access from user
    Delimit access for user
    In these options mitigate risk only working. I am using GRC SP 5.
    How about other two options, save button is disabled. How to enable this?
    Can we remove/delimit access to user using these options? Anybody tested these options?
    Thanks n Regards,
    Joseph

    Joseph,
       These functionalities do not exist in the tool and these buttons have been in the RAR for past 2 years. SAP wants clients to use CUP for removing or delimiting access so I highly doubt this will ever work.
    Alpesh

  • RAR: Upload risk owners

    Hi,
    Is it possible to assign risk owners to risks via an upload file of some sort? I would have thought that this should be part of the Risk Description Template found in the configuration guide. This does not seem to be the case.
    Any ideas of how I can do this?
    Regards,
    Mo

    Hi Muhammad,
    You can upload Risk Owners using Mitigation template. As Risk owners have to be created under administrators of mitigation and then only can be assigned to Risks under Risk ID of Rule Architect
    Once you upload the Risk owners using mitigation template, the drop down will allow you to assign the Risk owners to the Risk IDs.
    Thanks and Best Regards,
    Srihari.K

  • Migration from VIRSA 4.0 to GRC 10.0 (ARA)

    Hi Guys,
    We've just migrated from VIRSA 4.0 to GRC 10.0. We have only two connectors configured ECC and Finance System.
    Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully ( I've checked in the NWBC that the permissions appear after the risk generation and also I've checked some tables like GRACSYSRULE and GRACACTRULE and risks appear there).
    When running a risk analysis report at user level in both the system VIRSA 4.0 and GRC 10.0 the no. of conflicts matches whereas no. of mitigation does not match. Due to this mismatch we are not in a position to go 100% LIVE with GRC and decommissioning VIRSA. We use concept of mitigated roles and not users. Raised the concern with SAP too 2 weeks back and no luck yet.
    Has anyone faced a similar issue? Can you give me some light in order to solve the issue?
    Many Thanks!
    Ratan Roy

    Hi Andrzej,
    Thanks for the reply.
    I have one more simple question: how can I change the Violation or Mitigation counts to any RISK Ids?
    Say for example: I wanted to make changes in violation and mitigation counts in below mentioned risk.
    Access Risk ID: F020
    Risk Description: Open closed periods previously enter incoming payments
    No. of Conflict: 72
    No. of Mitigation: 45
    SOD Object:

  • Spanish accents not displayed correctly

    Hi, Gurus,
    I'd like to ask you if anybody knows how to make my Spanish accents correctly displayed.
    We have uploaded RAR Functions and our descriptions contain accent written words.
    Any help or guidance will be appreciated.
    Thanks very much in advance.

    Hi amigo
    Could you please let me know exactly which are the files you would like to reload because of the Spanish accents issue (i.e: Risk description)?
    To re-upload the files that contain description is not a problem for the rules even though they are already generated.
    The rules are created based on function-action and function-permission files and such files do not contain descriptions.
    Hope it helps. Best regards,
       Imanol

  • One role - One transaction - SoD errors

    I have a single role with just one transaction in it (F-44).  When I run this single role through Risk Analysis, I get the following SoD risks.
    Risk Description:  P0030LI01 : Create fictitious vendor invoice and initiate payment for it
    Conflicting Action:  Clear Vendor (F-44)  and   Clear Vendor (F-44)
    This doesn't make any sense.  It only has an "01" under object  F_BKPF_BUK. 
    I can see a transaction conflicting with another transaction, but against itself? How can I remediate this role?  Our goal is to remediate, not mitigate whenever possible.
    Thanks,
    Peggy

    I can't agree with your suggestion because I would want F-44 in both AP01 and AP02 to catch any of the other violations that would exist.  For example, if we had F-44 with F.13, it would be an SoD violation and AP01 would catch it.  And if we had F-44 with FB01 it too would be a violation which AP02 would catch.  So I can't see disabling it from either AP01 or AP02 and I need the objects to be as they are.
    We have a number of these SoD errors with other transactions such as  FB02 with FB02 and FBV0 with FBV0 for risk F028 (Both are in AP02 and GL01).
    I'm thinking we need to create one mitigation for these types of SoD violations (which really aren't violations).  This should make the auditors happy and we aren't disabling or changing anything that would allow an SoD to get missed.
    Do you agree with my thinking?  Does anyone know what the best practice is for these?
    Thanks,
    Peggy

  • Compliance Calibrator SOD Conflict (FI01 and FB05)

    I was hoping that someone could provide some insight as to why the "FI01 - Create Bank" and "FI02 - Change Bank" transactions would create a risk (in Compliance Calibrator) when coupled in the same security role with the "FB05 - Post with Clearing" transaction.  The risk description given by Compliance Calibrator is "Maintain bank account and post a payment from it".
      The FI01 and FI02 t-codes appear to only create/change routing numbers or addresses for banks.  There is no ability to create or change an actual bank account.  This alone doesn't seem to create a conflict when coupled with a posting transaction.  Is there possibly some functionality that I am missing?

    Hi Joshua,
    I strongly agree with you that there is no SOD conflict technically with FI01, FI02 with FB05 although the wording of the SOD conflict in a business sense meaning Maintain Bank Accounts vs Posting Payments sounds more like a Conflict.
    I don't see by any way how you can maintain actual bank account in either FI01, FI02.
    FI01 and FI02 - Maintain Bank Info like Bank Address, Bank Key and so forth.
    FB05 - Make Payments to various accounts.
    Regards,
    Kiran Kandepalli.

  • How to migrate Master Data (Rule set etc.) from GRC 5.3 to 10.1 without using the "Migration Tool"

    Greetings,
    We are currently on GRC 5.3 SP 18 (Java ONLY) and migrating to GRC 10.1. I referred the Migration Guide which outlines that GRC 5.3 needs to be upgraded to SP 20 as pre-requisite for using the "Migration Tool" . Our BASIS team is reluctant to perform this upgrade from SP 18 to SP 20.
    Having said thus, I'm exploring options of migrating data from 5.3 to 10.1 without using the "Migration Tool".
    Rule set Migration:
    I'm in the process of preparing the 9 different files (listed below) and later utilize the "Upload Rule" option for migrating the Rule set data from 5.3 to 10.1.
    While I'm able to gather data for most of the files I'm not sure how can I obtain the data pertaining to the two files (Function Actions and Function Permissions) underlined and highlighted in Red below.
    1. Business Process
    2. Function
    3. Function Business Process
    4. Function Actions
    5. Function Permissions
    6. Rule Set
    7. Risk
    8. Risk Description
    9. Risk Rule Set Relationship
    10. Risk Owner Relationship
    Can someone please enlighten me and share their experience with regards to this exercise. Really appreciate your help !
    - Janantik.

    I have done this successfully before.  Because you are having issues, I would NOT recommend using the migration tool to move the ruleset.  Instead:
    1. Download the ruleset files from 5.3
    2. The 5.3 tcode-permission file, which defines which tcode permissions from SU24 need to be checked during risk analysis, needs to be split into the two files you mention above in red.
    FUNCTION_ACTION : this file represents S_TCODE objects and TCD fields mapped to each function (Function to Tcode relationship).  In the 5.3 file, you will filter on object S_TCODE and field TCD, and you will get a complete list that now represents "FUNCTION_ACTION".  BUT instead of having all the jumbled permission info, you will just have 3 columns: Function - Tcode - Status.
    3. The remaining permissions that are left over, after taking out the S_TCODE -TCD items, represent the "FUNCTION_PERMISSION" file in GRC 10.
    4. Manually create the excel spreadsheets for each file.
    5. Copy and paste each sheet to a unique .txt file.
    6. Upload the ruleset manually through SPRO-->GRC-->Access Control-->Access Risk Analysis-->SoD Rules-->Upload SoD Rules.
    7. Select each file and then upload to the correct Logical Group.
    This is a huge pain, but it works.  Let me know how this goes and if you need any assistance.
    -Ken
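
Steps 2 and 3 of the reply above, as an added example that is not part of the original post or of SAP's tooling. It assumes the 5.3 permission file uses the eight tab-separated Function-Permission columns quoted elsewhere on this page, that the action row's tcode and status come from the S_TCODE/TCD row, and that the leftover rows are kept unchanged; the sample rows are constructed. Rows with the wrong column count and permission rows left without an action row are reported rather than dropped, since a silently lost row is a check the risk analysis no longer performs.

```python
import csv
import io

# Assumed column order of the 5.3 permission file, taken from the
# Function-Permission layout quoted elsewhere on this page (tab separated).
COLS = ("function", "tcode", "object", "field", "from", "to", "search", "status")


def split_permission_file(text):
    """Return (actions, permissions, problems) for one 5.3 permission export."""
    actions, permissions, problems, seen = [], [], [], set()
    reader = csv.reader(io.StringIO(text, newline=""), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for raw in reader:
        if not any(cell.strip() for cell in raw):
            continue  # blank line
        if len(raw) != len(COLS):
            problems.append(
                f"line {reader.line_num}: {len(raw)} columns, expected {len(COLS)}")
            continue
        row = dict(zip(COLS, (cell.strip() for cell in raw)))
        if row["object"] == "S_TCODE" and row["field"] == "TCD":
            key = (row["function"], row["tcode"])
            if key not in seen:  # collapse duplicate S_TCODE rows
                seen.add(key)
                actions.append((row["function"], row["tcode"], row["status"]))
        else:
            permissions.append(tuple(row[c] for c in COLS))
    # A leftover permission row whose function/tcode pair never got an action row.
    for perm in permissions:
        if (perm[0], perm[1]) not in seen:
            problems.append(f"{perm[0]}/{perm[1]}: {perm[2]} row has no S_TCODE/TCD row")
    return actions, permissions, problems


def to_tsv(rows):
    """Render rows as tab-separated text, one row per line."""
    return "".join("\t".join(r) + "\n" for r in rows)


# Constructed sample: AP01/AP02 and the tcodes appear on this page, the rows do not.
SAMPLE = to_tsv([
    ("AP01", "F-44", "S_TCODE", "TCD", "F-44", "", "AND", "0"),
    ("AP01", "F-44", "F_BKPF_BUK", "ACTVT", "01", "", "AND", "0"),
    ("AP02", "F-44", "S_TCODE", "TCD", "F-44", "", "AND", "0"),
    ("AP02", "FB01", "F_BKPF_BUK", "ACTVT", "01", "", "AND", "0"),
    ("AP02", "FB01", "F_BKPF_BUK"),  # truncated row
])

if __name__ == "__main__":
    acts, perms, probs = split_permission_file(SAMPLE)
    print("FUNCTION_ACTION\n" + to_tsv(acts))
    print("FUNCTION_PERMISSION\n" + to_tsv(perms))
    print("\n".join(probs))
```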

  • RAR - Rules Upload

    Hi Experts,
    From the RAR, I can see the default "Global" ruleset. I went to the Configuration tab, navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, and I see a list of Risk Description, conflicting conflicts etc etc.
    However, I did not want to use the Global ruleset, as I have a customized ruleset which addresses my client's SoD concerns very specifically. What I did first was to export all the components of the rules (as a backup) and then I navigated to the Rule Architect Tab, and manually deleted all the Risks, Functions, Rule Sets and Business Process (in that order).
    I then proceeded to the Configuration tab > Rule Upload and uploaded the Business process, Function, Function Authorisation, Rule Set and Risk. No error messages encountered as I followed the Rule File Templates as per the configuration guide. But it also does not tell me if I was successful in importing those files. (so I assumed no error message = import successful)
    However, when I navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, I was unable to see any list generated this time. I tried to export all the components of the rules (based on what I imported) to troubleshoot, and I found that the "function_permission.txt" and the "Risk_desc.txt" portions were missing from the exported textfile. However, all the other information from other text files are in that exported text file.
    From initial analysis, this seems like the Function Authorisation and the Risk files may not have been imported successfully. Would like to know if anyone has encountered this problem and what actions should be taken to rectify it?
    Thanks!

    Hi Experts,
    Thanks for your response.
    I followed the Rule Set Template from the configuration guide to the letter.
    Upon closer inspection of the contents in what I exported, I discovered that for the "function_action.txt" portion, the Tcodes of some of the business process were not found, for e.g.
    Business Process FA may have tcodes under function action Tab, but business process IM seems to have no tcodes under the function action Tab. I suspect that during the import, certain business processes were not "picked up", whereas others were. It was a clean omission of tcodes from IM business process. Does the naming convention of business process follow some reserved words (i.e. financial accounting must be FA, procurement Must be PR etc to be same as the global ruleset)?
    In addition, for those business process which have tcodes reflected in the function action Tab, I tried to click on the "+" to expand and see the objects, fields and values under the function permission Tab, but it cannot be expanded (i.e. blank).

  • Migrating from Approva to SAP GRC AC 5.3

    Hello All,
    One of our clients is using Approva applications; now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide me how I proceed.
    Key doubts -
    1-How we upload rules in RAR, because we downloaded the rules from Approva.
    2-Creation of mitigation controls etc.
    It would be great if someone could share some documents related to above.
    Thanks,
    Jagat

    Hi Jagat,
    Once your GRC system is configured. You have to follow the following steps:
    1. Create system connector
    2. Define Master User Source
    3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
    4. Now as Frank has suggested you have to convert the downloaded Approva files to .txt files. There are 9 .txt files you have to create:
    1. Business Process
    BusinessProcessId (CHAR 4)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)
    *fields are TAB separated
    2. Function
    FUNCTION ID (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S:Single System, C: Cross System))
    3. Function-Business Process
    FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
    4. Function-Action
    FUNCTION ID (CHAR 8)    TRANSACTION(CHAR 20)     STATUS (NUMC 1 (0 or 1))
    5. Function-Permission
    FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT(CHAR 10)     FIELD(CHAR 10)     FROM VALUE(CHAR 40)     TO VALUE(CHAR 40)     SEARCH TYPE(CHAR3 (AND,OR,NOT))       STATUS (NUMC 1 (0 or 1))       
    6. Rule Set
    RuleSetId (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION (CHAR 132)
    7. Risk ID
    RISKID (CHAR 4)     FUNCTION_1_ID  (CHAR 8)     FUNCTION_2_ID  (CHAR 8)     FUNCTION_3_ID  (CHAR 8)     FUNCTION_4_ID  (CHAR 8)     FUNCTION_5_ID  (CHAR 8)     BusinessProcessId (CHAR 4)       PRIORITYDESCRIPTION (NUMC 1 (0=Medium 1=High 2=Low 3=Critical))      STATUS (NUMC 1 (0 or 1))        RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
    8. Risk Description
    RISKID (CHAR 4)       LANGUAGE  (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
    9. RISK_RULESET
    RISKID (CHAR 4)       RuleSetId (CHAR 8)
    For more information on templates follow the configuration guide.
    Upload these files and generate the rules.
    Hope with this you will be able to continue.
    Thanks & Regards,
    Jitan
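
A pre-upload check of three of the files against the field counts, widths and value ranges listed in the reply above, added here as an example (it is not from the original post or from the configuration guide). The cross-check that every risk has a description row in the expected language and a rule set assignment, the `EN` default and all sample rows are assumptions of this sketch.

```python
# Layouts as quoted in the reply above: (field, max width, allowed values or None).
LAYOUTS = {
    "risk": [("RISKID", 4, None)]
    + [(f"FUNCTION_{i}_ID", 8, None) for i in range(1, 6)]
    + [("BusinessProcessId", 4, None), ("PRIORITY", 1, tuple("0123")),
       ("STATUS", 1, tuple("01")), ("RISKTYPE", 1, tuple("123"))],
    "risk_desc": [("RISKID", 4, None), ("LANGUAGE", 2, None),
                  ("RISKDESCRIPTION", 132, None), ("DETAILDESCRIPTION", 1000, None),
                  ("CONTROLOBJECTIVE", 1000, None)],
    "risk_ruleset": [("RISKID", 4, None), ("RuleSetId", 8, None)],
}


def check_file(kind, text):
    """Check one tab-separated file; return (valid rows, error strings)."""
    layout, rows, errors = LAYOUTS[kind], [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        cells = line.split("\t")
        if len(cells) != len(layout):
            errors.append(f"{kind}:{n}: {len(cells)} fields, expected {len(layout)}")
            continue
        found = len(errors)
        for (name, width, allowed), cell in zip(layout, cells):
            if len(cell) > width:
                errors.append(f"{kind}:{n}: {name} is {len(cell)} chars, max {width}")
            elif allowed is not None and cell not in allowed:
                errors.append(f"{kind}:{n}: {name} value {cell!r} not in {allowed}")
        if len(errors) == found:  # keep only rows that passed every field check
            rows.append(cells)
    return rows, errors


def check_ruleset(files, lang="EN"):
    """Validate all three files, then cross-check every risk against the others."""
    parsed, errors = {}, []
    for kind in ("risk", "risk_desc", "risk_ruleset"):
        parsed[kind], errs = check_file(kind, files[kind])
        errors.extend(errs)
    described = {r[0] for r in parsed["risk_desc"] if r[1] == lang and r[2].strip()}
    assigned = {r[0] for r in parsed["risk_ruleset"]}
    for row in parsed["risk"]:
        if row[0] not in described:
            errors.append(f"risk {row[0]}: no {lang} description row")
        if row[0] not in assigned:
            errors.append(f"risk {row[0]}: not assigned to any rule set")
    return errors


def tsv(*rows):
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed sample files (IDs B001/F031 appear on this page; the rows are invented).
SAMPLE = {
    "risk": tsv(("B001", "BS01", "BS02", "", "", "", "BS", "0", "0", "1"),
                ("F031", "AP01", "AP02", "", "", "", "FI", "0", "0", "1")),
    "risk_desc": tsv(("B001", "EN", "Basis Development & System Administration",
                      "Constructed detail text", "Constructed control objective"),
                     ("F031", "DE", "Konstruierte Beschreibung", "", "")),
    "risk_ruleset": tsv(("B001", "GLOBAL"), ("F031", "GLOBAL_V2")),
}

if __name__ == "__main__":
    for problem in check_ruleset(SAMPLE):
        print(problem)
```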

  • Applying Business View format of ARA into Job Monitoring of Process Control

    Hi Gurus,
    I have an issue regarding with the Job Result of when using SOD sub-scenario in Process Control. We have integrated AC and PC and the controls that have been set for automation, however, the fields (User ID, Name, Group, Risk Description, etc.) are not showing on the PC Job result like the ARA can do. Below information are given:
    1. In ARA --> User Level --> Simulate the risk analysis with Business View format --> Result --> choosing Management Summary --> above mentioned fields are shown.
    2. In Automated Monitoring --> Choosing Management Summary --> only fields of technical view format are the only ones that can be shown (User ID, Risk ID and Control ID).
    Thus with this, is there any possibility that the Result of the Job Monitoring of the PC can be manipulated? If yes, can you provide some steps?
    Hope you can help me on this.
    Kindly refer on the attached file for more info.
    Thanks!
    Mackoy

    Christopher,
    Re-generating the transfer structure does not need InfoPacks to be re-created. if you are still getting the old error, two possibilities:
    1) You created a new DataSource with new transfer structure, etc. but the InfoPack in the process chain still points to the old transfer structure.
    2) The data in the table has some records as MM/YYYY and some as YYYYMM.
    You don't need to re-create the InfoPacks if your transfer structure is re-generated. They should work off the latest definition always.
    Cheers
    Aneesh
