Inconsistency Data between Role Level & User Level Risk Analysis

Similar Messages

• Differences between Roles, Schemas, Users and Logins.

  I need differences between Roles, Schemas, Users and Logins. Can anyone help me. Thanks in advance

  Roles:
  I think of creating roles in the database to group users of like
  function.  Roles are granted certain permissions in the database.  You
  should become familiar with the fixed database roles since these will be
  utilized once you start creating users within the database.  Also, once
  you see the type of permissions that are granted to each role, is makes
  more sense.
  Schema: there can be several schemas in a database,
  which will house different types of objects such as tables, indexes,
  stored procedures, functions,  etc.  Users own schemas.  Looking into
  the AdventureWorks database illustrates this concept, with several
  schemas like HR, Production, etc.
  Login: Think about login as
  gaining access to the SQL Server instance.  If a user account is not
  granted any permissions within the instance, you basically just were
  able to unlock the door and enter the room, by creating a user you then
  grant access to the database objects or principals, and can begin to
  work with them. 
  Users:  Users own schemas, and as such will be
  able to manipulate the objects they own.  Some of the manunipulations
  are very permissive, such as creating tables, indexes, stored
  procedures, functions, etc.  These are developers and administrators.
  Users
  are created and granted permissions for application use, which will
  have select, update, insert, and delete and execute permissions  to a
  finite set of objects in the schema, for which the application will need
  to function properly.
  In a client server database, as an
  example, of the structure.  Roles were defined which provides the
  permissions to the database objects in the database, which only has one
  schema 'dbo'. One SQL server login was created with the same username,
  and dbo is the assigned default schema, and the roles assigned to that
  username. 
  In the application, each specific user is given there own
  "application" login which is mapped to the one defined sql server
  login.
  Ahsan Kabir Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread. http://www.aktechforum.blogspot.com/

• Role and User level Risk Analysis is not displaying any output or report.

  Hello,
  I have a problem when I run risk analysis, both in foreground and background. The issue is that no report is displayed and I have followed all the instructions carefully.
  I have done the following:
  Maintained Access Risk table to contain functions and assigned it to a rule set.
  The functions contains actions and permissions that are explicitly assigned to my ERP connector in the system field in both action and permission tabs.
  I have run the sync job to update the roles in the GRC server from the ERP backend. I am surprise that no report is displayed as I have a test role that I am sure has conflict as per my function definition.
  Please advice me if there is something I am missing.
  Thank you.

  Hello John,
  Good Morning !!
  Sorry for the late reply , but to my surprise , i do not see any tab containing "Actions & Permission".
  This are the tabs that i have in NWBC
  My Home
  Master Data
  Access Management
  Rule Setup
  Reports & Analytics
  Assessments
  Setup
  I am currently on SAPK-V1005INGRCFNDA support package for GRCFND_A .
  Is there something wrong that's hapenning?? or i am looking at wrong place !!
  Under Setups , i have an option "Access Rule Maintenance" which has
  Rule Sets
  Functions
  Access Risks
  When i click Accesas rule sets , i see Risk IDS : e.g. B001, B002 etc and when i click "generate rule" in foregroubd/background",
  it does not generate any rules ,when i click
  View Action Rules
  View Permission Rules
  It shows "Table does not contain any data".
  Please guide.
  Thanks
  Regards,
  Victor

• Sharing data between two separate user sessions

  Hi all!
  I have been trawling my brain for a solution to this - any help will be appreciated!
  I would like to create a single instance of a class but share that instance over more than one user session (two separate users but both running concurrently).
  Just as you can pass data between sessions using ABAP memory - I would like to pass data (specifically an object reference) between two separate users that could even be logged in to two separate application servers...
  Even a mini Client/server solution would suffice but I cannot figure one out!
  Is this possible?
  Many thanks for your thoughts in advance...
  N

  Hello N K,
  sorry thats not possible. Sharing a data item / object instance requires at least a common physical memory. As this is not guaranteed between different app. server this is technical not possible.
  With release 640 ABAP offers the new feature Shared Objects. These mechanism allows access by different users and some propagation to differnt servers.There is an interesting article on the ABAP SDN homepage
  https://www.sdn.sap.com/sdn/developerareas/abap.sdn
  For relases below more or less the database is the only chance to store data accross application servers (known to me). One exception might be the ENQUEUES which might (mis)used to store some Flags.
  Kind Regards
  Klaus
  Link to Shared Objects PDF
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/shared objects in abap

• GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

  Hello Gurus,
  We have done configuration of GRC AC 10, and uploaded files via
  SoD rules -->Upload Rules
  After that we generated SoD rules for Risk Id : B001 and B002
  Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
  The report shows (for Group Rule level : Action)
  Number of Active rules : 0
  Number of Disabled Rules : 0
  Number of Functions :  151
  Where as for Group Rule level : Action Risk
  The report shows
  Number of Active Risk : 42
  Disabled risk : 161
  Nmr. of functions : 151 .
  When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
  Note: All the background jobs have run successfully.
  Also the SoD files also have been uploaded successfully.
  Will you please guide how can i activate the "rules" for the uploaded risk ??
  regards,
  Victor

  Hello Victor/ Inder,
  For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
  Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
  BUSINESS     Business Roles     SAP
  SAP_BAS_LG     SAP Basis     SAP
  SAP_CRM_LG     SAP CRM     SAP
  SAP_ECC_LG     SAP ECCS     SAP
  SAP_HR_LG     SAP HR     SAP
  SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
  SAP_R3_LG     SAP R3     SAP
  SAP_SRM_LG     SAP SRM     SAP
  (If not present then manually you can create the same)
  Select SAP_BAS_LG and put connector type as SAP,  select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
  Post this activity re generate SOD for B001 and then check for user level and role level analysis.
  Hope it will resolve your issue.
  Regards,
  Sudesh

• Exclusion of separated users in Risk analysis

  Dear All
  While running User Risks analysis, I need to exclude all the separated users in the Mgt report. We have already configured HR triggers for locking the Users on separation, but how GRC is able to distinguish whether the locked user is because of separation or incorrect logons.
  Please suggest
  Thanks
  Abhijeet

  Hi Abhijit,
     RAR will exclude all the loced users if you configure RAR to exclude them. If you want to exclude only separated users then may be you can exclude only the user group of those users (if you have a different user grooup when user is separated).
  Regards,
  Alpesh

• Business Roles - Risk analysis

  Hi All,
  We are on GRC SP13.
  We are using business roles for provisioning to end users.
  When role owner is performing risk analysis for business roles, results are proper according to defined ruleset only if "SYSTEM" field is empty.
  If system is selected, then results shows that "NO VIOLATIONS".
  Is this the standard behaviour for risk analysis of business roles or Am i missing anything?
  Looking for your advise on this.
  Regards,
  Sai.

  Hi Jaya,
  Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
  Try this URL, but perhaps your GRC consultant should read it instead of you.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
  After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
  I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
  Cheers,
  Chenyang Xiong

• Risk analysis Report Error in GRC AC 10.0

  Dear GRC,
  I had problem with Risk analysis Report in GRC Access Request form
  When i run the Risk analysis report on Action Level , Permission Level , Critical Action Level and Critical Permission Level then report showing as "No Violations" but if i run the Risk analysis report only on Critical Action Level and Critical Permission Level then report showing too many Violations.
  I maintained Action Level , Permission Level , Critical Action Level and Critical Permission Level as default risk analysis type in SPRO Configuration Parameters settings.
  i am not understanding why system behaves like this. Could you please help me on this.
  System Details : GRC AC 10.0 , SP-12
  Thanks a lot for swift response.
  Best Regards,
  RK

  Hi GRC Team,
  Please help me on this. I am waiting for your replay.
  Regards,
  KR

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• Running Risk analysis at User Level(CC)

  Hi
  Please Clear my query, wat is the difference between running the risk analysis at userlevel Violation count by Risk and Violation count by Permission.
  violation count by Permission, the total number of violations are 377,569.
  Violation count by Risk,the total number of violations are 11,716.
  Thanks & Regards

  Hi Karuna,
  When you perform Risk Analysis at User level and choose violation count by Permission/Risk. Here are the details of each analysis:
  1. Violation Count by Risk
  This analysis will display the count of how many SOD risks associated with the users existing in each business process like FI, HR, MM, PR, SD.
  It will display as a bar graph or pie chart. If you choose each of the business processes and drill down to the particular SOD risk,P001 then you can display how many users have that risk, P001
  2. Violation Count by Permission
  This analysis will display the count of SOD violations at the action/permission level associated with the users existing in each business process.
  If you choose the conflicting functions inside each SOD risk, and then expand on the permission tab you will understand why the huge number of violations it is showing.
  In the Risk information screen, in Conflicting Functions, click the AP02 u2013 Process Vendor Invoices link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values u2013 all come preconfigured out of the box.
  Choose the Permission tab. Expand Action F-42. Open an authorization object to show field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
  Hope this will help you understand better.
  Regards,
  Kiran Kandepalli.

• CC: Risk Resolution at user level.

  HI All,
  In CC 5.2 with latest patch level, I am facing an issue in Risk Resolution. When I do the Risk analysis at user level for a particular user and then do a detail Report and then try to do the risk resolution; there are standard three options:
  1. Mitigate.
  2. Remove Access.
  3. Delimit Access.
  from the user. Out of these three, the first one is working fine, but second and third are greyed out and I can not proceed with option 2&3. Have any one of you come accross such a situation or have any clues about the same. Also, my user has Admin rights to all the actions in the Admin role provided to me.
  Thanks a lot in advance.
  Have a nice day!!
  Regards,
  Hersh

  Hello Hersh,
  This functionality is not available in 5.2.
  Regards,
  Jagat
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:16 PM
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:17 PM
  Edited by: Jagat Bir Singh on Aug 1, 2008 6:52 AM

• Error while performing Risk Analysis at user level for a cross system user

  Dear All,
  I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
  The error is as follows:
  "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
  Can anyone please help.
  Regards,
  Gurugobinda

  Hi..
  Check the note # SAP Note 1121978
  SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
  Check for the following...
  CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
  ChangeThreadCountStep =50
  InitialThreadCount= 100
  MaxThreadCount =200
  MinThreadCount =50
  Regards
  Gangadhar

• GRC AC 10.0 Mass risk analysis vs. Role level analysis

  Hello GRC experts,
  I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
  For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
  But in the mass role risk analysis  and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activites maintained at all. We have created the MSMP workflow where all CUP requests with risks should go the the Security Stage. Now we have the situation that even though our roles are clean, they are forwared to the Security stage. It is a huge problem, because our security stage has no even more to to, than before using GRC! Because the dectivated objects are identified as risks.
  Please advise me, how to solve the problem. Did I missed some config parameters or is it a well known problem?
  We are on SP14, AC 10.0.
  At the single role level there are no risks displayed.
  Thanks in advance,
  regards
  Sabrina

  Hi Sabrina,
  check note
  http://service.sap.com/sap/support/notes/2036645
  Please let me know if it works.
  Regards,
  Alessandro

• Ideas for Providing User Level Data Backup and Restore

  I'm looking for ideas for implementing a user level application data backup and restore in an Apex app.
  What would be great is to have a user be provided an export file and a way to import this file. A bit overkill but hopefully never needed.
  Another option that is perfectly doable is a report that simply provides a means to create an export of the data. Since I already have an interface I can use an export to interface an export.
  Any thoughts?
  Hopefully I'm missing something already there for an end user to use.

  jlincoln wrote:
  "Do you mean "export" and "import" colloquially, or in the specific sense of the exp/imp/datapump utilities?"': I mean as in imp/exp Oracle utilities. Generally speaking, it would be neat to be able to export and import via an Apex an application. In this hosted environment I don't have that access but would this be a bad idea if you don't care about the existing data in the schema in which the data resides?I can envisage a mechanism using <tt>exp/imp</tt>, but since it requires <tt>dbms_scheduler</tt> external jobs and access to the file system it's highly unlikely to be possible in a hosted environment. (Unless you're doing the hosting?)
  Backup: Necessary for piece of mind and flexibility. I am working on a VB/Access user who does this today to get to the point when they can be comfortable with the backups occurring regularly and by the hosting site's DBA group.
  Restore: Like I said. I am working on a VB/Access user who does this today to get to the point when they can be comfortable with the backups occurring regularly and by the hosting site's DBA group. This is a very small data set. A restore would simply remove existing data and replace it with the new data.My opinion is that time would be better spent working on the user rather than a redundant backup and restore feature. Involve them in a disaster recovery exercise with whoever is hosting the environment to prove that their data is safe. Normally the inclusion of data in regular, effective database backups is sold as a major feature of APEX solutions.
  "What about security/privacy when this data ends up in uncontrolled environments?": I don't understand the point of this question. The data should not end up in uncontrolled environments. Just like the data in the database or its backups.Again, having data in a central, shared location protected by multiple levels of application, database, and OS security is usually seen as a plus for APEX over VB/Access. Exporting the data in toto to a PC/laptop that can be stolen or lost, and where it can be copied to USB drives/phones/email loses this protection.
  User Level: Because the end user must have access to the backup and restore mechanisms of the application.
  Application Data: The application data. Less than 10MB. Very small. It can be exported in a flat file downloaded by the end user. This file can then be used to upload and import via an existing application interface. For example.
  "I'm struggling to parse this for meaning.": When I say I have an existing interface I am referring to a program residing in the Apex application that will take data from a flat table structure (i.e. interface table), validate the data, derive data, and load into the target table structure.Other than the report export capability linked to above, there's nothing built-in to APEX that comes close to your requirement. If the data is simple enough that it can be handled in such a report, and you have a process that can read and recreate this export, then you have your backup/restore capability. If the data can't be handled in a simple report, then you'll need a more complex PL/SQL process to generate the file.

• Comman to take user level backup(tables and data in table for a particular)

  Hi ,
  I need to create a sql script to take user level back up i.e i need to take back up ,(export the tables and data in those tables in particular user) to my pc..
  i am able to do the same from unix command ,but not able to do the samq in sql script
  Please advice.

  Hi ,
  I need to create a sql script to take user level back up i.e i need to export the tables and data in those tables in particular user to my pc..
  i am able to do the same from unix command ,but not able to do the samq in sql script
  Please advice