Is it possible to conduct IT Risk Analysis with BPA?

Hi, my company has been working with BPA for a long time. I have been required to conduct an IT risk analysis process. I wonder if BPA could be my choice, since I am not 100% sure BPA can do that. Has anybody used BPA to perform a risk analysis?
Thanks

I am not 100% certain what IT risk analysis means, but you might want to explore the BPA simulator to see if it meets your needs.

Similar Messages

  • AE 5.2 cross system risk analysis with CC 4.0

    Hi,
    We have a unique situation.
    We have CC 4.0 (central) set up in ECC system where the rules and risks are defined for systems such as R/3, HR and SRM
    We need AE to use this central CC system to do the risk analysis when an access request for HR or SRM is submitted in AE 5.2. Right now, for a request to an HR system, risk analysis is being done in the HR system, where there are no rules and hence no risks are identified.
    Environment :
    CC 4.0 in  ECC 5.0 with VIRSANH RTA 520_640 Level 3 and VIRSAHR RTA 520_640 Level 2
    AE 5.2 JAVA in NW 7.0 SP level 2
    Risk analysis for access requests to the ECC system is done without any issues, and the connectors in AE are defined as well as CC 4.0 configuration for cross system is enabled.
    Please give your suggestions and also tell me if the scenario below is possible.
    Use a CC 5.2 Java standalone system and define a logical/cross system to connect to multiple systems such as HR and SRM and use those specific rules to do the risk analysis.
    Thanks

    Hi RM,
    You can set up Risk Analysis inside AE Configuration.
    You can identify the level of risk analysis and specify the Compliance Calibrator version for processing risks.
    See the details from the AE Configuration Manual
    In the Select Compliance Calibrator Version pane, from the Version drop-down list, select the version of Compliance Calibrator.
    In the URI field, enter the appropriate URI address for the web services.
    In the User Name field, enter your User ID. Your User ID must have security access
    to web service.
    In the Password field, type your password.
    Select the Perform Org Rule Analysis option to perform org. rule analysis at risk
    analysis time.
    Note: There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, User Name, and Password). For the URI field, you need to navigate to the
    SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web
    services in the server. Select the desired URI address.
    If you select Compliance Calibrator 4.0, there is no need to connect to a URI address.
    So the answer is YES, you can connect AE 5.2 with CC 4.0 for Risk Analysis.
    Hope this helps,
    Regards,
    Kiran Kandepalli.

  • AE 5.2 remote risk analysis with CC 520_640

    Hi,
    Can anyone please tell me if this scenario is possible.
    AE to do risk analysis in remote system by using CC rules defined in a central system.
    E.g. ECC system has mitigation rules defined for HR. ECC also has rules defined for Finance, MM etc.
    AE 5.2 will connect to the CC (ECC system) when processing a request and check the HR rules for the roles in AE to do a remote risk analysis before provisioning the access in HR box.
    ECC box has CC 520_640 - ECC 5.0
    HR box has CC 520_700 - ECC 6.0
    Is this possible at all? CC configuration parameters are enabled and defined to do a remote analysis.
    Risk analysis shows risks when a remote analysis is done in CC. But AE risk analysis shows no risks.
    Thanks

    Good question but quite confusing way to ask but anyways..
    As you said, you are able to perform risk analysis in RAR/CC on the considered system (remote system as you mentioned) but not able to perform the same in CUP/AE.
    From the symptoms it seems like the web service in AE for integration with CC to perform Risk Analysis is not configured.
    Please go to Configuration tab > Risk Analysis menu > Select CC version
    and enter the URL for the web service, it may be something like
    hostaddres:portno/VirsaCCRiskAnalysisService/config?wsdl&style=document
    or you can find it through following method.
    Go to Web Services Navigator (same location as for UME) and drill down to VirsaCCRiskAnalysisService and get the URL from there. Finally, enter the URL in the above-mentioned location.
    Then try performing the Risk Analysis on the considered system. If it is still not working and the web service is already configured and working for other systems, let me know. We will think in some other direction.
    Best Regards,
    Amol Bharti

  • Risk Analysis with "ALL" systems

    Gurus,
    I have a scenario where we have a rule set (not global) built on a logical system with 8 systems in it. We are trying to run the analysis with "ALL" systems instead of individual systems, as we are hoping that the analysis will be performed only on the systems that are part of the logical systems. My understanding of how the risk analysis runs may be wrong, but I need a second opinion on my assumption. Please do let me know if anyone needs more explanation.

    Hi Varma,
    The Risk Analysis System "ALL" is really all connectors and is not tied to the Logical System (LS). The LS defines which systems are applicable for the rules. If your LS has fewer systems than all the connectors, just keep in mind that this impacts the results.
    Example:
    Existing connectors = A, B, C, D, E, F (ALL = A-F)
    LS-1 = A, B, D, F
    Run the report for "ALL" systems/connectors and let's assume that every system has SOD issues. Your results would look like this:
    A = SOD violations
    B = SOD violations
    C = "no violations found"
    D = SOD violations
    E = "no violations found"
    F = SOD violations
    You would either need to add C & E to LS-1 or create a LS-2 with connectors C & E and create/upload rules for LS-2. Then ALL would find SOD violations for connectors A - F.
    Hopefully I didn't over-explain the question. Short answer is system "ALL" = all connectors and there is no choice to run the SOD report based on a specific LS.
    -Dylan
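
The coverage gap described in the reply above, as an added example (not SAP code and not from the original thread): a simplified SoD model in which a risk fires when a user holds an action from each of two conflicting functions. The rule `R001`, the action names, the user `jdoe` and the `NOT_COVERED` status are constructed for illustration; the connectors and LS-1 membership follow the post.

```python
# Constructed sample data mirroring the connectors in the post above.
ALL_CONNECTORS = ["A", "B", "C", "D", "E", "F"]
LS1_ONLY = {"LS-1": {"A", "B", "D", "F"}}

# Hypothetical rule set: logical system -> risk id -> two conflicting functions.
RULES = {"LS-1": {"R001": ({"CREATE_VENDOR"}, {"POST_PAYMENT"})}}

# Assumption from the post: every system has SoD issues.
ACCESS = {c: {"jdoe": {"CREATE_VENDOR", "POST_PAYMENT"}} for c in ALL_CONNECTORS}


def rules_for(connector, logical_systems, rules):
    """Collect the rules of every logical system that contains the connector."""
    found = {}
    for ls, members in logical_systems.items():
        if connector in members:
            found.update(rules.get(ls, {}))
    return found


def analyze(connectors, logical_systems, rules, access):
    """Run the analysis per connector, separating 'clean' from 'no rules apply'."""
    report = {}
    for c in connectors:
        applicable = rules_for(c, logical_systems, rules)
        if not applicable:
            # The report described in the post shows this as "no violations found".
            report[c] = {"status": "NOT_COVERED", "violations": []}
            continue
        hits = sorted(
            (user, risk)
            for user, actions in access.get(c, {}).items()
            for risk, (f1, f2) in applicable.items()
            if actions & f1 and actions & f2
        )
        report[c] = {"status": "VIOLATIONS" if hits else "CLEAN", "violations": hits}
    return report


def uncovered(report):
    """Connectors whose empty result means missing rules, not absence of risk."""
    return sorted(c for c, r in report.items() if r["status"] == "NOT_COVERED")


if __name__ == "__main__":
    before = analyze(ALL_CONNECTORS, LS1_ONLY, RULES, ACCESS)
    print("uncovered with LS-1 only:", uncovered(before))
    # Second option from the post: create LS-2 for C and E and load rules for it.
    with_ls2 = {**LS1_ONLY, "LS-2": {"C", "E"}}
    rules2 = {**RULES, "LS-2": RULES["LS-1"]}
    after = analyze(ALL_CONNECTORS, with_ls2, rules2, ACCESS)
    print("uncovered with LS-2 added:", uncovered(after))
```
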

  • PRA settings for quantitative risk analysis

    Can anyone help identify where the settings are in P6 v8 in order to conduct a risk analysis?
    Edited by: 839975 on 26-Feb-2011 13:47

    Hi there,
    There are no specific settings in P6. You export the schedule and import it in PRA, map risks in the register to activities, then run the analysis. Hope this helps.
    Regards,
    H

  • GRC_10 Risk Analysis Report

    Hi,
    I should extend the risk analysis report with more details from different tables; they hold special role details.
    I haven't found an idea how to do this.
    Could I extend the standard report for risk analysis with more columns?
    Is there something like user.exits or enhancement-points?
    Thank you very much indeed
    best regards
    Alex

    Hi Alex,
    Did you have a chance to look at standard SAP Help information about different types of reports and information available?
    If not yet, please take a look at:
    Risk Analysis Reports - SAP GRC Access Control - SAP Library
    What information exactly would you like to add to reports?
    Standard reports can be customized by adding some additional fields which are hidden in standard view.
    There is also an option to add custom fields and data.
    Let us know,
    Filip

  • CC 5.2 - Risk Analysis on existing roles

    Hello,
    When I submit a change request via AE 5.2 in order to add a role to an existing user,
    does CC 5.2 perform the risk analysis on the user's corresponding roles (existing roles + new one) or only on the role to be added?
    Thank you for your answer.
    Abderrahim

    Hi Abderrahim,
    Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
    Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
    Regards,
    Raghu

  • AE 5.2 - Risk Analysis problem

    Hello,
    I am facing an issue with AE 5.2. When I create a request to assign roles and perform Risk Analysis, I get some SOD violation messages.
    I copy the same assigned roles and paste them in CC 5.2 -> Informer -> Risk Analysis -> Role Level and I have no conflict!
    Can you please advise why I have conflict with AE and not with CC?
    Thank you very much indeed,
    Cheers,
    Abderrahim

    Hello,
    In fact, it was only a false positive issue because:
    In CC I perform a risk analysis with Permission Level option.
    However, I get risk violation in AE with Critical Transaction for the same role.
    The right way is to run risk analysis in CC with Critical Actions.
    Thank you for your collaboration.
    Regards,
    Abderrahim

  • GRC Risk analysis reports are not checking all possible risk conflicts set up in the rule set that lead to risks.

    Dear All,
    After running the risk analysis it shows only the first conflict for a risk in the rule set (Rule ID 0001). We have already generated the SOD ruleset. Also, during migration from 5.3 to AC10.1 all the rulesets were imported properly.
    What could be the reason?
    Thanks for your help.
    Regards,
    Abhisshek

    Abhisshek,
    there is already a thread with the same question:  Dear all I only get result for one rule id and not with others what should be an issue?
    Regards,
    Alessandro

  • Error while performing Risk Analysis at user level for a cross system user

    Dear All,
    I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
    The error is as follows:
    "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
    Can anyone please help.
    Regards,
    Gurugobinda

    Hi..
    Check the note # SAP Note 1121978
    SAP Note 1121978 - Recommended settings to improve performance risk analysis.
    Check for the following...
    CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
    ChangeThreadCountStep =50
    InitialThreadCount= 100
    MaxThreadCount =200
    MinThreadCount =50
    Regards
    Gangadhar

  • AC 5.3 Risk Analysis to SRM 7.0

    Hi SAP experts.
    I would like to know if it's possible to execute a Risk Analysis through an SRM 7.0 module, and, instead of transactions, if it is possible to use the webdynpro links like actions or tcodes.
    My doubt is based on the fact that in SRM 7.0 the proper tcodes like BPP* are not used in this release, and these are changed by webdynpro links. Is it possible to use those links as tcodes for the SoD Matrix?
    Thanks in advance.
    Regards.

    Hi Kunal.
    Firstly, thanks a lot for your support.
    In addition, I know that with the previous release of SRM, it is possible to connect SAP GRC AC with SRM. But if I create a connector like to a SAP system from GRC to SRM, do you think that it is impossible to associate that kind of webdynpro links as an AC action?
    On the other hand, if instead of creating an SAP connector, I create a connector like a NON SAP system from GRC to SRM, could this be a possible way to match Access Control actions with SRM webdynpro links?
    And finally, is it possible to execute a RAR analysis on a possible Cross-System between ECC and ERM (configured as NON SAP system)?
    Thanks in advance.
    Regards.

  • Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

    Hi,
    We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation.
    When we defined the role and maintained authorization data and proceeded without running risk analysis, the role moved to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon clicking Save & Continue it proceeds to further stages.
    Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to the next stage?
    We already set the parameter 3011 as YES - Conduct Risk Analysis before Role Generation.
    Thanks and Best Regards,
    Srihari.K

    Hi,
    Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
    "Set the value to YES to automatically perform risk analysis when the user generates roles."
    This parameter applies only at generation stage.
    Cheers,
    Diego.

  • SAP GRC 10.0 ARA - Risk Analysis Job naming

    Dear all,
    Once I trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at backend. But at Business Client I put a specific naming for this role. Could it be possible to change these backend namings? It is impossible for me to recognise which job is which...
    Thank you in advance,

    Hi Sara,
    Please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM).
    Regards,
    Markus

  • GRC 10 - Risk Analysis in legacy system

    Hi everybody,
    I have a problem with legacy connectors in GRC 10. I implemented the note 1594963. So, I created the legacy files and stored them on the GRC server.
    When I run the user synch, the legacy connector only synchs the first record.
    Can someone help me? Has anyone implemented a risk analysis for legacy systems?
    Regards,

    Hi Claudio Ekel,
    Can you share some inputs on the Legacy Risk Analysis?
    We have configured the Legacy Connector as per the note 1594963, placed the files on the server and tried running Synchronization Jobs. But the data is not getting uploaded to GRC10.
    We made sure that the text files are in UTF-8 format.
    Is it mandatory to load all the 11 files that are provided in the note 1594963? We have excluded the Profile related files.
    Can you share a sample of the Legacy file formats that you have used for the sync?
    Can you throw some light on what could be the possible issues for data not getting uploaded to GRC10?
    Regards,
    Pavan Muthyala

  • Q&A for Live Expert Session "Enhanced Risk Analysis on AC 10.0"

    Hi,
    Please find below the questions that we could not address during yesterday's sessions. If you have any further questions please create a new discussion in the forum.
    Thanks,
    Luis
    Q: Is it still possible to filter by user group using all rule sets at once?
    A: Yes, in 10.0 you can combine as many conditions as needed. In this case you would select all rulesets that apply and also the user groups.
    Q: Are user groups linked to users per system, or still as in 5.3 only the first system the user is found?
    A: In the user information screen only the user group from the details data source will be shown.
    Q: Have there been any enhancements made to the simulation functionality?
    A: Yes, the simulation allows the use of multiple combinations of fields, as in the new risk analysis. We can now do simulation on Business Roles. There is also a new UI providing a step-by-step process for defining the simulation criteria, allowing you to easily simulate changes at action, role and profile level in a single run.
    Q: Is it possible to restrict access to risk analysis or changing risks, functions on an organisational level for these employees (e.g. HR, Marketing, Finance etc.)?
    A: You can restrict access to specific components using standard authorizations, please refer to the Security Guide. Also such changes can be subject to workflow which can be customized to specific approvers.
    Q: How is the offline risk analysis done on 10.0?
    A: The process is the same as in 5.3. A Batch Risk Analysis must be scheduled and the "Offline Data" flag in the risk analysis must be checked.

    Hi GRC Team,
    Please help me on this. I am waiting for your reply.
    Regards,
    KR
