Issue in ERM - GRC AC 10 - Is risk analysis not mandatory
Hi,
We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
When we define the role, maintain authorization data and proceed without running risk analysis, the role moves to the next stage without any warning that "Risk Analysis is Mandatory". Upon clicking Save & Continue, it proceeds to further stages.
Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to the next stage?
We already set the parameter 3011 as YES - Conduct Risk Analysis before Role Generation.
Thanks and Best Regards,
Srihari.K
Hi,
Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
"Set the value to YES to automatically perform risk analysis when the user generates roles."
This parameter applies only at generation stage.
Cheers,
Diego.
Similar Messages
-
GRC AC 10.1 - Risk Analysis: No rules were selected
Hi All,
I'm currently configuring the ARA module in GRC AC 10.1, and am facing this issue. When I run my User Analysis, it's throwing an error message "No rules were selected".
As per your suggestions from discussions, I double checked all the below activities:
Activate the BC sets
Run Sync Jobs
Run Batch Risk Analysis
After all this I found that the functions are not mapped to the logical groups (Back-end Systems) I have defined. Can you please let me know how to make sure you have the correct back-end system (logical group) updated for the functions in the setup? Don't the configurations (Connector/Connector Groups etc.) already map the functions to the back-end system? It would be a hell of work to do all the system mapping on function level manually.
Hi Narsimha
You need to map your connectors to the logical systems that are used in the function definitions
Look at your integration framework Setup in the IMG.
Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
Also, for 10.1 there was an issue with logical systems. It may be that your configuration is correct: Re: GRC 10.0 SP14 - Poblems when generating rules for logical systems
Regards
Colleen
-
SAP GRC 10.0 ARA - Risk Analysis Job naming
Dear all,
Once I trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at the backend. But at Business Client I put a specific naming for hits role. Is it possible to change these backend names? It is impossible for me to recognise which job is which...
Thank you in advance,
Hi Sara,
please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM)
Regards,
Markus
-
GRC AC 10.0 Risk Analysis -Risk Terminator Vs BRM-Role Management
Hi All,
After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085 and 3011, 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM too has a whole lot of new features which supersede RT.
Best Regards,
Vishal
Hi Vishal,
The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
The parameter descriptions in question are:
1085 - Stop Role Generation if violations exist
3011 - Conduct Risk Analysis before Role Generation
3014 - Allow role generation with Permission Level violations
Regards, Simon
-
GRC AC 10 - batch risk analysis does not bring results
Hi all,
When I perform a batch RA the job ends quickly and brings no results. It takes like a sec per user.
I am running it from rules that came from a Logical group. When I upload the rules to a physical system it brings results.
What can I do??
Hi Kailash,
Does this issue occur with other dashboard reports too or only with risk violations?
Also, can you check if the batch risk analysis has been successfully completed?
Thanks
Sammukh
-
GRC AC 10 (BRM) Risk Analysis Report type is editable
Hi,
In GRC10 – BRM Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
When I start to create a role, in the Risk Analysis step Permission Level is always selected. The selection is fine, as this is configured this way (Parameter in SPRO 1023 - Default Report Type for Risk Analysis). But the option to deselect "Permission Level" exists.
As you can Permission level is always selected and not editable?
Regards
Hi,
I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
Also, if we change default value of check box, Cristian can set non-editable fields through SE80.
-
GRC 10.0 Adhoc Risk Analysis
Hi Guys,
Is there any risk or chance of losing data if the below listed tables are cleaned up?
GRACSODREPDATA
GRACSODREPINDEX
GRACSODREPSTATUS
I just wanted to know if these tables are cleaned up and if we want any historical data may it be tcode analysis report or risk analysis report, can we get the historical data?
Thanks & Regards
Ratan
Dear Ratan,
you should study the following document: http://service.sap.com/sap/support/notes/1580877
Regards,
Alessandro
-
GRC 5.3: CUP risk analysis VS. RAR risk analysis
I've installed and configured RAR and CUP. When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts. When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged. Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?
>
Frank Koehntopp wrote:
> I guess the behaviour is on purpose.
>
> In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
>
> In CUP, you do want to see any kind of risk that might arise from a role assignment to a user.
>
> I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???
Hi Frank,
I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) than Permission Level Risks Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigates appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimately simulate if adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
Let me know if I need to clarify further.
-
Risk Analysis not performed when using IDM WS
Hi ,
We are using the SAP delivered IDM WebService for submitting Access requests to CUP 5.3 SP8 Patch1.
We have defined the properties:
1. Perform Risk Analysis on Request Submission - YES
2. Risk Analysis Mandatory (approval stage) - YES, When Access Changed
3. Approve Request Despite Risks - NO
(This setting will enable the approver to approve the access request without performing a Risk Analysis, if the initial risk analysis doesn't identify any risk with the access request. But if there are risks, the approver needs to mitigate the same before he can approve it.)
But we have found out that when submitting a request through the SAP Delivered IDM WS -'SAPGRC_AC_IDM_SUBMITREQUEST', the system DOESN'T perform RA during request submission. But when the request is submitted directly in CUP, it does.
We've referred the Note:1168508 where it's mentioned that this issue is being fixed with SP7 Patch 1. But we are already on SP8.
The Note says:
"The following issues are resolved as part of Support Package 7 Patch 1:"
and the last bullet point states that:
"While submitting a CUP Request from web service, if the flag for Risk Analysis on submission is set not performing the Risk Analysis on submission."
This feature was not working before and hence thought SAP has fixed it as mentioned in the Note. Has anybody succeeded in getting this feature working???
Thanks & Regards,
Anil
Yes Dries, we have tried both and we happen to see some exceptions on request submission thru WS.
But the request is still getting created. I've an open tkt with SAP to follow it up. I'll update once I get this fixed.
Exception Details:
Exception during EJB call, Ignoring and trying Webservice Call [EXCEPTION] com.virsa.ae.service.ServiceException: Exception in getting the results from the EJB service : com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/w...
Full Message Text
Exception during EJB call, Ignoring and trying Webservice Call
com.virsa.ae.service.ServiceException: Exception in getting the results from the EJB service : com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:294)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:418)....
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by: java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.execRiskAnalysis(RiskAnalysisEJB53DAO.java:304)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:276)
... 44 more
Thx,
Anil
-
Risk Analysis not highlighting SODs for critical transactions
Hi,
I am currently experiencing a problem when running risk analysis for critical transactions.
SOD conflicts are not always being detected for critical transactions. This is happening both in role expert while creating a role and during role simulation in CC. For example risk BSSC, SU01 does not produce a violation when added to a role, but SOY1 does.
It seems to be happening consistently. If a transaction in risk BSSC has a permission object associated with it in the ruleset, a violation(at tcode or object level) is not detected by the risk analysis even when this authorisation object is maintained with the same value as in the rule set. If the transaction has no permission objects specified in the ruleset, then a violation is detected at tcode level analysis.
These transactions are standard transactions in the ruleset and have not been changed in any way. I have checked the rules and there are critical action rules for both transactions.
Has anybody experienced similar problems?
Hi..
Check the note # SAP Note 1121978
SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
Check for the following...
CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
ChangeThreadCountStep =50
InitialThreadCount= 100
MaxThreadCount =200
MinThreadCount =50
Regards
Gangadhar
-
Org Level Risk Analysis not running in 5.2
I have installed Compliance Calibrator 5.2 and most of the functionality is working fine except for the Org. Level analysis. When I run this in foreground or background I get "No match/conflict found" which would be great except I know full well there are conflicts.
When I looked at the log of the background job I spotted this:
INFO: Job ID:35 : # objects to analyse: 0
It looks like the job doesn't look at any users. I presume this is a problem with my configuration. Has anybody had a similar problem or know what I need to change?
Thanks,
Mark
Hi Mark,
Have you executed the User Synchronization in order to retrieve Users ID from backend into CC database?
Please, keep in mind that you also need to execute the Org. User Mapping functionality.
Furthermore, set within Configuration tab, the option to take into consideration Org. Rules.
Hope it helps. Best regards,
Imanol
-
Risk Analysis Failing in ERM 5.3
Hi All -
I would appreciate some assistance with pin-pointing an issue that I'm having with running Risk Analysis on roles in ERM. Currently I have RAR configured with the appropriate rule set and generating the expected risk/SoD conflicts for users & roles. I have also added the appropriate Web Service Info. in the Misc section under the configuration tab (url, user, pwd) for all sections associated with RAR integration.
Now when I run a risk analysis on a particular role in RAR I get the correct conflicts; however, when I get to the Risk Analysis stage with ERM I receive the following error:
Risk analysis failed; Cannot assign NULL to host variable 5. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO VT_RE_RSK_OBJRULES (OBJCODE, OBJDESC, OBJFLDCODE, OBJFLDDESC, VALFRMID, VALTOID, COND, RSKVIOLID) VALUES(?, ?, ?, ?, ?, ?, ?, ?)".
I also get this error when trying to run Mass Maintenance --> Risk Analysis:
Risk anaysis for role "XX:XXXXX" failed
Before I was getting error: "Risk Analysis performed successfully; No Risk Found" so I referenced SAP Note 1265964 and applied all solution steps.
Lastly here is the error log:
2010-01-14 14:59:28,768 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.re.role.actions.RiskAnalysisAction
java.lang.Throwable: Cannot assign NULL to host variable 5. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO VT_RE_RSK_OBJRULES (OBJCODE, OBJDESC, OBJFLDCODE, OBJFLDDESC, VALFRMID, VALTOID, COND, RSKVIOLID) VALUES(?, ?, ?, ?, ?, ?, ?, ?)".
at com.virsa.re.bo.impl.RiskAnalysisBO.saveObjViolations(RiskAnalysisBO.java:906)
at com.virsa.re.bo.impl.RiskAnalysisBO.performObjLvlRiskAnalysis(RiskAnalysisBO.java:824)
at com.virsa.re.bo.impl.RiskAnalysisBO.performRiskAnalysisOnSystem(RiskAnalysisBO.java:214)
at com.virsa.re.role.actions.RiskAnalysisAction.performRiskAnalysisOnMultipleRoles(RiskAnalysisAction.java:609)
at com.virsa.re.role.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:112)
at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:286)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Any help would be greatly appreciated - Thanks in Advance!
Going to repost
-
Getting "Risk Analysis Failed " error while raising request from IDM
Hi friends,
Some of the User to Role mapping requests from IDM did not reach CUP (request ID = null). On checking the VDS log, we found the error from the GRC webservice to be Risk Analysis Failed. We thought it might be an RAR issue; however, the request just got through CUP when submitted from the GRC webservice directly. From the RAR perspective also, everything looks ok.
Please provide your thoughts as to whether this error is pertaining to some other issue or suggest what I can check in Identity Center to correct this.
Thanks in advance for your help.
The connector setups are all looking correct. However, the requests are not getting raised in many cases.
At one point we identified that, since our SAP systems have been migrated to DB2, some of the systems were down.
So we decided that risk analysis is failing when the system is down. However, now the systems are up and running and still the risk analysis is failing.
-
ARA: Excluded Roles considered for Risk Analysis???
Hi,
There are certain roles which are to be excluded from risk analysis for some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
Actually, these roles are available in all the systems. Therefore, under the "System" column I have selected "ALL" and saved the entries.
I ran risk analysis for a specific business process (the above roles belong to this business group) and surprisingly found that those roles which are maintained as "Excluded" are shown in the risk analysis report as violating!
Thinking that the "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk analysis, but with no luck.
Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
May I know why system is considering these "excluded" roles at the time of risk analysis?
Please advise.
Regards,
Faisal
Alessandro,
I think the "excluded" objects in path:
SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
I don't think that the objects maintained in the above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis, and they will NOT be considered.
Please correct me, if required.
Secondly, I found 2 relevant posts here on SCN:
SAP GRC Access Control: Offline-Mode Risk Analysis
SAP GRC 10.0 Offline Risk Analysis
Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable the (Offline Data) option from the analysis screen just to avoid any confusion.
Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
May you please let me know in which scenario this would be useful?
Regards,
Faisal
-
GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job
All -
We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However, we have instances where there are other users in these groups that have other roles in addition to these excluded roles that need to be checked.
Does anyone have any recommendations for how to exclude roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
Thanks,
Darnell
Hi,
Was a solution found for this error?
Thanks,
Glen