Need to exclude certain risks in Risk Analysis and Remediation (5.2)

Hello Experts,
My requirement is I need to exclude certain unwanted risks whenever I execute the simulation for a user or an SAP role. We had this provision in the ABAP version of compliance calibrator 4.0. But we are not able to do the same in the upgraded 5.2 risk analysis and remediation.
Can anyone please provide a solution to this problem or some workaround. Thanks in advance.
Best Regds,
Suyog Chakot...

Hi,
there are several options:
- you can disable single risks in rule architect.
- you can create a second rule set that only checks the roles you want to check on
- you can mitigate certain roles or users to exclude them from analysis
The options are all there - depends on what exactly you want to do.
Frank.

Similar Messages

  • Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

    Hello Forum,
    I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC)
    I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3
    I found a process that will unload the data from CC 4.0 and be imported into RAR 5.2
    I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet
    Currently, I have the following definitions:
    Business Process 6 entries
    Functions 47 entries
    Risks 147 entries
    Mitigating Controls 40 entries
    Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software
    I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls
    Thanks for your responses in advance
    Jerry
    Ryerson, Inc

    Thanks for the reply
    I have the migration guide and have reviewed it; I have actually played around a bit with obtaining the file from CC 4.0; I found that the data records may need some adjustments to be compatible with RAR 5.2; one of the reasons that may be leading me to do everything from scratch
    The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area
    I'm not sure if they were mixed with the defaults
    I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rules set but I expect to find out
    Thanks again for your reply
    Jerry

  • Cannot find CCRTAWS at Access Control Risk Analysis and Remediation?

    I am looking for the Web service CCRTAWS  in Access Control Risk Analysis and Remediation.
    But I cannot find it.
    Could you help? Thanks a lot!

    Ashley,
       Go to main page of WAS (Web application server) where AC 5.3 is installed. It would be
    http://(servername):(port)/index.html [Replace servername and port with the actual servername and port number]
    Click on Web service navigator (First link on right side). This link will show you all the web services installed. Search for CCRTAWS. I can see it in my AC installation.
    Regards,
    Alpesh

  • Stopping Background job in Risk Analysis and Remediation

    Hi,
    We have scheduled background job for Batch Risk Analysis in CC 5.3. Later we have terminated that job for some reasons. But that terminated job status is showing as Stopping from past 3 days. How we can cancel that job?
    We have restarted the J2EE server but the job is still running. Please suggest me how we can stop that job immediately.
    Regards,
    KKRao.
    Edited by: KKRao_2020 on May 12, 2009 9:14 AM

    Hi,
    If you have access to oracle backend then I can tell a workaround for this issue,
    when the job is in stopping status then you can delete an entry from VIRSA_CC_JOBHST table.
    The command is
    SQL> delete from  VIRSA_CC_JOBHST where jobid=your jobid and status=3;
    After running this command the job in the RAR will show aborted status then the delete button will be enabled and if you want then you can delete that job from RAR screen.
    Regards,
    Sudip.

  • Risk Analysis and Remediation Mitigating Control Monitoring Alerts

    Hello,
    We have configured an alert for a Mitigating Control.  The Monitor must execute the report every day (report frequency = 1) or an alert email is sent to the Risk Owner.
    The Risk Owner receives the Alert email and the Alert is logged on the Alerts tab only for the first two days after the report is not executed by the Monitor.  Is there a setting somewhere that controls why the alert is not generated after two days?
    thanks
    Tammi

    Correction.
    The email is only sent for 2 days.  The alert is logged on the Alert Monitor tab every day.

  • Custom Tabs in Risk Analysis and Remediation

    In the configuration Tab of the RAR, one has the ability to add 3 custom tabs. These custom tabs appear to the right of the Configuration Tab. The name which brings up the tab is appended at the end of the url as mentioned in the configuration guide. For example if you append "CCdebugger" the Debugger tab is appended.
    Does anyone know what other tabs can be added and how does one go about finding the names of the tabs that can be appended like the one example shown above? The configuration guide does not provide any list of tabs that can be attached in this way. (Granted the maximum at a time is 3).
    Would appreciate your help and input on this.
    Thanks

    Hello Arun,
    You can add in custom tabs any webservice (webservices urls can be found in UME Web Services Navigator) or any other link even external (as a webmail or a google search bar!).
    You are free to configure your custom tabs according to your needs, but do keep in mind that custom tabs are common to all users!
    For information here are 3 tabs we have chosen to configure:
    debug mode : .../webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?debug=1
    CC Background daemon : .../sap/CCBgStatus.jsp
    Thread follow up : .../sap/CCADStatus.jsp
    Hope this helps,
    Kind regards,
    Sophie Planchais
    Edited by: Sophie Planchais on Sep 3, 2008 1:52 PM

  • Under F110 t-code, I need to exclude certain vendor #'s in this range. How

    Hi,
    Under F110 t-code I generally pull in a range of vendor #'s (ex: 850000-999999) and have come across a situation where I need to exclude certain vendor #'s in this range.  Need to know if we can get an exclusion parameter.
    Pls let me know what could be the procedure to come out from this type of situation.
    Please let me know what can be done or if there is currently a way within F110 to do this without skipping vendor on proposals.

    hi,
    After entering the company code and Vendor number, execute it and you can see all the vendor balance invoices and select the invoices for which you want to clear the amount. After this you run the APP; only the open invoices can be cleared......
    OR
    In F110 while running the Payment Proposal click on that and you can see the list of the invoices, or the Vendor for which you want to clear the amount, and double click on it. Again get back to the previous page and press enter.
    Hope this solution is enough.....
    Ranjit

  • SAP GRC AC: Organizational rules at Batch risks analysis and Dashboards

    Dear All.
    I would like to know GRC AC is able to consider the organizational rules defined (for example: risk only affected to Company, BUKRS 0001) at the Batch risks analysis and at the Dashboard. I already know that for the ad-hoc reporting you can filter by the Org.rules created but i would like to know if this filter is also able for the Batch risks analysis.
    Thanks and regards.

    Dear all.
    As per my knowledge this parameter only sets the flag of Consider Org.Rules at the filters. This is what the guide indicates:
    "Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and
    Role Maintenance screens."
    So how are you so sure about that indicating this flag to YES will take into consideration the org rules at the Dashboards?
    Regards

  • AC10 - Auto risk analysis and auto mitigation

    Hi,
    I was wondering if it is possible to
    - run an automatic risk analysis at the end of an approval stage of the workflow, the same way it is possible to configure at the time of request sending?
    - automatically put a mitigating control in the request for the risks found?
      In our case, there is only one mitigating control for each risk and the assignment of the control is an unnecessary manual task to perform. The mitigation assignment will be approved in a separate WF by the mitigation owner.
    It seems there is no out of the box solution to this, so any alternative suggestions are welcome.
    Thanks,
    Daniela

    Hi Daniela,
    If I may give my opinion, I would probably break your question down into 2 parts.
    1) Auto Risk analysis at the end of a stage - Making "Risk Analysis Mandatory" at that stage is probably the method. Unfortunately this does mean clicking one or two buttons (so not fully automated). Think AC uses this method to ensure the reviewer is aware of the conflicts caused etc.
    2) Auto Mitigation - For a business access workflow in a 'Live' situation, this is probably not a good idea,  as analysing and making the decision on whether to proceed with the request should really be performed by an actual person responsible for that stage in the work flow e.g. Role Owner or Security Lead etc. You would not want to mitigate all risks automatically (if I have understood correctly that you have a mitigation per risk ID). In theory, an automated mitigation process would mitigate all risks without discrimination.
    On a side note, there is a configuration setting under SPRO for Access controls as follows
    "Risk Analysis- Access Request : Param ID 1072 - Mitigation of critical risk required before approving the request". By enabling this configuration, you could force a mitigating control to be applied to any user requesting Critical Access.
    Hope this helps.

  • I need to save crash logs locally for analysis, and not send to Mozilla

    I would like to find a way to save crash logs locally, and not have them sent to Mozilla. Is this possible?

    Is there a reason you don't want to send them to Mozilla? There is no personally identifiable information in the logs, and they are incredibly helpful in diagnosing crashes. There is a way you can generate crash dumps locally, but it's not nearly as easy as sending them to our servers to processing and then reading the logs there.
    Also, update to the latest version of Firefox (21)

  • Error Creating Request - Risk Analysis in CUP

    Initially, we had the issue of not being able to create requests in CUP. I read around and found out that I needed to go to Configuration > Risk analysis and change the "Perform Risk Analysis on Request" to No. I tested and I was able to create a request. This tells me that SOMETHING is wrong with the Risk Analysis in CUP. So since it's a Risk Analysis error, I went into a request and selected Run Risk Analysis and got the following error.
    "Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html' "
    But before anything, I just want to verify if it's an authorization error with our web services id. Any input?
    Thank you,

    1. In the CUP Configuration-> Risk Analysis.
    Under the section "Select Risk Analysis and Remediation Version"( or "Select Compliance Calibrator Version" for version below CUP 5.3) make sure that the following web service is given in the URI, if the "Version" selected is above 4.0.
    "http://<servername>:<portnumber>/VirsaCCRiskAnalysisService/Config1?wsdl&style=document"
    In the server name and port number, enter the corresponding entries of the Compliance Calibrator (CC) or (Risk Analysis and Remediation (RAR)) server entries on which it is installed.
    The User given under this section should have the administrator access for the CUP and RAR.
    CUP is 5.3 and we have the correct URL. The user is given the following roles:
    AEADMIN
    CC_Administrator
    VIRSA_CC_ADMINISTRATOR
    Please review the attachment for the list of actions in these roles. Please let me know if there is an action that the webservice id should have. In the link below, be careful of all the download buttons. Choose the "Save file to your PC: click here" link and open the file. (not save)
    http://www.2shared.com/document/8dOC7v6E/actions.html
    2. Make sure that the user provided in the CUP connector has the access for connecting to RAR and it should also have the administrator rights of the RAR.
    Should the access be provided from the roles/actions from above?
    3. Make sure that the password of both the users given in the above points is not expired i.e. they have been reset in UME.
    You can check the same by once logging into the UME through that users. In case it asks for the password change, then the password is expired and you need to change the password and give the new password in the CUP.
    Should the password ever expire for this ID? I will double check on the password.
    4. The logon language of both the above users should be maintained in UME.
    I am not sure how to check this, please advise.
    5. Also check that the connector in the RAR is working and is able to connect to the backend SAP system.
    I tested the connection in CUP and connection was successful. How can I test the connection for RAR?
    Thank you in advance,
    Edited by: Eric Lau on May 17, 2010 6:41 PM
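
Added example (not part of the original thread and not SAP code): the error quoted above says the client found content type 'text/html' where it expected an XML reply, so this script classifies what the configured web service URI returns and points to the matching item of the checklist in the reply. The function names, the result labels and the use of HTTP Basic authentication are assumptions.

```python
import base64
import urllib.error
import urllib.request

# Media types a SOAP/WSDL endpoint normally answers with.
XML_TYPES = {"text/xml", "application/xml", "application/soap+xml"}

# Which item of the checklist in the thread to look at for each outcome.
HINTS = {
    "ok": "endpoint answers with XML; the URI and user are usable",
    "wrong-uri": "check the URI in CUP Configuration > Risk Analysis (item 1)",
    "auth-rejected": "check the user's access and password expiry in UME (items 2-3)",
    "logon-page": "credentials were not accepted; a logon form came back (items 2-3)",
    "html-error-page": "server returned an HTML error page; read the server log",
    "soap-fault": "service reached, but it returned a fault; read the fault text",
    "unexpected-content-type": "reply is neither XML nor HTML; inspect it by hand",
}


def media_type(content_type):
    """Strip parameters such as charset from a Content-Type header value."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def diagnose(status, content_type, body=""):
    """Classify one HTTP reply from the risk-analysis web service URI."""
    kind = media_type(content_type)
    if status in (401, 403):
        return "auth-rejected"
    if status == 404:
        return "wrong-uri"
    if kind in XML_TYPES:
        return "ok" if status == 200 else "soap-fault"
    if kind == "text/html":
        # A password field in the HTML means a logon form was served.
        if 'type="password"' in body.lower():
            return "logon-page"
        return "html-error-page"
    return "unexpected-content-type"


def probe(url, user, password, timeout=10):
    """Fetch the URI with HTTP Basic auth (assumed to be accepted) and classify it."""
    # Basic auth is only Base64-encoded: use the server's https:// port if it has one.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as reply:
            head = reply.read(4096).decode("latin-1")
            return diagnose(reply.status, reply.headers.get("Content-Type"), head)
    except urllib.error.HTTPError as err:
        head = err.read(4096).decode("latin-1")
        return diagnose(err.code, err.headers.get("Content-Type"), head)


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real system.
    samples = [
        (200, "text/xml; charset=UTF-8", "<wsdl:definitions/>"),
        (200, "text/html; charset=UTF-8", '<form><input type="password"></form>'),
        (500, "text/html", "<html><body>Application error</body></html>"),
        (401, "text/html", ""),
    ]
    for status, ctype, body in samples:
        label = diagnose(status, ctype, body)
        print(status, ctype, "->", label, "|", HINTS[label])
```

Run `probe()` from the CUP server itself with the same URI and service user that are entered in the configuration screen, so the result reflects what CUP actually receives.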

  • CUP-RAR Risk Analysis error

    Hello experts,
    When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risk(0 risks found), However when the role is added to the user in RAR simulation, there are Risks.
    Similarly,
    When an approver does risk analysis for a role in CUP before approval, the system shows 0 risk(0 risks found), However when the role is analysed in RAR, there are Risks.
    I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
    When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
    Many thanks,

    Hello Raghu
    Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
    Also I would suggest going to:
    1. CUP - configuration -Risk analysis - And see if the web service link for Risk analysis is correct.
    Better would be to go to Netweaver Administration -Webdynpro console -and get the correct link.
    2. CUP -configuration - Mitigation and here also put the correct link for all four options there i.e. (Risk analysis, Mitigation etc),
    Hopefully this should solve the problem. I don't think it is related to org level.
    If problem still persist, kindly paste the log.
    Best Regards
    Asheesh

  • ARA: Excluded Roles considered for Risk Analysis???

    Hi,
    There are certain roles which are to be excluded from risk analysis for some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
    Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
    I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
    Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk analysis, but with no luck.
    Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
    May I know why system is considering these "excluded" roles at the time of risk analysis?
    Please advise.
    Regards,
    Faisal

    Alessandro,
    I think the "excluded" objects in path:
    SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
    itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
    I don't think that the objects maintained in above path will have any importance while performing Risk Analysis from (NWBC->AM->Roles Analysis) and will NOT be considered.
    Please correct me, if required.
    Secondly, I found 2 relevant posts here on SCN:
    SAP GRC Access Control: Offline-Mode Risk Analysis
    SAP GRC 10.0 Offline Risk Analysis
    Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
    I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
    Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
    May you please let me know in which scenario this would be useful?
    Regards,
    Faisal

  • AE 5.2 cross system risk analysis with CC 4.0

    Hi,
    We have a unique situation.
    We have CC 4.0 (central) set up in ECC system where the rules and risks are defined for systems such as R/3, HR and SRM
    We need AE to use this central CC system to do the risk analysis when an access request for HR or SRM is submitted in AE 5.2. Right now for a request to a HR system, risk analysis is being done in HR system where there are no rules and hence no risks are identified.
    Environment :
    CC 4.0 in  ECC 5.0 with VIRSANH RTA 520_640 Level 3 and VIRSAHR RTA 520_640 Level 2
    AE 5.2 JAVA in NW 7.0 SP level 2
    Risk analysis for Access requests to ECC system is done without any issues and the connectors in AE are defined as well as CC 4.0 configuration for cross system is enabled.
    Please give your suggestions and also tell me if this below scenario is possible.
    Use CC 5.2 Java stand alone system and define logical/cross system to connect to multiple systems such as HR and SRM and use those specific rules to do the risk analysis.
    Thanks

    Hi RM,
    You can setup Risk Analysis inside AE Configuration.
    You can identify the level of risk analysis and specify the Compliance Calibrator version for processing risks.
    See the details from the AE Configuration Manual
    In the Select Compliance Calibrator Version pane, from the Version drop-down list, select the version of Compliance Calibrator.
    In the URI field, enter the appropriate URI address for the web services.
    In the User Name field, enter your User ID. Your User ID must have security access to web service.
    In the Password field, type your password.
    Select the Perform Org Rule Analysis option to perform org. rule analysis at risk analysis time.
    Note: There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, User Name, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address.
    If you select Compliance Calibrator 4.0, there is no need to connect to a URI address
    So the answer is YES, you can connect AE  5.2 with CC 4.0 for Risk Analysis.
    Hope this helps,
    Regards,
    Kiran Kandepalli.

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
    But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activities maintained at all. We have created the MSMP workflow where all CUP requests with risks should go to the Security Stage. Now we have the situation that even though our roles are clean, they are forwarded to the Security stage. It is a huge problem, because our security stage has now even more to do than before using GRC! Because the deactivated objects are identified as risks.
    Please advise me how to solve the problem. Did I miss some config parameters or is it a well known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro
