Offline-Mode Risk Analysis
Hello,
We are planning for Offline-Mode Risk Analysis. I read a few documents and links, but I couldn't find the method(Tcode) to extract data from the ERP system.
Could someone tell me the process to extratc the data from the ERP system?
Regards,
Gautam.
Hi Gautam,
The fact is that the document doesn't contain the detailed steps to extract the data, but provides information on which data is required to perform offline mode risk analysis.
You may use the standard GRC programs to download the basic information:
/VIRSA_ZCC_DOWNLOAD_DESC - Static Text (Transaction, Field Descriptions, Organizational level, Object descroptions, and field value descriptions.
/VIRSA/ZCC_DOWNLOAD_SAPOBJ - SU24 data
If GRC is not configured in the box, then you have to look manually in the USR, USH, and AGR*, USORG, USOBT_C, USOBX_C tables. Extract the data and prepare the files manually.
I know it is a tedious and tough task. So the challenge is either to get GRC up or do all these tasks manually.
Last recommendation - Your comment in the article may help others too. Please spare time to leave it.
Regards,
Raghu
Similar Messages
-
Offline & Online Risk Analysis
Hello experts,
What is Offline Risk Analysis and Online Risk Analysis in SAP GRC and which case are we using..? Please let us know the difference between both..?
Regards
BabuDear Babu,
offline means that the analysis is based on the last risk analysis (for example if you schedule once per day you will get this information in your report). Online means you are checking on-time in the systems (current situation) and system considers real time information. You can choose "Offline Data" in risk analysis screen to run with offline data.
With parameter 1027 you can enable or disable offline risk analysis.
Regards,
Alessandro -
ARA: Excluded Roles considered for Risk Analysis???
Hi,
There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
May I know why system is considering these "excluded" roles at the time of risk analysis?
Please advise.
Regards,
FaisalAlessanrdo,
I think the "excluded" objects in path:
SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
Please correct me, if required.
Secondly, I found 2 relevant posts here on SCN:
SAP GRC Access Control: Offline-Mode Risk Analysis
SAP GRC 10.0 Offline Risk Analysis
Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
May you please let me know in which scenario this would be useful?
Regards,
Faisal -
GRC Access Control 5.3 - RAR Risk Analysis in offline mode
Hi expert,
I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate User Action file the ABAP have a problem when try to get a COMPOSITE ROLE field for a Role that is asociate to many Composite role as the unique record consists of fields IDUSER, ROLE and ACTIONFROM . Someone know how we can solve this conflict?
Best Regards!I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how fill it when the Single Role belongs to multiple Composite Roles. This is because of the primary key, we can't make multiple records for each userid/role combination, each one with one different Composite Role, such as the following example:
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
Hope I explained myself. Thanks for your help. -
User risk analysis offline mode in RAR
Hello colleagues
We are in AC SP14 and trying to perform RA via risk analysis-> user level. When the offline analysis parameter is set to YES we don't receive results, when the offline analysis parameter is set to NO we receive results but they are partiialy in comparison the the results we receive for the same user in the management view -> user violation report.
So our question is:
1. Why the offline analysis=YES is not showing any data when all the prerequisites were performed (the background RAR sync/risk analysis/management view jobs are finished successfully and the configuration parameter of offline analysis is set to yes)?
2. Why the offline analysis=NO is not showing the same results as in the management view user violation report that was updated a just 10 minutes before?
We viewed notes number 1544338 and 1126251 and all is configured an maintained as needed.
Best Regards,
ShiraHi Saurabh,
Kindly check the below SAP notes.
SAP note 1731579-- RAR 5.3 BRA job fails after about 4% - 6% of completion
1727751 - Alert generation job fails with message "Error in Alert Generation
Hope this helps.
Best Regards,
Saksham -
Error while executing Batch Risk Analysis job in full sync mode
Hi Gurus,
I am getting following error while executing Batch Risk Analysis job in full sync mode for the first time, please help me out.
May 12, 2011 3:57:26 AM com.virsa.cc.multi.node.dao.NodeDAO deleteMTGenObjTable
INFO: In deleteMTGenObjTable() deleting from VIRSA_CC_MTGENOBJ for jobid = 100
May 12, 2011 3:59:53 AM com.virsa.cc.multi.node.dao.NodeDAO deleteMTGenObjTable
INFO: In deleteMTGenObjTable() deleting from VIRSA_CC_MTGENOBJ for jobid = 100
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchSyncAndAnalysis
INFO: --- Batch Sync/Analysis/Mgmt Report completed --- elapsed time: 104907817 ms
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 100 Status: Error
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
FINEST: --- @@@@@@@@@@@ Updating the Job History -
2@@Msg is Error Job not completed
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
INFO: -
Background Job History: job id=100, status=2, message=Error Job not completed
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
INFO: -
Complted Job =>100----
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
INFO: Daemon idle time longer than RFC time out, terminating daemon [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob start
INFO: Analysis Daemon ID [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0 terminiated
May 12, 2011 4:00:35 AM com.virsa.cc.xsys.bg.AnalysisDaemonThread run
FINEST: Analysis Daemon Thread: Invoking (HTTP): http://10.66.218.68:52100/webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?daemonId=[211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/.&threadId=0&daemonType=BG
May 12, 2011 4:01:36 AM com.virsa.cc.xsys.bg.AnalysisDaemonThread run
FINEST: Analysis Daemon Thread: Invoking (HTTP): http://10.66.218.68:52100/webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?daemonId=[211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/.&threadId=0&daemonType=BG
May 12, 2011 4:02:37 AM com.virsa.cc.xsys.bg.AnalysisDaemonThread run
FINEST: Analysis Daemon Thread: Invoking (HTTP): http://10.66.218.68:52100/webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?daemonId=[211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/.&threadId=0&daemonType=BG
May 12, 2011 4:02:37 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob start
INFO: Analysis Daemon ID [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0 started
May 12, 2011 4:02:38 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob start
FINEST: Another Analysis Daemon ID [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0 is already runningHi,
May be it worked in your case How the job names going to affect the execution of the job. The issue is purely because of RFC timeout (As per the logs). I recommend to change the parameter in the configuration tab as recommended by Sunny in the previous thread.
Regards,
Raghu -
RAR Risk Analysis Issue in Background Mode - "Failed to Display Result"
Hi,
I have strange problem in RAR.
When I run risk analysis for 20 users in background mode, the job got successful but the spool file is empty. But at the bottom of page there is a message: "Failed to Display Result".
The Job log is showing the following message couple of times:
WARNING: ./virsa/bgJobSpool/19.i (No such file or directory)
java.io.FileNotFoundException: ./virsa/bgJobSpool/19.i (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:129)
at java.io.FileInputStream.<init>(FileInputStream.java:89)
at java.io.FileReader.<init>(FileReader.java:62)
But When I try to run for few users (like 6 memebrs where selection criteria is AUDIT*) in same way, the spool details got displayed this time. But the log is showing strange error messages this time:
Nov 15, 2010 3:53:53 PM com.virsa.cc.common.util.ExceptionUtil logError
SEVERE: null
java.lang.NullPointerException
at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthForUserInputElement.wdGetObject(IPublicBackendAccessInterface.java)
at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
Nov 15, 2010 3:53:55 PM com.virsa.cc.dataextractor.bo.DataExtractorSAP getObjPermissions
FINEST: getObjPermissions: elapsed time=1436ms
Nov 15, 2010 3:53:55 PM com.virsa.cc.common.message.util.MessagingHelper getMessage
INFO:
********msg: 'com.virsa.cc.common.message.dao.dto.MessageDTO@34d834d8'
Any ideas please?Hi Alpesh,
You are correct. The issue is due to multi node environment.
But when I tried to define a custom spool folder path: usr/sap/<SID>/<Instance No>/log/virsa/bgJobSpool (in RAR - Miscellaneous - spool files location for background jobs) & run the risk analysis report in background mode, still RAR is saving the spool files in default location only.
Can you suggest me if I am wrongly defining the location of folder?
Should we define the complete location of the folder i.e starting with drive letter or path starting with user/* is sufficient?
Regards,
Dasarad -
Program batch risk analysis offline GRC AC 10.0
Hello consultant:
We have configurated GRC AC 10.0 RAR , when we executed risk analysis for Tx:NWBC , the system run analysis(foreground or background) correctly but when we executed analysis for Tx:SPRO->Governance Risk and compliance->Access control->Batch Risk Analysis , the system run two jobs E:GRAC_SOD and GRAC_SOD but the jobs run only 1 second and finished sucesffully but the system no run analysis.
Please could you help me?
Thank you very muchPlease check view details in NWBC.
or go to abap and select option and run it..
and u can monitor the same using
the tcode batch job for GRc monitor tcode dont remember u can check in guide.
there it can show details.
need tcodes and all ,please post
Regards,
Prasant -
Batch Risk Analysis in Full Sync mode with special user groups not working
Dear All,
we start Batch Risk Analyse Job in Full Sync with special User groups (use Range). In the Joblog I can see, that he selecet lesser users as in jobs before. But after all is finished (also managment job) when I go in Informer, he shows me also this user groups I have no analysed in Backgroudjob... Also he shows me in the detailed anlayse the date from a run before.. And we have deactivated some Risk - these are still in the analysis.
Have some one a information for me what here is wrong..
Best Regards
Gabriele Herrto old..
-
No result /report when weu00B4re running a risk analysis in background
Dear forum,
We are running several risk analysis in background (from configuration tab) and we cannot see any result
in the column called "result". However, when we run a offline analysis (from informer tab) we can see that the column "result" is containing a file.
Hope you can help us.
Thanks in advance.Running risk analysis in background from the configuration tab does not produce a report by design. This background job is really just performing a system maintenence activity and is not intended for report generation. This background job preps data for performing offline analysis as well as the underlying data that supports the management reports in the informer tab (among other things). Generally, anything in the configuration tab is system maintenance related.
It sounds like you're attempting to perform typical analysis of end user access, not system maintenance activities. The informer tab is what you need to be using to perform the analysis.
Within the informer tab, whether you choose to perform online analysis or offline analysis, a report result is always generated. In my experience, there has not been a compelling reason to use offline analysis capabilities within the informer tab. Online analysis (real-time analysis of the SAP system rather than the offline data from the last configuration tab background risk analysis) is naturally always current, which is a plus. -
GRC AC 10 - risk analysis : No rules were selected
Hi,
In GRC AC 10, when I do a risk analysis (user level for example).
For each userid the result shown in the column action is "No rules were selected "
any idea ?
Thanks
Aurélien.Hi Vikas,
Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
1. SAP Basis
2. SAP CRM
3. SAP ECCS
4. SAP HR
5. SAP R3 NON HR Basis Logical Group
6. SAP R3
7. Logical Group
AND ALSO
8. The DESCRIPTION of my RFC Connector ?!
Now my question is as follows:
1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
Your advice would be appreciated.
Best regards,
Paul -
Q&A for Live Expert Session "Enhanced Risk Analysis on AC 10.0"
Hi,
Please find below the questions that we could not address during yesterdays sessions. If you have any further question please create a new discussion in the forum.
Thanks,
Luis
Q: Is it still possible to filter by user group using all rule sets at once?
A: Yes, in 10.0 you can combine as many conditions as needed. In this case you would select all rulesets that apply and also the user groups.
Q: Are user groups linked to users per system, or still as in 5.3 only the first system the user is found
A: In the user information screen only the user group from the details deta source will be shown.
Q:: Have there been any enhancements made to the simulation functionality?
A: Yes, the simulation allows to use multiple combination of fields like in the new risk analysis. We can do now simulation on Business Roles. Also a new UI providing a step-by-step process for defining the simulation criteria, allowing to easily simulate changes at action, role and profile level in a single run.
Q: Is it possible to restrict access to risk analysis or changing risks, functions on a organisational level for these employees (eg. HR, Marketing, Finance etc.)
A: You can restict access to specific componets using standard authorizations, please refer to the Security Guide. Also such changes can be subject to workflow which can be customized to specific approvers.
Q: How the offline risk analysis is done on 10.0?
A: The process is the same as in 5.3. A Batch Risk Analysis must be scheduled and the "Offline Data" flag in the risk analysis must be checked.Hi GRC Team,
Please help me on this. I am waiting for your replay.
Regards,
KR -
Hi Folks,
I have installed CC 5.2 and ruleset to ECC are uploaded. Now, when i want to run risk analysis for User/Role from Informer. I dont see any user id from Backend system in User/Role option. I have checked everything,
SLD is working ine
JCo connectors are fine.
RFC destination defined.
Can someone help me in identifying problem?
Thanks in acticipation.
Regards,
Priyank.Hi Priyanka,
If you have successfully installed Virsa CC5.2 and uploaded Objects ans Rules, the plz follow the following procedure:
1) Go to Configuration Tab->Background Job
2)Click on "Schedule Analysis"
3) In first Pane i.e. Sync Mode select Full Sync
4)Select *User/Role/Profile Synchronization
5)Select the system for put ***
6)Dont select any other thing.
7)click on Schedule
8)Give a Valid name to this report.
9)Click on Immediate
Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
click on search
If completed successfully, then go to step 1 as above.
This time select All Check Boxes under Batch Risk Analysis Pane and then select Management Report check box in the last pane.
Then schedule the job. After that only you'll be able to see the results in Informer Tab
Reward Points if it is useful
Regards,
Faisal -
I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please consider it urgent.
Hi,
Assign ECC connector to SAP_ECCS_LG group.
Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help. I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
Regards,
Vivek -
Risk Analysis Button Grayed Out
Hello All,
we upgraded to SP15 on GRC10.0 and Run Risk Analysis button is grayed out while trying to look at risk violations for chnage request approval. Any ideas? It was working previously.Hi Bhanu,
thanks for your message, but please let us discuss this topic here so that others can also bring in some ideas.
Go to SE80 and open Package GRAC_ACCESS_REQUEST. You'll find the GRAC_OIF_REQUEST_APPROVAL in the web dynpro applications. Right click and Change.
In the browser you add the following string to the link: &SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<request id>
Replace <request id> with a valid request ID from your system (SE16 > GRACREQ).
You will now be able to see the access request approval screen. Check in the Risk Violation tab if the button is deactivated. You can right click and go to Settings for Current Configuration.
Hope this helps to fix the issue. Please keep us updated.
Regards,
Alessandro
Maybe you are looking for
-
Separating two phones on one iTunes account
My wife and I have iPhone 4s. During the back up, we have encountered a problem with cross mingling our contacts, apps, etc. Ideally, I would like to create a separate iTunes account for her so our phone info doesn't get merged. If I create an accoun
-
Any website I try to visit using Firefox won't load, it just keeps saying that it is unable to connect. I tried other web browsers, and they work no problem. I tried following the proxy steps provided, but did not help.
-
Suddenly I can't iMessage or use face time, I get an error message
CCan't use iMessage or FaceTime suddenly on ipad 4. I'm all updated to newest iOS as they suggested and still can't use ut
-
Clipping paths inverting in CS3
I see that this has been discussed previously, (http://www.adobeforums.com/webx/.3c05af0b/12) but the topic is now archived so I wondered if there are any new thoughts on the matter. Images with clipping paths that work perfectly in CS and CS2 are co
-
Ps 3d and filters and save for web are not working the way they should
At work we just put cs6 on a w7 machine running 64 bit which has more than that required mem and or ram to run cs6 - unfortunately I have to use a windows based machine at work (cheapskates). Anyways. I see the 3d menus and the filter menu in PS but