Offline-Mode Risk Analysis

Hello,
We are planning for Offline-Mode Risk Analysis. I read a few documents and links, but I couldn't find the method (Tcode) to extract data from the ERP system.
Could someone tell me the process to extract the data from the ERP system?
Regards,
Gautam.

Hi Gautam,
The fact is that the document doesn't contain the detailed steps to extract the data, but provides information on which data is required to perform offline mode risk analysis.
You may use the standard GRC programs to download the basic information:
/VIRSA_ZCC_DOWNLOAD_DESC - Static Text (Transaction, Field Descriptions, Organizational level, Object descriptions, and field value descriptions)
/VIRSA/ZCC_DOWNLOAD_SAPOBJ - SU24 data
If GRC is not configured in the box, then you have to look manually in the USR, USH, and AGR*, USORG, USOBT_C, USOBX_C tables. Extract the data and prepare the files manually.
I know it is a tedious and tough task. So the challenge is either to get GRC up or do all these tasks manually.
Last recommendation - Your comment in the article may help others too. Please spare time to leave it.
Regards,
Raghu
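
What an analysis over manually prepared extract files amounts to, as an added example that is not part of the thread and not SAP's program: user-to-role and role-to-action rows are joined and checked against one risk made of two functions. The role names, the column layout and the rule are constructed for illustration; the GRC offline file format is not reproduced here.

```python
import csv
import io
from collections import defaultdict

# Constructed sample extracts (not real system data). The column layout is
# an assumption for this example, not the GRC offline file format.
USER_ROLES = """user,role
ALICE,Z_AP_CLERK
ALICE,Z_VENDOR_MAINT
BOB,Z_AP_CLERK
CAROL,Z_AP_ALL
"""
ROLE_ACTIONS = """role,action
Z_AP_CLERK,FB60
Z_VENDOR_MAINT,XK01
Z_AP_ALL,FB60
Z_AP_ALL,XK01
"""
# Constructed rule set: a function is a set of actions (transactions),
# a risk is a pair of functions that one user should not hold together.
FUNCTIONS = {"F_INVOICE": {"FB60"}, "F_VENDOR": {"XK01", "XK02"}}
RISKS = {"R001": ("F_INVOICE", "F_VENDOR")}


def load_pairs(text, key, value):
    """Read a two-column CSV extract into {key: set(values)}."""
    out = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        out[row[key].strip().upper()].add(row[value].strip().upper())
    return out


def analyse(user_roles_csv, role_actions_csv, functions, risks):
    """Return {user: {risk_id: {function: [(action, role), ...]}}}."""
    user_roles = load_pairs(user_roles_csv, "user", "role")
    role_actions = load_pairs(role_actions_csv, "role", "action")
    findings = {}
    for user, roles in user_roles.items():
        # Map every action the user holds to the roles that grant it,
        # so a finding can name the roles to change.
        granted = defaultdict(set)
        for role in roles:
            for action in role_actions.get(role, ()):
                granted[action].add(role)
        for risk_id, funcs in risks.items():
            hits = {}
            for func in funcs:
                hits[func] = sorted(
                    (action, role)
                    for action in functions[func] & set(granted)
                    for role in granted[action]
                )
            # A violation needs at least one action from every function.
            if all(hits.values()):
                findings.setdefault(user, {})[risk_id] = hits
    return findings


if __name__ == "__main__":
    result = analyse(USER_ROLES, ROLE_ACTIONS, FUNCTIONS, RISKS)
    for user, found in sorted(result.items()):
        for risk_id, hits in found.items():
            print(user, risk_id, hits)
```

ALICE is flagged through the combination of two roles, CAROL through a single role that carries both functions, which is the difference between a user-level and a role-level finding.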

Similar Messages

  • Offline & Online Risk Analysis

    Hello experts,
    What is Offline Risk Analysis and Online Risk Analysis in SAP GRC and which case are we using..?  Please let us know the difference between both..?
    Regards
    Babu

    Dear Babu,
    offline means that the analysis is based on the last risk analysis (for example if you schedule once per day you will get this information in your report). Online means you are checking on-time in the systems (current situation) and system considers real time information. You can choose "Offline Data" in risk analysis screen to run with offline data.
    With parameter 1027 you can enable or disable offline risk analysis.
    Regards,
    Alessandro

  • ARA: Excluded Roles considered for Risk Analysis???

    Hi,
    There are certain roles which are to be excluded from risk analysis for some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
    Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
    I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that those roles which are maintained as "Excluded" are shown in the risk analysis report as violating!
    Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk analysis, but with no luck.
    Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
    May I know why system is considering these "excluded" roles at the time of risk analysis?
    Please advise.
    Regards,
    Faisal

    Alessandro,
    I think the "excluded" objects in path:
    SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
    itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
    I don't think that the objects maintained in above path will have any importance while performing Risk Analysis from (NWBC->AM->Roles Analysis) and will NOT be considered.
    Please correct me, if required.
    Secondly, I found 2 relevant posts here on SCN:
    SAP GRC Access Control: Offline-Mode Risk Analysis
    SAP GRC 10.0 Offline Risk Analysis
    Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
    I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
    Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
    May you please let me know in which scenario this would be useful?
    Regards,
    Faisal

  • GRC Access Control 5.3 - RAR Risk Analysis in offline mode

    Hi expert,
    I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate the User Action file, the ABAP has a problem when trying to get the COMPOSITE ROLE field for a role that is associated with many composite roles, as the unique record consists of fields IDUSER, ROLE and ACTIONFROM. Does someone know how we can solve this conflict?
    Best Regards!

    I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how to fill it when the Single Role belongs to multiple Composite Roles. This is because of the primary key: we can't make multiple records for each userid/role combination, each one with one different Composite Role, such as the following example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
    Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
    Hope I explained myself. Thanks for your help.

  • User risk analysis offline mode in RAR

    Hello colleagues
    We are in AC SP14 and trying to perform RA via risk analysis -> user level. When the offline analysis parameter is set to YES we don't receive results; when the offline analysis parameter is set to NO we receive results, but they are partial in comparison to the results we receive for the same user in the management view -> user violation report.
    So our question is:
    1.     Why the offline analysis=YES is not showing any data when all the prerequisites were performed (the background RAR sync/risk analysis/management view jobs are finished successfully and the configuration parameter of offline analysis is set to yes)?
    2.     Why the offline analysis=NO is not showing the same results as in the management view user violation report that was updated just 10 minutes before?
    We viewed notes number 1544338 and 1126251 and all is configured and maintained as needed.
    Best Regards,
    Shira

    Hi Saurabh,
    Kindly check the below SAP notes.
    SAP note 1731579 - RAR 5.3 BRA job fails after about 4% - 6% of completion
    SAP note 1727751 - Alert generation job fails with message "Error in Alert Generation"
    Hope this helps.
    Best Regards,
    Saksham

  • Error while executing Batch Risk Analysis job in full sync mode

    Hi Gurus,
    I am getting following error while executing Batch Risk Analysis job in full sync mode for the first time, please help me out.
    May 12, 2011 3:57:26 AM com.virsa.cc.multi.node.dao.NodeDAO deleteMTGenObjTable
    INFO: In deleteMTGenObjTable() deleting from VIRSA_CC_MTGENOBJ for jobid = 100
    May 12, 2011 3:59:53 AM com.virsa.cc.multi.node.dao.NodeDAO deleteMTGenObjTable
    INFO: In deleteMTGenObjTable() deleting from VIRSA_CC_MTGENOBJ for jobid = 100
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchSyncAndAnalysis
    INFO: --- Batch Sync/Analysis/Mgmt Report completed ---  elapsed time: 104907817 ms
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 100 Status: Error
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    2@@Msg is Error Job not completed
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=100, status=2, message=Error Job not completed
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>100----
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: Daemon idle time longer than RFC time out, terminating daemon [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0
    May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob start
    INFO: Analysis Daemon ID [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0 terminiated
    May 12, 2011 4:00:35 AM com.virsa.cc.xsys.bg.AnalysisDaemonThread run
    FINEST: Analysis Daemon Thread: Invoking (HTTP): http://10.66.218.68:52100/webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?daemonId=[211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/.&threadId=0&daemonType=BG
    May 12, 2011 4:01:36 AM com.virsa.cc.xsys.bg.AnalysisDaemonThread run
    FINEST: Analysis Daemon Thread: Invoking (HTTP): http://10.66.218.68:52100/webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?daemonId=[211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/.&threadId=0&daemonType=BG
    May 12, 2011 4:02:37 AM com.virsa.cc.xsys.bg.AnalysisDaemonThread run
    FINEST: Analysis Daemon Thread: Invoking (HTTP): http://10.66.218.68:52100/webdynpro/dispatcher/sap.com/grc~ccappcomp/BgJobStart?daemonId=[211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/.&threadId=0&daemonType=BG
    May 12, 2011 4:02:37 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob start
    INFO: Analysis Daemon ID [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0 started
    May 12, 2011 4:02:38 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob start
    FINEST: Another Analysis Daemon ID [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0 is already running

    Hi,
    Maybe it worked in your case. How are the job names going to affect the execution of the job? The issue is purely because of RFC timeout (as per the logs). I recommend changing the parameter in the configuration tab as recommended by Sunny in the previous thread.
    Regards,
    Raghu
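
A triage pass over the job log posted in this thread, as an added example that is not part of the original posts or of SAP's tooling: it parses the two-line log records and pulls out the failed job, the daemon terminated on RFC timeout, and the reported run time. The function names are hypothetical; the sample is an excerpt of the log above.

```python
import re
from datetime import datetime

# Excerpt of the job log posted above (unchanged apart from indentation).
SAMPLE_LOG = """\
May 12, 2011 3:59:53 AM com.virsa.cc.multi.node.dao.NodeDAO deleteMTGenObjTable
INFO: In deleteMTGenObjTable() deleting from VIRSA_CC_MTGENOBJ for jobid = 100
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchSyncAndAnalysis
INFO: --- Batch Sync/Analysis/Mgmt Report completed ---  elapsed time: 104907817 ms
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 100 Status: Error
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
INFO: -
Background Job History: job id=100, status=2, message=Error Job not completed
May 12, 2011 3:59:53 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
INFO: Daemon idle time longer than RFC time out, terminating daemon [211288050]/usr/sap/DAC/JC21/j2ee/cluster/server0/. Thread ID 0
"""

# Header line: "<Mon d, yyyy h:mm:ss AM|PM> <class> <method>"
HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
# Message line: "<LEVEL>: <text>", possibly continued on following lines
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINEST|FINER|FINE):\s*(.*)$", re.S)


def parse_records(text):
    """Split header + 'LEVEL: message' pairs into records.
    Lines without a new header are treated as message continuations."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"time": datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p"),
                       "source": m.group(2), "method": m.group(3), "body": []}
            records.append(current)
        elif current is not None and line:
            current["body"].append(line)
    for rec in records:
        body = "\n".join(rec.pop("body"))
        m = LEVEL.match(body)
        rec["level"], rec["message"] = m.groups() if m else (None, body)
    return records


def triage(text):
    """Summarise failed jobs, RFC-timeout daemon terminations and run time."""
    out = {"failed_jobs": [], "rfc_timeout_daemons": [], "elapsed_hours": None}
    for rec in parse_records(text):
        msg = rec["message"]
        if (m := re.search(r"Job ID: (\d+) Status: Error", msg)):
            out["failed_jobs"].append((m.group(1), rec["time"]))
        if (m := re.search(r"RFC time out, terminating daemon \[(\d+)\]", msg)):
            out["rfc_timeout_daemons"].append((m.group(1), rec["time"]))
        if (m := re.search(r"elapsed time: (\d+) ms", msg)):
            # The log reports milliseconds; hours are easier to judge
            out["elapsed_hours"] = round(int(m.group(1)) / 3_600_000, 1)
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this reports job 100 in status Error, daemon 211288050 terminated on RFC timeout in the same second, and an elapsed time of about 29 hours.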

  • RAR Risk Analysis Issue in Background Mode - "Failed to Display Result"

    Hi,
    I have strange problem in RAR.
    When I run risk analysis for 20 users in background mode, the job got successful but the spool file is empty. But at the bottom of page there is a message:  "Failed to Display Result".
    The Job log is showing the following message couple of times:
    WARNING: ./virsa/bgJobSpool/19.i (No such file or directory)
    java.io.FileNotFoundException: ./virsa/bgJobSpool/19.i (No such file or directory)
         at java.io.FileInputStream.open(Native Method)
         at java.io.FileInputStream.<init>(FileInputStream.java:129)
         at java.io.FileInputStream.<init>(FileInputStream.java:89)
         at java.io.FileReader.<init>(FileReader.java:62)
    But when I try to run for few users (like 6 members where selection criteria is AUDIT*) in same way, the spool details got displayed this time. But the log is showing strange error messages this time:
    Nov 15, 2010 3:53:53 PM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthForUserInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
    Nov 15, 2010 3:53:55 PM com.virsa.cc.dataextractor.bo.DataExtractorSAP getObjPermissions
    FINEST: getObjPermissions: elapsed time=1436ms
    Nov 15, 2010 3:53:55 PM com.virsa.cc.common.message.util.MessagingHelper getMessage
    INFO:
    ********msg: 'com.virsa.cc.common.message.dao.dto.MessageDTO@34d834d8'
    Any ideas please?

    Hi Alpesh,
    You are correct. The issue is due to multi node environment.
    But when I tried to define a custom spool folder path: usr/sap/<SID>/<Instance No>/log/virsa/bgJobSpool (in RAR - Miscellaneous - spool files location for background jobs) & run the risk analysis report in background mode, still RAR is saving the spool files in default location only.
    Can you suggest me if I am wrongly defining the location of folder?
    Should we define the complete location of the folder, i.e. starting with drive letter, or is a path starting with user/* sufficient?
    Regards,
    Dasarad

  • Program batch risk analysis offline GRC AC 10.0

    Hello consultant:
    We have configured GRC AC 10.0 RAR. When we executed risk analysis from Tx:NWBC, the system ran the analysis (foreground or background) correctly, but when we executed the analysis from Tx:SPRO->Governance Risk and compliance->Access control->Batch Risk Analysis, the system ran two jobs, E:GRAC_SOD and GRAC_SOD, but the jobs ran for only 1 second and finished successfully, and the system did not run the analysis.
    Please could you help me?
    Thank you very much

    Please check view details in NWBC,
    or go to ABAP, select the option and run it.
    You can monitor the same using
    the batch job monitor tcode for GRC. I don't remember the tcode; you can check in the guide.
    There it can show details.
    Need tcodes and all, please post.
    Regards,
    Prasant

  • Batch Risk Analysis in Full Sync mode with special user groups not working

    Dear All,
    We start the Batch Risk Analysis job in Full Sync with special user groups (use Range). In the job log I can see that it selects fewer users than in jobs before. But after all is finished (also the management job), when I go to Informer, it also shows me the user groups I have not analysed in the background job... It also shows me in the detailed analysis the date from a run before... And we have deactivated some risks - these are still in the analysis.
    Does someone have information for me about what is wrong here?
    Best Regards
    Gabriele Herr

    too old..

  • No result/report when we're running a risk analysis in background

    Dear forum,
    We are running several risk analyses in background (from configuration tab) and we cannot see any result
    in the column called "result". However, when we run an offline analysis (from informer tab) we can see that the column "result" is containing a file.
    Hope you can help us.
    Thanks in advance.

    Running risk analysis in background from the configuration tab does not produce a report by design.  This background job is really just performing a system maintenance activity and is not intended for report generation.  This background job preps data for performing offline analysis as well as the underlying data that supports the management reports in the informer tab (among other things).  Generally, anything in the configuration tab is system maintenance related.
    It sounds like you're attempting to perform typical analysis of end user access, not system maintenance activities.  The informer tab is what you need to be using to perform the analysis.
    Within the informer tab, whether you choose to perform online analysis or offline analysis, a report result is always generated.  In my experience, there has not been a compelling reason to use offline analysis capabilities within the informer tab.  Online analysis (real-time analysis of the SAP system rather than the offline data from the last configuration tab background risk analysis) is naturally always current, which is a plus.

  • GRC AC 10 - risk analysis : No rules were selected

    Hi,
    In GRC AC 10, when I do a risk analysis (user level for example).
    For each userid the result shown in the column action is "No rules were selected "
    any idea ?
    Thanks
    Aurélien.

    Hi Vikas,
    Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
    3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
    I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
    1. SAP Basis
    2. SAP CRM
    3. SAP ECCS
    4. SAP HR
    5. SAP R3 NON HR Basis Logical Group
    6. SAP R3
    7. Logical Group
    AND ALSO
    8. The DESCRIPTION of my RFC Connector ?!
    Now my question is as follows:
    1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
    2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
    Your advice would be appreciated.
    Best regards,
    Paul

  • Q&A for Live Expert Session "Enhanced Risk Analysis on AC 10.0"

    Hi,
    Please find below the questions that we could not address during yesterday's sessions. If you have any further question please create a new discussion in the forum.
    Thanks,
    Luis
    Q: Is it still possible to filter by user group using all rule sets at once?
    A: Yes, in 10.0 you can combine as many conditions as needed. In this case you would select all rulesets that apply and also the user groups.
    Q: Are user groups linked to users per system, or still as in 5.3 only the first system the user is found?
    A: In the user information screen only the user group from the details data source will be shown.
    Q: Have there been any enhancements made to the simulation functionality?
    A: Yes, the simulation allows to use multiple combination of fields like in the new risk analysis. We can do now simulation on Business Roles. Also a new UI providing a step-by-step process for defining the simulation criteria, allowing to easily simulate changes at action, role and profile level in a single run.
    Q: Is it possible to restrict access to risk analysis or changing risks, functions on a organisational level for these employees (eg. HR, Marketing, Finance etc.)?
    A: You can restrict access to specific components using standard authorizations, please refer to the Security Guide. Also such changes can be subject to workflow which can be customized to specific approvers.
    Q: How the offline risk analysis is done on 10.0?
    A: The process is the same as in 5.3. A Batch Risk Analysis must be scheduled and the "Offline Data" flag in the risk analysis must be checked.

    Hi GRC Team,
    Please help me on this. I am waiting for your reply.
    Regards,
    KR

  • Running Risk Analysis

    Hi Folks,
    I have installed CC 5.2 and rulesets for ECC are uploaded. Now, when I want to run risk analysis for User/Role from Informer, I don't see any user id from the Backend system in User/Role option. I have checked everything,
    SLD is working fine
    JCo connectors are fine.
    RFC destination defined.
    Can someone help me in identifying problem?
    Thanks in anticipation.
    Regards,
    Priyank.

    Hi Priyanka,
    If you have successfully installed Virsa CC5.2 and uploaded Objects and Rules, then please follow the following procedure:
    1) Go to Configuration Tab->Background Job
    2) Click on "Schedule Analysis"
    3) In first Pane i.e. Sync Mode select Full Sync
    4) Select *User/Role/Profile Synchronization
    5) Select the system for put ***
    6) Don't select any other thing.
    7)click on Schedule
    8)Give a Valid name to this report.
    9)Click on Immediate
    Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
    click on search
    If completed successfully, then  go to step 1 as above.
    This time select  All Check Boxes  under Batch Risk Analysis Pane and then select  Management Report check box in the last pane.
    Then schedule the job. After that only you'll be able to see the results in Informer Tab
    Reward  Points if it is useful
    Regards,
    Faisal

  • Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

    I am configuring ARA 10.1 for an ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG. I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users. GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please consider it urgent.

    Hi,
    Assign ECC connector to SAP_ECCS_LG group.
    Run the programs (GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_REPOSITORY_OBJECT_SYNC) in full sync mode (this might take time so better do this in background). Better do it sequentially. Check the logs of the jobs in SLG1 just to ensure everything's fine.
    Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks. Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
    Then run ARA and while doing so please ensure the selection screen doesn't have any unwanted default inputs. If followed correctly, this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
    Regards,
    Vivek

  • Risk Analysis Button Grayed Out

    Hello All,
    We upgraded to SP15 on GRC10.0 and Run Risk Analysis button is grayed out while trying to look at risk violations for change request approval. Any ideas? It was working previously.

    Hi Bhanu,
    thanks for your message, but please let us discuss this topic here so that others can also bring in some ideas.
    Go to SE80 and open Package GRAC_ACCESS_REQUEST. You'll find the GRAC_OIF_REQUEST_APPROVAL in the web dynpro applications. Right click and Change.
    In the browser you add the following string to the link: &SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<request id>
    Replace <request id> with a valid request ID from your system (SE16 > GRACREQ).
    You will now be able to see the access request approval screen. Check in the Risk Violation tab if the button is deactivated. You can right click and go to Settings for Current Configuration.
    Hope this helps to fix the issue. Please keep us updated.
    Regards,
    Alessandro
