Offline & Online Risk Analysis
Hello experts,
What is Offline Risk Analysis and Online Risk Analysis in SAP GRC and which case are we using..? Please let us know the difference between both..?
Regards
Babu
Dear Babu,
offline means that the analysis is based on the last risk analysis (for example if you schedule once per day you will get this information in your report). Online means you are checking on-time in the systems (current situation) and system considers real time information. You can choose "Offline Data" in risk analysis screen to run with offline data.
With parameter 1027 you can enable or disable offline risk analysis.
Regards,
Alessandro
Similar Messages
-
Hello,
We are planning for Offline-Mode Risk Analysis. I read a few documents and links, but I couldn't find the method(Tcode) to extract data from the ERP system.
Could someone tell me the process to extratc the data from the ERP system?
Regards,
Gautam.Hi Gautam,
The fact is that the document doesn't contain the detailed steps to extract the data, but provides information on which data is required to perform offline mode risk analysis.
You may use the standard GRC programs to download the basic information:
/VIRSA_ZCC_DOWNLOAD_DESC - Static Text (Transaction, Field Descriptions, Organizational level, Object descroptions, and field value descriptions.
/VIRSA/ZCC_DOWNLOAD_SAPOBJ - SU24 data
If GRC is not configured in the box, then you have to look manually in the USR, USH, and AGR*, USORG, USOBT_C, USOBX_C tables. Extract the data and prepare the files manually.
I know it is a tedious and tough task. So the challenge is either to get GRC up or do all these tasks manually.
Last recommendation - Your comment in the article may help others too. Please spare time to leave it.
Regards,
Raghu -
ARA: Excluded Roles considered for Risk Analysis???
Hi,
There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
May I know why system is considering these "excluded" roles at the time of risk analysis?
Please advise.
Regards,
FaisalAlessanrdo,
I think the "excluded" objects in path:
SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
Please correct me, if required.
Secondly, I found 2 relevant posts here on SCN:
SAP GRC Access Control: Offline-Mode Risk Analysis
SAP GRC 10.0 Offline Risk Analysis
Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
May you please let me know in which scenario this would be useful?
Regards,
Faisal -
What are the components of Risk Analysis & Remediation (Compliance Calibrator)?
-- SOD online risk analysis
-- Mitigation of conflicts
-- Alert generation for conflicting tcodes executed
-- Management report of violation in concerned system
contact Reginal Implementation team of SAP, if you are planning to implement SAP GRC AC 5.3 in your organization.
regards,
Surpreet -
GRC Access Control 5.3 - RAR Risk Analysis in offline mode
Hi expert,
I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate User Action file the ABAP have a problem when try to get a COMPOSITE ROLE field for a Role that is asociate to many Composite role as the unique record consists of fields IDUSER, ROLE and ACTIONFROM . Someone know how we can solve this conflict?
Best Regards!I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how fill it when the Single Role belongs to multiple Composite Roles. This is because of the primary key, we can't make multiple records for each userid/role combination, each one with one different Composite Role, such as the following example:
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
Hope I explained myself. Thanks for your help. -
User risk analysis offline mode in RAR
Hello colleagues
We are in AC SP14 and trying to perform RA via risk analysis-> user level. When the offline analysis parameter is set to YES we don't receive results, when the offline analysis parameter is set to NO we receive results but they are partiialy in comparison the the results we receive for the same user in the management view -> user violation report.
So our question is:
1. Why the offline analysis=YES is not showing any data when all the prerequisites were performed (the background RAR sync/risk analysis/management view jobs are finished successfully and the configuration parameter of offline analysis is set to yes)?
2. Why the offline analysis=NO is not showing the same results as in the management view user violation report that was updated a just 10 minutes before?
We viewed notes number 1544338 and 1126251 and all is configured an maintained as needed.
Best Regards,
ShiraHi Saurabh,
Kindly check the below SAP notes.
SAP note 1731579-- RAR 5.3 BRA job fails after about 4% - 6% of completion
1727751 - Alert generation job fails with message "Error in Alert Generation
Hope this helps.
Best Regards,
Saksham -
Program batch risk analysis offline GRC AC 10.0
Hello consultant:
We have configurated GRC AC 10.0 RAR , when we executed risk analysis for Tx:NWBC , the system run analysis(foreground or background) correctly but when we executed analysis for Tx:SPRO->Governance Risk and compliance->Access control->Batch Risk Analysis , the system run two jobs E:GRAC_SOD and GRAC_SOD but the jobs run only 1 second and finished sucesffully but the system no run analysis.
Please could you help me?
Thank you very muchPlease check view details in NWBC.
or go to abap and select option and run it..
and u can monitor the same using
the tcode batch job for GRc monitor tcode dont remember u can check in guide.
there it can show details.
need tcodes and all ,please post
Regards,
Prasant -
No result /report when weu00B4re running a risk analysis in background
Dear forum,
We are running several risk analysis in background (from configuration tab) and we cannot see any result
in the column called "result". However, when we run a offline analysis (from informer tab) we can see that the column "result" is containing a file.
Hope you can help us.
Thanks in advance.Running risk analysis in background from the configuration tab does not produce a report by design. This background job is really just performing a system maintenence activity and is not intended for report generation. This background job preps data for performing offline analysis as well as the underlying data that supports the management reports in the informer tab (among other things). Generally, anything in the configuration tab is system maintenance related.
It sounds like you're attempting to perform typical analysis of end user access, not system maintenance activities. The informer tab is what you need to be using to perform the analysis.
Within the informer tab, whether you choose to perform online analysis or offline analysis, a report result is always generated. In my experience, there has not been a compelling reason to use offline analysis capabilities within the informer tab. Online analysis (real-time analysis of the SAP system rather than the offline data from the last configuration tab background risk analysis) is naturally always current, which is a plus. -
Q&A for Live Expert Session "Enhanced Risk Analysis on AC 10.0"
Hi,
Please find below the questions that we could not address during yesterdays sessions. If you have any further question please create a new discussion in the forum.
Thanks,
Luis
Q: Is it still possible to filter by user group using all rule sets at once?
A: Yes, in 10.0 you can combine as many conditions as needed. In this case you would select all rulesets that apply and also the user groups.
Q: Are user groups linked to users per system, or still as in 5.3 only the first system the user is found
A: In the user information screen only the user group from the details deta source will be shown.
Q:: Have there been any enhancements made to the simulation functionality?
A: Yes, the simulation allows to use multiple combination of fields like in the new risk analysis. We can do now simulation on Business Roles. Also a new UI providing a step-by-step process for defining the simulation criteria, allowing to easily simulate changes at action, role and profile level in a single run.
Q: Is it possible to restrict access to risk analysis or changing risks, functions on a organisational level for these employees (eg. HR, Marketing, Finance etc.)
A: You can restict access to specific componets using standard authorizations, please refer to the Security Guide. Also such changes can be subject to workflow which can be customized to specific approvers.
Q: How the offline risk analysis is done on 10.0?
A: The process is the same as in 5.3. A Batch Risk Analysis must be scheduled and the "Offline Data" flag in the risk analysis must be checked.Hi GRC Team,
Please help me on this. I am waiting for your replay.
Regards,
KR -
Risk Analysis for Third party ERP system
We want to perform offline risk analysis for third party ERP(SRM) system.... We have already GRC system installed with Global rule set for SAP ERP & want to have another ruleset for offline risk analysis.
Just would like to have a confirmation for below steps & estimated time for this.
Activities Need to be performed from Our side(Client) :-
1) Send the RAR format for Users/Roles/Actions & Permissions.
2) Cross Verify the format.
3) Create the connector for stored files.
4) Upload the files via Data Extraction utility.
5) Generate the ruleset for SRM(third party).
6) Schedule the various background jobs.
Activities Need to be Performed from Third Party - HUBWOO(Owns SRM ERP system) :-
1) Convert users/action/roles and permissions files to RAR format.
Activities need to be Performed from SAP :-
1) Provide the ruleset for HUBWOO SRM system.
Please let me know if I missed any step above & estimated time to complete from our end & did anyone has come across ruleset for HUBWOO system..?
Thanks in Advance!!Thanks all for your reply,
Alpesh, but still I have small concern here, when SAP provide the ruleset files, it also provides for Oracle, People soft & JDE ERP.
Though these are also third party ERP's for SAP...?
Does it mean that we can'task for ruleset for other third party ERP from SAP...? or does SAP Charge something for it..?
Thanks -
Has anyone noticed performance issues with the newer versions of Risk Analysis ?
I just upgraded from 8.5 to 8.6 and noticed a severe drop in graphical performance, such as rescaling the timescale, scrolling the Gantt chart etc.
Edited by: [email protected] on 2009-sep-18 05:29AMA,
As I remember, it was only an online download that I performed in 2009. Found at the Oracle/Primavera site.
My current version = 8.6.0018 -
In CC User Analysis, there is additional option to run analysis 'offline'. Can someone explain how is this achieved?
is there some programs which will download the data from SAP and then uploaded into CC ?
Please advise.
Cheers!Hello,
The 'programs' which download the data from SAP and upload CC are the background jobs 'User/Role/Profile Synchronization' and 'Batch Risk Analysis'(Configuration Tab --> Background Job --> Schedule Analysis).
It is 'mandatory' to perform a full synchro of these jobs at the CC implementation (and after an incremental synchro., periodically), these data, uploaded and stored into CC, will update Informer Management Views and keep CC synchronized with your SAP database in case of offline analysis.
You can have a look on OSS note n° 1034117, for more details.
Best Regards,
Catherine -
Risk analysis failed: Exception from the service : Invalid System
I'm trying to get the risk analysis performed for CUP requests. When I'm in the process of creating a request, and I add roles to the request and then click on the risk analysis button, I get the above error.
I checked the URI that I've included in the Risk Analysis section of the configuration and I believe it is correct:
http://<server>:<port>/VirsaCCRiskAnalysisService/Config1?wsdl&style=document
I've selected 5.3 web service, and I have provided a user ID that has admin rights.
What do you think is the reason this error is being thrown?
The error in the log is:
2009-11-19 15:04:31,821 [SAPEngine_Application_Thread[impl:3]_39] ERROR com.virsa.ae.core.BOException: Exception from the service : Invalid System
com.virsa.ae.core.BOException: Exception from the service : Invalid System
Thanks,
SantoshFrank,
Thanks for your response. I was thinking along these lines already and so I have tried to do as you suggest. However it didn't work and the log indicated that it didn't like my connector name (even though the connector name is now the same as in RAR).
Caused by: com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: Failed to resolve JCO destination name 'SANDBOX' in the SLD. No such JCO destination is defined in the SLD.
However, I looked at one of the online post installation checklists for CUP and I gathered that it might be necessary to have the JCo itself renamed at the backend to reflect the name used in RAR, and that should populate into my connector list within CUP (when you click on the magnifying glass).
I'm waiting to try that out, but I'm not sure about any secondary impact of making a change to the JCo name.
Let me know what you think about that move.
Thanks,
Santosh -
Ad hoc Risk Analysis report is returning incorrect Risk Level for some Risks
We are running GRC AC 10.0 with SP 16. After application of Support Pack 16, some of our ad hoc risk analysis reports are returning incorrect risk levels. For example: Risk F024 Open closed periods and inappropriately post currency or tax entries is set as High. When the Ad hoc report is run, the risk F024 will show on a user with a level of Medium. We have generated our ruleset and have followed the normal procedures used to implement the support pack. Any ideas what is causing this issue? I have exhausted my knowledge and search attempts.
Any help is appreciated.
Sara B.Hi Kevin
Many thanks for your post, we did run a full BRA but no luck unfortunately. Some Risks still reporting as Medium when they should be Critical or High. Oddly it is reporting correctly against some risks just not for all!
Cheers
Hussain -
Issue with risk analysis report in GRC10.0
Hi All,
We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
This report is not fetching all the data even though user has all the required authorizations.
We are getting the data when we execute the dashboard reports.
Any one has idea?
Cheers
HariAlessandro,
Thanks for the reply. I am aware of this.
Problem is when dash board report is showing the risk for the user but risk anaylsis report in Reports and Analytics is not showing the risks to that user.
As per our investigation, the risk data that is displaying in the risk anaylsis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also there is no issues from authorizations side.
Regards
Hari
Maybe you are looking for
-
Does anyone manged to call an asynch' WS from PL/SQL? I'm trying to call a bpel process and I get an error in the response, after the service was executed. thanks Riko
-
JSF:how to get value from dinamically generated HtmlInputText components�H�H
<h:panelGroup binding="#{dynamicInputGroupBean.group}"/> public HtmlPanelGroup getGroup() { if (this.getSelectedComp() == null) { return this.group; FacesContext facesContext = FacesContext.getCurrentInstance();
-
I sat up all night, last night, editing a movie for a school project which is due Friday. I am extremely busy, and as i opened the file this morning to show the progress to a partner, Premiere, told me "Premiere pro has encountered an error" - "[c:\M
-
How to use Web Serivce for not jsr 172 phone
Hi: Is anyone know, how to use web service for phones that only have standard J2ME package installed (without jsr 172 web service packagenstalled)? thank you
-
I received an email to ask for renew, I went to my skype account and click my number but there's no renew button or else the payment details are there, but why is skype threatening to remove my skype number when the renew option is not available?