RAR 5.3 Alerts

Similar Messages

• Generating RAR Alerts for just certain user groups

  Is there any way to limit a RAR Critical Actions Alert to just certain users?  Or, only if these users access certain data?
  We've had a request to monitor and send out a notification for some transactions, but only for certain users.  These transactions are available to many employees, but it is only a concern if someone from a certain group uses them.  Even then, it's only a concern if they access certain data.
  As an example (this is not the actual request), you have a transaction like say XD 03 (Customer Display) and its available to most everyone in the company.  You also have customers assigned to different company codes.  The issue then is that you have a certain group of users that are only supposed to look at customers for just one specific company code.  Ideally, you would want to be notified if they use this transaction to look at customers for other company codes.  At the very least, you want to know when they use this transaction so you would know to check on their usage.
  If this can't be done using the RAR Alerts, is there maybe another way to perform this montoring/notification?
  Thanks.

  Hi Bob,
  GRC RAR would not help you in this case. However you can restrict the Users through Roles which are assigned to them.
  For example : for tcode XD03 check maintain the authorization object F_KNA1_BUK with Activity 03 and Company code 1000 (depending upon your requirement). Assign the Role to User who require the access to view the Customers for the company 1000.
  Hopefully this may meet your expectations.
  Regards,
  Nikita Sharma.

• Conflicting Action Alert in RAR

  Hi All
  Has anyone got such a strange symbols/notations while checking the conflicting action alerts in GRC RAR> Informer tab> Alerts ?
  3/13/2009 - 1:23:54 PM  
  User BI team HCLTBI01 (HCLTBI01)  
  Risk Violated B003: Basis Development & Client Administration
  I could not understand what means?
  Regards
  Abhijeet

  Hi Abhijeet
  Check thread https://forums.sdn.sap.com/click.jspa?searchID=23633733&messageID=7005670
  Regards,
  Vit

• Activating action usage report in RAR

  Hi,
  I want to configure the Action usage report in AC 5.3 RAR. However after reading all of the configuration documents I am still not clear on the steps to achieve this.
  Specifically how is the transaction data gathered?
  Is there a job that runs on the SAP system?
  I have looked at the options for configuration under alerts generate jobs, however I do not want to gather data on transaction related to a specific risk, I want to gather data on all transactions used. I cannot see an option to set this up.
  I want to use this report for remediation purposes.
  Thanks,

  Hi,
    Action usage job runs on RAR (Java front-end) side and basically, collects the data from SAP system and populates the RAR database.
  Alert is only supposed to work at SoD risk level or critical action risk level. The reason why SAP doesn't allow you to generate alert for all the transactions as that would be too much of data.
  Alpesh

• RAR: Alerts tables understanding

  Hi,
  After running alert generation role specifying just critical actions flag and a specific risk that includes a few transactions we have identified that the following tables are containing data:
  VIRSA_CC_ALLASTRUN: Dates and time when alert generation job finished
  VIRSA_CC_ALLISTHDR: Header data that is shown under alers' reports.
  VIRSA_CC_ALLISTDTL: Details for the alerts identified (in our case critical trnasactions)
  VIRSA_CC_ALTCDLOG: Last time a user executed a transaction within the period alert generation was executed
  VIRSA_CC_ACTUSAGE: All transactions executed by users (transactions are shown several times but differs on time) within the period alert generation was executed
  Our questions:
  1) When and where tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are used within SAP GRC AC?
  2) Since we are executing alert generation job on a daily basis, tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are increasing very fast. Which is the best practice and procees to manage this information? Is deletion performed? Is archiving performed?
  Many thanks in advance. Kind regards,
    Imanol

  Hello Imanol !
  I've never heard of deleting Alerts per say, but you can delete the Action Usage that is used to generate the alerts. in RAR, go to: Configuration --> Ulitities --> Purge Action Usage.
  I've never used the functionality yet, but my assumption is that deleting the action usage, would also impact the alerts and might possibly delete them too. There is some good information about positive/negative impact in the Configuation Guide "AC53_CG_Final_en_Aug_2010.pdf" on page 64.
  Per your original question, if I understood correctly, the collected action usage is used a lot in AC. The following reports make use of Action Usage:
  1. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by Role & Profile
  2. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
  3. ERM --> Informer --> Transaction Usage
  The third report is my favorite since it collects usage counts and which really helps for role re-enginneering.
  The UAR and SOD Review processes make use of action usage too.
  -Dylan

• GRC RAR Alert Email Sender

  Hi,
  I am trying to work out how GRC RAR determines which email address to use when sending out RAR Alerts.  I have a risk which has 3 Risk Owners, I have tried various combinations of assigning Risk Owners to the Risk, but cannot see any logic as to how RAR picks which one to send the email alert from.
  If I just have one Risk Owner, then the Alert is sent from that user, however when multiple owners are attached there does not appear to be any logic as to which one from the list is chosen.
  Any help would be much appreciated.
  Thanks & Regards,
  Stephen

  Hi Stephen,
  In GRC ARA 5.3, following is the logic which determines that who is sending the notification if there are multiple role owners.
  The logic goes like this while sending the emails:-
  1. It re-orders the role owner list so that alphabetically the last e-mail is treated as first.
  For example:-
  email of C01   say email is C01@ XYZ.com
  email of B01   say email is B01@ XYZ.com
  email of Z01    say email is A01@ XYZ.com
  ** Alphabetically C01 is last and will send the mails.
  2. Now this last email of C01 becomes the e-mail id who will be set to send the mail to all other owners in list.
  I hope this information helps.
  Regards,
  Yukti

• Mass Delete of old RAR Alerts

  Hi I have a client who averages 3,500 Alerts per month in RAR.  They have only just mitigated some users / positions which are entitled to use the particular transactions so this should significantly reduce the number of new Alerts, but they want to clear the old Alerts.
  I know you can manually go into the Alert Monitor TAB to clear them one at a time, but is there a Mass clear function hidden somewhere in AC5.3 SP11?
  Thanks,
  Stephen

  Hi Stephen,
  I must say I haven't seen such a feature yet.
  Best,
  Frank

• RAR Alert Monitor - Critical Actions Report - user ID is garbled

  In the above report, the alert generation has data in it, showing that a transaction was executed, from a terminal, but the user ID is garbled.  It appears like this:
  Alert Date Time    8/10/2010 - 10:32:34 AM
  User    +LqvhQveEQJ (+LqvhQveEQJ)
  Risk Violated   BSCF:Basis Configuration Actions
  It then continues to show me the details of the transactions executed, and the date, time and terminal from where they were executed.
  With the user ID being garbled, it's not clear where it's getting this user from, and how to rectify it.  Any ideas?
  Thanks,
  Santosh

  Hi Santosh,
  Add atuhorization object "S_TOOLS_EX " in SAP pre-delivered "/virsa/CC_Default_Role" default role which you have in R/3 and make sure that role is assigned to user account which you are using in JCO connection as well.
  This will resolve your issue.
  Thanks,
  Tavi
  SAP Security & GRC Consultant.

• Control monitoring alerts- RAR 5.3

  I've few mitigating controls in palce with frequency in reports tab as 1. I'm sure that the action given in the reports tab was not executed in the backend system by the monitor but still I do not get alterts for control monitoring in Alert monitor tab. Please advise

  Plz. note the correction:
  It is not 9 character or 5 character risk id that makes the difference. I was not getting control monitoring alert because the 9 character riskid I specified in the mitigating control was a permission level rule id and SAP says that from 5.3 onwards permission rules are not considered for any analysis. So we have to mention the riskid with * or we can specify the action level rule id to receive the control monitoring alerts.

• AC 5.3  Critical Action Alert Emails not being sent

  HI:
  We have set up Critical Action alerts for a couple of transactions and while the on-line alert logs are being generated correctly, the alert email is not being sent to the Risk Owner.
  Does anyone know where I can trouble shoot this issue?
  Thanks,
  Margaret

  >
  Alpesh Parmar wrote:
  > Margaret,
  >
  >     Have you set up the SMTP server in visual admin? RAR needs to use this server details to send out an email.
  >
  > Alpesh
  Hi AlpeshMargaret,
  Where are the instructions for setting up the SMTP server in visual admin for the purpose of Alert Generation? I am not seeing this in the Configuration Guide. Could you point me to the correct documentation?
  Thanks!
  Jes

• Action Usage Report In RAR

  Hello Everyone,
  I have scheduled a job for alert generation in RAR periodically every 1 day and after the job is completed successfully. I want to get the report for Action Usage for Users it is giving me data upto September 2010, and nothing after this date. I appreciate if somebody can provide me with an answer.
  Regards
  Khan

  Hello Diego.
  First of all I would like to thank and appreciate for the your quick reply.
  Yes I have recently performed User\Role\Profile sync and also changed some parameters in RAR and in the JCo destinations and asked my Basis person to restart the instace.
  I would like to run it again but the problem which I am seeing is there is nothing getting written on the Alert folder created as /sap/sid/grc_qa3/qa3_alerts. The following are the parameters set in RAR --> Config --> Miscellaneous
  Background Job Spool File Location  = /sap/acd/grc_qa3
  Alert Log File Name and Location  = /sap/acd/grc_qa3/alerts
  We checked the spool file there is data written but not in the Alert log.
  Also can you explain what needs to be checked in the table "VIRSA_CC_ACTUSAGE" which I checked in debugger If you can elobrate a little more on this matter.
  Regards,
  Khan

• How to make use of notify-send to get alerted when a chat-message arrives?

  I would like to get notified, if a chat-message arrives. I tried two add-ons, both will play a sound, but not show a notification-window, as promised, so I'd like to do it myself, using `notify-send`. I suppose, that'll take to listen to a fitting event and execute notify-send, can someone please give me a hint, how to do that? Docs are rare.
  Using Thunderbird 24.4.0 on Ubuntu 12.04
  TIA, ida

  Hi Matt and sfhowes,
  I have tried several-addons with no success and suspect a problem with my Ubuntu, as they don't show any problem-reports of other users.
  Writing a Thunderbird-add-on is a little bit challenging and not as well supported than writing a Firefox-Add-on. Also the used JS-func for alerting, when messages arrive, shows a lot of bug reports.
  So I decided to go for a shell-script-solution now, listening to a fitting child-process and sent notificia. I will post it , when it's finished.
  Thanks for your replies
  Ida

• GRC AC 5.3 - RAR Parameters

  Hello,
  I have the following 8 queries related to GRC AC 5.3 RAR parameters
  When I go into RAR -> Configuration -> Miscellaneous, I see the following entries.
  Maximum Display Lines For Print Preview 
  This parameter specifies the maximum number of lines to be displayed in print preview mode; the default value is 500
  1- What is the Print Preview of the lines for? Can I make it 10000 instead of 500. Is there a performance impact?
  Background Job Spool File Location 
  This parameter specifies the location where the background job spool files are stored Note: You need to restart the server
  2- Why do I need the Background Job Spool File location? Is it when I use Default Logger parameter as SAP Logger? Currently we are using the Default Logger parameter as Java Logger
  Alert Log File Name and Location 
  This parameter specifies the location where the action usage purged data files are stored
  3- Whey do I need this Alert Log file parameter for? I mean how is the Alert Log file generated in RAR 5.3
  SAP Application Server Location 
  Enter SAP application server location here
  4- Why do I need SAP Application Server Location, when I have installed SAP GRC 5.3 on standalone SAP JAVA Stack?
  FTP Site Location 
  Enter FTP site location here
  5- What should the FTP site location be given as? Should I give a fully qualified domain for a particular host for the FTP of above RAR background job log files and RAR Alert log files?
  6- Do we have the background job log files FTP into another host, if Default Logger parameter is chosen as SAP Logger?
  FTP Site User Name 
  Enter FTP site User Name here
  7- What is the best practice for specifying a FTP User? I mean what is the username normally given in RAR environment?
  8- Is there any OSS Note, SAP Help URL which  describes about RAR parameters in detail?
  Thanks,
  Haleem

  Hi,
  > Maximum Display Lines For Print Preview 
  >  This parameter specifies the maximum number of lines to be displayed in print preview mode; the default value is 500
  >
  > 1- What is the Print Preview of the lines for? Can I make it 10000 instead of 500. Is there a performance impact?
  > 
  You should used 500 only.
  > Background Job Spool File Location 
  > This parameter specifies the location where the background job spool files are stored Note: You need to restart the server
  >
  > 2- Why do I need the Background Job Spool File location? Is it when I use Default Logger parameter as SAP Logger? >Currently we are using the Default Logger parameter as Java Logger
  > 
  No, background job spool file location is something different from logger. Background spool file location is the location where
  spool file of your background job will be generated.
  Diferent between Java Logger and SAP Logger is that if you choose SAP Logger then log file of your RAR will be generated in NWA. But if you will choose as Java Logger then log file will be generated as separate file as ccappcomp.<n>.log which you will see in CC debugger.
  > Alert Log File Name and Location 
  > This parameter specifies the location where the action usage purged data files are stored
  > 
  > 3- Whey do I need this Alert Log file parameter for? I mean how is the Alert Log file generated in RAR 5.3
  >
  check below link:
  Compliance Calibrator Alert Generation Issue
  > SAP Application Server Location 
  >  Enter SAP application server location here
  > 
  > 4- Why do I need SAP Application Server Location, when I have installed SAP GRC 5.3 on standalone SAP JAVA Stack?
  >
  > FTP Site Location 
  >  Enter FTP site location here
  >
  > 5- What should the FTP site location be given as? Should I give a fully qualified domain for a particular host for the FTP of above RAR background job log files and RAR Alert log files?
  > 6- Do we have the background job log files FTP into another host, if Default Logger parameter is chosen as SAP Logger?
  >
  > FTP Site User Name 
  >  Enter FTP site User Name here
  >
  > 7- What is the best practice for specifying a FTP User? I mean what is the username normally given in RAR environment?
  The following new reports can have long runtimes:
  - User Authorization Count
  - Role Authorization Count
  - List Expired and Expiring Roles for Users
  - For that reason These jobs run on ABAP side and produce a spool file. An icon is displayed on the front-end for the jobs that complete. (If you run jobs on all systems and it finishes on one system before another the icon will display for the finished system first)
  - The report directory on the SAP Enterprise Resource Planning (ERP) application servers. This is the temporary storage location for spool files generated by these background jobs.
  - The same directory name is used for all SAP backend systems.
  - The location, user name, and password for FTP of security reports generated by backend SAP ERP systems.
  > 8- Is there any OSS Note, SAP Help URL which  describes about RAR parameters in detail?
  Note 1121978 - Recommended settings to improve peformance risk analysis
  Check below link for performance optimization of RAR:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90aa3190-8386-2b10-c4ba-ced67322ea6d?quicklink=index&overridelayout=true
  Thanks
  Sunny

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• User risk analysis offline mode in RAR

  Hello colleagues
  We are in AC SP14 and trying to perform RA via risk analysis-> user level. When the offline analysis parameter is set to YES we don't receive results, when the offline analysis parameter is set to NO we receive results but they are partiialy in comparison the the results we receive for the same user in the management view -> user violation report.
  So our question is:
  1.     Why the offline analysis=YES is not showing any data when all the prerequisites were performed (the background RAR sync/risk analysis/management view jobs are finished successfully and the configuration parameter of offline analysis is set to yes)?
  2.     Why the offline analysis=NO is not showing the same results as in the management view user violation report that was updated a just 10 minutes before?
  We viewed notes number 1544338 and 1126251 and all is configured an maintained as needed.
  Best Regards,
  Shira

  Hi Saurabh,
  Kindly check the below SAP notes.
  SAP note 1731579-- RAR 5.3 BRA job fails after about 4% - 6% of completion
  1727751 - Alert generation job fails with message "Error in  Alert Generation
  Hope this helps.
  Best Regards,
  Saksham