Risk Analysis for 2 open request in CUP

Similar Messages

• Risk Analysis for Third party ERP system

  We want to perform offline risk analysis for third party ERP(SRM) system.... We have already GRC system installed with Global rule set for SAP ERP & want to have another ruleset for offline risk analysis.
  Just would like to have a confirmation for below steps & estimated time for this.
  Activities Need to be performed from Our side(Client) :-
  1) Send the RAR format for Users/Roles/Actions & Permissions.
  2) Cross Verify the format.
  3) Create the connector for stored files.
  4) Upload the files via Data Extraction utility.
  5) Generate the ruleset for SRM(third party).
  6) Schedule the various background jobs.
  Activities Need to be Performed from Third Party - HUBWOO(Owns SRM ERP system) :-
  1) Convert users/action/roles and permissions files to RAR format.
  Activities need to be Performed  from SAP :-
  1) Provide the ruleset for HUBWOO SRM system.
  Please let me know if I missed any step above & estimated time to complete from our end & did anyone has come across ruleset for HUBWOO system..?
  Thanks in Advance!!

  Thanks all for your reply,
  Alpesh, but still I have small concern here, when SAP provide the ruleset files, it also provides for Oracle, People soft & JDE ERP.
  Though these are also third party ERP's for SAP...?
  Does it mean that we can'task for ruleset for other third party ERP from SAP...? or does SAP Charge something for it..?
  Thanks

• While doing risk analysis for profiles the web service is taking 20 minutes

  Hi All
  Iam using SAP GRC 5.2 ( As per clients requirement)
  Iam using  VirsaCCRiskAnalysisService web service
  For roles it is working fine
  But when iam doing risk analysis for profiles( S_A.DEVELOP and  S_CUS_CMP)  it is taking upto 20 minutes to give results back
  Is there any way in which we can reduce the time taken to fetch the results
  Thanks

  Hello Mph,
  This is mainly bcz these profiles are a bit heavy and have huge number of authorizations in each of them. Also since these are critical, these would be having a large number of risks which explains the reason for the delay.
  Now, besides what Harleen mentioned, what I would also recommend to you is to check the number of threads etc in the config you have done. These are the parameters which you can often change and update as per your requirements and have a great impact on the performance as well, without the need to deploy extra hardware, which is usually a pain for most organizations.
  Regards,
  Hersh.
  http://www.linkedin.com/in/hersh13

• Error while doing risk analysis for a user

  Hi ,
  When i did risk analysis at user level for a particular user we are getting this error under level  ."Exception!!. No relavent language message available in database for :0292".I had reuploaded the the messages text file but still the error persists i have restarted the j2ee application but still the error is not going .any pointers please thanx in advance.When checked the file CC5.3_MESSAGES.txt it does not contain any entry corresponding to message code 0292.So how shud i proceed.
  Edited by: Ambarish annapureddy on Jan 21, 2009 12:54 PM

  Hi Ambarish,
      What is the patch level of GRC AC 5.3? Did you apply any service pack recently? Did the service pack contain any message file? There has to be some message file which contains message '0292'. If you can not find the message file then open a message with SAP support and they should be able to provide it to you.
  Regards,
  Alpesh

• Schedule of Risk Analysis for every month end

  Hi All,
  I'm trying to create monthly background job for Risk Analysis in the GRC CC. I notice that there is no option that I can select to create the job, such that it recognise automatically the last working day for the month. Any idea on this how to and if its possible??
  Another option that I can think of is maybe to create the job on the first working day of the new month instead of the last working day.
  Anyone encounter such request within yuor organisation or whats the best practise that you are exercising now?
  Thanks.
  Raymond

  Hi Raymond,
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50cd7177-5c22-2a10-8cba-8e0c64bc4ea8
  Regards
  Gangadhar

• Drill down report for due date analysis for customer open items

  Hi, in transaction FDI0 i am using report 0SAPDUEAN-01 Due Date Analysis for Open Items .The reason i am using this is that s_alr_87012178 caters for only 6 intervals. With this report , i get 8 intervals:
  daily intervals Due Not Due Total OI
  0 - 30 0,00 0,00 0,00
  31 - 60 67.000,00- 0,00 67.000,00-
  61 - 90 0,00 0,00 0,00
  91 - 120 20.020,86 0,00 20.020,86
  121 - 150 3.270,00 0,00 3.270,00
  151 - 180 0,00 0,00 0,00
  181 - 210 0,00 0,00 0,00
  211 - 99999 0,00 0,00 0,00
  Total open items 43.709,14- 0,00 43.709,14-
  Is it possible to change the intervals through custo? i need intervals:
  0 - 30
  31 - 60
  91-120
  121-150
  151-365
  >365

  Hi AA
  refer this link where in I have given the screen shots
  http://img233.imageshack.us/g/86081486.jpg/
  The 1st screen shot is COPY of the Std Form
  The 2nd scren shot shows how to add new interval
  Br, Ajay M

• Risk Analysis for SAP HR structural authorization

  Hi experts, for those who are familiar with SAP HR structural authorization setup, can you advice what tools out there are able to implement risk based on Structural Authorization as well.
  SAP RAR/CC is not able to do this at the moment, but i am not sure if tools like CSI has the capabilities.
  Appreciate the advice.

  Hi,
  Structural Authorizations "sits" on Standard authorizations. These Structural Authorizations   will need to be defined manually ( as far as I know) depending on the "Evaluation Path".
  Award points if answer was useful.
  Thanks

• Risk Analysis in CUP not working

  Hello Experts, we are using GRC 5.3. In CUP, I am trying to approve Role Provisioning. One of the requirements is to run Risk Analsys (as it says 'Risk Analysis is Mandatory'). When I hit the 'Risk Analysis' button, the circle keep circling but, nothing seems to happen forever (no error message either). Can you guide me in the right direction? What could be the possible situation? And, where am I better off to start troubleshooting.
  Thank you.

  Well, the problem seems to be that I am connecting from VPN. From my analysis, after I reboot the laptop, I am able to analyze risk for the first 3 or 4 requests and after that I can't do risk analysis for any more requests until I reboot my laptop. If I login to a remote server (say Virsa server), I seem to have no problem at all. i am able to continuoiusly run risk analysis for multiple requests. The problem seems to be VPN or my laptop.

• How to verify Risk Analysis done for CUP request?

  We are on GRC 5.3 SP 13.
  Is there a way to verify whether a Risk Analysis was performed during a stage for a CUP request?
  We have a CUP request that should have generated a SOD Risk when it was processed.  However the closed request shows no risk or mitigations on it.  The approvers say they ran a Risk Analysis, and the workflow stage does have that set as mandatory.  Also, you do get SODs if you run a User Analysis for this userid in RAR directly, so it looks like the request should have had them also.
  Is there any way to verify whether a Risk Analysis was actually performed in the CUP request workflow stage?
  At this point I don't know if this is a problem with the CUP Risk Analysis, or if the user just didn't run one and the system let that  slip thru somehow.
  Thanks.

  I bellieve you can log into RAR>RAR Debugger>View Server Log>You can search on Analysis.  If your are getting any errors they will also show up here. 
  Example: 
  INFO: Foreground : Analysis starts:
  Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
  FINEST: ObjAuthMatcher constructed: 0ms, #singles=11, #ranges=0, #super=0
  Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
  INFO: Foreground : Analysis done: 55550000 elapsed time: 49 ms
  Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
  INFO: Foreground : 1 out of 1 (100%) done
  Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
  INFO: Foreground : All Analysis done,  elapsed time: 64 ms , memory usage: free=782M, total=2048M
  Mar 9, 2012 3:44:23 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis

• Risk Analysis in a CUP request

  Is there any way to run a Risk Analysis in a CUP request on different Rule Sets?
  Letu2019s say you have 3 different Rule Sets like US - EU u2013 Global defined in RAR. Each one includes its own risks. In a CUP
  request, it shows risks based on the u201CVirsaCCRiskAnalysisServiceu201D defined in your CUP config.
  In our case we use the global Rule Set but the problem is for an EU request you can have US risks appearing that must be mitigated even if those risks are not relevant for EU.
  It would be great if we could link the attributes Company or Functional Area directly to a specific rule set.
  Please help/comment on this issue.
  Regards

  Hi,
  When we perform risk analysis on the request, ruleset for the risk analysis for CUP request is picked from RAR default values.
  RAR-> Configuration-> Default Values-> Default rule set for risk analysis.
  This rule set is picked by CUP to perform the risk analysis.
  With the current design it is not possible to link  the attributes Company or Functional Area directly to a specific rule set.
  Kind Regards,
  Srinivasan

• AC 5.3 RAR - combined risk analysis reports for regular auth. and SPM auth.

  Dear All,
  we have users that have regular day-today authorization and also FF authorization.
  Does the Batch Risk Analysis takes into account both authorizations when doing the risk analysis for those users ? will we see it in the reports ?
  Thanks
  Yudit

  ok, so basically the answer is no, in the RAR components we do not have risk analysis for the combinations of the roles assigned to the user and to his FF ID.
  in that case, at what stage does the system checks for those combined risks ?
  is it checked when we manage the risk analysis phase in the CUP request that is asking to assign the FF ID to the user ?
  thanks
  Yudit

• Did CUP risk analysis change with SP7?

  Dear GRC experts,
  I am pretty sure when we tested CUP 5.3 SP4 when doing risk analysis it would only show new risks caused by new roles selected in request (like Risks from Simulation Only YES in RAR). Exisitng risks for that user would not be shown.
  Now with CUP 5.3 SP7 fix1 we get the existing risks shown as well not in any way related to the role(s) selected, which will be confusing to the role approvers. E.g. role request is display role, approver needs to run risk analysis and gets existing risks shown. He/she can not deselect roles to remove risks as only display role is in request. There might be no mitigating controls for those risks (creation of new mitigating controls is blocked). This would end up in requests with risks even though the requested role is not risk relevant, or even request gets stuck because no mitigatign control exists and config is set to do not allow approval of requests with risks.
  Please confirm if indeed only new risks where shown in CUP risk analysis in previous support pack levels or rel. 5.2, or that I am mistaken and all risks where always shown at risk analysis in CUP.
  Principally I think existing risks should be focus of GET CLEAN effort. Risk analysis in CUP should focus on preventing new risks at part of STAY CLEAN phase.

  Hi,
  When we run Risk Analysis for the user, it will show the existing violations as well as the violation which are there with new roles also.
  When we click on Risk Analysis under Simulation tab we can find Risk Violation details.
  Here I have a doubt, how to deselect violation role while approving request. I m unable to find that option. Please advice.
  Thanks & regards,
  KKRao.
  Edited by: KKRao_2020 on Oct 9, 2009 9:22 AM
  Edited by: KKRao_2020 on Oct 9, 2009 9:27 AM

• Risk analysis after approval in CUP

  Hi,
  Can it be possible? CUP to do automatic risk analysis after the request is approved by the role approvers.  If there are no risks, roles will get provisioned. If risks exist based on the risk ID to have the request forwarded to the risk owner where the mitigation control, monitor details are entered.
  Please provide your inputs.
  Thanks
  R R

  Not a good idea, generally.
  What you can do is have the risk analysis performed automatically on request submission. The approvers would see the risks, but you can allow them to ignore them and have a detour on the last approval step.
  This has a few quirks:
  - if your last approval is a role approver, i.e. there may be a split approval to several people, the detour is tricky.
  - if one of the approvers changes something in the request, the risk analysis is invalid.
  I would also question the general idea - usually in case of risks, one of the approvers should also take action. If all they do is approve, get them out of the way.
  Unfortunately there is no step that says "automatic risk analysis, no manual approval required". That's an enhancement I would also welcome.
  Frank.

• CUP-RAR Risk Analysis error

  Hello experts,
  When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risk(0 risks found), However when the role is added to the user in RAR simulation, there are Risks.
  Similarly,
  When an approver does risk analysis for a role in CUP before approval, the system shows 0 risk(0 risks found), However when the role is analysed in RAR, there are Risks.
  I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
  When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
  Many thanks,

  Hello Raghu
  Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
  Also I would suggest going to:
  1. CUP - configuration -Risk analysis - And see if the web service link for Risk analysis is correct.
  Better would be to go to Netweaver Administration -Webdynpro console -and get the correct link.
  2. CUP -configuration - Mitigation and here also put the correct link for all four options there i.e. (Risk analysis, Mitigation etc),
  Hopefully this should solve the problem .I donu2019t think it is related to org level.
  If problem still persist, kindly paste the log.
  Best Regards
  Asheesh

• ARA: Excluded Roles considered for Risk Analysis???

  Hi,
  There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
  Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
  I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
  Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
  Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
  May I know why system is considering these "excluded" roles at the time of risk analysis?
  Please advise.
  Regards,
  Faisal

  Alessanrdo,
  I think the "excluded" objects in path:
  SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
  itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
  I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
  Please correct me, if required.
  Secondly, I found 2 relevant posts here on SCN:
  SAP GRC Access Control: Offline-Mode Risk Analysis
  SAP GRC 10.0 Offline Risk Analysis
  Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
  I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
  Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
  May you please let me know in which scenario this would be useful?
  Regards,
  Faisal