Risk Analysis - Ignored Users
I have a client who wants to have ignored users (in User Level Risk Analysis) set to Loacked OR Expired....not just Locked, not just Expired, not Locked AND expired....is there a "hidden" selection somewhere?
Hi Jack,
i have made a quick test (RAR 5.3 SP11) and the option "Locked and Expired" ignores these users:
1) Locked and Expired
2) Locked
3) Expired
So i would say that "Locked and Expired" is "Locked or Expired" too.
You can make a quick test with your SPxx and you will see.
Regards
Pavel
Similar Messages
-
Error while performing Risk Analysis at user level for a cross system user
Dear All,
I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
The error is as follows:
"ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
Can anyone please help.
Regards,
GurugobindaHi..
Check the note # SAP Note 1121978
SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
Check for the following...
CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
ChangeThreadCountStep =50
InitialThreadCount= 100
MaxThreadCount =200
MinThreadCount =50
Regards
Gangadhar -
Running Risk analysis at User Level(CC)
Hi
Please Clear my query, wat is the difference between running the risk analysis at userlevel Violation count by Risk and Violation count by Permission.
violation count by Permission, the total number of violations are 377,569.
Violation count by Risk,the total number of violations are 11,716.
Thanks & RegardsHi Karuna,
When you perform Risk Analysis at User level and choose violation count by Permission/Risk. Here are the details of each analysis:
1. Violation Count by Risk
This analysis will display the count of how many SOD risks associated with the users existing in each business process like FI, HR, MM, PR, SD.
It will display as a bar graph or pie chart. If you choose each of the business processes and drill down to the particular SOD risk,P001 then you can display how many users have that risk, P001
2. Violation Count by Permission
This analysis will display the count of SOD violations at the action/permission level associated with the users existing in each business process.
If you choose the conflicting functions inside each SOD risk, and then expand on the permission tab you will understand why the huge number of violations it is showing.
In the Risk information screen, in Conflicting Functions, click the AP02 u2013 Process Vendor Invoices link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values u2013 all come preconfigured out of the box.
Choose the Permission tab. Expand Action F-42. Open an authorization object to show field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
Hope this will help you understand better.
Regards,
Kiran Kandepalli. -
I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please consider it urgent.
Hi,
Assign ECC connector to SAP_ECCS_LG group.
Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help. I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
Regards,
Vivek -
Error while doing risk analysis for a user
Hi ,
When i did risk analysis at user level for a particular user we are getting this error under level ."Exception!!. No relavent language message available in database for :0292".I had reuploaded the the messages text file but still the error persists i have restarted the j2ee application but still the error is not going .any pointers please thanx in advance.When checked the file CC5.3_MESSAGES.txt it does not contain any entry corresponding to message code 0292.So how shud i proceed.
Edited by: Ambarish annapureddy on Jan 21, 2009 12:54 PMHi Ambarish,
What is the patch level of GRC AC 5.3? Did you apply any service pack recently? Did the service pack contain any message file? There has to be some message file which contains message '0292'. If you can not find the message file then open a message with SAP support and they should be able to provide it to you.
Regards,
Alpesh -
GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis
Hello Gurus,
We have done configuration of GRC AC 10, and uploaded files via
SoD rules -->Upload Rules
After that we generated SoD rules for Risk Id : B001 and B002
Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
The report shows (for Group Rule level : Action)
Number of Active rules : 0
Number of Disabled Rules : 0
Number of Functions : 151
Where as for Group Rule level : Action Risk
The report shows
Number of Active Risk : 42
Disabled risk : 161
Nmr. of functions : 151 .
When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
Note: All the background jobs have run successfully.
Also the SoD files also have been uploaded successfully.
Will you please guide how can i activate the "rules" for the uploaded risk ??
regards,
VictorHello Victor/ Inder,
For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
BUSINESS Business Roles SAP
SAP_BAS_LG SAP Basis SAP
SAP_CRM_LG SAP CRM SAP
SAP_ECC_LG SAP ECCS SAP
SAP_HR_LG SAP HR SAP
SAP_NHR_LG SAP R3 - NON HR Basis Logical Group SAP
SAP_R3_LG SAP R3 SAP
SAP_SRM_LG SAP SRM SAP
(If not present then manually you can create the same)
Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
Post this activity re generate SOD for B001 and then check for user level and role level analysis.
Hope it will resolve your issue.
Regards,
Sudesh -
Issue with risk analysis report in GRC10.0
Hi All,
We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
This report is not fetching all the data even though user has all the required authorizations.
We are getting the data when we execute the dashboard reports.
Any one has idea?
Cheers
HariAlessandro,
Thanks for the reply. I am aware of this.
Problem is when dash board report is showing the risk for the user but risk anaylsis report in Reports and Analytics is not showing the risks to that user.
As per our investigation, the risk data that is displaying in the risk anaylsis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also there is no issues from authorizations side.
Regards
Hari -
ARQ: Are "Valid From" and "Valid To" dates are considered for risk analysis???
Hi All,
I have one question w.r.t. risk analysis of user while raising a request in ARQ.
I have noticed that, when a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being the same), ARQ shows risk violations properly.
This is quite logical, because user is assigned conflicting roles within the same dates.
In another scenario, if a user is assigned 2 conflicting roles in a request (with "Valid From" and "Valid To" fields being different)
Example:
Time Administration : Valid From=15.06.2014 and Valid To= 31.12.2014
Payroll Administrator: Valid From=20.06.2014 and Valid To= 31.12.2014
ARA still shows as violations (in ARQ)! Though the "Valid From" dates are different.
Logically, user is not assigned these roles at the same time to cause a risk violations. However, system is showing violations.
May I know if validity dates are considered while performing risk analysis in ARQ? If no, then what could be the justification?
Please advise.
Regards,
FaisalRafal,
Thanks for your reply.
Does it mean that all future dates will be considered while analysis?
OR
Does ARA consider these dates?
Regards,
Faisal -
Hi Folks,
I have installed CC 5.2 and ruleset to ECC are uploaded. Now, when i want to run risk analysis for User/Role from Informer. I dont see any user id from Backend system in User/Role option. I have checked everything,
SLD is working ine
JCo connectors are fine.
RFC destination defined.
Can someone help me in identifying problem?
Thanks in acticipation.
Regards,
Priyank.Hi Priyanka,
If you have successfully installed Virsa CC5.2 and uploaded Objects ans Rules, the plz follow the following procedure:
1) Go to Configuration Tab->Background Job
2)Click on "Schedule Analysis"
3) In first Pane i.e. Sync Mode select Full Sync
4)Select *User/Role/Profile Synchronization
5)Select the system for put ***
6)Dont select any other thing.
7)click on Schedule
8)Give a Valid name to this report.
9)Click on Immediate
Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
click on search
If completed successfully, then go to step 1 as above.
This time select All Check Boxes under Batch Risk Analysis Pane and then select Management Report check box in the last pane.
Then schedule the job. After that only you'll be able to see the results in Informer Tab
Reward Points if it is useful
Regards,
Faisal -
CC: Risk Resolution at user level.
HI All,
In CC 5.2 with latest patch level, I am facing an issue in Risk Resolution. When I do the Risk analysis at user level for a particular user and then do a detail Report and then try to do the risk resolution; there are standard three options:
1. Mitigate.
2. Remove Access.
3. Delimit Access.
from the user. Out of these three, the first one is working fine, but second and third are greyed out and I can not proceed with option 2&3. Have any one of you come accross such a situation or have any clues about the same. Also, my user has Admin rights to all the actions in the Admin role provided to me.
Thanks a lot in advance.
Have a nice day!!
Regards,
HershHello Hersh,
This functionality is not available in 5.2.
Regards,
Jagat
Edited by: Jagat Bir Singh on Jul 31, 2008 3:16 PM
Edited by: Jagat Bir Singh on Jul 31, 2008 3:17 PM
Edited by: Jagat Bir Singh on Aug 1, 2008 6:52 AM -
We have installed GRC 5.3 AC and using it with CUA. Connector names are same as names in CUA.
While doing Risk Analysis for user in Master system, it shows violations. For same user, when I do risk analysis in child system (which has same roles) it does not show any violations.
Are we missing anything?
Thanks,Thanks,
I checked those notes but it talks about Analysis from CUP where as I'm currently looking into Risk Analysis from RAR only.
I checked with another user-id with different roles but it shows violation in both Master and Child system. Wehre as earlier user-id still shows violation in Master system only even though roles are same in both systems.
So, i suspect some of rules are not generated (i ran rule generation again).
Is there any way to check/generate rules for particular system? -
Risk Analysis Best Practices using CC
Hi all,
A SAP best practice for the risk analysis is:
1) Run risk analysis against single roles
>> Remediation for single roles
2) Risk analysis for composite roles
>> Remediation for composite roles
3) Risk analysis for users
>> Remediation for users
My question is: How is CC able to take into consideration if the risk analysis performed is done for single or composite roles? When you run a Role Analysis there is no way to filter for such criteria.
Many thanks in advance. Regards,
ImanolHi again,
Thanks for the answer but I still have something in mind I would like some opinions about.
If we have the following scenario:
RC 1 (Composite Role 1) = RS1 (Simple Role 1) & RS2 (Simple Role 2)
RS1= A1 (Action 1) , A2 (Action 2)
RS2= A3 (Action 3)
Risk R1= Combination of A1 and A3
If we apply the risk analysis just to simple roles, we will not identifiy any risk since we don't have available the information from the composite role point of view.
On the other hand if we consider the action related to RC1 through RS1 and RS2 we get:
RC1 = A1, A2, A3
Therefore, in this case we are able to say that the composite RC1 includes a risk since such role includes action A1 and A3.
What do you think? Thanks for all. Regards,
Imanol -
Different Risk Analysis Results with the same user from 2 different RAR
Hi..
I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I donu2019t have users or roles mitigated yet, users are synchronized, rules are exactly the same and I donu2019t know what happen??... Please, help me.
Thanks...Hi...
If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs. 13150).
If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
Is it a normal behavior? What could be wrong?
Thanks in advance!! -
User risk analysis offline mode in RAR
Hello colleagues
We are in AC SP14 and trying to perform RA via risk analysis-> user level. When the offline analysis parameter is set to YES we don't receive results, when the offline analysis parameter is set to NO we receive results but they are partiialy in comparison the the results we receive for the same user in the management view -> user violation report.
So our question is:
1. Why the offline analysis=YES is not showing any data when all the prerequisites were performed (the background RAR sync/risk analysis/management view jobs are finished successfully and the configuration parameter of offline analysis is set to yes)?
2. Why the offline analysis=NO is not showing the same results as in the management view user violation report that was updated a just 10 minutes before?
We viewed notes number 1544338 and 1126251 and all is configured an maintained as needed.
Best Regards,
ShiraHi Saurabh,
Kindly check the below SAP notes.
SAP note 1731579-- RAR 5.3 BRA job fails after about 4% - 6% of completion
1727751 - Alert generation job fails with message "Error in Alert Generation
Hope this helps.
Best Regards,
Saksham -
Risk Analysis shows no Roles or Users!!
Hi Team,
Please can you help me, I am configuring GRC AC 10's ARA and I am stuck with the issue when I execute Risk Analysis on Roles or Users, I am getting blank field. No data is getting pulled up from backend system. Although my Repository Sync job finished successfully when I did it for User, Roles and Profiles.
Please can anybody help.
Thanks,
NickHi Nick,
please check this thread: GRC AC 10: RAR - no analysis results, or document: GRC AC 10: RAR - no analysis results
Regards, Andrzej
Maybe you are looking for
-
Instead of opening on my homepage, firefox opens on blank page, it says new tab. If I open it and open a second browser instance while the first is still open, the second instance will go to my home page as it should. I have tried reinstalling firefo
-
What would you like to see in Aperture in the future? Some things i'd definately like to see: - The ability to control the camera from Aperture. Very useful in a studio environment - Some simple kind of masking - Adjustable levels - Better dual scree
-
Using Adobe Photoshop CS 5.5. Menu and text are too small on my 4k Display.
I am running Adobe Photoshop CS 5.5 on my windows 8.1 laptop with 4K display. Where is the option to increase the size of menu and font? The menu looks fine on my mac book pro retina display at work, so I know it has to be possible. Please help.
-
Retrieve CS5 and CS5.5 installation path from registry
Hello, I have Photoshop CS5 and CS5.5 (5.1) installed on my PC. I want to retrieve installation path for both but in registry i am able to see only CS5.5 (5.1) path. From where i can retrieve CS5 installation path? I think registry entry for CS5 is r
-
Prerequisite PRMs for RHEL 5 to install E-Business Suite 12.1.1
Hi, I am trying to install Oracle E-Business Suite R12.1.1 on RHEL5. For that where can i get the prerequisite RPMs. Even though some of the RPMs are there in my RHEL DVD but some of those are old versions. I tried in http://rpm.pbone.net/ . But this