Risk Analysis in GRC 10.0

Similar Messages

• Remote Risk Analysis in GRC 10

  Dear Experts,
  I am trying to configure Remote Risk Analysis in GRC 10.0.
  Could you please let me know if there are any standard programs that extracts data from ERP system. Like we have below standard programs in 5.3 to extract from ERP system.
  /VIRSA/DLOAD_AUTH_OBJS
  /VIRSA/DLOAD_ROLE_AUTH_OBJS
  /VIRSA/DLOAD_ROLES
  /VIRSA/DLOAD_USRS.
  If programs are not there in GRC 10.0, please advise how to get data for remote risk analysis.
  Thanks,
  Raj

  Hi Raj,
  Check this programs:
  /GRCPI/GRIA_DLOAD_AUTH_OBJS Download Authorization object
  /GRCPI/GRIA_DLOAD_ROLE_AU_OBJS Role Authorization Object
  /GRCPI/GRIA_DNLDROLES Download Roles
  /GRCPI/GRIA_DOWNLOAD_SAPOBJ Download objects
  /GRCPI/GRIA_R_DOWNLOAD_DESC Program /GRCPI/GRIA_R_DOWNLOAD_DESC
  /GRCPI/GRIA_R_DOWNLOAD_USRS Program /GRCPI/GRIA_R_DOWNLOAD_USRS
  /GRCPI/GRIA_ZVRAT_UPDWNLOAD updownload data
  Cheers,
  Diego.

• Risk analysis in GRC 10 error "Subnode COMPONENTCONTROLLER.1.SEARCH.RESULT"

  HI
  We have configured Risk analysis application within GRC 10. Also have executed the sync jobs. Now when i try to do SOD analysis i am getting an error "FPM application started without configuration" . this comes even before opening the link to SOD analysis is even open and this error comes for all type of SOD analysis like for user and role and HR object.
  I check the logs file and in logs system is complaing that "Subnode COMPONENTCONTROLLER.1.SEARCH.RESULT_TABLE" does not exist.
  Any idea why we getting this error message?
  Parven

  HI
  Connector is working fine as sync jobs are running perfectly.
  we have done the mimimum configuration setting as suggested by SAP guide ie Parameter 1023, 1024,1025 and 1026
  For activating BC sets i think we need to do that only when you using out of box SOD rules. In our case we are using customised SOD rules. So i think we dont need to activate the BC set.
  any other suggestion
  Parveen

• Program batch risk analysis offline GRC AC 10.0

  Hello consultant:
  We have configurated GRC AC 10.0 RAR , when we executed risk analysis for Tx:NWBC  , the system run analysis(foreground or background) correctly but when we executed analysis for Tx:SPRO->Governance Risk and compliance->Access control->Batch Risk Analysis , the system run two jobs E:GRAC_SOD and GRAC_SOD but the jobs run only 1 second and finished sucesffully but the system no run analysis.
  Please could you help me?
  Thank you very much

  Please check view details in NWBC.
  or go to abap and select option and run it..
  and u can monitor the same using
  the tcode batch job for GRc monitor tcode dont remember u can check in guide.
  there it can show details.
  need tcodes and all ,please post
  Regards,
  Prasant

• Running Analysis in GRC AC 5.3  - RAR

  Hi,
  Can anyone let me know how to resolve the issue.
  When i run the Risk Analysis in GRC AC 5.3 - RAR
  Informer>Risk Analysis> Role Analysis--> Execute
  This is the error message it gives:-
  *VIRSAHR_01: Cannot execute BAPI RoleList: Error connecting using JCO.Client: null: Could not create JCOClientConnection for logical System: VIRSAHR_01_MODEL - Model: class com.virsa.cc.modelvirsahr_01.BAPI_VIRSAHR_01. Please assure that you have configured the RFC connections and/or logical system name properly for this model!: Error while obtaining JCO connection.: Failed to resolve JCO destination name 'VIRSAHR_01_MODEL' in the SLD. No such JCO destination is defined in the SLD. *
  Please indicate what could be the possible solution for it.
  Thanks in advance.
  Nazeer

  HI ,
  Why dont you check the SLD is running fine or not.These are the steps to be followed ,
  Check out the URL : http:
  <localhost>:50000/sld
  When you enter the sld screen then click on administration and there you will see whether sld server is running or not.If it is stopped then start.
  Then check whether in visual administrator check for sld data supplier under server node under services node.There on the top there will be a button as trigger sld data supplier .We should get a succesul message.
  In the Jco connections click on test option one should get a test message succeful.To see the JCo connections path launch j2ee home page URL : http:
  <localhost>:50000/.After that click on web dynpro then on content administrator and then maintain JCo connections.There check out the JCo connections.IF the JCo connections are not working fine then check out the RFC 'c configured in the backend system are testing successfully.
  SLD_UC
  SLD_NUC
  LCRSAPRFC
  SAPSLDAPI
  If u still face any problem plz let me know.

• ARA: Excluded Roles considered for Risk Analysis???

  Hi,
  There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
  Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
  I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
  Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
  Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
  May I know why system is considering these "excluded" roles at the time of risk analysis?
  Please advise.
  Regards,
  Faisal

  Alessanrdo,
  I think the "excluded" objects in path:
  SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
  itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
  I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
  Please correct me, if required.
  Secondly, I found 2 relevant posts here on SCN:
  SAP GRC Access Control: Offline-Mode Risk Analysis
  SAP GRC 10.0 Offline Risk Analysis
  Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
  I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
  Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
  May you please let me know in which scenario this would be useful?
  Regards,
  Faisal

• GRC AC 10 - risk analysis : No rules were selected

  Hi,
  In GRC AC 10, when I do a risk analysis (user level for example).
  For each userid the result shown in the column action is "No rules were selected "
  any idea ?
  Thanks
  Aurélien.

  Hi Vikas,
  Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
  3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
  I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
  1. SAP Basis
  2. SAP CRM
  3. SAP ECCS
  4. SAP HR
  5. SAP R3 NON HR Basis Logical Group
  6. SAP R3
  7. Logical Group
  AND ALSO
  8. The DESCRIPTION of my RFC Connector ?!
  Now my question is as follows:
  1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
  2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
  Your advice would be appreciated.
  Best regards,
  Paul

• GRC AC 10.1 - Risk Analysis: No rules were selected

  Hi All,
  I'm currently configuring the ARA module in GRC AC 10.1, and an facing this issue. When I run my User Analysis, its throwing an error message "No rules were selected'.
  As per your suggestions from discussions, i double checked all the below activities
  Activate the BC sets
  Run Sync Jobs
  Run Batch Risk Analysis
  After all this I found that the functions are not mapped to the logical groups(Back-end Systems) I have defined. Can you please let me know how to make sure you have correct back end system(logical Group) updated for the functions in the setup? Doesn't the configurations Connector/Connector Groups etc already mapped the functions to the back-end system? It would be a hell of work to do all the system mapping on function level manually.

  Hi Narsimha
  You need to map your connectors to the logical systems that are used in the function definitions
  Look at your integration framework Setup in the IMG.
  Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
  Also, for 10.1 there was an issue with logical systems. It may be that your configuration is correct: Re: GRC 10.0 SP14 - Poblems when generating rules for logical systems
  Regards
  Colleen

• Risk analysis Report Error in GRC AC 10.0

  Dear GRC,
  I had problem with Risk analysis Report in GRC Access Request form
  When i run the Risk analysis report on Action Level , Permission Level , Critical Action Level and Critical Permission Level then report showing as "No Violations" but if i run the Risk analysis report only on Critical Action Level and Critical Permission Level then report showing too many Violations.
  I maintained Action Level , Permission Level , Critical Action Level and Critical Permission Level as default risk analysis type in SPRO Configuration Parameters settings.
  i am not understanding why system behaves like this. Could you please help me on this.
  System Details : GRC AC 10.0 , SP-12
  Thanks a lot for swift response.
  Best Regards,
  RK

  Hi GRC Team,
  Please help me on this. I am waiting for your replay.
  Regards,
  KR

• GRC AC 10.0 Mass risk analysis vs. Role level analysis

  Hello GRC experts,
  I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
  For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
  But in the mass role risk analysis  and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activites maintained at all. We have created the MSMP workflow where all CUP requests with risks should go the the Security Stage. Now we have the situation that even though our roles are clean, they are forwared to the Security stage. It is a huge problem, because our security stage has no even more to to, than before using GRC! Because the dectivated objects are identified as risks.
  Please advise me, how to solve the problem. Did I missed some config parameters or is it a well known problem?
  We are on SP14, AC 10.0.
  At the single role level there are no risks displayed.
  Thanks in advance,
  regards
  Sabrina

  Hi Sabrina,
  check note
  http://service.sap.com/sap/support/notes/2036645
  Please let me know if it works.
  Regards,
  Alessandro

• SAP GRC 10.0 ARA - Risk Analysis Job naming

  Dear all,
  Once i trigger a risk analysis in background, a job with a very strange name (serial number) is scheduled at backend. But at Business Client i put a specific naming for hits role. It could be possible to change this backends namings? It is impossible for me recognised which job is which...
  thank you in advanced,

  Hi Sara,
  please check table TASKPLAN_GRP_NAM in GRC backend system. This table lists all scheduled background jobs by ID (field TASKPLAN_GRP_ID) and job name per business client (field TASKPLAN_GRP_NAM)
  Regards,
  Markus

• GRC 10 - Risk Analysis in legacy system

  Hi everybody,
  I have a problem with legacy connectors in GRC 10. I implemented the note 1594963. So, I created the legacy files and storage it in GRC server.
  When I run the user synch, the legacy connector only synch the first record.
  Someone can help me? Someone did implement a risk analysis for legacy systems?
  Regards,

  Hi  Claudio Ekel
  Can you share some inputs on the Legacy Risk Analysis.
  We have configured the Legacy Connector as per the note 1594963 ; Placed the files on the server & tried running Synchronization Jobs. But the data is not getting uploaded to GRC10 .
  We made sure that text files are in UTF-8 format
  Is it mandatory to load all the 11 files that are provided in the note 1594963? We have excluded the Profile related files
  Can you share a sample of Legacy file formats that you have used for the sync.
  Can you throw some light on what could be the possible issues for data not getting uplaoded to GRC10?
  Regards,
  Pavan Muthyala

• SAP GRC 10.0 - Risk Analysis - Define global variant

  Hi Experts,
  We are implementing SAP GRC 10.0 and we have a question about variant management in Access Risk Analysis.
  When we saved a variant, it seems that this variant is user specific.
  Is it to possible to define this variant as default for all users?
  Thanks.
  Best regards,
  Nicolas RICHARD

  Hi,
  I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if a Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
  It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.

• GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

  Hi All,
  After having seen the configuration for Risk Analysis- Risk Terminator and Role Management , I observed that there is very little difference  for eg parameters 1085 and 3011 ,3014 .  If we configure all three parameters to TRUE which one would take effect ?Can anyone let us know under what circumstances we must configure RT and Role Management . BRM to has a whole lot of new features which supercede RT. 
  Best Regards,
  Vishal

  Hi Vishal,
  The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
  3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
  They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
  You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
  There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
  The parameter descriptions in question are:  
  1085 - Stop Role Generation if violations exist
  3011 - Conduct Risk Analysis before Role Generation
  3014 - Allow role generation with Permission Level violations
  Regards, Simon

• SAP GRC AC: Organizational rules at Batch risks analysis and Dashboards

  Dear All.
  I would like to know GRC AC is able to consider the organizational rules defined (for example: risk only affected to Company, BUKRS 0001) at the Batch risks analysis and at the Dashboard. I already know that for the ad-hoc reporting you can filter by the Org.rules created but i would like to know if this filter is also able for the Batch risks analysis.
  Thanks and regards.

  Dear all.
  As per my knowledge this parameter only sets the flag of Consider Org.Rules at the filters. This is what the guide indicates:
  "Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and
  Role Maintenance screens."
  So how are you so sure about that indicating this flag to YES will take into consideration the org rules at the Dashboards?
  Regards