Risk Analysis not highlighting SODs for critical transactions

Hi,
I am currently experiencing a problem when running risk analysis for critical transactions.
SOD conflicts are not always being detected for critical transactions. This is happening both in role expert while creating a role and during role simulation in CC. For example risk BSSC, SU01 does not produce a violation when added to a role, but SOY1 does.
It seems to be happening consistently. If a transaction in risk BSSC has a permission object associated with it in the ruleset, a violation (at tcode or object level) is not detected by the risk analysis even when this authorisation object is maintained with the same value as in the rule set. If the transaction has no permission objects specified in the ruleset, then a violation is detected at tcode level analysis.
These transactions are standard transactions in the ruleset and have not been changed in any way. I have checked the rules and there are critical action rules for both transactions.
Has anybody experienced similar problems?

Hi..
Check the note # SAP Note 1121978
SAP Note 1121978 - Recommended settings to improve performance risk analysis.
Check for the following...
CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
ChangeThreadCountStep =50
InitialThreadCount= 100
MaxThreadCount =200
MinThreadCount =50
Regards
Gangadhar

Similar Messages

  • Error while performing Risk Analysis at user level for a cross system user

    Dear All,
    I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
    The error is as follows:
    "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
    Can anyone please help.
    Regards,
    Gurugobinda

    Hi..
    Check the note # SAP Note 1121978
    SAP Note 1121978 - Recommended settings to improve performance risk analysis.
    Check for the following...
    CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
    ChangeThreadCountStep =50
    InitialThreadCount= 100
    MaxThreadCount =200
    MinThreadCount =50
    Regards
    Gangadhar

  • Material not fully maintained for this transaction/event

    Dear All,
    When I am extending a material to a new storage location using MMSC I am getting the below error message.
    "Material not fully maintained for this transaction/event". What may be the reason?
    regards
    venu gopal

    Hi
    Check whether the material has plant level data, i.e. any views like MRP, purchasing.
    I suppose if the material has only basic data 1 and 2 then you may get the below error.
    Check and revert
    Reg
    Raja

  • Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

    Hi,
    We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
    When we defined the role and maintained authorization data and proceeded without running risk analysis, the role moved to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon clicking Save & Continue it proceeds to further stages.
    Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to the next stage?
    We already set the parameter 3011 as YES - Conduct Risk Analysis before Role Generation.
    Thanks and Best Regards,
    Srihari.K

    Hi,
    Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
    "Set the value to YES to automatically perform risk analysis when the user generates roles."
    This parameter applies only at generation stage.
    Cheers,
    Diego.

  • Risk Analysis not performed when using IDM WS

    Hi ,
    We are using the SAP delivered IDM WebService for submitting Access requests to CUP 5.3 SP8 Patch1.
    We have defined the properties:
    1. Perform Risk Analysis on Request Submission - YES
    2. Risk Analysis Mandatory (approval stage) - YES, When Access Changed
    3. Approve Request Despite Risks - NO
    (This setting will enable the approver to approve the access request without performing a Risk Analysis, if the initial risk analysis doesn't identify any risk with the access request. But if there are risks, the approver need to mitigate the same before he can approve it.)
    But we have found out that when submitting a request through the SAP Delivered IDM WS -'SAPGRC_AC_IDM_SUBMITREQUEST', the system DOESN'T perform RA during request submission. But when the request is submitted directly in CUP, it does.
    We've referred the Note:1168508 where it's mentioned that this issue is being fixed with SP7 Patch 1. But we are already on SP8.
    The Note says:
    "The following issues are resolved as part of Support Package 7 Patch 1:"
    and the last bullet point states that:
    "While submitting a CUP Request from web service, if the flag for Risk Analysis on submission is set not performing the Risk Analysis on submission."
    This feature was not working before and hence thought SAP has fixed it as mentioned in the Note. Has anybody succeeded in getting this feature working?
    Thanks & Regards,
    Anil

    Yes Dries, we have tried both and we happen to see some exceptions on request submission through WS.
    But the request is still getting created. I have an open ticket with SAP to follow it up. I'll update once I get this fixed.
    Exception Details:
    Exception during EJB call, Ignoring and trying Webservice Call
    [EXCEPTION]
    com.virsa.ae.service.ServiceException: Exception in getting the results from the EJB service : com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/w...
    Full Message Text
    Exception during EJB call, Ignoring and trying Webservice Call
     com.virsa.ae.service.ServiceException: Exception in getting the results from the EJB service : com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
    at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:294)
    at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:418)....
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by: java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
    at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.execRiskAnalysis(RiskAnalysisEJB53DAO.java:304)
    at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:276)
    ... 44 more
    Thx,
    Anil

  • Policy Agent 2.2 release notes highlight need for 32 bit -  SPARC?

    Just to be clear, I don't really believe the release notes in this case, but I would like to hear from someone who knows.
    Basically this document :
    http://docs.sun.com/app/docs/doc/819-2796/adtcb?a=view
    Contains the following entry :
    Besides Agent for Apache HTTP Server 2.0.54, web agents do not support the 64-bit version of a deployment container (6474344)
    For example, Agent for Sun Java System Web Server 6.1 does not support the 64-bit release of Sun Java System Web Server 6.1.
    Workaround:Except when using Agent for Apache HTTP Server 2.0.54, do not use a web agent with a 64-bit version of the supported web container.
    I am trying to work out how to comply with this requirement. There seems to be no separate download of a 32 bit version of any server for sparc at present. Nor is there any production of 32 bit sparc hardware ...
    respectfully
    BJ

    This note is applicable to agents for various web servers like Apache, Sun WS6, IIS, Sun Proxy 4, Lotus Domino etc servers. These agents are 32-bit ones by default. 64-bit support is not there yet for all the agents.
    -Subba

  • Speech analysis not working, even for english - CC 7.0.1, OSX

    My research around the forum suggests that there IS a bug for this, but only for languages OTHER than english. I beg to differ...
    In my case, I have not installed any additional language packs, and the "Analyze..." button in the speech analysis part of the metadata panel is eternally grayed out.
    I CAN right click clips in the project panel and select "analyze content" which loads up a speech analysis prompt. Every language but English is grayed out. So, I leave it on english. Click "OK," which opens up media encoder - then nothing. Nothing happens.
    Is this a legitimate bug that I should report? Or is there something I'm missing?

    Hi Keith,
    Thanks for posting the questions. The speech analysis model has a problem in Premiere Pro CC: in spite of installing the language packs, all other options except English are greyed out. The problem has been reported and unfortunately there is no work-around available for it.
    For your second query, please mention the workflow that you are trying to follow, because as I understand it you are launching Media Encoder and not adding any files to the queue for transcoding. If you want to check it, you can open any project in Premiere Pro CC and then queue the sequence in the export window, which will in turn launch Media Encoder CC, and you will notice the transcoding in the queue window.
    Thanks and Regards,
    Vinay

  • CUP Risk analysis bad error message for TooManyViolationsException

    Hello,
    We are running CUP GRC-SAC-SAE 5.3_13.0 ( Build ID:04080510 ) with Compliance Calibrator 4.0 in our R/3 systems. We recently had a situation where the number of conflicts identified by CC was too large for CUP to handle. Instead of getting a serious error message that was meaningful, we got "x Access to all actions".  The request was approved (manually) for SODs, and the user ended up with an account that was outlandish.
    Has anyone else had this problem? Is there some threshold that we could raise in CC?
    Any help or advice would be appreciated.
    Thank you.
    Jennifer
    The log shows the following:
    2011-04-25 19:03:15,023 [SAPEngine_Application_Thread[impl:3]_7] ERROR com.virsa.ae.service.TooManyViolationsException: Too many violations found.
    com.virsa.ae.service.TooManyViolationsException: Too many violations found.
         at com.virsa.ae.service.sap.RiskAnalysisDAO.determineRisks(RiskAnalysisDAO.java:224)
         at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:182)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doRiskAnalysis(RiskAnalysisAction.java:1161)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doAnalysis(RiskAnalysisAction.java:381)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:118)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

    CUP denies requests with SAP_ALL; the message "Access to all actions" is typically the one you get when you have a user with SAP_ALL. When you say the request was approved manually, do you mean you handled it out of the CUP system or CUP approved the request despite giving you the error message?
    Regards,
    Chinmaya

  • Org Level Risk Analysis not running in 5.2

    I have installed Compliance Calibrator 5.2 and most of the functionality is working fine except for the Org. Level analysis. When I run this in foreground or background I get "No match/conflict found" which would be great except I know full well there are conflicts.
    When I looked at the log of the background job I spotted this:
    INFO:  Job ID:35 : # objects to analyse: 0
    It looks like the job doesn't look at any users. I presume this is a problem with my configuration. Has anybody had a similar problem or know what I need to change?
    Thanks,
    Mark

    Hi Mark,
    Have you executed the User Synchronization in order to retrieve User IDs from the backend into the CC database?
    Please, keep in mind that you also need to execute the Org. User Mapping functionality.
    Furthermore, set within Configuration tab, the option to take into consideration Org. Rules.
    Hope it helps. Best regards,
       Imanol

  • FFLOGCRT Send Log Report with Critical Transactions Only

    Hi ,
    I have configured FF (SPM) wherein Controllers are getting FF ID login notifications through emails. Now I have a requirement to stop these notifications and send them only for critical transactions. I have configured critical transactions in table /VIRSA/ZVIRTCODE.
    In order to get notifications only for critical transactions I have updated the configuration as below.
    CHGLOG Retrieve Change Log     YES
    FFAUTH Firefighter Owner Additional Authorization     YES
    FFCNTL Firefighter Controller Additional Authorization     YES
    FFLOGCRT Send Log Report with Critical Transactions Only     YES
    FFLOGIM Send Log Report Execution Notification Immediately     NO
    FFLOGNOTI Send Log Report Execution Notification     NO
    FFNOTIM Send Firefighter Login Notification Immediately     NO
    MAIL Send FirefightId Login Notification     NO
    RFC Remote Function Call     LOCAL
    My controllers are not getting notified for critical transactions with above config. Please can you suggest where am I going wrong.
    SOST/SCOT working fine.
    ps: I have gone through the note Note 1065048 - Firefighter Log Not sent in Email to Controller.pdf
    Thanks!!
    ARD
    Edited by: Abhijeet Deshmukh on Sep 17, 2010 5:20 PM

    Hi Simon,
    I am not using risk analysis and remediation's critical transactions table. My FF (SPM) specific critical transactions are in table
    /VIRSA/ZVIRTCODE.
    CTRAN Critical Transaction Table from Compliance Calibrator(VRAT)     NO.
    I am under impression that table /VIRSA/ZVIRTCODE is used by FF for critical transactions.
    Thanks!!
    ARD

  • Error while doing risk analysis for a user

    Hi ,
    When I did risk analysis at user level for a particular user we are getting this error under level: "Exception!!. No relavent language message available in database for :0292". I had reuploaded the messages text file but still the error persists. I have restarted the J2EE application but still the error is not going. Any pointers please, thanks in advance. When checked, the file CC5.3_MESSAGES.txt does not contain any entry corresponding to message code 0292. So how should I proceed?
    Edited by: Ambarish annapureddy on Jan 21, 2009 12:54 PM

    Hi Ambarish,
        What is the patch level of GRC AC 5.3? Did you apply any service pack recently? Did the service pack contain any message file? There has to be some message file which contains message '0292'. If you can not find the message file then open a message with SAP support and they should be able to provide it to you.
    Regards,
    Alpesh

  • Back ground job for Risk Analysis

    Dear expert
    We have scheduled BG for risk analysis at role level for a DEV box and it's been 7 days since it is in running state.
    I have checked logs but no error.
    Is this normal behaviour? I am confused because of the DEV box, which is having test roles also.
    Also we are using logical system as well as physical system for ruleset.
    Kindly share your experience.
    Thanks & Regards
    Ashesh

    Hello All,
    We are getting the below mentioned error -
    WARNING:  Job ID:235 : Failed to run Risk Analysis
    java.io.IOException: No space left on device (errno:28)
         at java.io.FileOutputStream.writeBytes(Native Method)
         at java.io.FileOutputStream.write(FileOutputStream.java:260)
         at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
         at sun.nio.cs.StreamEncoder$CharsetSE.implWrite(StreamEncoder.java:395)
         at sun.nio.cs.StreamEncoder.write(StreamEncoder.java:136)
         at java.io.OutputStreamWriter.write(OutputStreamWriter.java:191)
         at java.io.BufferedWriter.flushBuffer(BufferedWriter.java:111)
         at java.io.BufferedWriter.write(BufferedWriter.java:206)
         at java.io.Writer.write(Writer.java:126)
         at com.virsa.cc.xsys.riskanalysis.dao.dto.RAReportDTO.printToSpool(RAReportDTO.java:454)
         at com.virsa.cc.xApr 1, 2011 2:08:45 AM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
    Thanks,
    Jagat
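A log check for the three signatures quoted in the threads above (TooManyViolationsException, "Failed to run Risk Analysis", and "# objects to analyse: 0"), each of which means the analysis produced no usable result rather than a clean one. This is an added example, not SAP's code or anything posted by the participants; the sample lines are constructed from the formats quoted in the posts, and the line for job 36 and the finding names are assumptions.

```python
import re

# Signatures copied from the log lines quoted in the threads above.
# Each one marks a risk-analysis run whose outcome must not be read as "no risk".
SIGNATURES = [
    ("too_many_violations", re.compile(
        r"^(?P<ref>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*\bERROR\b"
        r".*TooManyViolationsException")),
    ("job_failed", re.compile(
        r"^WARNING:\s+Job ID:(?P<ref>\d+)\s*:\s*Failed to run Risk Analysis")),
    ("nothing_analysed", re.compile(
        r"^INFO:\s+Job ID:(?P<ref>\d+)\s*:\s*# objects to analyse:\s*0\s*$")),
]

# Constructed sample: formats follow the posts; job 36 is invented as a
# healthy counter-example that must not be flagged.
SAMPLE_LOG = """\
2011-04-25 19:03:15,023 [SAPEngine_Application_Thread[impl:3]_7] ERROR com.virsa.ae.service.TooManyViolationsException: Too many violations found.
com.virsa.ae.service.TooManyViolationsException: Too many violations found.
     at com.virsa.ae.service.sap.RiskAnalysisDAO.determineRisks(RiskAnalysisDAO.java:224)
INFO:  Job ID:35 : # objects to analyse: 0
INFO:  Job ID:36 : # objects to analyse: 412
WARNING:  Job ID:235 : Failed to run Risk Analysis
java.io.IOException: No space left on device (errno:28)
"""


def triage(lines):
    """Return (finding, reference) pairs; reference is a timestamp or a job ID.

    Stack-trace continuation lines and the repeated exception line carry no
    timestamp or job ID, so they are skipped and each event is reported once.
    """
    findings = []
    for line in lines:
        for kind, pattern in SIGNATURES:
            match = pattern.search(line.rstrip())
            if match:
                findings.append((kind, match.group("ref")))
                break
    return findings


if __name__ == "__main__":
    for kind, ref in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {ref}")
```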

  • Risk Analysis Best Practices using CC

    Hi all,
    A SAP best practice for the risk analysis is:
    1) Run risk analysis against single roles
    >> Remediation for single roles
    2) Risk analysis for composite roles
    >> Remediation for composite roles
    3) Risk analysis for users
    >> Remediation for users
    My question is: How is CC able to take into consideration if the risk analysis performed is done for single or composite roles? When you run a Role Analysis there is no way to filter for such criteria.
    Many thanks in advance. Regards,
       Imanol

    Hi again,
    Thanks for the answer but I still have something in mind I would like some opinions about.
    If we have the following scenario:
    RC 1 (Composite Role 1) = RS1 (Simple Role 1) & RS2 (Simple Role 2)
    RS1= A1 (Action 1) , A2 (Action 2)
    RS2= A3 (Action 3)
    Risk R1= Combination of A1 and A3
    If we apply the risk analysis just to simple roles, we will not identify any risk since we don't have available the information from the composite role point of view.
    On the other hand if we consider the action related to RC1 through RS1 and RS2 we get:
    RC1 = A1, A2, A3
    Therefore, in this case we are able to say that the composite RC1 includes a risk since such role includes action A1 and A3.
    What do you think? Thanks for all. Regards,
        Imanol
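The scenario from the post above, worked through as an added example (not code from the thread or from SAP): the same rule R1 is evaluated per single role, per composite role, and for a user. The user USER1, who holds RS1 and RS2 directly without RC1, is a hypothetical addition that goes beyond the post to show why the user-level pass is still needed.

```python
"""SoD analysis at single-role, composite-role and user level (added example)."""

# Constructed data: the scenario from the post (RC1 = RS1 & RS2, R1 = A1 + A3).
SINGLE_ROLES = {
    "RS1": {"A1", "A2"},
    "RS2": {"A3"},
}
COMPOSITE_ROLES = {"RC1": ["RS1", "RS2"]}
RISKS = {"R1": {"A1", "A3"}}
# Hypothetical user, not in the post: holds both single roles without RC1.
USER_ROLES = {"USER1": ["RS1", "RS2"]}


def actions_of(role):
    """Actions granted by a role; a composite is the union of its single roles."""
    if role in SINGLE_ROLES:
        return set(SINGLE_ROLES[role])
    if role in COMPOSITE_ROLES:
        granted = set()
        for member in COMPOSITE_ROLES[role]:
            granted |= SINGLE_ROLES[member]
        return granted
    raise KeyError(f"unknown role: {role}")


def risks_in(actions):
    """Risk IDs whose conflicting actions are all contained in `actions`."""
    return sorted(rid for rid, needed in RISKS.items() if needed <= actions)


def analyze_role(role):
    """Role-level analysis: only the actions reachable through this one role."""
    return risks_in(actions_of(role))


def analyze_user(user):
    """User-level analysis: union of the actions of every assigned role."""
    granted = set()
    for role in USER_ROLES[user]:
        granted |= actions_of(role)
    return risks_in(granted)


def report():
    """Findings per analysed subject, in the order single, composite, user."""
    rows = {}
    for role in list(SINGLE_ROLES) + list(COMPOSITE_ROLES):
        rows[role] = analyze_role(role)
    for user in USER_ROLES:
        rows[user] = analyze_user(user)
    return rows


if __name__ == "__main__":
    for subject, found in report().items():
        print(f"{subject:6} {', '.join(found) if found else 'no risk'}")
```

RS1 and RS2 each come back clean, RC1 carries R1, and USER1 carries R1 as well even though no composite role is involved.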

  • Generation of numerous archivelogs when running a batch risk analysis

    Is it a normal process to generate so many ARCHIVELOGS when running a batch risk analysis? If the jobs are broken up into three separate processes, we use approximately 7GB. If we run all the processes into one, we use 100+GB. What storage requirements should we anticipate is needed in DEV and PRD for the generation of ARCHIVELOGS?

    I found a forum question that has information that resolved our issue.  The following is the link:  https://forums.sdn.sap.com/click.jspa?searchID=14313475&messageID=5373262
    Q: Background jobs to analyze users against our rules are taking forever. Our feeling is that the problem lies in the R/3 backend, however we need to know how to improve performance.
    A: Step 1
    Please ask your SAP BASIS to apply the following notes:
    Note: 1044174 - Recommendation for CC 5.x running on Oracle 10G Database
    Note: 1121978 - Recommended settings to improve performance risk analysis
    Note: 1044173 - Recommended NetWeaver Setting for Access Control 5.x
    Note: 723909 - Java VM settings for J2EE 6.40/7.0
    Step 2
    Once you applied all of the above SAP notes. Please ask your SAP DBA/BASIS to do the following actions:
    Truncate table virsa_cc_prmvl; this is the table which stores all the analysis results.
    Execute stats on all virsa_cc* tables. Example: exec dbms_stats.gather_table_stats('SAPSR3DB','VIRSA_CC_PRMVL')

  • Mass role risk analysis issue

    Hello GRC Community,
    I have a following issue:
    When I use mass risk analysis the deactivated authorization objects in the role are displayed as result. At the same time, when I use Role Level Risk Analysis the role with deactivated critical authorization objects doesn't appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    In the backend you can see that the role contains lots of deactivated authorization objects.
    I have run all sync jobs, but seemingly it doesn't help.
    Thanks,
    Sabrina
