Risk Analysis of created or changed Roles automation

Does anyone know how to automate the risk analysis directly in the backend SAP system when a role is created or changed without implementing Risk Terminator?  We are using GRC AC 10.0 with support pack 16 active and all I can find to activate this ability is to implement Risk Terminator.  In GRC 5.3, there were settings that you could set and the functionality became active at the tcode (transaction) level and then again at the permission level when you attempted to generate the profile.  Can this be done in GRC 10?
Thanks --
Sara B.

Hello Sandeep,
Doing Org Lvl Analysis is not so simple in RAR.
Firstly this is only user based.
For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
As mentioned by you, org lvl are already enabled and make sure their values are $.......,
Reason being Org Rules will be generated at runtime and then analysis will be done.
It will be better you take help of SAP on this. As they have document which will be very helpful to you.
Regards,
Surpreet

Similar Messages

  • CC 5.2 - Risk Analysis on existing roles

    Hello,
    When I submit a change request via AE 5.2 in order to add a role to an existing user,
    does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
    Thank you for your answer.
    Abderrahim

    Hi Abderrahim,
    Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
    Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
    Regards,
    Raghu

  • Role Based Risk Analysis Report

    Hello All,
    When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  This is the correct response.
    However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
    Also, when I click on the Detail Report button, I received object data that does not appear correct.
    Please Help.  Thanks.
    Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

    Hi Babiji,
    Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis. In addition to what Sneha has said,
    To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level. In Virsa 4.0 you have the option of carrying out risk analysis at role level by executing the t-code /N/VIRSA/ZVRAT.
    In section Analysis type, choose Roles and enter the list of roles.
    In section SOD Risk level, choose the appropriate risk.
    Then choose the appropriate report type and report format before executing it.
    This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
    Thanks,
    Saby..

  • GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

    Hello Gurus,
    We have done configuration of GRC AC 10, and uploaded files via
    SoD rules -->Upload Rules
    After that we generated SoD rules for Risk Id : B001 and B002
    Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
    The report shows (for Group Rule level : Action)
    Number of Active rules : 0
    Number of Disabled Rules : 0
    Number of Functions :  151
    Where as for Group Rule level : Action Risk
    The report shows
    Number of Active Risk : 42
    Disabled risk : 161
    Nmr. of functions : 151 .
    When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
    Note: All the background jobs have run successfully.
    Also the SoD files also have been uploaded successfully.
    Will you please guide how can I activate the "rules" for the uploaded risk ??
    regards,
    Victor

    Hello Victor/ Inder,
    For Risk ID B001 functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
    Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
    BUSINESS     Business Roles     SAP
    SAP_BAS_LG     SAP Basis     SAP
    SAP_CRM_LG     SAP CRM     SAP
    SAP_ECC_LG     SAP ECCS     SAP
    SAP_HR_LG     SAP HR     SAP
    SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
    SAP_R3_LG     SAP R3     SAP
    SAP_SRM_LG     SAP SRM     SAP
    (If not present then manually you can create the same)
    Select SAP_BAS_LG and put connector type as SAP,  select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain your connector.
    Post this activity regenerate SOD for B001 and then check for user level and role level analysis.
    Hope it will resolve your issue.
    Regards,
    Sudesh

  • Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

    Hi,
    We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
    When we defined the role and maintained authorization data and proceeding without running risk analysis the role is moving to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon click on Save & Continue it is proceeding to further stages.
    Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to next stage.
    We already set the parameter 3011 as YES - Conduct Risk Analysis before Role Generation.
    Thanks and Best Regards,
    Srihari.K

    Hi,
    Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
    "Set the value to YES to automatically perform risk analysis when the user generates roles."
    This parameter applies only at generation stage.
    Cheers,
    Diego.

  • Risk Analysis Error

    Hello All,
    Has anyone got this error while running risk analysis on business owner stage (where running risk analysis is mandatory)?
    "Risk Analysis filed: Exception voilation exceeds the treshhold limit : THERESOLD : 1000DETAIL:17275:SUMM 1354:MGMT:3
    THANKS MUCH IN ADVANCE

    Hi,
    Go to RAR->Configuration(tab)->Risk Analysis->Performance Tuning and change the value of "Web service violation limit " accordingly.
    As mentioned in the parameter desc- if set this value  to 0 (zero) then there is no upper or lower limit.
    I did the same to avoid any limitation on the error count.
    Regards,

  • Error Creating Request - Risk Analysis in CUP

    Initially, we had the issue of not being able to create requests in CUP. I read around and found out that I needed to go to Configuration > Risk analysis and change the "Perform Risk Analysis on Request" to No. I tested and I was able to create a request. This tells me that SOMETHING is wrong with the Risk Analysis in CUP. So since it's a Risk Analysis error, I went into a request and selected Run Risk Analysis and got the following error.
    "Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html' "
    But before anything, I just want to verify if it's an authorization error with our webservices id. Any input?
    Thank you,

    1. In the CUP Configuration-> Risk Analysis.
    Under the section "Select Risk Analysis and Remediation Version"( or "Select Compliance Calibrator Version" for version below CUP 5.3) make sure that the following web service is given in the URI, if the "Version" selected is above 4.0.
    "http://<servername>:<portnumber>/VirsaCCRiskAnalysisService/Config1?wsdl&style=document"
    In the server name and port number, enter the corresponding entries of the Compliance Calibrator (CC) or (Risk Analysis and Remediation (RAR)) server entries on which it is installed.
    The User given under this section should have the administrator access for the CUP and RAR.
    CUP is 5.3 and we have the correct URL. The user is given the following roles:
    AEADMIN
    CC_Administrator
    VIRSA_CC_ADMINISTRATOR
    Please review the attachment for the list of actions in these roles. Please let me know if there is an action that the webservice id should have. In the link below, be careful of all the download buttons. Choose the "Save file to your PC: click here" link and open the file. (not save)
    http://www.2shared.com/document/8dOC7v6E/actions.html
    2. Make sure that the user provided in the CUP connector has the access for connecting to RAR and it should also have the administrator rights of the RAR.
    Should the access be provided from the roles/actions from above?
    3. Make sure that the password of both the users given in the above points is not expired i.e. they have been reset in UME.
    You can check the same by once logging into the UME through that users. In case it asks for the password change, then the password is expired and you need to change the password and give the new password in the CUP.
    Should the password ever expire for this ID? I will double check on the password.
    4. The logon language of both the above users should be maintained in UME.
    I am not sure how to check this, please advise.
    5. Also check that the connector in the RAR is working and is able to connect to the backend SAP system.
    I tested the connection in CUP and connection was successful. How can I test the connection for RAR?
    Thank you in advance,
    Edited by: Eric Lau on May 17, 2010 6:41 PM

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
    But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activities maintained at all. We have created the MSMP workflow where all CUP requests with risks should go to the Security Stage. Now we have the situation that even though our roles are clean, they are forwarded to the Security stage. It is a huge problem, because our security stage has now even more to do than before using GRC! Because the deactivated objects are identified as risks.
    Please advise me, how to solve the problem. Did I miss some config parameters or is it a well known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro

  • Business Roles - Risk analysis

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning to end users.
    When role owner is performing risk analysis for business roles, results are proper according to defined ruleset only if "SYSTEM" field is empty.
    If system is selected, then results shows that "NO VIOLATIONS".
    Is this the standard behaviour for risk analysis of business roles or am I missing anything?
    Looking for your advice on this.
    Regards,
    Sai.

    Hi Jaya,
    Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • Mass role risk analysis issue

    Hello GRC Community,
    I have a following issue:
    When I use mass risk analysis the deactivated authorization objects in the role are displayed as result. At the same time, when I use Role Level Risk Analysis the role with deactivated critical authorization objects doesn't appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    In the backend you can see that the role contains lots of deactivated authorization objects.
    I have run all sync Jobs, but seemingly it doesn't help.
    Thanks,
    Sabrina

  • Job Error- Batch Risk Analysis (Role Full Sync)

    Hi Experts,
    I have scheduled the background job for Role analysis (Full Sync), but it gives an error - status error.
    All connections are working fine and pasted the error log for your reference.
    Oct 25, 2010 11:56:36 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthChgRoleInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.executeBAPI(InternalBackendAccessInterface.java:4227)
         at com.virsa.cc.comp.BackendAccessInterface.getAuthChangedRoles(BackendAccessInterface.java:3735)
         at com.virsa.cc.comp.BackendAccessInterface.getAuthChangedRoles(BackendAccessInterface.java:3724)
         at com.virsa.cc.comp.BackendAccessInterface.getObjDetails(BackendAccessInterface.java:1428)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.getObjDetails(InternalBackendAccessInterface.java:4327)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.getObjDetails(InternalBackendAccessInterface.java:4796)
         at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjDetails(DataExtractorSAP.java:630)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.getObjInfoFromSource(AnalysisEngine.java:4140)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1754)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:317)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchRiskAnalysis(BatchRiskAnalysis.java:1055)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1366)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:559)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO:  Job ID:23 : Analysis done: T_00035951_H_IXOSCFGS elapsed time: 666 ms
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 23 Status: Error
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 23 Status: Error
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO: Detailed Analysis Time:
    Risk Analysis Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Load Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Load Time:0millisec
    Org Rule Loop Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Loop Time: Started @:Mon Oct 25 11:56:36 EDT 2010
    Rule Loop Time:648millisec
    Org Rule Loop Time:649millisec
    Risk Analysis Time:686millisec
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1004
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine riskAnalysis
    INFO:  Job ID:23 : Exec Risk Analysis
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO:  Job ID:23 : Before Rules loading,  elapsed time: 2 ms
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.riskanalysis.AnalysisEngine performActPermAnalysis
    INFO:  Job ID:23 : Analysis starts: T_00035952_H_PMREAD_I
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1005
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1005
    Oct 25, 2010 11:56:36 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IAuthForRoleInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.executeBAPI(InternalBackendAccessInterface.java:4227)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.executeBAPI(InternalBackendAccessInterface.java:4696)
         at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjActions(DataExtractorSAP.java:213)
         at com.virsa.cc.dataextractor.bo.DataExtractorSAP.getObjActions(DataExtractorSAP.java:105)
         at com.virsa.cc.xsys.meng.MatchingEngine.getObjActions(MatchingEngine.java:813)
         at com.virsa.cc.xsys.meng.MatchingEngine.matchActRisks(MatchingEngine.java:121)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1407)
         at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:317)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchRiskAnalysis(BatchRiskAnalysis.java:1055)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1366)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:559)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Oct 25, 2010 11:56:36 AM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
    FINEST: ObjAuthMatcher constructed: 0ms, #singles=27, #ranges=0, #super=0
    Oct 25, 2010 11:56:37 AM com.virsa.cc.common.util.ExceptionUtil logError
    Kindly do the needful.
    Regards,
    Arjun.

    Hi,
    1. Please check what type of connection is configured in RAR (Adaptive RFC or SAPJCO). Please switch the connection type to SAPJCO.
    2. Please check the daemon & daemon manager statuses.
    3. Check the Job threads in daemon manager after scheduling job.
    Regards,
    Arjun.

  • RAR: Error message while running role risk analysis.

    Hi All,
    We are implementing RAR 5.3. When running permission level risk analysis we get the following error message:
    "Error while executing the Job:Cannot assign a blank-padded string to host variable 1."
    This happens only at permission level for just one single role and for all the composite roles that contain this one.
    The rules were generated without any issue and we cannot find anything unusual on that particular single role.
    Any ideas of what could be the cause of this error?

    Hi Iliya:
    Please find below the job log with the detailed error description:
    Mon Dec 15 10:06:37 GMT-02:00 2008 : -----------------------Scheduling Job =>233---------------------------------------------------------------
    Mon Dec 15 10:06:37 GMT-02:00 2008 : --- Starting Job ID:233 (RISK_ANALYSIS_ADHOC) - mm:user10
    Mon Dec 15 10:06:37 GMT-02:00 2008 : ----------- Background Job History: job id=233, status=1, message=mm:user10 started
    Mon Dec 15 10:06:37 GMT-02:00 2008 :  Job ID:233 : Exec Risk Analysis
    Mon Dec 15 10:06:37 GMT-02:00 2008 : Start Analysis Engine->Risk Analysis .....  memory usage: free=1571M, total=1962M
    Mon Dec 15 10:06:38 GMT-02:00 2008 : Rule Loader Syskey => *
    Mon Dec 15 10:06:38 GMT-02:00 2008 : No of Systems=1
    Mon Dec 15 10:06:51 GMT-02:00 2008 : Action rules cache loaded: memory used in cache=56M, free=1512M, total=1962M
    Mon Dec 15 10:06:51 GMT-02:00 2008 :  Job ID:233 : Rules loaded,  elapsed time: 13694 ms
    Mon Dec 15 10:06:57 GMT-02:00 2008 :  Job ID:233 :
    Mon Dec 15 10:06:57 GMT-02:00 2008 :  Job ID:233 : Analysis starts: MM:USER10
    Mon Dec 15 10:07:16 GMT-02:00 2008 : Auth Map cache reloaded successfully
    Mon Dec 15 10:07:32 GMT-02:00 2008 : Cannot assign a blank-padded string to host variable 1.com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
    com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
    com.sap.sql.types.VarcharResultColumn.setString(VarcharResultColumn.java:66)
    com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:511)
    com.sap.engine.services.dbpool.wrappers.PreparedStatementWrapper.setString(PreparedStatementWrapper.java:355)
    com.virsa.cc.xsys.util.ObjTextReader.lookupByKey(ObjTextReader.java:353)
    com.virsa.cc.xsys.util.ObjTextReader.getFieldValueDesc(ObjTextReader.java:261)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.insertPermReportLines(AnalysisEngine.java:2286)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.outputPermissionViolation(AnalysisEngine.java:1858)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1182)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:243)
    com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:207)
    com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:305)
    com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:183)
    com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:154)
    com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:81)
    com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:434)
    com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1223)
    com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
    com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
    com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:480)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
    com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
    com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
    com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:299)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:711)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:665)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:232)
    com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:152)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    java.security.AccessController.doPrivileged(Native Method)
    com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Mon Dec 15 10:07:32 GMT-02:00 2008 : Cannot assign a blank-padded string to host variable 1.
    Mon Dec 15 10:07:32 GMT-02:00 2008 : Job ID: 233 Status: Error
    Mon Dec 15 10:07:32 GMT-02:00 2008 : ----------- Background Job History: job id=233, status=2, message=Error while executing the Job:Cannot assign a blank-padded string to host variable 1.
    Mon Dec 15 10:07:32 GMT-02:00 2008 : -----------------------Complted Job =>233---------------------------------------------------------------
    Regards.
    Leandro.

  • GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

    Hi All,
    After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085 and 3011, 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM too has a whole lot of new features which supersede RT.
    Best Regards,
    Vishal

    Hi Vishal,
    The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
    3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
    They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
    You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
    There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
    The parameter descriptions in question are:  
    1085 - Stop Role Generation if violations exist
    3011 - Conduct Risk Analysis before Role Generation
    3014 - Allow role generation with Permission Level violations
    Regards, Simon

  • ARA: Excluded Roles considered for Risk Analysis???

    Hi,
    There are certain roles which are to be excluded from risk analysis for some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
    Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
    I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that those roles which are maintained as "Excluded" are shown in the risk analysis report as violating!
    Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk analysis, but with no luck.
    Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
    May I know why system is considering these "excluded" roles at the time of risk analysis?
    Please advise.
    Regards,
    Faisal

    Alessandro,
    I think the "excluded" objects in path:
    SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
    itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
    I don't think that the objects maintained in above path will have any importance while performing Risk Analysis from (NWBC->AM->Roles Analysis) and will NOT be considered.
    Please correct me, if required.
    Secondly, I found 2 relevant posts here on SCN:
    SAP GRC Access Control: Offline-Mode Risk Analysis
    SAP GRC 10.0 Offline Risk Analysis
    Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
    I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
    Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
    May you please let me know in which scenario this would be useful?
    Regards,
    Faisal

  • Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

    I am configuring ARA 10.1 for an ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG. I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users. GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please consider it urgent.

    Hi,
    Assign ECC connector to SAP_ECCS_LG group.
    Run the programs (GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode (this might take time so better do this in background). Better do it sequentially. Check the logs of the jobs in SLG1 just to ensure everything's fine.
    Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks. Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
    Then run ARA and while doing so please ensure the selection screen doesn't have any unwanted default inputs. If followed correctly, this should be of help. I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
    Regards,
    Vivek
