Risk Analysis & Remediation

What are the components of Risk Analysis & Remediation (Compliance Calibrator)?

-- SOD online risk analysis
-- Mitigation of conflicts
-- Alert generation for conflicting tcodes executed
-- Management report of violation in concerned system
Contact the Regional Implementation team of SAP if you are planning to implement SAP GRC AC 5.3 in your organization.
Regards,
Surpreet

Similar Messages

  • Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

    Hello Forum,
    I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC).
    I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3.
    I found a process that will unload the data from CC 4.0 so that it can be imported into RAR 5.2.
    I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet.
    Currently, I have the following definitions:
    Business Process 6 entries
    Functions 47 entries
    Risks 147 entries
    Mitigating Controls 40 entries
    Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software.
    I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls.
    Thanks for your responses in advance.
    Jerry
    Ryerson, Inc
    630-758-2021

    Thanks for the reply
    I have the migration guide and have reviewed it. I have actually played around a bit with obtaining the file from CC 4.0, and I found that the data records may need some adjustments to be compatible with RAR 5.2; that is one of the reasons that may be leading me to do everything from scratch.
    The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area.
    I'm not sure if they were mixed with the defaults.
    I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rule set, but I expect to find out.
    Thanks again for your reply.
    Jerry

  • Need to exclude certain risks in Risk Analysis and Remediation (5.2)

    Hello Experts,
    My requirement is I need to exclude certain unwanted risks whenever I execute the simulation for a user or an SAP role. We had this provision in the ABAP version of compliance calibrator 4.0. But we are not able to do the same in the upgraded 5.2 risk analysis and remediation.
    Can anyone please provide a solution to this problem or some workaround? Thanks in advance.
    Best Regds,
    Suyog Chakot...

    Hi,
    there are several options:
    - you can disable single risks in rule architect.
    - you can create a second rule set that only checks the roles you want to check on
    - you can mitigate certain roles or users to exclude them from analysis
    The options are all there - depends on what exactly you want to do.
    Frank.

  • Cannot find CCRTAWS at Access Control Risk Analysis and Remediation?

    I am looking for the Web service CCRTAWS  in Access Control Risk Analysis and Remediation.
    But I cannot find it.
    Could you help? Thanks a lot!

    Ashley,
       Go to main page of WAS (Web application server) where AC 5.3 is installed. It would be
    http://(servername):(port)/index.html [Replace servername and port with the actual servername and port number]
    Click on Web service navigator (First link on right side). This link will show you all the web services installed. Search for CCRTAWS. I can see it in my AC installation.
    Regards,
    Alpesh

  • Stopping Background job in Risk Analysis and Remediation

    Hi,
    We have scheduled a background job for Batch Risk Analysis in CC 5.3. Later we terminated that job for some reasons, but the terminated job's status has been showing as Stopping for the past 3 days. How can we cancel that job?
    We have restarted the J2EE server but the job is still running. Please suggest how we can stop that job immediately.
    Regards,
    KKRao.
    Edited by: KKRao_2020 on May 12, 2009 9:14 AM

    Hi,
    If you have access to the Oracle backend, then I can suggest a workaround for this issue:
    when the job is in Stopping status, you can delete an entry from the VIRSA_CC_JOBHST table.
    The command is
    SQL> delete from VIRSA_CC_JOBHST where jobid=<your jobid> and status=3;
    After running this command, the job in RAR will show Aborted status; the delete button will then be enabled and, if you want, you can delete that job from the RAR screen.
    Regards,
    Sudip.

  • GRC 5.3: CUP risk analysis VS. RAR risk analysis

    I've installed and configured RAR and CUP.  When I do a risk analysis simulation in RAR on a user for adding a role, it comes back with no conflicts.  When I go into CUP and make a new request for adding the same role to the same user, it comes back with risk violations, but it looks like they are critical actions that are being flagged.  Why is there a discrepancy, and how do I go about getting the same risks in CUP as I do in RAR?

    > Frank Koehntopp wrote:
    > I guess the behaviour is on purpose.
    >
    > In RAR, you can do a selective analysis on only one kind of risk. You usually only need to do that in the remediation process, where this kind of selection is helpful to track down the root cause (although I'd like to have an ALL option in RAR as well...)
    >
    > In CUP, you do want to see any kind of risk that might arise from a role assignment to a user.
    >
    > I have to say, I can not really understand why you'd want to switch off critical action or permission risks here. The user analysis in RAR and CUP serve two different purposes, hence I cannot see a bug here. If you have defined critical risks, why would you not want to see them???

    Hi Frank,
    I understand your point, but we are in the same situation as the others. We do not want to see Critical Action Risks in CUP because this is a separate process (for us) than Permission Level Risks Analysis piece. With our current structure, our Security Admins use RAR to run Permission Level Risk Analysis and mitigates appropriately. A separate compliance group uses the Critical Action reports to see who has what Critical tcodes, etc. We do not mitigate these "risks," we more or less use it as a report.
    I do not understand what you mean when you say "The user analysis in RAR and CUP serve two different purposes" - I feel it should be the same purpose, to ultimately simulate if adding security to a user will cause SOD violations. If I have CUP configured to do Permission Level Analysis, that's all I want to be seeing in CUP.
    Let me know if I need to clarify further.

  • Risk Analysis Best Practices using CC

    Hi all,
    A SAP best practice for the risk analysis is:
    1) Run risk analysis against single roles
    >> Remediation for single roles
    2) Risk analysis for composite roles
    >> Remediation for composite roles
    3) Risk analysis for users
    >> Remediation for users
    My question is: How is CC able to take into consideration if the risk analysis performed is done for single or composite roles? When you run a Role Analysis there is no way to filter for such criteria.
    Many thanks in advance. Regards,
       Imanol

    Hi again,
    Thanks for the answer but I still have something in mind I would like some opinions about.
    If we have the following scenario:
    RC 1 (Composite Role 1) = RS1 (Simple Role 1) & RS2 (Simple Role 2)
    RS1= A1 (Action 1) , A2 (Action 2)
    RS2= A3 (Action 3)
    Risk R1= Combination of A1 and A3
    If we apply the risk analysis just to simple roles, we will not identify any risk since we don't have the information from the composite role point of view available.
    On the other hand if we consider the action related to RC1 through RS1 and RS2 we get:
    RC1 = A1, A2, A3
    Therefore, in this case we are able to say that the composite RC1 includes a risk since such role includes action A1 and A3.
    What do you think? Thanks for all. Regards,
        Imanol
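
The scenario from the post above, worked through as an added example (not part of the original thread and not SAP's rule engine). The role, action and risk labels are the post's own; the functions `leaf_roles`, `action_sources`, `analyze`, `analyze_role` and `analyze_user` are hypothetical. It goes one step beyond the post by also analysing a user who holds RS1 and RS2 directly and by reporting which single role supplies each conflicting action.

```python
"""Added example: SoD analysis over single and composite roles (constructed data)."""

# Role model from the forum scenario; all identifiers are the post's labels.
SINGLE_ROLES = {"RS1": {"A1", "A2"}, "RS2": {"A3"}}
COMPOSITE_ROLES = {"RC1": ["RS1", "RS2"]}
# A risk is present when one subject holds every action in its set.
RISKS = {"R1": {"A1", "A3"}}


def leaf_roles(role, path=()):
    """Resolve a role to the single roles it contains (hypothetical helper)."""
    if role in path:
        raise ValueError(f"cyclic composite role: {' -> '.join(path + (role,))}")
    if role in SINGLE_ROLES:
        return {role}
    if role not in COMPOSITE_ROLES:
        raise KeyError(f"unknown role: {role}")
    leaves = set()
    for child in COMPOSITE_ROLES[role]:
        leaves |= leaf_roles(child, path + (role,))
    return leaves


def action_sources(roles):
    """Map each action to the single roles that grant it, across all given roles."""
    sources = {}
    for role in roles:
        for single in leaf_roles(role):
            for action in SINGLE_ROLES[single]:
                sources.setdefault(action, set()).add(single)
    return sources


def analyze(roles):
    """Return {risk: {action: [single roles granting it]}} for the combined access."""
    sources = action_sources(roles)
    held = set(sources)
    report = {}
    for risk, needed in sorted(RISKS.items()):
        if needed <= held:  # every conflicting action is present
            report[risk] = {a: sorted(sources[a]) for a in sorted(needed)}
    return report


def analyze_role(role):
    """Role-level analysis: a composite is judged on its expanded action set."""
    return analyze([role])


def analyze_user(assigned_roles):
    """User-level analysis: the union of every assigned role's actions."""
    return analyze(assigned_roles)


if __name__ == "__main__":
    cases = [("RS1", ["RS1"]), ("RS2", ["RS2"]), ("RC1", ["RC1"]),
             ("user holding RS1 + RS2", ["RS1", "RS2"])]
    for label, roles in cases:
        print(label, "->", analyze(roles) or "no risk")
```

The per-action source list is what a remediation step needs: it shows that R1 can be removed from RC1 by dropping either RS1 or RS2, while neither single role needs changing on its own.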

  • CUP-RAR Risk Analysis error

    Hello experts,
    When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risk (0 risks found). However, when the role is added to the user in RAR simulation, there are Risks.
    Similarly,
    when an approver does risk analysis for a role in CUP before approval, the system shows 0 risk (0 risks found). However, when the role is analysed in RAR, there are Risks.
    I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
    When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
    Many thanks,

    Hello Raghu
    Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
    Also I would suggest going to:
    1. CUP - Configuration - Risk analysis - and see if the web service link for Risk analysis is correct.
    Better would be to go to Netweaver Administration - Webdynpro console - and get the correct link.
    2. CUP - Configuration - Mitigation, and here also put the correct link for all four options there, i.e. (Risk analysis, Mitigation etc).
    Hopefully this should solve the problem. I don't think it is related to org level.
    If the problem still persists, kindly paste the log.
    Best Regards
    Asheesh

  • Error Creating Request - Risk Analysis in CUP

    Initially, we had the issue of not being able to create requests in CUP. I read around and found out that I needed to go to Configuration > Risk analysis and change the "Perform Risk Analysis on Request" to No. I tested and I was able to create a request. This tells me that SOMETHING is wrong with the Risk Analysis in CUP. So since it's a Risk Analysis error, I went into a request and selected Run Risk Analysis and got the following error.
    "Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html' "
    But before anything, I just want to verify if it's an authorization error with our web services ID. Any input?
    Thank you,

    1. In the CUP Configuration-> Risk Analysis.
    Under the section "Select Risk Analysis and Remediation Version"( or "Select Compliance Calibrator Version" for version below CUP 5.3) make sure that the following web service is given in the URI, if the "Version" selected is above 4.0.
    "http://<servername>:<portnumber>/VirsaCCRiskAnalysisService/Config1?wsdl&style=document"
    In the server name and port number, enter the corresponding entries of the Compliance Calibrator (CC) or (Risk Analysis and Remediation (RAR)) server entries on which it is installed.
    The User given under this section should have the administrator access for the CUP and RAR.
    CUP is 5.3 and we have the correct URL. The user is given the following roles:
    AEADMIN
    CC_Administrator
    VIRSA_CC_ADMINISTRATOR
    Please review the attachment for the list of actions in these roles. Please let me know if there is an action that the webservice id should have. In the link below, be careful of all the download buttons. Choose the "Save file to your PC: click here" link and open the file. (not save)
    http://www.2shared.com/document/8dOC7v6E/actions.html
    2. Make sure that the user provided in the CUP connector has the access for connecting to RAR and it should also have the administrator rights of the RAR.
    Should the access be provided from the roles/actions from above?
    3. Make sure that the password of both the users given in the above points is not expired i.e. they have been reset in UME.
    You can check the same by logging into the UME once with those users. In case it asks for a password change, then the password is expired and you need to change the password and give the new password in the CUP.
    Should the password ever expire for this ID? I will double check on the password.
    4. The logon language of both the above users should be maintained in UME.
    I am not sure how to check this, please advise.
    5. Also check that the connector in the RAR is working and is able to connect to the backend SAP system.
    I tested the connection in CUP and connection was successful. How can I test the connection for RAR?
    Thank you in advance,
    Edited by: Eric Lau on May 17, 2010 6:41 PM

  • Ad hoc Risk Analysis report is returning incorrect Risk Level for some Risks

    We are running GRC AC 10.0 with SP 16.  After application of Support Pack 16, some of our ad hoc risk analysis reports are returning incorrect risk levels.  For example:  Risk F024 Open closed periods and inappropriately post currency or tax entries is set as High.  When the Ad hoc report is run, the risk F024 will show on a user with a level of Medium.  We have generated our ruleset and have followed the normal procedures used to implement the support pack.  Any ideas what is causing this issue?  I have exhausted my knowledge and search attempts.
    Any help is appreciated.
    Sara B.

    Hi Kevin
    Many thanks for your post, we did run a full BRA but no luck unfortunately. Some Risks still reporting as Medium when they should be Critical or High. Oddly it is reporting correctly against some risks just not for all!
    Cheers
    Hussain

  • Issue with risk analysis report in GRC10.0

    Hi All,
    We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
    This report is not fetching all the data even though user has all the required authorizations.
    We are getting the data when we execute the dashboard reports.
    Does anyone have an idea?
    Cheers
    Hari

    Alessandro,
    Thanks for the reply. I am aware of this.
    The problem is that the dashboard report is showing the risk for the user, but the risk analysis report in Reports and Analytics is not showing the risks for that user.
    As per our investigation, the risk data that is displayed in the risk analysis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also, there are no issues from the authorizations side.
    Regards
    Hari

  • Mass role risk analysis issue

    Hello GRC Community,
    I have a following issue:
    When I use mass risk analysis, the deactivated authorization objects in the role are displayed as a result. At the same time, when I use Role Level Risk Analysis, the role with deactivated critical authorization objects doesn't appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    In the backend you can see that the role contains lots of deactivated authorization objects.
    I have run all sync jobs, but seemingly it doesn't help.
    Thanks,
    Sabrina

  • No result/report when we're running a risk analysis in background

    Dear forum,
    We are running several risk analyses in background (from the configuration tab) and we cannot see any result in the column called "result". However, when we run an offline analysis (from the informer tab) we can see that the column "result" contains a file.
    Hope you can help us.
    Thanks in advance.

    Running risk analysis in background from the configuration tab does not produce a report by design.  This background job is really just performing a system maintenance activity and is not intended for report generation.  This background job preps data for performing offline analysis as well as the underlying data that supports the management reports in the informer tab (among other things).  Generally, anything in the configuration tab is system maintenance related.
    It sounds like you're attempting to perform typical analysis of end user access, not system maintenance activities.  The informer tab is what you need to be using to perform the analysis.
    Within the informer tab, whether you choose to perform online analysis or offline analysis, a report result is always generated.  In my experience, there has not been a compelling reason to use offline analysis capabilities within the informer tab.  Online analysis (real-time analysis of the SAP system rather than the offline data from the last configuration tab background risk analysis) is naturally always current, which is a plus.

  • CUP 5.3: risk analysis in workflow impossible due to web service performance?

    Hello experts,
    We are facing a huge challenge within a AC 5.3 implementation.
    Here, AC has been used successfully with CUP and RAR for quite some time now. However, the RAR analysis has not yet been integrated into the CUP workflow. We would like to integrate the RAR analysis in CUP now.
    Based on the existing role concept (that uses functional master roles and derived roles per company code, with ca. 30 company codes in place) and the shared service operations in some areas such as FI, there is a large number of users with many roles and consequently, many SoD risks (of course, they are all "repeat" risk per company code).
    This leads to a long RAR analysis run time, but it's still acceptable. Analysis on permission level for such "power users" runs about 1 minute, on action level about 5-6 seconds.
    However, the web service between RAR and CUP is a problem and cannot cope with our violations. We have currently set the threshold to 75000. In this case, the analysis + web service runs 1-2 minutes. However, we have some users with 200-300.000 violations. In this case, if we deactivate the threshold, we will experience a web service time-out eventually, even with analysis on action level because the amount of violations the web service has to process is the same (or even higher with some false positives).
    We also have compensating controls in place for these power users, which will of course reduce the web service run-time considerably. However, this is not applicable to NEW user requests because for those, the compensating controls will be assigned only AFTER the risk analysis has taken place and the risk manager receives the workflow item.
    Has anyone experienced this in the past and found a viable solution or work-around? We are basically short of options and considering dropping the project.
    Note: An upgrade to 10.X is not (currently) a solution because this upgrade is scheduled and budgeted only for later.
    Thanks a lot and best regards
    Patrick

    Any opinions on this?
    Cheers and thanks
    Patrick

  • Error while executing the Job for Objects :null  Batch Risk Analysis

    Hi All,
    We've recently upgraded Virsa to version 5.3_14. I'm encountering a problem when executing the Batch Risk Analysis job for users, roles and profiles. The job does not complete for some objects and it seems to be sporadic and shows this error:
    Background Job History: job id=395, status=2, message=Error while executing the Job for Object(s) :ABROWN:null
    I've attached the log for your review.
    Thanks in advance for your help.
    Linda Lewis
    Feb 9, 2011 1:47:53 PM com.virsa.cc.xsys.meng.ObjAuthMatcher <init>
    FINEST: ObjAuthMatcher constructed: 4ms, #singles=2141, #ranges=0, #super=0
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.riskanalysis.AnalysisEngine riskAnalysis
    WARNING:  Job ID:395 : Failed to run Risk Analysis
    java.lang.StringIndexOutOfBoundsException at java.lang.String.substring(String.java:1019)
    at com.virsa.cc.xsys.util.RuleLoader.getPermRule(RuleLoader.java:573)
    at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.performActPermAnalysis(AnalysisEngine.java:1609)
    at com.virsa.cc.xsys.riskanalysis.AnalysisEngine.riskAnalysis(AnalysisEngine.java:321)
    at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchRiskAnalysis(BatchRiskAnalysis.java:1166)
    at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1464)
    at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:560)
    at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:363)
    at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
    at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
    at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
    at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
    at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
    at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
    at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
    at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
    at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
    at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
    at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
    at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:332)
    at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
    at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
    at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:207)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1004
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1004
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchRiskAnalysis
    WARNING: Error: while executing BatchRiskAnalysis for JobId=395 and object(s):ABROWN: Skipping error to continue with next object: null
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    2@@Msg is Error while executing the Job for Object(s) :ABROWN:null
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=395, status=2, message=Error while executing the Job for Object(s) :ABROWN:null
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1004
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1004
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.bg.BatchRiskAnalysis performBatchRiskAnalysis
    INFO: --- BKG User Permission Analysis (System: P20:020) completed ---  elapsed time: 4522 ms
    Feb 9, 2011 1:47:54 PM com.virsa.cc.xsys.util.Lock lock
    Edited by: Linda Lewis on Feb 9, 2011 9:08 PM

    Hi,
    Was a solution found for this error?
    Thanks,
    Glen
