Risk Analysis shows no Roles or Users!!
Hi Team,
Please can you help me, I am configuring GRC AC 10's ARA and I am stuck with the issue when I execute Risk Analysis on Roles or Users, I am getting blank field. No data is getting pulled up from backend system. Although my Repository Sync job finished successfully when I did it for User, Roles and Profiles.
Please can anybody help.
Thanks,
Nick
Hi Nick,
please check this thread: GRC AC 10: RAR - no analysis results, or document: GRC AC 10: RAR - no analysis results
Regards, Andrzej
Similar Messages
-
Different Risk Analysis Results with the same user from 2 different RAR
Hi..
I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I donu2019t have users or roles mitigated yet, users are synchronized, rules are exactly the same and I donu2019t know what happen??... Please, help me.
Thanks...Hi...
If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs. 13150).
If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
Is it a normal behavior? What could be wrong?
Thanks in advance!! -
CC 5.2 - Risk Analysis on existing roles
Hello,
When I submit a change request via AE 5.2 in order to add a role to an existing user,
does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
Thank you for your answer.
AbderrahimHi Abderrahim,
Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
Regards,
Raghu -
GRC AC 10.0 Mass risk analysis vs. Role level analysis
Hello GRC experts,
I urgently need your advice on the issue with deactivated permission objects which are identified as risks in the mass role analysis.
For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activites maintained at all. We have created the MSMP workflow where all CUP requests with risks should go the the Security Stage. Now we have the situation that even though our roles are clean, they are forwared to the Security stage. It is a huge problem, because our security stage has no even more to to, than before using GRC! Because the dectivated objects are identified as risks.
Please advise me, how to solve the problem. Did I missed some config parameters or is it a well known problem?
We are on SP14, AC 10.0.
At the single role level there are no risks displayed.
Thanks in advance,
regards
SabrinaHi Sabrina,
check note
http://service.sap.com/sap/support/notes/2036645
Please let me know if it works.
Regards,
Alessandro -
Risk Analysis of derived role is not able to fetch organisational values.
Dear All,
We have run the Permission level analysis in GRC 5.2 for the ROLES at permission level and
found that the tool is not reading the ORGANIZATION VALUES maintained
in the derived roles.
We had explored in the GRC tool & found that the field BUKRS,KOART,etc
are ENABLED in the RULES.While the CC tool is fetching value of other authorzation object.
Please Advice if there is any configuration settings required.
For your reference I am pasting the part of report.
Medium F_BKPF_KOA : Accounting Document: Authorization for Account Types ACTVT : Activity Create or generate
Medium F_BKPF_KOA : Accounting Document: Authorization for Account Types KOART : Account Type $KOART
Medium F_BKPF_BUK : Accounting Document: Authorization for Company Codes ACTVT : Activity Create or generate
Medium F_BKPF_BUK : Accounting Document: Authorization for Company Codes BUKRS : Company Code $BUKRS
Thanks,
Sandeep BhatiaHello Sandeep,
Doing Org Lvl Analysis is not so simple in RAR.
Firstly this is only user based.
For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
As mentioned by you, org lvl are already enabled and make sure there values is $.......,
Reason being Org Rules will be generated at runtime and then anlysis will be done.
It will be better you take help of SAP on this. As they have document which will be very helpful to you.
Regards,
Surpreet -
Inconsistency Data between Role Level & User Level Risk Analysis
Hi,
When we run Role Level Risk Analysis for a role (Ex: XYZ), there is no SOD conflicts. But when we try to run the user level analysis, this role shows SOD conflicts. I mean, XYZ is assigned with other roles. Combination of other roles access may bring SOD conflict, thats fine, but here the challenge is role XYZ itself has SOD conflicts. The same does not appear when we run Role Level Risk Analysis!!
How could this happen??
Thanks,
KarthikHi Karthik,
The role might be mitigated at role level.
In RAR Anayze tool, click -More options to expand the selection options
Chose "Exclude Mitigated Risks: No" -
Business Roles - Risk analysis
Hi All,
We are on GRC SP13.
We are using business roles for provisioning to end users.
When role owner is performing risk analysis for business roles, results are proper according to defined ruleset only if "SYSTEM" field is empty.
If system is selected, then results shows that "NO VIOLATIONS".
Is this the standard behaviour for risk analysis of business roles or Am i missing anything?
Looking for your advise on this.
Regards,
Sai.Hi Jaya,
Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
Try this URL, but perhaps your GRC consultant should read it instead of you.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
Cheers,
Chenyang Xiong -
Mitigation not showing in Risk Analysis
I have migitated a role and can see the mitigation on the Mitigation tab under Mitigated Roles. I wanted to run a Risk Analysis on the role to make sure the mitigation is in my reports and they not showing.
I have checked my settings on the configuration tab under "Risk Analysis" on "Exclued Mitigated Risk" and it's set to "No". I run my reports in the Infomer Tab > Risk Analysis > Role Analysis and the Report Type is at the permission level and under "More Options" the "Ignore Migitation" is set to "No".
I have reran my "sync" jobs and management reports in the order they should be ran and they are still not showing up. The migitation is not showing up in my management reports either. I am on SP9.
Is there anything else I'm missing?I answered my own question on this.
-
ARA: Excluded Roles considered for Risk Analysis???
Hi,
There are certain role which are to be excluded from risk analysis or some business reasons. To achieve this, I have added entries for these roles in SPRO and saved them.
Actually, these roles are available in all the systems. Therefore, under "System" column I have selected "ALL" and saved the entries.
I ran risk analysis for a specific business process (above roles are belonging to this business group) and surprisingly found that, those roles which are maintained as "Excluded", as shown in the risk analysis report as violating!
Thinking that "ALL" option does not work, I maintained (excluded) these roles for specific systems in SPRO. Ran risk anlaysis, but with no luck.
Then I ran risk analysis for excluded role(s), I am still getting the violations for these excluded roles!
May I know why system is considering these "excluded" roles at the time of risk analysis?
Please advise.
Regards,
FaisalAlessanrdo,
I think the "excluded" objects in path:
SPRO->GRC->AC->ARA->BRA->Maintain Exclude Objects for Batch Risk Analysis
itself says that the objects will NOT be considered while performing Batch Risk Analysis (Analytic Reports). It seems to be working fine for me.
I dont think that the objects maintained in above path will have any importance while performing Risk Analysis from NWBC->AM->Roles Analysis) and will NOT be considered.
Please correct me, if required.
Secondly, I found 2 relevant posts here on SCN:
SAP GRC Access Control: Offline-Mode Risk Analysis
SAP GRC 10.0 Offline Risk Analysis
Both of them are talking about the offline mode of running risk analysis. Actually I have not used it yet therefore, wanted to know the real usage of it. These posts seem to be giving the details of "Offline" mode analysis.
I believe this will not be used in my scenario as there is no such requirement and real need. Therefore, I think I should disable it (Offline Data) option from the analysis screen just to avoid any confusion.
Currently all our risk analysis is taking place "Online". There is no "real" need to use "Offline".
May you please let me know in which scenario this would be useful?
Regards,
Faisal -
SAP GRC AC 5.3 - RAR Risk analysis Error Log
Hi
i have scheduled the background job for full sync risk analysis for the first time . the job ended with status error . critical analysis, user,role and profile action analysis is shown 100% . but the user permission analysis shows 49% , role and profile permission analysis show 97% each . where can i check the log for the errors . do i need to run the whole risk analysis job again ? when i check the management reports , risk violations are shown as zero . Please let me know how i can proceed at this stage . thanks
Regards
PrasadThanks.
First time please do for all users. I assume this was first time and it failed, so i will suggest you scheudle for all.
once these are done, then periodic jobs should be increamental.
few tips :
- schedule user sync separate job and once it finish only then scheudle role sync and when role sync finishes, only then schedule profile sync
- always select system ids from search help (which is F4 in ABAP)
- best scheudle one job per system id, so that when failure occurs, so that error analysis is easy
regards,
Surpreet -
Hello experts,
When an approver does risk analysis for adding a role to a user in CUP before approval, the system shows 0 risk(0 risks found), However when the role is added to the user in RAR simulation, there are Risks.
Similarly,
When an approver does risk analysis for a role in CUP before approval, the system shows 0 risk(0 risks found), However when the role is analysed in RAR, there are Risks.
I have checked the Org Rules parameter in RAR (It was set to No as we are not using Org Rules).
When I set the org rule parameter to Yes, I got exception " Risk analysis failed: EXCEPTION_FROM_THE_SERVICEInconsistency Org Rule Analysis Flag Parameter". I reset the parameter to NO.
Many thanks,Hello Raghu
Here is the note number: Note 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC).
Also I would suggest going to:
1. CUP - configuration -Risk analysis - And see if the web service link for Risk analysis is correct.
Better would be to go to Netweaver Administration -Webdynpro console -and get the correct link.
2. CUP -configuration - Mitigation and here also put the correct link for all four options there i.e. (Risk analysis, Mitigation etc),
Hopefully this should solve the problem .I donu2019t think it is related to org level.
If problem still persist, kindly paste the log.
Best Regards
Asheesh -
AE 5.2 remote risk analysis with CC 520_640
Hi,
Can anyone please tell me if this scenario is possible.
AE to do risk analysis in remote system by using CC rules defined in a central system.
Eg. ECC system has mitigation rules defined for HR. ECC also has rules defined for Finance, MM etc
AE 5.2 will connect to the CC (ECC system) when processing a request and check the HR rules for the
roles in AE to do a remote risk analysis before provisioning the access in HR box.
ECC box has CC 520_640 - ECC 5.0
HR box has CC 520_700 - ECC 6.0
Is this possible at all? CC configuration parameters are enabled and defined to do a remote analysis.
Risk analysis shows risks when a remote analysis is done in CC. But AE risk analysis shows no risks.
ThanksGood question but quite confusing way to ask but anyways..
As you said you are able to perform risk analysis in RAR/CC on the considered system (remote system as you mentioned) but not able to perform the same in CUP/AE
from the symptoms It seems like the web service in AE for integration with CC to perform Risk Analysis is not configured.
Please go to Configuration tab > Risk Analysis menu > Select CC version
and enter the URL for the web service, it may be something like
hostaddres:portno/VirsaCCRiskAnalysisService/config?wsdl&style=document
or you can find it through following method.
Go to Web Services Navigator (same location as for UME) and drill down to VirsaCCRiskAnalysisService and get the URL from there. Finally enter the URL on the above mention location.
Then try performing the Risk Analysis on the considered system, if it is still not working and in case the web service is already configured and working for other systems let me know. We will think in some other direction.
Best Regards,
Amol Bharti -
Risk Analysis Best Practices using CC
Hi all,
A SAP best practice for the risk analysis is:
1) Run risk analysis against single roles
>> Remediation for single roles
2) Risk analysis for composite roles
>> Remediation for composite roles
3) Risk analysis for users
>> Remediation for users
My question is: How is CC able to take into consideration if the risk analysis performed is done for single or composite roles? When you run a Role Analysis there is no way to filter for such criteria.
Many thanks in advance. Regards,
ImanolHi again,
Thanks for the answer but I still have something in mind I would like some opinions about.
If we have the following scenario:
RC 1 (Composite Role 1) = RS1 (Simple Role 1) & RS2 (Simple Role 2)
RS1= A1 (Action 1) , A2 (Action 2)
RS2= A3 (Action 3)
Risk R1= Combination of A1 and A3
If we apply the risk analysis just to simple roles, we will not identifiy any risk since we don't have available the information from the composite role point of view.
On the other hand if we consider the action related to RC1 through RS1 and RS2 we get:
RC1 = A1, A2, A3
Therefore, in this case we are able to say that the composite RC1 includes a risk since such role includes action A1 and A3.
What do you think? Thanks for all. Regards,
Imanol -
Risk analysis reports in IDM 6.0
Hi
I was trying to run risk analysis report to detect deleted users in Red hat linux. I was not sure what report to run. I tried various things like user report, resource accoutn report etc. However these reports gave the the list of users deleted in IDM but not the resource. Can i somehow create a customized report to do this?
Any help regarding this matter is appreciated
Thanks
ManHi,
Please check following path in easy access
1) Accounting ->Controlling -> Product Cost Controlling ->Product Cost Planning ->Information System
2) Accounting ->Financial Accounting ->Fixed Assets ->Information System
Best Regards,
Madhu -
Risk Analysis mandatory before approvation?
Referring to this discussion: How to switch on mandatory risk analysis in Business Role Management?
I'd like to propose another scenario.
Now Risk Analysis is before profile generation and it is correct in this way.
But also Risk Analysis must be mandatory in that step (before approvation) and NOT ONLY during profile generation.
Is it possible to setup a "specific" configuration in this way?
Thanks.
EttoreHi Ettore,
you need to Create deterrent Methodology.in Access Control > Role Management> Define Methodology Process and Steps >
Example Methodology 1 for only steps sequence 1,3,4,5 (With Risk Analysis) and
other Methodology 2 for only steps 1,2,3,5 (Without Risk Analysis)
Now Assign those Methodology in Access Control > Role Management> Associate Methodology Process to condition Group.
Now call those condition group name from BRF+ decision table.
Thanks, Arif
Maybe you are looking for
-
Shuffle locks up computer while syncing
I have a shuffle. Never had an issue till the other day I tried to sync it. It opens I tunes but it then locks up the computer. I have an I phone and two I pads no problems with them syncing.
-
The toolbar in the adobe app that allows you to choose the brightness level and the page layout doesn't hide. Because of that, i of course am unable to read the top part of the page. I cannot find anything in the settings that will make it go away. W
-
ISE PSN node won't join cluster
Hi All, Has anyone seen an issue where a PSN can't join the cluster ? We join PSN Node -Node is registered sucessfully (sync in progress) - 1hr later - Replication to node failed. - Replication Sync failed due to Secondary Database is down I have a c
-
Both my iPad 4 and MacBook Pro are affected - if I turn off JavaScript the problem goes but then I can't access gmail etc. I have deleted all cookies and web data and it keeps coming back. Words are highlighted green and annoying little pop up ads.
-
Maximum number of lines / text in a cell
I am compiling information in a spreadsheet. One column is for URLs. I'm entering multiple URLs (i.e. www.webiste.com) in the same cell. In order to go the next line (from within the same cell), I press "Option-Return" and type the next line of text