Risk Violation at User level in SAP

Similar Messages

• Running Risk analysis at User Level(CC)

  Hi
  Please Clear my query, wat is the difference between running the risk analysis at userlevel Violation count by Risk and Violation count by Permission.
  violation count by Permission, the total number of violations are 377,569.
  Violation count by Risk,the total number of violations are 11,716.
  Thanks & Regards

  Hi Karuna,
  When you perform Risk Analysis at User level and choose violation count by Permission/Risk. Here are the details of each analysis:
  1. Violation Count by Risk
  This analysis will display the count of how many SOD risks associated with the users existing in each business process like FI, HR, MM, PR, SD.
  It will display as a bar graph or pie chart. If you choose each of the business processes and drill down to the particular SOD risk,P001 then you can display how many users have that risk, P001
  2. Violation Count by Permission
  This analysis will display the count of SOD violations at the action/permission level associated with the users existing in each business process.
  If you choose the conflicting functions inside each SOD risk, and then expand on the permission tab you will understand why the huge number of violations it is showing.
  In the Risk information screen, in Conflicting Functions, click the AP02 u2013 Process Vendor Invoices link to display the SAP transaction codes and the authorization objects. There are 26 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values u2013 all come preconfigured out of the box.
  Choose the Permission tab. Expand Action F-42. Open an authorization object to show field values. By looking at all possible permutations of actions/permissions of one business function with all actions/permissions of the second business function, you can understand how the system arrives at the number of violations.
  Hope this will help you understand better.
  Regards,
  Kiran Kandepalli.

• Error while performing Risk Analysis at user level for a cross system user

  Dear All,
  I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
  The error is as follows:
  "ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
  Can anyone please help.
  Regards,
  Gurugobinda

  Hi..
  Check the note # SAP Note 1121978
  SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
  Check for the following...
  CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
  ChangeThreadCountStep =50
  InitialThreadCount= 100
  MaxThreadCount =200
  MinThreadCount =50
  Regards
  Gangadhar

• Management report doesnt show violations at user level.

  Dear all,
  I have a problem that the management report in 5.3 SP04 doesnt show violations at user level. At role level it works fine.
  I've tried full sync and generated a new management report. The problem remains.
  No. of Users Analyzed 859
  Users with no Violations 859 100%
  Users with Violations 0 0%
  Number of Roles Analyzed 2,986
  Roles with no Violations 2,510 84%
  Roles with Violations 476 16%

  Hi Vit,
    Follow both the notes mentioned by Sahad. Check the data in virsa_cc_prmvl table. Run the following script and see if you can see any data:
  select * from virsa_cc_prmvl where genobjtp=1
  If you don't have any data then there was some issue with user analysis so you will have to run the analysis again. If there is data then run the management report again and you should see the data.
  Regards,
  Alpesh

• CC: Risk Resolution at user level.

  HI All,
  In CC 5.2 with latest patch level, I am facing an issue in Risk Resolution. When I do the Risk analysis at user level for a particular user and then do a detail Report and then try to do the risk resolution; there are standard three options:
  1. Mitigate.
  2. Remove Access.
  3. Delimit Access.
  from the user. Out of these three, the first one is working fine, but second and third are greyed out and I can not proceed with option 2&3. Have any one of you come accross such a situation or have any clues about the same. Also, my user has Admin rights to all the actions in the Admin role provided to me.
  Thanks a lot in advance.
  Have a nice day!!
  Regards,
  Hersh

  Hello Hersh,
  This functionality is not available in 5.2.
  Regards,
  Jagat
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:16 PM
  Edited by: Jagat Bir Singh on Jul 31, 2008 3:17 PM
  Edited by: Jagat Bir Singh on Aug 1, 2008 6:52 AM

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• Common problems on User Level for SAP Support

  We are working on an RFP for SAP support. The client is having an existing helpdesk where key users or super users try to resolve the issues. If the same are not resolved at this level, these issues are escalated to Level-2 ‘Q’ which is specific to the SAP functionality and / or component. For identifying the correct functionality and / or SAP component, scripts are to be used so that the issue gets escalated to the right ‘Q’.
  We are looking for a list of common problems that occur at the User level so that the same may be translated into a hierarchical model for logging on the user requests to the relevant support ‘Q’. Anybody having worked on a similar proposal or having any insight on the subject, may please contact me.

  Hi,
  It sounds like you hit the wrong forum?!
  This is the Forum for questions around the SAP Business One SDK!
  Please give it one more try to find the right one!
  Thanks & sorry,
  Frank

• User/Profile Risk Violation Report table is empty

  Dear community,
  I am struggeling to find the solution for a quite simple problem: the user and profile risk violation report tables show no results (are empty). And this, although the associated tables (in the backend) contain entries for the same selection criteria (eg. GRACPROFILEACTVL etc.). What could be the reason for that? I started again the batch risk analysis very carefully (manually) on User and Profile Level, for the correct rule set and the correct system, it completed successfully, but I still can't see any results (not even a message like "No violations" or something). As an example, I took the profile SAP_ALL for a target system, which should obviously return a lot of risks/violations.
  I have also checked that this is not an authorization issue. To be more precise, actually, this functionality is working fine on the development and UAT GRC system, but not in production.
  Any help is highly appreciated. Thanks in advance.

  Hi Erik,
  The problem you are facing with only due to the SoD rule sets, which are in active as you might not have generated in Production system
  Generate the SoD rule sets, run the jobs and then run the risks reports, you will get the results as expected.
  Regards,
  Ameet

• Inconsistency Data between Role Level & User Level Risk Analysis

  Hi,
  When we run Role Level Risk Analysis for a role (Ex: XYZ), there is no SOD conflicts. But when we try to run the user level analysis, this role shows SOD conflicts. I mean, XYZ is assigned with other roles. Combination of other roles access may bring SOD conflict, thats fine, but here the challenge is role XYZ itself has SOD conflicts. The same does not appear when we run Role Level Risk Analysis!!
  How could this happen??
  Thanks,
  Karthik

  Hi Karthik,
  The role might be mitigated at role level.
  In RAR Anayze tool, click -More options to expand the selection options
  Chose "Exclude Mitigated Risks: No"

• GRC 10.1 SP06 - ARA shows no violations at permission Level

  Hi Guys,
  We've just installed SP06 and we came across the issue described in the title of the discussion.
  Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully ( I've checked in the NWBC that the permissions appear after the risk generation and also I've checked some tables like GRACSYSRULE and GRACACTRULE and risks appear there).
  Risk analysis seem to work fine at action level but we don't have violations at permission level even when we now that user should have violations (for example a user with SAP_ALL). for some cases some risks seem to appear at permission level but only with the object S_TCODE.
  Just to discard problems with the connector we've created a Legacy connector, upload the files and ran the synch. The analysis at permission level still show "no violations". We tested with THE SAME files and ruleset in a system with SP05 and it worked as expected showing violations at permission level.
  Does anyone faced a similar issue? can you give me some light in order to solve the issue?
  Many Thanks!
  Diego.

  Hi!
  We still don't have a SAP official response but we think that the error is because of the note:
  2014811 - Risk Analysis Dump in case of huge data
  That we've implemented some days ago as part of the advance corrections of SP07.
  The error seems to be related to the following class:
  But there are many changes related to such note...So we're not sure about the exact details.
  We DE-implemented the note mentioned above and after that the analysis at permission level worked as expected.
  Hope to have a SAP response soon, but meanwhile I do not recommend to implement such note.
  Thanks!
  Diego.

• Issue in User Level Simulation in GRC 10.0

  Hello Every one,
  Before i Jump into the question, please find below the screen shot which tells about the B.P(Business process),Functions created in test system(GRC 10.0), where as the roles and corresponding users which have been created in back end system connecting to GRC 10.0.
  Now when i am trying to run a risk analysis on user TEST_RISK(TEST_ROLE_RISK role is assigned and pfa the authorizations in the role), i will be shown the Risk R001.
  Now i am trying to run user Level Simulation on the above user TEST_RISK and i am trying to simulate by adding a new role TEST_ROLE_RISK3 as shown in the below screenshot at Action level,Permission Level,Critical Action level ,Critical permission level.
  Even though i select the option, Risk from Simulation only, when i try to execute at action level , it is also showing me the risk which coming from the actual role assigned but not from the simulating one.
  Thanks and Regards,
  Naga.

  Hi Naga,
  there are some notes which might help to fix the problem. Especially the first might fix your problem.
  http://service.sap.com/sap/support/notes/1895502
  http://service.sap.com/sap/support/notes/1953347
  Please let us know if it helped.
  Regards,
  Alessandro

• Issue with Total Number of SODs at user level.

  Friends,
  Quick question -
  We are using GRC 5.3 Production on NT 20003 server. and back end systems are ECC 6.0
  1.We added the Additional Role to one of the business users in ECC 6.0
  2.We ran the FULL synch after adding this role in backend.
  Issue : The total number of SODs did not change for users, even though the SODs for this business users did increase about 300.
  Locations of Screen
  Informer Tab ->> Risk Violoations.
  Analysis Type -> Users
  Does anyone has any idea how this numbers get interpreted?
  The Total number of Violations for permission should increase, if user level SOD gets increased, as per our understanding.
  PT

  It should be in below sequence -
  1. Full or incremental sync for user/role/profile
  2. Full or incremental batch risk analysis for role/user/profile
  3. Management report
  The view you see is management report, which is based upon above jobs. FIrst jobs does high level sync like user/role/profile addition/deletion etc. Second job actually does risk analysis. Third one fills up the management view. If your batch risk analysis was run on  Aug 30 aug 10 and management report after completion of the same, the report will show the same data till you run these jobs again even there are many changes in backend authorization.
  Hope it clarifies your query.
  Regards,
  Sabita

• ARQ: How to Specify specific system in "System" Field in "Risk Violations" Tab in Access Request???

  Hi,
  I would like restrict users from selection systems from the drop down in "Risk Violations" Tab. In order to achieve this, I opened  GRAC_OIF_RQUEST_SUBMISSION" application in Admin mode and disabled. As a result, this field is disabled. But this is blank. I am unable to maintain any value in it. I tried to select a value from the drop down and then disabling the field. I saved with the selected value. But later when Access Request application accessed, it is again showed blank.
  However, when a user performs risk analysis, application still performs for all the connectors!
  user is authorized to perform risk analysis for specific connector (controlled using GRAC_SYS object). But not sure where from application is picking up different connectors?
  Secondly, I also noticed that this "System" drop down has multiple entries in it along with "ALL". I dont have any clue where these values are coming from!
  Can anybody help me in understanding and addressing this?
  Also, may I know how other are tackling this? I mean, is "System" drop down disabled with specific value as default or enabled with ONLY specific value?
  Please advise.
  Regards,
  Faisal

  Hi Faishal,
  I went through the challenge you have described. On top of mentioned issues - do you know that if a user select a system (has requested a role for it) but you have no sod rule book defined for it - grc will identify no sod risks for request and will mark all roles (even those for other systems for which rulebook is defined) as 'green' on access approver screen. The expected behavior would be only selected role would be marked as green and others would be still red. We have tried also with option 'ALL' however results provided in our case were not accurate (we did recons to single systems)
  This strange system behavior (SP14) was reported to SAP. In this case if you have path defined for SoD detour - system will not go on detour as there is no risk defined.
  What we did -was we setup a fix value in this field (our production system with rulebook) an put this system as parameter TVARV (system depended) and using the value of this parameter we fixed the system against which the analysis are executed.
  Filip

• Risk Violation Data Not found

  Dear Expert,
  We are facing the problem  where we are not getting data from ""Risk Violations by Process"
  after compliting the batch risk analysis job successfully.
  Thing is happening when we  check Management Report View : See the following steps I have done properly :Select  informer tab --> Management View --> Risk Violation
  Month Year : 02/2009
  System: ECQCLNT360
  Analysis Type : Role 
  Clieck On Go
  Got the result from "RISK VIOLATION BY PROCESS"
  Z_Production Planning 22,339 16%
  Z_Finance 4,493 3%
  Z_Quality Management 39,988 28%
  Z_Controlling 418 0%
  Z_Project Systems 4,610 3%
  Z_Order to Cash 12,570 9%
  Z_Plant Maintenance 19,548 14%
  Z_Procure to Pay 39,519 27%
  Now the problem is that according to result we are getting the violation report also is in a Graphical Mode, and if I click on this graph it has  been showing the result "No match nor conflict found" with respect of "Risk Violations by Process". But the graphical data has come properly and we got the successfull result in other case exccept  via "Risk Violations by Process".
  But when we have checked from the DB level we found DATA is already exist into table.
  We ran bellow mention SQL Statement successfully and got proper result
  SELECT MIN(S.YEARMONTH) AS YEARMONTH, MIN(S.VIOLTYPE) AS VIOLTYPE,
  MIN(S.VSYSKEY) AS VSYSKEY, S.ANLTYPE, MIN(S.USERGROUP)
  AS USERGROUP, S.RISKID, MIN(S.BZPRCID) AS BZPRCID, MIN(S.RISKLEVEL)
  AS RISKLEVEL, SUM(S.RISKCOUNT) AS RISKCOUNT,
  R.DESCN AS RISKDESC, B.DESCN AS BZPRCDESC
  FROM SAPSR3DB.VIRSA_CC_MGRISKS S LEFT OUTER JOIN
  SAPSR3DB.VIRSA_CC_RISKT R ON R.LANG = 'EN' AND S.RISKID = R.RISKID
  LEFT OUTER JOIN
  SAPSR3DB.VIRSA_CC_BUSPRCT B ON B.LANG = 'EN' AND S.BZPRCID = B.BZPRCID
  WHERE (S.YEARMONTH LIKE '200901') AND (S.VIOLTYPE = 'PERMISSION')
  AND (S.VSYSKEY LIKE 'ECQCLNT360') AND (S.ANLTYPE = 2)
  GROUP BY S.ANLTYPE, S.RISKID, R.DESCN, B.DESCN
  ORDER BY S.RISKID
  But Anotther issue matter is that if I change User Account English to German from User Management Engine then I have got the data from RAR, again if I turn it back English again getting the same pprobs.
  Whay does it happening. any one is there have experienced with the same issue. Pleas let me know the solution.
  Thanks & Regards
  Pavel Das
  PwC - India
  +919874886293
  Edited by: Pavel Das on Feb 9, 2009 7:57 AM
  Edited by: Pavel Das on Feb 9, 2009 8:03 AM

  Hello Pavel,
  Management report save detail data for only one month, which is the latest one.
  Apart from that can you confirm if you had not run any delete script to remove any Connector (System).
  Regards,
  Surpreet Singh Bal

• Make all the forms at a user level or responsibility level to be read only

  Hi,
  Please suggest me to make all the forms at a user level or responsibility level to be read only. So that when a particular user logs in, he gets all the form in read only mode or at a particular responsibility all the forms are read only so that we can attach this responsibility to the user for the same purpose.
  Any ideas will be highly appreciated.

  check this blog,
  http://www.oracleappshub.com/11i/oracleapps-responsibility-vs-sap-functions/
  Re: How to change OM responsibility as read-only in oracle applications 11i
  read only responsibility-user