Role Based Risk Analysis Report

Hello All,
When I executed the Risk Analysis report for a role with SOD Risk Level = ALL and Report type = SOD at Authorization Object level, the results come back as "NO CONFLICT FOUND".  this is the correct response.
However, I executed the Risk Analysis report for the same role with SOD Risk Level = HIGH and Report type = SOD at Authorization Object level, the results come back SOD conflicts based on the conflicting transactions.  Is there a bug with analyzing roles using this option?
Also, when I click on the Detail Report button, I received object data that does not appear correct.
Please Help.  Thanks.
Edited by: Michael Johnson on Apr 8, 2009 8:54 PM

Hi Babiji,
Are you using any specific tools for SOD's? If you are using GRC tool, then it can be done using compliance calibrator Role level Risk analysis.In addition to what Sneha has said,
To find out the conflicting roles in CC version 5.2 the path is INFORMER->Risk Analysis->Role level.In Virsa 4.0 you have the option of carrying out risk anaysis at role level by executing the t-code /N/VIRSA/ZVRAT.
In section Analysis type, choose Roles and enter the list of roles.
In section SOD Risk level, choose the appropriate risk.
Then choose the appropriate report type and report format before executing it.
This will display all the roles with the levels of risk associated with it and then you can mitigate these as per your organizational policies & procedures.
Thanks,
Saby..

Similar Messages

  • GRC_10 Risk Analysis Report

    Hi,
    i should extend the risk analysis report with more details from diffrent tables, they hold special role details.
    I havent found an idea how to do this.
    Could i extend the standard report for risk analysis with more columns?
    Is there something like user.exits or enhancement-points?
    thank you very much indeed
    best regards
    Alex

    Hi Alex,
    did you have a chance to look at standard SAP Help information about different types of reports and information available?
    If not yet -please take a look at:
    Risk Analysis Reports - SAP GRC Access Control - SAP Library
    What exactly information you would like to add to reports?
    Standard reports can by customized by adding some additional fields which are hidden in standard view.
    There is also an option to add custom fields and data,
    Lets us know,
    Filip

  • Ad hoc Risk Analysis report is returning incorrect Risk Level for some Risks

    We are running GRC AC 10.0 with SP 16.  After application of Support Pack 16, some of our ad hoc risk analysis reports are returning incorrect risk levels.  For example:  Risk F024 Open closed periods and inappropriately post currency or tax entries is set as High.  When the Ad hoc report is run, the risk F024 will show on a user with a level of Medium.  We have generated our ruleset and have followed the normal procedures used to implement the support pack.  Any ideas what is causing this issue?  I have exhausted my knowledge and search attempts.
    Any help is appreciated.
    Sara B.

    Hi Kevin
    Many thanks for your post, we did run a full BRA but no luck unfortunately. Some Risks still reporting as Medium when they should be Critical or High. Oddly it is reporting correctly against some risks just not for all!
    Cheers
    Hussain

  • Issue with risk analysis report in GRC10.0

    Hi All,
    We are running the user risk analysis report from NWBC: Reports and Analytics -> Access Risk Analysis Reports -> User Risk Violation report.
    This report is not fetching all the data even though user has all the required authorizations.
    We are getting the data when we execute the dashboard reports.
    Any one has idea?
    Cheers
    Hari

    Alessandro,
    Thanks for the reply. I am aware of this.
    Problem is when dash board report is showing the risk for the user but risk anaylsis report in Reports and Analytics is not showing the risks to that user.
    As per our investigation, the risk data that is displaying in the risk anaylsis report in Reports and Analytics is incomplete. We didn't find any errors in SLG1. Also there is no issues from authorizations side.
    Regards
    Hari

  • Risk analysis Report Error in GRC AC 10.0

    Dear GRC,
    I had problem with Risk analysis Report in GRC Access Request form
    When i run the Risk analysis report on Action Level , Permission Level , Critical Action Level and Critical Permission Level then report showing as "No Violations" but if i run the Risk analysis report only on Critical Action Level and Critical Permission Level then report showing too many Violations.
    I maintained Action Level , Permission Level , Critical Action Level and Critical Permission Level as default risk analysis type in SPRO Configuration Parameters settings.
    i am not understanding why system behaves like this. Could you please help me on this.
    System Details : GRC AC 10.0 , SP-12
    Thanks a lot for swift response.
    Best Regards,
    RK

    Hi GRC Team,
    Please help me on this. I am waiting for your replay.
    Regards,
    KR

  • Risk analysis reports in IDM 6.0

    Hi
    I was trying to run risk analysis report to detect deleted users in Red hat linux. I was not sure what report to run. I tried various things like user report, resource accoutn report etc. However these reports gave the the list of users deleted in IDM but not the resource. Can i somehow create a customized report to do this?
    Any help regarding this matter is appreciated
    Thanks
    Man

    Hi,
    Please check following path in easy access
    1) Accounting ->Controlling -> Product Cost Controlling ->Product Cost Planning ->Information System
    2) Accounting ->Financial Accounting ->Fixed Assets ->Information System
    Best Regards,
    Madhu

  • Risk Analysis Reports Format

    Hello Experts,
    What is main difference between Risk Analysis Report Formats ....
    Summary
    Detail
    Management Summary
    Executive Summary
    Please explain in depth and which scenarios we are using these reports. Please give a one business example.
    Regards,
    Babu

    Dear Babu,
    trying to help you.
    Summary: gives you an overview of conflicts on action level. Can be used to discuss with business what is causing the risk.
    Detail: gives you an overview of conflicts on authorization level. Can be used to analyze how a conflict can be removed.
    Management summary: gives you an overview of risks on user level. Can be used to report how many risks are currently in the system on user level. E.g. userA has 3 risks, userB has 2 risks, etc.
    Executive Summary: gives you an overview of risks on risk level. Can be used to have a general overview of applicable risks in the system. E.g. riskA has no conflicts, riskB has 7 conflicts, etc.
    Best if you just analyze and you will see the differences. If you have a particular question do not hesitate to contact us.
    Regards,
    Alessandro

  • Does "Access Enforcer" only support "role" based SOD analyse?

    Hi Expert,
    In the demo script, when the user create the "Access Request Form", he can choose the "Role" he wanted from "Select roles" list, I'm just wondering whether each role here is corresponding to the role in the backend system? for example,
    If I choose role "Z_AP_ACCOUNTANT" actualy at that time there is a role called "Z_AP_ACCOUNTANT" already in the backend system if the system is a SAP ECC system.
    Another question is, if so, does that mean it can only support "Role" based SOD analyse? as you know, each role may contain several "authorization objects", can it be done from "authorization object" level?
    Thanks and best regards.

    Hi,
    The Roles are normally determined based on the SOD.Using T/code:PFCG the roles are mapped to the system.These Roles are common to all the system,regardless of R3,Virsa etc.
    The roles also can be determined without SOD [but this is not recommended.].
    The SOD is only to ensure that there exist no internal control weaknesses while creating the Roles at an organizational level.Thus it is only an excercise outside the System,be it SAP,Virsa or else.
    At the system level we map only the roles [ using :PFCG].We dont map SOD here.So,SOD or No SOD,the system supports the Roles.
    Hope this helps.
    Regards,
    Ramesh.

  • AC 5.3 RAR - combined risk analysis reports for regular auth. and SPM auth.

    Dear All,
    we have users that have regular day-today authorization and also FF authorization.
    Does the Batch Risk Analysis takes into account both authorizations when doing the risk analysis for those users ? will we see it in the reports ?
    Thanks
    Yudit

    ok, so basically the answer is no, in the RAR components we do not have risk analysis for the combinations of the roles assigned to the user and to his FF ID.
    in that case, at what stage does the system checks for those combined risks ?
    is it checked when we manage the risk analysis phase in the CUP request that is asking to assign the FF ID to the user ?
    thanks
    Yudit

  • ARA: "[P/G]" symbol in Risk Analysis Report???

    Hi,
    I have noticed a peculiar symbol in Access Risk analysis while performing permission level analysis. The symbol is "[P/G]<TCODE>".
    I have not this before. Any idea why this is coming and how I can resolve this?
    Please see the screenshot for the same.
    Recently, our target system is upgraded. I am sure if this is coming because of that. Earlier, it was working fine.
    Also, system is showing unknown risks violations for roles and all of them are preceded by "[P/G]" symbol.
    Please advise.
    Regards,
    Faisal

    Alessandro,
    Thanks for your reply.
    Yes, these actions are assigned to functions.
    Secondly, I re-generated the rules and the result is same. Also, I used
    our quality system (upgrade is not done yet) and analyzed the same role and it gave expected results!
    I am using same GRC system but different target systems. ERP Development system is causing problem where as ERP Quality system is not.
    Based upon my analysis, I see some problem with our ERP development system which is not showing appropriate results. But not sure what to do.
    Any help please?
    Regards,
    Faisal

  • GRC AC 10 (BRM) Risk Analysis Report type is editable

    Hi,
    In  GRC10 – BRM  Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile” is editable.
    When i start to create a role in the Risk Analysis step, Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But exist the option to deselect "Permission Level". 
    As you can Permission level is always selected and not editable?
    Regards

    Hi,
    I guess Cristian mentions attached BRM screen. I have same issue; how to change default values of report type in BRM like parameter 1023 changes in access request.
    Also, if we change default value of check box, Cristian can set non-editable fields through SE80.

  • GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job

    All -
    We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
    The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
    For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
    We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in this groups that have other roles in addition to these excluded roles that need to be checked.
    Does anyone have any recommendations for how to excluded roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
    Thanks,
    Darnell

    Hi,
    Was a solution found for this error?
    Thanks,
    Glen

  • Can you download RAR Risk Analysis reports to something other than Excel?

    When you run a RAR Risk Analysis and go to export the resulting reports, RAR automatically exports this into an Excel spreadsheet.
    Is it possible to export the reports into some other kind of format/tool?  (SQL would be ideal.)
    We are on GRC 5.3 SP13.
    Thanks.

    Our CMG group runs a company-wide risk analysis 2-3 times a year to use in their SOD Review process.  We are looking into loading this report into QuickView to give them more capabilities with using the report.  QV will work with Excel, but you have to load every spreadsheet and every page separately. 
    We are looking to see if we could download it into some other format that would contain all of the report in just one file.  Would make the QV load easier.  Something like SQL would probably be ideal.
    Thanks.

  • GRC Risk analysis reports are not checking all possible risk conflicts set up in the rule set that lead to risks.

    Dear All,
    After running the risk analysis it shows only the first conflict for a risk in the rule set (Rule ID 0001). We have already Generated SOD ruleset. Also during migration from 5.3 to AC10.1 all the rulesets were imported properly.
    What could be reason??
    Thanks for your help.
    Regards,
    Abhisshek

    Abhisshek,
    there is already a thread with the same question:  Dear all I only get result for one rule id and not with others what should be an issue?
    Regards,
    Alessandro

  • Org Rule anlaysis when performing mitigation from risk analysis report do not mitigate the user from management summary report message!

    Hi,
    When in the User Level>Mitigation screen this comment appears  (*). When taking the path to  ‘summary’(a) or ‘detail’ (b) doesn't change when we select the button  MITIGATE RISK (**).  What was the intent of the below message?
    What is the intent of the message ?

    Hi Pranjal,
    please see note: http://service.sap.com/sap/support/notes/1972382
    Regards,
    Alessandro

Maybe you are looking for

  • I would like to add a new Canon camera profile to the RAW interface

    Hi,  I would like to add a new Canon camera profile to the RAW interface. I have recently installed the new camera profile 'Studio Portrait' which i download from here: http://www.canon.co.jp/imaging/picturestyle/file/studio-portrait.html When I open

  • Payment term new field

    Hi my client want 4 fields in payment term.but we have only 3 fields.could you tell me the procedure for creation of new field. please help me .

  • Setting up a transition by using Fade, Move, RemoveAction and AddAction

    Hi, I've been working on a transition for a few days now but I can't seem to get it to animate how I envisioned it. I'm pretty new at Flex so I decided to check with you guys here just to see if I'm approaching the issue from the right angle. After f

  • Captions in Lightbox Slideshow Widget

    The metadata in my files have both a Title and a Caption, yet when i Add Images to the Lightbox Slideshow Widget, I am stuck with Lorem Ipsum on every photo. Do I have to add the Captions manually for every image?!

  • Watchguard XTM 515 SNMP not working

    Mine scan fine, and I have a mix of models including a 535. Here's how you set them up. In your snmp setup in policy manager, use version 3. Lets go with a snmp username of watchguardv3. Select SHA1 and DES. For all 4 password boxes, use the same pas