SoD Review
Hi.
I have problems while generating SoD-Review-requests.
No requests are generated, although I have made all changes as mentioned in the ConfigGuide.
Any ideas?
Thanks.
Alexa,
Can you please provide the list of rule files you had uploaded?
What are the values in table VIRSA_CC_RISK*?
Regards,
Surpreet
Similar Messages
-
SAP GRC 10.0 - SOD REVIEW
Dear All,
We are having a doubt related to the SoD review process available in GRC. Let us send you a couple of questions:
We guess that the SOD review performs an analysis over the whole users at the target system. Is that correct? Or is it just limited to the users requested by the Access Request menu, that is to say, to the users created/modified through GRC?
If we generate the data once, the tasks are sent to the reviewers. If we generate the data again, just one minute later, will the same users be sent to the reviewer to be reviewed?
Thanks in advance!!!!!!
Jebeni,
We haven't done any SOD review, but from the user access review my experience is that:
1. You should have an option to include a set of users for whom the review should be done, i.e. only dialog.
2. Yes, it will resend if you re-run the job again.
We will wait to know more from the experts. -
Dear Forum goers,
It has been a long time coming, but we just released the SoD Review Guide on BPX.
You can find it here:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f01947f3-80d6-2c10-36a6-d4dad7cf1649?quicklink=index&overridelayout=true
Thanks!
Ankur
SAP GRC RIG
Alpesh,
To answer your questions,
Page 17: 1. Admin
Changes are not accepted from 'Track Changes' feature of Word. The changes still show up in 'RED'.
I do not understand this response. The document looks fine to me on Page 17.
Page 20: Lock, Forward To Next Stage:
Is "Lock, Forward To Next Stage" same as "Deactivate; Forward To Next Stage" or the users are only locked in "Lock, Forward To Next Stage"?
Yes, you are correct, the users are only locked in "Lock, Forward to Next Stage." "Deactivate, Forward To Next Stage" sets the User assignment to the current date.
Page 43: Are the links for config guide etc. under Related Content supposed to work?
We submit our documents to BPX as a word document, and then they convert it to PDF, so the links do not work after the conversion is done. If you are interested in a link, let me know, and I will point you to the correct place.
Thanks!
Ankur
SAP GRC RIG -
MSMP Work flow in GRC 10.0
Hi Experts,
I have a work flow requirement and would appreciate it if you guys can please help me here. The actual requirement is to design a CUP Workflow and if there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If there is no SOD issue found, the workflow should end. The requirement is to configure the access request so that the end goal of the work flow is just facilitation of an SOD review. There would be no actual provisioning of users at the end of the path.
I am wondering if this work flow can be initiated with a function module based rule or if I would have to create a BRF Rule for this. As per my understanding the flow should be Start > Access Request > SoD Analysis done > If SoD, go to Central team, otherwise end > Central team will decide on the assignment of SoD Resolution > This team will either assign MC or won't approve the Role assignment > In both cases the work flow ends and the request is closed.
Would really appreciate it if you guys can assist me as I am new to work flow and this is one of the project deliverables. Thanks for your valuable time and help.
Vikas
Hi Ashish,
Thanks for your time. Let me explain my requirement to you; I would really appreciate it if you have some inputs here which would help me to design this.
The actual client requirement is to design a CUP Workflow and if there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If this group decides to apply mitigating controls to the issues, the workflow must then go to the compliance group for them to review for appropriateness. The requirement is to do a SoD analysis for every role change/add request, so that this group takes the appropriate action based on the SoD Analysis. For all my CUP requests raised, I want the system to do a SoD analysis and let this group know whenever there is a SoD found, or just end the workflow if there is no risk.
I am aware of the Risk analysis process for GRC 10.0, however I want it to happen as a part of this work flow requirement.
The requirement is to configure the access request work flow so that the end goal of the work flow is just facilitation of an SOD review. I hope I was able to explain my requirement. Thanks again for your help.
Your valuable guidance would be really appreciated.
Vikas -
Multiple Rule Sets in GRC 10.0 for one System
Hi All,
We do have 2 different companies working on one system and by that 2 different rule sets that are applicable.
Due to that we are facing different problems we don't know how to solve yet, but let's start with the first one dealing with the rule set that should be used in the access request.
We want to determine which rule set should be used over the requested role (e.g. if role name contains 0001 use rule set 0001, if role name contains 0002 use rule set 0002).
We have already tried several different scenarios in BRF+ without success.
Does anybody have a solution or at least an idea for this topic?
Thank you all very much in advance!
Eva -
GRC 10 Work Inbox Notification or Universal Work List instead of SMTP
Hi,
I wanted to check with you all if there is a possibility to get SAP internal Work Inbox or UWL notification instead of outlook/SMTP notification.
The scenarios this will be required for us are
1. User ID details communication at the end of the request.
2. Notification if access is approved/ rejected.
3. Notification for Firefighter approved or rejected.
4. BRM role approval notification
Kindly let me know if we can pull the notification from Outlook/SMTP to internal SAP Mailbox.
Regards,
Prasad Chaudhari
Hi Guru,
If I am not wrong the items mentioned send notification to outlook/smtp and not work inbox. The work inbox will get request for approval and uar/sod review.
Are you talking of some parameter/settings to change this behaviour?
Thanks,
Prasad Chaudhari -
Creating Mitigation Control from CUP
Hi Guys,
Is this feature implemented in Access Control???? Or still as enhancement
Hi Alpesh
In order to your answer... Can you help me to identify what I am doing wrong when I want to approve a mitigating control in CUP.
Path 1 : Approve request
Stage 1: Request
Stage 2: Security
Stage 3: Role Owner
Detour Path:
Type: CUP
Stage: Role Owner
Condition: SoD Review
Detour Path: Path 2
Path 2:
Stage 1: Approval -- > CAD : Mitigation Monitor
The request is sent to the Mitigation Monitor, but when we try to approve the request it shows the following error:
2010-03-30 14:10:26,390 [SAPEngine_Application_Thread[impl:3]_25] ERROR Mitigation control TEST_5.1 could not be saved for user PRUEBAGRC_6
com.virsa.ae.core.BOException: Exception from the service : Mitigation record doesn't exist
at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:207)
at com.virsa.ae.accessrequests.bo.MitigationControlBO.saveMitigationControls(MitigationControlBO.java:321)
at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:6993)
at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:6748)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6600)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6393)
at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:949)
at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:104)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Caused by: com.virsa.ae.service.ServiceException: Exception from the service : Mitigation record doesn't exist
at com.virsa.ae.service.sap.MitigationControlWS52DAO.checkForSuccess(MitigationControlWS52DAO.java:832)
at com.virsa.ae.service.sap.MitigationControlWS52DAO.executeUpdateUserMitigation(MitigationControlWS52DAO.java:287)
at com.virsa.ae.service.sap.MitigationControlWS52DAO.insertUserMitigation(MitigationControlWS52DAO.java:309)
at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:195)
Can you help me please?? All URI are OK.
Thanks !!!!
Edited by: Karen_sans on Mar 31, 2010 7:45 PM -
RAR: Alerts tables understanding
Hi,
After running alert generation role specifying just critical actions flag and a specific risk that includes a few transactions we have identified that the following tables are containing data:
VIRSA_CC_ALLASTRUN: Dates and time when alert generation job finished
VIRSA_CC_ALLISTHDR: Header data that is shown under alerts' reports.
VIRSA_CC_ALLISTDTL: Details for the alerts identified (in our case critical transactions)
VIRSA_CC_ALTCDLOG: Last time a user executed a transaction within the period alert generation was executed
VIRSA_CC_ACTUSAGE: All transactions executed by users (transactions are shown several times but differs on time) within the period alert generation was executed
Our questions:
1) When and where tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are used within SAP GRC AC?
2) Since we are executing alert generation job on a daily basis, tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are increasing very fast. Which is the best practice and process to manage this information? Is deletion performed? Is archiving performed?
Many thanks in advance. Kind regards,
Imanol
Hello Imanol!
I've never heard of deleting Alerts per se, but you can delete the Action Usage that is used to generate the alerts. In RAR, go to: Configuration --> Utilities --> Purge Action Usage.
I've never used the functionality yet, but my assumption is that deleting the action usage would also impact the alerts and might possibly delete them too. There is some good information about positive/negative impact in the Configuration Guide "AC53_CG_Final_en_Aug_2010.pdf" on page 64.
Per your original question, if I understood correctly, the collected action usage is used a lot in AC. The following reports make use of Action Usage:
1. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by Role & Profile
2. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
3. ERM --> Informer --> Transaction Usage
The third report is my favorite since it collects usage counts, which really helps for role re-engineering.
The UAR and SOD Review processes make use of action usage too.
-Dylan -
SAP GRC AC 5.3 integrated with BW
Hi all,
Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
Thanks in advance. Regards,
Imanol
Imanol,
There is documentation available for the integration. You can find that here:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
Also, there are numerous pre-delivered queries already developed. However, if you wish to develop your own reports, then you will need a BW resource to do so.
Pre-delivered queries:
For RAR:
Alert Detail Listing
Alert Header Listing
Critical Action Violations by User
Critical Role Viols Analysis with Long Portal IDs
Current User Permission Risk-Perm Violation Analysis Breakdowns
Current User Permission Risk Violation Analysis Breakdowns
Management Summary Total Listing
Mitigated Users Analysis
Risk Long Descriptions
Risk-Rule Set Relationship Listing
Role Permission Risk Violation Analysis
Role (Portals) Permission Risk Violation Analysis
Supplementary Rule Detail Listing
Supplementary Rule Header Listing
User Permission Risk Violation with Functions
User Permission Risk Violation with Remediation by User
User Permission Risk Violation with Remediation by User (Top 10)
User Permission Violation with Remediation by Risk
User Permission Violation with Remediation by Risk (Top 10)
For CUP:
Access Requests
Risk Violations
Role Provisioning
Service Levels
SOD Review
User Access Review
User Provisioning
Thanks!
Ankur
SAP GRC RIG -
Effort to upgrade from GRC 5.2 to GRC 5.3
Hi,
We're looking to begin an upgrade of GRC 5.2 to GRC 5.3 and I've been going through all of the upgrade documentation and the associated notes for the current GRC 5.3 version. I was wondering for those that have done this upgrade if you can tell me approximately how many hours it took to not only install but test and deploy. I'm starting to build the project plan and want to know what I'm going to be looking at from an effort standpoint.
Any help that can be provided is appreciated.
Thanks!
Elizabeth
Elizabeth,
It does not take much time to install and deploy, since you are only replacing the front-end application. If you have an experienced Basis person, then it should not take more than 1 day to install, and maybe 2 days for post-installation.
Breakdown (assumes best-case scenarios):
Replace 5.2 with 5.3 front-end: 1 day
Upgrade to 5.3 RTA's in target systems: 1 day
Post-install configuration: 2 days
Testing: will depend on customer and what functionalities they are using and want to use in AC5.3
AC5.3 possesses new functionality, like UAR/SoD Review. So if that needs to be configured, you will have to build that into your project plan. In addition, you will need to build your testing scenarios and that will depend on your customer/client.
Ankur
SAP GRC RIG -
Hi together,
I didn't find any config guide or input for the configuration of UserAccessReview UAR.
Can anybody mention the most important steps and jobs?
The RKT info is not that detailed.
Thanks,
Alexa
Hi Alexa,
I am not sure how much I'll be able to help you without proper documentation. I'll try my best.
Go to SPRO->GRC0->Access Control->Maintain Configuration settings. Please maintain these values as required.
Parm Group    ParmID    Parm value    Description
UAR Review    2004      011           Request Type for UAR
UAR Review    2005      004           Default Priority
UAR Review    2006      MANAGER       Who are the reviewers?
UAR Review    2007      YES           Admin. review required before sending tasks to reviewers
SOD Review    2016      010           Request Type for SoD
SOD Review    2018      RISK OWNER    Who are the reviewers?
SOD Review    2023      YES           Is actual removal of role allowed
Then go to SPRO->GRC0->Access Control->Workflow for Access Control->Maintain MSMP workflow. Customize the Process ID SAP_GRAC_USER_ACCESS_REVIEW. Maintain all the required details. Save and activate it. Now you are ready for review.
For issues follow the SAP Notes: Note 1620495 - GRC 10.0 UAR - Submission failure of request & 1620493 - GRC 10.0 UAR Background Job stuck
Don't forget to implement the note 1622281 after your configuration. Get back if you have any issues further.
All the very best
Regards,
Guru -
User Access Management(UAM) in SAP
What are the various options to perform UAM for SAP solutions from an external application? For example can we create Users, groups, assign roles etc within SAP?
1) Is webservice an option? If so, is it RESTful or SOAP based?
2) Is an RFC call available?
3) Can we use any other mechanism such as a BAPI wrapped with our own custom module exposed as an RFC?
I have looked at your screenshots, and am not too concerned with the MSMP settings yet as we are trying to first fix your Generation job.
I would enable the admin review in your setting to just see if all the necessary data is being generated, i.e. in case there are blank role owners for some roles, this could be causing an issue.
As for your criteria selection, ensure no blank fields were left in the selection made.
I would have a read of the following WIKI and see if any of the points mentioned are applicable. The first mistake made by many is to not perform the sync jobs in the correct order.
Troubleshooting UAR Request Generation - Governance, Risk and Compliance - SCN Wiki
From my memory, I know for SOD reviews "offline risk analysis" had to be enabled, but unsure if this is also necessary for UAR.
Also refer to the following general wiki User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki -
Can you download RAR Risk Analysis reports to something other than Excel?
When you run a RAR Risk Analysis and go to export the resulting reports, RAR automatically exports this into an Excel spreadsheet.
Is it possible to export the reports into some other kind of format/tool? (SQL would be ideal.)
We are on GRC 5.3 SP13.
Thanks.
Our CMG group runs a company-wide risk analysis 2-3 times a year to use in their SOD Review process. We are looking into loading this report into QuickView to give them more capabilities with using the report. QV will work with Excel, but you have to load every spreadsheet and every page separately.
We are looking to see if we could download it into some other format that would contain all of the report in just one file. Would make the QV load easier. Something like SQL would probably be ideal.
Thanks. -
Anyone know what these are used for??
Hi All,
I am putting together some documentation for a CUP implementation and I have come across three configuration options in CUP that I have no idea what they pertain to and I can't find any documentation on them.
1. What is the "SAP EP LDAP" connection type used for?
2. What are SOD Review Process Rejected and UAR Review Process Rejected background jobs used for?
About "What are SOD Review Process Rejected and UAR Review Process Rejected background jobs used for?", I just talked to an SAP person today who explained to me that this is a job your sec admin would run for example in a UAR review when a particular user in a request had been "rejected" (e.g. "this person doesn't work for me, so I need to reject him so he can get sent to the right mgr"). When the reviewer (mgr) rejects the user, then the admin figures out based on the reason (e.g. changed jobs, terminated, etc) what action to take. For instance it may be to cancel the request for termination. If the user has changed jobs, then the sec admin would need to go to the LDAP (or whatever source you use) to fix up the mgr<->employee relationship info, then run this "Process Rejected" job. The rejected user will then be put into a new request, and the rest of the original request can be processed by the 1st mgr. I haven't tried all this yet, but sounded reasonable to me...
-
Alert Generation, Control Monitoring
Hi,
I am trying to understand how the Alert Monitoring background jobs work. I understand that Alert monitoring for Conflicting Actions and Critical Actions will generate alerts when conflicting actions or critical actions actually are performed, but how is this for the Control Monitoring? Will it create alerts when users/roles with conflicts are actually assigned a mitigating control, or will alerts also be created when mitigating controls are created but not assigned to a specific user's/role's risk violation?
Thank you!
Ingar Steinsvik
Did you check the documentation on this ("Scheduling Alert Generation" section in GRC 5.3 config guide):
Control Monitoring:
This alert type is a mitigation level analysis, which generates mitigation alerts.
During the generation of alerts, the user and transaction information is passed to the risk
analysis. If you select the Consider Mitigated Users option, alerts are generated on user who
are associated with a mitigated risk. The generation of these alert types are useful for
transaction usage in Segregation of Duties (SoD) Review and User Access Review (UAR).
You can also set up a background job for sending alert notification via email based on the
alert type. By selecting Conflicting Actions and/or Critical Actions alert types, notifications are
sent to Risk Owners. Selecting Control Monitoring alert type sends notification to the
Management Approver of the Mitigating Control.
Thanks
Himadama