SoD Review

Hi.
I have problems while generating SoD-Review-requests.
No requests are generated, although I have made all changes as mentioned in the ConfigGuide.
Any ideas?
Thanks.

Alexa,
Can you please provide the list of rule files you had uploaded?
What are the values in table VIRSA_CC_RISK*?
Regards,
Surpreet

Similar Messages

  • SAP GRC 10.0 - SOD REVIEW

    Dear All,
    We are having a doubt related to the SoD review process available in GRC. Let us send you a couple of questions:
    We guess that the SOD review performs an analysis over the whole users at the target system. Is that correct? Or is it just limited to the users requested by the Access Request menu? That is to say, to the users created/modified through GRC?
    If we generate the data once and then the tasks are sent to the reviewers, and we then generate the data again – just one minute later – will the same users be sent to the Reviewer to be reviewed?
    Thanks in advance!!!!!!

    Jebeni,
    We haven't done any SOD review, but from the user access review my experience is that:
    1. You should have an option to include a set of users for whom the review should be done, i.e. only dialog.
    2. Yes, it will resend if you re-run the job again.
    We will wait to know more from the experts.

  • SoD Review Guide

    Dear Forum goers,
    It has been a long time coming, but we just released the SoD Review Guide on BPX.
    You can find it here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f01947f3-80d6-2c10-36a6-d4dad7cf1649?quicklink=index&overridelayout=true
    Thanks!
    Ankur
    SAP GRC RIG

    Alpesh,
    To answer your questions,
    Page 17: 1. Admin
    Changes are not accepted from 'Track Changes' feature of Word. The changes still show up in 'RED'.
    I do not understand this response.  The document looks fine to me on Page 17.
    Page 20: Lock, Forward To Next Stage:
    Is "Lock, Forward To Next Stage" same as "Deactivate; Forward To Next Stage" or the users are only locked in "Lock, Forward To Next Stage"?
    Yes, you are correct, the users are only locked in "Lock, Forward to Next Stage."  "Deactivate, Forward To Next Stage" sets the User assignment to the current date.
    Page 43: Are the links for config guide etc. under Related Content supposed to work?
    We submit our documents to BPX as a word document, and then they convert it to PDF, so the links do not work after the conversion is done.  If you are interested in a link, let me know, and I will point you to the correct place.
    Thanks!
    Ankur
    SAP GRC RIG

  • MSMP Work flow in GRC 10.0

    Hi Experts,
    I have a work flow requirement and would appreciate if you guys can please help me here . The actual requirement is to design a CUP Workflow and If there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If there is no SOD issue found, the workflow should end. The requirement is to configure the access request so that the end goal of work flow is just facilitation of an SOD review.  There would be no actual provisioning of users at the end of the path.
    I am wondering if this workflow can be initiated with a function module based rule or I would have to create a BRF Rule for this. As per my understanding the flow should be Start > Access Request > SoD Analysis done > If SoD, Go to Central team otherwise end > Central team will decide on the assignment of SoD Resolution > This Team will either Assign MC or won't approve the Role assignment > In both cases the workflow ends and the request is closed.
    Would really appreciate if you guys can assist me as I am new to workflow and this is one of the project deliverables. Thanks for your valuable time and help.
    Vikas

    Hi Ashish,
    Thanks for your time. Let me explain my requirement to you; I would really appreciate it if you have some inputs here which would help me to design this.
    The actual client requirement is to design a CUP Workflow and, if there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If this group decides to apply mitigating controls to the issues, the workflow must then go to the compliance group for them to review for appropriateness. The requirement is to do a SoD analysis for every role change/add request, so that this group takes the appropriate action based on the SoD Analysis. For all my CUP requests raised, I want the system to do a SoD analysis and let this group know whenever there is a SoD found, or just end the workflow if there is no risk.
    I am aware of the Risk analysis process for GRC 10.0, however I want it to happen as a part of this workflow requirement.
    The requirement is to configure the access request workflow so that the end goal of the workflow is just facilitation of an SOD review.  I hope I was able to explain my requirement. Thanks again for your help.
    Your valuable guidance would be really appreciated.
    Vikas

  • Multiple Rule Sets in GRC 10.0 for one System

    Hi All,
    We have 2 different companies working on one system and therefore 2 different rule sets that are applicable.
    Due to that we are facing different problems we don't know how to solve yet, but let's start with the first one, dealing with the rule set that should be used in the access request.
    We want to determine which rule set should be used based on the requested role (e.g. if role name contains 0001 use rule set 0001, if role name contains 0002 use rule set 0002).
    We have already tried several different scenarios in BRF+ without success.
    Does anybody have a solution or at least an idea for this topic?
    Thank you all very much in advance!
    Eva

  • GRC 10 Work Inbox Notification or Universal Work List instead of SMTP

    Hi,
    I wanted to check with you all if there is a possibility to get SAP internal Work Inbox or UWL notification instead of outlook/SMTP notification.
    The scenarios this will be required for us are
    1. User ID details communication at the end of the request.
    2. Notification if access is approved/ rejected.
    3. Notification for Firefighter approved or rejected.
    4. BRM role approval notification
    Kindly let me know if we can pull the notification from Outlook/SMTP to internal SAP Mailbox.
    Regards,
    Prasad Chaudhari

    Hi Guru,
    If I am not wrong the items mentioned send notification to outlook/smtp and not work inbox. The work inbox will get request for approval and uar/sod review.
    Are you talking of some parameter/settings to change this behaviour?
    Thanks,
    Prasad Chaudhari

  • Creating Mitigation Control from CUP

    Hi Guys,
    Is this feature implemented in Access Control? Or is it still an enhancement?

    Hi Alpesh
    In order to your answer... Can you help me to identify what I am doing wrong when I want to approve a mitigating control in CUP?
    Path 1 : Approve request
    Stage 1: Request
    Stage 2: Security
    Stage 3: Role Owner
    Detour Path:
    Type: CUP
    Stage: Role Owner
    Condition: SoD Review
    Detour Path: Path 2
    Path 2:
    Stage 1: Approval -- > CAD : Mitigation Monitor
    The request is sent to the Mitigation Monitor, but when we try to approve the request it shows the following error:
    2010-03-30 14:10:26,390 [SAPEngine_Application_Thread[impl:3]_25] ERROR  Mitigation control TEST_5.1 could not be saved for user PRUEBAGRC_6
    com.virsa.ae.core.BOException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:207)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.saveMitigationControls(MitigationControlBO.java:321)
         at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:6993)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:6748)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6600)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6393)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:949)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:104)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.virsa.ae.service.ServiceException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.checkForSuccess(MitigationControlWS52DAO.java:832)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.executeUpdateUserMitigation(MitigationControlWS52DAO.java:287)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.insertUserMitigation(MitigationControlWS52DAO.java:309)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:195)
    Can you help me please?? All URI are OK.
    Thanks !!!!
    Edited by: Karen_sans on Mar 31, 2010 7:45 PM

  • RAR: Alerts tables understanding

    Hi,
    After running alert generation role specifying just critical actions flag and a specific risk that includes a few transactions we have identified that the following tables are containing data:
    VIRSA_CC_ALLASTRUN: Dates and time when alert generation job finished
    VIRSA_CC_ALLISTHDR: Header data that is shown under alerts' reports.
    VIRSA_CC_ALLISTDTL: Details for the alerts identified (in our case critical transactions)
    VIRSA_CC_ALTCDLOG: Last time a user executed a transaction within the period alert generation was executed
    VIRSA_CC_ACTUSAGE: All transactions executed by users (transactions are shown several times but differs on time) within the period alert generation was executed
    Our questions:
    1) When and where tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are used within SAP GRC AC?
    2) Since we are executing alert generation job on a daily basis, tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are increasing very fast. Which is the best practice and process to manage this information? Is deletion performed? Is archiving performed?
    Many thanks in advance. Kind regards,
      Imanol

    Hello Imanol !
    I've never heard of deleting Alerts per se, but you can delete the Action Usage that is used to generate the alerts. In RAR, go to: Configuration --> Utilities --> Purge Action Usage.
    I've never used the functionality yet, but my assumption is that deleting the action usage would also impact the alerts and might possibly delete them too. There is some good information about positive/negative impact in the Configuration Guide "AC53_CG_Final_en_Aug_2010.pdf" on page 64.
    Per your original question, if I understood correctly, the collected action usage is used a lot in AC. The following reports make use of Action Usage:
    1. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by Role & Profile
    2. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
    3. ERM --> Informer --> Transaction Usage
    The third report is my favorite since it collects usage counts, which really helps for role re-engineering.
    The UAR and SOD Review processes make use of action usage too.
    -Dylan

  • SAP GRC AC 5.3 integrated with BW

    Hi all,
    Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
    Thanks in advance. Regards,
       Imanol

    Imanol,
    There is documentation available for the integration.  You can find that here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
    Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
    Pre-delivered queries:
    For RAR:
    Alert Detail Listing
    Alert Header Listing
    Critical Action Violations by User
    Critical Role Viols Analysis with Long Portal IDs
    Current User Permission Risk-Perm Violation Analysis Breakdowns
    Current User Permission Risk Violation Analysis Breakdowns
    Management Summary Total Listing
    Mitigated Users Analysis
    Risk Long Descriptions
    Risk-Rule Set Relationship Listing
    Role Permission Risk Violation Analysis
    Role (Portals) Permission Risk Violation Analysis
    Supplementary Rule Detail Listing
    Supplementary Rule Header Listing
    User Permission Risk Violation with Functions
    User Permission Risk Violation with Remediation by User
    User Permission Risk Violation with Remediation by User (Top 10)
    User Permission Violation with Remediation by Risk
    User Permission Violation with Remediation by Risk (Top 10)
    For CUP:
    Access Requests
    Risk Violations
    Role Provisioning
    Service Levels
    SOD Review
    User Access Review
    User Provisioning
    Thanks!
    Ankur
    SAP GRC RIG

  • Effort to upgrade from GRC 5.2 to GRC 5.3

    Hi,
    We're looking to begin an upgrade of GRC 5.2 to GRC 5.3 and I've been going through all of the upgrade documentation and the associated notes for the current GRC 5.3 version.  I was wondering for those that have done this upgrade if you can tell me approximately how many hours it took to not only install but test and deploy.  I'm starting to build the project plan and want to know what I'm going to be looking at from an effort standpoint.
    Any help that can be provided is appreciated.
    Thanks!
    Elizabeth

    Elizabeth,
    It does not take much time to install and deploy, since you are only replacing the front-end application.  If you have an experienced Basis person, then it should not take more than 1 day to install, and maybe 2 days for post-installation.
    Breakdown (assumes best-case scenarios):
    Replace 5.2 with 5.3 front-end: 1 day
    Upgrade to 5.3 RTA's in target systems: 1 day
    Post-install configuration: 2 days
    Testing: will depend on customer and what functionalities they are using and want to use in AC5.3
    AC5.3 possesses new functionality, like UAR/SoD Review.  So if that needs to be configured, you will have to build that into your project plan.  In addition, you will need to build your testing scenarios and that will depend on your customer/client.
    Ankur
    SAP GRC RIG

  • GRC AC V10 - UAR config steps

    Hi together,
    I didn't find any config guide or input for the configuration of UserAccessReview UAR.
    Can anybody mention the most important steps and jobs?
    The RKT info is not that detailed.
    Thanks,
    Alexa

    Hi Alexa,
    I am not sure how much I'll be able to help you without proper documentation. I'll try my best.
    Go to SPRO->GRC0->Access Control->Maintain Configuration settings. Please maintain these values as required.
    Parm Group    ParmID    Parm value    Description
    UAR Review    2004      011           Request Type for UAR
    UAR Review    2005      004           Default Priority
    UAR Review    2006      MANAGER       Who are the reviewers?
    UAR Review    2007      YES           Admin. review required before sending tasks to reviewers
    SOD Review    2016      010           Request Type for SoD
    SOD Review    2018      RISK OWNER    Who are the reviewers?
    SOD Review    2023      YES           Is actual removal of role allowed
    Then go to SPRO->GRC0->Access Control->Workflow for Access Control->Maintain MSMP workflow. Customize the Processid SAP_GRAC_USER_ACCESS_REVIEW. Maintain all the required details. Save and activate it. Now you are ready for review.
    For issues follow the SAP Notes: Note 1620495 - GRC 10.0 UAR - Submission failure of request &   1620493 - GRC 10.0 UAR Background Job stuck
    Don't forget to implement the note 1622281 after your configuration.  Get back if you have any issues further.
    All the very best
    Regards,
    Guru

  • User Access Management(UAM) in SAP

    What are the various options to perform UAM for SAP solutions from an external application? For example can we create Users, groups, assign roles etc within SAP?
    1) Is webservice an option? If so, is it RESTful or SOAP based?
    2) Is an RFC call available?
    3) Can we use any other mechanism such as a BAPI wrapped with our own custom module exposed as an RFC?

    I have looked at your screenshots, and am not too concerned with the MSMP settings yet as we are trying to first fix your Generation job.
    I would enable the admin review in your setting to just see if all the necessary data is being generated, i.e. in case there are blank role owners for some roles, this could be causing an issue.
    As for your criteria selection, ensure no blank fields were left in the selection made.
    I would have a read of the following WIKI and see if any of the points mentioned are applicable. The first mistake made by many is to not perform the sync jobs in the correct order.
    Troubleshooting UAR Request Generation - Governance, Risk and Compliance - SCN Wiki
    From my memory, I know for SOD reviews "offline risk analysis" had to be enabled, but unsure if this is also necessary for UAR.
    Also refer to the following general wiki User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

  • Can you download RAR Risk Analysis reports to something other than Excel?

    When you run a RAR Risk Analysis and go to export the resulting reports, RAR automatically exports this into an Excel spreadsheet.
    Is it possible to export the reports into some other kind of format/tool?  (SQL would be ideal.)
    We are on GRC 5.3 SP13.
    Thanks.

    Our CMG group runs a company-wide risk analysis 2-3 times a year to use in their SOD Review process.  We are looking into loading this report into QuickView to give them more capabilities with using the report.  QV will work with Excel, but you have to load every spreadsheet and every page separately. 
    We are looking to see if we could download it into some other format that would contain all of the report in just one file.  Would make the QV load easier.  Something like SQL would probably be ideal.
    Thanks.

  • Anyone know what these are used for??

    Hi All,
    I am putting together some documentation for a CUP implementation and I have come across three configuration options in CUP that I have no idea what they pertain to and I can't find any documentation on them.
    1.  What is the "SAP EP LDAP" connection type used for?
    2.  What are SOD Review Process Rejected and UAR Review Process Rejected background jobs used for?

    About "What are SOD Review Process Rejected and UAR Review Process Rejected background jobs used for?", I just talked to an SAP person today who explained to me that this is a job your sec admin would run, for example in a UAR review when a particular user in a request had been "rejected" (e.g. "this person doesn't work for me, so I need to reject him so he can get sent to the right mgr").   When the reviewer (mgr) rejects the user, then the admin figures out based on the reason (e.g. changed jobs, terminated, etc) what action to take.  For instance it may be to cancel the request for termination.  If the user has changed jobs, then the sec admin would need to go to the LDAP (or whatever source you use) to fix up the mgr<->employee relationship info, then run this "Process Rejected" job.  The rejected user will then be put into a new request, and the rest of the original request can be processed by the 1st mgr.   I haven't tried all this yet, but it sounded reasonable to me...

  • Alert Generation, Control Monitoring

    Hi,
    I am trying to understand how the Alert Monitoring background jobs work. I understand that Alert monitoring for Conflicting Actions and Critical Actions will generate alerts when conflicting actions or critical actions actually are performed, but how is this for the Control Monitoring? Will it create alerts when users/roles with conflicts are actually assigned a mitigating control, or will alerts also be created when mitigating controls are created but not assigned to a specific users/roles risk violation?
    Thank you!
    Ingar Steinsvik

    Did you check the documentation on this ("Scheduling Alert Generation" section in GRC 5.3 config guide):
    Control Monitoring:
    This alert type is a mitigation level analysis, which generates mitigation alerts.
    During the generation of alerts, the user and transaction information is passed to the risk
    analysis. If you select the Consider Mitigated Users option, alerts are generated on user who
    are associated with a mitigated risk. The generation of these alert types are useful for
    transaction usage in Segregation of Duties (SoD) Review and User Access Review (UAR).
    You can also set up a background job for sending alert notification via email based on the
    alert type. By selecting Conflicting Actions and/or Critical Actions alert types, notifications are
    sent to Risk Owners. Selecting Control Monitoring alert type sends notification to the
    Management Approver of the Mitigating Control.
    Thanks
    Himadama
