on 06-29-2014 11:11 AM
Hi,
I have noticed that a role having conflicting transaction codes assigned in the back end system is not properly analyzed in the ARA application. When this role is analyzed, a "No Violations" message is shown though there are conflicting transaction codes assigned.
As far as risk definition is concerned, conflicting actions are properly defined in respective conflicting actions and these actions are grouped in a risk, which is applicable to a logical group (which in turn has the connector included causing this problem) and they are active.
Rules are properly generated for all the risks and functions. However, at the time of running risk analysis for this role, ARA is not showing it as a risk.
May anyone please advise on this?
Regards,
Rehan
Hi Rehan,
Are you running the analysis from "reports and analytics" or "access management" tab?
If from reports and analytics, then has the batch risk analysis on the backend system completed successfully?
Make sure you are not running an offline report without batch risk analysis completed.
Thanks
Sammukh
Hello Rehan
3-step check for your issue:
1. Are you able to search for your role in GRC 10 in the role analysis screen rather than just paste the role?
2. Check the object values related to the tcodes added; check for the 03 and 3 difference.
3. Can you delete the profile and regenerate it? If that does not solve it, recreate the role and then try.
Rajesh
Message was edited by: Rajesh Nanda
Rajesh,
I have downloaded the rules for both the SAP_R3_LG logical group and the respective physical system. I have noticed that I can find function_action rules for SAP_R3_LG in the downloaded file. However, I don't find FUN_ACT and FUN_PERM details for the respective physical system I am analyzing this role for!
I can find all other details like business processes, functions etc. But the FUN_ACT and FUN_PERM files are empty. Do you think this can be the issue?
If we generate rules, we simply select all risks from NWBC and then run the background job. But I did not find a way to generate rules for a specific physical system.
Do you think that generating rules from the back end will populate the rules for the physical system also?
Can you please advise?
Regards,
Rehan
Neeraj,
I have uploaded the rules for one of the physical systems (which is already defined in the SAP_R3_LG logical group) and then generated the rules.
After that I performed risk analysis for one of the roles and it showed the violations accurately!
Does it mean that I need to maintain all physical systems individually? Then what is the use of having the SAP_R3_LG logical group?
I also have this GRC system defined in the SAP_R3_LG logical group. If I perform risk analysis for one of the roles having violations for this system, it is showing correctly!
I think the rules available in SAP_R3_LG are not getting applied to "all" the physical systems.
Can you please advise how I can enforce these rules to be applicable to all the connectors defined in the SAP_R3_LG logical group?
Rhn
Hi Rehan,
It's not required to upload the rule set for each physical system. If you are defining all your connectors under the logical group SAP_R3_LG then it's enough. Previously the Func_Action & Func_Permission files were missing from your rule book; that's why you were not getting any results.
Now try to run risk analysis for any connector under the same logical group; you must get the result.
Hope it helps.
Regards,
Neeraj
Neeraj,
Yes, it is not required to upload the rules for each physical system as I am using SAP_R3_LG logical group.
But as I said, I uploaded the rules for one of the systems defined in the logical group for testing purposes. If I try to analyze the roles for this connector, I am getting the appropriate violations report.
But if I try to analyze the roles belonging to other connectors (which are defined in the same logical group), the system is saying "No Violations".
I am not sure why system is NOT enforcing the rules defined for SAP_R3_LG logical group!
Can you please advise?
Rhn
Neeraj,
I tried with permission only, still no luck.
In the GRACACTRULE table, I can only find entries for the SAP_R3_LG logical group. But there are no entries for any other physical systems except the one physical system I had uploaded the rules for (for testing purposes, and this is showing fine for this system).
Can you advise?
Rhn
Hi Rehan
What support pack are you on? Sorry, I had been busy to respond back to the thread, but I do recall there was an issue with risk analysis and logical systems. As you demonstrated that you can successfully run risk analysis for a physical system defined rule, possibly the following note may apply to your system?
955032: Rule generation issue with logical system groups
Fix is delivered in SP14 or 10.1 SP04
Regards
Colleen
In addition to selection criteria, also please ensure that you have executed the programs GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_REPOSITORY_OBJECT_SYNC in full sync mode at least once.
Ok.. might be a silly question, but the risk isn't mitigated for the roles, right? I mean, have you checked "Include mitigated risks" in the selection criteria option, if that is showing the risk?
Also, is this happening for a particular role in question or none of the roles show risks despite having the same?
This role in question is not mitigated! Therefore, this option "Include Mitigated" risks is not included in the selection criteria.
I have noticed so far, this is happening with 2 roles.
Secondly, I have created a test risk with test functions. A role is created in the back end system and conflicting tcodes are added. This role is synchronized and then analyzed. Surprisingly, this is showing the correct result!
I am not sure why this sporadic behavior is being shown by the tool. This is quite confusing. If it has shown "No Violations" for all the roles, then it would have been easy to understand.
But as I explained above, this is happening with some roles and does not happen with some other roles.
Really not sure how to crack it.
Please advise.
Regards,
Rehan
Hi Rehan
Did you run risk analysis for action or permission level? What was your selection criteria?
Regards
Colleen