
Roles showing with incorrect T-code assignment while running risk Analysis

0 Kudos

Hi All,

We are facing an issue where I am trying to run risk analysis at user level (Permission level) and in the results we are also receiving roles which don't have the T-codes but only the auth objects of such T-codes.

Before this we were only getting the roles which had the T-codes in it causing risk.

We had recently upgraded to GRC 12.0 SP7 and Risk library was modified too.

Could anyone please suggest a solution at the earliest?

Thanks

Accepted Solutions (0)

Answers (4)


pau_torregrosa
Participant
0 Kudos

Hi Santosh,

Instead of looking at the menu of the role, could you please check the authorizations inside the role, in the authorizations tab, and see if the tcode showing in the Risk Analysis is one of the values inside the authorization object S_TCODE? It could be possible that one of the tcodes added in the menu of the role was pulling the tcode showing in the risk analysis (SU24). Or, maybe someone added the object S_TCODE manually and filled it with the tcode showing in the analysis. You can also use table agr_1251 for the same purpose.

Regards,

Pau.

0 Kudos

Hi Pau,

I have checked the authorizations within the role in the ECC system, and the mentioned T-code is not maintained under auth object S_TCODE.

This is happening while running risk analysis for multiple users and roles.

Please suggest.

pau_torregrosa
Participant
0 Kudos

Hi Santosh,

It looks like a data synchronization issue. Could you check if your sync jobs for Risk Analysis are properly set up and finishing with no errors? These are the programs you should have scheduled in your background jobs:

GRAC_PFCG_AUTHORIZATION_SYNC (Daily or Weekly)

GRAC_REPOSITORY_OBJECT_SYNC (Hourly or Daily)

GRAC_BATCH_RISK_ANALYSIS Incremental mode (Daily)

GRAC_BATCH_RISK_ANALYSIS Full mode (Weekly or Monthly)

For troubleshooting errors, check transaction SLG1. Also, you could try to compare Online Risk Analysis vs Offline Risk Analysis and check if there are any differences.

Regards,

Pau.

RameshVithanala
Active Participant
0 Kudos

Hi Santosh,

It would be great if you could provide some screenshots of the error. Also, can you let us know what BC sets are activated for the ruleset? I am suspecting it might be related to the S4HANA_ALL ruleset, which includes Fiori apps etc.

Thanks

Ramesh

0 Kudos

Hi Ramesh,

I have attached the screenshots for your reference.

Also BC Set GRAC_RA_RULESET_S4HANA_ALL is not activated.

RameshVithanala
Active Participant
0 Kudos

Hi Santosh,

Check the table TCDCOUPLES for the calling and called tcodes. Is ME21N called for any of the following tcodes?

ME2L
ME2M
ME2N
ME2S
ME2W

Thanks

Ramesh

0 Kudos

Hi Ramesh,

None of the mentioned T-codes are calling ME21N in our ECC system.

Please suggest.

Thanks

0 Kudos

Hi Colleen,

Thanks for your reply.

Here are the answers to your queries:

1. We are running risk analysis at User level (Permission level) with Detail view. The roles visible are assigned to the user; however, certain roles which are showing a risk conflict don't have the mentioned T-codes in them but only the authorization object. We have been running the report with the same parameters, and this has happened for the first time after the upgrade.

2. We inactivated a few Risk IDs earlier and generated the rules as well; otherwise there is no change in the ruleset.

Colleen
Product and Topic Expert
0 Kudos

Okay, in (1)... do you have other line items for the risk violation showing that another role has the S_TCODE permission? If so, this would make sense in a user-level report, as the user has the risk due to a combination of roles.

0 Kudos

Hi Colleen,

For additional roles, Auth object S_TCODE is not listed.

The mentioned auth objects and field values are related to T-code listed in Action column.

Colleen
Product and Topic Expert
0 Kudos

Hi Santosh

When you run the user permission report, can you look at the detailed view? Does it show several roles for the user? Possibly, one role gives them the auth/permission whilst another role is giving them the tcode? This can happen with cross-inheritance: 2 or more roles create an SoD risk for a user.

If you run the role risk analysis at permission level then you should not see the report role without the tcode on the report as the role doesn't have the inherent conflict.

If this didn't have a risk violation before upgrading, have you looked at the ruleset changes?

Regards

Colleen
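
The cross-role case described in the reply above, as an added example that is not part of the original thread and not SAP's risk analysis code. It is a simplified model of a single action: the role names, user names, sample rows (shaped like AGR_1251 entries) and the `RULE` table are constructed assumptions.

```python
from collections import defaultdict

# Constructed rows shaped like AGR_1251: (role, auth object, field, value).
ROLE_AUTHS = [
    ("Z_BUYER_MENU", "S_TCODE", "TCD", "ME21N"),
    ("Z_PO_AUTHS", "M_BEST_BSA", "ACTVT", "01"),
    ("Z_PO_AUTHS", "M_BEST_BSA", "BSART", "NB"),
    ("Z_HELPDESK", "S_TCODE", "TCD", "SU53"),
]
# Constructed user-to-role assignments.
USER_ROLES = {
    "USER_A": ["Z_BUYER_MENU", "Z_PO_AUTHS", "Z_HELPDESK"],
    "USER_B": ["Z_PO_AUTHS", "Z_HELPDESK"],
}
# Hypothetical, simplified rule: permissions needed to execute the action.
RULE = {"ME21N": [("S_TCODE", "TCD", "ME21N"), ("M_BEST_BSA", "ACTVT", "01")]}


def providers(roles, action):
    """Map each permission the action needs to the roles that grant it."""
    found = defaultdict(set)
    for role, obj, field, value in ROLE_AUTHS:
        for need in RULE[action]:
            if (role in roles and obj == need[0] and field == need[1]
                    and value in (need[2], "*")):
                found[need].add(role)
    return found


def role_level(role, action):
    """Role analysis: the role alone must grant every needed permission."""
    return len(providers([role], action)) == len(RULE[action])


def user_level(user, action):
    """User analysis: roles are combined; return every contributing role."""
    found = providers(USER_ROLES[user], action)
    if len(found) < len(RULE[action]):
        return []  # action not executable, so no violation line items
    return sorted(set().union(*found.values()))


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, user_level(user, "ME21N"))
    print("Z_PO_AUTHS alone:", role_level("Z_PO_AUTHS", "ME21N"))
```

In this model, a role holding only the authorization objects appears in the user-level result only when some other role of the same user supplies the S_TCODE value, which is the condition the detailed view lets you confirm or rule out.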