
SAP GRC 10.0 Offline Risk Analysis

Former Member
0 Kudos

Hi,

We know that we can do "Offline Risk Analysis" in SAP GRC Access Control 5.3 by uploading text files in the data extraction tab. Now the question is: how does the offline risk analysis take place in SAP GRC AC 10.0, how do we upload the data, and what format should it be in? Can anyone please help me with this?

Regards,

Sandeep

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hello,

I have the same problem.

I can answer which programs are needed to download information from the backend:

SE38 >> /VIRSA/DLOAD_USRS
Delimiter: blank
C:\user.user.txt

SE38 >> /VIRSA/DLOAD_AUTH_OBJS
parameter A & F
Delimiter: blank
C:\user.action.txt

/VIRSA/DLOAD_AUTH_OBJS
parameter P & F
Delimiter: blank
C:\user.permission.txt

/VIRSA/DLOAD_ROLES
Delimiter: blank
C:\role.role.txt

/VIRSA/DLOAD_ROLE_AUTH_OBJS
parameter A & F
Delimiter: blank
C:\role.action.txt

/VIRSA/DLOAD_ROLE_AUTH_OBJS
parameter P & F
Delimiter: blank
C:\role.permission.txt

/VIRSA/ZCC_DOWNLOAD_DESC
C:\text.txt

/VIRSA/ZCC_DOWNLOAD_SAPOBJ
C:\auth.txt

Unfortunately, whereas within GRC 5.3 the upload was managed via Front end, GRC 10.0 does not seem to offer this functionality. Please correct me if I am wrong.

I also need a way to implement offline risk analysis in GRC 10.0, not simply covered by the Config Setting "Enable Offline Risk Analysis" but instead requiring us to enable an UPLOAD of all relevant information for Risk Analysis. Thus, we want to be able to analyse Roles without actually having a physical connection to the System that contains these Roles.

Best regards,

Adrian

Former Member
0 Kudos

Hi Adrian,

In GRC 10.0 the data extractor functionality is replaced by just creating a Legacy connector and then doing the Repository sync on that and running the risk analysis.

If you want detailed information on this, then refer to the SAP Note below:

# 1594963: GRC Access Controls 10 - How to configure Legacy

A proper guide is attached to this note which explains this functionality.

Regards

Shaily

Former Member
0 Kudos

Hi Shaily,

SAP Note 1594963 shows the mandatory structure to configure in order to perform an offline analysis, as described in the attached document RiskAnalysisForLegacyConnector.pdf.

Well, this document explains the maximum size per field (i.e. UserId => field size 50 characters), and the job /GRCPI/GRIA_R_DOWNLOAD_USRS in this case exports all the users from the ERP system, but my question is: is it necessary to adapt that kind of report to upload it to the server? Do you have any example of legacy files?

Thanks in advance.

Regards.

Former Member
0 Kudos

Hi Chemi,

I've tried using the download programs as mentioned here and in Note 1613632 - Download Files for Legacy Risk Analysis.

With these programs I obtained 6 of the 11 files mentioned in the guide:

LEGACY_ROLE              /GRCPI/GRIA_R_DOWNLOAD_ROLES      N/A
LEGACY_DEFAULT_USER      /GRCPI/GRIA_R_DOWNLOAD_USRS       All users
LEGACY_USER_ACTION       /GRCPI/GRIA_DLOAD_AUTH_OBJS       Action/full scan/
LEGACY_USER_PERMISSION   /GRCPI/GRIA_DLOAD_AUTH_OBJS       Permission/full scan/
LEGACY_ROLE_ACTION       /GRCPI/GRIA_DLOAD_ROLE_AU_OBJS    Action/full scan/
LEGACY_ROLE_PERMISION    /GRCPI/GRIA_DLOAD_ROLE_AU_OBJS    Permission/full scan/

The following files are required if you want a profile analysis:

LEGACY_PROFILE
LEGACY_PROFILE_ACTION
LEGACY_PROFILE_PERMISSION

But they are not necessary if you don't assign profiles to the user directly. I've found a nice explanation here: http://scn.sap.com/docs/DOC-1578

"...There is no need to include profiles, if you aren’t assigning profiles to your users. Each SAP system comes with a considerable number of pre-delivered profiles; in addition, profile analysis will not only analyze old style SU02-profiles, but also all generated profiles that were already analyzed during the role analysis...."

Then you have two files left:

LEGACY_PERMISSION
LEGACY_ACTIONS

You can get those by working with tables TSTC and TOBJT for example.

I've tested with the 6 files mentioned first that I downloaded from the system and I managed to run the syncs and perform a test risk analysis.

I haven't changed anything in the files, I just saved them as UTF-8 as per Note 1624124 - AC 10.0 - Download Programs for Legacy Risk Analysis.

Hope it helps.

Cheers!

Diego.

Former Member
0 Kudos

Hi Diego,

I don't receive any violations while running the offline risk analysis in our grc system, although SOD risks on action level for legacy systems are defined.

We are on AC release 10.0 SP 13.
I did the following steps, as you mentioned in your documentation before:

1. I downloaded the offline data with the following programs:
/GRCPI/GRIA_R_DOWNLOAD_ROLES
/GRCPI/GRIA_R_DOWNLOAD_USRS
/GRCPI/GRIA_DLOAD_AUTH_OBJS
/GRCPI/GRIA_DLOAD_AUTH_OBJS
/GRCPI/GRIA_DLOAD_ROLE_AU_OBJS
/GRCPI/GRIA_DLOAD_ROLE_AU_OBJS
I saved the data in UTF-8 format and saved them under the file
directory D:\usr\sap\trans\offline<FILENAME> of WINDOWS NT installation.


2. I configured the file transaction and did the connector config as it
is mentioned in the note 1594963

3. I ran the jobs grac_pfcg_authorization_sync and
GRAC_REPOSITORY_OBJECT_SYNC to synchronize the data of SU24 and roles
and users. Jobs are completely synchronized for connector (SM37 and SLG1).

4. I created a SoD risk for legacy_connector

5. I ran the risk analysis for the legacy_connector and role
SAP_BC_BASIS_ADMIN

I get no results in risk analysis.


It seems as if the offline risk analysis isn't able to collect the file data, particularly no action or permission data is available. Do you know if the offline analysis collects the data from the downloaded files during run time? Or do I need to synchronize the data of the files in the repository?

Do you have any suggestions what configuration I missed?
It would help me a lot to get in touch with somebody who implemented offline risk analysis successfully.

Thanks for your advice.

Best regards,

Manuela

dyaryura
Active Participant
0 Kudos

Hi Manuela,

We're currently using FILE connectors but we're not using such jobs to obtain the files. We've created our own scripts to work with tables such as USR02, AGR_1251, AGR_USERS, etc. to generate the corresponding files.

First of all, I'd check the format of the files you have against the one described in the guide. Also, it's very important to use UTF-8 without BOM encoding. With programs like Notepad++ or UltraEdit you can remove the BOM.

After the sync you should check table GRACOBJECTAUTH. There, you should be able to see all the information you have uploaded via file. For example, you could check that particular role to determine if the authorizations were properly loaded.

Hope it helps,

Diego.

Former Member
0 Kudos

Hi Diego,

Could you please provide me some information on how you programmed your script to create the txt files?

How did you define the empty lines between the columns? In the Role file I am not sure what the dependencies are between the role name and the role description.

It would be very helpful to get some advice.

Thanks,

Manuela

dyaryura
Active Participant
0 Kudos

Hi Manuela,

The scripts are very simple, you can get the information by joining some tables. For empty values you have to skip them; do not fill them with spaces, but keep the "tab".

Role name and description can be easily obtained from the AGR_DEFINE table.

Cheers,

Diego.
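
A pre-upload check for the points raised in the two replies above (UTF-8 without BOM, the tab kept for empty values, field sizes from the guide), as an added example that is not part of the original thread or of SAP's download programs. The function name, the sample rows and their column layout are constructed for illustration; the 50-character limit is the UserId size quoted earlier in the thread.

```python
import codecs

def check_legacy_file(data: bytes, max_len=None):
    """Return a list of findings for one tab-delimited legacy extract.

    max_len maps a 0-based column index to its maximum field size
    (assumption: take the real sizes per file from the guide).
    """
    findings = []
    if data.startswith(codecs.BOM_UTF8):
        findings.append("file starts with a UTF-8 BOM; save it without BOM")
        data = data[len(codecs.BOM_UTF8):]
    elif data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return ["file is UTF-16, not UTF-8"]
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return findings + [f"invalid UTF-8 sequence at offset {exc.start}"]
    rows = [line.split("\t") for line in text.splitlines() if line]
    if not rows:
        return findings + ["file has no data rows"]
    width = len(rows[0])  # the first row sets the expected column count
    for n, row in enumerate(rows, start=1):
        if len(row) != width:
            findings.append(f"line {n}: {len(row)} columns, expected {width}")
        for col, value in enumerate(row):
            if value and not value.strip():
                findings.append(f"line {n} col {col}: empty value padded with spaces")
            limit = (max_len or {}).get(col)
            if limit is not None and len(value) > limit:
                findings.append(f"line {n} col {col}: {len(value)} chars, max {limit}")
    return findings

# Constructed sample rows (hypothetical layout: name, empty field, description).
GOOD = b"ZROLE_A\t\tRole A\nZROLE_B\t\tRole B\n"
# Same data with a BOM, a space-padded empty field and a dropped tab.
BAD = codecs.BOM_UTF8 + b"ZROLE_A\t   \tRole A\nZROLE_B\tRole B\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_legacy_file(sample, max_len={0: 50}))
```
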

Former Member
0 Kudos

Hi Diego,

I don't know why, but the upload doesn't work on our side. I copied the plugin-download files and filled in with new role values, actions and permissions. But when I try to sync with Repository_Object_Sync in the System I cannot fill in any value in GRACOBJECTAUTH.

Thanks for your help.

Regards,

Manuela

frank_bannert
Active Participant
0 Kudos

Hi Sandeep,

AC 10.0 is currently in ramp-up therefore I would suggest you trigger your request through your ramp-up coach.

But high level it's this way:

Plugin system has programs to

1. Download User, User Actions, User Permissions (only SAP system, for Non SAP custom programs are required)

2. Download Role, Role Actions, Action Permissions (same as above)

3. Download Profile, Profile Actions, Profile Permissions (same as above)

GRC Box

1. Create a Logical connector in SM59

2. In transaction FILE create connectors to each file downloaded from plugin system

3. In connector settings associate all these files to the system created in SM59

Now use the repository sync and authorization sync programs which would internally extract all data from the associated files

GRAC_UPLOAD_RULES formats are exactly same as those of 5.3

Best,

Frank

Former Member
0 Kudos

Hi Frank,

Thanks for the response,

As mentioned by you on the programs in the plugin system, I could find the programs mentioned below, but can you please mention which program is used to download what, I mean for User/Role/Profile action and permission files?

/GRCPI/GRIA_DLOAD_AUTH_OBJS Download Authorization object

/GRCPI/GRIA_DLOAD_ROLE_AU_OBJS Role Authorization Object

/GRCPI/GRIA_DNLDROLES Download Roles

/GRCPI/GRIA_DOWNLOAD_SAPOBJ Download objects

/GRCPI/GRIA_R_DOWNLOAD_DESC Program /GRCPI/GRIA_R_DOWNLOAD_DESC

/GRCPI/GRIA_R_DOWNLOAD_USRS Program /GRCPI/GRIA_R_DOWNLOAD_USRS

/GRCPI/GRIA_ZVRAT_UPDWNLOAD updownload data

Secondly, as you mentioned, in the FILE transaction do we need to place the file on the Application server, or will it pick these extracted files from the local path? And for the non-SAP system, can we use the same RRA template as we used for 5.3?

Regards,

Sandeep

Edited by: Sandeep Poojary on May 25, 2011 11:49 AM