6 Replies Latest reply: Nov 5, 2012 7:47 PM by Luis Aguilera RSS

GRC AC 10.0 User risk analysis

Luis Aguilera
Currently Being Moderated

Dear friends

 

When we run a risk analysis of users in background job, this takes a long time and it´s canceled, we have 1950 risk and 850 users in SAP,

The latest analysis took 20 hours, and it was canceled.

 

It is normal for this analysis takes so long?

if this is not normal, what could be happening?

 

thanks for your help

  • Re: GRC AC 10.0 User risk analysis
    Madhusudan Bansal
    Currently Being Moderated

    There are few things you can do to improve the run time.

     

    1. check out the note Note 1580877 - Best practices in
    storage management for SoD analysis jobs

    2. make sure you have exclude objects configured (profiles like SAP_ALL, SAP_NEW)

    3. make sure to maintain the parellel processing configuration.

    • Re: GRC AC 10.0 User risk analysis
      Luis Aguilera
      Currently Being Moderated

      Dear Madhusudan:

       

      We have problems with the user  batch_risk_analysis job, I attached screen shots for better understanding,

       

      When the job finishes running after 20 hours, reviewing the job delivered the following information with errors in the package number 9

       

      1 ana.JPG

       

      but when you open the package 9 shows that all the user were processed without errors

      2 ana.JPG

       

       

       

      3 ana.JPG

      we cheked the SLG1 log and found the following messages

      4 ana.JPG

       

       

      5 ana.JPG

       

      so we thought there was a problem with RFC user permissions. but ,as you can see, permission are correctly granted.

      6 ana.JPG

       

      7 ana.JPG

       

       

      8 ana.JPG

      what could be the reason of this apparent status error?

       

      Thanks very much

      • Re: GRC AC 10.0 User risk analysis
        Vit Vesely
        Currently Being Moderated

        Hi Luis,

         

        To rule out all authorization related problems you can assign SAP_ALL profile to the the "test" users at the beginning of the project. You can always remove/fine tune the authorizations when everything works as intended and when more critical systems are hooked up.

         

        Also, please ensure that SAP_ALL & SAP_NEW are excluded from the scope of analysis. Otherwise these profiles will generate all tonnes violations.

         

        Cheers,

        Vit

      • Re: GRC AC 10.0 User risk analysis
        Madhusudan Bansal
        Currently Being Moderated

        Luis,

         

        are you running this risk analysis for 1 connector or multiple? you can check the SM59 connection for authorization to make sure everything is working fine.

        Also, I would recommend you run the Action and permission analysis separably.. also as suggested earlier, make the below config setting:

        1.     SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> Maintain Exclude Object for Batch Risk Analysis

        add the SAP_ALL, SAP_NEW here and any other user/role/profile which you want to exclude from the risk analysis run

         

        2.     SPRO -> Governance, Risk and Compliance -> Access Control -> Distribute Jobs for Parallel Processing

        you can have it  to 3 processes, but you should gradually increase it depend upon the runtime and the system memory.

Actions