32 Replies Latest reply: Mar 25, 2014 12:13 AM by Colleen Lee RSS

GRC AC 10: RAR - no analysis results

Edgar Hettmann
Currently Being Moderated

Hello,

 

i configured my system accoring the configuration guides.

But when I start e.g.  Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed!?

 

i ran all the Sync Jobs and SLG1 doesn't give me any errors.

 

FF and PSS both works fine.

 

FYI: Also in Business Role Management (BRM) no roles are displayed... maybe these two issues could be caused by the same problem?!

 

Thank you in advance

 

regards

Edgar

  • Re: GRC AC 10: RAR - no analysis results
    Colleen Lee
    Currently Being Moderated

    Hi Edgar

     

    For the ruleset  - are you using the SAP standard as delivered in the BC Sets? If so, after activating them, did you generate them.?

     

    also, which SP are you on as there have been a few notes recently relating to No Violations displaying such as below:

     

    Note 1824956 - User Analysis Report shows "No violations"

    Note 1817251 - User Analysis Report shows "No violations"

     

     

    On you FYI comment about the BRM with NO roles are displaying....

    1. Is this on the role repository in NWBC?
    2. Did you complete the Role Import in NWBC to pull the role definitions into the repository (this is not the same as a they synch)

     

    For both issues-  have you competed Maintain Connection Settings in the Integration Framework for ROLEMG, PROV, AUTH and SUPGM?

    • Re: GRC AC 10: RAR - no analysis results
      Edgar Hettmann
      Currently Being Moderated

      Hi Colleen,

       

      thanks for your helpfull response!

       

      Yes, i use the pre-delivered BC Sets/rulesets.

      Yes, after activation, I generated the SoD Rules in Governance, Risk and Compliance > Access Risk Analysis > SoD Rules > Generate SoD Rules (slide 13 of AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis.pdf), if u mean that.

      I am running GRC on SP12. so Note 1817251 is already implemented.

       

      Now I have implemented Note 182456.

      But still NO Risk Analysis result in Access Management > Access Risk Analysis > User/Role/Profile Level (screenshot)

      Unbenannt.JPG

      accorind to my BRM issue:

      I didn't know that I have to import all the roles first... and thought a sync would be enough.

      Now i imported the roles from my backend systems and now they show up in BRM :-) thank you!

       

      Any other suggestions for my RAR issue?

       

      Thanks in advance

      • Re: GRC AC 10: RAR - no analysis results
        Colleen Lee
        Currently Being Moderated

        Hi

         

        Other things to check

        Configuration parameters for risk analysis - see of you are excluding any users (eg locked)

        Look at the functions in the rule set for the connector group they are against and check to see if your connectors are in the same group?

        Rerun your full object synch since importing roles

         

         

        Sorry messaging from phone so can't provide steps

        • Re: GRC AC 10: RAR - no analysis results
          Edgar Hettmann
          Currently Being Moderated

          Hi Colleen,

           

          I found something weird. Maybe i just dont get the sense of the filed "System" (in Function/Action details) or there is something wrong.

          In the screenshot u can see, that my 2 backend System "GRC->..." are available in the dropdown list.

          The Functions are NOT assigned to them, they are assigned e.g. to SAP R3.

           

          Just for understanding... should the Action assigned to my backend system oder only to e.g. SAP R3 (and my backend system to the group SAP r3).

          Because I think, my backend system should be visible in this dropdown list, do they?

          weird.jpg

          I dont know, where i customized this, so they are visible in the dropdown list...

        • Re: GRC AC 10: RAR - no analysis results
          Rajesh GRC
          Currently Being Moderated

          Hi Colleen,

           

           

          I am running the ad hoc user risk analysis and it's working for some users and not working for other users. For the non-working users, I am not getting any results at all. when I run the analysis at the permission level/action . We are on SP10. All rules have been generated and all jobs have been schdueled. I also ran it by including mitigated risks for just one risk. Any ideas on what could be  possibly wrong. We are doing a migration from Virsa to GRC 10 and just trying to validate/compare the user analysis results we got from Virsa to GRC 10. Virsa shows the user's violations but AC 10 is coming up BLANK for this user but I see that this user's riks are gnerated when I go to GRACACTRULE and also in NWBC. All the batch jobs and synchm jobs were sucessfully completeed as well. Any ideas?

           

           

          This is very urgent for me...I will appreciate if anyone has a feedback.

           

          My second question is unrelated. Currently we have only ONE ruleset - our customized ruleset that we migrated from our Virsa system.  When you go into GRC NWBC. our permissions and rules are pointing at our physical connector which was created in Sm59 but my question is 1) should we create a custom connector group for this connector and assign the connector to the custom connector group? or should we assign it to the SAP_BAS_LG connector group? or SAP NHR_LG connector group? Why or why not? What does the connector group control or impact:?

           

          2) We would like to house our custom rules as described above and GLOBAL rules as well in AC 10. Should we create another physical connector for our global rules ? or should we use the same connector that we used in  (1) above for the custom rules but assign the connector to a different connector group e.g SAP_BAS_LG and SAP_NHR_LG.

      • Re: GRC AC 10: RAR - no analysis results
        Prashant Kumar
        Currently Being Moderated

        Hi,

         

        I see that you have selected as * for Custom group. Kindly check if there is any custom group is maintained in GRC box, if not I woul drequest you to remove the Custom group field from selction criteria or keep it blank instead of * .  This is because * is not valid enrty for custom group.

         

        Kindly try running the risk analysis after making the above correction.

         

        let me know if you are successfull

         

        Regards,

         

        Prashant Kumar

    • Re: GRC AC 10: RAR - no analysis results
      Pradeep Agarwal
      Currently Being Moderated

      Hi Colleen

       

      I am trying to upload the custom rulebook .I have modified all the 9 files and kept only Z Risks with Z functions.

      When I run execute button for upload it stucks at the Risk file giving an error message "Cannot Interpret the data in the file".Also what are these codes denotes in that file.

       

      Regards

      Pradeep

  • Re: GRC AC 10: RAR - no analysis results
    Japneet Singh
    Currently Being Moderated

    Hi Edgar,

     

    Do you have the users and the roles in the repository tables.Please check the following tables

     

    GRACUSERCONN

    GRACRLCONN

     

    Please make sure that the entries for the specific connector exist in these tables.

     

    Also make sure that the rules for the risks are generated, Check for the entries in the table GRACACTRULE.

     

    If you have recently upgraded to the SP 11, Impliment the notes mentioned by colleen, This was a known bug in SP11.

     

     

    For the BRM Role, yoiu will have to import all the roles from the backend to the BRM using the Role import functionality.Once this is done, Run the Sync job again.

     

    I hope this will help.

     

    Thanks & Regards

    Japneet Singh

    • Re: GRC AC 10: RAR - no analysis results
      Edgar Hettmann
      Currently Being Moderated

      Hi Japneet.

       

      after importing the roles, now the roles show up in BRM :-) thanks.

       

      But my RAR issue still exist :-( (see screenshot above)

      • Re: GRC AC 10: RAR - no analysis results
        Japneet Singh
        Currently Being Moderated

        Hi Edgar,

         

        Looking at the screenshot,There are 2 possiabilities

         

        1. There are no users in the GRC Repository.Please use the Tcode Se16 and check the entries in the tables GRACUSERCONN.


        2.The rules are not generated. Please check the table GRACACTRULE.

         

        Please provide the screenshot of both the tables.

         

        Thanks & Regards

        Japneet Singh

        • Re: GRC AC 10: RAR - no analysis results
          Edgar Hettmann
          Currently Being Moderated

          Hi Japneet,

           

          GRACUSERCONN: all Users from all backend systems are stored in table GRACUSERCONN.

          GRACACTRULE: altough i generated alls Risk IDs, in table GRACACTRULE there are only entries for Risk ID=B001

           

          i dont get it... i even rerun all the jobs... still no results (still like in screenshot)

          • Re: GRC AC 10: RAR - no analysis results
            Japneet Singh
            Currently Being Moderated

            Dear Edgar,

             

            The issue here is the rules.The rules are not generated.

             

            The tables GRACACTRULE stores the action rules.You will have to regenrate the rules as the table does not have any entries apart from the Risk ID B001.

             

            Once the rules are generated properily,You will get the violations.

             

            Thanks & Regards

            Japneet singh

            • Re: GRC AC 10: RAR - no analysis results
              Edgar Hettmann
              Currently Being Moderated

              Hi Japneet,

               

              to be sure, i activated again all the BC Rule Sets:

               

              GRAC_RA_RULESET_COMMON (OK)

              GRAC_RA_RULESET_SAP_R3 (warnings)

              GRAC_RA_RULESET_SAP_HR (warnings)

              GRAC_RA_RULESET_SAP_NHR (warnings)

              GRAC_RA_RULESET_SAP_BASIS (warnings)

              GRAC_RA_RULESET_SAP_APO (warnings)

              GRAC_RA_RULESET_SAP_CRM (warnings)

              GRAC_RA_RULESET_SAP_ECCS (warnings)

              GRAC_RA_RULESET_SAP_SRM (warnings)

              GRAC_RA_RULESET_JDE (warnings)

              GRAC_RA_RULESET_ORACLE (warnings)

              GRAC_RA_RULESET_PSOFT (warnings)

               

              ONLY GRAC_RA_RULESET_COMMON could be activated without any warning.

              The activation of the other Rule Sets ended with warnings!

               

              e.g. "GRAC_RA_RULESET_SAP_R3 Activation ended with
              warnings:

              GRFNVC_CCI_TS_CONNECTOR

              View V_GRFNCONNTYPE: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCCICONNECT: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCCISSEQCON: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCONNGRP: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCGRPCONLNK: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

              Activation of customizing object GRFNVC_CCI_TS_CONNECTOR ended with warning

               

              GRAC_RA_RULESET_SAP_R3

              View V_GRFNCONNTYPE: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCCICONNECT: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCONNGRPTYP: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

              View V_GRFNCGRPCONLNK: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

              Activation of customizing object VC_GRFN_CCI_TS_CONNECTOR ended with warning"

               

              Also see attachment for the whole Activation Log

               

              Maybe thats the reason, why the Rules wont be generated?!

              • Re: GRC AC 10: RAR - no analysis results
                Colleen Lee
                Currently Being Moderated

                Hi Edgar

                 

                These tables should be populated with the BC Sets you are trying to activate.

                 

                VC_GRFN_CCI_TS_CONNECTOR is all of the views merged together to make up the IMG screen below

                 

                Please go to IMG > Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types

                 

                For View V_GRFNCONNTYPE please check you have these values on the first screen:

                Note: BUSINESS may not exist but if you intend to create Business roles in ERM you will need this connector type (there was a SAP note providing this information).

                 

                 

                For Views V_GRFNCCICONNECT  and V_GRFNCCISSEQCON- These are the connectors you create and define under "Define Connectors" and "Define Subsequent Connectors"

                 

                For View V_GRFNCONNGRP this is Define Connector Groups. You should have the following values:

                 

                For View V_GRFNCGRPCONLNK this is the "Assign Connectors to Connector Groups" - thisis where you map your connector to the Connection Group. This is also the link for SAP to know your system belongs to that group for the Risk.

                 

                I would recommend you review this configuration (integration framework) to ensure you have it all in place

                 

                In addition, you also need to ensure that you have completed IMG step "Maintain Connection Settings" to map your connectors to the integration scenarios of AUTH, ROLMG, SUPMG and PROV

                 

                 

                Did you activate the BC sets in the same order you listed above? I recall in a post the COMMON set must be done first.

                • Re: GRC AC 10: RAR - no analysis results
                  Edgar Hettmann
                  Currently Being Moderated

                  Hi Colleen,

                   

                  I still dont know, why the activation of the BC sets end with warnings... and yes, I activated them in the same order I listed above.

                   

                  Well, I managed, that the table GRACACTRULE now contains all entries from all Risk IDs.

                  But still, no results in the reports (user/role/profile level), even though some dashboards (e.g. Access Dashboards > Role Analysis) give me results!

                   

                  To make sure, 1 role contains a SoD violation, i created a role using GRC ERM containing functions BS04 & BS11 (that mean, this role should give a SoD violation for Risk ID B005).

                  Therefore i simply added those two functions during ERM step "Maintain Authorizations".

                   

                  The creation of this role (single role) was successfully and i reran all the sync jobs.

                  But when i start again the Access Risk Analysis for Role Level, no results are displayed!!!

                  So it doesnt show, that this new role violate Risk ID B005?!?!?!

                   

                  Do i have to ensure anything else? maybe some role specifics?

                  Because somehow i also cannot request this new role via Access Request Management (role isnt  available for selection)?!

                  • Re: GRC AC 10: RAR - no analysis results
                    Colleen Lee
                    Currently Being Moderated

                    Hi Edgar

                     

                    I'm probably repeating a large portion already mentioned in this thread but easier to keep it altogether. I'm assuming your connector group is SAP_R3_LG based on functions and risks you listed

                     

                    CONFIGURATION IN IMG

                     

                    Integration Framework

                    • Create Connectors - you created your SM59 connector, tested it works, etc
                    • Maintain Connectors and Connection Types -
                      • Connection type definition - there is a connection type entry for SAP
                      • Define Connectors - You have added your Connector and mapped it to connector type SAP with Logical Port (value from BD54 - most likely your RFC Name); max number of background work process. Define Subsequent Connectors not required for SAP
                      • Define Connector Groups - You have the Connector Group SAP_R3_LG
                        • Assign Connector Groups to Group  Types - Connector Group SAP_R3_LG has Logical Group Mapped
                        • Assign Connectors to Connector Groups - Your connector is mapped for Connection Type SAP
                    • Maintain Connection Settings - For Each Scenario: AUTH, ROLMG, PROV and SUPM - you have the Scenario-Connector Link completed to add your Connector for Connection Type SAP

                     

                     

                    Access Controls Configuration relating to Connectors

                    • Maintain Connector Settings
                      • Your Target Connector (RFC Connection) has Application Type 01 for SAP. Attributes do not need to be assigned
                    • Maintain Mapping for Actions and Connector Groups:
                      • You have a connection group entry for SAP_R3_LG marked as Active and mapped to Application 001 - SAP
                      • Assign default connector to connector group:
                        • Maintain Connector Group Status: Connection Group SAP_R3_LG should be active for Application Type 001 (SAP)
                        • Assign default connector to connector group: check the SAP_R3_LG group has your target connectors mapped for Action 0002 - Role Risk Analysis (also suggest actions 0001 to 0004; add 0005 if you have HR Trigger). No Group Field Mapping or parameter mapping would be required

                     

                    Othe IMG Configuration

                    • Maintain Access Risk Levels - You have the Risk Levels for Low, Medium, High and Critical (I think are included as part of Add On)
                    • Maintain Business Processes - You have business process values to match the risk

                     

                     

                    Configuration Parameters

                    The following Configuration Parameters will impact RAR (Group 03). Values in bold may impact exclusions for results. GRACCONFIG table contains the defaults. GRACCONFIGSET are any values you have entered in the Maintain Configuration Parameters

                     

                    1021    Consider Org Rules for other applications

                    1022    Connector for which Object Ids may be maintained case sensitive

                    1023    Default report type for risk analysis

                    1024    Default risk level for risk analysis

                    1025    Default rule set for risk analysis

                    1026    Default user type for risk analysis

                    1027    Enable Offline Risk Analysis [Make NO or you need to complete the batch analysis]

                    1028    Include Expired Users

                    1029    Include Locked Users

                    1030    Include Mitigated Risks

                    1031    Ignore Critical Roles & Profiles

                    1032    Include Reference user when doing user analysis

                    1033    Include Role/Profile Mitigating Controls in Risk Analysis

                    1034    Max number of objects in a package for parallel processing

                    1035    Send email notification to the monitor of the updated mitigated object

                    1036    Show All Objects in Risk Analysis

                    1037    Use SoD Supplementary Table for Analysis.

                    1046    Extended objects enabled connector

                    1048    Business View for Risk Analysis is enabled

                     

                    particular ones to check would be:

                    1012    Consider Rule Id also for mitigation assignment

                    1013    Consider System for mitigation assignment

                    1022    Connector for which Object Ids may be maintained case sensitive

                    1026    Default user type for risk analysis

                    1027    Enable Offline Risk Analysis

                    1051    Max number of objects in a file or database record

                    1100    Enable the authorization logging

                     

                     

                    Rule set and NWBC Data

                    • You have the rule set activated - I would recommend your Active the two functions and risk via NWBC again
                    • Your SoD Risk is mapped to the rule set that you are using in your report
                    • Do you have mitigating controls built and assigned?

                     

                    Synch Jobs

                    • You have executed the synch job for object repository for users, roles and profiles for the Connector mapped to SAP_R3_LG

                     

                    Your Report Information

                    What does your initial selection criteria look like? Are you leaving any fields blank (if so remove them). Also, do you have users and roles mitigated result in exclusion from results - tick box on selection criteria? Can you try running the report for the specific role and risk?

                     

                    Key Tables checked in the report (based on ST05 trace for Single Role analysis for specific system)

                    GRACACTIONSYST    Action Connector Text Table

                    GRACBPROC    Business Process

                    GRACBPROCT    Business Process Text

                    GRACCRPROFILE    Critical Profile Rule

                    GRACCRROLE    Critical Role Rule

                    GRACMITROLE    Role mitigating control assignment

                    GRACRISKLEVELT    Risk Level Descriptions

                    GRACRLCONN    Store roles in backend system, incl roles not maint. in ERM

                    GRACRLCONNT    Table to store role description in backend system

                    GRACSODREPDATA    SOD Reporting Framework content

                    GRACSODREPINDEX    SOD Reporting Framework index

                    GRACSODREPSTATUS    Report status

                    GRACSYSRULE    System Specific Rule Mapping

                    GRFNCCICONNECTOR    CCI Connector

                    GRFNCGRPCONLK    Connector Group and Connector Type Link

                    GRFNCONNGRP    Connector Group definition

                    GRFNCONNGRPT    Connector Group Description

                    GRFNCONNGRPTYPE    Connector Group Type Definition

                    GRFNCONNSCNLK    Connector Scenario Link

                    GRFNFLDHR    HR Configurable Fields

                    GRFNFREQUENCYS    Timeframe Frequencies - SAP delivered entries

                    GRFNSCNCTYPLK    Sub Scenario Definition

                    HRP5354    DB Table for Infotype 5354

              • Re: GRC AC 10: RAR - no analysis results
                Paul Matthews
                Currently Being Moderated

                Hi Edgar,

                 

                Did you resolve the Warning issues for the BC activations and if not did it affect your results or have any consequences later ?

                 

                Cheers

  • Re: GRC AC 10: RAR - no analysis results
    Nandita Varshney
    Currently Being Moderated

    Hi Edgar,

     

    Kindly review/implemnt the sap note-1824956 .This should help in resolving this issue as there were few issues with the Risk Analysis results reported in SP11.

     

    Best Regaads,

     

    Nandita

  • Re: GRC AC 10: RAR - no analysis results
    Paul Matthews
    Currently Being Moderated

    Hi,

     

    I have a very similar problem, in that the results do not show. I did post another thread but it seems to have disappeared.I'm going to go through this and other similar threads once more and thoroughly check my all my configurations and then give you guys more details - so bear with me .

     

     

    Regards

    Paul

  • Re: GRC AC 10: RAR - no analysis results
    Picho Hernandez
    Currently Being Moderated

    Hello, i am also having the same issue, even if i all fields are in blank, it doesnt display.

    Could you help me on this? i would like to perform a role analysis for Z Roles only.

    Thanks

    Picho

    • Re: GRC AC 10: RAR - no analysis results
      Colleen Lee
      Currently Being Moderated

      all fields are in blank

       

      Hi Picho

       

      do not leave the fields as blank

       

      What have you done so far to configure your ruleset and map connectors? Also, what SP are you one as there were some issues recently for SP upgrade to 14 (I think)

       

      Regards

      Colleen

      • Re: GRC AC 10: RAR - no analysis results
        Picho Hernandez
        Currently Being Moderated

        Hello Colleen, i am trying to launch risk analysis but it is not working, i have perfomrmed all actions above but when i try to simulate analysis, it does not work.

        Connectors are ok because every day job is running to get all new ecc roles, so i don´t know what else i can test or review in spro.

        IEven if i don´t levae fields in blank does not get anything.

        I am using default rule set and all bc sets are activated propertly.

        Thanks

        Picho

        • Re: GRC AC 10: RAR - no analysis results
          Colleen Lee
          Currently Being Moderated

          Hi Picho

           

          Did you generate the rule set. And does the logical systems in the rule set match the logical systems that you connectors are mapped to?

           

          Possibly try creating a function for a system and assigning to risk and then generate. Run risks analysis against this risk. It would then at least tell you if the issue is with your rule set or the report/connectors?

           

          Regards

          Colleen