
GRC AC 10: RAR - no analysis results

Former Member
0 Kudos

Hello,

I configured my system according to the configuration guides.

But when I start e.g. Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed!?

I ran all the Sync Jobs and SLG1 doesn't give me any errors.

FF and PSS both work fine.

FYI: Also in Business Role Management (BRM) no roles are displayed... maybe these two issues could be caused by the same problem?!

Thank you in advance

regards

Edgar

Accepted Solutions (1)


Colleen
Advisor
0 Kudos

Hi Edgar

For the ruleset - are you using the SAP standard as delivered in the BC Sets? If so, after activating them, did you generate them?

Also, which SP are you on, as there have been a few notes recently relating to No Violations displaying, such as below:

Note 1824956 - User Analysis Report shows "No violations"

Note 1817251 - User Analysis Report shows "No violations"

On your FYI comment about the BRM with NO roles displaying....

  1. Is this on the role repository in NWBC?
  2. Did you complete the Role Import in NWBC to pull the role definitions into the repository (this is not the same as the synch)?

For both issues - have you completed Maintain Connection Settings in the Integration Framework for ROLEMG, PROV, AUTH and SUPGM?

Former Member
0 Kudos

Hi Colleen,

Thanks for your helpful response!

Yes, I use the pre-delivered BC Sets/rulesets.

Yes, after activation, I generated the SoD Rules in Governance, Risk and Compliance > Access Risk Analysis > SoD Rules > Generate SoD Rules (slide 13 of AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis.pdf), if you mean that.

I am running GRC on SP12, so Note 1817251 is already implemented.

Now I have implemented Note 182456.

But still NO Risk Analysis result in Access Management > Access Risk Analysis > User/Role/Profile Level (screenshot)

According to my BRM issue:

I didn't know that I have to import all the roles first... and thought a sync would be enough.

Now I imported the roles from my backend systems and now they show up in BRM 🙂 thank you!

Any other suggestions for my RAR issue?

Thanks in advance

Colleen
Advisor
0 Kudos

Hi

Other things to check

Configuration parameters for risk analysis - see if you are excluding any users (e.g. locked)

Look at the functions in the rule set for the connector group they are against and check to see if your connectors are in the same group?

Rerun your full object synch since importing roles

Sorry messaging from phone so can't provide steps

Former Member
0 Kudos

Hi Colleen,

I found something weird. Maybe I just don't get the sense of the field "System" (in Function/Action details) or there is something wrong.

In the screenshot you can see that my 2 backend systems "GRC->..." are available in the dropdown list.

The Functions are NOT assigned to them, they are assigned e.g. to SAP R3.

Just for understanding... should the Action be assigned to my backend system or only to e.g. SAP R3 (and my backend system to the group SAP R3)?

Because I think, my backend system should be visible in this dropdown list, do they?

I don't know where I customized this, so they are visible in the dropdown list...

Former Member
0 Kudos

Dear Edgar,

I guess the SAP R3 is the logical group. Just make sure that

1. The physical system (Connector) for which you are running the risk analysis is part of the logical group.

2. The rules exist for the logical group (GRACACTRULE).

Thanks & Regards

Japneet singh

Former Member
0 Kudos

Hi Colleen,

I am running the ad hoc user risk analysis and it's working for some users and not working for other users. For the non-working users, I am not getting any results at all when I run the analysis at the permission level/action. We are on SP10. All rules have been generated and all jobs have been scheduled. I also ran it by including mitigated risks for just one risk. Any ideas on what could possibly be wrong? We are doing a migration from Virsa to GRC 10 and just trying to validate/compare the user analysis results we got from Virsa to GRC 10. Virsa shows the user's violations but AC 10 is coming up BLANK for this user, but I see that this user's risks are generated when I go to GRACACTRULE and also in NWBC. All the batch jobs and synch jobs were successfully completed as well. Any ideas?

This is very urgent for me... I will appreciate it if anyone has feedback.

My second question is unrelated. Currently we have only ONE ruleset - our customized ruleset that we migrated from our Virsa system. When you go into GRC NWBC, our permissions and rules are pointing at our physical connector which was created in SM59, but my question is 1) should we create a custom connector group for this connector and assign the connector to the custom connector group? Or should we assign it to the SAP_BAS_LG connector group? Or the SAP_NHR_LG connector group? Why or why not? What does the connector group control or impact?

2) We would like to house our custom rules as described above and GLOBAL rules as well in AC 10. Should we create another physical connector for our global rules? Or should we use the same connector that we used in (1) above for the custom rules but assign the connector to a different connector group, e.g. SAP_BAS_LG and SAP_NHR_LG?

Colleen
Advisor
0 Kudos

Hi Rajesh

Have you looked at which users fail and why? Configuration parameters can exclude objects

Secondly, when you run the report do not have any blank fields - remove them if you don't use them.

For the comparison - also check that your Ruleset - Risks and Functions are the same and are generated.

In mentioning SP10, did you look at the notes?

Note 1824956 - User Analysis Report shows "No violations"

Note 1817251 - User Analysis Report shows "No violations"

Anything else, I recommend a new thread and post some pictures and steps of what you have  attempted to do.

Former Member
0 Kudos

Hi,

I see that you have selected * for Custom group. Kindly check if there is any custom group maintained in the GRC box; if not, I would request you to remove the Custom group field from the selection criteria or keep it blank instead of *. This is because * is not a valid entry for custom group.

Kindly try running the risk analysis after making the above correction.

Let me know if you are successful.

Regards,

Prashant Kumar

Former Member
0 Kudos

Hi Colleen

I am trying to upload the custom rulebook. I have modified all the 9 files and kept only Z Risks with Z functions.

When I press the execute button for upload, it gets stuck at the Risk file, giving an error message "Cannot Interpret the data in the file". Also, what do these codes denote in that file?

Regards

Pradeep

Colleen
Advisor
0 Kudos

Hi Pradeep

How did you maintain the file - Notepad versus Excel?

I recommend you download a copy and then upload again to rule out any program issues. After that take care with maintenance so it stays in the format you downloaded

Regards

Colleen

Answers (4)


Former Member
0 Kudos

Hello, I am also having the same issue; even if all fields are in blank, it doesn't display.

Could you help me on this? I would like to perform a role analysis for Z Roles only.

Thanks

Picho

Colleen
Advisor
0 Kudos

all fields are in blank

Hi Picho

do not leave the fields as blank

What have you done so far to configure your ruleset and map connectors? Also, what SP are you on, as there were some issues recently for SP upgrade to 14 (I think)

Regards

Colleen

Former Member
0 Kudos

Hello Colleen, I am trying to launch risk analysis but it is not working. I have performed all actions above but when I try to simulate analysis, it does not work.

Connectors are OK because every day a job is running to get all new ECC roles, so I don't know what else I can test or review in SPRO.

Even if I don't leave fields in blank, it does not get anything.

I am using the default rule set and all BC sets are activated properly.

Thanks

Picho

Colleen
Advisor
0 Kudos

Hi Picho

Did you generate the rule set? And do the logical systems in the rule set match the logical systems that your connectors are mapped to?

Possibly try creating a function for a system and assigning to risk and then generate. Run risks analysis against this risk. It would then at least tell you if the issue is with your rule set or the report/connectors?

Regards

Colleen

Former Member
0 Kudos

Hi Everyone,

I am also facing the same issues. I have configured GRC AC 10.1 with SP10. Migrated the data from 5.3 system to 10.1.

No results while I run the risk analysis for users and roles in technical view, and the whole webpage is blank for remediation view.

I have thoroughly checked all the steps mentioned by Colleen, but still the issue exists. Also, I am not able to see the Actions when I try to create the custom functions.

All the Sync Jobs and SLG1 don't give me any errors. All the SoD rules have been generated. Currently I am using only one connector and connections have been done to the R3 logical group. Mapping has also been done.

Please suggest what I am missing.

Regards,

Latha

plaban_sahoo6
Contributor
0 Kudos

hi,

Is your connector group for the custom function different from the pre-delivered ones? If so, have you done a FULL AUTH sync? This will import the actions. Then you will be able to find the action for the connector.

Regards

plaban

Former Member
0 Kudos

Hi Plaban,

I am using the same connector group SAP_R3_LG for the custom function as well. The Full Auth sync job has also been run several times. Any more suggestions, please?

Regards,

Latha

Former Member
0 Kudos

Hello Latha,

I am also facing same issue. If you sorted this issue, can you please help me to do so ...?

Former Member
0 Kudos

Hi,

I have a very similar problem, in that the results do not show. I did post another thread but it seems to have disappeared. I'm going to go through this and other similar threads once more and thoroughly check all my configurations and then give you guys more details - so bear with me.

Regards

Paul

rudolf_dums2
Explorer
0 Kudos

Hi

I encountered the same problem...

Solution I found in http://scn.sap.com/thread/3446988

with Note 186073 - Complete data is not visible in Dashboard Pie chart

Regards

   Rudi

Former Member
0 Kudos

Hi Edgar,

Kindly review/implement SAP Note 1824956. This should help in resolving this issue, as there were a few issues with the Risk Analysis results reported in SP11.

Best Regards,

Nandita

Former Member
0 Kudos

Hi Edgar,

Do you have the users and the roles in the repository tables? Please check the following tables:

GRACUSERCONN

GRACRLCONN

Please make sure that the entries for the specific connector exist in these tables.

Also make sure that the rules for the risks are generated, Check for the entries in the table GRACACTRULE.

If you have recently upgraded to SP 11, implement the notes mentioned by Colleen. This was a known bug in SP11.

For the BRM Role, you will have to import all the roles from the backend to the BRM using the Role import functionality. Once this is done, run the Sync job again.

I hope this will help.

Thanks & Regards

Japneet Singh

Former Member
0 Kudos

Hi Japneet.

after importing the roles, now the roles show up in BRM 🙂 thanks.

But my RAR issue still exist 😞 (see screenshot above)

Former Member
0 Kudos

Hi Edgar,

Looking at the screenshot, there are 2 possibilities:

1. There are no users in the GRC Repository. Please use the Tcode SE16 and check the entries in the table GRACUSERCONN.

2. The rules are not generated. Please check the table GRACACTRULE.

Please provide the screenshot of both the tables.

Thanks & Regards

Japneet Singh

Former Member
0 Kudos

Hi Japneet,

GRACUSERCONN: all Users from all backend systems are stored in table GRACUSERCONN.

GRACACTRULE: although I generated all Risk IDs, in table GRACACTRULE there are only entries for Risk ID=B001

I don't get it... I even reran all the jobs... still no results (still like in screenshot)

Former Member
0 Kudos

Dear Edgar,

The issue here is the rules. The rules are not generated.

The table GRACACTRULE stores the action rules. You will have to regenerate the rules, as the table does not have any entries apart from the Risk ID B001.

Once the rules are generated properly, you will get the violations.

Thanks & Regards

Japneet singh
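The three checks suggested in this thread (users present for the connector in GRACUSERCONN, connector assigned to a connector group, rules present in GRACACTRULE for that group), combined into one triage pass over table exports. This is an added example, not part of any post and not SAP code; the CSV column names, `EXAMPLE_CONNECTOR` and `OTHER_GROUP` are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are assumed for illustration and
# are NOT the real SAP field names; map your SE16 export columns onto them.
USERS_CSV = """CONNECTOR,USER_ID
EXAMPLE_CONNECTOR,USER_A
EXAMPLE_CONNECTOR,USER_B
"""
GROUP_LINK_CSV = """CONNECTOR_GROUP,CONNECTOR
SAP_R3_LG,EXAMPLE_CONNECTOR
"""
# Mirrors the situation reported above: rules exist only for Risk ID B001.
RULES_CSV = """CONNECTOR_GROUP,RISK_ID,ACTION
SAP_R3_LG,B001,ACTION_A
SAP_R3_LG,B001,ACTION_B
"""


def load(text):
    """Parse a CSV export into a list of dicts with whitespace stripped."""
    return [
        {k.strip(): (v or "").strip() for k, v in row.items() if k}
        for row in csv.DictReader(io.StringIO(text))
    ]


def triage(connector, users, links, rules, expected_risks):
    """Return (code, subject) findings explaining an empty risk analysis."""
    findings = []

    # Check 1: repository sync delivered users for this connector.
    if not any(r["CONNECTOR"] == connector for r in users):
        findings.append(("NO_USERS", connector))

    # Check 2: the physical connector belongs to at least one connector group.
    groups = {r["CONNECTOR_GROUP"] for r in links if r["CONNECTOR"] == connector}
    if not groups:
        findings.append(("NO_GROUP", connector))

    # Check 3: each expected risk has generated rules, and those rules sit
    # under a group that this connector is actually a member of.
    groups_by_risk = {}
    for r in rules:
        groups_by_risk.setdefault(r["RISK_ID"], set()).add(r["CONNECTOR_GROUP"])
    for risk in expected_risks:
        rule_groups = groups_by_risk.get(risk, set())
        if not rule_groups:
            findings.append(("RULES_NOT_GENERATED", risk))
        elif groups and not (rule_groups & groups):
            findings.append(("GROUP_MISMATCH", risk))
    return findings


if __name__ == "__main__":
    result = triage("EXAMPLE_CONNECTOR", load(USERS_CSV), load(GROUP_LINK_CSV),
                    load(RULES_CSV), ["B001", "B005"])
    for code, subject in result:
        print(f"{code}: {subject}")
```

An empty result means none of these three causes applies, and the report selection criteria are the next place to look.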

Former Member
0 Kudos

Hi Japneet,

To be sure, I activated all the BC Rule Sets again:

GRAC_RA_RULESET_COMMON (OK)

GRAC_RA_RULESET_SAP_R3 (warnings)

GRAC_RA_RULESET_SAP_HR (warnings)

GRAC_RA_RULESET_SAP_NHR (warnings)

GRAC_RA_RULESET_SAP_BASIS (warnings)

GRAC_RA_RULESET_SAP_APO (warnings)

GRAC_RA_RULESET_SAP_CRM (warnings)

GRAC_RA_RULESET_SAP_ECCS (warnings)

GRAC_RA_RULESET_SAP_SRM (warnings)

GRAC_RA_RULESET_JDE (warnings)

GRAC_RA_RULESET_ORACLE (warnings)

GRAC_RA_RULESET_PSOFT (warnings)

ONLY GRAC_RA_RULESET_COMMON could be activated without any warning.

The activation of the other Rule Sets ended with warnings!

e.g. "GRAC_RA_RULESET_SAP_R3 Activation ended with
warnings:

GRFNVC_CCI_TS_CONNECTOR

View V_GRFNCONNTYPE: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCCICONNECT: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCCISSEQCON: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCONNGRP: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCGRPCONLNK: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels

Activation of customizing object GRFNVC_CCI_TS_CONNECTOR ended with warning

GRAC_RA_RULESET_SAP_R3

View V_GRFNCONNTYPE: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCCICONNECT: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCONNGRPTYP: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

View V_GRFNCGRPCONLNK: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels

Activation of customizing object VC_GRFN_CCI_TS_CONNECTOR ended with warning"

Also see the attachment for the whole Activation Log.

Maybe that's the reason why the Rules won't be generated?!

Colleen
Advisor
0 Kudos

Hi Edgar

These tables should be populated with the BC Sets you are trying to activate.

VC_GRFN_CCI_TS_CONNECTOR is all of the views merged together to make up the IMG screen below

Please go to IMG > Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types

For View V_GRFNCONNTYPE please check you have these values on the first screen:

Note: BUSINESS may not exist but if you intend to create Business roles in ERM you will need this connector type (there was a SAP note providing this information).

For Views V_GRFNCCICONNECT and V_GRFNCCISSEQCON - these are the connectors you create and define under "Define Connectors" and "Define Subsequent Connectors"

For View V_GRFNCONNGRP this is Define Connector Groups. You should have the following values:

For View V_GRFNCGRPCONLNK this is the "Assign Connectors to Connector Groups" - this is where you map your connector to the Connection Group. This is also the link for SAP to know your system belongs to that group for the Risk.

I would recommend you review this configuration (integration framework) to ensure you have it all in place

In addition, you also need to ensure that you have completed IMG step "Maintain Connection Settings" to map your connectors to the integration scenarios of AUTH, ROLMG, SUPMG and PROV

Did you activate the BC sets in the same order you listed above? I recall in a post the COMMON set must be done first.

Former Member
0 Kudos

Hi Colleen,

I still don't know why the activation of the BC sets ends with warnings... and yes, I activated them in the same order I listed above.

Well, I managed that the table GRACACTRULE now contains all entries from all Risk IDs.

But still, no results in the reports (user/role/profile level), even though some dashboards (e.g. Access Dashboards > Role Analysis) give me results!

To make sure 1 role contains a SoD violation, I created a role using GRC ERM containing functions BS04 & BS11 (that means this role should give a SoD violation for Risk ID B005).

Therefore I simply added those two functions during ERM step "Maintain Authorizations".

The creation of this role (single role) was successful and I reran all the sync jobs.

But when I start the Access Risk Analysis for Role Level again, no results are displayed!!!

So it doesn't show that this new role violates Risk ID B005?!?!?!

Do I have to ensure anything else? Maybe some role specifics?

Because somehow I also cannot request this new role via Access Request Management (role isn't available for selection)?!

Colleen
Advisor
0 Kudos

Hi Edgar

I'm probably repeating a large portion already mentioned in this thread but easier to keep it altogether. I'm assuming your connector group is SAP_R3_LG based on functions and risks you listed

CONFIGURATION IN IMG

Integration Framework

  • Create Connectors - you created your SM59 connector, tested it works, etc
  • Maintain Connectors and Connection Types -
    • Connection type definition - there is a connection type entry for SAP
    • Define Connectors - You have added your Connector and mapped it to connector type SAP with Logical Port (value from BD54 - most likely your RFC Name); max number of background work process. Define Subsequent Connectors not required for SAP
    • Define Connector Groups - You have the Connector Group SAP_R3_LG
      • Assign Connector Groups to Group  Types - Connector Group SAP_R3_LG has Logical Group Mapped
      • Assign Connectors to Connector Groups - Your connector is mapped for Connection Type SAP
  • Maintain Connection Settings - For Each Scenario: AUTH, ROLMG, PROV and SUPM - you have the Scenario-Connector Link completed to add your Connector for Connection Type SAP

Access Controls Configuration relating to Connectors

  • Maintain Connector Settings
    • Your Target Connector (RFC Connection) has Application Type 01 for SAP. Attributes do not need to be assigned
  • Maintain Mapping for Actions and Connector Groups:
    • You have a connection group entry for SAP_R3_LG marked as Active and mapped to Application 001 - SAP
    • Assign default connector to connector group:
      • Maintain Connector Group Status: Connection Group SAP_R3_LG should be active for Application Type 001 (SAP)
      • Assign default connector to connector group: check the SAP_R3_LG group has your target connectors mapped for Action 0002 - Role Risk Analysis (also suggest actions 0001 to 0004; add 0005 if you have HR Trigger). No Group Field Mapping or parameter mapping would be required

Other IMG Configuration

  • Maintain Access Risk Levels - You have the Risk Levels for Low, Medium, High and Critical (I think are included as part of Add On)
  • Maintain Business Processes - You have business process values to match the risk

Configuration Parameters

The following Configuration Parameters will impact RAR (Group 03). Values in bold may impact exclusions for results. GRACCONFIG table contains the defaults. GRACCONFIGSET are any values you have entered in the Maintain Configuration Parameters

1021    Consider Org Rules for other applications

1022    Connector for which Object Ids may be maintained case sensitive

1023    Default report type for risk analysis

1024    Default risk level for risk analysis

1025    Default rule set for risk analysis

1026    Default user type for risk analysis

1027    Enable Offline Risk Analysis [Make NO or you need to complete the batch analysis]

1028    Include Expired Users

1029    Include Locked Users

1030    Include Mitigated Risks

1031    Ignore Critical Roles & Profiles

1032    Include Reference user when doing user analysis

1033    Include Role/Profile Mitigating Controls in Risk Analysis

1034    Max number of objects in a package for parallel processing

1035    Send email notification to the monitor of the updated mitigated object

1036    Show All Objects in Risk Analysis

1037    Use SoD Supplementary Table for Analysis.

1046    Extended objects enabled connector

1048    Business View for Risk Analysis is enabled

particular ones to check would be:

1012    Consider Rule Id also for mitigation assignment

1013    Consider System for mitigation assignment

1022    Connector for which Object Ids may be maintained case sensitive

1026    Default user type for risk analysis

1027    Enable Offline Risk Analysis

1051    Max number of objects in a file or database record

1100    Enable the authorization logging

Rule set and NWBC Data

  • You have the rule set activated - I would recommend you activate the two functions and risk via NWBC again
  • Your SoD Risk is mapped to the rule set that you are using in your report
  • Do you have mitigating controls built and assigned?

Synch Jobs

  • You have executed the synch job for object repository for users, roles and profiles for the Connector mapped to SAP_R3_LG

Your Report Information

What does your initial selection criteria look like? Are you leaving any fields blank (if so remove them). Also, do you have users and roles mitigated result in exclusion from results - tick box on selection criteria? Can you try running the report for the specific role and risk?

Key Tables checked in the report (based on ST05 trace for Single Role analysis for specific system)

GRACACTIONSYST    Action Connector Text Table

GRACBPROC    Business Process

GRACBPROCT    Business Process Text

GRACCRPROFILE    Critical Profile Rule

GRACCRROLE    Critical Role Rule

GRACMITROLE    Role mitigating control assignment

GRACRISKLEVELT    Risk Level Descriptions

GRACRLCONN    Store roles in backend system, incl roles not maint. in ERM

GRACRLCONNT    Table to store role description in backend system

GRACSODREPDATA    SOD Reporting Framework content

GRACSODREPINDEX    SOD Reporting Framework index

GRACSODREPSTATUS    Report status

GRACSYSRULE    System Specific Rule Mapping

GRFNCCICONNECTOR    CCI Connector

GRFNCGRPCONLK    Connector Group and Connector Type Link

GRFNCONNGRP    Connector Group definition

GRFNCONNGRPT    Connector Group Description

GRFNCONNGRPTYPE    Connector Group Type Definition

GRFNCONNSCNLK    Connector Scenario Link

GRFNFLDHR    HR Configurable Fields

GRFNFREQUENCYS    Timeframe Frequencies - SAP delivered entries

GRFNSCNCTYPLK    Sub Scenario Definition

HRP5354    DB Table for Infotype 5354

Former Member
0 Kudos

Hi Colleen,

Thank you very much for your helpful and detailed posts, really appreciated 🙂

All the configuration steps you mentioned were already set correctly.

I got the "issue" fixed, even if it wasn't really an issue.

The point is, the default fields "System" and "User"/"Role"/"Object ID" mustn't be empty. When they are empty, the reports don't show any results.

If you want to analyze ALL Objects, you have to fill in '*' (not blank!)

BUT - just for understanding:

The analysis in Access Management > Access Risk Analysis > User/Role/Profile Level WORK!

The analysis reports in Reports and Analytics > Access Risk Analysis Reports > User/Role/Profile Risk Violation DON'T WORK (no results)!

Why? Because for me they ("Access Risk Analysis" & "Access Risk Analysis Reports") do the same.

Colleen
Advisor
0 Kudos

Glad to hear working. I'm not sure on differences - possibly selection of data for tables

I treat moments like these as "SAP is a special beast"

Former Member
0 Kudos

Excellent thread - should be a sticky!

Once again great advice, Colleen. I'm wading through this to sort out my similar issue, for which I've posted a thread too.

Great job guys! Now let me delve into my issue... and get to the bottom of it.

Former Member
0 Kudos

Hi Edgar,

Did you resolve the Warning issues for the BC activations and if not did it affect your results or have any consequences later ?

Cheers

Former Member
0 Kudos

Hi Paul,

no, there are still warnings... I don't know if those warnings could have any consequences later, because I am working on a sandbox GRC machine which is still under "construction".

regards

Colleen
Advisor
0 Kudos

thanks Paul

good luck with resolving your issues - hopefully you'll figure it out