I configured my system according to the configuration guides.
But when I start e.g. Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed!?
I ran all the Sync Jobs and SLG1 doesn't give me any errors.
FF and PSS both work fine.
FYI: Also in Business Role Management (BRM) no roles are displayed... maybe these two issues could be caused by the same problem?!
Thank you in advance
For the ruleset - are you using the SAP standard as delivered in the BC Sets? If so, after activating them, did you generate them?
Also, which SP are you on, as there have been a few notes recently relating to No Violations displaying such as below:
Note 1817251 - User Analysis Report shows "No violations"
On your FYI comment about the BRM with NO roles displaying....
For both issues - have you completed Maintain Connection Settings in the Integration Framework for ROLMG, PROV, AUTH and SUPMG?
Thanks for your helpful response!
Yes, I use the pre-delivered BC Sets/rulesets.
Yes, after activation, I generated the SoD Rules in Governance, Risk and Compliance > Access Risk Analysis > SoD Rules > Generate SoD Rules (slide 13 of AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis.pdf), if you mean that.
I am running GRC on SP12, so Note 1817251 is already implemented.
Now I have implemented Note 182456.
But still NO Risk Analysis result in Access Management > Access Risk Analysis > User/Role/Profile Level (screenshot)
According to my BRM issue:
I didn't know that I have to import all the roles first... and thought a sync would be enough.
Now I imported the roles from my backend systems and now they show up in BRM :-) Thank you!
Any other suggestions for my RAR issue?
Thanks in advance
Other things to check
Configuration parameters for risk analysis - see if you are excluding any users (e.g. locked)
Look at the functions in the rule set for the connector group they are against and check to see if your connectors are in the same group?
Rerun your full object synch since importing roles
Sorry, messaging from phone so can't provide steps
I found something weird. Maybe I just don't get the sense of the field "System" (in Function/Action details) or there is something wrong.
In the screenshot you can see that my 2 backend systems "GRC->..." are available in the dropdown list.
The Functions are NOT assigned to them, they are assigned e.g. to SAP R3.
Just for understanding... should the Action be assigned to my backend system or only to e.g. SAP R3 (and my backend system to the group SAP R3)?
Because I think, my backend system should be visible in this dropdown list, do they?
I don't know where I customized this, so they are visible in the dropdown list...
I am running the ad hoc user risk analysis and it's working for some users and not working for other users. For the non-working users, I am not getting any results at all when I run the analysis at the permission level/action. We are on SP10. All rules have been generated and all jobs have been scheduled. I also ran it by including mitigated risks for just one risk. Any ideas on what could possibly be wrong? We are doing a migration from Virsa to GRC 10 and just trying to validate/compare the user analysis results we got from Virsa to GRC 10. Virsa shows the user's violations but AC 10 is coming up BLANK for this user, but I see that this user's risks are generated when I go to GRACACTRULE and also in NWBC. All the batch jobs and synch jobs were successfully completed as well. Any ideas?
This is very urgent for me... I will appreciate it if anyone has feedback.
My second question is unrelated. Currently we have only ONE ruleset - our customized ruleset that we migrated from our Virsa system. When you go into GRC NWBC, our permissions and rules are pointing at our physical connector which was created in SM59, but my question is: 1) Should we create a custom connector group for this connector and assign the connector to the custom connector group? Or should we assign it to the SAP_BAS_LG connector group? Or the SAP_NHR_LG connector group? Why or why not? What does the connector group control or impact?
2) We would like to house our custom rules as described above and GLOBAL rules as well in AC 10. Should we create another physical connector for our global rules? Or should we use the same connector that we used in (1) above for the custom rules but assign the connector to a different connector group, e.g. SAP_BAS_LG and SAP_NHR_LG?
Have you looked at which users fail and why? Configuration parameters can exclude objects.
Secondly, when you run the report do not have any blank fields - remove them if you don't use them.
For the comparison - also check that your Ruleset - Risks and Functions are the same and are generated.
In mentioning SP10, did you look at the notes?
Anything else, I recommend a new thread and post some pictures and steps of what you have attempted to do.
I see that you have selected * for Custom group. Kindly check if there is any custom group maintained in the GRC box; if not, I would request you to remove the Custom group field from the selection criteria or keep it blank instead of *. This is because * is not a valid entry for custom group.
Kindly try running the risk analysis after making the above correction.
Let me know if you are successful.
I am trying to upload the custom rulebook. I have modified all the 9 files and kept only Z Risks with Z functions.
When I press the execute button for upload, it gets stuck at the Risk file, giving an error message "Cannot Interpret the data in the file". Also, what do these codes denote in that file?
Do you have the users and the roles in the repository tables? Please check the following tables
Please make sure that the entries for the specific connector exist in these tables.
Also make sure that the rules for the risks are generated. Check for the entries in the table GRACACTRULE.
If you have recently upgraded to SP 11, implement the notes mentioned by Colleen. This was a known bug in SP11.
For the BRM Role, you will have to import all the roles from the backend to the BRM using the Role import functionality. Once this is done, run the Sync job again.
I hope this will help.
Thanks & Regards
Looking at the screenshot, there are 2 possibilities:
1. There are no users in the GRC Repository. Please use the Tcode SE16 and check the entries in the table GRACUSERCONN.
2. The rules are not generated. Please check the table GRACACTRULE.
Please provide the screenshot of both the tables.
Thanks & Regards
GRACUSERCONN: all Users from all backend systems are stored in table GRACUSERCONN.
GRACACTRULE: although I generated all Risk IDs, in table GRACACTRULE there are only entries for Risk ID=B001
I don't get it... I even reran all the jobs... still no results (still like in screenshot)
The issue here is the rules. The rules are not generated.
The table GRACACTRULE stores the action rules. You will have to regenerate the rules as the table does not have any entries apart from the Risk ID B001.
Once the rules are generated properly, you will get the violations.
Thanks & Regards
To be sure, I activated again all the BC Rule Sets:
ONLY GRAC_RA_RULESET_COMMON could be activated without any warning.
The activation of the other Rule Sets ended with warnings!
e.g. "GRAC_RA_RULESET_SAP_R3 Activation ended with
View V_GRFNCONNTYPE: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCCICONNECT: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCCISSEQCON: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCONNGRP: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCGRPCONLNK: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
Activation of customizing object GRFNVC_CCI_TS_CONNECTOR ended with warning
View V_GRFNCONNTYPE: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCCICONNECT: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCONNGRPTYP: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCGRPCONLNK: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
Activation of customizing object VC_GRFN_CCI_TS_CONNECTOR ended with warning"
Also see attachment for the whole Activation Log
Maybe that's the reason why the rules won't be generated?!
These tables should be populated with the BC Sets you are trying to activate.
VC_GRFN_CCI_TS_CONNECTOR is all of the views merged together to make up the IMG screen below
Please go to IMG > Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
For View V_GRFNCONNTYPE please check you have these values on the first screen:
Note: BUSINESS may not exist but if you intend to create Business roles in ERM you will need this connector type (there was a SAP note providing this information).
For Views V_GRFNCCICONNECT and V_GRFNCCISSEQCON- These are the connectors you create and define under "Define Connectors" and "Define Subsequent Connectors"
For View V_GRFNCONNGRP this is Define Connector Groups. You should have the following values:
For View V_GRFNCGRPCONLNK this is the "Assign Connectors to Connector Groups" - this is where you map your connector to the Connection Group. This is also the link for SAP to know your system belongs to that group for the Risk.
I would recommend you review this configuration (integration framework) to ensure you have it all in place
In addition, you also need to ensure that you have completed IMG step "Maintain Connection Settings" to map your connectors to the integration scenarios of AUTH, ROLMG, SUPMG and PROV
Did you activate the BC sets in the same order you listed above? I recall in a post the COMMON set must be done first.
I still don't know why the activation of the BC sets ends with warnings... and yes, I activated them in the same order I listed above.
Well, I managed to get the table GRACACTRULE to now contain all entries from all Risk IDs.
But still, no results in the reports (user/role/profile level), even though some dashboards (e.g. Access Dashboards > Role Analysis) give me results!
To make sure 1 role contains a SoD violation, I created a role using GRC ERM containing functions BS04 & BS11 (that means this role should give a SoD violation for Risk ID B005).
Therefore I simply added those two functions during ERM step "Maintain Authorizations".
The creation of this role (single role) was successful and I reran all the sync jobs.
But when I start again the Access Risk Analysis for Role Level, no results are displayed!!!
So it doesn't show that this new role violates Risk ID B005?!?!?!
Do I have to ensure anything else? Maybe some role specifics?
Because somehow I also cannot request this new role via Access Request Management (role isn't available for selection)?!
I'm probably repeating a large portion already mentioned in this thread but easier to keep it all together. I'm assuming your connector group is SAP_R3_LG based on functions and risks you listed.
CONFIGURATION IN IMG
Access Controls Configuration relating to Connectors
Other IMG Configuration
The following Configuration Parameters will impact RAR (Group 03). Values in bold may impact exclusions for results. GRACCONFIG table contains the defaults. GRACCONFIGSET are any values you have entered in the Maintain Configuration Parameters
1021 Consider Org Rules for other applications
1022 Connector for which Object Ids may be maintained case sensitive
1023 Default report type for risk analysis
1024 Default risk level for risk analysis
1025 Default rule set for risk analysis
1026 Default user type for risk analysis
1027 Enable Offline Risk Analysis [Make NO or you need to complete the batch analysis]
1028 Include Expired Users
1029 Include Locked Users
1030 Include Mitigated Risks
1031 Ignore Critical Roles & Profiles
1032 Include Reference user when doing user analysis
1033 Include Role/Profile Mitigating Controls in Risk Analysis
1034 Max number of objects in a package for parallel processing
1035 Send email notification to the monitor of the updated mitigated object
1036 Show All Objects in Risk Analysis
1037 Use SoD Supplementary Table for Analysis.
1046 Extended objects enabled connector
1048 Business View for Risk Analysis is enabled
Particular ones to check would be:
1012 Consider Rule Id also for mitigation assignment
1013 Consider System for mitigation assignment
1022 Connector for which Object Ids may be maintained case sensitive
1026 Default user type for risk analysis
1027 Enable Offline Risk Analysis
1051 Max number of objects in a file or database record
1100 Enable the authorization logging
Rule set and NWBC Data
Your Report Information
What does your initial selection criteria look like? Are you leaving any fields blank (if so remove them). Also, do you have users and roles mitigated result in exclusion from results - tick box on selection criteria? Can you try running the report for the specific role and risk?
Key Tables checked in the report (based on ST05 trace for Single Role analysis for specific system)
GRACACTIONSYST Action Connector Text Table
GRACBPROC Business Process
GRACBPROCT Business Process Text
GRACCRPROFILE Critical Profile Rule
GRACCRROLE Critical Role Rule
GRACMITROLE Role mitigating control assignment
GRACRISKLEVELT Risk Level Descriptions
GRACRLCONN Store roles in backend system, incl roles not maint. in ERM
GRACRLCONNT Table to store role description in backend system
GRACSODREPDATA SOD Reporting Framework content
GRACSODREPINDEX SOD Reporting Framework index
GRACSODREPSTATUS Report status
GRACSYSRULE System Specific Rule Mapping
GRFNCCICONNECTOR CCI Connector
GRFNCGRPCONLK Connector Group and Connector Type Link
GRFNCONNGRP Connector Group definition
GRFNCONNGRPT Connector Group Description
GRFNCONNGRPTYPE Connector Group Type Definition
GRFNCONNSCNLK Connector Scenario Link
GRFNFLDHR HR Configurable Fields
GRFNFREQUENCYS Timeframe Frequencies - SAP delivered entries
GRFNSCNCTYPLK Sub Scenario Definition
HRP5354 DB Table for Infotype 5354
Thank you very much for your helpful and detailed posts, really appreciated :-)
All the configuration steps you mentioned were already set correctly.
I got the "issue" fixed, even though it wasn't really an issue.
The point is, the default fields "System" and "User"/"Role"/"Object ID" mustn't be empty. When they are empty, the reports don't show any results.
If you want to analyze ALL Objects, you have to fill in '*' (not blank!)
BUT - just for understanding:
The analysis in Access Management > Access Risk Analysis > User/Role/Profile Level WORKS!
The analysis reports in Reports and Analytics > Access Risk Analysis Reports > User/Role/Profile Risk Violation DON'T WORK (no results)!
Why? Because for me they ("Access Risk Analysis" & "Access Risk Analysis Reports") do the same.
I have a very similar problem, in that the results do not show. I did post another thread but it seems to have disappeared. I'm going to go through this and other similar threads once more and thoroughly check all my configurations and then give you guys more details - so bear with me.
Hello Colleen, I am trying to launch risk analysis but it is not working. I have performed all actions above but when I try to simulate analysis, it does not work.
Connectors are OK because every day a job is running to get all new ECC roles, so I don't know what else I can test or review in SPRO.
Even if I don't leave fields blank, I do not get anything.
I am using the default rule set and all BC sets are activated properly.
Did you generate the rule set? And do the logical systems in the rule set match the logical systems that your connectors are mapped to?
Possibly try creating a function for a system and assigning it to a risk and then generate. Run risk analysis against this risk. It would then at least tell you if the issue is with your rule set or the report/connectors?