
ARA report

former_member193066
Active Contributor
0 Kudos

Hello,

Just configured a GRC 10.1 system.

Done all prerequisites.

I need a little help.

1) When I run risk analysis for a user, if I select permission level it works fine, action level is also fine, and critical action is also fine. But when I select both critical action and permission, it only shows me risks which are with critical action, nothing for permission level.

2) In the remediation view I selected the role remove option, and it created an access request for role removal. But when I cancelled that request, the report still shows that a request with a request number is already created for role removal, even though I cancelled the request.

Regards,

Prasant

Accepted Solutions (1)


Former Member
0 Kudos

Hi Prashant,

Here is my finding on your concerns.

1) I don't think you can define any Permission based on the critical level. So yes, by running the reports only at "critical permission" level you won't see any violations.

Even if you use SAP delivered rule sets or the customized version, you won't find violations at critical permission level.

At the time of creating a risk, we define the critical level of risk as Low/High/Medium/Critical and in this risk ID you add the functions which would be having Actions and permissions. So based on the criticality level of the defined risk IDs we would see the violations and so not at the permission level.

In fact, the option to run the risk violations reports at "Critical Permission" shouldn't be there, as we don't have any functionality (as per my knowledge) to define permission at low/medium or other levels.

2) At remediation view, for the role removal request, are you sure that you canceled the instance of that particular request?

Regards,

Ameet

former_member193066
Active Contributor
0 Kudos

Hello Ameet,

My question is related to the Enhanced Access Risk Analysis framework, where SAP says you can combine and run the risk analysis.

In the Access Risk Analysis screen:

When executing a risk analysis it is now possible to perform multiple risk analysis types at the same time.

This does not give the proper result.

Yes, I have cancelled the request. I have not rejected or approved it (I cancelled the instance).

I removed the role manually from the user and synced it again; it still says a request and request number are already raised for the user.


Regards,

Prasant

Former Member
0 Kudos

Hi Prashant,

Yes, we have options to run the risk reports with various combinations with the parameters.

But running the reports on critical permission level will not show any violations.

If you run the access risk analysis reports with combination of Critical actions and Critical permission levels, you would definitely see the results but only for critical actions and not for Critical permissions.

Permissions are not defined at any critical order (to my knowledge) so we can't see the same in reports.

Even I am using AC 10.1 with SP06 and getting to see the same on my system as well.

For request cancellation, you can give a try as per Arun's suggestions. This must help.

Regards,

Ameet

former_member193066
Active Contributor
0 Kudos

Hello Ameet,

Critical permission can be defined in SAP GRC; for that you need to create a function ID, which should consist only of permissions.

Regarding request cancellation:

Well, I have cancelled the request, which I have already mentioned, and you are asking whether I am sure about it or not. THEN I AM SURE I HAVE CANCELLED THE REQUEST.

And Arun's suggestion is about how to cancel a request, which I have already said I have cancelled.

Seems you are both responding without reading the content properly.

Prasant

Former Member
0 Kudos

Hi Prashant,

SAP delivered rule set doesn't contain any critical permission so if you are running the risk violations reports on standard one, you won't see any risks on the same.

So, yes, you are right about creating a function ID which would contain only permissions but no actions, and while mapping this function to the risk ID you can define the risk as "critical permission" and then you would see the reports only at critical permission level.

The first time you mentioned you are unable to see the risk reports at critical permission, I realized that you are using SAP delivered rule set and not the custom one.

About cancellation of the request:

I have gone through your post very well. But after cancelling the instance there can't be any possibility that you could still see the request at not cancelled status. I am also using AC 10.1 with SP06 (not sure which SP you are on), so sometimes, when cancelling a request's instance manually, in order to enforce this action I check with the report GRFNMW_MANUAL_INSTANCE_CANCEL, and if this shows that the request is cancelled then it is cancelled for sure. So, my advice was just to run this report and check for your request once.

Could you kindly furnish the snapshot of your request status under this report?



Regards,

Ameet

former_member193066
Active Contributor
0 Kudos

Yes, SAP delivered may not have it, so when you run risk analysis you won't see that.

When I select everything (action, permission, critical action, critical permission), the report is not as desired.

It only shows critical ones; non-critical is not showing.

And again, the status is aborted in GRFNMW_MANUAL_INSTANCE_CANCEL.

Regards,

Prasant

Former Member
0 Kudos

Coming to your original post over your issues:

1) You are unable to see violations at critical permission:

It will not show any violations, as you are using SAP standards (I presume). SAP delivered SoDs don't contain critical risks at critical permission level.

2) Even after cancelling the instance of request via NWBC and by running the mentioned reports, you still don't see the request as cancelled (Request number is already created for role removal). Could you please tell me what SP level you are on?

I used AC 10.1 at SP04 and SP06 and never encountered such strange behavior.

If you are at some other SP level, then it might be a bug and you need to contact SAP.

We will also get to know the real reason and the solutions.

Regards,

Ameet

Former Member
0 Kudos

Hi Prashant,

Did you get anywhere with the issues with the cancellation of the request?

I guess now this is clear with the violations reports related to the critical permission.

It might be a bug and it would be better if you contact SAP as this issue is really strange and getting some solutions for it would be very helpful.

Regards,

Ameet

former_member193066
Active Contributor
0 Kudos

No update from SAP yet.

Did you try request cancellation?

I am stuck with a few other issues. I came for the migration of GRC and am now doing role redesign and user ID conversion as well.

My project has users with their own naming convention: in one system last name, and in another something else; a few users have multiple IDs.

This issue may be with the gateway service as well; I will check this weekend.

Regarding the ARA report, my issue is that if I select permission at critical permission or critical action level along with permission level, only critical is showing in the report, not both.

It should show both.

Regards,

Prasant

Former Member
0 Kudos

Yes, I have tried request cancellation with the report and it works out as expected and I don't see any discrepancy.

Whoa!! Naming convention is different across systems, you might need to prepare well enough to get issues' strokes

From my experience, if you use SAP delivered SoD rule sets, then no matter what parameters you select for the risk reports generation, it will show violations only at critical actions and not at critical permission level. The reason is well known: the SAP rule set doesn't contain risk IDs at critical permission level.

But if you customize it and create a Function ID and Risk ID where you map the critical permission, then after running the risk violation reports you must be able to see risk violations at critical permission level as well.

The same, I have mentioned in

You have already gone through with it.

Will keep my eyes on this thread to see updates from SAP.

Regards,

Ameet

Answers (1)


Former Member
0 Kudos

Hi Prasant,

2. Go to NWBC > Access Mgmt > Search Request

Put the request no. here and check the 'status' of your request.

If the status is not 'Cancel' then try cancelling from here.

If you are still not able to cancel from here, you can abort the request. Here is the detail for the same:

Steps: open t-code se38 > put the program name 'GRFNMW_MANUAL_INSTANCE_CANCEL' > Execute or press F8 > press F4 in MSMP Instance ID and put the request no. to be cancelled in the External key display field. Now select the MSMP Instance and cancel the request.

Regards,

Arun