on 06-27-2016 2:47 PM
Hi GRC folks,
I am creating roles with separation of duties risk violations for testing. I am approaching this by first going to the Global Rule Set, selecting high risks (for example H001) and then from the functions listed (HR03 & PY04), adding T-codes from them to a role. I have tried this using Role Level Simulation within Access Maintenance to avoid having to execute a background update of the Access Control Repository. When I execute a simulation the results indicate no risks. But when I add the risks to the role in the development system, the risks show up in the report. I came to the conclusion that only the simulation part is not working here.
I have generated the rule sets multiple times and the Access risk analysis works great. Just the simulation is the issue here. I have checked other posts and did the initial problem solving but there are no results.
Could someone help me get the simulation to start working? GRC version is 10.0. Our ECC is the development environment and GRC is not connected to a prod environment yet.
Thanks!
Apoorva
Hi Apoorva,
My initial thought is that you are simulating the addition of tcodes from the system "GRC Testing" when you should be adding tcodes for the simulation from the ECC system. You should also remove the report criteria Type = Action Level, and only have Permission Level selected, although the Action Level should still return results (even though they are likely false positives as they do not check for the authorization object level permissions).
Let me know if this helps, and if not I can continue to think on it.
-Ken
Try removing all report criteria except System, Role, and Ruleset. Try Business View instead of Technical View. Check your Risk Analysis Parameter Group in "Maintain Configuration Settings" of SPRO, there may be restrictions on risk analysis. Try searching for the actions and selecting them instead of typing in manually or copy/paste.
Try simulating the addition of SAP_ALL profile instead of actions. If it is broken, you will still get no results. SAP_ALL should cause ALL risks if added.
Hello Apoorva,
Treating that you have activated BC sets and also regenerated all the rules, please verify the following.
Let me know if you need further details.
Regards,
Rakesh Ram
Hi Apoorva,
Please generate the ruleset before you run the simulation. Then you can get the violations if any.
Hello Apoorva,
Can you please try executing it with SAP_ALL and with "Risks from Simulation only"?
And, please check if the simulation is working for user level?
I believe the ad-hoc risk analysis is working fine for the same connector, correct?
Kind regards,
Yashasvi
Hi Yashasvi,
Yes, the risk analysis is working as expected both for ad-hoc and global. When we ran SAP_ALL with only risks from simulation only, we get 'No Violations'.
And we checked the user level simulation and that doesn't work as well. It simply says 'No Violations' for everything.
Thanks,
Apoorva
Are you trying to add SAP_ALL as "Role", because this should be added as a "Profile" in the simulation.
When you uploaded or generated the ruleset, are you leveraging Logical Groups? What is your Logical Group configuration in SPRO? Is your system included in the logical groups?
Check table GRACACTRULE in SE16 of GRC and check which connector the rules have been generated for. For example, I have my rules uploaded and generated for Logical Groups SAP_BAS_LG (containing the IT/Basis rules), and for SAP_NHR_LG (containing my ECC rules). Then, in my connector configuration I have my ECC system mapped to both of these logical groups.