
SOD violation as per sizing guide

Former Member
0 Kudos

Hi All,

I have a query regarding sizing for the GRC server. As per the sizing guide, there are a few inputs like total roles and total users in the system landscape, which are to be connected to GRC, and total violations per peak hour, etc.

I want to know what violation count means in this context -

Is it the SOD violations occurring in the system before GRC implementation?

Or is it the SOD violation count when GRC is established and we assume that either most of the risks are mitigated and/or remediations are done?

Does this count SATs as well?

Thanks & Regards,

Sabita

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Sabita,

In AC 5.3, CC/RAR is the most performance-centric module and SoD violations are the biggest culprit. Before sizing the system, the consultant/client has to guess the number of SoD violations in the particular SAP system/landscape. I know this number won't be accurate, but the closest match should be enough.

After RAR initial configuration, when you run risk analysis, depending upon the number of violations, RAR would need the respective number of SAPS to perform efficiently.

Regards,

Alpesh

Former Member
0 Kudos

Hi Alpesh and Harleen,

Thanks for your reply. I have one more query regarding violations during Risk Analysis:

After mitigating Roles and Users, how does the system perform risk analysis? E.g. does it scan all risks against Role/User and then check mitigations, or do both activities go in parallel?

The question is related to the report coming in RAR -> Informer -> Management view -> Risk violations.

Here, even if the system is showing very few violations due to mitigations, does that mean the system now has less load during risk analysis, or is it increased due to mitigations?

Regards-Sabita

Former Member
0 Kudos

Hi Experts,

Please excuse me for re-opening this message. Our client wants a clear understanding of sizing and I want confirmation before I can convince them.

Here are my queries:

1. When we do sizing for RAR, what activities are covered under "Daily Transactional Sizing per hour"? We do incremental Sync and Batch Risk Analysis, but they run at night when the system is less loaded. So what does "during peak hour" mean? What else is under transactional sizing: are webservice calls from ERM or CUP included in it, and does the Alert Monitor job also fall under it?

2. What does violations mean in the context of Risk Analysis? Does it mean actual violations in daily backend transactions, or is it only violations based upon Role/User authorizations? What kind of violation does it include - permission level all line items (like ME21N ACTVT 01, 02, 03 are 4 violations), or is it only one for one risk?

3. Under which criteria or parameter should we do sizing for Adhoc risk analysis (run from the Informer tab)?

4. There is a parameter for "initial load" in RAR and CUP. We would like to know why there are two parameters for "initial load" and "daily transactional". They may overlap for sizing purposes, because when we do initial it means the system is not ready to perform daily tasks. And when we say "Transactional" it means the initial load is done. So in this case, the SAPS used in initial load is released for daily transactional tasks.

Thanks in advance.

Regards,

Sabita

hkaur
Advisor
0 Kudos

Hello Sabita,

Sizing is done based on the expected violation count that your system may have before GRC implementation.

This is because the sizing requirements have to be considered even when you run batch risk analysis for the first time.

Harleen

SAP GRC RIG