on 06-17-2010 1:46 PM
Hello, experts!
My problem is that the system couldn't find any violations after analysing users and permissions.
I am installing Access Control for the first time and have some problems during configuration of RAR.
I have done all the steps that are included in the SAP GRC Access Control 5.3 Post-Installation Slide Deck, Risk Analysis And Remediation.
I was looking through the configuration guide, but couldn't find more. I have configured the connector (I can see users in my system)
- create a logical system
- upload the authorization objects / text files you extracted with the /VIRSA/ZCC_DOWNLOAD_DESC and ..._SAPOBJ to the connector
- upload the risk definition files, using the logical system as the target for the function_action/function_permission files
- generate the rules
- run a full sync for users and roles for your system
- run 2 background jobs, one after another
Any ideas?
Thanks!
Hard to say - what do the log files say? (Background Job - View Log)?
You did assign your connector to the logical system and then generate the rules...?
Frank.
I am not in the office right now, and I couldn't reach the system. I will send you a log later. Could you please give more details about the step where I have to assign the connector to a logical system? Maybe this was done, but I can't be sure right now. When we create a logical system, do we assign a connector to it during the process of creation? Or does it have to be done somewhere else?
Here's what you do:
- Configure and test the connector
- Create a logical system
- Add the connector to the logical system
- Upload rule files
- Generate rules
Then
- Run full sync jobs (check that they're successful - you can also check the connection through CCDebugger)
- Run Analysis (preferably direct analysis first before starting a large batch job)
Frank.
Let's do this:
- Go to Configuration - Miscellaneous and set the Logging to "Java Logger", then the "View Log" button will be active. Restart the server. (In the meantime, you can see the current logs with Netweaver Standalone Logviewer - the logs ARE there!)
- After restart, please do a search for rules for your system connector.
- Create an example role with violations. For example, put in SU10, SU01 and PFCG and give "*" for all open fields. That one should violate the standard risk B019.
- Go to the RAR debugger http://<server>:<port>/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger
- Switch the object to role and do a "Get Actions" for your test role to see if the RTA can actually talk to the backend system. You should see the 3 TCodes. Try to do the same for the objects.
- Then go to Informer - Risk Analysis - Role Analysis and do a direct analysis for that role (_Not_ Batch!). Type in the role name manually.
If any of these steps fail, look in the logs and tell us what's in there.
Frank.
Thanks, Frank! Now what we have:
I changed user to Java Logger, and now I can see logs.
I created the role with these transactions. After pressing the "Get Actions" button I can see this result:
Actions:3
S11 2 TEST_RISK TEST_RISK T-S1490026 PFCG
S11 2 TEST_RISK TEST_RISK T-S1490026 SU01
S11 2 TEST_RISK TEST_RISK T-S1490026 SU10
Elapsed time: 3ms
After that I go to risk analysis - role level, type the role name and get the result - "no violations found".
You said that it has to violate the standard risk B019. When I go to logical system - generate rules, I can see the standard 18 risks that are available in my system, but there is no B019. They all have a format like this: "A0**".
Maybe this will help to find out what is wrong.
Thanks, Frank!
I thought about this too. I don't really know how many risks there have to be. I added the files once again and now I have 221 risks in the system. I checked the role that you advised me to create and found violations inside!!!
Now I run the background jobs and hope that I will get a result. I will let you know. They are still working.
I don't really understand why it was not working before, but I hope it was for the last time )))
Thanks!