
RAR configuration problem. Couldn't find any violations after analyzing users an

Former Member
0 Kudos

Hello, experts!

My problem is that the system couldn't find any violations after analyzing users and permissions.

I am installing Access Control for the first time and have some problems during the configuration of RAR.

I have done all the steps that are included in the SAP GRC Access Control 5.3 Post-Installation Slide Deck, Risk Analysis and Remediation.

I was looking through the configuration guide, but couldn't find more. I have configured the connector (I can see users in my system)

- create a logical system

- upload the authorization objects / text files you extracted with /VIRSA/ZCC_DOWNLOAD_DESC and ..._SAPOBJ to the connector

- upload the risk definition files, using the logical system as the target for the function_action/function_permission files

- generate the rules

- run a full sync for users and roles for your system

- run 2 background jobs, one after another

Any ideas?

Thanks!

Accepted Solutions (1)


koehntopp
Product and Topic Expert
0 Kudos

Hard to say - what do the log files say? (Background Job - View Log)?

You did assign your connector to the logical system and then generate the rules...?

Frank.

Former Member
0 Kudos

I am not in the office right now, and I couldn't reach the system. I will send you a log later. Could you please give more details about the step where I have to assign the connector to a logical system? Maybe this was done, but I couldn't be sure right now. When we create a logical system, do we assign a connector to it during the process of creation, or does it have to be done somewhere else?

koehntopp
Product and Topic Expert
0 Kudos

Here's what you do:

- Configure and test the connector

- Create a logical system

- Add the connector to the logical system

- Upload rule files

- Generate rules

Then

- Run full sync jobs (check that they're successful - you can also check the connection through CCDebugger)

- Run Analysis (preferably direct analysis first before starting a large batch job)

Frank.

Former Member
0 Kudos

No..... ((( The result is the same. The background jobs are done, but very quickly, and the View Log function is not active.... Maybe I messed up something before. Maybe some configuration on the ABAP side?

koehntopp
Product and Topic Expert
0 Kudos

Let's do this:

- Go to Configuration - Miscellaneous and set the Logging to "Java Logger", then the "View Log" button will be active. Restart the server. (In the meantime, you can see the current logs with Netweaver Standalone Logviewer - the logs ARE there!)

- After restart, please do a search for rules for your system connector.

- Create an example role with violations. For example, put in SU10, SU01 and PFCG and give "*" for all open fields. That one should violate the standard risk B019.

- Go to the RAR debugger http://<server>:<port>/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger

- Switch the object to role and do a "Get Actions" for your test role to see if the RTA can actually talk to the backend system. You should see the 3 TCodes. Try to do the same for the objects.

- Then go to Informer - Risk Analysis - Role Analysis and do a direct analysis for that role (_Not_ Batch!). Type in the role name manually.

If any of these steps fail, look in the logs and tell us what's in there.

Frank.
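A minimal model of what the test role above exercises, added here as an illustration and not SAP's code: risks pair functions, functions group actions, and rule generation expands each risk into action combinations. The function IDs, the split of B019 into two functions and the `A001` partial set are constructed assumptions; permission-level checks are left out.

```python
from itertools import product

# Constructed sample data (assumption): the real SAP rule set defines its own
# functions; the split of B019 into these two functions is illustrative only.
FUNCTIONS = {
    "FN_USER_MAINT": {"SU01", "SU10"},   # hypothetical function ID
    "FN_ROLE_MAINT": {"PFCG"},           # hypothetical function ID
}
STANDARD_RISKS = {"B019": ("FN_USER_MAINT", "FN_ROLE_MAINT")}
# A partial upload: a risk exists, but not B019, and one of its functions is missing.
PARTIAL_RISKS = {"A001": ("FN_ROLE_MAINT", "FN_MISSING")}

TEST_ROLE = ["PFCG", "SU01", "SU10"]  # the three TCodes of the test role


def generate_rules(risks, functions):
    """Expand each risk into action-level rules (one per action combination)."""
    rules = []
    for risk_id, fn_ids in risks.items():
        action_sets = [sorted(functions.get(fn, ())) for fn in fn_ids]
        for n, combo in enumerate(product(*action_sets), start=1):
            rules.append((f"{risk_id}{n:03d}", risk_id, frozenset(combo)))
    return rules


def analyze_role(role_actions, rules):
    """Return the sorted risk IDs whose rules are fully contained in the role."""
    held = set(role_actions)
    return sorted({risk for _, risk, actions in rules if actions <= held})


def sanity_check(risks, rules, canary_risk="B019"):
    """Flag a rule set that cannot produce the expected canary violation."""
    problems = []
    if canary_risk not in risks:
        problems.append(f"risk {canary_risk} not loaded")
    if not rules:
        problems.append("no rules generated")
    return problems


if __name__ == "__main__":
    for name, risks in (("standard", STANDARD_RISKS), ("partial", PARTIAL_RISKS)):
        rules = generate_rules(risks, FUNCTIONS)
        print(name, len(rules), analyze_role(TEST_ROLE, rules),
              sanity_check(risks, rules))
```

With the partial set the analysis finishes instantly and reports nothing, which is why a known-bad canary role and a count of loaded risks and rules are worth checking before trusting a clean result.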

Former Member
0 Kudos

Thanks, Frank! Now what we have:

I changed user to Java Logger, and now I can see logs.

I created the role with these transactions. After pressing the "Get Actions" button I can see this result:

  1. Actions:3

S11 2 TEST_RISK TEST_RISK T-S1490026 PFCG

S11 2 TEST_RISK TEST_RISK T-S1490026 SU01

S11 2 TEST_RISK TEST_RISK T-S1490026 SU10

Elapsed time: 3ms

After that I go to risk analysis - role level, type the role name and get the result "no violations found".

You said that it has to violate the standard risk B019. When I go to logical system - generate rules, I can see the standard 18 risks that are available in my system, but there is no B019. They all have a format like this: "A0**".

Maybe this will help to find out what is wrong.

koehntopp
Product and Topic Expert
0 Kudos

It seems there's something wrong with your risk definitions.

Did you upload the standard SAP rule set, or are you using something else? What do you see in Rule Architect?

Frank.

Former Member
0 Kudos

Yes, I am using the standard SAP rule set. I can see this there:

Number of Active Rules 18

Number of Disabled Rules 0

Number of Functions 150

koehntopp
Product and Topic Expert
0 Kudos

If that's what you're seeing you're NOT using the standard rule set, let me tell you.

The standard rule set has about 200something risks and 45000+ rules.

Please try to re-upload the rule set again, and make sure you follow the procedures exactly. Please use the "R3_risks" etc. files.

Frank.

Former Member
0 Kudos

Thanks, Frank!

I thought about this too. I don't really know how many risks there have to be. I added the files once again and now I have 221 risks in the system. I checked the role that you advised me to create and found violations inside!!!

Now I am running the background jobs and hope that I will get a result. I will let you know. They are still working.

I don't really understand why it was not working before, but I hope it was for the last time )))

Thanks!

Former Member
0 Kudos

Now it is OK! Thanks!
