on 11-18-2010 10:48 AM
Hi,
After running alert generation role specifying just critical actions flag and a specific risk that includes a few transactions we have identified that the following tables are containing data:
VIRSA_CC_ALLASTRUN: Dates and time when alert generation job finished
VIRSA_CC_ALLISTHDR: Header data that is shown under alers' reports.
VIRSA_CC_ALLISTDTL: Details for the alerts identified (in our case critical trnasactions)
VIRSA_CC_ALTCDLOG: Last time a user executed a transaction within the period alert generation was executed
VIRSA_CC_ACTUSAGE: All transactions executed by users (transactions are shown several times but differs on time) within the period alert generation was executed
Our questions:
1) When and where tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are used within SAP GRC AC?
2) Since we are executing alert generation job on a daily basis, tables VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE are increasing very fast. Which is the best practice and procees to manage this information? Is deletion performed? Is archiving performed?
Many thanks in advance. Kind regards,
Imanol
Hi Dylan,
Great to hear from you. Hope you are doing fine.
Many thanks for your useful response. I have tried the Action usage pruge and it just remove data from table VIRSA_CC_ACTUSAGE. No impact on the other ones related with alerts.
One further question: The report you mention RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by Role & Profile. Where does it gets information from? I have tried to execute it and getting no data.
Thanks for all. Kind regards,
Imanol
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
So, is it something like using these tables as a base for alerts generation?
1) Register all data in VIRSA_CC_ACTUSAGE
2) Agregate data from VIRSA_CC_ACTUSAGE into VIRSA_CC_ALTCDLOG
3) Agregate data from VIRSA_CC_ALTCDLOG into VIRSA_CC_ALLISTHDR and VIRSA_CC_ALLISTTDTL
What about deletion? Should be done at DB level or at application level?
Many thanks in advance.
Imanol
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Imanol !
I've never heard of deleting Alerts per say, but you can delete the Action Usage that is used to generate the alerts. in RAR, go to: Configuration --> Ulitities --> Purge Action Usage.
I've never used the functionality yet, but my assumption is that deleting the action usage, would also impact the alerts and might possibly delete them too. There is some good information about positive/negative impact in the Configuation Guide "AC53_CG_Final_en_Aug_2010.pdf" on page 64.
Per your original question, if I understood correctly, the collected action usage is used a lot in AC. The following reports make use of Action Usage:
1. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by Role & Profile
2. RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
3. ERM --> Informer --> Transaction Usage
The third report is my favorite since it collects usage counts and which really helps for role re-enginneering.
The UAR and SOD Review processes make use of action usage too.
-Dylan
VIRSA_CC_ACTUSAGE contain data directly from STAT file
this data is used for generating alerts
VIRSA_CC_ALTCDLOG and VIRSA_CC_ACTUSAGE used for generating alerts
this is TXT file, i doubt how big it can be (depends on no of PRD boxes )
best way is you clear / delete the alerts after review...
no idea of archieve option
regards,
Surpreet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.