sapserviceNPP SAP* - Reporting Question

Former Member
0 Kudos

Hello,

My company has been looking to update our global rule-set to one more aligned with SOX. We have 2 environments, one for production (PRD) and one for development (DEV), and 2 rule-sets: global and SOX. Before changes are made to PRD, they are made in DEV in order to see the variance of the user level risk analysis at the permission level once the changes are made.

Now, we use the Global rule-set as our active rule-set for reporting purposes, and our SOX rule-set is currently undergoing a fine-tuning to understand why our PRD and DEV reports are not the same.

The issue we are having is that our PRD reports from the SOX rule-set do not match our DEV reports from the SOX rule-set. The difference comes from only 1 user - sapserviceNPP SAP*.

In the DEV report, this user's roles all look like:

&_SAP_ALL_14 : &_SAP_ALL_14

or

&_SAP_ALL_5 : &_SAP_ALL_5

this type of syntax.

In the PRD report, this user has the same roles:

&_SAP_ALL_14 : &_SAP_ALL_14

but also "generated partial profiles" such as:

&_SAP_ALL_14 : Generated partial profile for SAP_ALL

My question is, why would the PRD report contain "generated partial profiles" when the DEV report does not?

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

The only roles in DDIC are SAP_ALL, but they have different numbers:

&_SAP_ALL_5 : &_SAP_ALL_5

&_SAP_ALL_14 : &_SAP_ALL_14

&_SAP_ALL_4 : &_SAP_ALL_4

etc.

Regenerating it from SU21 will get rid of the Generated Partial Profiles?

Thanks!

Rob

Former Member
0 Kudos

Hi,

Where do you see these? Under the Roles tab or the Profiles tab?

If you see this under the Roles tab, you may have to go to the individual role and generate the profile again. I infer these are assigned from a role, and are not a direct SAP_ALL profile assignment.

If the SAP_ALL profile is directly assigned (under the Profiles tab), yes, re-generating the profile should solve the issue.

Regards,

Raghu

Former Member
0 Kudos

Hi Rob,

I've just checked in the system. The partial profiles are related to the below profiles:

&_SAP_ALL_5 : &_SAP_ALL_5

&_SAP_ALL_14 : &_SAP_ALL_14

&_SAP_ALL_4 : &_SAP_ALL_4

etc.

You may assign SAP_ALL instead of these profiles which will resolve the issue. (You may look at the description of these profiles. They say partial profile for SAP_ALL)

Regards,

Raghu

Former Member
0 Kudos

I ran a new report - the Generated Partial Profiles are still occurring, but only within the DDIC user... not from sapserviceNPP SAP*

Does this change anything?

Thanks in advance!

Rob

Former Member
0 Kudos

Hi,

The issue might be with the profiles assigned to the DDIC user.

What profiles do you see for the DDIC user? If it is SAP_ALL only, regenerate it from SU21. You can click the Regenerate SAP_ALL button and re-run the sync.

Regards,

Raghu

Former Member
0 Kudos

Raghu,

The last sync for both DEV and PRD was on 8/16/2011 - The day after this sync was completed, the full report was run in both DEV and PRD (8/17/2011)

Both DEV and PRD syncs were:

Sync Mode: Full Sync

User Sync

Role Sync

Profile Sync

Batch Mode: Full Sync

Report Type: Permission Level Analysis

User Analysis

Role Analysis

Profile Analysis

Critical Action and Role/Profile Analysis

Management Reports

The only thing unchecked is "Action Level Analysis"

Any ideas?

Former Member
0 Kudos

Raghu,

Thank you for your response.

To clarify your points:

1 - We are evaluating 2 rulesets in one SAP GRC environment. Therefore, the two rulesets are looking at the exact same profile. What we don't understand is why one ruleset has "Generated Partial Profiles" and the other does not.

2 - We do run the reports as Dialog Only. sapserviceNPP SAP* should be run as a service, and not as dialog, however this still does not explain the difference we see in our report.

What would cause GRC ruleset 1 to have these "Generated Partial Profiles" (GPP) while GRC ruleset 2 does not? They evaluate the exact same profiles/users, the only difference is these GPP's showing up in the report from 1 ruleset and not in the other.

Thanks in advance,

Rob

Former Member
0 Kudos

Hi Rob,

Got your point and yes, they should display the same information. Are you sure that both rulesets have the exact same information? I hope the role/profile/user data for one of the rulesets is not updated. When did the last sync happen?

Regards,

Raghu

Former Member
0 Kudos

Hi Rob,

2 points:

1. Did you check the &_SAP_ALL_14 role? It might have profile inconsistencies, since it contains composite profiles (more than one profile).

2. sapserviceNPP SAP* should not actually be in the list of conflicting users, since you assigned almost all authorizations. I infer it should be a service user ID. Do you run risk analysis for service type users too?

Regards,

Raghu