GRC-AC 5.3 RAR Management view error - Expired users not cleaned-up.

Former Member
0 Kudos

Hello Gurus,

I have a problem in RAR Management View: users who were valid have been analyzed and their conflicts considered in statistics, but when they become expired, their conflicts remain in the statistics forever, because they are not re-analyzed in either Full or Incremental sync. Even if all roles are removed from the user in the backend, the conflicts remain in Management View.

I think the Full Batch Risk Analysis should clean up all users' violations from the current period statistics before recording the new analysis results.

Did you have this problem too? Am I missing something?

I appreciate your thoughts about it.

Vaner

Accepted Solutions (1)

Former Member
0 Kudos

Hi Vaner,

Whenever you want to display Management reports correctly, you should first run your Batch risk analysis jobs and then the management report jobs.

If you don't run the batch risk analysis jobs, the Management reports show the risks even if they were removed, because the MGT reports job is populated using the stored data generated with the Batch risk analysis jobs.

If you set expired and locked users to be excluded from the risk analysis, then those user IDs' risks are excluded from the report.

Regards

Hari

Former Member
0 Kudos

Hello Hari,

Thanks for your comments.

I double-checked and the users are still there after a Background Job with all steps set to "Full".

I have the Exclude Expired Users option set to "Yes", as well as Exclude Mitigated Users. Only Exclude Locked Users is set to "No".

Analyzing in more detail, I also found users that expired and were processed correctly, so I am trying to figure out what the difference is. My guess is that there is some trick related to the way the user is created or modified. It seems to me that GRC relies on Change Documents to do the synchronization, and in some cases it does not detect the change and does not see the user anymore to decide to clean up the history. I think I can reproduce this issue in a test system but will need a couple of days to test the whole process.

I will keep it posted in the forum.

Former Member
0 Kudos

Hi,

Set up the exclusion options, and then run a full sync to update the table and set up the excluded users.

They will not disappear from the table, but they will have the excluded flag active and will not be included in the BRA.

1. Set up the exclusion options.

2. Run Full Sync.

3. Run BRA (permission selected).

4. Run Management.

Log off, log on, and the reports should be updated.

Regards,

N

Edited by: Nuno Jesus on Oct 10, 2011 12:25 AM

Former Member
0 Kudos

Hello Nuno,

Many thanks for the tip. I tried and it worked fine.

I still need to get to the root cause of this problem. I opened a message in SAP for this. Though it is a nice workaround, it has some shortcomings:

1. I have to identify each user beforehand. It is not very simple because we already have 6 SAP backends with different templates and basis teams. I don't even have a login in some of these systems.

2. I cannot exclude users for a specific system. It is not rare to have users valid in one system but expired in others.

Regards,

Vaner

Former Member
0 Kudos

Hi,

What's your SP level?

You should keep the history and the expired users in the reports.

Running a full sync should be sufficient.

I think this was a known issue, but I have to check the SAP SP notes.

I will let you know if I find something.

Regards,

N

Former Member
0 Kudos

Hello Nuno,

Thanks for your comments.

My release is 5.3 SP 16.2.

I also think the full sync should be enough, but I have already found about 20 users with problems, in 4 different backends and in 2 GRC systems (Test and Production).

I think that, depending on some procedures done in the back-end, the full sync neither re-analyzes the user nor cleans up previous statistics, for example:

1. A user was deleted and recreated with the option to maintain old data, and he already had an expiration date.

2. A sandbox environment was created as a copy of production, and users were created valid but already with an expiration date.

I observed that for these scenarios there was no Change Document for the field "valid to"; my guess is that the Full Sync process relies on Change Documents to do its job.

I already opened a message in SAP for this. First level could not solve it; it is with the Development Team now.

Vaner