
Is GRC-AC 5.3 SP18 strong enough to support our Rule Set?

Former Member
0 Kudos

Hi experts,

Our question is simple. We believe that GRC-AC 5.3 SP18 is not strong enough for our Rule Set. That is because we have a very powerful server and GRC-AC 5.3 SP18 can't run background jobs and user/role analysis in reasonable times.

We are considering the possibility to drop out the tool but first want to make sure or at least have comments from experts that this tool does not fit our needs.

As an example, a background job for a risk analysis on JUST ONE USER takes a couple of hours to finish. And running it online is impossible.

We have already tried splitting the jobs. We have already read and implemented SAP performance optimize guide recommendations and we have finally upgraded to the latest SP.

We have the following scenario:

- 7600 roles
- 4000 users
- 60,000 risks approx.
- 766 business functions
- 2,101,002 action rules

Thanks very much in advance.

Kind regards,

Accepted Solutions (1)


Former Member
0 Kudos

As said, are you sure you are using RAR correctly? We started with the standard SAP ruleset, disabled a few rules, added a few new ones and ended up with:

  • 400 risks
  • 33k action-level rules
  • 106k permission level rules


Your ruleset is approximately 2 orders of magnitude bigger than mine. I really can't imagine how you got to your current ruleset. It sounds way more complex than it needs to be.

koehntopp
Product and Topic Expert
0 Kudos

I have been doing RAR projects for more than 5 years, with lots of small & large international customers. I have NEVER seen one even remotely this complex.

We've had listed international companies getting along well with less than 50 risks.

The number of transactions should not increase the number of risks, they just might make functions bigger. As said, there is a limited amount of main business processes a company might have. In your case, each...

I would really like to see some other GRC folks chime in with their opinion - Former Member

Frank.

kevin_tucholke1
Contributor
0 Kudos

Mabel:

I totally agree with Frank. I am too surprised at the number of Risks that you report that you have.

Above you state that you have many different divisions in different parts of the country. Can you explain if you feel that has multiplied the number of risks and why?

I have been involved with many GRC projects / Risk Remediation projects over the last 8 years and have never come remotely close to the number of risks you report. As both Frank and Steve have said above, I would say that there is a need to review how you have set up your risks.

Thanks,

Kevin Tucholke

Former Member
0 Kudos

I also agree with Frank's recommendation to reconsider the risk definitions. Good luck, Mabel!

Gretchen Lindquist

Answers (2)


Former Member
0 Kudos

Everybody, thanks very much for your inputs.

We are evaluating the possibility to strongly reduce the amount of risks.

Kind regards,

koehntopp
Product and Topic Expert
0 Kudos

You're holding it wrong

Seriously, you have 60.000 risks defined? And you want me to believe if RAR gave you the output of those 2 Million Action Rules (are there also permission level rules?) you'd be able to deal with it?

Sorry, I don't buy that. At least not with the information you're giving here. Can you maybe elaborate what got you into this mess in the first place?

In short, I'd like to throw the question back at you: is your organization strong enough to cope with the output of your rule set?

Frank.

Former Member
0 Kudos

Dear Frank,

We do have so many risks. This is a company that has a huge amount of zeta transactions and authorization objects. We have also many divisions located in different parts of the country. We use almost every standard SAP module, etc.

And regarding your question: Yes, our organization has at least 3 risk owners for each business process and a complete IT division with an expert for every SAP module.

Thanks anyway for your concern,

Kind regards,

Former Member
0 Kudos

In the standard ruleset, the business process with the largest number of risks is the purchase to pay process, which has 60. Mine is an old ruleset - let's round it up to 100 for simplicity. You're saying you have the equivalent of 600 business processes as complex (risky) as purchase to pay. Even if you had just 6000 risks, 10%, I'd be starting to question if you've got things set up right. But 60k?

If you really are sure that you've got things right, then I guess there's no solution but to throw more hardware at the problem. It does sound like you need a lot more hardware, though, and maybe your set-up really is just too complex for RAR?

Which version of GRC are you running? Without wanting to be too critical of SAP's Java stack, I would expect to get a little more performance from the ABAP-based GRC 10.0. If you are still running 5.x, maybe an upgrade might help? Even so, I can't see it making enough of a difference to solve your problem. It might scale a little better, maybe, and so respond better to being given more hardware?

koehntopp
Product and Topic Expert
0 Kudos

In terms of risk analysis performance 10.0 really has made another giant leap, and should speed things up considerably.

Still, I think that risk definition needs reconsideration...

Frank.

Former Member
0 Kudos

I've not had my hands on a 10.0 system yet (upgrade planned for next month:-) so it is good to know analysis performance is better. I don't particularly have issues, but I never say no to better performance!!