
GRC AC 10.0 Access Risk Analysis Error

Former Member
0 Kudos

Hello all,

Just so you are aware I've been racking my brain to get this working and I have read all the posts that I can find on SCN and elsewhere and yet I have not solved the issue, hence I would appreciate if you could kindly take some time from your busy schedule and provide any advice.

No Results for Risk Analysis (yes another one of these threads!)

System: GRC AC 10.0 installed with ECC 6.0 backend EPH5 (SAP_BASIS 702  006 SAPKB70206)

I have used the following resources to get to this stage :

1. GRC 10.0 Pre-Installation Customer Solution Adoption April 4th 2011

2. Installation Guide SAP Access Control™ 10.0, Process Control™ 10.0, and Risk Management™ 10.0

3. Installation Checklist for Access Control 10.0

4. GRC 10.0 Post-Installation Customer Solution Adoption June 27th 2011

5. AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis Customer Solution Adoption April 11th 2011

6. AC 10.0 Post-Installation Customer Solution Adoption April 6th 2011

7. GRC300 SAP Business Objects Access Control Implementation and Configuration

The Problem:

1. I am trying to run our first User, Role and/or Profile level Risk Analysis in a test environment, but no results appear once risk analysis is executed (see screenshot as attached).

I have done the following:

1. Installation complete.

2. Post configuration, up to ARA (according to doc number 4 above) as well as some MSMP, BRM, EAM.

3. Configured Shared GRC Settings including integration scenarios, connector settings, BC activations etc.

4. Synchronisations done and works

3. Configurations completed according to Maintaining Configuration Settings in Access Control (SP11 - Jan 2013 - I know this is a higher SP than ours)

A full synchronisation has been done (see my thread here regarding the Sync issue, which was solved). I've read this, this, this and this thread from SCN along with others not worth mentioning.

What I've Done:

1. Carry out a Risk Analysis on User, Role or Profile level.

2. Using NWBC, via Access Management.

3. Removed any parameters not selected, as per advice from other threads.

4. Ruleset is Global.

5. Action, permission, critical, and everything else is selected along with Include Mitigated Risks.

I have an idea what the problem might be, so I am experimenting, with no luck so far, but any advice would be highly appreciated, and thank you once again for taking the time to read this.

Please see the attached screenshot - I don't think it's very useful.

In the meantime, I'm going to go through the configurations and setup once again until I stumble upon something.

Best regards,

Paul


Accepted Solutions (1)

Former Member
0 Kudos

Hello,

FYI the following steps have been carried out so far:

Post-Install

1. Client Copy

2. Activated the components - all three AC, PC & RM

3. Activated SAP ICF Services

4. Activated BC Sets -

WARNINGS on all except GRAC_RA_RULESET_COMMON. Could someone shed some light or point me in the right direction as to what the BC sets actually do in the GRC system? I've checked all the relevant tables for all the BC Sets to ensure that they have been activated or exist in the relevant tables as outlined in GRC300 (you can find all tables from the relevant unit).

Used SLG1 to see errors. The BC Set errors are similar to, if not the same as, this thread. Warnings for BASIS, CRM, ECCS, HR, R3 rulesets... ARM, BRM & COMMON Ruleset activated without errors.

5. Activated Common Workflows - as per instructions in relevant Post & Pre Implementation Docs.

6. Task specific customizations done to AC Plugin.

COMMON COMPONENTS SETTINGS - INTEGRATIONS FRAMEWORK.

1. Created ONE RFC Connector called CON1 via SM59 and tested - works. RFC User has all correct authorisations. An error occurred previously, but has been fixed - see this thread.

2. Logical Port via BD54 created, same as RFC.

3. MAINTAIN CONNECTORS & CONNECTION TYPE

    3.1: Connection Type Definition - SAP Connection.

There are other LDAP, FILE, EP connections that already existed - SAP-created, I suppose?

     3.2 DEFINE CONNECTORS: Added Connector and mapped it to connector type SAP with Logical port, max BG work processes (3) and no Subsequent Connectors.

    3.3 DEFINE CONNECTOR GROUPS - I have the following:

Connector Groups: SAP_BAS_LG, SAP_CRM_LG, SAP_ECCS_LG, SAP_NHR_LG, SAP_R3_LG, SOD-CROSS, SOD-LOG

Group Text; relevant text

CONNECTION TYPE: SAP (for all Conn Groups)

Connection Group Type: Logical Group (for all)

Connector to Connection Groups (all of these have the SAME CONNECTOR CON1 - could this be an issue? Should each table entry (i.e. SAP_BAS_LG, SAP_R3_LG, etc.) have a SEPARATE, INDEPENDENT RFC Connector?)

    3.4 ASSIGN CONNECTOR GROUPS TO GROUP TYPES and ASSIGN CONNECTORS TO CONNECTOR GROUPS is done as outlined above.

I feel from the above onwards (no. 3) I may have got lost a bit.

4. MAINTAIN CONNECTIONS SETTINGS

For each Scenario, AUTH, ROLMG, PROV & SUPM I have completed the Scenario-Connector Link to add Connector for Connection type SAP.

5. The target RFC Connector (CON1) has application type 1. System DOES NOT have ACTIVE as an option.

6. Assign Default Connector to Connector Group - done; Maintain Connector Group Status; all the possible actions for each have been selected from 0001 to 0005.

7. Carried out all AC Parameter Configurations (followed Maintaining Configuration Settings in Access Control SP11 Jan 2013)

8. I have activated the Ruleset via IMG (GRAC_GENERATE_RULES)

9. Carried out FULL Synchronisations, several times. Action usage didn't execute for some reason. Synch has been successful because I can search and find users, roles and profiles in Risk Analysis. 

10. I have run Batch Risk Analysis. Tried the Risk Analysis both with offline and online data as well as the correct config on AC Parameter settings.

11. In NWBC, I tried to carry out USER, ROLE, PROFILE Risk Analysis. And this is where the errors appear for each Risk Analysis for User, Role, Profile - NO RULES SELECTED error.

I've checked SLG1 and nothing there regarding ARA.

Judging by what I've done, my suspicions are it's Connector-related (or groups, settings, types etc.), or Scenario, or the SoD rules have not been... what? I just can't put my fingers on it... but I will get to the bottom of it.

Any advice would be greatly appreciated.

Best regards,

Paul

Answers (3)

Former Member
0 Kudos

This is indeed interesting, see this thread... I clearly have gone wrong somewhere... do you need to manually add your backend system to each function? Do the connector settings do that?

Regards

0 Kudos

Hi Paul, is it logging any message in SLG1? If so, please paste here the screenshot.

I would guess this error message is due to the LDAP connector. SLG1 would give us some clues about RFC errors, like "Error in when opening a RFC connection".

Another possibility is a duplicate entry in table GRFNCONNGRPTYPE for the system you are performing the analysis on. Please check.

Let us know,

Thanks.

Former Member
0 Kudos

Hi Luciana,

Many thanks for your response.

I checked table GRFNCONNGRPTYPE (Connector Group Type Definition) and I have the following entries:

  1. SAP_BAS_LG ; SAP_CRM_LG ; SAP_ECC_LG ; SAP_HR_LG; SAP_NHR_LG; SAP_R3_LG; SOD-LOG as CONNNECTOR_GRP and for CONN_GRP_TYPE all of them as SOD-LOG.

  2. It's not logging any messages in SLG1 - it did before, which I managed to resolve by looking at another thread on SCN. In essence the RFC user password required changing, so I made those changes in SU01/SM59 and as such no errors are logged in SLG1 anymore.
  3. I don't have any LDAP connectors; they should all be RFC connectors to the ECC system and/or the CRM system.
  4. I am actually not 100% solid in my knowledge of the connection groups and their related activities even though I have completed them - I was just following the pre, post, GRC300 notes, so I do feel the issue lies with the connector/connection/group/etc.

Thanks again for your response and let me know what I could do and in the meantime, let me continue tinkering with the beast.

Best regards,

Paul

Former Member
0 Kudos

OK, I posted this last week and funnily enough it only appeared a week later on SCN!

Anyhow, I have solved and moved on from the above problem by checking the SLG1 (App Log file) and changing the PW for the RFC user for the RFC Connector - somehow there were too many incorrect login attempts.

However, I am still unable to carry out a successful Risk Analysis on User, Role or Profile levels!

The error currently is: "No Rules Selected".

I've combed through the IMG configuration settings but no luck yet. I'm pretty sure it's either the connector settings (SAP could have done a better job in their connection/connector setting configurations as it's very confusing terminology etc.). The other thing could be BC Sets, as I got some errors on activating some of them.

I've looked at some similar threads here on SCN but have not been able to solve my problem yet in running a successful Risk Analysis, even though I've solved a number of issues to get here.

Any help would be highly appreciated. I can post exactly every step if required.

Best regards,

Paul