cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOD Review not working in quality

Go to solution
Former Member

on ‎06-19-2014 5:37 AM

0 Kudos

Hi Friends,

I have activated SOD review WF.

when I run job generate data for SOD review, the job runs successfully and user too has SOD, but it actually does not create SOD review risk.

19.06.2014 06:18:25 GRCADMIN Job scheduled successfully 

19.06.2014 06:18:30 GRCADMIN Job ID : 09482500 created 

19.06.2014 06:18:30 GRCADMIN Extraction of user-risk data started 

19.06.2014 06:18:30 GRCADMIN Total Number of Users:1 

19.06.2014 06:18:30 GRCADMIN Extraction of user-risk data completed 

19.06.2014 06:18:30 GRCADMIN Request to be group by risk owners 

19.06.2014 06:18:30 GRCADMIN Request generation started 

19.06.2014 06:18:30 GRCADMIN Request generation completed 

19.06.2014 06:18:30 GRCADMIN Total number of request created: 0

Batch job has been run.

This user shows risk in "Access Management" and "Reports and analytics"

Any help would be great.

BR,

Mangesh

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
‎06-19-2014 6:48 AM
0 Kudos

Dear Mangesh,

before running the SOD review workflow you have to ensure that a the prerequisites are done:

  • batch risk analysis must be executed and completed (check management report)
  • risk owners assigned to risks
  • sync jobs in the correct order:
    • 1. profile sync
    • 2. role sync
    • 3. user sync
    • 4. batch risk analysis
    • 5. action usage sync
    • 6. role usage sync

Keep me updated if it works.

Regards,

Alessandro


Show replies
Show replies
Former Member
‎06-19-2014 8:12 AM
0 Kudos

Dear Alessandro,

Thanks for your time first.

I ran the reports in sequence you suggested.

My workflow is not based on Risk Owner approval, review request will be directly send to one team which is user group based agent.

So I did not had risk owner assigned, but now I assigned one user to risk F028.

User is available in management report and show it in medium risk list through pie chart.

I ran my background job to generate SOD with following criteria,

Connector: XYZ-100

User ID: Z*

Job ran successfully but no request created,

19.06.2014 06:18:25 GRCADMIN Job scheduled successfully 

19.06.2014 06:18:30 GRCADMIN Job ID : 17111700 created 

19.06.2014 06:18:30 GRCADMIN Extraction of user-risk data started 

19.06.2014 06:18:30 GRCADMIN Total Number of Users: 2

19.06.2014 06:18:30 GRCADMIN Extraction of user-risk data completed 

19.06.2014 06:18:30 GRCADMIN Request to be group by risk owners 

19.06.2014 06:18:30 GRCADMIN Request generation started 

19.06.2014 06:18:30 GRCADMIN Request generation completed 

19.06.2014 06:18:30 GRCADMIN Total number of request created: 0

Anything else I should check?

I can create request with these scenarios for risks which do not have risk owner assigned.

But not luck in QAS.

Configuration shows same parameters for SOD RISK review process in DEV and QAS, only difference is version, as 0008 in DEV and 0004 in QAS. As I had generated many versions in DEV during my initial configuration.

When I had transported SOD review, I checked through "Generate MSMP Process Versions" in simulation mode, it showed one entry as yellow "No active version available for this process ID" after that I have generated 4 versions in QAS to check.

Any idea?

BR,

Mangesh

BR,

Mangesh

Colleen
Advisor
Advisor
‎06-19-2014 9:10 AM
0 Kudos

HI Mangesh

I had issues recently with SoD Review WF and am not  using Risk Owners as the reviewers either

However, because I ran the job with group by Risk it still looked for the Risk Owner and then also wanted the risk owner to have a Coordinator assigned. If not no entry would appear in GRACREQ

Maybe try those two data mappings (assign risk a risk owner and assign the risk owner a coordinator in Maintain Coordinators) to see if it generates

I'm unsure if this is design or not but if design not happy with it being inflexible as I didn't want to have to assign a risk owner to each risk (prefer manage via central criteria)

Regards

Colleen

Former Member
‎06-19-2014 9:39 AM
0 Kudos

Dear Colleen,

I have no words to express my thanks.

Yes, it went like a charm. You saved my day. really

But very strange, I have not assigned any cordinator to risk owner but still it is producing SOD  review request.

Could you please help me with understanding the troubleshooting tools in SAP GRC AC10.0, any link to such docs, would be great help.

Sometimes you feel so sad that it work in DEV but not in QAS and you really can't give explaination to client saying "My configuration is right but it is not working in QAS"

But really really a BIIIIIIIIIIIIIIIIIIIIIIIIIIIGGGGGGG thank you for the solution.

BR,

Mangesh

Colleen
Advisor
Advisor
‎06-19-2014 9:46 AM
0 Kudos

Hi Mangesh



But very strange, I have not assigned any cordinator to risk owner but still it is producing SOD  review request.

I had to do that for mine but that may not be required (I'm still figuring that out)

Consider my correct answer fate for you as I only spent 4-6 hours in the last week debugging to figure out the requests weren't getting created for me Glad to hear someone else benefited from my frustration

most of the tools I used is SCN. I have not had access to a GRC system for over a year so I have read and particpated in SCN (a lot less recently due to system access and experience compared to others). However, when on a system, the key tools i use is:

  • MSMP issues (one request generated) - Instance Runtime or Administration view in NWBC
  • SLG1 for most log issues (especially authorisations)
  • A lot of ST05 and ST01/STAUTHTRACE just to track the data and sequence as well as which configuration parameters are used
  • Debug of the code -  I am not a developer but I try to navigate and put a break point in the code and then step through each line to see what is happening - that is how I solved this one as I found where it did the select for the risk owner
  • Trial and Error (as well as a lot of ranting and red wine when things are not going my way on the system

In short, practice and experience will get us both there

Regards

Colleen

Former Member
‎06-19-2014 10:03 AM
0 Kudos

Dear Colleen,

Thanks for the guidance on tools It is great help to start with right direction.

I can understand how fustrating it can be when system does not work as documented.

Well I have few more issues, may be you can give some insights,

I have set parameter 1072 (Mitigation of critical risk required before approving the request) to YES, I was expecting risk defined as critical will be checked through this parameter, but though the access request has Critical risk (through Role) but still role owner can approve the risk (Without assigning mitigation control)

So it means system allowing approval, without mitigating risk.

Did I understand Critical risk means risk of type Critical or it means something else.

UAR problem,

I have 4 users all has4 separate roles assigned, and role owner assigned, my UAR is on role owner approval.

So Ideally it should create request for all 4 users, but it is creating them for only 2.

Any idea? Hope I am not troubling you too much.

BR,

Mangesh

Colleen
Advisor
Advisor
‎06-19-2014 10:26 AM
0 Kudos

Hi Mangesh

For your follow up questions I suggest a new question for each (assuming you have already searched SCN and not found the topic)

UAR Review may be similar to SoD Review. There is configuration parameter 2006 to group by MANAGER or ROLE OWNER. Which one is yours grouped by?

Regards

Colleen

P.s. - you are not wasting my time but remember you with good questions and explanations in SCN you get more than just my time in this community

Former Member
‎06-19-2014 1:16 PM
0 Kudos

Dear Colleen,

Yes, I went through forum already, I tried those but did not work, so asked

I know about 2006, it is set to Role Owner in my systems.

BR,

Mangesh

Answers (0)

Ask a Question