cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP GRC AC v10 ARA: Issue with HCM Infotype Violations Not Working

Go to solution
Former Member

on ‎07-10-2014 11:57 PM

0 Kudos

Hi Experts!

System: GRC AC v10 SP12

I am attempting to make sure our ARA system is reporting HCM SoDs correctly. I have proved it out at the single role level.

However, at the Composite role level, it does not seem to be working. We have multiple single roles and all of the Infotypes are in a single role without transactions. It does not seem to be producing the correct SoD violations for this type.

Any ideas? Have you seen this before.

Thanks.

-john

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
‎07-11-2014 3:43 PM
0 Kudos

Hi John,

we cannot give you an answer as we don't know either your role nor your rule set. Please provide us more information to check whats the root cause of your problem.

Basically what we need to know: definition of your functions defined for your risk so that we can check what's causing a violation.

I am wondering a bit that it works for your single roles but not for your composite roles. Did you run all the sync jobs properly? If you have assigned roles which have violations they also show up in composite. If not, you are missing synchronization or correct assignment of the single to master roles in BRM. Best to run all the sync jobs, check the composite roles in BRM and run the risk analysis again.

Regards,

Alessandro

Show replies
Show replies
Former Member
‎07-11-2014 4:25 PM
0 Kudos

Alessandro,

Which BRM Report should I be looking at in NWBC on the GRC system for that relationship?

Also, is there a sync job for BRM that I am missing? I have done the following in order:

  • Authorization Synch
  • Repository Object Synch
  • Action Usage Synch
  • Role Usage Synch
  • Batch Risk Analysis

Thanks,

-john

Former Member
‎07-11-2014 8:01 PM
0 Kudos

Could it be that there are no transactions in the single role? That it just has the HR Infotypes. And the system can't match it up with out the transactions being there?

-john

alessandr0
Active Contributor
‎07-14-2014 8:16 AM
0 Kudos

Hi John,

as mentioned that depends on the definition of your rule set. Can you please share the two functions for your access risk? See my document about to understand how a violation occurs.

You can easily check the assignment in BRM (NWBC > Access Management > Role Management > Search Role). Open a composite role and check if the single roles showing correctly.

If all the roles appear in the composite then it seems to be correct from that side. Hence you have to check the rule set, but as mentioned in my previous post, if it shows for the single role it has also to show for the composite (if everything is synced and configured accordingly).

I assume you didn't mitigated any role? If you have set a mitigation that can also affect your analysis. Therefore run the analysis with option "include mitigated roles" and also "show all objects".

Regards,

Alessandro

alessandr0
Active Contributor
‎07-14-2014 8:19 AM
0 Kudos

I've found also some notes, please also check depending on your SP level:

http://service.sap.com/sap/support/notes/1688747

http://service.sap.com/sap/support/notes/1724895

Let me know your SP level.

Regards,

Alessandro

Former Member
‎07-15-2014 5:05 PM
0 Kudos

Issue solved. When P_ORGIN and P_ORGINCON are placed together in a single "Permission Group", both Permissions have to be violated in order to report a violation on Role Level and User Level SoD Review.

Thanks for your help.

-john

Answers (0)

Ask a Question