cancel
Showing results for 
Search instead for 
Did you mean: 

Risk Analysis - User Level issue

Former Member
0 Kudos


Hello All,

When i am trying to run the Risk Analysis at User Level,I am getting "No Violations" for all users.For eg. User X has Y role assigned.I am getting 'No Violations" for user X.However, while performing Role level risk analysis for role Y,I am getting violations.

So,Ideally i should get violations for user X too.Please correct me if i am wrong.

My role level risk analysis is working fine but i have issue with User level risk analysis.

Please let me know any solution to my issue.

Regards,

Antargami Gauda.

Accepted Solutions (0)

Answers (1)

Answers (1)

madhusap
Active Contributor
0 Kudos

Hi Antargami,

Please check below mentioned details and confirm if everything is fine.

1. Do you have the users and the roles in the repository tables.Please check the following tables

GRACUSERCONN

GRACRLCONN

Please make sure that the entries for the specific connector exist in these tables.

Also make sure that the rules for the risks are generated, Check for the entries in the table GRACACTRULE.

2. Please make sure that the user is not locked or expired. I would sugggest you to include the locked

and expired users while running the user level risk analysis.

3. when you run risk analysis do not keep any selection field blank.

4.

Note 1824956 - User Analysis Report shows "No violations"

Note 1817251 - User Analysis Report shows "No violations"

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

Tables GRACUSERCONN & GRACRLCONN have data updated in it in the system for the required connector.

However,there is no data for the specific connector in the table GRACACTRULE.

Is it that the connector and the connector group name should be same as the target logical system name?

Also,does GRAC_GENERATE_RULES updates the table GRACACTRULE for the specific connector?

Regards,

Antargami Gauda.

madhusap
Active Contributor
0 Kudos

Hi Antargami,

Follow below steps:

Your connector name created in SM59 and Logical Port name maintained in BD54 should be the same.

Also in the path Maintain Connectors and Connection Types


Add your connector as


Target Connector( Your SM59 connector)

Connection Type (SAP)

Logical Port (Same as in your BD54, of course your connector will be also with the same name)


Then Create Connector Group - Any name as per your naming convention


Assign Connector group  to Group Type - Logical Group.


Now add your Connector to Connector Group created. Then complete all below steps


Maintain Connection Settings

Maintain Connector Settings

Maintain Mapping for Actions and Connector Groups

IMG parameters Config


Make sure your Ruleset is already loaded in system and make sure that logical systems in the rule set match the logical systems that you connectors are mapped to.


Then run all the sync jobs for the connector which is created above and mapped to your connector group.


Once done, generate rules from backend or from front end NWBC


Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

Your connector name created in SM59 and Logical Port name maintained in BD54 should be the same - Its same

Also in the path Maintain Connectors and Connection Types - Its Done


Add your connector as


Target Connector( Your SM59 connector) - Done

Connection Type (SAP) - Done

Logical Port (Same as in your BD54, of course your connector will be also with the same name) - Done


Then Create Connector Group - Any name as per your naming convention - Done


Assign Connector group  to Group Type - Logical Group - Done


Now add your Connector to Connector Group created. Then complete all below steps - Done


Maintain Connection Settings - Done

Maintain Connector Settings - Done

Maintain Mapping for Actions and Connector Groups - Done

IMG parameters Config - Done


Make sure your Ruleset is already loaded in system and make sure that logical systems in the rule set match the logical systems that you connectors are mapped to - In which tables or configuration should i check this?


Then run all the sync jobs for the connector which is created above and mapped to your connector group - Done

madhusap
Active Contributor
0 Kudos

Hi Antargami,

Are you using standard SAP provided ruleset?

Are you using standard SAP provided logical group SAP_R3_LG?

Upload your rules using Upload rules option in SPRO against the logical group in which your connector is maintained. In my case my connector group is ECC_LVT_LG

Then generate the rules.

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

I am generating the rules.

Meanwhile, please let me know which job updates the table GRACUSERPRMVL

Also, is it that for violations to reflect for a user there should be entries in this table for the respective user.

Regards,

Antargami Gauda.

madhusap
Active Contributor
0 Kudos

Hi Antargami,

When your run risk analysis for a user, based on the roles assigned to him in target system and rules maintained in GRC system, these rules evaluate against the user access and shows the risks associated with that user.

GRACUSERPRMVL - This table gets updated if you run batch risk analysis.

Batch risk analysis will run risk analysis against all the users in the target system you mentioned and stores the SOD violations data for those users in GRC tables. This information would be used for SOD review workflow. GRACUSERPRMVL entries are not mandatory for running risk analysis against the user. Mandatory is your rules should exist in GRC system in table GRACACTRULE

In your case if you upload the rules as mentioned earlier and generate the rules you can see the rules for different risks in GRACACTRULE table. If the rules are there and all synch jobs are completed, then run risk analysis for user and check.

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

I can now find entries for my connector in table GRACACTRULE.

I have executed the batch risk analysis job.

I had a question that which table system refers for the role level risk analysis.

My role level risk analysis is working fine.Its only the user level risk analysis which fails.

Regards,

Antargami Gauda.

Former Member
0 Kudos

Hi Antargami,

What kind of issues you get the see while running the user level risk analysis? Some snap shots will help us understand your issue in detail. SLG1 reports.

You are running risk reports on one user or user group..?

You can refer: http://service.sap.com/sap/support/notes/1715729

Did you successfully run job: GRAC_ROLEREP_USER_SYNC

Regards,

Ameet

Former Member
0 Kudos

Hi Ameet and Madhu,

The issue is resolved.

I uploaded all the rulesets for my connector,generated the rules(It reflected the rules and risks in the table GRCACTRULE) and then after successfull execution of all jobs along with Batch Risk Analysis,I am getting the required result for User Level Risk Analysis too.

I believe that for the risks to reflect while simulation(@user or role level) or while executing risk analysis, it is important that the rules shoud be reflected in the table GRACACTRULE which will happen after you upload the rules into your respective connector,generate the rules and successfull execution of jobs along with Batch Risk Analysis.

Regards,

Antargami Gauda.

madhusap
Active Contributor
0 Kudos

Hi Antargami,

Glad that your issue has been resolved.

Please close the thread and mark it as answered.

Regards,

Madhu.