on 04-21-2015 3:08 PM
Hello,
We are configured the system GRC AC 10.1 according the configuration guides.
After configure the Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed. We use a user test with roles and rules created for test this situation and no results are displayed. The same happens for the rest of real users.
We try to execute the risk analysis both in on line or offline mode but with the same result.
What could be missing? I found a lot of SAP notes for this particular problem specially for GRC 10.0 nut none for GRC 10.1.
Follow I send some information points:
Components
SAP GRC AC 10.1
SP v007
GRCFND_A V1100 SAPK-V1107INGRCFNDA
GRCPINW V1100_731 SAPK-11507INGRCPINW
Configuration steps
This tables contain entries:
GRACUSERCONN
GRACRLCONN
GRACACTRULE
This tables does not contain entries:
GRACUSERACTVL
GRACUSERPRMVL
Jobs executed:
GRAC_PFCG_AUTHORIZATION_SYNC
GRAC_REPOSITORY_OBJECT_SYNC
GRAC_ACTION_USAGE_SYNC
GRAC_ROLE_USAGE_SYNC
Best Regards for all.
PC
Dear Pedro,
seems that your rule set is not working properly. Can you please check if the functions are maintained for the correct system or connector group?
After that you can for example try to analyze the profile SAP_ALL, which should definitely have risks. Therefore use the profile level risk analysis.
If you are unsure please post a screenshot from a risk/function(s) that should have risks so that we can check if it's correctly maintained.
Regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks Alessandro for your answer,
Analyzing SAP_all profile with profile level risk analysis, the system returns results.
Although, if I using user level risk analysis for a user with SAP_all profile no violations are displayed (the same happens for the regular users synchronized from the plug in system, with regular functions).
We implemented the follow rulesets in the system:
GRAC_RA_RULESET_SAP_HR
GRAC_RA_RULESET_SAP_NHR
GRAC_RA_RULESET_SAP_R3
Here is a screenshot of the rules sets and a screenshot from a custom rule created to test this functionality:
Best Regards
and the system SE1 is in the connector group "SAP R3"?
If the profile SAP_ALL results any risks then you might have no risk applicable for the user you are analyzing.
On top your risk is a cross system risk. Are you aware of that? Did you try if it works for single system?
Personally I recommend to check one step after the other. If single system works properly then you can move on to more complex scenarios like cross system.
Let us know.
Regards,
Alessandro
Hi Janantik,
By one side in our case we have a configuration that we just deleted:
Governance > Risk and Compliance > Access Control > Maintain Plug-in Settings.
You can check this by: Goto se11 and select view and add view name – GRACV_NONGRCPI > Open content (shft+ctrl+f10), then add your system and press enter. Then you will see active entry of SE1. Just delete this entry. That’s the only reason, it is not picking authorization from backend system and no violations are coming on ad-hoc screen.
By other side we notice that the system was not retrieving expired and locked users. You can check this in table GRACUSERCONN.
We are waiting for a final analysis from sap support and I´ll update this post with that info.
Regards
Hi Pedro,
Can you please check rule set and risk level selected for risk analysis report.
screen shot provided you shows the rule set - global and Risk level - High, In this case User GRCTEST06 must have roles or access which will have risk level High and please check ruleset Global (activated) for SE1 system have risk(High level status).
Regards,
Rakesh Kirve
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.