cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC AC 10.1: ARA - no analysis results (no violations)

Go to solution
pedro_carvalho2097
Explorer

on ‎04-21-2015 3:08 PM

0 Kudos

Hello,

We are configured the system GRC AC 10.1 according the configuration guides.

After configure the  Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed. We use a user test with roles and rules created for test this situation  and no results are displayed. The same happens for the rest of real users.

We try to execute the risk analysis both in on line or offline mode but with the same result.

What could be missing? I found a lot of SAP notes for this particular problem specially for GRC 10.0 nut none for GRC 10.1.

Follow I send some information points:

Components

SAP GRC AC 10.1

SP v007

GRCFND_A  V1100  SAPK-V1107INGRCFNDA

GRCPINW  V1100_731  SAPK-11507INGRCPINW

Configuration steps

  1. 1.Default configuration parameters (1023,1024, 1025, 1026)
  2. 2.Adding connector to AUTH scenario
  3. 3.We are using the SAP standard as delivered in the BC Sets. After activating them, we did generate them.
  4. 4.Assigning connectors to the logical groups
  5. 5.Generating Rules
  6. 6.Running Jobs
  7. 7.GRAC_PFCG_AUTHORIZATION_SYNC
  8. 8.GRAC_REPOSITORY_OBJECT_SYNC

This tables contain entries:

GRACUSERCONN

GRACRLCONN

GRACACTRULE

This tables does not contain entries:

GRACUSERACTVL

GRACUSERPRMVL

Jobs executed:

GRAC_PFCG_AUTHORIZATION_SYNC

GRAC_REPOSITORY_OBJECT_SYNC

GRAC_ACTION_USAGE_SYNC

GRAC_ROLE_USAGE_SYNC


Best Regards for all.

PC

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
‎04-21-2015 3:26 PM

Dear Pedro,

seems that your rule set is not working properly. Can you please check if the functions are maintained for the correct system or connector group?

After that you can for example try to analyze the profile SAP_ALL, which should definitely have risks. Therefore use the profile level risk analysis.

If you are unsure please post a screenshot from a risk/function(s) that should have risks so that we can check if it's correctly maintained.

Regards,

Alessandro

Show replies
Show replies
alessandr0
Active Contributor
‎04-21-2015 3:29 PM
0 Kudos

and as you are using standard rule sets provided by sap you need to enable GRAC_RA_RULESET_COMMON beforehand. After that you can enable the rule sets you need (e.g. for R3 - GRAC_RA_RULESET_SAP_R3).

Cheers,

Alessandro

pedro_carvalho2097
Explorer
‎04-21-2015 4:45 PM
0 Kudos

Thanks Alessandro for your answer,

Analyzing SAP_all profile with profile level risk analysis, the system returns results.


Although, if I using user level risk analysis for a user with SAP_all profile no violations are displayed (the same happens for the regular users synchronized from the plug in system, with regular functions).

We implemented the follow rulesets in the system:

GRAC_RA_RULESET_SAP_HR

GRAC_RA_RULESET_SAP_NHR

GRAC_RA_RULESET_SAP_R3

Here is a screenshot of the rules sets and a screenshot from a custom rule created to test this functionality:

Best Regards

alessandr0
Active Contributor
‎04-21-2015 4:54 PM
0 Kudos

and the system SE1 is in the connector group "SAP R3"?

If the profile SAP_ALL results any risks then you might have no risk applicable for the user you are analyzing.

On top your risk is a cross system risk. Are you aware of that? Did you try if it works for single system?

Personally I recommend to check one step after the other. If single system works properly then you can move on to more complex scenarios like cross system.

Let us know.

Regards,

Alessandro


Former Member
‎04-23-2015 3:48 PM
0 Kudos

Hello Pedro, were you able to resolve this issue ? I'm faced with a similar issue wherein the tables

GRACUSERACTVL and GRACUSERPRMVL have no entries (empty).  Do let me know. Thanks.


- Janantik.

pedro_carvalho2097
Explorer
‎05-22-2015 12:04 PM
0 Kudos

Hi Janantik,

By one side in our case we have a configuration that we just deleted:

Governance > Risk and Compliance > Access Control > Maintain Plug-in Settings.

You can check this by: Goto se11 and select view and add view name – GRACV_NONGRCPI > Open content (shft+ctrl+f10), then add your system and press enter. Then you will see active entry of SE1. Just delete this entry. That’s the only reason, it is not picking authorization from backend system and no violations are coming on ad-hoc screen.

By other side we notice that the system was not retrieving expired and locked users. You can check this in table GRACUSERCONN.

We are waiting for a final analysis from sap support and I´ll update this post with that info.

Regards

Former Member
‎02-26-2016 7:39 AM
0 Kudos

Hi Pedro,

Please let us know if you have solution or root cause why table is not GRACUSERPRMVL getting update with data in GRC.

In my system it's having 0 entries.

Regards

Venkat

Answers (1)

Answers (1)

former_member239021
Explorer
‎02-26-2016 11:38 AM
0 Kudos

Hi Pedro,

Can you please check rule set and risk level selected for risk analysis report.

screen shot provided you shows the rule set - global and Risk level - High, In this case User GRCTEST06 must have roles or access which will have risk level High and please check ruleset Global (activated) for SE1 system have risk(High level status).

Regards,

Rakesh Kirve

Show replies
Show replies
former_member239021
Explorer
‎02-26-2016 11:41 AM
0 Kudos

Also if user is already mitigated please tick Included Mitigate risk option in initial screen of Risk analysis report. sometime role itself are also mitigated so check the roles assign to user are not mitigated.

Ask a Question