No Roles Exists in Access Risk Analysis

Former Member
0 Kudos

Dear Gurus,

I just installed SAP GRC 10.1 for Access Control only, mainly to check risk analysis (SoD review) on SAP ECC 6.0. I installed the SAP Access Control on SAP Netweaver 7.4 SP 8 with GRCFND_A on version 1100 SP Level 13. The SAP ECC System has two clients: ERP and HR, therefore I installed GRC Plugin: GRCPINW on version V1100_700 SP Level 14 and GRCPIERP on version V1100_700 SP Level 13.

In NWBC, I want to perform Access Risk Analysis under Access Management -> Role Level; however, the result is empty. Then I checked Access Management -> Role Maintenance -> Role Search, and there are no roles shown in the result.

I already performed these steps:

SAP Access Control 10.1 Installation Guide

-Activate Application on Client

Activate GRC-AC only

-Activate SAP Service

Activate all service under /sap/public,/sap/bc/sap/grc

-Configuring SAP Netweaver Gateway

-Maintaining Plug-in Setting.

I installed the plug-in on the SAP ECC, and maintained its user exit for plug-in system and plug-in configuration settings

-Activate BC Sets

I activated BC sets for SAP Access Control only. I activated them using TCode SCPR20; however, I'm not really sure that all the BC sets I activated were using expert mode. Do I have to reactivate them again? If I check table SCPRACTP, all BC sets for SAP Access Control have been activated.

AC 10.0 Post Installation

-Create User in SAP Access Control system, with roles SAP_GRAC*,SAP_GRC*

-Create Connector for both ERP and HR client

-Maintain Connector and Connection Types

I maintained connector for both ERP and HR client and mapped it into Connector Group (SAP_BAS_LG,SAP_HR_LG,SAP_NHR_LG,SAP_R3_LG)

-Maintain Connector Setting

AC 10.1 Pre-Implementation From Post-Installation to First Risk Analysis

-Maintain Configuration Parameter

-Maintain Connection Setting

-Generate Rules

-Run Job GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_OBJECT_REPOSITORY_SYNC

After these steps, I checked the Role Search on NWBC and the result was empty.

I also performed configuration on these items as well:

-Maintain Mapping for Actions and Connector Groups

-Maintain Plug-in Setting

-Execute Batch Risk Analysis

Any feedback will be greatly appreciated.

Thanks,

Kris

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi Kris,

Checking the role under F4 search for Risk Analysis at role level brings the result from the tables where the data is saved after running Role sync job.

The Role Maintenance screen will show roles which are either created in the BRM application or imported into BRM using the Role import functionality.

You can check your Role Sync job if roles are not coming under F4 search from Role level risk analysis.

Regards,

Shaily

Former Member
0 Kudos

Hi Shaily,

Two sync jobs, GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_REPOSITORY_OBJECT_SYNC, finished successfully, with the logs saying that they successfully synced to the connector. However, when I check the role using F4 search in Risk Analysis, I couldn't find any role there.

Thanks,

Kris

Former Member
0 Kudos

Hi Shaily,

Now, checking with the F4 search, I was able to find any role from the SAP ECC system. However, after running Access Risk Analysis at role level as a background job, I checked the result on the report and analysis tab -> Access Risk Analysis Reports -> Role Risk Violation Report, and the report was empty.

Thanks,

Kris

Former Member
0 Kudos

Hi Kris,

SAP recommends activating the BC Sets in Expert mode so that the customizing tables are correctly updated with the required data.

If you have a custom connector group you need to upload the ruleset against the custom connector group and generate the rules.

Also, you cannot find the roles in role search until they are explicitly imported to the BRM repository.

However, this is a prerequisite for ARM and not for ARA.

Check if the thread below is useful:

http://scn.sap.com/thread/3952002

Regards,

Manju

Former Member
0 Kudos

Hi Manjunath,

For BC Activation, I will try to reactivate all the BC sets again using the expert mode.

>>If you have a custom connector group you need to upload the ruleset against the custom connector group and generate the rules.

Could you explain more detail about uploading the rule set?

I had generated the SoD rules from the standard rule set based on the AC 10.1 Pre-Implementation From Post-Installation to First Risk Analysis document.

So, it means that if I only want to perform ARA, there is no need to import all roles. But when I perform ARA on role level, I couldn't find any role. The result is always empty.

Thanks,

Kris

Regards,

Manju

former_member226273
Active Participant
0 Kudos

Hello Kris,

Could you please check the logs for the sync jobs if all jobs were successful?

Also, please check if table GRACRLCONN is having entries for the needed connector.

Kind regards,

Yashasvi

Former Member
0 Kudos

Hi Yashasvi,

The job logs said that the sync completed for connector AOQCLNT100 (the ERP client) and AOQCLNT200 (the HR client).

The GRACRLCONN has entries with roles from the SAP ECC system for connector AOQCLNT100 and AOQCLNT200.

Thanks,

Kris

former_member226273
Active Participant
0 Kudos

Hello Kris,

Please check the connector settings for these connectors.

For Role Search and Role maintenance, the BRM data is needed. Please check if entries are available in the GRACROLE table. If it's empty, you have to upload roles in order to see them in Access Management -> Role Maintenance -> Role Search.

For empty risk analysis result, what is the message (e.g. no rules were selected) ?

Kind regards,

Yashasvi

Former Member
0 Kudos

Hi Yashasvi,

It is clear for me that if I want the role to be shown on role search, the BRM data is needed. But my main focus now is I want to see if there is any violation on the role.

Now I was able to find the role on F4 search, therefore I started running Access Risk Analysis -> Role level as a background job. However, on the Report and Analytics -> Access Risk Analysis dashboard -> Role Risk Violation Report, the report was empty. There is no error message, the dashboard was just empty.

Thanks,

Kris

former_member226273
Active Participant
0 Kudos

Hello Kris,

So now you have the role data available in GRC on which risk analysis is to be performed.

Now, the second component is the GRC Access rules.

Please check in the job log whether the rules were generated successfully. You can also check table GRACACTRULE (for action rules) for the respective connector.

Another question, are you getting risk results if you run risk analysis in foreground?

Kind regards,

Yashasvi

Former Member
0 Kudos

Hi Yashasvi,

Rules are successfully generated according to the job log. On table GRACACTRULE, I can see around 700.000 entries.

I got a connection timeout when I ran it in the foreground; when I ran it in the background it took around 14000 s.

Thanks,

Kris

former_member226273
Active Participant
0 Kudos

Hello Kris,

Try running risk analysis on short data (one role or one user). Please make sure that this role or user has some risks.

If you get the results, it means risk analysis functionality is running fine.

In order to get results in the report and analysis section, please run Batch Risk Analysis from SPRO. You can find it under Access Control -> Access Risk Analysis.

Kind regards,

Yashasvi