GRC AC 10: RAR - no analysis results
I configured my system according to the configuration guides.
But when I start e.g. Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed!?
I ran all the Sync Jobs and SLG1 doesn't give me any errors.
FF and PSS both work fine.
FYI: Also in Business Role Management (BRM) no roles are displayed... maybe these two issues could be caused by the same problem?!
Thank you in advance
For the ruleset - are you using the SAP standard as delivered in the BC Sets? If so, after activating them, did you generate them?
Also, which SP are you on, as there have been a few notes recently relating to No Violations displaying, such as below:
Note 1817251 - User Analysis Report shows "No violations"
On your FYI comment about the BRM with NO roles displaying...
- Is this on the role repository in NWBC?
- Did you complete the Role Import in NWBC to pull the role definitions into the repository (this is not the same as the synch)?
For both issues - have you completed Maintain Connection Settings in the Integration Framework for ROLEMG, PROV, AUTH and SUPGM?
Do you have the users and the roles in the repository tables? Please check the following tables
Please make sure that the entries for the specific connector exist in these tables.
Also make sure that the rules for the risks are generated. Check for the entries in the table GRACACTRULE.
If you have recently upgraded to SP 11, implement the notes mentioned by Colleen. This was a known bug in SP11.
For the BRM Role, you will have to import all the roles from the backend to the BRM using the Role import functionality. Once this is done, run the Sync job again.
I hope this will help.
Thanks & Regards
Kindly review/implement SAP Note 1824956. This should help in resolving this issue, as there were few issues with the Risk Analysis results reported in SP11.
Thanks for your helpful response!
Yes, I use the pre-delivered BC Sets/rulesets.
Yes, after activation, I generated the SoD Rules in Governance, Risk and Compliance > Access Risk Analysis > SoD Rules > Generate SoD Rules (slide 13 of AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis.pdf), if you mean that.
I am running GRC on SP12, so Note 1817251 is already implemented.
Now I have implemented Note 182456.
But still NO Risk Analysis result in Access Management > Access Risk Analysis > User/Role/Profile Level (screenshot)
According to my BRM issue:
I didn't know that I have to import all the roles first... and thought a sync would be enough.
Now I imported the roles from my backend systems and now they show up in BRM :-) Thank you!
Any other suggestions for my RAR issue?
Thanks in advance
After importing the roles, now the roles show up in BRM :-) Thanks.
But my RAR issue still exists :-( (see screenshot above)
Other things to check
Configuration parameters for risk analysis - see if you are excluding any users (e.g. locked)
Look at the functions in the rule set for the connector group they are against and check to see if your connectors are in the same group?
Rerun your full object synch since importing roles
Sorry messaging from phone so can't provide steps
Looking at the screenshot, there are 2 possibilities:
1. There are no users in the GRC Repository. Please use the Tcode SE16 and check the entries in the table GRACUSERCONN.
2. The rules are not generated. Please check the table GRACACTRULE.
Please provide the screenshot of both the tables.
Thanks & Regards
GRACUSERCONN: all Users from all backend systems are stored in table GRACUSERCONN.
GRACACTRULE: although I generated all Risk IDs, in table GRACACTRULE there are only entries for Risk ID=B001
I don't get it... I even reran all the jobs... still no results (still like in screenshot)
The issue here is the rules. The rules are not generated.
The table GRACACTRULE stores the action rules. You will have to regenerate the rules, as the table does not have any entries apart from the Risk ID B001.
Once the rules are generated properly, you will get the violations.
Thanks & Regards
I found something weird. Maybe I just don't get the sense of the field "System" (in Function/Action details) or there is something wrong.
In the screenshot you can see that my 2 backend systems "GRC->..." are available in the dropdown list.
The Functions are NOT assigned to them, they are assigned e.g. to SAP R3.
Just for understanding... should the Action be assigned to my backend system or only to e.g. SAP R3 (and my backend system to the group SAP R3)?
Because I think, my backend system should be visible in this dropdown list, do they?
I don't know where I customized this, so they are visible in the dropdown list...
I guess the SAP R3 is the logical group. Just make sure that
1. The physical system (Connector) for which you are running the risk analysis is part of the logical group.
2. The rules exist for the logical group (GRACACTRULE).
Thanks & Regards
To be sure, I activated again all the BC Rule Sets:
ONLY GRAC_RA_RULESET_COMMON could be activated without any warning.
The activation of the other Rule Sets ended with warnings!
e.g. "GRAC_RA_RULESET_SAP_R3 Activation ended with
View V_GRFNCONNTYPE: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCCICONNECT: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCCISSEQCON: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCONNGRP: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCGRPCONLNK: View cluster GRFNVC_CCI_TS_CONNECTOR does not contain data at all levels
Activation of customizing object GRFNVC_CCI_TS_CONNECTOR ended with warning
View V_GRFNCONNTYPE: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCCICONNECT: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCONNGRPTYP: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
View V_GRFNCGRPCONLNK: View cluster VC_GRFN_CCI_TS_CONNECTOR does not contain data at all levels
Activation of customizing object VC_GRFN_CCI_TS_CONNECTOR ended with warning"
Also see attachment for the whole Activation Log
Maybe that's the reason why the rules won't be generated?!
These tables should be populated with the BC Sets you are trying to activate.
VC_GRFN_CCI_TS_CONNECTOR is all of the views merged together to make up the IMG screen below
Please go to IMG > Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
For View V_GRFNCONNTYPE please check you have these values on the first screen:
Note: BUSINESS may not exist but if you intend to create Business roles in ERM you will need this connector type (there was a SAP note providing this information).
For Views V_GRFNCCICONNECT and V_GRFNCCISSEQCON- These are the connectors you create and define under "Define Connectors" and "Define Subsequent Connectors"
For View V_GRFNCONNGRP this is Define Connector Groups. You should have the following values:
For View V_GRFNCGRPCONLNK this is the "Assign Connectors to Connector Groups" - this is where you map your connector to the Connection Group. This is also the link for SAP to know your system belongs to that group for the Risk.
I would recommend you review this configuration (integration framework) to ensure you have it all in place
In addition, you also need to ensure that you have completed IMG step "Maintain Connection Settings" to map your connectors to the integration scenarios of AUTH, ROLMG, SUPMG and PROV
Did you activate the BC sets in the same order you listed above? I recall in a post the COMMON set must be done first.
I still don't know why the activation of the BC sets ends with warnings... and yes, I activated them in the same order I listed above.
Well, I managed, that the table GRACACTRULE now contains all entries from all Risk IDs.
But still, no results in the reports (user/role/profile level), even though some dashboards (e.g. Access Dashboards > Role Analysis) give me results!
To make sure 1 role contains a SoD violation, I created a role using GRC ERM containing functions BS04 & BS11 (that means this role should give a SoD violation for Risk ID B005).
Therefore I simply added those two functions during ERM step "Maintain Authorizations".
The creation of this role (single role) was successful and I reran all the sync jobs.
But when I start again the Access Risk Analysis for Role Level, no results are displayed!!!
So it doesn't show that this new role violates Risk ID B005?!?!?!
Do I have to ensure anything else? Maybe some role specifics?
Because somehow I also cannot request this new role via Access Request Management (role isn't available for selection)?!
I'm probably repeating a large portion already mentioned in this thread but easier to keep it altogether. I'm assuming your connector group is SAP_R3_LG based on functions and risks you listed
CONFIGURATION IN IMG
- Create Connectors - you created your SM59 connector, tested it works, etc
- Maintain Connectors and Connection Types -
  - Connection type definition - there is a connection type entry for SAP
  - Define Connectors - You have added your Connector and mapped it to connector type SAP with Logical Port (value from BD54 - most likely your RFC Name); max number of background work process. Define Subsequent Connectors not required for SAP
  - Define Connector Groups - You have the Connector Group SAP_R3_LG
  - Assign Connector Groups to Group Types - Connector Group SAP_R3_LG has Logical Group Mapped
  - Assign Connectors to Connector Groups - Your connector is mapped for Connection Type SAP
- Maintain Connection Settings - For Each Scenario: AUTH, ROLMG, PROV and SUPM - you have the Scenario-Connector Link completed to add your Connector for Connection Type SAP
Access Controls Configuration relating to Connectors
- Maintain Connector Settings
  - Your Target Connector (RFC Connection) has Application Type 01 for SAP. Attributes do not need to be assigned
- Maintain Mapping for Actions and Connector Groups:
  - You have a connection group entry for SAP_R3_LG marked as Active and mapped to Application 001 - SAP
- Assign default connector to connector group:
- Maintain Connector Group Status: Connection Group SAP_R3_LG should be active for Application Type 001 (SAP)
- Assign default connector to connector group: check the SAP_R3_LG group has your target connectors mapped for Action 0002 - Role Risk Analysis (also suggest actions 0001 to 0004; add 0005 if you have HR Trigger). No Group Field Mapping or parameter mapping would be required
Other IMG Configuration
- Maintain Access Risk Levels - You have the Risk Levels for Low, Medium, High and Critical (I think are included as part of Add On)
- Maintain Business Processes - You have business process values to match the risk
The following Configuration Parameters will impact RAR (Group 03). Values in bold may impact exclusions for results. GRACCONFIG table contains the defaults. GRACCONFIGSET are any values you have entered in the Maintain Configuration Parameters
1021 Consider Org Rules for other applications
1022 Connector for which Object Ids may be maintained case sensitive
1023 Default report type for risk analysis
1024 Default risk level for risk analysis
1025 Default rule set for risk analysis
1026 Default user type for risk analysis
1027 Enable Offline Risk Analysis [Make NO or you need to complete the batch analysis]
1028 Include Expired Users
1029 Include Locked Users
1030 Include Mitigated Risks
1031 Ignore Critical Roles & Profiles
1032 Include Reference user when doing user analysis
1033 Include Role/Profile Mitigating Controls in Risk Analysis
1034 Max number of objects in a package for parallel processing
1035 Send email notification to the monitor of the updated mitigated object
1036 Show All Objects in Risk Analysis
1037 Use SoD Supplementary Table for Analysis.
1046 Extended objects enabled connector
1048 Business View for Risk Analysis is enabled
Particular ones to check would be:
1012 Consider Rule Id also for mitigation assignment
1013 Consider System for mitigation assignment
1022 Connector for which Object Ids may be maintained case sensitive
1026 Default user type for risk analysis
1027 Enable Offline Risk Analysis
1051 Max number of objects in a file or database record
1100 Enable the authorization logging
Rule set and NWBC Data
- You have the rule set activated - I would recommend you activate the two functions and risk via NWBC again
- Your SoD Risk is mapped to the rule set that you are using in your report
- Do you have mitigating controls built and assigned?
- You have executed the synch job for object repository for users, roles and profiles for the Connector mapped to SAP_R3_LG
Your Report Information
What does your initial selection criteria look like? Are you leaving any fields blank (if so remove them). Also, do you have users and roles mitigated result in exclusion from results - tick box on selection criteria? Can you try running the report for the specific role and risk?
Key Tables checked in the report (based on ST05 trace for Single Role analysis for specific system)
GRACACTIONSYST Action Connector Text Table
GRACBPROC Business Process
GRACBPROCT Business Process Text
GRACCRPROFILE Critical Profile Rule
GRACCRROLE Critical Role Rule
GRACMITROLE Role mitigating control assignment
GRACRISKLEVELT Risk Level Descriptions
GRACRLCONN Store roles in backend system, incl roles not maint. in ERM
GRACRLCONNT Table to store role description in backend system
GRACSODREPDATA SOD Reporting Framework content
GRACSODREPINDEX SOD Reporting Framework index
GRACSODREPSTATUS Report status
GRACSYSRULE System Specific Rule Mapping
GRFNCCICONNECTOR CCI Connector
GRFNCGRPCONLK Connector Group and Connector Type Link
GRFNCONNGRP Connector Group definition
GRFNCONNGRPT Connector Group Description
GRFNCONNGRPTYPE Connector Group Type Definition
GRFNCONNSCNLK Connector Scenario Link
GRFNFLDHR HR Configurable Fields
GRFNFREQUENCYS Timeframe Frequencies - SAP delivered entries
GRFNSCNCTYPLK Sub Scenario Definition
HRP5354 DB Table for Infotype 5354
Thank you very much for your helpful and detailed posts, really appreciated :-)
All the configuration steps you mentioned were already set correctly.
I got the "issue" fixed, even though it wasn't really an issue.
The point is, the default fields "System" and "User"/"Role"/"Object ID" mustn't be empty. When they are empty, the reports don't show any results.
If you want to analyze ALL Objects, you have to fill in '*' (not blank!)
BUT - just for understanding:
The analysis in Access Management > Access Risk Analysis > User/Role/Profile Level WORK!
The analysis reports in Reports and Analytics > Access Risk Analysis Reports > User/Role/Profile Risk Violation DON'T WORK (no results)!
Why? Because for me they ("Access Risk Analysis" & "Access Risk Analysis Reports") do the same
Glad to hear working. I'm not sure on differences - possibly selection of data for tables
I treat moments like these as "SAP is a special beast"
Excellent thread - should be a sticky!
Once again great advice Colleen. I'm wading through this to sort out my similar issue for which I've posted a thread too.
Great job guys! Now let me delve into my issue... and get to the bottom of it.
I have a very similar problem, in that the results do not show. I did post another thread but it seems to have disappeared. I'm going to go through this and other similar threads once more and thoroughly check all my configurations and then give you guys more details - so bear with me.
Did you resolve the Warning issues for the BC activations and if not did it affect your results or have any consequences later?
I am running the ad hoc user risk analysis and it's working for some users and not working for other users. For the non-working users, I am not getting any results at all when I run the analysis at the permission level/action. We are on SP10. All rules have been generated and all jobs have been scheduled. I also ran it by including mitigated risks for just one risk. Any ideas on what could possibly be wrong? We are doing a migration from Virsa to GRC 10 and just trying to validate/compare the user analysis results we got from Virsa to GRC 10. Virsa shows the user's violations but AC 10 is coming up BLANK for this user, but I see that this user's risks are generated when I go to GRACACTRULE and also in NWBC. All the batch jobs and synch jobs were successfully completed as well. Any ideas?
This is very urgent for me...I will appreciate if anyone has a feedback.
My second question is unrelated. Currently we have only ONE ruleset - our customized ruleset that we migrated from our Virsa system. When you go into GRC NWBC, our permissions and rules are pointing at our physical connector which was created in SM59, but my question is: 1) should we create a custom connector group for this connector and assign the connector to the custom connector group? Or should we assign it to the SAP_BAS_LG connector group? Or SAP NHR_LG connector group? Why or why not? What does the connector group control or impact?
2) We would like to house our custom rules as described above and GLOBAL rules as well in AC 10. Should we create another physical connector for our global rules? Or should we use the same connector that we used in (1) above for the custom rules but assign the connector to a different connector group, e.g. SAP_BAS_LG and SAP_NHR_LG?
No, there are still warnings... I don't know if those warnings could have any consequences later, because I am working on a sandbox GRC machine which is still under "construction".