
ARA does not show Violations in a role though conflicting transaction codes are assigned???

Former Member
0 Kudos

Hi,

I have noticed that a role having conflicting transaction codes assigned in the back end system is not properly analyzed in the ARA application. When this role is analyzed, a "No Violations" message is shown though there are conflicting transaction codes assigned.

As far as risk definition is concerned, conflicting actions are properly defined in respective conflicting actions and these actions are grouped in a risk, which is applicable to a logical group (which in turn has the connector included causing this problem) and they are active.

Rules are properly generated for all the risks and functions. However, at the time of running risk analysis for this role, ARA is not showing it as a risk.

May anyone please advise on this?

Regards,

Rehan

Accepted Solutions (0)

Answers (4)


former_member204479
Active Participant
0 Kudos

Hi Rehan,

Are you running the analysis from "reports and analytics" or "access management" tab?

If from reports and analytics, then has the batch risk analysis on the backend system completed successfully?

Make sure you are not running an offline report without batch risk analysis completed.

Thanks

Sammukh

Former Member
0 Kudos

Hi Sammukh,

I am running this analysis from "Access Management" Tab.

Rhn

Former Member
0 Kudos

Hello Rehan

3 step check for your issue:

1 are you able to search for your role in GRC 10 in role analysis screen rather than just paste the role?

2 check the object values related to tcodes added, check for 03 and 3 difference.

3 can you delete the profile and regenerate it, if not solved by it recreate the role and then try.

Rajesh

Message was edited by: Rajesh Nanda

Former Member
0 Kudos

Rajesh,

I have downloaded the rules for both SAP_R3_LG logical group and respective physical system. I have noticed that I can find function_action rules for SAP_R3_LG in the downloaded file. However, I don't find FUN_ACT and FUN_PERM details for the respective physical system I am analyzing this role for!

I can find all other details like business processes, functions etc. But FUN_ACT and FUN_PERM files are empty. Do you think this can be the issue?

If we generate rules, simply we select all risks from NWBC and then run the background job. But I did not find a way to generate rules for a specific physical system.

Do you think that generating rule from back end will populate the rules for physical system also?

Can you please advise?

Regards,

Rehan

former_member204204
Active Participant
0 Kudos

Hi Rehan,

Upload the rule set for the physical system, make sure you have these files while uploading -- FUNC_ACT and FUNC_PERM is a must.

Then generate the rule set and then try to perform the analysis.

Regards,

Neeraj

Former Member
0 Kudos

Neeraj,

If we are using SAP_R3_LG and all the rules are defined for this logical group, then may you tell me why I need to maintain the rules for each physical system?

What ever I maintain for this logical group, is applicable to all the physical systems defined under this.

Please advise.

Rhn

former_member204204
Active Participant
0 Kudos

Yeah, sorry, I meant to say try to upload the rules for your logical system once with complete files.

Regards,

Neeraj

Former Member
0 Kudos

You mean, though it is "already there", I must now upload them for SAP_R3_LG again and generate the rules!

Really not sure what effect it will have since I have downloaded files for SAP_R3_LG logical group and again uploading the same for the same logical group.

Can you please advise?

Rhn

Former Member
0 Kudos

Neeraj,

I have uploaded the rules for one of the physical systems (which is already defined in SAP_R3_LG logical group) and then generated the rules.

After that I performed risk analysis for one of the roles and it showed the violations accurately!

Does it mean that I need to maintain all physical systems individually? Then what is the use of having SAP_R3_LG logical group?

I have also this GRC system defined in the SAP_R3_LG logical group. If I perform risk analysis for one of the roles having violations for this system, it is showing correctly!

I think the rules available in SAP_R3_LG are not getting applied to "all" the physical systems.

Can you please advise how I can enforce this rules to be applicable to all the connectors defined in the SAP_R3_LG logical group?

Rhn

former_member204204
Active Participant
0 Kudos

Hi Rehan,

It's not required to upload the rule set for each physical system; if you are defining all your connectors under the logical group SAP_R3_LG then it's enough. Previously the Func_Action & Func_Permission files were missing from your rule book, that's why you were not getting any results.

Now if you try to run risk analysis for any connector under the same logical group, you must get the result.

Hope it helps.

Regards,

Neeraj

Former Member
0 Kudos

Neeraj,

Yes, it is not required to upload the rules for each physical system as I am using SAP_R3_LG logical group.

But as I said, I uploaded the rules for one of the systems defined in logical group for testing purpose. If I try to analyze the roles for this connector, I am getting appropriate violations report.

But if I try to analyze the roles belonging to other connectors (which are defined in the same logical group), the system is saying "No Violations".

I am not sure why system is NOT enforcing the rules defined for SAP_R3_LG logical group!

Can you please advise?

Rhn

former_member204204
Active Participant
0 Kudos

Rehan,

Please put some screen shots so that we can analyse your issue.

Regards,

Neeraj

Former Member
0 Kudos

Neeraj,

Below is the screen shot of SAP_R3_LG logical group. I have the physical systems defined.

For any one of these physical systems, analysis is showing "no violations"

Please advise.

Rhn

former_member204204
Active Participant
0 Kudos

Have you defined your connector group (SAP_R3_LG) to a connector type (SAP)? Check in the define connector group section.

Regards,

Neeraj

Former Member
0 Kudos

It is not defined. I will define it.

Should I also regenerate the rules again?

Rhn

Former Member
0 Kudos

Neeraj,

Now I have defined SAP_R3_LG logical group as "SAP" connector type and regenerated all the rules. Still it is showing no violations!

Below are the screens for your reference:

Can you please advise?

Regards,

Rhn

former_member204204
Active Participant
0 Kudos

Have you tried running with just permission level?

Also can you check if the table GRACACTRULE has entries in it.

Regards,

Neeraj

Message was edited by: Neeraj Agarwal

Former Member
0 Kudos

Neeraj,

I tried with permission only, still no luck.

In GRACACTRULE table, I can only find entries for SAP_R3_LG logical group. But there are no entries for any other physical systems except the one physical system I had uploaded the rules for (for testing purposes, and this is showing fine for this system).

Can you advise?

Rhn

former_member204204
Active Participant
0 Kudos

Check in GRACSYSRULE against all your connectors whether there are any entries, also check in SLG1 for any error logs.

Regards,

Neeraj

Former Member
0 Kudos

Neeraj,

I could see the entries for physical systems. Both for standard and custom risks.

I don't see any error in SLG1.

Rhn,

former_member204204
Active Participant
0 Kudos

Better you open a message for SAP.

Regards,

Neeraj

Former Member
0 Kudos

I will do it.

By the way, thanks for all your help and guidance!

Rhn,

Colleen
Advisor
0 Kudos

Hi Rehan

What support pack are you on? Sorry, I had been too busy to respond back to the thread, but I do recall there was an issue with risk analysis and logical systems. As you demonstrated that you can successfully run risk analysis for a physical system defined rule, possibly the following note may apply to your system?

955032 Rule generation issue with logical system groups

Fix is delivered in SP14 or 10.1 SP04

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

I remember seeing this note recently. But I did not pay attention because I am already on SP#14. Therefore, it seems that it is not applicable.

Still let me try implementing this note in my system and see what happens.

I will update you about this.

Former Member
0 Kudos

Dear Colleen,

As I told you earlier, I am already on SP#14 and this note is not implementable.

Rhn

Colleen
Advisor
0 Kudos

Hi Rehan

As Neeraj mentioned, opening an incident with SAP might be the best way if you've already ruled out integration framework, authorisations, sync jobs, rule set generation.

Regards

Colleen

Former Member
0 Kudos

Hi Rehan,

I'm also facing a similar issue. Did you get any solution? Please let me know.

Thanks in Advance for your help!!

Regards,

Vijei

Former Member
0 Kudos

Hi Rehan,

Please implement note 1966007 - Incorrect Rule Generation for Logical Groups

Let us know if it fixes the issue.

Thanks and Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh,

We have implemented the note 1966007 and the issue got resolved. Now we are able to get the correct risk violations results. Thanks for your support.

Regards,

Vijei

Former Member
0 Kudos

In addition to selection criteria, also please ensure that you have executed the programs GRAC_PFCG_AUTHORIZATION_SYNC and GRAC_REPOSITORY_OBJECT_SYNC in full sync mode at least once.

Former Member
0 Kudos

Vivek,

Yes, these jobs have been run several times.

Regards,

Rehan

Former Member
0 Kudos

Ok.. might be a silly question but the risk isn't mitigated for the roles, right? I mean, have you checked "Include mitigated risks" in the selection criteria option to see if that is showing the risk?

Also, is this happening for a particular role in question or none of the roles show risks despite having the same?

Former Member
0 Kudos

This role in question is not mitigated! Therefore, this option "Include Mitigated" risks is not included in the selection criteria.

I have noticed so far, this is happening with 2 roles.

Secondly, I have created a test risk with test functions. A role is created in the back end system and conflicting tcodes are added. This role is synchronized and then analyzed. Surprisingly, this is showing the correct result!

I am not sure why this sporadic behavior is being shown by the tool. This is quite confusing. If it has shown "No Violations" for all the roles, then it would have been easy to understand.

But as I explained above, this is happening with some roles and does not happen with some other roles.

Really not sure how to crack it.

Please advise.

Regards,

Rehan

Colleen
Advisor
0 Kudos

Hi Rehan

Did you run risk analysis for action or permission level? What was your selection criteria?

regards

Colleen

Former Member
0 Kudos

Hi Colleen,

I executed for both "Action" and "Permission" levels.