Skip to Content
author's profile photo Former Member
0
Former Member

GRC AC ARA Role Simulation doesn't work

Posted on Jun 27, 2016 at 01:47 PM 533 Views

Hi GRC folks,

I am creating roles with separation of duties risk violations for testing. I am approaching this by first going to the Global Rule Set, selecting high risks (for example H001) and then from the functions listed (HR03 & PY04), adding T-codes from them to a role. I have tried this using Role Level Simulation within Access Maintenance to avoid having to execute a background update of the Access Control Repository. When I execute a simulation the results indicate no risks. But when I add the risks to the role in the development system, the risks show up in the report. I came to the conclusion that only the simulation part is not working here.


I have generated the rule sets multiple times and the Access risk analysis works great. Just the simulation is the issue here. I have checked other posts and did the initial problem solving but there are no results.


Could someone help me get the simulation to start working. GRC version is 10.0. Our ECC is the development environment and GRC is not connected to a prod environment yet.


Thanks!

Apoorva

SimulationRoleChangeResultingInNoRisks.jpg (629.1 kB)
Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

4 Answers

  • Best Answer
    author's profile photo Ken Golden
    Ken Golden
    Posted on Jun 27, 2016 at 07:23 PM
    2

    Hi Apoorva,

    My initial thought is that you are simulating the addition of tcodes from the system "GRC Testing" when you should be adding tcodes for the simulation from the ECC system. You should also remove the report criteria Type = Action Level, and only have Permission Level selected, although the Action Level should still return results (even thought they are likely false positives as they do not check for the authorization object level permissions).

    Let me know if this helps, and if not I can continue to think on it.

    -Ken

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Ken Golden
      Jun 27, 2016 at 09:15 PM

      Hi Ken,

      Yes, it doesn't show anything for the SAP_ALL role as well. It says no violations. I checked the parameters, nothing indicates any restrictions for simulation. Tried all the combinations for the filters and criteria.

      Do you have any ideas on parameters

      Regards,

      Apoorva

    Comment on This Answer
  • author's profile photo Yashasvi Sanvaliya
    Yashasvi Sanvaliya
    Posted on Jun 28, 2016 at 07:11 AM
    1

    Hello Apoorva,

    Can you please try executing it with SAP_ALL and with "Risks from Simulation only" ?

    And, please check if the simulation working for user level?

    I believe the ad-hoc risk analysis is working fine for the same connector, correct?

    Kind regards,

    Yashasvi

    Add a comment
    10|10000 characters needed characters exceeded

    • Ken Golden Former Member
      Jun 28, 2016 at 02:44 PM

      Are you trying to add SAP_ALL as "Role", because this should be added as a "Profile" in the simulation.

      When you uploaded or generated the ruleset, are you leveraging Logical Groups? What is your Logical Group configuration in SPRO? Is your system included in the logical groups?

      Check table GRACACTRULE in SE16 of GRC and check which connector the rules have been generated for. For example, I have my rules uploaded and generated for Logical Groups SAP_BAS_LG (containing the IT/Basis rules), and for SAP_NHR_LG (containing my ECC rules). Then, in my connector configuration I have my ECC system mapped to both of these logical groups.

    Comment on This Answer
  • author's profile photo Former Member
    Former Member
    Posted on Jun 28, 2016 at 12:25 PM
    0

    Hi Approva,

    Please generate the ruleset before you run the simulation. Then you can get the violations if any.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Rakesh Ram
    Rakesh Ram
    Posted on Jun 29, 2016 at 01:57 AM
    0

    Hello Apoorva,


    Treating that you have activated BC sets and also regenerated all the rules, please verify the following.

    • Are you selecting the correct system?


    • Did you run the synch. jobs properly? are they running successfully or not?


    • It seems you have typed the actions. Rather go to selection and from there select the actions like this. It should solve the issue for you. If Not, atleast type the actions in CAPS.



    Let me know if you need further details.



    Regards,

    Rakesh Ram


    2016-06-29_07-23-43.png (4.9 kB)
    2016-06-29_07-24-39.png (8.3 kB)
    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.