Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Re: Virsa Compliance Calibrator & Pre-defined SOD Rule Set

Former Member
0 Kudos

Hi All,

We have installed the Virsa Compliance calibrator 5.1 in our sandbox environment. When we goto the "Rule Architect" tab under Compliance calibrator using tcode /virsa/zvrat it brings up the page with Rules information.

Per the Virsa documents that i read they have mentioned that there are pre-defined SOD Rules (Transaction codes and Tcode objects) that we can use in the Rule Architect.

My question is how do i enable and use those pre-set SOD Rules that Virsa provides by default. I do not see them under the Rule architect tab though. Can someone give some pointers to use these pre-set SOD rules.

Thanks & Regards

-Murali

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Murali,

Agree, it's a tricky issue, because new Compliance Calibrator ... doesn't come with any rules !!!

You need to request them from SAP and then import into your CC to make it work. I can confirm that we are running CC 5.1 without any issues now.

Please, award the points if it answers your question.

Best regards,

Laziz

18 REPLIES 18

Former Member
0 Kudos

Hi Murali,

Agree, it's a tricky issue, because new Compliance Calibrator ... doesn't come with any rules !!!

You need to request them from SAP and then import into your CC to make it work. I can confirm that we are running CC 5.1 without any issues now.

Please, award the points if it answers your question.

Best regards,

Laziz

0 Kudos

Hi Laziz,

Thanks for your helpful reply. Can your detail me the procedures you followed how you requested the Virsa rules from SAP. Also, will SAP send us these rules only if we buy the license for this product? Do you have any contacts or the emailID to send any Virsa related queries like this to SAP.

Thanks

-Murali

0 Kudos

Hi Murali,

The procedure was quite simple: we raised new OSS ticket via Service Marketplace and then got prompt response from SAP GRC support team. Specify "GRC-SCC" as your application area in your request.

And, yes, SAP will probably provide you with CC rule set only if bought required licenses.

Hope this answers your questions.

Best regards,

Laziz

0 Kudos

Hi Laziz,

Thanks for your suggestion. We got the Rules from SAP. However, we are now stuck up with an Technical issue. I've uploaded the rules at the Java front end. but somehow after pushing the rules it doesn't reflect on the backend (ABAP) side and so results in not showing up no reports for Risk analysis based on uploaded rule set.

Also, point to mention here is, on the Compliance Calibrator "Configuration" tab if we goto Configuration->Backend Sync->Rule Sync we see a bug here. Basically on the "system rule set" list box it lists my destination system name (R3D in our case) and the "Destination System" list box is empty and does not list my destination system in our case it's R3D.

I am not sure if anyone faced the similar situation as mentioned above where in wrong entries appear on the Rule Sync configuration for "System rule set" & "Destination System". Any pointers or help to sync the front-end rule set (java )and back-end ABAP would be appreciated.

Also, pls note here that we have configured the right connectors that is JCO connectors with Adaptive RFC as we are using RTA(Real time agents) for compliance calibrator.

Thanks

-Murali

0 Kudos

Hi Murali,

As you use 5.1 Analysis Engine on the J2EE server and RTA on your backend server, there is no need to push rule set back to ABAP stack. Analysis of roles and users has to be done on your J2EE server, where you'll keep your rule set.

Yes, "Rule Synchronisation" doesn't work by default. There is a very tricky workaround solution, but in reality I don't think that you'll ever have a need to transfer anything back to your backend. The main idea is to extract user / roles data from backend, analyse everything in your J2EE server and then provide your AUTH team with access to the reports via Web interface.

Hope it answers your question and I can finally get my points

Best regards,

Laziz

0 Kudos

Hi Laziz,

I see your point here. However, whats strange is like i mentioned below wrong entries appear on the Rule Sync-> System rule set, Destination system. Is this is code bug?? how can i rectify this??

Also, when i run risk analysis at User level somehow the front end does not see any user's existing at the back-end (ABAP) eventhough user's do exist at back-end. When i search for a particular userID at front end it does not return any users though that user exists in back-end. I am not sure why the front end is not fetching some data from the back-end. I am really confused and tried to search for any SAP notes..so now we are at a point where we have uploaded the pre-defined Virsa rules succesfully but not able to run any analysis as the front end is not seeing the data stored in the back-end to run those rules on.

Thanks for all your answers here and i will surely award the points if we are able to solve this issue.

Thanks

-Murali

0 Kudos

Hi Murali,

Yes, there is a bug with pushing Rules back to SAP systems. When you select JCo specific to RTA, it always shows empty list in the Destination folder. But as I mentioned above, it's not important and you can ignore it (as well as few other options which were put in 5.1, but started to work only in 5.2 )....

I guess I know why you don't get any data. Don't worry - it's because some data is not in your Java server yet:

- in Configuration -> Rule Upload section click "Generate Rule";

- now open Configuration -> Bakground Job -> Schedule Analysis, then click Full Sync, tick User Synchronisation and press Schedule button. If the link is properly setup in JCo all users will be uploaded into Java database within next few hours;

- you may click then Informer -> Security Reports -> Users to check if correct data was uploaded;

- the last step will be to go back to Job Scheduler again and select Full Sync for the "User Analysis" with selected "Management Reports". Depending on the number of users and SoD conflicts in your system it may take few days to complete this part of processing.

After successful completion of user analysis you should be able to get your first nice pictures in Informer section of your CC Web site.

Good luck,

Laziz

0 Kudos

Hi Laziz,

Thanks for your patience in replying to my CC 5.1 queries. I did follow your steps for the Generate Rule & Background Job-> Schedule Analysis and scheduled the job immediate.

However, when i looked up the status of the scheduled analysis Background Job-> Search pulls up the job i scheduled at the top it reads "Job scheduler Status: unknown error" . I clicked on "View Log" button and it shows some messages as shown below (Note: I am just posting some parts of the error msgs below. but it still goes for 1 page...)

May 16, 2007 1:09:07 PM com.virsa.cc.xsys.bg.BgJobDaemon init

INFO: *** BgJobDaemon loaded

May 16, 2007 1:11:09 PM com.virsa.cc.common.util.ConfigUtil setDefaultJ2EEParam

WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB

java.lang.NullPointerException

at com.virsa.cc.common.util.ConfigUtil.setDefaultJ2EEParam(ConfigUtil.java:203)

at com.virsa.cc.common.util.ConfigUtil.getBgJobStartURL(ConfigUtil.java:192)

at com.virsa.cc.xsys.bg.AnalysisDaemonThread.run(AnalysisDaemonThread.java:45)

at java.lang.Thread.run(Thread.java:534)

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.ReportPack50SP1_01 class: com/virsa/cc/extreport/ReportPack50SP1_01/ReportPack50SP1_01.class

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: Jar Entry length=1568 compressed size=1568 actual read=1568

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtActbyRsk_Act_RskLvl class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtActbyRsk_Act_RskLvl.class

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: Jar Entry length=13210 compressed size=13210 actual read=13210

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtRolbyRsk class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtRolbyRsk.class

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: Jar Entry length=19287 compressed size=19287 actual read=19287

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtProfbyRsk class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtProfbyRsk.class

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: Jar Entry length=12807 compressed size=12807 actual read=12807

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.UsersbyOrgLevels class: com/virsa/cc/extreport/ReportPack50SP1_01/UsersbyOrgLevels.class

May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData

FINEST: Jar Entry length=18557 compressed size=18557 actual read=18557

May 16, 2007 1:24:59 PM com.virsa.cc.common.util.ConfigUtil setDefaultJ2EEParam

WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB

java.lang.NullPointerException

I am not sure whats causing this and it's been 2hrs since i scheduled the user analysis but i don't see any data still appearing in the fron-end..Any pointers again???

Thanks

-Murali

0 Kudos

Hi Murali,

It's another issue specific to CC 5.1.

Please, insert required entries into virsa_cc_config table as per SAP Note # 999785.

Best regards,

Laziz

0 Kudos

Laziz,

Thanks for your help last week in scheduling User Sync background jon on CC 5.1.This week there seems to be strange problem again with scheduling full Role Synchronization using Configuration->background Job-> Schedule Analysis and i chose full sync and checked Role sync.

I also verified the SAP note regarding background Daemon that you had mentioned last week. When i view the Background job error log i see some entries like this

"INFO: Daemon idle time longer than RFC time out, terminating daemon 4"

Any pointers or help on this will be rewarded again..

Thanks

0 Kudos

Hi Murali,

It's a normal for CC on Java stack, as it resets daemons from time to time to ensure that none of them hung. Its configuration is managed via Configuration -> Miscellaneous -> Frequency of Background Job Daemon in Seconds and Configuration -> Risk Analysis -> Performance Tuning -> RFC time out for Web Services / Background Job Worker Threads (Minutes).

You may increase the latter one, but as you can see from log file, CC indicates that the logged details are for "INFO" purposes only.

As long as your scheduled job show "Running" or "Complete" status, CC engine is Ok. You'll have to check your log for details, if any sscheduled job will end up with "Error" status.

Best regards,

Laziz

0 Kudos

Hi Laziz,

This is really weird. I tried to schedule Background job for User analysis that ran succesfully last week but this week none of the background job analysis work fine. I also followed the steps from your previous post.

Here are some useful msgs from the error log

FINEST: --- @@@@@@@@@@@ Updating the Job History -


2@@Msg is Error while executing the Job:Interface Controller does not exist for Component Instance VirsaXSR3_01 in Component Usage VirsaXSR3_01

Any pointers about Interface controller?? anything i need to check or configure??

-Thanks

0 Kudos

Hi Murali,

Please, check JCO connection indicated in error log. You need to ensure that both Model and Metadata links are Ok.

Best regards,

Laziz

0 Kudos

Hi Laziz,

Thanks for your pointers.The CC 5.1 is tricky and strange again. Per your suggestion fixed the Jco and was able to run all backgrounds job analysis and pull up reports. But after all this when we changed the Jco metadata and model links as written below things changed again.

One of our Netweaver admin changed the Jco to use the default metadata and model links VIRSAHR_01_METADATA, VIRSAHR_01_MODEL. After this change when i goto Informer->Risk Analysis->User Level and run the user level report i get the error msg shown below. I double checked the Jco connections and it seems to be fine. Any pointers on this?? Also my question here is should we use the default metadata & model links for Jco or should we copy from the default links and create new metadata and model links as our Jco connections?

Error Message as shown below:

VIRSAHR_01: Cannot execute BAPI UserList: failed to create or init instance of model 'com.virsa.cc.modelvirsahr_01.BAPI_VIRSAHR_01' in scope APPLICATION_SCOPE with instanceId 'null': failed to create instance of model 'com.virsa.cc.modelvirsahr_01.BAPI_VIRSAHR_01': no jcoMetadata found for RFC function '/VIRSA/SEARCH_DATA'! Please verify, that your model is consistent with the ABAP backend: 'R3D'.

-Murali

0 Kudos

Laziz,

Please don't bother abt this question. We figured it out. There was a patch that rectified this Risk Analysis at User Level.

Former Member
0 Kudos

Hi Murali,

it might also be that if you are looking in the ABAP side - while the SOD Rules import files for CC5.1 are the txt files which you'll load into the Java front end.

They'll only appear in the ABAP side when you push them through there.

cheers

Paul

Former Member
0 Kudos

Hi Laziz,

We are having some issues with creating Mitigation control.

When i goto the tab Mitigation->Mitigation Controls Create that lets me associate risks that requires assignment of monitors in the "Monitors" tab i get a error saying monitor missing.

Inspite of creating a monitor user through tab Mitigation->Administrators->Create and assigning "All Administrator roles" to it i do not see this ID to automatically show up in "Monitor ID" column under Monitors tab. Is this again a bug?? Is there a patch or sap note for this?? Any pointers will be appreciated...

Thanks

-Murali

0 Kudos

Hi Murali,

Please, open new thread, as we may need it to discuss mitigations (which is a separate subject)

Best regards,

Laziz