10-05-2012 4:01 PM
Hi all,
If I make an analysis in our prod. system and in access control about the users and their critical SoD conflicts, I get a different number of users in both systems. Curiously, I get users in the AC analysis which have no SoD conflicts in the prod. system, and conversely I don't get users in AC who do have an SoD conflict in the prod. system.
Could it be that there is a difference in the actual data?
Maybe there is a sync job missing?
These are the jobs which run every night:
GRAC_ROLEREP_PROFILE_SYNC
GRAC_ROLEREP_ROLE_SYNC
GRAC_ROLEREP_USER_SYNC
GRAC_BATCH_RISK_ANALYSIS
GRAC_ROLE_USAGE_SYNC
GRAC_GENERATE_RULES
GRAC_PFCG_AUTHORIZATION_SYNC
GRAC_REPOSITORY_OBJECT_SYNC
Is it the right sequence?
Thanks for your help.
Thorsten
10-05-2012 4:18 PM
Thorsten:
I would be interested in knowing how you are analyzing the prod system for conflicts if you are not using GRC AC.
As for the jobs:
GRAC_REPOSITORY_OBJECT_SYNC - this job will execute the following 3 in the correct order. I usually recommend this be incrementally done every hour.
GRAC_ROLEREP_PROFILE_SYNC
GRAC_ROLEREP_ROLE_SYNC
GRAC_ROLEREP_USER_SYNC
GRAC_BATCH_RISK_ANALYSIS - Incrementally every day
GRAC_ACTION_USAGE_SYNC - this must be done before Role Usage. Recommend every day.
GRAC_ROLE_USAGE_SYNC
GRAC_GENERATE_RULES - this only needs to be done if rules have changed
GRAC_PFCG_AUTHORIZATION_SYNC - this only needs to be done if new auth objects or SU24 updates have been performed. Recommend ad hoc when changes have been made/transported and monthly just for maintenance purposes.
Thanks,
Kevin Tucholke
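An added example, not part of the original thread and not SAP code: a small checker that applies the ordering rules stated in the reply above to a scheduled job sequence. The job names and rules are taken from the thread; `check_schedule()` and its finding codes are hypothetical, and the sample input is the nightly sequence from the question.

```python
# Added example. Job names and constraints are transcribed from the thread;
# check_schedule() and the finding codes are hypothetical, not an SAP tool.
GROUP = "GRAC_REPOSITORY_OBJECT_SYNC"
MEMBERS = ["GRAC_ROLEREP_PROFILE_SYNC", "GRAC_ROLEREP_ROLE_SYNC",
           "GRAC_ROLEREP_USER_SYNC"]          # order given in the reply
PREREQ = {"GRAC_ROLE_USAGE_SYNC": "GRAC_ACTION_USAGE_SYNC"}
ON_CHANGE_ONLY = {
    "GRAC_GENERATE_RULES": "only needed if rules have changed",
    "GRAC_PFCG_AUTHORIZATION_SYNC": "only needed after new auth objects or SU24 updates",
}

def check_schedule(jobs):
    """Return (code, job, detail) findings for an ordered list of job names."""
    first = {}
    for i, name in enumerate(jobs):
        first.setdefault(name, i)             # position of first occurrence
    findings = []
    scheduled = [m for m in MEMBERS if m in first]
    if GROUP in first:
        # The umbrella job already runs the three repository syncs itself.
        for m in scheduled:
            findings.append(("REDUNDANT", m, f"already executed by {GROUP}"))
    else:
        for m in MEMBERS:
            if m not in first:
                findings.append(("MISSING", m, f"not scheduled and {GROUP} absent"))
        if sorted(scheduled, key=first.get) != scheduled:
            findings.append(("ORDER", GROUP, "expected " + " -> ".join(MEMBERS)))
    for job, prereq in PREREQ.items():
        if job not in first:
            continue
        if prereq not in first:
            findings.append(("MISSING", prereq, f"must run before {job}"))
        elif first[prereq] > first[job]:
            findings.append(("ORDER", prereq, f"must run before {job}"))
    for job, why in ON_CHANGE_ONLY.items():
        if job in first:
            findings.append(("REVIEW", job, why))
    return findings

# Constructed input: the nightly sequence from the question, in the order posted.
NIGHTLY = ["GRAC_ROLEREP_PROFILE_SYNC", "GRAC_ROLEREP_ROLE_SYNC",
           "GRAC_ROLEREP_USER_SYNC", "GRAC_BATCH_RISK_ANALYSIS",
           "GRAC_ROLE_USAGE_SYNC", "GRAC_GENERATE_RULES",
           "GRAC_PFCG_AUTHORIZATION_SYNC", "GRAC_REPOSITORY_OBJECT_SYNC"]

if __name__ == "__main__":
    for code, job, detail in check_schedule(NIGHTLY):
        print(f"{code:9} {job}: {detail}")
```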