SAP Access Control 10.0 Alerting
SAP GRC Access Control supports real-time compliance around the clock and prevents security and control violations before they occur. After implementation and deployment of the risk analysis and remediation software, businesses can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise.
Some considerations regarding alert functionality:
Alerts could be used as soon as a user executes a specific conflict within the system:
- to check if a user executes an SoD conflict or a critical transaction
- to check if the reports defined in the mitigating controls were executed on time
Points to consider when using alerts:
- no detailed authority check, only on transaction level
- no time-dependend aspects considered (e.g. order goods on day 1 and create goods received on day 2 for a separate order will create an alert as well)
My suggestion is to use the alert functionality wisely.
How to use Alerting within SAP GRC?
Run the program GRAC_ALERT_GENERATION to create alerts. Make sure that the action usage sync job run before (GRAC_ACT_USAGE_SYNC) so that all executed actions are captured from the backend system.
There is the possibility to send email notifications to risk owner to be informed when a SOD violation occurs.
NWBC Report
Alert reports can be displayed or cleared in the frontend. Go to NBCW workcenter “Access Management” and open “Conflicting and Critial Access Alerts” in section “Alerts”.
You have the possibility to clear an alert or delete an action.
- Clear Alert – removes all parts of an alert. User has to execute all sides for the alert to reappear. This tasks requires a comment to be entered.
- Delete Action – removes 1 action of an alert. User has to execute the deleted action for the alert to reappear.
If you need more information about the possibilities of alerting with SAP GRC do not hesitate to contact me directly by leaving a comment or sending an email.
Hi, in the alert report found action usage for call transaction into program
This is incorrect because the action monitorin not are in risk analysis user
Example Trsnacction ML84 Report use ML81N for viiew data
How configure exception ?
Dear Jaime,
as mentioned in my post
this has to be considered. Alerting is based on action usage and only on transaction level. If you have further transactions which are called by another you have to consider them as risk as well.
Does this answer your question?
Regards
Alessandro
Hi Alessandro,
I followed the below steps and still no luck. am I missing something ?
1. create a critical action risk and assign a risk owner.
2. run GRAC_ACT_USAGE_SYNC
3. run GRAC_ALERT_GENERATION
4. execute the critical tcode
5. execute the report under - NBCW workcenter "Access Management" and open "Conflicting and Critial Access Alerts" in section "Alerts". check for the alert ? - didnt see anything
6. check for work inbox message ?
- didnt see anything
Dear Urs,
I am really sorry for my late replay but didn't see your message.
To get alerts generated it is also necessary that all rules are generated. Alerts are populated based on the risk analysis performed on those rules.
As I am not sure what's your SP level you have to check the sap notes as well. There are a few considering that issue.
Let me know if the issue still exists and the SP level of your system.
Regards,
Alessandro
Hi Alessandro,
Do you know if there is a way to massively clear or delete generated alerts?
Regards,
Franklyn
Dear Franklyn,
did you try to Select All and click "Clear Alerts"?
Regards,
Alessandro
Hi Alessandro,
Yes I tried it but unfortunately it won't let met select all alerts, I can only select one by one.
Franklyn
Hi,
You mentioned that the check is only at transaction level.
Can you clairfy how this works? To me it appears that the BRA data is used to map the execution count to a risk that is stored in the BRA tables. As such that would tell me the result is taking inot account the auth checks, otherwise user would not be in BRA tables.
I guess what you don't know is whether the user actually performed an action with the transaction or just ran the transaction and exited. Could give some internal control people some headaches if this were the case.
Thanks
Peter
Hi Alessandro,
Is it possible to trigger an alert to be generated in GRC for an open risk assigned to users in the system ?
Thanks
Maz
Hi Alessandro,
I have configured a critical access alert, and it is showing in my NWBC report. However, a notification is not being sent to the risk owner. I see not outbound messages in SOST for this alert. Do you have a solution?
Thanks,
Ken
Hi Alessandro,
We want to setup alerts whenever users get provisioned roles that will potentially trigger Critical risks.
Please can you guide me on how to go about setting it up? I created a test risk, assigned risk owner, generated the risk id, scheduled background job for GRAC_ACT_USAGE_SYNC for that system, ran GRAC_ALERT_GENERATION for that risk id.
But dont see anything yet. Now is the alert supposed to go to the risk owner as an email as soon as the role is assigned ? Not sure how this works.Or is it triggered when the background job is triggered for the ACT_USAGE job?
Please advise
Thank you.
Regards,
Kiran
Hi Alessandro,
I was able to see the alert in the alerts tab but I think I am trying to figure out how to send email to the risk owner.
Please advise.
Kiran
Hello Alessandro,
I'm setting an alert issued by email when a user runs the OB52 transaction, this transaction associate it with a critical risk. The jjb I have scheduled to run every 5 minutes, but this is not causing me alert. Please your help orienting. Thank you.
Regards. Freddy
Hello Alessandro...
We are not using MSMP For mitigation assignment..
Can you please tell me from where we can modify the email going to owners..is it ABAP coding..or some notification in Se61 tcode
Regards
Praveen
Hello Alessandro,
Thanks for the excellent quick review of the functionality.
I think that the transaction code is not GRAC_ALERT_GENERATION but GRAC_ALERT_GENERATE though.
Regards, Andreas
Hello Alessandro,
I have a question on NWBC>Access Management>Access Alert>Mitigating Controls
We have created mitigating control and assign mitigating approver and mitigation monitor and in the report tab we have given SE16 /System:ECC/ Monitor:XYZ, and in Frequency we put 1 day. And we mitigated Users with this control.And GRAC_ACT_USAGE_SYNC and GRAC_ALERT_GENERATE job schedule on daily basis. Everything is working as expected like whenever any user execute the risk from this control our mitigation approver receive an email Mitigation Control Alert Notification saying
System :ECC
User ID : XXX (Monitor)
Control ID : (MTL_XXX)
Transaction :SE16
Our Mitigation Approver receive this email because of Monitor of the control did not execute his report i.e SE16 in given days frequency 1 day.
Next day Mitigation monitor Executed SE16 and Clear alerts from GRC.
but Mitigation Approver keep receiving Mitigation Control Alert Notification saying
System :ECC
User ID : XXX (Monitor)
Control ID : (MTL_XXX)
Transaction :SE16.
one more question is In which condition it should send the Mitigation Control Alert Notification to mitigation Approver and in which case it should not send Mitigation Control Alert Notification to Mitigation Approver
Thanks
Hi Alessandro,
is there any possibility to raise an alert when Profile SAP_ALL is beeing granted to any user ?
Regards
Max
Hi Alessandro,
We are trying to schedule recurring job for alert program to send out alerts. I am trying to understand if GRAC_ALERT_GENERATION program only generate for the actions updated from last execution or does it generate alerts again; which are already in previous executions?
FYI, we are trying to clear old alerts before running the new job. Idea is to have alert program consider data from GRACACTUSAGE from last one month only to generate alerts.
Regards,
Giridhar.
HI Alessandro
I have a question regarding the message format error for the document GRAC_SOD_ALERT_NOTIFICATION -> SE61.
The notification template looks good in the system but when the approver recieves the notification message the format does not look right, the content is zig zag. not in a proper format.
What could be the issue? I'm thinking this has something to do with the code for "%VARIABLE%" which is part of the template. Each time a violation occurs I would like to narrow it down to the particular risk and the user who violated the risk. Basically, how do I change the contents of the %VARIABLE%.
Any thoughts will be of great help.
Thanks,