This document describes the difference between Online and Offline Risk Analysis in SAP GRC Access Control based on several SAP Notes.
In order to be able to run offline analysis at all, the configuration option “Enable Offline Risk Analysis” must be set to YES (Parameter 1027) in Access Control configuration settings in SPRO.
This configuration option is now selectable under Risk Analysis > Additional Criteria.
Offline analysis does not use real-time data; it depends on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as a background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). This is the same batch risk analysis that is run to update the management reports, and companies should run it frequently to ensure their management reports are accurate. Running the offline analysis is the same as drilling down via the Management View.
The benefit of using offline analysis is mostly in response time. With offline analysis, Risk Analysis and Remediation does not have to make as many calls into the connected systems, so the analysis returns much faster than online analysis. However, please keep in mind that offline analysis is not real-time and will not take into account any changes made since the last Batch Risk Analysis.
Using offline analysis, you can obtain both summary and detail reports. The one exception is that if you run Report types Critical Action or Critical Permission, you will not be able to see the detail report, only the summary report. Please note that this is only for Critical Action and Critical Permission. Report types of Permission level and Action level can go down to the detail level in offline mode.
Please keep in mind that the default settings used for the Batch Risk Analysis determine the data available for offline analysis. For example, in Configuration under Risk Analysis you have the option “Exclude Locked Users”. If this is set to YES, the batch risk analysis will not evaluate locked users, which means the tables holding the conflicts will not include any data for locked users.
When you run Risk Analysis, you have the option to change the Ignored Users field to something other than what is set up in the Configuration. However, if you change this to NOT ignore locked users and run in offline mode, you will not receive any conflicts for them because no locked users were evaluated during the batch risk analysis. Running this report in online mode may turn up conflicts with locked users.
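The two blind spots described above (changes made after the last batch run, and locked users the batch job skipped) can be reproduced with a small model. This is an added example, not SAP code: the rule IDs, users and class names are constructed, and the snapshot is a simplified stand-in for the conflict tables the batch job fills.

```python
from dataclasses import dataclass

# Constructed sample rules: risk ID -> pair of conflicting actions (not the SAP ruleset)
RISKS = {"RISK_A": ("FK01", "F110"), "RISK_B": ("ME21N", "MIGO")}

@dataclass
class User:
    name: str
    actions: set
    locked: bool = False

def analyze(users, exclude_locked):
    """Return {(user, risk)} for every evaluated user holding both actions of a risk."""
    return {(u.name, rid) for u in users
            if not (exclude_locked and u.locked)
            for rid, (a, b) in RISKS.items()
            if a in u.actions and b in u.actions}

class RiskAnalysis:
    def __init__(self, users, batch_exclude_locked):
        self.users = users                          # live state of the connected system
        self.batch_exclude_locked = batch_exclude_locked
        self.snapshot, self.skipped = set(), set()  # what the batch job stored / left out

    def run_batch(self):
        # The batch job applies the configured default, here "Exclude Locked Users"
        self.snapshot = analyze(self.users, self.batch_exclude_locked)
        self.skipped = {u.name for u in self.users
                        if u.locked and self.batch_exclude_locked}

    def online(self, exclude_locked):
        return analyze(self.users, exclude_locked)

    def offline(self, exclude_locked):
        # Offline can only filter the stored snapshot; it cannot add users the batch skipped
        hide = {u.name for u in self.users if u.locked} if exclude_locked else set()
        return {(n, r) for n, r in self.snapshot if n not in hide}

    def explain_gap(self, exclude_locked=False):
        """Classify violations that online analysis reports but offline analysis misses."""
        missing = self.online(exclude_locked) - self.offline(exclude_locked)
        return {v: ("locked user skipped by batch" if v[0] in self.skipped
                    else "changed since last batch") for v in missing}

def demo():
    users = [User("ALICE", {"FK01", "F110"}),
             User("BOB", {"ME21N", "MIGO"}, locked=True),
             User("CAROL", {"FK01"})]
    ra = RiskAnalysis(users, batch_exclude_locked=True)
    ra.run_batch()
    users[2].actions.add("F110")   # access granted after the batch run
    return ra
```

Calling `demo().explain_gap()` lists the violations an offline report would miss and the reason for each, which is the comparison to make before relying on offline results for a review.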
Impacts on Workflows
The following listing shows the impact on each workflow that uses data from the risk analysis.
Segregation of Duty (SoD) Review
The system uses Offline Risk Analysis data to update management graphics and to generate SoD Review workflow requests. When the system detects SoD violations, it automatically sends reports to managers so that they can take actions to either remove user access or to mitigate the SoD risks.
User Access Review
The system uses Offline Risk Analysis data to update and generate UAR Review workflow requests.
Access Request Submission
The application automatically performs an online risk analysis when the requestor submits the request. This behaviour can be configured in parameter 1071 (Enable risk analysis on form submission). Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens. SoD violations for access requests are stored in table GRACSODREPDATA.
Role Approval Workflow
In Business Role Management (BRM), some customers may have a business requirement that once a role is sent for approval to the Role Approval workflow, the role owner(s) must re-run the risk analysis and mitigate a risk before approval. The risk analysis has to be performed during the Analyze Access Risk methodology step and is always performed as Online Risk Analysis.
Impact on Reports
The following listing shows the impact on reports that use data from the risk analysis.
Risk Analysis in Access Management
The risk analysis results in Access Management, like User Level, Role Level, Profile Level or HR Objects, are based on real-time risk analysis. Simulation also uses real-time risk analysis data.
Risk Analysis in Reports and Analytics
The risk analysis in the Reports and Analytics tab is always offline analysis, so the Batch Risk Analysis must have been run to populate the violations data.
Looking forward to your input and contribution in this document.