Online vs. Offline Risk Analysis
This document describes the difference between Online and Offline Risk Analysis in SAP GRC Access Control based on several SAP Notes.
In order to be able to run offline analysis at all, the configuration option “Enable Offline Risk Analysis” must be set to YES (Parameter 1027) in Access Control configuration settings in SPRO.
The option is then selectable under Risk Analysis > Additional Criteria.
Offline analysis does not use real-time data; its results reflect the state as of the last Batch Risk Analysis. The Batch Risk Analysis is run as a background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). This is the same batch risk analysis that is run to update the management reports, and companies should be running it on a frequent basis to ensure their management reports are accurate. Running the Offline analysis is the same as drilling down via the Management View.
The benefit of using offline analysis is mostly in response time. By using offline analysis, Risk Analysis and Remediation does not have to make as many calls into the connected systems, so the analysis will return much faster than online analysis. However, please keep in mind that offline analysis is not real-time and will not take into account any changes made since the last Batch Risk Analysis.
Using offline analysis, you can obtain both summary and detail reports. The one exception is that if you run Report types Critical Action or Critical Permission, you will not be able to see the detail report, only the summary report. Please note that this is only for Critical Action and Critical Permission. Report types of Permission level and Action level can go down to the detail level in offline mode.
Please keep in mind that the default settings of the Batch Risk Analysis determine the data that is available for offline analysis. For example, in Configuration under Risk Analysis you have the option “Exclude Locked Users”. If this is set to YES, the batch risk analysis will not evaluate locked users, which means the tables holding the conflicts will not include any data for locked users.
When you run Risk Analysis, you have the option to change Ignored Users field to something other than what is set up in the Configuration. However, if you change this to NOT ignore locked users and run in offline mode, you will not receive any conflicts because no locked users were evaluated during the batch risk analysis. Running this report in online mode may turn up conflicts with locked users.
Impacts on Workflows
The following listing shows the impact on each workflow which uses data from the risk analysis.
Segregation of Duty (SoD) Review
The system uses Offline Risk Analysis data to update management graphics and to generate SoD Review workflow requests. When the system detects SoD violations, it automatically sends reports to managers so that they can take actions to either remove user access or to mitigate the SoD risks.
User Access Review
The system uses Offline Risk Analysis data to update and generate UAR Review workflow requests.
Access Request Submission
The application automatically performs an online risk analysis when the requestor submits the request. This behaviour can be configured in parameter 1071 (Enable risk analysis on form submission). Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens. SoD violations for access requests are stored in table GRACSODREPDATA.
Role Approval Workflow
In Business Role Management (BRM), some customers may have a business requirement that once a role is sent for approval to Role Approval workflow, the role owner(s) must re-run the risk analysis and mitigate a risk before approval. The risk analysis has to be performed during Analyze Access Risk methodology step and is always performed as Online Risk Analysis.
Impact on Reports
The following listing shows the impact on reports which use data from the risk analysis.
Risk Analysis in Access Management
The risk analysis results in Access Management, like User Level, Role Level, Profile Level or HR Objects, are based on real-time risk analysis. Also simulation uses real-time risk analysis data.
Risk Analysis in Reports and Analytics
The risk analysis in Reports and Analytics tab is always offline analysis and hence you should have run the Batch Risk Analysis to populate the violations data.
Looking forward to your input and contribution in this document.
Regards,
Alessandro
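The two offline blind spots described in the document (changes made after the last batch run, and locked users skipped by the batch default) can be shown with a small model. This is an added example, not SAP code or part of the original document; the risk ID, action names, user names and dates are constructed, and the functions only mimic the behaviour described above.

```python
from dataclasses import dataclass
from datetime import datetime

RISKS = {"R-DEMO-01": ("CREATE_VENDOR", "PAY_VENDOR")}  # constructed: both = conflict

@dataclass
class User:
    name: str
    actions: set
    locked: bool = False
    changed_at: datetime = datetime.min

def analyze(users, ignore_locked):
    """Online-style analysis: evaluates the current state of every user."""
    return {(u.name, risk)
            for u in users if not (ignore_locked and u.locked)
            for risk, (a, b) in RISKS.items()
            if a in u.actions and b in u.actions}

def run_batch(users, exclude_locked):
    """Batch run: stores conflicts as of run time, honouring the configured default."""
    return analyze(users, ignore_locked=exclude_locked)

def offline(stored, users, ignore_locked):
    """Offline analysis: filters stored conflicts only, never re-evaluates users."""
    locked = {u.name for u in users if u.locked}
    return {(n, r) for n, r in stored if not (ignore_locked and n in locked)}

def blind_spots(users, batch_time, batch_excluded_locked):
    """Users whose offline result cannot be trusted, with the reason."""
    out = {}
    for u in users:
        if u.changed_at > batch_time:
            out[u.name] = "changed after last batch run"
        elif u.locked and batch_excluded_locked:
            out[u.name] = "locked user skipped by batch"
    return out

def demo():
    before, batch_time = datetime(2024, 1, 9, 12), datetime(2024, 1, 10, 2)
    users = [User("ALICE", {"CREATE_VENDOR", "PAY_VENDOR"}, changed_at=before),
             User("BOB", {"CREATE_VENDOR", "PAY_VENDOR"}, True, before),
             User("CAROL", {"CREATE_VENDOR"}, changed_at=before)]
    stored = run_batch(users, exclude_locked=True)   # batch skips locked BOB
    users[2].actions.add("PAY_VENDOR")               # CAROL changes after the batch
    users[2].changed_at = datetime(2024, 1, 10, 9)
    return (offline(stored, users, ignore_locked=False),
            analyze(users, ignore_locked=False),
            blind_spots(users, batch_time, batch_excluded_locked=True))
```

Calling `demo()` returns the offline result, the online result and the list of users for whom an online run is needed before relying on the offline report.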
Hey Alessandro
Another 5 star!
Would it be worth a paragraph on workflow impacts? For example, SoD review using offline, risk analysis on submission of access request, etc. Or do you think this should be another topic?
Regards
Colleen
Hi Colleen,
we can add it here so that we have one document for all. Do you know how it works in workflows?
Regards,
Alessandro
SoD Review WF needs offline risk analysis to run first as it's based on that. I assume UAR is the same.
I can't remember off the top of my head for user access request workflow on submission (set by the configuration parameter). I think request and approval screens the user would be running online or have the choice as the risk analysis webdynpro is embedded. Role workflow approval will be similar to access request (it's a step in the methodology to run risk analysis but can't remember approval screens).
Regards
Colleen
Hi Colleen,
I have to google to make sure we provide the correct information. But just from my feeling I assume that request submission uses online risk analysis as the authorization is going to change. Means even the offline risk analysis run yesterday night I can see upcoming risks in the first approver screen. Hence it must run online.
Role approval I assume it is similar as it is always a new situation due to a change and therefore an online analysis is necessary.
Do you agree?
Regards,
Alessandro
Hi Alessandro
That's my thoughts but I'm not currently using the functionality to test it out. I think you've taken the right approach to see what others have to say.
Starting to wonder though if this may benefit more as a WIKI? But then we'll be stuck back at issue of not having permissions to edit.
Regards
Colleen
Fully agree - let's see what the other experts say.
ps. I will transfer to the Wiki as soon as the authorization issue is fixed. Still waiting for Fernando.
Regards,
Alessandro
Hi Colleen,
have added some comments on the impact of each workflow. Appreciate your feedback if you have some update/correction.
Best regards,
Alessandro
please make this correction in your blog "GRAC_BATCH_RA" is not a program but a transaction code. thank you
thanks for your feedback - you are right. The program is GRAC_BATCH_RISK_ANALYSIS. I have corrected the document.
Hi Alessandro,
In your document you mentioned that ' if the back-end system is down, offline analysis will not work '. I have checked in our GRC system, where we are able to run the offline risk analysis even when the backend system is down.
I have checked by giving wrong IP address in RFC definition. Then ran online analysis which gave error, then for offline analysis it is showing results.
Regards,
Kaavya.
Hi Kaavya,
thanks for your feedback. I have removed that.
Further I have also added the impact on reports.
Regards,
Alessandro
Hello Alessandro,
Really good material.
Regards,
Paulo
thanks a lot Paulo! 🙂
Hello Alessandro,
Really good material to understand about offline risk analysis. Is it possible to add a para or two about on-line risk analysis and its benefits also?
Regards,
Deepak M
Hi Deepak,
thanks for your feedback. The benefit of online risk analysis is actually that you have a real time analysis which takes a snapshot of the current situation. It allows you to make changes in the backend and analyze immediately. Hence you can proceed very fast e.g. while remediating violation issues.
As I tried to explain in the document real time analysis has also its disadvantages where the offline analysis is more suitable and helpful. But as always it depends on your requirement and what you are going to do.
Best regards,
Alessandro
Hello Alessandro,
Thanks a lot for taking time to explain online risk analysis as well...
Regards
Deepak
Hi Alessandro,
I'm joining to all thankful words.
Unfortunately, you didn't mention the version and SP level of the system. Could you tell me please whether there were any corrections for the screens?
Some difference between my and your screens makes me frustrated.
Parameter value is set
But Offline Risk Analysis in Additional Criteria is not available for me (no permission or view restrictions).
Job for risk collecting is running periodically.
I'm on GRC 10 SP 20.
Regards,
Artem
Hello Artem,
Check if the field is not hidden by a user personalization.
Thank you Paulo.
My configuration for this section was not modified. I've posted my issue here.
If you have any ideas, you are welcome on my thread.
Regards,
Artem
Hi Alessandro,
Very helpful material as usual. Thank you.
Does the option to use the offline risk analysis significantly reduce the runtime in generating the risk analysis report compared to doing it online? What we have experienced so far is that there is no significant difference in performance between running it offline and online for the same set of selection criteria. Or are there any settings that we can look into to make the performance of offline risk analysis better?
Regards,
Francis
Hi Francis,
the offline analysis should be faster than the online as it only has to pull the data from the table versus running the risk analysis against the backend system. However, it depends on your setup. If you have well-designed roles along with proper assignments and a performant system, it might feel similarly performant when you run offline/online.
What is your current release and SP level? There have been several notes that address the performance of the risk analysis both for offline and online.
Regards,
Alessandro
Hi Alessandro,
We are at SP level 21 and I must admit that our role setup is not really optimal and that contributes to the fact that the risk analysis might contain a huge amount of data. Given this, what would be the best way to increase performance? Is it to increase hardware capacity?
Thanks and Best Regards,
Francis