
Online vs. Offline Risk Analysis

This document describes the difference between Online and Offline Risk Analysis in SAP GRC Access Control based on several SAP Notes.

In order to be able to run offline analysis at all, the configuration option “Enable Offline Risk Analysis” must be set to YES (Parameter 1027) in Access Control configuration settings in SPRO.


This configuration option is now selectable in the Risk Analysis > Additional Criteria.

Offline analysis does not use real-time data; its results depend on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as a background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). This is the same batch risk analysis that is run to update the management reports, and companies should run it frequently to ensure their management reports are accurate. Running the offline analysis is the same as drilling down via the Management View.

The benefit of offline analysis is mostly in response time. With offline analysis, Risk Analysis and Remediation does not have to make as many calls into the connected systems, so the analysis returns much faster than online analysis. However, please keep in mind that offline analysis is not real-time and will not take into account any changes made since the last Batch Risk Analysis.

Using offline analysis, you can obtain both summary and detail reports. The one exception is that if you run Report types Critical Action or Critical Permission, you will not be able to see the detail report, only the summary report. Please note that this is only for Critical Action and Critical Permission. Report types of Permission level and Action level can go down to the detail level in offline mode.

Please keep in mind that the defaults you have set up for the Batch Risk Analysis determine the data available for offline analysis. For example, in Configuration under Risk Analysis you have the option “Exclude Locked Users”. If this is set to YES, the batch risk analysis will not evaluate locked users, which means the tables holding the conflicts will not include any data for locked users.

When you run Risk Analysis, you have the option to change Ignored Users field to something other than what is set up in the Configuration. However, if you change this to NOT ignore locked users and run in offline mode, you will not receive any conflicts because no locked users were evaluated during the batch risk analysis. Running this report in online mode may turn up conflicts with locked users.
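
The effect described in the two paragraphs above, as a small Python model added here (it is not SAP code and not part of the original document). The rule set, risk IDs, user names and the `BatchSnapshot` class are constructed for illustration; the snapshot stands in for the conflict tables filled by the Batch Risk Analysis.

```python
from dataclasses import dataclass

# Constructed SoD rule set: a risk is a pair of actions one user must not hold together.
RISKS = {"P001": ("FK01", "F110"), "S002": ("ME21N", "MIGO")}

@dataclass
class User:
    name: str
    actions: set
    locked: bool = False

def analyze(users, ignore_locked):
    """Online analysis: evaluate the users' current access against RISKS."""
    found = set()
    for u in users:
        if ignore_locked and u.locked:
            continue
        for risk_id, (a, b) in RISKS.items():
            if a in u.actions and b in u.actions:
                found.add((u.name, risk_id))
    return found

class BatchSnapshot:
    """Hypothetical stand-in for the conflict tables written by the batch job."""
    def __init__(self, users, exclude_locked):
        self.locked = {u.name for u in users if u.locked}
        # Conflicts are computed once, at batch time, with the batch defaults.
        self.conflicts = analyze(users, ignore_locked=exclude_locked)

    def offline(self, ignore_locked):
        """Offline analysis: filter stored conflicts only, never re-evaluate."""
        return {(n, r) for n, r in self.conflicts
                if not (ignore_locked and n in self.locked)}

def demo():
    users = [User("ALICE", {"FK01", "F110"}),
             User("BOB", {"ME21N", "MIGO"}, locked=True),
             User("CAROL", {"FK01"})]
    # Batch run with "Exclude Locked Users" = YES: BOB is never evaluated.
    snap = BatchSnapshot(users, exclude_locked=True)
    # Access change made after the batch run: CAROL now holds both actions.
    users[2].actions.add("F110")
    # Both reports are run with locked users NOT ignored.
    return snap.offline(ignore_locked=False), analyze(users, ignore_locked=False)

if __name__ == "__main__":
    offline, online = demo()
    print("offline:", sorted(offline))
    print("online: ", sorted(online))
```

The offline result misses both the locked user's conflict and the conflict created after the batch run, which is why the batch defaults and the batch schedule need to be reviewed together with any report that relies on offline data.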


Impacts on Workflows

The following list shows the impact on each workflow that uses data from the risk analysis.


Segregation of Duty (SoD) Review

The system uses Offline Risk Analysis data to update management graphics and to generate SoD Review workflow requests. When the system detects SoD violations, it automatically sends reports to managers so that they can take actions to either remove user access or to mitigate the SoD risks.


User Access Review

The system uses Offline Risk Analysis data to update and generate UAR Review workflow requests.


Access Request Submission

The application automatically performs an online risk analysis when the requestor submits the request. This behaviour can be configured in parameter 1071 (Enable risk analysis on form submission). Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens. SoD violations for access requests are stored in table GRACSODREPDATA.


Role Approval Workflow

In Business Role Management (BRM), some customers may have a business requirement that once a role is sent for approval to Role Approval workflow, the role owner(s) must re-run the risk analysis and mitigate a risk before approval. The risk analysis has to be performed during Analyze Access Risk methodology step and is always performed as Online Risk Analysis.


Impact on Reports

The following list shows the impact on reports that use data from the risk analysis.


Risk Analysis in Access Management

The risk analysis results in Access Management, like User Level, Role Level, Profile Level or HR Objects, are based on real-time risk analysis. Also simulation uses real-time risk analysis data.


Risk Analysis in Reports and Analytics
The risk analysis in Reports and Analytics tab is always offline analysis and hence you should have run the Batch Risk Analysis to populate the violations data.

Looking forward to your input and contribution in this document.



  • Hey Alessandro

    Another 5 star!

    Would it be worth a paragraph on workflow impacts? For example, SoD review using offline, risk analysis on submission of access request, etc. Or do you think this should be another topic?



      • SoD Review WF needs offline risk analysis to run first as it’s based on that. I assume UAR is the same.

        I can’t remember off the top of my head for user access request workflow on submission (set by the configuration parameter). I think request and approval screens the user would be running online or have the choice as the risk analysis webdynpro is embedded. Role workflow approval will be similar to access request (it’s a step in the methodology to run risk analysis but can’t remember approval screens).



        • Hi Colleen,

          I have to google to make sure we provide the correct information. But just from my feeling I assume that request submission uses online risk analysis as the authorization is going to change. Means even the offline risk analysis run yesterday night I can see upcoming risks in the first approver screen. Hence it must run online.

          Role approval I assume it is similar as it is always a new situation due to a change and therefore an online analysis is necessary.

          Do you agree?



          • Hi Alessandro

            That’s my thoughts but I’m not currently using the functionality to test it out. I think you’ve taken the right approach to see what others have to say.

            Starting to wonder though if this may benefit more as a WIKI? But then we’ll be stuck back at issue of not having permissions to edit.



          • Fully agree – let’s see what the other experts say.

            ps. I will transfer to the Wiki as soon as the authorization issue is fixed. Still waiting for Fernando.



          • Hi Colleen,

            have added some comments on the impact of each workflow. Appreciate your feedback if you have some update/correction.

            Best regards,


  • Hi Alessandro,

    In your document you mentioned that ‘ if the back-end system is down, offline analysis will not work ‘. I have checked in our GRC system, where we are able to run the offline risk analysis even when the backend system is down.

    I have checked by giving wrong IP address in RFC definition. Then ran online analysis which gave error, then for offline analysis it is showing results.



      • Hello Alessandro,

        Really good material to understand about offline risk analysis. Is it possible to add a para or two about on-line risk analysis and its benefits also?


        Deepak M

        • Hi Deepak,

          thanks for your feedback. The benefit of online risk analysis is actually that you have a real time analysis which takes a snapshot of the current situation. It allows you to make changes in the backend and analyze immediately. Hence you can proceed very fast e.g. while remediating violation issues.

          As I tried to explain in the document real time analysis has also its disadvantages where the offline analysis is more suitable and helpful. But as always it depends on your requirement and what you are going to do.

          Best regards,


  • Hi Alessandro,

    I’m joining to all thankful words.

    Unfortunately, you didn’t mention about version and SP level of the system. Could you tell me please whether there were any corrections for the screens?

    Some difference between my and your screens makes me frustrated.

    Parameter value is set

    But Offline Risk Analysis in Additional Criteria is not available for me (no permission or view restrictions).

    Job for risk collecting is running periodically.

    I’m on GRC 10 SP 20.