SAP GRC – How to troubleshoot when Access Risk Analysis doesn’t show proper result

Hello Everyone,

In this blog post, you will learn how to troubleshoot when risk analysis doesn’t show any result.

Introduction

Access Risk Analysis is an automated tool within SAP GRC Access Control that enables you to perform access risk analysis in the foreground or background at the user, role, profile and HR object levels. It can also run an access risk simulation to show the possible risks of adding or removing access, for example a role added to a user or removed from a user.

Using this tool we can create rule sets and define access risks. During risk analysis, it uses the rules defined in the rule set for identifying access risks. We can run the risk analysis at action, permission, critical action, critical permission and critical role / profile levels. Depending on the risks identified, we can remediate or mitigate the access risk.

Typically, organizations use this tool to stay risk free and compliant.

Recently I faced a few problems with the risk analysis tool, so I thought of sharing the errors and the steps I took to resolve them.

 

The steps below help you verify the settings needed for the risk analysis to show proper results.

Step 1: Add Plug-in system to the GRC system

Make sure the connector (plug-in system) is created and assigned to a connector group, and that the connector group is mapped to the function / risk.

Creating a connector is a shortcut for creating an RFC destination in t-code SM59.

To create a connector, follow the menu path Governance, Risk and Compliance => Common Component Settings => Integration Framework => Create Connectors

a. Give RFC destination name, description and choose Connection Type 3 (here, the plug-in system is ABAP, so I am choosing connection type 3 which is Connection to ABAP system)

b. Next, fill in the logon details used to connect to the plug-in system from the GRC system. Make sure the user id and password exist in the plug-in system / client.

c. Now, test the connection. Make sure Connection and Authorization Tests are successful.

If there is an access error, assign the required RFC authorizations to the user id.

To test the connection, follow the menu path SM59 => RFC Destination => Utilities => Test => Connection Test / Authorization Test

Step 2: Assigning Connector to the Connector group

To assign the connector to the connector group, follow the menu path Governance, Risk and Compliance => Common Component Settings => Integration Framework => Maintain Connectors and Connection Types

In this step, you need to perform several activities to add the connector to the connector group.

a) Define Connection Type

Connection types are used while connecting to other systems.

b) Define Connectors

Add the connector created in Step 1 here. Also define any further connectors.

We are choosing the connection type SAP because the connector is an SAP system.

c) Define Connector Groups

A connector group is used to group similar systems. For example, to group ECC systems you can create one group such as ECC_GRP, and to group CRM systems create another group, CRM_GRP, and so on.

 

d) Assign Connector to Connector Group

Add the connector created in Step 1 to the connector group and make sure the Connection Type is populated correctly.

 

Step 3: Adding Integration Scenario

Adding the integration scenario is a very important step because the application uses the connectors to communicate with other systems. Make sure the integration scenario “AUTH” is added to the connector.

Follow the menu path Governance, Risk and Compliance => Common Component Settings => Integration Framework => Maintain Connection Settings

 

 

Step 4: Generate SoD Rules

After adding the connector, you need to generate the SoD rules. Otherwise you will end up with the message “No rules were selected” after the risk analysis is completed.

To generate the rules, follow the menu path Governance, Risk and Compliance => Access Control => Access Risk Analysis => SoD Rules => Generate SoD Rules

Step 5: Execute Repository Object Sync Program

This step synchronizes data such as roles, profiles and user details from the plug-in systems to the GRC system repository.

We must make sure the tables GRACUSER and GRACUSERCONN are in sync. Otherwise the risk analysis doesn’t show the expected result. You may end up with an error like “Risk Analysis finished with error or User does not exist”.

 

To resolve this error, you need to execute the Repository Object Sync (program: GRAC_REPOSITORY_OBJECT_SYNC) for the connector created in Step 1.

I would suggest a FULL sync the first time; after that you can schedule incremental sync batch jobs.

To schedule the Repository Object Sync job, follow the menu path Governance, Risk and Compliance => Access Control => Synchronization Jobs => Repository Object Synch
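
As an added example (not part of the original post and not SAP code), the following Python script compares CSV exports of GRACUSER and GRACUSERCONN for one connector and lists the user ids on which they disagree. The column names USERID and CONNECTOR, the connector names, the sample rows, and the reading of “in sync” as “each user id appears in both tables” are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports of the two tables. The column names USERID and
# CONNECTOR are assumptions about the export layout; adjust to your files.
GRACUSER_CSV = "USERID\nALICE\nBOB\nCAROL\n"
GRACUSERCONN_CSV = (
    "USERID,CONNECTOR\n"
    "ALICE,ECCCLNT100\n"
    "bob ,ECCCLNT100\n"      # case/padding differences are normalised below
    "DAVE,ECCCLNT100\n"
    "ALICE,CRMCLNT200\n"
)

def _norm(value):
    """Normalise an id so padding or case in an export does not hide a match."""
    return (value or "").strip().upper()

def load_users(text, user_col="USERID"):
    """Return the set of user ids found in a GRACUSER export."""
    rows = csv.DictReader(io.StringIO(text))
    return {_norm(r.get(user_col)) for r in rows} - {""}

def load_mappings(text, user_col="USERID", conn_col="CONNECTOR"):
    """Return {connector: set of user ids} from a GRACUSERCONN export."""
    mappings = defaultdict(set)
    for r in csv.DictReader(io.StringIO(text)):
        user, conn = _norm(r.get(user_col)), _norm(r.get(conn_col))
        if user and conn:
            mappings[conn].add(user)
    return dict(mappings)

def sync_gaps(gracuser_text, gracuserconn_text, connector):
    """Report where the two exports disagree for one connector."""
    users = load_users(gracuser_text)
    mappings = load_mappings(gracuserconn_text)
    mapped_here = mappings.get(_norm(connector), set())
    mapped_anywhere = set().union(*mappings.values())
    return {
        # False means the export holds no rows at all for this connector.
        "connector_has_rows": bool(mapped_here),
        "mapped_but_no_user_record": sorted(mapped_here - users),
        "user_record_but_unmapped": sorted(users - mapped_anywhere),
    }

if __name__ == "__main__":
    print(sync_gaps(GRACUSER_CSV, GRACUSERCONN_CSV, "ECCCLNT100"))
```

Any non-empty list, or `connector_has_rows` being false, is a reason to rerun the sync for that connector before trusting the risk analysis output.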

Step 6: Verify Repository Object Sync Job Status

Execute t-code SM37 to verify the job status.

Sometimes the job shows as finished but there is an error in the spool, so make sure you verify both the job log and the spool log.

For troubleshooting, you can refer to the SLG1 log. If there is an error such as “Name or password is incorrect” or “Too many failed attempts”, make sure the RFC user id is created in the plug-in system and the same password is stored in the RFC destination.

Once the Repository Object Sync job has completed successfully, run the access risk analysis again and you will be able to see the result.

 

 

 

Thanks for reading and I hope this article would be useful for people looking for some solution around access risk analysis problems. In case of any question or suggestion, please leave a comment.

 

Regards,

Kranthi
