SAP GRC – How to troubleshoot when Access Risk Analysis doesn’t show proper result
In this blog post, you will learn how to troubleshoot when risk analysis doesn’t show any result.
Access Risk Analysis is an automated tool within SAP GRC Access Control that lets you run access risk analysis in the foreground or background at user, role, profile and HR Object level. It can also simulate access risk, showing the risks that would result from adding or removing access, for example a role being added to or removed from a user.
Using this tool we can create rule sets and define access risks. During risk analysis, the rules defined in the rule set are used to identify access risks. We can run the risk analysis at action, permission, critical action, critical permission and critical role / profile level. Depending on the risks identified, we can remediate or mitigate the access risk.
Typically, organizations use this tool for staying risk free and compliant.
Recently I faced a few problems with the risk analysis tool, so I thought of sharing the errors and the steps I took to resolve them.
The steps below help you verify the settings needed for the risk analysis to show proper results.
Step 1: Add Plug-in system to the GRC system
Make sure the connector or plug-in system is created and assigned to a connector group, and that the connector group is mapped to the function / risk.
Creating a connector is a shortcut for creating an RFC destination in t-code SM59.
To create a connector, follow the menu path Governance, Risk and Compliance => Common Component Settings => Integration Framework => Create Connectors
a. Give the RFC destination a name and description and choose Connection Type 3 (here, the plug-in system is ABAP, so I am choosing connection type 3, which is Connection to ABAP System)
c. Now test the connection. Make sure the Connection Test and the Authorization Test are both successful.
If there is an authorization error, assign the required RFC authorizations to the user ID.
To test the connection, follow the menu path SM59 => RFC Destination => Utilities => Test => Connection Test / Authorization Test
Step 2: Assigning the Connector to the Connector Group
To assign the connector to a connector group, follow the menu path Governance, Risk and Compliance => Common Component Settings => Integration Framework => Maintain Connectors and Connection Types
At this step, you need to perform several activities to add the connector to the connector group.
a) Define Connection Type
Connection types are used when connecting to other systems.
b) Define Connectors
Add the connector created in Step 1 here. Also define any subsequent connectors, if there are any.
We are choosing the connection type SAP because the connector is an SAP system.
c) Define Connector Groups
A connector group is used to group a similar set of systems. For example, to group ECC systems you can create one group such as ECC_GRP, and to group CRM systems create another group, CRM_GRP, and so on.
d) Assign Connector to Connector Group
Add the connector created in Step 1 to the connector group and make sure the Connection Type is populated correctly.
Step 3: Adding the Integration Scenario
This is a very important step, because the application uses the connectors to communicate with other systems. Make sure the integration scenario “AUTH” is added to the connector.
Follow the menu path Governance, Risk and Compliance => Common Component Settings => Integration Framework => Maintain Connection Settings
Step 4: Generate SoD Rules
After adding the connector, you need to generate SoD rules. Otherwise you will end up with the message “No rules were selected” after the risk analysis completes.
To generate the rules, follow the menu path Governance, Risk and Compliance => Access Control => Access Risk Analysis => SoD Rules => Generate SoD Rules
Step 5: Execute Repository Object Sync Program
This step synchronizes data such as roles, profiles and user details from the plug-in systems into the GRC system repository.
We must make sure the tables GRACUSER and GRACUSERCONN are in sync. Otherwise risk analysis doesn’t show the expected result, and you may end up with an error like “Risk Analysis finished with error” or “User does not exist”.
To resolve this error, you need to execute Repository Object Sync (program GRAC_REPOSITORY_OBJECT_SYNC) for the connector created in Step 1.
I would suggest a FULL sync the first time; after that you can schedule incremental sync batch jobs.
To schedule the Repository Object Sync job, follow the menu path Governance, Risk and Compliance => Access Control => Synchronization Jobs => Repository Object Synch
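Before rerunning the analysis it is worth confirming that every user you intend to analyze is actually present in the repository for that connector. The check below is an added example (it is not SAP code and not part of the original post): it takes SE16-style extracts of GRACUSER and GRACUSERCONN as lists of dicts and reports which user IDs would produce the “User does not exist” outcome described above. The column names USERID and CONNECTOR, and all sample rows, are assumptions constructed for the example.

```python
"""Check whether the GRC repository knows the users you are about to analyze.

Added example, not SAP's code. Column names (USERID, CONNECTOR) and the
sample rows are assumed/constructed; in practice export the two tables
with SE16 and load them as lists of dicts.
"""

# Constructed sample extract of GRACUSER (one row per user known to GRC).
GRACUSER = [
    {"USERID": "JSMITH"},
    {"USERID": "AKUMAR"},
    {"USERID": "BATCHUSER"},
]

# Constructed sample extract of GRACUSERCONN (user-to-connector mapping).
GRACUSERCONN = [
    {"USERID": "JSMITH", "CONNECTOR": "ECC_DEV"},
    {"USERID": "AKUMAR", "CONNECTOR": "ECC_DEV"},
    {"USERID": "JSMITH", "CONNECTOR": "CRM_DEV"},
]


def users_needing_sync(user_ids, gracuser, gracuserconn, connector):
    """Return {user_id: reason} for every requested user that risk analysis
    on `connector` would not find in the repository.

    Two distinct failure modes are distinguished, because they point at
    different fixes: a user absent from GRACUSER has never been synced at
    all, while a user present there but without a GRACUSERCONN row for this
    connector was synced from another system only.
    """
    # SAP user IDs are stored upper-case; normalise so input case cannot
    # produce false positives.
    known = {row["USERID"].upper() for row in gracuser}
    on_connector = {
        row["USERID"].upper()
        for row in gracuserconn
        if row["CONNECTOR"] == connector
    }
    problems = {}
    for uid in (u.upper() for u in user_ids):
        if uid not in known:
            problems[uid] = "missing from GRACUSER (never synced)"
        elif uid not in on_connector:
            problems[uid] = f"no GRACUSERCONN row for connector {connector}"
    return problems


if __name__ == "__main__":
    # Users we plan to analyze on the ECC_DEV connector (constructed).
    to_analyze = ["jsmith", "AKUMAR", "BATCHUSER", "NEWHIRE"]
    for uid, reason in users_needing_sync(to_analyze, GRACUSER, GRACUSERCONN, "ECC_DEV").items():
        print(f"{uid}: {reason} -> run GRAC_REPOSITORY_OBJECT_SYNC for ECC_DEV")
```

Any user listed in the output is a case where the Repository Object Sync for that connector has to run (a FULL sync if it has never run) before the analysis can return a result for them.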
Step 6: Verify Repository Object Sync Job Status
Execute t-code SM37 to verify the job status.
Sometimes the job shows as Finished but there is an error in the spool, so make sure you verify both the job log and the spool log.
For troubleshooting, refer to the SLG1 log. If there is an error such as “Name or password is incorrect” or “Too many failed attempts”, make sure the RFC user ID is created in the plug-in system and that the same password is stored in the RFC destination.
Once the Repository Object Sync job has completed successfully, run the access risk analysis again, and now you will be able to see the result.
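Because a job that SM37 reports as Finished can still carry a failed sync in its spool, it helps to triage the three sources together. The script below is an added example (not SAP code and not from the original post): it takes the SM37 status, the job log lines, the spool lines and the SLG1 messages, flags the error texts this post mentions, and maps each one to the step that resolves it. All log lines are constructed samples, and the exact SLG1 wording on a real system may differ from the patterns used here.

```python
"""Triage one Repository Object Sync run from its SM37 status, job log,
spool and SLG1 messages.

Added example, not SAP's code. The error texts are the ones quoted in the
post; every sample log line below is constructed.
"""
import re

# Error texts from the post, each mapped to the step that resolves it.
KNOWN_ERRORS = [
    (re.compile(r"name or password is incorrect|too many failed attempts", re.I),
     "RFC logon failed: create the RFC user ID in the plug-in system and store "
     "the same password in the SM59 destination (Step 1)"),
    (re.compile(r"user does not exist|risk analysis finished with error", re.I),
     "Repository out of sync: run GRAC_REPOSITORY_OBJECT_SYNC (FULL) for the "
     "connector (Step 5)"),
    (re.compile(r"no rules were selected", re.I),
     "No SoD rules generated: run Generate SoD Rules (Step 4)"),
]
GENERIC_ERROR = re.compile(r"\berror\b", re.I)
SPOOL_ACTION = ("Job status is Finished but the spool reports an error; treat the "
                "sync as failed and check SLG1")


def triage_sync_job(job_status, job_log, spool_log, slg1_messages):
    """Return (succeeded, findings).

    findings is a list of (source, line, recommended_action). A run only
    counts as successful when SM37 says Finished AND nothing in the spool
    or SLG1 indicates a failure, which is the trap described in Step 6.
    """
    findings = []
    sources = (("JOBLOG", job_log), ("SPOOL", spool_log), ("SLG1", slg1_messages))
    for source, lines in sources:
        for line in lines:
            action = next((act for pat, act in KNOWN_ERRORS if pat.search(line)), None)
            # Unrecognised error text in the spool still invalidates the run.
            if action is None and source == "SPOOL" and GENERIC_ERROR.search(line):
                action = SPOOL_ACTION
            if action:
                findings.append((source, line, action))
    succeeded = job_status.strip().lower() == "finished" and not findings
    return succeeded, findings


def recommended_actions(findings):
    """Deduplicate the actions while keeping first-seen order."""
    return list(dict.fromkeys(action for _, _, action in findings))


# Constructed sample of a run that SM37 shows as Finished.
JOB_STATUS = "Finished"
JOB_LOG = [
    "Job started",
    "Step 001 started (program GRAC_REPOSITORY_OBJECT_SYNC, variant ECC_FULL)",
    "Job finished",
]
SPOOL_LOG = [
    "Connector ECC_DEV: 1,204 users read",
    "Error: User sync terminated for connector CRM_DEV",
]
SLG1_MESSAGES = [
    "Name or password is incorrect (repeat logon)",
    "Too many failed attempts",
]

if __name__ == "__main__":
    ok, found = triage_sync_job(JOB_STATUS, JOB_LOG, SPOOL_LOG, SLG1_MESSAGES)
    print("sync succeeded:", ok)
    for source, line, action in found:
        print(f"[{source}] {line}\n    -> {action}")
    print("actions:", recommended_actions(found))
```

On the constructed sample the job status alone would pass, but the spool line and the two SLG1 logon messages mark the run as failed and point back to the RFC destination from Step 1; only a run with no findings should be followed by rerunning the risk analysis.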
Thanks for reading, and I hope this article is useful for people looking for solutions to access risk analysis problems. If you have any questions or suggestions, please leave a comment.