Background Jobs in Risk Analysis and Remediation 5.

3
Skip to end of metadata

Attachments:3
Added by Yukti Sharma, last edited by Yukti Sharma on Dec 17, 2012 (view change)
show comment
Go to start of metadata
Purpose
The purpose of this document is to explain all types of Background jobs available in GRC-
Access Control- Risk Analysis Remediation - 5.3 version and what is the significance of these
jobs.
Overview
In GRC Risk Analysis Remediation 5.3, there are several types of background jobs which are
basically scheduled to synchronize with R/3 system, batch risk analysis, generate management
reports, alerts and data mart generation.
All the data from backend ABAP stack i.e. R/3 system is synchronized into the Risk Analysis
and Remediation database . This content contains all the details regarding generation of
background jobs.
Significance and types of background jobs in GRC RAR 5.3 version
1. Synchronization Job: Performing Synchronization is to ensure the front-end database tables
match completely the back-end connected systems. This job is scheduled to synchronize
the Users, Roles, Profiles from the backend system. You may perform a full synchronization the
first time when connector to backend system is created. Once the Full Synch Job is completed
successfully, Incremental Synch can be scheduled periodically to ensure data consistency
between RAR and backend(R/3) system.
2. Batch Risk Analysis Job: This is the core function of RAR. By performing batch risk analysis,
the security of users/roles/profiles are compared against the Segregation of Duties rules to
identify possible conflicts.
3. Management Report Generation: Management Report, it summarizes the detail data from
table VIRSA_CC_PRMVL, puts it into the Intermediate Table and then finally summarizes it in
the Management Report tables.
4. Alert Generation: This job scheduled to generate alerts for Conflicting Action, Critical Action
and Control Monitoring.
5. Data Mart: Data Mart functionality is basically used to extract data from Risk Analysis and
Remediation as well as Compliant User Provisioning and load it to any reporting tool, such as
Crystal Reports. This enables graphical display of RAR and CUP data in custom reports.


How to schedule Synchronization job
To schedule a sync job follow the below steps:
In RAR application, open Background Job which is visible under Configuration tab.
Select Background Jobs > Schedule Analysis.
Now select the User/Role/Profile Synchronization from the SYNC MODE field.
Synch Mode
1. Incremental: This uses various back-end SAP tables to identify users/role/profile changed from
the time of the last sync until today's date. This includes users who have had
authorizations changed. Only those items changed will be re-synched into the front-end. So
only those users changed in the back-end will have the UPDDATE field updated in table
VIRSA_CC_GENOBJ. It is best practice to schedule a nightly job to perform an incremental
sync job.
2. Full sync: This is basically deleting everything in the front-end and replacing it with what is in
the back-end. When a full synchronization is run, all users in table VIRSA_CC_GENOBJ have
the UPDDATE field updated for the date of the full synchronization. It should be performed
periodically as well to ensure the data integrity.
As per your requirement, select any synchronization from the following:
1. User Synchronization
2. Role Synchronization
3. Profile Synchronization
Select your System or select wildcard (*) to perform synchronization for all the connected
systems.
After clicking on Schedule, a new screen will appear on Risk Analysis Background Job.
Enter the Job Name and select Immediate or Delayed Start and mention the date and time to
begin.
You can schedule it periodically if you want the job to be performed multiple times.
After following all the above steps, click on Schedule.
The following message will get displayed: "Background job scheduled successfully, Job ID:
XXX"

How to schedule the Batch Risk Analysis job
If you want to schedule the batch risk analysis job follow the below steps:
In RAR application, open Background Job which is visible under Configuration tab.
Select Background Jobs > Schedule Analysis.
From the Batch Mode dropdown list, select Full Sync or Incremental.
Now select the Rule Set from the dropdown list.
For Report Type, select Action Level Analysis or Permission Level Analysis.
As per your requirement select any of the Risk Analysis type from the following:
1. User Synchronization: Select Appropriate System, Users and User Group for Analysis.
2. Role Synchronization: Select Appropriate System and Role for Analysis.
3. Profile Synchronization: Select Appropriate System and Profile for Analysis.
4. Critical Role and Role/Profile Analysis.
After clicking on Schedule, a new screen will appear on Risk Analysis Background Job.
Enter the Job Name and select Immediate or Delayed Start and mention the date and time to
begin.
You can schedule it periodically if you want the job to be performed multiple times.
After following all the above steps, click on Schedule.
The following message will get displayed: Background job scheduled successfully, Job ID: XXX
How to schedule the Management Reports Generation
If you want to generate the management report follow the below steps:
In RAR application, open Background Job which is visible under Configuration tab.
Select Background Jobs > Schedule Analysis.
Under Management Report Section, select the Management Report checkbox.
After clicking on Schedule, a new screen will appear on Risk Analysis Background Job.
Enter the Job Name and select Immediate or Delayed Start and mention the date and time to
begin.
You can schedule it periodically if you want the job to be performed multiple times.
After following all the above steps, click on Schedule.
How to schedule the Alert Generation job
If you want to schedule the alert generation job follow the below steps:
In RAR application, open Background Job which is visible under Configuration tab.
Select Background Jobs > Alert Generation.
In the Action monitoring section, select Generate Action Log.
Select any of your system for which you want to generate alerts.
Select any of the alert type to include in the action log:
1. Conflicting Action: Select the Risk ID and Risk Level (Consider mitigated users)
2. Critical Action: Select the Risk ID and Risk Level (Consider mitigated users)
3. Control Monitoring: Select Mitigating Control ID
Under Alert notification, select appropriate item for which you want to generate the e-mail
notifications.
After clicking on Schedule, a new screen will appear on Risk Analysis Background Job.
Enter the Job Name and select Immediate or Delayed Start and mention the date and time to
begin.
You can schedule it periodically if you want the job to be performed multiple times.
After following all the above steps, click on Schedule.
The following message will get displayed ,"Background job scheduled successfully, Job ID:
XXX".
How to schedule the Data Mart Job
Data Mart functionality is basically used to extract data from Risk Analysis and Remediation as
well as Compliant User Provisioning and load it to any reporting tool, such as Crystal Reports.
This enables graphical display of RAR and CUP data in custom reports.
Go to Configuration tab.
Select Background jobs and click on Schedule Data Mart job.
Now select any of the following as per you requirement:
1. Extract master data
2. Extract transactional data (Incremental/ full sync)
3. Include Compliant User Provisioning data
Click on execute button to run the job.


Related Content
offline means that the analysis is based on the last risk analysis (for example if you schedule
once per day you will get this information in your report). Online means you are checking on-
time in the systems (current situation) and system considers real time information. You can
choose "Offline Data" in risk analysis screen to run with offline data.

With parameter 1027 you can enable or disable offline risk analysis


Online vs. Offline Risk Analysis
created by Alessandro Banzer on Jul 16, 2014 11:38 AM, last modified by Alessandro Banzer on Jul 23,
2014 9:19 AM
Version 8
inShare
This document describes the difference between Online and Offline Risk Analysis in SAP GRC
Access Control based on several SAP Notes.


In order to be able to run offline analysis at all, the configuration option "Enable Offline Risk
Analysis" must be set to YES (Parameter 1027) in Access Control configuration settings in
SPRO.

This configuration option is now selectable in the Risk Analysis > Additional Criteria.

Offline analysis is not real-time data but is dependent on the date of the last Batch Risk Analysis. The
Batch Risk Analysis is run as background job in GRC by using program GRAC_BATCH_RA. This is the
same batch risk analysis that is run to update the management reports and companies should be running
this on a frequent basis to ensure their management reports are accurate. Running the Offline analysis is
the same as drilling down via the Management View.

The benefits using offline analysis is mostly in response time. By using offline analysis, Risk Analysis
and Remediation does not have to make as many calls into the connected systems so the analysis will
return much faster than using online analysis. However, please keep in mind that offline analysis is not
real-time and will not take into account any changes made since the last Batch Risk Analysis.

Using offline analysis, you can obtain both summary and detail reports. The one exception is that if you
run Report types Critical Action or Critical Permission, you will not be able to see the detail report, only
the summary report. Please note that this is only for Critical Action and Critical Permission. Report types
of Permission level and Action level can go down to the detail level in offline mode.

Please keep in mind that how you have the Batch Risk Analysis set up for defaults will impact the data
you have to run offline analysis on. For example, in Configuration under Risk Analysis you have the
option "Exclude Locked Users". If this is set to YES, when running the batch risk analysis, it will not
evaluate locked users which means the tables holding the conflicts will not include any data for locked
users.

When you run Risk Analysis, you have the option to change Ignored Users field to something other than
what is set up in the Configuration. However, if you change this to NOT ignore locked users and run in
offline mode, you will not receive any conflicts because no locked users were evaluated during the batch
risk analysis. Running this report in online mode may turn up conflicts with locked users.


Impacts on Workflows
The following listing shows the impact on each workflow which uses date from the risk analysis.



Segregation of Duty (SoD) Review
The system uses Offline Risk Analysis data to update management graphics and to generate SoD Review
workflow requests. When the system detects SoD violations, it automatically sends reports to managers
so that they can take actions to either remove user access or to mitigate the SoD risks.


User Access Review
The system uses Offline Risk Analysis data to update and generate UAR Review workflow requests.



Access Request Submission
The application automatically performs an online risk analysis when the requestor submits the request.
This behaviour can be configured in parameter 1071 (Enable risk analysis on form submission). Note:
The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the
approvers screens but not on the requestors screens. SoD violations for access requestes are stored in
table GRACSODREPDATA.


Role Approval Workflow

In Business Role Management (BRM), some customers may have a business requirement that once a role
is sent for approval to Role Approval workflow, the role owner(s) must re-run the risk analysis and
mitigate a risk before approval. The risk analysis has to be performed during Analyze Access Risk
methodology step and is always performed as Online Risk Analysis.


Impact on Reports
The following listing shows the impact on Reports which uses data from the risk analysis.


Risk Analyisis in Access Management
The risk analysis results in Access Management, like User Level, Role Level, Profile Level or HR
Objects, are based on real-time risk analysis. Also simulation uses real-time risk analysis data.



Risk Analysis in Reports and Analytics

The risk analysis in Reports and Analytics tab is always offline analysis and hence you should have run
the Batch Risk Analysis to populate the violations data.

Looking forward to your input and contribution in this document.