SAP Access Control (GRC) Online vs. Offline Risk Analysis

by

This article describes the differences between Online and Offline Risk Analysis in SAP Access Control (GRC) based on several SAP Notes and our implementation experience.

Before you can run offline analysis at all, you have to set the configuration option “Enable Offline Risk Analysis” to YES (Parameter 1027) in the Access Control configuration settings in SPRO.

Online Offline Risk Analysis
Configuration Parameter in SPRO

This configuration option is now selectable in the Risk Analysis > Additional Criteria.

Online Offline Risk Analysis
Risk Analysis on User Level

Offline analysis is not real-time data but is dependent on the generated data of the last Batch Risk Analysis. We recommend running the Batch Risk Analysis in the background by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). This is the same job that updates the management reports, and you should run this job on a frequent basis to ensure the management reports are up to date. Running the Offline analysis has the same effect as drilling down in the Management View.

Benefits of offline analysis

The main benefit of using the offline analysis is reduced response time. By using offline analysis data, the risk analysis and remediation pulls data from its database tables and hence will return results much faster than using the online analysis. However, please keep in mind that offline analysis is not real-time and will not take into account any changes that have been made since the last Batch Risk Analysis has been run.

Using offline analysis, you can obtain both summary and detail reports. The one exception is that if you run the report types Critical Action or Critical Permission, you will not be able to see the detail report, only the summary report. Please note that this is only for Critical Action and Critical Permission. Report types of Permission level and Action level can go down to the detail level in offline mode, too.

Also, note that your configuration (how you run the batch risk analysis) will impact the data you have available for your offline analysis. For example, in Configuration under Risk Analysis, you have the option “Exclude Locked Users.” If this is set to YES, when running the batch risk analysis, it will not evaluate locked users. That means the tables holding the conflicts will not include any data for locked users.

When you run a real-time analysis, you have the option to change Ignored Users field to something other than what is set up in the configuration. However, if you change this to NOT ignore locked users and run in offline mode, you will not receive any conflicts because no locked users were evaluated during the batch risk analysis. Running this report in online mode may show up conflicts with locked users.

Impacts on Workflows

The following section outlines the impact on workflows which use data from the risk analysis, either offline or online.

Segregation of Duty (SoD) Review

The system uses Offline Risk Analysis data to update management graphics and to generate SoD Review workflow requests. When the system detects SoD violations, it automatically sends reports to managers so that they can take actions to either remove user access or to mitigate the SoD risks.

User Access Review

The system uses Offline Risk Analysis data to update and generate UAR review workflow requests.

Access Request Submission

The application automatically performs an online risk analysis when the requestor submits the request. This behavior can be configured in parameter 1071 (Enable risk analysis on form submission). Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens. SoD violations for access requests are stored in table GRACSODREPDATA. With later support packages, you also have the option to run the risk analysis in the background by setting parameter 1071 to ASYNC (Asynchronous). The asynchronous mode also performs a real-time analysis with the advantage that the user doesn’t have to wait until the analysis is finished to continue.

Role Approval Workflow

In Business Role Management (BRM), some customers may have the requirement that once a role is sent for approval to the Role Approval workflow, the role owner(s) must re-run the risk analysis and mitigate the risks before approval. The risk analysis has to be performed during Analyze Access Risk methodology step and is always performed as Online Risk Analysis.

Impact on Reports

The following listing shows the impact on Reports which uses data from the risk analysis.

Risk Analysis in Access Management

The risk analysis results in Access Management, like User Level, Role Level, Profile Level, or HR Object level are based on real-time risk analysis. Also, all the simulations use real-time risk analysis data. However, if you tick the box “Offline Data”, the analysis will include offline data.

Risk Analysis in Reports and Analytics

The risk analysis in Reports and Analytics tab is always an offline analysis, and hence you should have run the Batch Risk Analysis to populate the violations data.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.

Subscribe to our SAP Security Newsletter

Stay up to date with the latest SAP security news and receive valuable tips and tricks by subscribing to our newsletter.