This article describes the differences between Online and Offline Risk Analysis in SAP Access Control (GRC) based on several SAP Notes and our implementation experience.
Before you can run offline analysis at all, you have to set the configuration option “Enable Offline Risk Analysis” to YES (Parameter 1027) in the Access Control configuration settings in SPRO.
This configuration option is now selectable in the Risk Analysis > Additional Criteria.
Offline analysis is not real-time data but is dependent on the generated data of the last Batch Risk Analysis. We recommend running the Batch Risk Analysis in the background by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). This is the same job that updates the management reports, and you should run this job on a frequent basis to ensure the management reports are up to date. Running the Offline analysis has the same effect as drilling down in the Management View.
Benefits of offline analysis
The main benefit of using the offline analysis is reduced response time. By using offline analysis data, the risk analysis and remediation pulls data from its database tables and hence will return results much faster than using the online analysis. However, please keep in mind that offline analysis is not real-time and will not take into account any changes that have been made since the last Batch Risk Analysis has been run.
Using offline analysis, you can obtain both summary and detail reports. The one exception is that if you run the report types Critical Action or Critical Permission, you will not be able to see the detail report, only the summary report. Please note that this is only for Critical Action and Critical Permission. Report types of Permission level and Action level can go down to the detail level in offline mode, too.
Also, note that your configuration (how you run the batch risk analysis) will impact the data you have available for your offline analysis. For example, in Configuration under Risk Analysis, you have the option “Exclude Locked Users.” If this is set to YES, when running the batch risk analysis, it will not evaluate locked users. That means the tables holding the conflicts will not include any data for locked users.
When you run a real-time analysis, you have the option to change Ignored Users field to something other than what is set up in the configuration. However, if you change this to NOT ignore locked users and run in offline mode, you will not receive any conflicts because no locked users were evaluated during the batch risk analysis. Running this report in online mode may show up conflicts with locked users.
Impacts on Workflows
The following section outlines the impact on workflows which use data from the risk analysis, either offline or online.
Segregation of Duty (SoD) Review
The system uses Offline Risk Analysis data to update management graphics and to generate SoD Review workflow requests. When the system detects SoD violations, it automatically sends reports to managers so that they can take actions to either remove user access or to mitigate the SoD risks.
User Access Review
The system uses Offline Risk Analysis data to update and generate UAR review workflow requests.
Access Request Submission
The application automatically performs an online risk analysis when the requestor submits the request. This behavior can be configured in parameter 1071 (Enable risk analysis on form submission). Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens. SoD violations for access requests are stored in table GRACSODREPDATA. With later support packages, you also have the option to run the risk analysis in the background by setting parameter 1071 to ASYNC (Asynchronous). The asynchronous mode also performs a real-time analysis with the advantage that the user doesn’t have to wait until the analysis is finished to continue.
Role Approval Workflow
In Business Role Management (BRM), some customers may have the requirement that once a role is sent for approval to the Role Approval workflow, the role owner(s) must re-run the risk analysis and mitigate the risks before approval. The risk analysis has to be performed during Analyze Access Risk methodology step and is always performed as Online Risk Analysis.
Impact on Reports
The following listing shows the impact on Reports which uses data from the risk analysis.
Risk Analysis in Access Management
The risk analysis results in Access Management, like User Level, Role Level, Profile Level, or HR Object level are based on real-time risk analysis. Also, all the simulations use real-time risk analysis data. However, if you tick the box “Offline Data”, the analysis will include offline data.
Risk Analysis in Reports and Analytics
The risk analysis in Reports and Analytics tab is always an offline analysis, and hence you should have run the Batch Risk Analysis to populate the violations data.
Latest posts by Alessandro Banzer (see all)
- SAP Security Challenge – December 2017 - December 1, 2017
- SAP Access Control (GRC) Risk Owner and Mitigating Control Owner Mass Maintenance - November 21, 2017
- Comparison of SAP Role Design Concepts - November 14, 2017