1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC)


Upload: gangshm

Post on 13-Apr-2018


Page 1: 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC)

7/26/2019 1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC)

http://slidepdf.com/reader/full/1168120-risk-analysis-and-remediation-53-support-package-vircc 1/22

SAP Note 

Header Data

Symptom 

This note provides information about the issues resolved in SAP GRC Access Control 5.3 - Risk Analysis Packages.

Other Terms 

Compliance Calibrator, Access Controls, VIRCC, VIREPRTA, Risk Analysis and Remediation

Reason and Prerequisites 

Access Control 5.3 version should be installed prior to installing the support packages.

Solution 

This note is updated on a regular basis. Review the current version of this note before you start the

Contents
1. Change History
2. General Information
3. Resolved Issues

1. Change History:

Date        Short Description
05.08.2008  Created note for Support Package 1
07.16.2008  Updated for Support Package 2 - Patch 1
08.13.2008  Updated for Support Package 3
09.24.2008  Updated for Support Package 4
11.11.2008  Updated for Support Package 5
01.06.2009  Updated for Support Package 6
20.02.2009  Updated for Support Package 6 Patch 1
15.03.2009  Updated for Support Package 7
16.04.2009  Updated for Support Package 7 Patch 1
20.05.2009  Updated for Support Package 8
18.06.2009  Updated for Support Package 8 Patch 1
30.09.2009  Updated for Support Package 9
08.12.2009  Updated for Support Package 10
07.01.2010  Updated for Support Package 10 Patch 1
28.01.2010  Updated for Support Package 10 Patch 2
22.02.2010  Updated for Support Package 11
28.05.2010  Updated for Support Package 11 Patch 1
28.05.2010  Updated for Support Package 12
20.08.2010  Updated for Support Package 12 Patch 1
27.08.2010  Updated for Support Package 13
17.09.2010  Updated for Support Package 13 Patch 1
15.10.2010  Updated for Support Package 13 Patch 2
22.11.2010  Updated for Support Package 13 Patch 3
16.12.2010  Updated for Support Package 14
16.03.2011  Updated for Support Package 15
10.05.2011  Updated for Support Package 15 Patch 1
01.06.2011  Updated for Support Package 15 Patch 2
27.07.2011  Updated for Support Package 15 Patch 3
31.10.2011  Updated for Support Package 15 Patch 4
02.06.2011  Updated for Support Package 16
20.07.2011  Updated for Support Package 16 Patch 1
01.08.2011  Updated for Support Package 16 Patch 2
22.09.2011  Updated for Support Package 16 Patch 3
08.11.2011  Updated for Support Package 16 Patch 4
20.02.2011  Updated for Support Package 16 Patch
16.09.2011  Updated for Support Package 17
17.11.2011  Updated for Support Package 17 Patch 1
15.12.2011  Updated for Support Package 17 Patch 2
01.12.2011  Updated for Support Package 18
12.06.2012  Updated for Support Package 18 Patch 2
12.06.2012  Updated for Support Package 18 Patch 3
12.06.2012  Updated for Support Package 19

1168120 - Risk Analysis and Remediation 5.3 Support Package (VIRCC) 

Version: 69
Validity: 08/30/2013 - active
Language: English (Master)
Released On: 08/30/2013 07:29:23
Release Status: Released for Customer
Component: GRC-SAC-ARA Access Risk Management
Priority: Recommendations / Additional Info
Category: Installation information


2. General Information:

These support packages are not automatically sent to all customers. To perform this installation, downpackages from the SAP Service Marketplace. To install this support pack, please follow the "SAP GRC Access Control 5.3 Installation Procedures" sAccess Control 5.3" installation guide.

3. Resolved Issues:

The following issues have been resolved in Support Package 1: 

Performance improvement to the Risk Analysis functionalities.

Localization for Polish has been added.

Issues related to internationalization have been resolved.

The following issues have been resolved in Support Package 2:

Multiple monitor assignment to Mitigation Control Report.

Parallel processing for Critical Action and Role/Profile analysis.

Deleted roles showing up in Management Report issue has been fixed. 

Fixed Alert generation time out issue when there are a lot of activities in the backend.

Parallel processing of RAR is resolved where, if one of the threads fails, it will restart again on the

Status of background job for rule generation after restart of system changing to Abort, is fixed.

The following issues have been resolved in Support Package 2 - Patch 1:

Management View - Total number of Critical Action / Role / Profile is not proper when these rules are

Dump when updating executing User sync / analysis for the newly created connectors.

The following issues have been resolved in Support Package 3: 

Job status is not correctly changed from "ready" to "running".

The rule generation job shows as complete, but when the GRC system is restarted, the status becomes "a

If server thread 0 is unavailable, jobs won't complete.

When running on multiple threads, if one thread fails, it won't restart. So the entire job completes othread.

Delayed scheduled jobs show as "complete" and not "ready".

Job thread on server 0 is not released even if the job aborts.

Creating rules for portal systems is not saved correctly which results in incorrect results.

If the monitor has an invalid email ID, unable to mitigate a user with that monitor.

Selecting a specific system under management report is not showing correct results. When choosing "alcorrectly.

If a user does not have a language in their UME account, a dump occurs. This has been changed.

If you attempt to schedule analysis job with * users and * system, it is not completing.

Critical action reports are not returning correct results.

The following issues have been resolved in Support Package 4: 

Management report is showing inaccurate information compared to the detail level report.

Mitigating controls are not taken into account when doing incremental batch risk analysis.

Issue when reviewing management report in French.

Risk analysis reports are not fully translated.

Management report for logical system does not contain critical action/role/profile data.

When ignoring locked/expired users, the "total users analyzed" in management report still shows locked

If you use a variant for risk analysis and the variant has multiple users selected, the icon for multiturn green to denote that there are multiple selections.

Default ruleset is not defaulting when creating a risk.

From Informer -> Audit Reports -> Mitigating Controls -> Mitigation Control by Business Unit Control dreported.

In detailed risk analysis, the technical name is not showing for the field value.

When you disable a job, the enable/disable button becomes greyed out and you can't re-enable the job w

When a role is made a critical role for a logical system, management reports are not correctly updated


 Reference user analysis is not working for critical profiles.

The following issues have been resolved in Support Package 5: 

Reports are not formatted in a manner to aid in analyzing the data in Excel or Access as the report hain all one row.

In the back-end in Risk Terminator, the mitigation button is still available, even though mitigation crisk terminator.

When executing the critical roles/profile jobs in background, a message "error while executing the Job

The system selected is not carried over when searching for roles to do simulations.

Contradicting results when simulating adding a role to a user with and without the "Risk from the simuor no.

Background job spools are not available after upgrade from 5.2 to 5.3.

Critical action and critical role/profile analysis cannot be run in background by system.

The "number of users/roles analyzed" is based on sync numbers and not actual number of users/roles anaanalysis.

A new button "Exclude Objects" has been provided in Configuration->Background Job->Schedule
When clicked it will open a new screen for defining excluded users/user groups/roles/profiles globally
When batch risk analysis is run then these users/user groups/roles/profiles will be excluded from the

Note: When a user/user group/role/profile is defined as excluded, all the offline and management reportuser/user group/role/profile is deleted. If huge number of objects are defined to exclude, using rangeit may take long time to delete the violation data that may lead to time out situation. It is recommendelete the violation data for these excluded objects manually and then define them in exclude objects.

Selection parameters (System, User and User Group) have been provided for "Critical Action and Role/PrConfiguration->Background Job->Schedule Job.

Import functionality is restricted to import only RAR related tables ('VIRSA_CC_*') data and all non Rskipped.
For Ex: Configuration -> Utilities -> Import will allow to import data only related to tables which st

Note: For information on the feature changes and enhancements for SP05, see SAP Note: 1282351, AccessPackage 05 Supplemental Note

The following issues have been resolved in Support Package 6:

Users deleted in the SAP back end system were not getting deleted from the RAR after the full user syn

While creating UAR requests in CUP, both composite roles and the single roles are showing when it shouroles.

The following issues have been resolved in Support Package 6 Patch 1: 

Management report drilldown was giving an error if server is re-started and not executed Risk Analysis

When JMS fails and J2EE has multiple server nodes some of the RAR memory objects are getting nullifiednot able to login into RAR. Now, it is possible to log in to the RAR application even if there are JMS issues.

Critical Actions report in detail view shows no results after executing the Risk Analysis Job in the breport shows data when executed in the foreground.

The following issues have been resolved in Support Package 7:

When the Background Job is configured periodically showing Run date/time always the first run, which srun Date/time.

After restarting the RAR application, if Risk analysis is not executed and trying to drill down the Mashowing the 500 internal server error.

While executing the User Level Risk analysis, if users have special characters like "'" in the name ianalysis.

While uploading the RAR Rule files if the Function Action file has a status of value "1" for disabled

Create a function and load data against a logical system instead of a physical system, the Critical AcReports is not working.

When an authorization object in the rules is enabled with TWO fields and Search Type of AND, the analyright results. It expects all the values to be within the same authorization.

When modifying a role from PFCG, Risk Terminator triggers the TCode Level analysis, but it is not showing

When exporting Risk Analysis results, there is a long hierarchical folder structure to get to the XLS da

Critical Actions report from Management View is downloading the data in Microsoft XL format, which is65,536 lines.

When modifying the Risk or Function, some of the values for which"funcid+'~'+Actionid+'~'+connector+'~'+authtree+'~'+valuefrom+'~'+valueto+'~'+condition" value exceedsto update.

When alert report for conflicting actions is run with specifying no time frame for a system shows thesometime and no report is generated.


When executing cross system Risks, RAR is returning composite Roles for actions, but not for permissio

When Enterprise Portal server is configured in RAR has a port other than 53000 is not working.

While uploading the tcodes from Configuration >> Upload Objects as part of post install is failing wit

When there is only one periodic job configured in RAR, this job fails to start after the first time in

When sync the user data from the background job, the data downloaded does not include the Usergroup de

Risk Terminator in 5.3 is not sending e-mails to the Risk Owner when conflicts are detected.

When executing the Embedded Action Calls in Compliance Calibrator Frontend is calling the /VIRSA/GET_AFunction Module in backend to fetch the data. It's unable to read a particular line, as the data is excausing a program dump.

Alert Job for the Transaction Usage Report is erroring out after 2 to 4 hours when there will be huge

In RAR, if a user has a same cross system risk across different cross systems, it only returns the firsrisk exists and it does not return the risk existing in other cross systems. This results in false repon SOD requests.

When a same single role is part of 2 composite Roles and both composite roles assigned to a user, SimuComposite Role exclude is showing wrong results.

When running a cross system analysis in RAR should be able to run a report using any of the users idsMaster User ID). If a user that uses 2 systems and executing a risk analysis should able to get the saIndividual and Master User IDs. Only using the Master User ID was displaying results across systems.

While executing a Offline Risk Analysis (Ad Hoc report) cannot be executed when the Backend SAP system

The following issues have been resolved in Support Package 7 Patch 1: 

Management report numbers are not correct when compared to back-end number. Specifically, in the userreport, there are negative figures for users with violations which is not accurate.

After application of SP7 when the Net Weaver server is using a Oracle database, the background job anabackground jobs cannot be executed.

When running a risk analysis with SAP* as exclude object, it excludes all ID's that start with SAP, no
Please refer to the SAP note 1327733 for more details.

The Critical Action's audit report fails to run with error "failed to run report".

The following issues have been resolved in Support Package 8: 

When running risk analysis, must enter * after risk ID, otherwise no results returned.

The 5.3_messages text does not include the Czech language translations.

The date/time label in the action alert is showing garbled text.

The wrong number of profiles, roles and users analyzed is showing in management report.

Management report shows negative numbers in the Management report under the User Analysis.

Org rules will only work when there is a single risk in each org rule.

Unable to mitigate at the org rule level in CUP.

When users have logon language set to Spanish as default the display still shows other language like E

When rulesets are named similarly, causes invalid reports.

Running critical action or critical permission report in background does not show detail report.

Critical Role/Profiles report shows incorrect result for locked & expired Dialogue users.

When logged into the system in Italian, unable to drill down on management report graphics.

The user authorization count report using the FTP server is not working.

The delivered VIRSA_CC_BUSINESS_OWNER role has update access to the configuration tab.

When a composite role is made a critical role, it's still showing up even when ignore critical role pr

When running a risk analysis with SAP* as exclude object, it excludes all ID's that start with SAP, no
Please refer to the SAP note 1327733 for more details.

Critical actions are not correctly showing when triggered in ERM.

On the mitigation tab, risk level appears in French not in Spanish.

In CUP, the mitigating controls do not appear in sorted sequential order for oracle database.

The Critical Action's audit report fails to run with error "failed to run report".

Critical action report under Audit reports does not work if data is loaded against a logical system.

The analytical report returns the message "no match nor conflict found".

Editing functions in German sometimes brings up English headers.


 Risk resolution screen is in English even though the user logged in Portuguese.

When going under rule architect - change history - functions, a 500 internal server error occurs.

Missing translation into Spanish for some columns when running risk analysis.

Different color schemes are shown for various management report graphs and are sometimes inappropriategreen for critical risks).

False alert notifications are sent to risk owners if the risk contains multiple systems.

When a user switches from debugger to the cc application, the cc application session expires.

When running informer - audit reports or security reports in a language other than english, the sub en 

If a business process has a "_" in the description, management reports show a dump.

When risk analysis is done for a composite role, the description of some single roles is missing (only

Unable to delete the single administrator in the search screen.

When logging in under a language other than English, the violations/violated users/level in pie chart,shown.

When logged in under a language other than English, the mitigation control graph is not correct.

When scheduling a periodic job, the periodic selection screen will dump if characters are written in tfield.

Web services do not all have required authentication controls set up.

The job scheduler shows "not responding" for the sync job even though it is running.

When filtering for alerts using system, all alerts are shown, they are not filtered for only the selec

The Org Rule Analysis is reporting only one (single) violation i.e. the first in the alphabetical ordedefined under one ORG RULE.

In function mass maintenance and in risk search, buttons are displayed in English instead of user's lo

No relevance of "End Date" while scheduling periodic jobs.

During upload extractor data, if the user clicks upload without selecting a checkbox, message "data exsuccessfully" received but it should be an error.

Critical profiles violations are not returned in risk terminator if risk terminator is configured to w

The informer - audit report - miscellaneous - embedded action call report was not working properly.

When downloading informer - audit report - miscellaneous, or informer - security report - miscellaneou
file is not generated.

Unable to run profile analysis under Risk analysis - role level if the report type is set to critical

When risk terminator is triggered and rules are maintained in 4.0 abap, the risk description is not po

Unable to terminate job when running "embedded action calls in programs of sap system" report.

Unable to run Informer - audit reports - critical role and profiles with logical systems.

No relevant language message in German for message 0290-0294.

Performance issue while searching permission rules for one riskid.

RAR is reporting a cross system risk for a user for which they don't satisfy part of the rule. Specishowing as having a risk, but the user does not have the transaction from one of the systems that the

The following issues have been resolved in Support Package 8 Patch 1: 

While executing more than one background job for ad-hoc User Risk Analysis in background and a reasimultaneously, either one of the background job or real-time risk analysis job will fail in AIX servewhile executing the Job:null". Please refer to the SAP Note 1354999 for more details.

The following issues have been resolved in Support Package 9: 

• NEW FEATURE - Configuration Change History report has been introduced in RAR to track the changesparameters. This can be found in RAR under the Configuration tab as the last option "Configuratio

• When importing rules under Rule Architect - Import rules, error message "CONNECTORID is invalid sythe name of whatever connector rules are being loaded into). This occurs if the connector ID conttechnical ID of the connector.

• While trying to import the EP Master data file (using the Webservice), into the Configuration =>UpObjects, it returns error #Cannot assign an empty string to host variable 6.#

• Not all users who have conflicts in Portal systems are being reported if the Portal system ID is c"ALL" is chosen, users are being correctly reported. Caused by issue in user sync from the portal

• Portal violations are not correctly being reported. This is caused because when UME actions fromthrough files into RAR, all the actions are being converted into upper case. When rules are builtthey are stored in all upper case. As Portals actions are case sensitive and have both upper and


are not returned correctly.

• When searching for permission rules with permission object of s_tcode, error comes up and no resul

• Critical Roles can't be defined for netweaver Portal due to case-sensitive object names in Portalsearch function in RAR isn't case sensitive and therefore converts all search strings into capitalroles are lower letter and aren't found. This makes it impossible to define critical roles like 'sportal connector.

• NEW FEATURE - The ability to test connection is now available. To use, go to Configuration - ConnSearch. Highlight the connector to test and press Test Connection.

• NEW FEATURE - There is a new configuration option under Configuration - Performance tuning calledLimit for web service. This sets threshold violation limit for the Risk Analysis web service. When
exceeds this limit, an error message appears. The default value is 1000; if set to 0 (zero) then tlimit.

• On AIX environments, when running batch risk analysis, the background job log shows "error while e

• Able to delete a logical system even if there is a critical role/profile defined for that logicalchecking should be in place to prevent deletion of logical system if there is any data attached to

• Only one year of historical data is displayed for management reporting, even though all historicalsupport pack removes that limitation and now all historical information available will be displaye

• On management report tab, when you click on the graph to drill down to see the details of user/roldetails are shown (blank screen) even though there are conflicts. This is specific to environmenton mainframe.

• Batch Risk Analysis fails when it gets to 99% completed. This is due to multiple threads being ru
ID which results in a unique constraint error.

• Clicking on Rule Architect - Rule Library and then clicking on a risk level (such as high) in theaction level rules with a risk level in a non-English language. In addition, the Audit Report andon the Informer tab are sometimes displayed in non-English languages.

• On the informer tab, under management view, user analysis, the Users with Violations shows a negatwhich is not possible.

• After a manual restart of the NetWeaver server, all configured SAP Adapters are inactive (showingmanually activate the sap adapters after every restart.

• On Alert Monitor tab, when running Critical Actions report, the navigation buttons at the bottom oinstead of the texts and the number of pages are not displayed either.

• An ad hoc risk analysis is run in background. When the result icon is selected, error "failed to
and unable to display the results of the job. This is caused by special characters in the user ID

• Searching for jobs using the following paths are case sensitive and will not return results if incthe search.
RAR -> Informer -> Background Job -> Search -> Scheduled By
or RAR -> Configuration -> Background Job -> Search -> Scheduled By

• Risk Terminator is not stopping role generation for a role with risks. The issue is caused by no dinstead of reporting that error, the role is allowed to generate.

• When drilling down in Rule Library on a certain business process, error message "Cannot assign a jlength 6 to host variable 3 which has JDBC type VARCHAR(4)" comes up. This is due to a business punderscore "_" in the name.

• When signed in under non-English language, when you search for a mitigation control, the risk ID iID column.

• When running offline analysis, the composite roles do not show in the detail or summary report eveoption is enabled.

• When drilling into the critical action section of Management View - User Analysis, the incorrect Rdoes not display the correct rule set that the management report was run under.

• The Security report for Action Usage by Role and Profile is generated. When the results icon is clfile, it gives a 500 internal server error.

• If the management report is run and there are 0 unmitigated risks, the Risk Violation by Process sbox instead of showing the management graphs.

• When using Configuration - Rule Upload, error messages are returning in languages other than the llogged on under.

• Emails sent to the mitigation monitor contains formatting text instead of having proper line breakunreadable.

• In PFCG, when two roles are added to a composite role and saved, Risk Terminator is executed propethe single roles is removed from the composite and then resaved, risk terminator executes and showdeleted role. The issue is the risk terminator does not refresh the violation page.

• The Mitigation controls downloaded from Mitigation > Mitigating Controls > Search Screen to a locshow proper description under the right column as seen on the excel, if the description is multili


been pressed in separating the description lines).

• When searching for an hr mitigation, 500 internal server error message appears saying "failed to pcontact your system administrator".

• After creation of a data extractor, the System and Object fields are still editable and should bechanging.

• The configuration change history screen shows the status of a deleted job as old value as "delete""terminate". The log should show the status of the deleted job as "terminate" and the new value s

• In the SAP Adapter tab, the adapter periodically turns gray (inactive). When it is selected to enamessage "the controller has already been destroyed" is displayed.

• When importing configuration under Configuration - Utilities - Import, an error [SYSTEMID] is inva(with system id being the connector ID. This happens if the system has an underscore '_' in the I

• When a role has * in the TO field of any authorization object, RAR is incorrectly saying the roletransactions/permissions. This is not correct. When a role has * in the to field it can only dowith the value in the FROM field to the last transaction (ZZZZZ).

• The complete text description is missing for Configuration--> Additional Options-->Convert users,upper case

• In configuration change history, the JCO destination change history is not correctly displayed. Tbeing fetched instead of the connector ID.

• In Logical Systems, either create or Change, if the Delete button (minus sign button) is clicked,is displayed.

• NEW FEATURE - When importing rules under Rule Architect - Import, a new option is available to chosystems or replace rules for systems imported.

• When generating rules, the option under Select Rule Type for either Actions or Actions and Permissremoved. Generating rules will generate required entries at both action and permission level.

• Risk analysis report download to a zip file. When customer does not have winRAR, he could not opetemp directory that the file is created under. The temp directory is now removed in the zip file.

• When selecting Rule Architect -> change history and enter for any function, error received"java.lang.IndexOutOfBoundsException: Index: 0, Size: 0."

• When going to the background daemon status URL, the word "details" is misspelled as details.

• In Audit Report -> Rule -> Action Rules by Action, error "'java.sql.SQLException: ORA-01427" is be

• Mitigations show against a role or profile even though it has not been correctly assigned to that

• When logged in under a non-English language, risk analysis reports run in background display the rEnglish instead of the logon language.

• Risk Terminator takes a long time to run and sometimes errors out due to timeout. This is due toroles. Previously risk terminator did not exclude critical roles/profiles from analysis. With thiroles/profiles are now excluded when running risk terminator.

• Change history logs under Rule Architect are not accurate. If change is made under one ID and theanother ID makes another change to the same record, it does not update the log with the right user

• On Mitigation - Mitigating Controls - Change, the search button for risk ID is not available if yomode. Unable to search for risks to assign to this mitigation.

• If connector does not exist, there is now an initial system set up that can be brought in during D

• When assigning the role to user from SU01, risk terminator triggers, however it will not stop youto user even if the role contains a conflict.

• NEW FEATURE - A new reporting data mart has been introduced to enable custom reporting on RAR andextracts relevant data from RAR and CUP and converts data for reporting purposes. The data mart ispublished schema to enable customer to integrate with any reporting tool.

• Risk Terminator is not being triggered when a new single role is being added to a composite role.

• The application allows a user to upload files to the server containing client side scripting. UserAdministrator" role can upload malicious files to the server containing client side scripting at "

• When running organizational rule analysis, the organization rule description is not showing on thethe Risk ID is entered in the report at the 4 digit level (XXXX*).

• Some of the graphics in RAR have a URL that includes the characters "/." and SiteMinder won't allostandard cross site scripting risk. One such URL for example is: https://sapgrc.mypepsico.com/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator/~wd_ksap-wd-download=1sap-wd-ppwndid=c4c80df135c811dea06a001e0bfd611e& sap-wd-norefresh=X

l The mitigation control long description is truncated in the risk analysis reports. This is both owhen downloaded to Excel.

l NEW FEATURES - There are several new features introduced with SP09 in all components. Please refehttp://service.sap.com/instguides - > SAP BusinessObjects -> SAP BusinessObjects Governance, Risk,Access Control -> SAP GRC Access Control 5.3 for the features implemented in SP09.

The following issues have been resolved in Support Package 10: 

l When logging in to RAR, the two nodes below on the informer tab are displayed using the language finstead of the language configured in the Portal. Audit reports, Security reports

l Alert notification job is sending multiple emails. If there are multiple alerts, then the data wilwhich are correct. If there is only 1 alert, then 2 mails will be sent but the second mail will be

l Risk Terminator is not analyzing roles correctly when it is configured to run at tcode levelobject level. When a role is saved, Risk Terminator is not reporting all risks.

l The email received by mitigation monitors upon removal of a mitigation control assignment containsnot properly formatted.

l When running risk analysis at user level for critical permission risks, unable to display the deta

l When downloading reports into Excel from Rule Architect, the German Umlaute is not showing correct

l When creating a risk, the business process defaults to FI00, even if this business process does no

l When running risk analysis reports, if a range of risks is used, the "to" value risk is not includexample, if a risk range of B010*-B019* is entered in the report, risk B019* will not show even ifrisk. It will only show if the range is entered as B010*-B020*.

l When attempting to assign an existing Mitigating Control to a new role within the Mitigation tab,as an option. This is seen when clicking to search for a Role Name and the role search window opensystem.

l When the user tries to add SM59 TCODE to any existing function it gives you dump as java.null.poin

l Running the control monitoring alert job errors with message "java.lang.NullPointerException".

l RAR displays certain reports and fields in languages other than the language the user signed on un

l Batch risk analysis is not showing any users as having risks even though risks exist. The problemmade in Exclude objects table to exclude * Profiles. After making that entry when the full sync jothe users will also be marked as EXCLUDED in VIRSA_CC_GENOBJ table but it should not be the case asupposed to be excluded.

l In Informer -> Management Reports -> User Analysis, the number of users with no violation do notreport for ALL systems and individual system.

l Running risk analysis for Oracle ERP system has performance issues when compared to running agains

l The "List Expired and Expiring Roles for Users" report does not display any results when executed

l Unable to save numeric values in the Exclude Objects section of management reports. It appears toback, the field is empty.

l When searching the critical action rules via Rule Architect-> Rules-> Critical Action rules by #ALgives the error: #[jcc][t4][10120][10898][3.50.153] Invalid operation: result set is closed. ERRORSQLSTATE=null#. This error does not appear if you search the critical action rules based on some

l When we execute the alert generation job for control monitoring for a single mitigation control, i

the following error message in front-end logs. "WARNING: VIRSAXSR3_02: Cannot execute BAPI StatReccom.sap.tc.webdynpro.modelimpl.dynamicrfc.WDDynamicRFCExecuteException: No more storage space avaiinternal table., error key: RFC_ERROR_SYSTEM_FAILURE"

l The Generate Alert job errors with messages "TSV_TNEW_OCCURS_NO_ROLL_MEMORY" and "CALL_FUNCTION_REfixed in sap note 1401629 and the code change is now incorporated into this support pack.

l Program /VIRSA/ZVRAT_L03 which is used to convert the rules of CC4.0 for RAR 5.3 is failing with eis not seven digits".

l Scheduling Alert Generation program /VIRSA/ALERTGEN in the ABAP system does not generate alerts andumps. This is specific to situations where the system time zone is set to something besides CET.

l Inaccurate risk showing when running org rule analysis. Risk is showing that the user does NOT acrule analysis is not properly analyzing all permissions configured in the rules.

l Connection errors are encountered when running the report "Role Authorization Count" by going intoSecurity Reports >Roles. 

l When running risk analysis, certain user groups are excluded from the results, even though they artables.

l After a server restart, two jobs get scheduled called "starts all SAP Adapters on server startup"has no adapters configured. The fix is that this job will only be created if there are adapters c

l The risk description is missing in the risk analysis reports. This is caused if the risk descript

text after the colon is not displayed.

l A duplicate blank email is received by the Risk owner for risk changes. This is fixed so only one

l Not all risks are shown under mitigation control monitors - search if * is entered in the risk ID

l When running risk analysis, error "string index out of range; 4RC:1" occurs. This is caused by rcolons (for example RU:1).

l When maintaining the permission field values in the functions, there is no validation check in plafield to ensure it is greater than the "value from" field.

l In the Informer tab under Rule Library, the permission level rule count is incorrect and sometimes

l Exception handling in datamart job is not configured.

l NEW FEATURE - With this support pack, two new delete functions are available on the configurationto delete connectors, the second option is to delete rules. Please see sap note 001416728 for mornew feature. If RAR application contains huge data in tables it is recommended to truncate tablesVIRSA_CC_ACTVL, and VIRSA_CC_CRROLEVL before running the delete program.

l When executing a Role analysis in Risk analysis and remediation, if a space occurs at the end of tcharacters following an error will occur: "Cannot assign a blank-padded string to host variable 2

l In RAR Configuration - Risk Analysis, the description text 'Default' is in English even if a userlanguage.

l Various areas in RAR display English text even when logged in under Hungarian.

l In Rule Architect, various fields are shown in English even when logged in under Russian.

l Under Informer->Audit Reports->Critical Actions when clicking on the execute button and then clickbutton several times, the language is changed from time to time.

l The value "no" in various drop down boxes is translated incorrectly in Hungarian.

The following issues have been resolved in Support Package 10 Patch 1: 

l While doing Risk Analysis in CUP, if any mitigated role is added by removing the existing role, ththe mitigated risk. However, the same Mitigated Role is ignored correctly, when it is added withourole.

The following issues have been resolved in Support Package 10 Patch 2: 

l While performing cross system risk analysis (where one system is a legacy system), then applicatiomessage "cannot get user action authorizations".

The following issues have been resolved in Support Package 11: 

l When you run a simulation and set Risks from Simulation Only to 'YES', the detail report only showpermissions required to satisfy the rule.

l Configuration - Additional Options - Offline Analysis option is set as YES. In the Risk analysis poffline Analysis to "Yes" and save the variant, it turns to be NO and the variant is also saved lithe variant, it shows the offline Analysis as "NO" when it should be YES.

l Alert emails are not going to the Risk Owner, if Risk description is maintained in a language othe

l The report at Informer tab-> Security Reports -> Users -> Users by User ID is not sorting by any p

l The translation of the word "high" in Portuguese is not consistent. In some places it's "alto" an"elevado". This support pack makes the text consistent in all areas of RAR. 

l When we run the Org User Extraction Job, the job fails with error message "From value cannot be grvalue". The cause of this is that there is a role where the organizational field value has a fromthan the to value. This support pack includes a change where the Log Display will record the exacwill enable the customer to go back to PFCG and update the role with proper From/To values. The efail each time a role with invalid data is found until all roles are valid.

l When we try to search all the systems without any value in System input box (after searching for athe application gives a "500 internal server error" message.

l Application is throwing error in Alert Monitor & Dump in Control Monitor screen after running the

l The Manage Deletion Node has not been translated into non-English languages.

l In config change history, when we select the area as USER MAPPING and field as all, it shows the rUPDATE and DELETE records. But in case we select system id, it shows the result for update records

l Action Rules by Business Process and Risk report in Audit reports is showing inconsistent results

l In Search Background Jobs screen there is no task defined for the "manage deletion functionality".

l Proper message is not coming on activating the SAP Adaptor if the Test Connection of the connectormessage "java.lang.Exception" comes when the proper message should be that the test connection fail

l When adding a new permission within a function, the red * symbol is not showing next to the Objectshould show since this is a required field.

l When uploading rules via Configuration - Rule Upload, the warning messages are in a language otherof the user.

l When logged in under Chinese, on saving a risk without a Risk Description, the error message comes in EChinese.

l When searching for a role that has a space at the end of the name, error message "cannot assign ahost variable 2" displays.

l When logging in under Chinese or Russian, the level and status fields in the Audit reports are com

l When logged in under Russian, Chinese or Portuguese, while creating Function if any field is enablFrom value, the error message comes in English.

l If no ruleset is selected, yet the "change" or "delete" button is pressed, pop up comes up sayingdelete the selected ruleset". Proper message should be "please select at least one ruleset". 

l If no jobs exist and the "show parameter" or "show job" button is pressed, it results in an "inter

l When creating a mitigation control, the Management View - Control Library counts of controls willrefresh of the RAR application.

l When going to Informer->Audit Reports->Critical Actions, if the hide/display button is hit several

changed from time to time.

l Under Informer - Background Job - Search, if the "reset" button is selected and jobs are searchedare shown. On the informer tab, a user should only be able to see the jobs that they have created

l When clicking on the Analyzed Auth Objects button in the RAR Informer -> Audit Reports -> Miscellain Roles but not in Rules report, a 500 internal server error occurs.

l When logged in under Chinese, Informer->Critical Action-> Search for all is showing in English, n

l Critical roles and profiles created in another language are not shown when going to informer - audrole and profile.

l When the user tries to add SM59 transaction to any existing function, it gives a java.null.pointerexists only in Oracle.

l Chinese risk levels other than "high" show as blanks.

l When Risk Terminator is configured for risk analysis at tcode level, the screen that should appeargeneration" does not show. It does work if risk analysis is set to be object level. 

l The Generate Alert job errors with ABAP dumps "TSV_TNEW_OCCURS_NO_ROLL_MEMORY" and "CALL_FUNCTION_

l The Action usage report (Java stack) and the transaction code /virsa/zvrat_02 in the ABAP system bthe current month. Unable to run the report to obtain historical month's data. 

The following issues have been resolved in Support Package 11 Patch 1: 

l Critical permission type risks are not showing correctly after support pack 9. Users are showingpermission risks when they do not actually satisfy all parts of the rule.

The following issues have been resolved in Support Package 12: 

l When you run risk analysis simulation, if a single role is part of multiple composite roles, onlythe report, not all composite roles.

l After upgrading to SP09, users cannot see background jobs that were scheduled before upgrading tois converted to UPPER case in SP09.

l After removing the server node from the configuration tool and restarting the J2EE server, the serin the CCADStatus.jsp or Analysis Daemon page. This can also be seen in the drop down in the CCDeb

l When defining an Administrator Id in RAR, error message "Enter a valid e-mail address" occurs. Thiaddress has an apostrophe in it.

l On GRC 5.3 => RAR => Informer => Comparisons. When the mouse pointer is moved over the dates on thComparison graph, a 'pop-up' title appears that says 'testcat'.

l The Authorization Count for Users report cannot be displayed or downloaded if it has more than 10,

l In periodic job scheduling the next run date is picked as per the last run date for the previous mof end of month scenario where job date is adjusted as per last day of the month e.g. 31st JanuaryFebruary -> and -> then it becomes 28th March and likewise for other months)

l When running Audit Reports - Action rules by Business Process, error message ""com.sap.sql.log.Opeassign a java.lang.String object of length 5 to host variable 7 which has JDBC type VARCHAR(4)." alogged in under a non-English language.

l GRC AC RAR Management View reports are split by business process, with only 2 characters, even thoprocess ID's are 4 characters.

l SAP* user ID is still showing in batch risk analysis and management reports even though the ID is

l In a Critical Permission level function, the description of Object Group is getting changed after

l When you download the ad hoc report from RAR, the selection criteria of the report is not download

l When trying to add or change a Monitor for a specific mitigation, the available monitors are not l

they are random.

l When searching for a mitigation using the mitigation ID, multiple lines are shown in results for tevery monitor that mitigation has, a line will be shown on the results page.

l When defining an organizational rule, logic conditions are automatically changed from AND to OR whthere is one line item in the rule that has an OR logic applied.

l When trying to delete a mitigated role from the mitigated role table, error"com.virsa.cc.rulearchitect.dao.DAOException: Cannot assign a java.lang.String object of length 6which has JDBC type VARCHAR(50)"

l The logic in User sync for Oracle ERP systems has been modified to improve performance.

l The logic in User sync for SAP ERP systems has been modified to improve performance. Previously,negatively impacted user sync performance.

l Login after SP10 takes significantly more time than on SP09.

l Performance improvements have been made for batch risk analysis.

l The issue occurs when background Batch Risk Analysis job is scheduled from the Configuration Tab oRemediation application. The issue occurs in case the background job errors out due to any connectreason and is manually Stopped/Terminated from the Search Background Job Result page. This issue iquestion goes to status Stopping for quite some time before finally coming to aborted state, thisBackground Jobs Result page.

l The mitigation control description in search mode does not display the long description. With thionly version of the screen is delivered. With this new capability a user can navigate to mitigatiosearch and search for a new control. In the returned list, a hyperlink would be available that woudetails of the control, but in read-only mode.

l The Help Link is now changed to directly link to the Access Control help pages. Previously, it washelp link and users had to drill down to find the Access Control specific information

l NEW FEATURE - A new configuration parameter is now available to allow customers to enable/disablethe Access Control capabilities.

l If you schedule a user sync job and attempt to click the back button on the schedule screen, a dum

l The last column of table GRC_DM_CC_SOD_PRM (COMPOSITEROLE) is not populated after running of the D

l When selecting months in transaction, /VIRSA/ZVRAT_S02, results are inconsistent.

l Users locked with lock code 32 (locked globally by administrator) are not excluded from analysis eusers" is set to YES. This support pack is adding this lock code in to the exclusion code.

l When creating a role in PFCG and changing from Menu to Authorizations, Risk Terminator tries to doand an error dialog with "Risk Analysis failed" pops up.

l After implementing VIRSANH SP 10, the customer tried to run the transaction report /VIRSA/ZVRAT_Serror on running it. The error is: "Field "DPS_SWNCGLDIR" is unknown. It is neither in one of thedefined by a "DATA" statement".

l In Risk Terminator, when changes are discarded, error message "Error in the ABAP Application Progrprogram "/VIRSA/SAPLPFCG" had to be terminated because it has come across a statement that unfortuexecuted. Function module "PRGN_RFC_CHANGE_TRANSACTIONS" was called with the parameter "NO_CHECK_Ois not defined."

l After implementing SP10, the alert job no longer executes and alerts are no longer sent out.

l Risk analysis results in the ABAP system are not correct if rules are maintained in the back-end Aset as a function-level risk, and one of the functions only has transactions (no permissions).

l Data mart tables SOD_PRM and SOD_ACT are not populating the composite role and the permission obje

l When aborting a data mart job, the status changes to stopping but it takes a long time to fully abo

l Validation checks have been instituted to ensure all permissions that are activated have a value ifield. If a customer has permissions activated that contain blank values, an error message will brisk analysis that says "Cannot assign a blank-padded string to host variable 1.RC:1". The solutideactivate these permissions with blank values, or put the appropriate value in the "from value" f

The following issues have been resolved in Support Package 12 Patch 1:

l Generating RAR Rules in DB2 Database environment is failing for large data.

l While executing Risk Analysis in Risk Terminator intermittently failing with an error "Bean VIRSA/found".

The following issues have been resolved in Support Package 13: 

l Running the profile sync as part of the synchronization background job showed different number ofdifferent days, even though the actual number of profiles in the system did not change. The issuebased on profile description, now it's been changed to be based on profile ID.

l User is showing as having a risk that they really do not have. This is specific to cross system rincorrectly pulling permissions from both systems to see if the user satisfied the rule instead ofthe required permission on each system based on the function permission definition for each system

l In previous support packs, Development made a change where every time a function is opened, a vfields to see if the fields have both AND/OR operators. If they do have both AND/OR operators fochanged to OR. This is for both enabled and disabled field values. The issue corrected herechange was recorded in the function change log, even though the user didn't themselves make any chRAR system itself). The resolution for this is that the Rule Upload functionality has been chfrom loading a function permission that has both AND OR logic.

l If a role has only permissions and no transactions, risk analysis shows correct results, but warni"Warning ROLE_NAME does not exist or has no Authorization." shows with this support pack, thisdeleted.

l If a new authorization object is added to a transaction in SU24 in ABAP and the files are re-uploaUpload Objects, the new object is not brought in to the correct tables and is not populated in thetransaction code is added.

l In Risk Terminator when saving in SU01, risks are not showing. User does have actual risks which

l The mitigated objects (users, roles, profiles) are not sorted in any particular manner. With SP13,firstly based on Mitigated object then Mitigation controls and finally Risk.

l When we run 'Action usage by User' report in background without giving the Non-Mandatory fields vaConflicts'. When running the report in foreground, it does give accurate results. 

l When running Profile Sync, it runs successfully but no profiles are actually loaded. The log showbut the RAR tables are not updated.

l If a 4 digit risk has both org rule relevant and non-org rule relevant risks, the mitigations are

correctly in RAR. Basically the mitigations for the non-org rule relevant risks don't get populatwhich causes them to continue to show, even though they've been mitigated. With this support pattached at org level and user level now so the mitigations show everywhere.

l Management report text when displayed in French is not translated correctly when compared to the E

l Some labels on the dashboard are missing the required accents in French language.

l Mitigation Control is not shown in User Level risk analysis if the user's profile is being mitigatRole/Profile Mitigating Controls in User Analysis" is set to 'YES'.

l When using RAR->Rule Architect->Function Mass maintenance-> , Mass Maintenance-> select All appearDeselect All button was not working.

l Trying to add or remove a role from Mitigated Role table results in an error "cannot get data extr

l While doing user simulation with report type as Critical role/ profile, incorrect results are showonly is set to be NO. Risks are showing that should not show (false positives). 

l Risks that contain functions that only have permissions defined are not reported correctly when ruanalysis. In SP13 this issue has been fixed. If a function only has permissions defined, the risksfunction not reported when running action level analysis.

l The issue occurs when a periodic weekly background Batch Risk Analysis job is scheduled from the CRisk Analysis and Remediation application. The issue occurs in case the background job errors outissues or any other reason and is manually restarted from the Search Background Job Status Resultstatus of the Object Ids from Error to Ready status. This manually restarts the job, but Current wweek's jobs that were supposed to be run originally get skipped with status of job as Ready. Thisthe Search Background Jobs Result page. With this support pack, this has been resolved so the jobscheduled time.

l If a Business Unit has an underscore in it (_), you are unable to maintain the business units corrunderscore is seen as a wildcard in SQL.

l The Invalid Mitigating Controls Report was showing incorrect user name for some of the Users appeaUser name of one User was repeated for a number of Users following it below. This happened becauseconsidering the subsequent Users to belong to the same system and hence, it did not find any data

l The text under Configuration option "ignore critical roles & profiles" has been modified to fullyconfiguration does New text is: "This option specifies whether Roles and Profiles maintained inand the Critical Profiles table are ignored when running a Risk Analysis. The default value is No.Profiles will be ignored when running the analysis if this value is Yes."

l If a role is set up as a critical role/profile and the configuration option "ignore critical roleyes, warning message "Either role doesn't exist and no authorization has given to this role" is di

l When running a batch risk analysis, it would run for all rulesets in the system, not just the rulejob is scheduled. With this support pack, only the ruleset configured when setting up the job wil

l When adding roles via SU10, risk terminator does not identify critical risks/roles and allows assi

l When running the Audit Report for Mitigation, the field called "description" has been changed to "this data is the short description.

l The incorrect mitigation control is sometimes showing against a user's risk when running user leve

l In RAR During Batch Risk Analysis, the log may show "Duplicate Key Exception".

l In RAR with multi cluster nodes, the job was not showing as completed even though it was. This isserver nodes exit the job at the same time and think the other server node is still running. Withlast server node will mark the job as complete.

l The timestamp was not being considered when RAR calculated the next scheduled periodic job date.

l If a periodically scheduled job is aborted, the next scheduled run time of that job will fail.

l As of SP12, the full user sync job was not updating RAR tables correctly. With SP13, this has bee

l The "Default expiration time for mitigating controls (in days)" configured under Configuration - Minot flow through correctly to the Risk Mitigation screen when doing mitigation after running risk

l Org rule risk analysis is not reporting correctly. Risks that should be displayed are not. 

l If an org level risk is mitigated at the 7 digits level with an * (SO12001*), the mitigation is noanalysis.

l Mitigations are not showing correctly for critical action/permission type risks.

l In the management Reports whenever user is opening the Excel sheet directly from the download optiworksheet name is coming in the incorrect format. This is a limitation in the Excel format, please r

l Business Process Search for Rule in Audit reports is not inclusive for ranges. In Audit Reports--business process by giving the value A* to C* then it excludes the business processes starting fromhas been fixed, Business Process search is inclusive for ranges.

l Under exclusion object functionality it was not possible to exclude all the objects that end with pa*AAA. Instead, all objects are excluded as it sees the * as the only wildcard and ignores the
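
The Business Unit underscore item and the *AAA exclusion item above both come down to how a user-entered search term is turned into a SQL pattern. The following is an added example, not SAP's code: SQLite stands in for the RAR database, and the table, column and function names are hypothetical. It shows the defective translation beside one that escapes LIKE metacharacters and binds the value as a parameter.

```python
import sqlite3

LIKE_ESCAPE = "\\"  # escape character declared in the ESCAPE clause below

# Constructed sample data: hypothetical business unit / object IDs.
SAMPLE_IDS = [
    "BU_01", "BUX01", "BU101", "BU_02",
    "O'NEIL_EU", "SALESAAA", "OPSAAA1", "AAA",
]


def make_demo_db():
    """Build an in-memory table holding the constructed sample IDs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE business_unit (unit_id TEXT PRIMARY KEY)")
    conn.executemany(
        "INSERT INTO business_unit (unit_id) VALUES (?)",
        [(i,) for i in SAMPLE_IDS],
    )
    return conn


def to_like_pattern(term):
    """Translate a '*'-wildcard search term into a LIKE pattern.

    Only '*' becomes a wildcard ('%'). The characters '%', '_' and the
    escape character itself are escaped so that they match literally.
    """
    out = []
    for ch in term:
        if ch == "*":
            out.append("%")
        elif ch in ("%", "_", LIKE_ESCAPE):
            out.append(LIKE_ESCAPE + ch)
        else:
            out.append(ch)
    return "".join(out)


def naive_search(conn, term):
    """Defective form: '_' reaches LIKE unescaped and matches any character."""
    pattern = term.replace("*", "%")
    rows = conn.execute(
        "SELECT unit_id FROM business_unit WHERE unit_id LIKE ? ORDER BY unit_id",
        (pattern,),
    )
    return [r[0] for r in rows]


def escaped_search(conn, term):
    """Corrected form: metacharacters escaped, value bound as a parameter.

    Binding also keeps an apostrophe in the ID from ending the SQL string
    literal, which is what happens when the value is concatenated into
    the statement text.
    """
    rows = conn.execute(
        "SELECT unit_id FROM business_unit "
        "WHERE unit_id LIKE ? ESCAPE '\\' ORDER BY unit_id",
        (to_like_pattern(term),),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print("naive   BU_01 ->", naive_search(db, "BU_01"))
    print("escaped BU_01 ->", escaped_search(db, "BU_01"))
    print("escaped *AAA  ->", escaped_search(db, "*AAA"))
    print("escaped O'NEIL_EU ->", escaped_search(db, "O'NEIL_EU"))
```
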

The following issues have been resolved in Support Package 13 Patch 1: 

l Objects which were inactive in ERM application were considered for Risk Analysis.

l Performance impact when Org Rule Analysis is performed in CUP.

l RAR Risk Analysis webservice timing out in SP13.

The following issues have been resolved in Support Package 13 Patch 2: 

l When a new permission/field combination is added to a function and that has never been used beforenot generating the permission rules in Support Pack 13.

The following issues have been resolved in Support Package 13 Patch 3: 

l Risk analysis from CUP is failing when there are cross-systems configured in RAR.

l Org level Risks analysis is taking longer time to execute and timing out for some of the users forviolations. This is showing a web service exception sometimes in CUP.

The following issues have been resolved in Support Package 14: 

l Error "500 Internal Server Error" occurs intermittently when executing any of the reports under Inand Informer - Security Reports.

l The detail level report is not showing all permission field values that make up the rule that is bspecifically occurs if the function permission definition in the rules is set up with AND logic anspecific permission from DIFFERENT roles/profiles.

l Portal risk analysis is not reporting correct results, specifically users that have the risks areis caused if logical systems are used to load actions and permissions for Portal systems. The riswork if the actions and permissions were loaded directly to the Physical Portal system. With this

systems can now be used for loading Portal actions and permissions.

l When assigning a mitigating control in RAR in Spanish, the email sent to the Control Monitor conta#STATUSCHANGED#_1# instead of inserting the actual parameter value. With this support pack, the eto properly show the value and not the parameter name of #STATUSCHANGED#_1#.

l When signed in under non-English language, the Risk Level in the Management Reports is showing asof showing the proper text. For example, instead of showing "Mittel" (Medium) when logged in underisk level shows as 0.

l Previously, when a user would enter a role name for analysis that does not exist, the message that"No violations found". This was confusing because when you entered a user ID that did not exist,match nor conflict found". With this support pack, the User and Role messages now match. So a usthat does not exist, the message will be "no match nor conflict found." If a user or role ID is ebut does not have any conflicts, the message will be "no violations found.

l Assigning the UME action 'ViewBGJobsForAllUsers' actually gave users the ability to delete jobsothers. With this support pack, this ume action has now been limited to only view the jobs and usaction can no longer delete jobs.

l When analyzing legacy data uploaded via Data Extraction, an error "SQL syntax error: the token waoccurs. This SQL error also occurs when running the Comparison Utility for the Data Extraction.ID containing an apostrophe (').

l When running the Invalid Mitigation report in Informer -  Risk Analysis - User level, the user's ncorrectly. In addition, the system filter entered when running the report is not honored, meaningare showing in the report.

l Users that have non-org level relevant critical action risks are not reporting correctly when runnreports. Specifically, users who should show as having a specific critical action risk are not shrule report is run. Prior to this support pack, only critical action risks that had org fields ecritical action org rule reports were run. With this support pack, all critical action risks arewhen running the org rule report.

l Full batch risk analysis fails for some users and error "SEVERE: null java.lang.NullPointerExcepti

l When trying to modify a risk, customer receives a message stating "Workflow Request Exists Alreadythe risk. This occurs when the Workflow Maintenance is set to YES, and the risk was previously chaCUP request. If that request is deleted from CUP (and not approved), the risk is still locked inchanges to occur.

l The email notification being received by the mitigation monitors is showing with the same sender a(TO/FROM). With this support pack, the "from" field will be the UME person who is logged onto tchanged the mitigation. There is a Visual Admin setting that must be set to allow this to work. Sgo to Visual Admin->Java Mail Client->mymail.from -> and enter the proper value here under Smtp a

l When creating a new risk, error "risk id xx already has the same function combinations" occurs, erisk with the function combinations. This occurs when the functions contain only numeric ID's (fo

l When importing rules via Rule Architect - Utilities - Rule Import, the formatting of the risk descformatting done in the exporting system. For example, if the risk description has carriage returnare removed when the rules are imported.

l When running full or incremental batch risk analysis for users, a large number of calls to table Aback-end ABAP system which causes performance concerns. This support pack changes the code so thaare only read once versus repeatedly.

l After upgraded to SP13, the back ground job scheduler status text in the header appears as "not rjobs still run and complete. This support pack fixes this so the header reports the correct job s

l The email notification sent out for critical action alerts does not include the name of the user waction.

l The report under Informer - Management View - Comparisons has the x axis (date) sorted alphabeticasorted by date.

l In RAR mitigation>Business Units>Search, if the last row is selected and the delete button is presBusiness Units, not just the highlighted row.

l After a J2EE restart, two "Starts all SAP Adapters on server startup# jobs are spawned. One complejob takes forever to complete and stays in Ready state. In addition, error "SEVERE: nodeElement(.BatchRiskAnalysisSelection.UserAnalysisInput.UserAnalysisSystems): unknown attribute Sign" occur

l While trying to generate the rules via Configuration - Rule Upload - Generate Rules, a "500 Internoccurs. This happens if no risks exist. 

l If a user signs in under a non-supported language, the data descriptions and text do not show up uthe default language. Instead the descriptions and texts show as blanks. With this support pack,a non-supported language (or a language for which there is no text), the application will show theapplication's default language.

l Risk analysis is not correctly reporting users that do have a risk (false negatives). This occursobject in the rules is enabled with TWO fields and Search Type of AND, and the rules were createdfunctionality. 5.3 Support Pack 7 resolved this issue originally but only resolved it for when fumanually using Rule Architect. This support pack applies the same correction for when rules are lConfiguration.

l Unable to save "offline analysis" option as YES when saving a variant. The option reverts to NO an

as NO.

l Rule set description shows #null# value while searching for action rules. This occurs if the userlanguage other than English.

l Searching for a user using the user name in RAR is case sensitive. The search must be done usingthe user name is recorded in the database. With this support pack, searching by user name is now

l When searching Critical Action Rules, the following error message is thrown: "Invalid operation:

l In RAR 5.3 ABAP back-end, the Upload icon is missing from the Rule Architect Wizard.

The following issues have been resolved in Support Package 15: 

l RAR-Locked and Expired users in reports-BatchRiskAnnalyisLocked and Expired users are considered idisplayed in reports. Now, expired and locked users are not considered.

¡ Same has been fixed.

l Variants and Offline Analyses Default Values in SP14-Previously, whenever we would run a risk analAnalysis" value would automatically default to "No".We recently applied SP14 patch1 to our RAR SA2that the "Offline Analysis" value would always default to "Yes" and have to be manually updated evanalysis.

¡ Same has been fixed.

l Mitigating control assignment error-In RAR we run a risk analysis on user level, select the risk,control and get an error message-Could notsend the message; enter a valid SAP sender address.

¡ Same has been fixed.

l User Type selection criteria is not working properly-Issue is with User Analysis reports. In thisAnalysis->User Analysis reports), if we select the user type as "Dialog" and run the report, the rof all the users,irrespective of the user type selected in the report.

¡ Same has been fixed.

l With reference of ( 286306 / 2010 )Red Issuue-The customer is getting only one of the roles from wauthorizations are coming while doing Simulation in CUP. Although one role is insufficient in itsconflicts but still CUP and RAR report only one Role when doing analysis. Both the roles should beof the conflicting authorizations is coming from Role 1 and part by Role 2.

¡ Same has been fixed.

l Monitors associated with BussUnit-Monitors under Business Units are not sorted in Alphabetical ord

¡ Same has been fixed.

l Risk analysis SAP* ErrorSAP* user is locked in backend but it is still shown to have risks

¡ Same has been fixed.

l Report type - Invalid Mitigation Control-if we try to run a invalid mitigating control report andthen if the user's language is not english it results into an exception.

¡ Same has been fixed.

l E- Mail Workflows CUP-Email notification for mitigation control in Spanish appears with the text:S

¡ Same has been fixed.

l RAR 5.3 SP13.2 Language problems-In RAR, in the report RAR ->Informer -> Audit reports -> Mitigatidescription is not shown in Norwegian language. The report does not show any Short Description, ancolumn it showsthe text "null" together with the business process name (for exampleINI: null).

¡ Same has been fixed.

l RAR : Object description does not bring in resultsCustomer tried to search the HR object ID, but tsearch from the description. When leaving the search blank it will return all results.

¡ Same has been fixed.

l Error on detail report for risk - HZ20.RAR informer risk analysis for critical permission summaryresult while detail view is correct.This is the permission only function risk.The object is disablsummary report still shows risk.

¡ Same has been fixed.

l SP14 Default value Offline analysis default is YES.In RAR under Risk Analysis the value for Offlinto YES. In previous SP's this was always NO. There is no config setting available under Default Vato NO.

¡ Same has been fixed.

l Mass Function Mantenance causes NullPointerException Function created in Russian Language and modiusing Function Mass Maintenance giving 500 Internal Server Error.

¡ Same has been fixed.

l Exclude objects - Role After excluding objects like *R and then doing the full sync for role, thensystem gets excluded.

¡ Same has been fixed.

l Some Audit Reports don't show any data in RAR (CC)'Action Rules by Action' & 'Action Rules by Busireports are not working.

¡ Same has been fixed.

l Ad hoc risk analysis defaults to Offline-Ad hoc risk analysis defaults to be an offline analysis o

¡ Same has been fixed.

l RAR 5.3 SP13:Oracle constraint error when executing alert GRC Production server, after executing gRAR, GAVE: ORA-00001: unique constraint (SAPSR3DB.SYS_C007256) violated com.sap.sql.DuplicateKeyExunique constraint (SAPSR3DB.SYS_C007256) violated displayed.

¡ Same has been fixed

l Cross system risk is not displayed for physical systems.With SP15 cross system risk will be displasystem as well as physical systems.

¡ Same has been fixed.

l RAR 5.3 SP13: Oracle constraint error when executing alert

¡ Same has been fixed.

l Rule Architect->Cannot display Risks and Business Processe

¡ Same has been fixed.

l Problem with alert generation jobs

¡ Same has been fixed

The following issues have been resolved in Support Package 15 Patch 1: 

l Portal connector for RAR from GRC fails. The Portal Connector is now working successfully.

l Portal Web Service Connector - CCPSService not found. With this Patch webservice and Portal connecand connection is successful.

l UME risk analysis returns inconsistent results. With this Patch Portal/UME risk analysis is workinconsistent results.

l MDN performance org rule analysis. With this Patch, the performance of org rule analysis is improved.

The following issues have been resolved in Support Package 15 Patch 2: 

l Outer join not allowed in alert generation.While running alert generation for MAX DB log is displaallowed message.With this Patch the issue has been fixed.

The following issues have been resolved in Support Package 15 Patch3: 

l Correct Risk was not getting reported in AC and PC for the same user.With this patch now correct rreported for the user in AC as well in PC.

l User Analysis Management Report was displaying Incorrect Count in a scenario where user is mitigatpatch this issue has been fixed.

The following issues have been resolved in Support Package 15 Patch4: 

l Ad hoc org rule report gives SQL Syntax error.With this patch a new feature "Org Rule analysis peuser" has been introduced in Performance tunning link at configuration settings of ARA.Now to run* users the value for this option should be set to "NO".This feature has been introduced by keepin

consideration.

The following issues have been resolved in Support Package 16 : 

l While doing User level risk analysis with a report type of "Critical Role/Profile", running the resystem field returns no results, which is incorrect. The report was only returning results when aselected. With this support pack, running this report with "ALL" in the system field will returnconnected systems.

l While exporting the results of the report 'List of actions in roles that are not part of the rulesare exported to Excel. The export Excel file only contains 2 sheets and up to 65,537 lines, regardof lines shown in the online report.

l Logging into RAR with Japanese language and downloading any report doesn't brings any zip file namreports downloaded in Japanese language contains the name of the report.

l Searching for background jobs by using user name with a wildcard (example NLY*), does not bring ansupport pack, searching for jobs using a user ID with a wildcard will now bring results.

l When running a select statement using the CCDebugger screen results in error message "Outer joincontext" occurring. This only occurs in Max DB databases. With this support pack, the select staDB like they do in SQL Server.

l In downloaded reports, the selection criteria header data is incorrect. Specifically, in the selecProcess", it shows the risk level (low, medium, high), instead of the business process selected whrun. With this support pack, the business process that the report was executed for will show in theader data when downloaded.

l Logging into RAR with a long name in upper case, results in the header being displayed incorrectlyunderneath the header where the user's name is displayed. With this support pack, the header datacorrectly with no scroll bar.

l NEW FUNCTIONALITY - 5.3 RAR application is now compatible with Basis 7.3 release. The installatiothe SAP Service Marketplace.

The following issues have been resolved in Support Package 16 Patch1: 

l Running SOD violations report in SPM just keep running and hangs .With this support patch the SODtaking less time in displaying the report and the job status is getting completed.;

The following issues have been resolved in Support Package 16 Patch2: 

l Earlier the mitigation monitor search field was accepting only 10 characters , with this patch thewill accept full 12 characters.

l The multilanguage mitigation description was not populating, with this patch while searching for mlanguage other than english the mitigation short description will be populated.

l User name search was working Sporadically for users, with this patch the user id is searched corre

l Role mitigation was not applied to user when role is mitigated and include role/profile mitigationfrom configuration settings.With this patch same has been fixed and now role/profile mitigation wi

if its set to "YES" from configuration.

l Ad hoc org rule report gives SQL Syntax error.With this patch org rule analysis is running smoothlerrors are displayed.

l Alert generation was not working as per the selection criteria.With this patch the selection critespecified while running the alert generation job.

l The months on the management report graphs were not sorted correctly and randomly displayed, withfixed and now months are populated correctly in order.

l Permission count for a risk was different in CUP and RAR, with this Patch the reported issues has

The following issues have been resolved in Support Package 16 Patch3: 

l Ad hoc org rule report gives SQL Syntax error.With this patch a new feature "Org Rule analysis peuser" has been introduced in Performance tunning link at configuration settings of ARA.Now to run* users the value for this option should be set to "NO".This feature has been introduced by keepinconsideration.

l After running cross risk analysis, conflicts previously detected for single physical system (whichsystem) are removed from VIRSA_CC_PRMVL.The reported issue is fixed in this patch.Now after runninsystem, conflicts in virsa_cc_prmvl will be updated for single system as well as for cross system.

l If a user is assigned Spanish language in the UME and while running Ad-hoc risk analysis in RAR, irisk by clicking on the risk description from the violation results and then click on Mitigate RisControl screen does not appear.With this patch now after mitigating the risk from the violation recontrol screen appears.The fix has been provided for User,Role and Profile.

l Permission count for a risk was different in CUP and RAR, with this Patch the reported issues has

The following issues have been resolved in Support Package 16 Patch4: 

l If a user is assigned Spanish/Italian language in the UME and while running Ad-hoc risk analysis ithe risk by clicking on the risk description from the violation results and then click on MitigateControl screen does not appear.With this patch now after mitigating the risk from the violation recontrol screen appears.The fix has been provided for User,Role and Profile.

The following issues have been resolved in Support Package 16 Patch4: 

l While integrating AC-PC by a webservice for critical action report type 3 . "New webservice has"SAP_GRC_CriticalViolatedUser" ".

l Existing Risk analysis webservice SAPGRC_CCRiskAnalysis_V01 works for offline analysis = "true" fo

The following issues have been resolved in Support Package 17: 

l While doing User level risk analysis with a report type of "Critical Role/Profile", running the resystem field returns no results, which is incorrect. The report was only returning results when aselected. With this support pack, running this report with "ALL" in the system field will returnconnected systems.

l Alert generation was not working as per the selection criteria.With this Support Pack the selectiospecified while running the alert generation job.

l Earlier the mitigation monitor search field was accepting only 10 characters , with this Support Pfield will accept full 12 characters.

l The multilanguage mitigation description was not populating, with this Support Pack while searchinin any language other than english the mitigation short description will be populated.

l User name search was not working according to given search criteria for users, with this Supportsearched correctly for all users.

l Role mitigation was not applied to user when role is mitigated and include role/profile mitigation

from configuration settings.With this Support Pack same has been fixed and now role/profile mitigathe user if its set to "YES" from configuration.

l When assigning roles to a user in SU01, the risk terminator is triggered and the risks are correctthe Detail View for TCODE Level Analysis, the Role/Profile Description is not correctly displayed.this issue has been fixed and now the description for Role/Profile with colon(:) is correctly disp

l Unable to load the permissions file for LEGACY system under Upload Objects. The actions file withthis Support Pack permission object file can be uploaded successfully for LEGACY systems.

l The months on the management report graphs were not sorted correctly and randomly displayed, withfixed and now months are populated correctly in order.

l Permission count for a risk was different in CUP and RAR, with this Support Pack the reported issu

l User Analysis Management Report was displaying Incorrect Count in a scenario where user is mitigat

Support pack this issue has been fixed.

l Correct Risk was not getting reported in AC and PC for the same user.With this Support pack now cogetting reported for the user in AC as well in PC.

The following issues have been resolved in Support Package 17 Patch 1: 

l When executing the executive summary reports in RAR Dev (Sp17) some strange results were displayedcases, risk levels are appearing in the violation #count#columns, instead of the actual violationthe reported issue is fixed,now number of conflicts and number of mitigated conflicts are displaye

The following issues have been resolved in Support Package 17 Patch 2: 

l User ,Role and Profile Sync not working for Connectors with ()braces.The reported issue has been rNow the sync job is working fine for connectors with braces().

l Mitigation Object update notification wrongly translated ,the reported issue has been fixed with ttranslation file has been given to the customer for Portuguese language.

l When performing a RAR org rule analysis for multiple org rules the RAR report does not show for whis relevant. With this Patch RAR is showing org rule and the org rule description for a rule having$SPART, $VTWEG authorization objects which was not displayed correctly earlier.

The following issues have been resolved in Support Package 17 Patch 3: 

l Risk Mitigation was not working from Risk Resolution screen for Portuguese language.

l Include Role Profile mitigation configuration option was returning incorrect results during Risk Acontrols were mapped to non-mitigated roles in risk analysis results.

The following issues have been resolved in Support Package 18: 

l Ad hoc org rule report gives SQL Syntax error.With this SP a new feature "Org Rule analysis perfohas been introduced in Performance tunning link at configuration settings of ARA.Now to run the orusers the value for this option should be set to "NO".This feature has been introduced by keeping

consideration.

l RAR Informer Management View shows violations that should not be counted for exclude and locked ushas been resolved in SP18.Now if exclude expired/locked users is set to 'YES'from configuration seusers will not be considered while running the management report.

l Intermittently mixed language Japanese/English is displayed in risk description field while perforthis Support Pack the reported issue has been fixed , now the risk description maintained in any oenglish will be displayed only after logging into using that particular language.

l Correct build Id has been updated for VIRACLP and VIREPRTA.

The following issues have been resolved in Support Package 18 Patch 2: 

l When performing a RAR org rule analysis for multiple org rules the RAR report does not show for whis relevant. With this Patch RAR is showing org rule and the org rule description for a rule having$SPART, $VTWEG authorization objects which was not displayed correctly earlier.

The following issues have been resolved in Support Package 18 Patch 3: 

l While doing Org rule analysis $BUKRS value was not replacing with org rule text value.Same as fixe

l Now Org rules are matching while doing orgrule user analysis.

The following issues have been resolved in Support Package 18 Patch 6: 

l All the entries of locked & expired user will be deleted from VIRSA_CC_PRMVL table after user sync

 The following issues have been resolved in Support Package 18 Patch 7: 

l GRC RAR Informer Management View Errors resolved.

The following issues have been resolved in Support Package 18 Patch 8: 

l GRC RAR Connectivity Issues with portal has been resolved.

The following issues have been resolved in Support Package 19: 

l While integrating AC-PC by a webservice for critical action report type 3 . "New webservice has"SAP_GRC_CriticalViolatedUser" ".

l Existing Risk analysis webservice SAPGRC_CCRiskAnalysis_V01 works for offline analysis = "true" fo

The following issues have been resolved in Support Package 19 Patch 4: 

l While running Alert Generation job sometimes take too long time due to so many action/permission r

 The following issues have been resolved in Support Package 19 Patch 10: 

l Risk analysis webservice time out issue is resolved.

The following issues have been resolved in Support Package 19 Patch 11: 

l The error while user sync "WARNING: The SQL statement "DELETE FROM "VIRSA_CC_CGROUP" WHERE"GENOBJI'ORA11IDEV' AND "GENOBJTP" = 1" has been resolved.

The following issues have been resolved in Support Package 20: 

Note: Prerequisite NW Version : Please refer to Note 1590008 for information regarding minimum NW Version(colibraries) required for AC53 SP20 or refer the following link :https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1590008

l Potential modif./disclosure of persisted data : An attacker can exploit GRC AC 5.3 and use speci

modify database commands. This results in either the retrieval of additional information, or thepersisted by the system. ( Refer Security Note : 1763798 )

l Directory traversal : GRC AC 5.3 contains a vulnerability through which an attacker can potentialto the remote server, possibly corrupting data or altering system behavior.( Refer Security Note :

l Unauthorized modification of displayed content : GRC AC 5.3 can be abused by an attacker, allowingapplication content without authorization, and to potentially obtain authentication information frusers. ( Refer Security Note : 1763695 )

l Unauthorized modification of stored content : GRC AC 5.3 can be abused by an attacker, allowingapplication content, persist the modified content without authorization, and to potentially obtaininformation from other legitimate users.( Refer Security Note : 1763218)

l Hard-coded credentials : GRC AC5.3 contains code that changes the program's behavior when a userauthenticated with a certain user name. Hard-coded user name and password/credentials: An attacketo GRC AC 5.3, without having their own legitimate credentials, or they may escalate privileges.1763796 )

l Cross-Site-Scripting (XSS) : The GRC application JSP pages can be abused by an attacker, allowingapplication content without authorization, and to potentially obtain authentication information frusers.( Refer Security Note : 1763797 )

The following issues have been resolved in Support Package 20:Patch 1 

l Batch Risk Analysis not working: Earlier jobs were showing only in running state, but scheduler wafor processing.

The following issues have been resolved in Support Package 20:Patch 2 

l Missing IN/OUT Parameter Exception in Batch risk Analysis: Batch Risk Analysis was running for somfailing with the exception missing in/out parameters.

l on in Role but not in rules - This functionality was not working throwing error message when you tAudit Report -Action in Roles but not in rules is working fine

l Permission in Role but not in rules functionality was throwing error User was not able to execute t

 The following issues have been resolved in Support Package 20:Patch 3 

l GRC Java System stop responding after restart sometimes the jdbc connector usage goes to peak or owhich system stop responding. We have changed the code to fix this issue and now its working fine.

 The following issues have been resolved in Support Package 20:Patch 5 

l User Risk Analysis is taking too much time, for a single use risk analysis it is taking much time,

The following issues have been resolved in Support Package 20:Patch 7 

l Risk terminator Dump error "while trying to get the length of an array loaded from local variable

resolved.

Support Package 21: 

VIRCC Packaged along with other AC5.3 components for AC5.3 SP21, it Contains no specific fixes for anydelivery.

Validity

Support Packages & Patches

Software Component   From Rel.   To Rel.   And Subsequent
VIRCC                530.700     530.700
VIRSANH              530_46C     530_46C
                     530_620     530_620
                     530_640     530_640
                     530_700     530_700
                     530_710     530_710
                     530_731     530_731

Support Packages

Software Component   Release   Support Package
VIRSANH              530_46C   SAPK-53006INVIRSANH
                     530_620   SAPK-53106INVIRSANH
                     530_640   SAPK-53206INVIRSANH
                     530_700   SAPK-53306INVIRSANH
                     530_710   SAPK-53401INVIRSANH
                     530_731   530_731

Support Package Patches

Software Component   Support Package   Patch Level
VIRCC 530_700        SP014             000001
                     SP015             000004
                     SP016             000006
                     SP017             000012
                     SP018             000011
                     SP019             000015
                     SP020             000009
                     SP021             000003
                     SP022             000000

References

This document refers to:

SAP Notes

1611006 Risks are not showing in SoD report that should

1609073 'Result set is closed. ERRORCODE=-4470, SQLSTATE=null'

1604722 Risk Analysis and Remediation Rule Update Q3 2011

1603380 Change History of Mitigating Control in Access Risk Analysis

1603375 Role Level Simulation shows different results in ARA 5.3

1599445 VIRSA/RT_JAVA_RISK_ANALYSIS

1590008 JAVA output encoding

1589049 Workaround for JCO connection type

1562774 Risk analysis failed EXCEPTION_FROM_THE_SERVICE

1544480 Error in Risk Analysis; Violations exceeds the threshold

1543380 Background Jobs deletion authorizations in RAR after SP14

1514175 Alert Job in RAR is not completing even after server restart

1514112 Workaround to get error objects in BRA to complete again

1508611 RAR Risk Analysis Web Service Performance work around.

1499222 Tables involved in the execution of Manage Deletion utility

1485219 Disabled Log-Off link in GRC Applications

1484232 Job Stuck in Stopping State in RAR

1472216 Upgrade GRC from 5.2 to 5.3 and J2EE version

1455885 Disable logoff button in Access Controls

1446680 Risk Analysis and Remediation Rule Update Q2 2010

1433940 Access Control compatibility on Netweaver Java server 7.0X

1420388 Connection Failed while testing or changing the connector in

1416728 Manage Deletion Functionality in RAR 5.3 Support Pack 10

1400606 Critical Roles and Profiles included in Risk Analysis

1369045 AC SP09 Data Mart Design Description

1356111 Deleted Roles still show in Risk Analysis and Remediation

1352498 Support Pack Numbering - GRC Access Control

1326497 Risk Analysis and Remediation Rule Update Q2 2009

1314799 Users Analyzed on Management Report are not accurate

1286030 Configuration of EP Connector in RAR and setting up EP Rules

1174625 Access Control 5.3 Java Support Pack Installation

1173980 Risk Analysis and Remediation Rule Update Q2 2008

1168875 GRC AC 5.3 SPXX Release information note

1131003 Data Extraction - Best Practices and Tips

1121447 Update to Processing Logic of Rules

1088378 RAR- Undeployment of ccappcomp from SDM fails

1083611 Compliance Calibrator Rule Update Q3 2007

1069037 Unable to export rules from CC 4.0 and import into RAR 5.X

1035070 Compliance Calibrator Rule Update Q1 2007

1034117 Management Reports run too long, not updating, or inaccurate

This document is referenced by:

SAP Notes (36)

1168875 GRC AC 5.3 SPXX Release information note

1034117 Management Reports run too long, not updating, or inaccurate

1035070 Compliance Calibrator Rule Update Q1 2007 

1314799 Users Analyzed on Management Report are not accurate 

1599445 VIRSA/RT_JAVA_RISK_ANALYSIS 

1286030 Configuration of EP Connector in RAR and setting up EP Rules 

1083611 Compliance Calibrator Rule Update Q3 2007 

1173980 Risk Analysis and Remediation Rule Update Q2 2008 

1352498 Support Pack Numbering - GRC Access Control 

1174625  Access Control 5.3 Java Support Pack Installation 

1485219 Disabled Log-Off link in GRC Applications 

1603375 Role Level Simulation shows different results in ARA 5.3 

1604722 Risk Analysis and Remediation Rule Update Q3 2011 

1356111 Deleted Roles still show in Risk Analysis and Remediation 

1369045  AC SP09 Data Mart Design Description 

1611006 Risks are not showing in SoD report that should 

1609073 'Result set is closed. ERRORCODE=-4470, SQLSTATE=null' 

1121447 Update to Processing Logic of Rules 

1416728 Manage Deletion Functionality in RAR 5.3 Support Pack 10 

1544480 Error in Risk Analysis; Violations exceeds the threshold

1446680 Risk Analysis and Remediation Rule Update Q2 2010

1131003 Data Extraction - Best Practices and Tips 

1455885 Disable logoff button in Access Controls 

1326497 Risk Analysis and Remediation Rule Update Q2 2009 

1069037 Unable to export rules from CC 4.0 and import into RAR 5.X 

1589049 Workaround for JCO connection type 

1590008 JAVA output encoding 

1472216 Upgrade GRC from 5.2 to 5.3 and J2EE version 

1508611 RAR Risk Analysis Web Service Performance work around. 

1514112 Workaround to get error objects in BRA to complete again 

1514175  Alert Job in RAR is not completing even after server restart 

1400606 Critical Roles and Profiles included in Risk Analysis 

1543380 Background Jobs deletion authorizations in RAR after SP14

1088378 RAR- Undeployment of ccappcomp from SDM fails

1433940  Access Control compatibility on Netweaver Java server 7.0X 

1562774 Risk analysis failed EXCEPTION_FROM_THE_SERVICE