Do you trust the SAP standard rule set?

Hello all,
I have the impression that, too often, the SAP standard ruleset has been taken for granted: upload, generate and use. Here is a post as to why not to do so. Hopefully, this will generate an interesting discussion.
As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The following two questions deal with this topic:
1. What is your SAP release? ---> 46C is different from ECC 6.0 in terms of the permissions to be included in the function's permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently, some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to be provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search of who can do what in SAP.
2. What are your customizing settings and master data settings? --> Depending on these answers, you will have to (de)activate certain permissions in your functions. E.g. are authorization groups for posting periods, business areas, material types, ... being used? If this is not required in the SAP system and is activated in the SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk of false negatives!
Do not forget that the SAP standard ruleset is only an import of the SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point.
So, the best practice is:
a. collect SAP-specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
b. reflect these answers per function, per connector, per action, per permission by correctly (de)activating the corresponding permissions for all affected functions
You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ... that is, in case you decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly into SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change, now or in the future, can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent!
Is this questionnaire really necessary? Can't I just activate all permissions in every function? Certainly not, because that would - and here is the main problem - filter too many users out of your audit results because the filter is too stringent. This practice would lead to false negatives, something that auditors do not like.
Can't I just update all my functions based on my particular SU24 settings? (By the way, if you don't know what SU24 settings are, then ask your role administrator. He/she should know.) Yes, if you think they are on target, you can, by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-uploading, and going into change mode for every function so that the new permissions are imported based on your SU24 settings. Also very cumbersome, and with the absolute condition that your SU24 settings are maintained excellently.
Why is that so important? Imagine F_BKPF_GSB, the auth object to check on auth groups on business areas within accounting documents. Most role administrators will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported into the role when - for example - FB01 has been added to the menu. But the role administrator inactivates the object in the role. Still no problem, because the user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 setting will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down to those users who have F_BKPF_GSB, which will lead to false negatives.
Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB? Now you see why. But they go too far at times, and are even incorrect. Example: go ahead and look deeper into function AP02. There, you will see that for FB01 two permissions have been activated: F_BKPF_BEK and F_BKPF_KOA. The very basic authorizations needed to be able to post an FI document are F_BKPF_BUK and F_BKPF_KOA. That's F_BKPF_BUK ... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional auth object (as is F_BKPF_GSB) to check on vendor account auth groups.
Again, the message is: be very critical when looking at the SAP standard rule set. So, test thoroughly. And if you're not sure, leave the job to a specialized firm.
Success !
Sam

Sam and everyone,
Sam brings up some good points on the delivered ruleset. Please keep in mind, however, that SAP has always stated that the delivered ruleset is a starting point. This is brought up in SAP Note 986996, Best Practice for SAP CC Rules and Risks. I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
I'll try to address each area that Sam brings up:
1.  Regarding the issue with differences of auth objects between versions, the SAP delivered ruleset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
2.  For the customizing settings, as per above, we strive to deliver rules that are base-level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  An example is ME21N.
If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the objects, M_BEST_BSA.  This is to prevent false negatives.
3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the SAP Notes below as well as the posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
1083611 Compliance Calibrator Rule Update Q3 2007
1061380 Compliance Calibrator Rule Update Q2 2006
1035070 Compliance Calibrator Rule Update Q1 2007
1173980 Risk Analysis and Remediation Rule Update Q2 2008
5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
6.  Finally, the document at the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
https://www.sdn.sap.com/irj/sdn/bpx-grc
Under Key Topics - Access Control; choose document below:
    o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
The access risk management guide helps you set up and implement risk    
identification and remediation with GRC Access Control.
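Added illustration, not part of either post above: a small Python model of how a GRC function's activated permissions filter users, next to what the backend really enforces. It reproduces Sam's F_BKPF_GSB false-negative case and the F_BKPF_BEK/F_BKPF_BUK mix-up in AP02, and the reply's point that a lowest-common-denominator rule errs toward false positives instead. The users, their authorizations, and the "what FB01 actually checks" rule (S_TCODE plus F_BKPF_BUK and F_BKPF_KOA, plus F_BKPF_GSB only when business-area authorization groups are in use) are constructed assumptions for this example; authorization object field values are ignored.

```python
"""Toy model of GRC-style action analysis versus what the backend really checks.

Added example, not from the thread. Sample data is constructed. Authorization
object field values (company code, account type, ...) are deliberately ignored:
a user either holds an object or does not.
"""
from typing import Dict, Set

# user -> authorization objects held; transaction access is modelled as S_TCODE:<tcode>
AuthData = Dict[str, Set[str]]
# GRC function: tcode -> {auth object: active in the permission tab?}
Function = Dict[str, Dict[str, bool]]

# Constructed sample users (hypothetical, not taken from any real system).
USERS: AuthData = {
    "ALICE": {"S_TCODE:FB01", "F_BKPF_BUK", "F_BKPF_KOA"},                # can post FI documents
    "BOB":   {"S_TCODE:FB01", "F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB"},  # can post, also holds optional GSB
    "CAROL": {"S_TCODE:FB01", "F_BKPF_KOA"},                              # lacks F_BKPF_BUK: FB01 fails at runtime
    "DAVE":  {"S_TCODE:FB01", "F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_BEK"},  # can post, holds optional BEK
}

# Three versions of the FB01 action in function AP02.
AP02_AS_DELIVERED: Function = {"FB01": {"F_BKPF_BEK": True, "F_BKPF_KOA": True}}  # the BEK/BUK mix-up
AP02_CORRECTED: Function = {"FB01": {"F_BKPF_BUK": True, "F_BKPF_KOA": True}}
AP02_ALL_ACTIVE: Function = {  # "just activate every SU24 object"
    "FB01": {"F_BKPF_BUK": True, "F_BKPF_KOA": True, "F_BKPF_GSB": True, "F_BKPF_BEK": True}
}


def actual_executors(users: AuthData, gsb_in_use: bool) -> Set[str]:
    """Users who can really post with FB01 in this model.

    Assumption for the example: the backend enforces S_TCODE, F_BKPF_BUK and
    F_BKPF_KOA, and F_BKPF_GSB only when business-area authorization groups
    are maintained in customizing (the questionnaire answer).
    """
    required = {"S_TCODE:FB01", "F_BKPF_BUK", "F_BKPF_KOA"}
    if gsb_in_use:
        required.add("F_BKPF_GSB")
    return {user for user, held in users.items() if required <= held}


def reported_users(function: Function, users: AuthData) -> Set[str]:
    """Users the GRC function flags: for any action, S_TCODE plus every ACTIVE object."""
    hits: Set[str] = set()
    for tcode, perms in function.items():
        required = {f"S_TCODE:{tcode}"} | {obj for obj, active in perms.items() if active}
        hits |= {user for user, held in users.items() if required <= held}
    return hits


def false_negatives(function: Function, users: AuthData, gsb_in_use: bool) -> Set[str]:
    """Can execute in reality, but missing from the report (what auditors dislike)."""
    return actual_executors(users, gsb_in_use) - reported_users(function, users)


def false_positives(function: Function, users: AuthData, gsb_in_use: bool) -> Set[str]:
    """Reported, but cannot actually execute (noise the customer can filter out)."""
    return reported_users(function, users) - actual_executors(users, gsb_in_use)


if __name__ == "__main__":
    variants = [("as delivered", AP02_AS_DELIVERED),
                ("corrected", AP02_CORRECTED),
                ("all SU24 objects active", AP02_ALL_ACTIVE)]
    for name, fn in variants:
        for gsb in (False, True):
            print(f"{name:24s} GSB groups in use={gsb!s:5s} "
                  f"reported={sorted(reported_users(fn, USERS))} "
                  f"false neg={sorted(false_negatives(fn, USERS, gsb))} "
                  f"false pos={sorted(false_positives(fn, USERS, gsb))}")
```

Run it and compare the rows. With business-area groups not in use, the corrected function reports exactly the real posters (ALICE, BOB, DAVE); the delivered BEK variant reports only DAVE, and the everything-active variant reports nobody, which is the false-negative problem Sam describes. With the groups in use, the corrected function over-reports ALICE and DAVE but misses no one, which is the direction the reply says the delivered rules deliberately lean. Swapping in your own questionnaire answers per connector (for instance which of the four ME21N objects to activate besides M_BEST_BSA) shows the same effect for other actions.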
