5.3 upgrade delivered rules vs 5.2 rules

We recently upgraded to 5.3 and noticed there were delivered rules sent with the software.  Are these rules different than the ones we used in 5.2 because I have role violations but no user violations and I can't figure this out....any advice?
Regards,
Greg

PROBLEM DESCRIPTION TO SAP: My 5.2 GRC AC system was upgraded to 5.3 in Oct 09. Since the upgrade, no user violations are showing/updating and I know for certain that the users have been assigned roles with conflicts. I would like to obtain a cleanup script to wipe the Business Process, Function, Function Authorization, Rule Set, and Risk rules so that I may reload them.
SAP RESPONSE: Unfortunately, at this time, we are unable to provide you scripts to perform the function you want. Doing direct table updates is not something that GRC is able to support at this time. I'm attaching a word document that provides you the table and field names for the application. Your Database Administrator and developers should be able to use this information to develop scripts to accomplish what you require.
MY RESPONSE: I have asked our DBA to look at the information you sent and he's informed me that he wouldn't know where to begin. Will this script work (script not attached).
SAP RESPONSE: I technically can't confirm that this will work. But the tables did not change between 5.2 and 5.3.

Similar Messages

  • CC 5.2 - Adding delivered rules as second ruleset

    We are in the process of upgrading from CC 5.1 to 5.2.  In addition to carrying over the custom ruleset that we have created for the company, I have been asked to load the delivered rules as a second ruleset, so that the folks in the compliance department can use them for comparison.  I have created rulesets by uploading the 7 files (business_processes.txt, function.txt, risks.txt, etc.) and generating the rules.  I have also created entire rulesets from scratch, but I have never done both in the same system, though I understand it can be done.  The ruleset we are using right now was built from scratch and has been fine-tuned for the company's needs, so I want to keep it intact.  What I would like to know is how I go about uploading the delivered rule files without affecting my existing ruleset.  I've already seen a note that says none of the functions or risks can have the same IDs across rulesets, so I'm prepared to make those changes to the upload files.  Any assistance will be much appreciated!
    Thanks,
    Dave

    Dave,
    You've already considered the main hangup most would encounter with loading another ruleset into CC 5.x-- the need for unique Ids within the elements of the ruleset.
    One key item that needs to be specified is the default ruleset because the file upload only uploads into whatever has been specified as the default ruleset.  Your current default ruleset is likely your customized ruleset.  Create a new ruleset to contain the GRC delivered rules, and temporarily set that as your default ruleset.  Perform the upload of the text files (and as you note, a prerequisite is to make sure that all of the business process, function, and risk Ids are unique from what already exists).  You can then switch the default ruleset back to normal and proceed with generating the rules in background.
    Note that you'll want to do this at a time when there is very little expected activity in the system as it's pretty likely that end users of CC will not realize that the ruleset is different as they perform ad-hoc analysis.  Also, Access Enforcer risk analysis is always tied to the default ruleset, so for a few minutes at least, if anyone performs risk analysis in AE, they would receive incorrect results.

  • About GRC Delivered Rules

    Hi I'm new to GRC.
    I installed GRC Compliance Calibrator but there is no data in it. No business processes, no functions, no risks, though SAP should have provided a lot of delivered rules after installation.
    I have gone through this forum and found the following information:
    "As part of risk analysis and remediation of SAP's GRC Access Control application (formerly Compliance Calibrator), SAP delivers a set of Segregation of Duties rules. This delivered set of rules address many areas, but they are meant to be used as a base and each company must customize the rules for their environment. This is explained in detail in the GRC Access Control - Access Risk Management Guide (available on the Business Process Expert Community) and in SAP Note 986996.
    The current delivered ruleset contains the following rules:
    SAP
    256 risks
    44,337 action combinations"
    Can anyone tell me how I get these SAP delivered data?
    Thanks & regards
    Stellare

    Hi Stellare,
    the rules and all data for the initial import are delivered with the Compliance Calibrator software.
    There is a ZIP file called "5.2_text_files.zip" which contains all the files.
    Regards,
    Daniela

  • How to upgrade Update rules to Transformations

    Hi
      My is to Update/Upgrade UPDATE RULES to TRANSFORMATIONS
      How can I do it in BI 7.0?
      Is there any program that will upgrade the update rules to transformations?
    Thanks

    Hi,
    Right click on your update rule
    Goto -> additional functions
    say create transformations.
    It will automatically convert your update rule into BI 7.0 transformation.
    Regards
    Githen

  • Brazil - SAP Standard Delivered Rule / Config for R/3 ?

    Hi
    I have recently come across an issue with updating a Brazilian employee's IT0008 - Basic Pay screen. I was trying to modify the start date of the screen (BEGDA) to reflect a date other than the 1st of the month. When I attempt to do this though I get a hard stop error message.
    I was told that this rule / hard stop error message in R/3 when trying to update IT8 for Brazil employees was a standard delivered SAP rule.
    I am trying to validate if that is the case, and if so if anyone can give me more details on this SAP delivered rule / functionality.
    If it's not a SAP delivered, but something my company has put in place perhaps, is there a way to find out in R/3 where this rule is set-up/referenced in order to remove it potentially to allow for IT8 Begda changes for Brazil ?
    Any help on this matter would be much appreciated and rewarded with points.
    Nicola.

    Please check the BADI under the following include
    Main Program     MP000800 
    Source code of   MPPERS00 
    Form - POST_INPUT_EDYNR
    Line - PERFORM badi_after_input(sapfp50m).
    IMP_NAME     BR_SALARY_INCREASE
    INTER_NAME     IF_EX_HRPAD00INFTY
    IMP_CLASS     CL_IM_BR_SALARY_INCREASE
    Main Program     CL_IM_BR_SALARY_INCREASE======CP      
    Source code of   CL_IM_BR_SALARY_INCREASE======CM002   
    method IF_EX_HRPAD00INFTY~AFTER_INPUT
    Line 23 - 35
    Regards
    Ravikumar

  • Upgrade Business rules with Calc Manager

    Hello Gurus,
    Recently performed an upgrade from 11.1.1.3 to 11.1.2.2 by replicating the Database to a new database machine.
    I had Business rules in 11.1.1.3 and did not perform any steps to migrate the rules to Calculation manager in 11.1.2.2
    The doubt I have is,
    1. Are the business rules automatically upgraded when performing upgrade by EPM system configurator (since the database is replicated)
    2. If so, how do I see the business rules in 11.1.2.2 environment? How can I use migrate feature option.
    Thanks
    HyperionEPM.

    From 11.1.2.2 documentation:
    Upgrade Wizard
    If your application used Oracle Hyperion Business Rules, the Upgrade Wizard automatically converts Business Rules business rules to Oracle Hyperion Calculation Manager business rules. Release 11.1.2.2 supports only Business Rules business rules as the calculation module.
    Notes:
    • Classic application administration is now called Oracle Hyperion Planning application administration (versus Oracle Hyperion EPM Architect application administration).
    • The Upgrade Wizard automatically upgrades applications having Oracle Hyperion Business Rules business rules, converting them to Calculation Manager business rules. However, the Upgrade Wizard does not automatically convert Release 11.1.2.1 applications having Oracle Hyperion Calculation Manager business rules. For those upgrade instructions, see the Oracle Enterprise Performance Management System Installation and Configuration Guide.
    Business Rules Maintenance Release and Upgrade Installation Prerequisites
    If you are using Business Rules, you must migrate to Calculation Manager rules in Release 11.1.2.2. Before migrating business rules, you must perform prerequisite tasks. Note that these tasks are required if you are applying the maintenance release or if you are upgrading.
    To prepare to migrate Business Rules, perform the following tasks in your current Business Rules environment before installing Release 11.1.2.2:
    1. In Business Rules, within the Rule Editor, remove the associated outline (that is, the design time location) from each business rule. After you do this, the Associated Outline drop-down list should display the text, Select Outline.
    2. On the Locations tab of the Rule Editor, ensure that each business rule has a valid launch location, which must be an absolute location. Although “All Locations” is valid in Business Rules, when you migrate business rules, you must provide the details of a specific launch location (that is, the application type, Planning or Essbase, the server name, the application name, and the database or plan type). If you want a business rule to be valid for multiple launch locations, you must provide the details for each location. The locations must be in different applications; you cannot migrate the same business rule to different plan types in the same application within Calculation Manager.
    If the rule is a part of a sequence, then the launch location of the rule within the sequence must be one of the launch locations listed in the Locations tab of the rule.
    3. On the Access Privileges tab of the Rule Editor, ensure that each business rule has security defined for a specific location or locations and not “All Locations.” If multiple locations are defined for a business rule on its Locations tab, you must add security for each location individually.
    4. Do not modify rules in Calculation Manager until migration is completed.
    5. If you are using Business Rules with Planning, as a precaution, create a backup of the rules: Use Administration Services to export the rules to XML in Business Rules format. If you are upgrading from 11.1.1.3 or 11.1.1.4, also export the rules to Calculation Manager format. EPM System Configurator exports the rules during database configuration for use during application upgrade.
    6. If you are an Essbase-only Business Rules user, you must export business rules. To export the Essbase rule from Business Rules:
    a. From Administration Services Console, right-click the Business Rules node and select Export.
    b. Export the rules in Business Rules format and then select all of the Essbase rules in the repository. If you are upgrading from 11.1.1.3 or 11.1.1.4, also export the rules to Calculation Manager format.
    c. Specify the location to save the XML file, and then click OK. If you are upgrading, the location should be a shared drive that is accessible from the upgraded environment.
    Make a note of the location. You import the file later in the process.
    Migrating Business Rules to Calculation Manager for use with Planning
    If you applied the maintenance release to move from Planning Release 11.1.2.0 or 11.1.2.1 to Release 11.1.2.2, and you were using Business Rules rules, you must migrate the rules to Calculation Manager rules.
    Before you migrate, ensure that user directories and native users with the same SID are available when you upgrade Shared Services.
    Ensure that the Planning applications are upgraded to the current release and are available in Calculation Manager under SYSTEM View.
    To migrate Business Rules rules to Calculation Manager rules:
    1. In Calculation Manager, select the migrated Planning application, and then select Migrate.
    The data that was exported during database configuration with EPM System Configurator is imported to Calculation Manager.
    2. Repeat for each Planning application.
    3. Deploy the rules from Calculation Manager to Planning. See the Oracle Hyperion Calculation Manager Designer's Guide.
    After migrating business rules and rules security, if any of the rules had multiple launch locations and you migrated to more than one location, Calculation Manager creates a rule for the first migration, and shortcuts for all subsequent migrations. If the rule had rule-level variables, for the shortcuts that are created in the application in the new environment, its variables are moved to the Plan level. In this scenario, test rules in your environment to ensure that they work as expected.
    If you still have problems, raise an SR and we can get on a call to figure out why the rules are not coming over.
    -Sree

  • Error message while upgrading transfer rules

    hi
    While migrating transfer rules to transformations
    I am getting
    automatic time convension not possible for source field kmonth.
    I say continue and continue, and I got transformations.
    What is this message and how can I solve it?

    Hi,
    Please check the settings for the mappings in the Transfer Rules. Also, have you made some settings for "kmonth"?

  • Configure business rules

    Hello
    I have had conflicting information so once and for all I want to clear my doubt
    someone said you can't configure the business rules in GRC. When you install or upgrade RAR ( CC), you have to run the txt file and that's how you load the rules
    Another person said you can configure based on the Client business process.
    Q. How do I configure business rules according to Client's business processes?

    Hello Jack O. Trades,
    The standard business rules for RAR delivered by SAP are a good starting point; however, they are not intended to be the de facto rules for all customers. All customers I've met have customized the rule set to their business.
    You can do this by activating/deactivating or changing the Business Functions and Risks. You can also add new Business Functions and Risks. Some customers have moved transactions around to different Business Functions than the originally delivered ones from SAP.
    The rules and rule set are yours for the changing. BUT! (big but):
    1. Don't stray too far from the delivered model, make deliberate notations about rule changes and why you changed them. Get second opinions before doing so. Your rule set is the most important piece of RAR and it's a nightmare to start over from scratch. Believe me, re-configuring customer rules is part of what keeps me busy as a consultant.
    2. If you do modify the existing delivered rules, don't ever reload the delivered rule set. Currently, the ruleset import will overwrite your customization. Instead, if SAP delivers a new rule set, compare the new one with a current downloaded copy of the existing in MS Excel. Understand the differences and manually add the new additions as necessary.
    Regarding the "how-to," there are various approaches but I've found the following to be helpful:
    1. Understand technically how to make changes to the business functions and risks (get a copy of SAP's user guides and configuration manuals)
    2. Understand the impact of making a change. What happens if you add/remove/inactivate a transaction in a business function? What risks will be impacted? Is a rule change necessary or is a mitigation a better option? Is the risk valid? Should the transaction be removed from the role or the role assignment from the user? and so on...
    3. Never make the decision yourself (if you are an IT person), make sure you've considered the change with the business department (e.g. A/P) and with someone in Compliance/Internal Audit.

  • 1503653.1 - should change the comptability to 11.0.0 from 10.2.0.5 before manuelly upgrade?

    hi All,
    i am trying to follow through the steps.
    I will be porting the data from the old box into a new box ( windows 12.1.0.2.0)
    I run the pre- tools script -> preupgrd.sql
    It gives me errors or some warnings to fix before doing the upgrade.
    My question is: before I port over the data via a cold backup, should I first change the compatibility to 11.0.0 from 10.2.0.5.0 (source db), then do a cold backup, then port over the data to the new box, then do the upgrade steps?
    Of course I can change the init.ora process to 300. As for the rest of the warnings, I am not too sure whether it is necessary for me to do them since I will be moving to a new box. Warnings like EM database control, etc.
                             [Update parameters]
             [Update Oracle Database 10.2.0.5.0 init.ora or spfile]
    --> If Target Oracle is 32-bit, refer here for Update Parameters:
    WARNING: --> "processes" needs to be increased to at least 300
    --> If Target Oracle is 64-bit, refer here for Update Parameters:
    WARNING: --> "sga_target" needs to be increased to at least 624951296
    WARNING: --> "processes" needs to be increased to at least 300
                              [Renamed Parameters]
                         [No Renamed Parameters in use]
                        [Obsolete/Deprecated Parameters]
    --> background_dump_dest         11.1       DESUPPORTED  replaced by  "diagnostic_dest"
    --> user_dump_dest               11.1       DESUPPORTED  replaced by  "diagnostic_dest"
            [Changes required in Oracle Database init.ora or spfile]
                                [Component List]
    --> Oracle Catalog Views                   [upgrade]  VALID    
    --> Oracle Packages and Types              [upgrade]  VALID    
    --> JServer JAVA Virtual Machine           [upgrade]  VALID    
    --> Oracle XDK for Java                    [upgrade]  VALID    
    --> Oracle Workspace Manager               [upgrade]  VALID    
    --> OLAP Analytic Workspace                [upgrade]  VALID    
    --> Oracle Enterprise Manager Repository   [upgrade]  VALID    
    --> Oracle Text                            [upgrade]  VALID    
    --> Oracle XML Database                    [upgrade]  VALID    
    --> Oracle Java Packages                   [upgrade]  VALID    
    --> Oracle Multimedia                      [upgrade]  VALID    
    --> Oracle Spatial                         [upgrade]  VALID    
    --> Data Mining                            [upgrade]  VALID    
    --> Expression Filter                      [upgrade]  VALID    
    --> Rule Manager                           [upgrade]  VALID    
    --> Oracle OLAP API                        [upgrade]  VALID    
                                  [Tablespaces]
    --> SYSTEM tablespace is adequate for the upgrade.
         minimum required size: 1122 MB
    --> UNDOTBS1 tablespace is adequate for the upgrade.
         minimum required size: 400 MB
    --> SYSAUX tablespace is adequate for the upgrade.
         minimum required size: 619 MB
    --> TEMP tablespace is adequate for the upgrade.
         minimum required size: 60 MB
    --> EXAMPLE tablespace is adequate for the upgrade.
         minimum required size: 78 MB
                          [No adjustments recommended]
                              [Pre-Upgrade Checks]
    WARNING: --> Process Count may be too low
         Database has a maximum process count of 150 which is lower than the
         default value of 300 for this release.
         You should update your processes value prior to the upgrade
         to a value of at least 300.
         For example:
            ALTER SYSTEM SET PROCESSES=300 SCOPE=SPFILE
         or update your init.ora file.
    ERROR: --> Compatible set too low
         "compatible" currently set at 10.2.0.5.0 and must
         be set to at least 11.0.0 prior to upgrading the database.
         Do not make this change until you are ready to upgrade
         because a downgrade back to 10.2 is not possible once compatible
         has been raised.
         Update your init.ora or spfile to make this change.
    WARNING: --> Enterprise Manager Database Control repository found in the database
         In Oracle Database 12c, Database Control is removed during
         the upgrade. To save time during the Upgrade, this action
         can be done prior to upgrading using the following steps after
         copying rdbms/admin/emremove.sql from the new Oracle home
       - Stop EM Database Control:
        $> emctl stop dbconsole
       - Connect to the Database using the SYS account AS SYSDBA:
       SET ECHO ON;
       SET SERVEROUTPUT ON;
       @emremove.sql
         Without the set echo and serveroutput commands you will not
         be able to follow the progress of the script.
    WARNING: --> "DMSYS" schema exists in the database
         The DMSYS schema (Oracle Data Mining) will be removed
         from the database during the database upgrade.
         All data in DMSYS will be preserved under the SYS schema.
         Refer to the Oracle Data Mining User's Guide for details.
    WARNING: --> Database contains INVALID objects prior to upgrade
         The list of invalid SYS/SYSTEM objects was written to
         registry$sys_inv_objs.
         The list of non-SYS/SYSTEM objects was written to
         registry$nonsys_inv_objs unless there were over 5000.
         Use utluiobj.sql after the upgrade to identify any new invalid
         objects due to the upgrade.
    INFORMATION: --> OLAP Catalog(AMD) exists in database
         Starting with Oracle Database 12c, OLAP Catalog component is desupported.
         If you are not using the OLAP Catalog component and want
         to remove it, then execute the
         ORACLE_HOME/olap/admin/catnoamd.sql script before or
         after the upgrade.
    INFORMATION: --> Older Timezone in use
         Database is using a time zone file older than version 18.
         After the upgrade, it is recommended that DBMS_DST package
         be used to upgrade the 10.2.0.5.0 database time zone version
         to the latest version which comes with the new release.
         Please refer to My Oracle Support note number 1509653.1 for details.
    WARNING: --> Existing schemas with network ACLs exist
         Database contains schemas with objects dependent on network packages.
         Refer to the Upgrade Guide for instructions to configure Network ACLs.
    INFORMATION: --> There are existing Oracle components that will NOT be
         upgraded by the database upgrade script.  Typically, such components
         have their own upgrade scripts, are deprecated, or obsolete.
         Those components are:  OLAP Catalog

    Not something I've done before but it seems that setting the parameter to 11.0.0 is a prerequisite.
    http://docs.oracle.com/database/121/UPGRD/intro.htm#BHCJHGFA
    A full backup isn't necessary specifically for this upgrade. Just port your data over, change the compatible parameter in the spfile/pfile on your target upgrade host and upgrade away.
    Your source will be your backup so I would be inclined not to change things on there.
    You can ignore some of the warnings, like EM dbcontrol, as it states you can do it manually prior to the upgrade to save time, otherwise it will be done as part of the upgrade process anyway.
    Other warnings, like OLAP and the timezone file (timezone is a recommendation), you will need to pay attention to and action, as well as the network ACL warning:
    http://docs.oracle.com/database/121/UPGRD/preup.htm#BABEDAFB
    http://docs.oracle.com/database/121/UPGRD/preup.htm#BABJGCIC

  • Do you trust the SAP standard rule set ?

    Hello all,
    I have the impression that, too often, the SAP standard ruleset has been taken for granted: upload, generate and use. Here is a post as to why not to do so. Hopefully, this will generate an interesting discussion.
    As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
    1. What is your SAP release? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to be provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
    2. What are your customizing settings and master data settings? --> Depending on these answers you will have to (de)activate certain permissions in your functions. E.g. are authorization groups for posting periods, business areas, material types, ... being used? If this is not required in the SAP system and if activated in the SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives!
    Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
    So, the best practice is :
    a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
    b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
    You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
    Is this questionnaire really necessary? Can't I just activate all permissions in every function? Certainly not, because that would - and here is the main problem - filter too many users out of your audit results because the filter is too stringent. This practice would lead to false negatives, something that auditors do not like.
    Can't I just update all my functions based on my particular SU24 settings? (By the way, if you don't know what SU24 settings are, then ask your role administrator. He/she should know.) Yes, if you think they are on target, yes you can, by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-uploading, and going into change mode for every function so that the new permissions are imported based on your SU24 settings. Also very cumbersome, and with the absolute condition that your SU24 settings are maintained excellently.
    Why is that so important? Imagine F_BKPF_GSB, the auth object to check on auth groups on business areas within accounting documents. Most role administrators will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu. But the role administrator inactivates the object in the role. Still no problem, because the user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
    Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB? Now you see why. But they go too far at times and are even incorrect. Example: go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated: F_BKPF_BEK and F_BKPF_KOA. The very basic authorizations needed to be able to post an FI document are F_BKPF_BUK and F_BKPF_KOA. That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
    Again, the message is: be very critical when looking at the SAP standard rule set. So, test thoroughly. And if you're not sure, leave the job to a specialized firm.
    Success !
    Sam

    Sam and everyone,
    Sam brings up some good points on the delivered ruleset. Please keep in mind, however, that SAP has always stated that the delivered ruleset is a starting point. This is brought up in SAP Note 986996, Best Practice for SAP CC Rules and Risks. I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
    I'll try to address each area that Sam brings up:
    1. Regarding the issue with differences of auth objects between versions, the SAP delivered ruleset is not meant to be version specific. We therefore provide rules with the lowest common denominator when it comes to auth object settings.
    The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
    The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
    If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
    Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
    2. For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone. This is why we deliver only the core auth objects in our rules and not all. An example is ME21N.
    If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain. However, in the rules we only enable one of the objects, M_BEST_BSA. This is to prevent false negatives.
    3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
    4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
    1083611 Compliance Calibrator Rule Update Q3 2007
    1061380 Compliance Calibrator Rule Update Q2 2006
    1035070 Compliance Calibrator Rule Update Q1 2007
    1173980 Risk Analysis and Remediation Rule Update Q2 2008
    5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
    6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
    https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
    Under Key Topics - Access Control; choose document below:
        o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
    The access risk management guide helps you set up and implement risk    
    identification and remediation with GRC Access Control.

  • Solve oracle multimedia post upgrade errors

    Hello,
    I performed an out-of-place upgrade from Oracle 10.2.0.4 to 11.2.0.4.
    When I run the post-upgrade script I have issues with Oracle Multimedia that I cannot solve. It is about shared memory. I followed all the recommendations suggested by the pre-upgrade script.
    SQL>  @/oracle/product/11.2.0.4/dbhome_1/rdbms/admin/utlu112s.sql
    Oracle Database 11.2 Post-Upgrade Status Tool           10-03-2014 15:06:57
    Component                               Current      Version     Elapsed Time
    Name                                    Status       Number      HH:MM:SS
    Oracle Server
    .                                         VALID      11.2.0.4.0  00:14:07
    JServer JAVA Virtual Machine
    .                                         VALID      11.2.0.4.0  00:11:08
    Oracle Workspace Manager
    .                                         VALID      11.2.0.4.0  00:00:48
    Oracle Enterprise Manager
    .                                         VALID      11.2.0.4.0  00:09:58
    Oracle XDK
    .                                         VALID      11.2.0.4.0  00:02:48
    Oracle Text
    .                                         VALID      11.2.0.4.0  00:00:59
    Oracle XML Database
    .                                         VALID      11.2.0.4.0  00:05:45
    Oracle Database Java Packages
    .                                         VALID      11.2.0.4.0  00:00:20
    Oracle Multimedia
    .   ORA-00604: error occurred at recursive SQL level 1 ORA-04031: unable to
    allocate 32 bytes of shared memory ("shared pool","select col#, grantee#,
    privi...","KGLH0^34b96f2","kglHeapInitialize:temp")
    ORA-06512: at
    "SYS.DBMS_JAVA", line 655
    ORA-06512: at line 1
    .   ORA-04031: unable to allocate 32 bytes of shared memory ("shared
    pool","select col#, grantee#,
    privi...","KGLH0^34b96f2","kglHeapInitialize:temp")
    ORA-06512: at
    "SYS.DBMS_JAVA", line 655
    ORA-06512: at line 1
    .   col#, grantee#, privi...","KGLH0^34b96f2","kglHeapInitialize:temp")
    ORA-06512: at "SYS.DBMS_JAVA", line 655
    ORA-06512: at line 1
    .   ORA-06512: at "SYS.DBMS_JAVA", line 655 ORA-06512: at line 1
    .   ORA-06512: at line 1
    .   ORA-00604: error occurred at recursive SQL level 1 ORA-04031: unable to
    allocate 136 bytes of shared memory ("shared pool","select
    i.obj#,i.ts#,i.file#,...","KGLH0^4006e26c","wds: qksmmGetWorkArea")
    ORA-06512:
    at "SYS.DBMS_JAVA", line 655
    ORA-06512: at line 1
    .   ORA-04031: unable to allocate 136 bytes of shared memory ("shared
    pool","select i.obj#,i.ts#,i.file#,...","KGLH0^4006e26c","wds:
    qksmmGetWorkArea")
    ORA-06512: at "SYS.DBMS_JAVA", line 655
    ORA-06512: at line 1
    .   i.obj#,i.ts#,i.file#,...","KGLH0^4006e26c","wds: qksmmGetWorkArea")
    ORA-06512: at "SYS.DBMS_JAVA", line 655
    ORA-06512: at line 1
    .   ORA-06512: at "SYS.DBMS_JAVA", line 655 ORA-06512: at line 1
    .   ORA-06512: at line 1
    .   ORA-04045: errors during recompilation/revalidation of
    ORDSYS./f87ac59f_DicomEngine
    ORA-04031: unable to allocate 32 bytes of shared
    memory ("shared pool","ALTER JAVA CLASS
    "ORDSYS"."/...","KGLH0^1182baa5","kglHeapInitialize:temp")
    ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 276
    ORA-06512: at line 1
    .   ORDSYS./f87ac59f_DicomEngine ORA-04031: unable to allocate 32 bytes of
    shared memory ("shared pool","ALTER JAVA CLASS
    "ORDSYS"."/...","KGLH0^1182baa5","kglHeapInitialize:temp")
    ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 276
    ORA-06512: at line 1
    .   ORA-04031: unable to allocate 32 bytes of shared memory ("shared
    pool","ALTER JAVA CLASS
    "ORDSYS"."/...","KGLH0^1182baa5","kglHeapInitialize:temp")
    ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 276
    ORA-06512: at line 1
    .   JAVA CLASS "ORDSYS"."/...","KGLH0^1182baa5","kglHeapInitialize:temp")
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945
    ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 276
    ORA-06512: at line 1
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945 ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 276
    ORA-06512: at line 1
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN", line 276 ORA-06512: at line 1
    .   ORA-06512: at line 1
    .   ORA-53051: no editDataModel session found ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 125
    ORA-06512: at line 14805
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306 ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 125
    ORA-06512: at line 14805
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN", line 125 ORA-06512: at line 14805
    .   ORA-06512: at line 14805
    .   ORA-53051: no editDataModel session found ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 125
    ORA-06512: at line 67
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306 ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 125
    ORA-06512: at line 67
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN", line 125 ORA-06512: at line 67
    .                                       INVALID      11.2.0.4.0  00:55:05
    Spatial
    .                                    OPTION OFF      10.2.0.4.0  00:00:00
    Oracle Expression Filter
    .                                         VALID      11.2.0.4.0  00:00:16
    Oracle Rules Manager
    .                                         VALID      11.2.0.4.0  00:00:14
    Final Actions
    .                                                                00:01:34
    Total Upgrade Time: 01:43:11
    PL/SQL procedure successfully completed.
    thank you
    Mario.

    I explicitly set sga_target to 668MB as suggested by the pre-upgrade script.
    See the output of the pre-upgrade tool:
    SQL> @/oracle/utlu112i.sql
    Oracle Database 11.2 Pre-Upgrade Information Tool 10-02-2014 17:24:25
    Script Version: 11.2.0.4.0 Build: 001
    Database:
    --> name:          FUELPLUS
    --> version:       10.2.0.4.0
    --> compatible:    10.2.0.3.0
    --> blocksize:     8192
    --> platform:      Solaris Operating System (x86-64)
    --> timezone file: V4
    Tablespaces: [make adjustments in the current environment]
    --> SYSTEM tablespace is adequate for the upgrade.
    .... minimum required size: 1071 MB
    --> UNDOTBS1 tablespace is adequate for the upgrade.
    .... minimum required size: 400 MB
    --> SYSAUX tablespace is adequate for the upgrade.
    .... minimum required size: 804 MB
    --> TEMP tablespace is adequate for the upgrade.
    .... minimum required size: 60 MB
    Flashback: OFF
    Update Parameters: [Update Oracle Database 11.2 init.ora or spfile]
    Note: Pre-upgrade tool was run on a lower version 64-bit database.
    --> If Target Oracle is 32-Bit, refer here for Update Parameters:
    WARNING: --> "sga_target" needs to be increased to at least 484 MB
    --> If Target Oracle is 64-Bit, refer here for Update Parameters:
    WARNING: --> "sga_target" needs to be increased to at least 668 MB
    Renamed Parameters: [Update Oracle Database 11.2 init.ora or spfile]
    -- No renamed parameters found. No changes are required.
    Obsolete/Deprecated Parameters: [Update Oracle Database 11.2 init.ora or spfile]
    --> cursor_space_for_time        11.1       DEPRECATED
    --> background_dump_dest         11.1       DEPRECATED   replaced by  "diagnostic_dest"
    --> user_dump_dest               11.1       DEPRECATED   replaced by  "diagnostic_dest"
    --> cursor_space_for_time        11.2       DEPRECATED
    Components: [The following database components will be upgraded or installed]
    --> Oracle Catalog Views         [upgrade]  VALID
    --> Oracle Packages and Types    [upgrade]  VALID
    --> JServer JAVA Virtual Machine [upgrade]  VALID
    --> Oracle XDK for Java          [upgrade]  VALID
    --> Oracle Workspace Manager     [upgrade]  VALID
    --> EM Repository                [upgrade]  VALID
    --> Oracle Text                  [upgrade]  VALID
    --> Oracle XML Database          [upgrade]  VALID
    --> Oracle Java Packages         [upgrade]  VALID
    --> Oracle interMedia            [upgrade]  VALID
    --> Spatial                      [upgrade]  VALID
    --> Data Mining                  [upgrade]  VALID
    --> Expression Filter            [upgrade]  VALID
    --> Rule Manager                 [upgrade]  VALID
    Miscellaneous Warnings
    WARNING: --> Database is using a timezone file older than version 14.
    .... After the release migration, it is recommended that DBMS_DST package
    .... be used to upgrade the 10.2.0.4.0 database timezone version
    .... to the latest version which comes with the new release.
    WARNING: --> Database contains INVALID objects prior to upgrade.
    .... The list of invalid SYS/SYSTEM objects was written to
    .... registry$sys_inv_objs.
    .... The list of non-SYS/SYSTEM objects was written to
    .... registry$nonsys_inv_objs.
    .... Use utluiobj.sql after the upgrade to identify any new invalid
    .... objects due to the upgrade.
    .... USER PUBLIC has 1 INVALID objects.
    WARNING: --> EM Database Control Repository exists in the database.
    .... Direct downgrade of EM Database Control is not supported. Refer to the
    .... Upgrade Guide for instructions to save the EM data prior to upgrade.
    WARNING: --> Your recycle bin is turned on and currently contains no objects.
    .... Because it is REQUIRED that the recycle bin be empty prior to upgrading
    .... and your recycle bin is turned on, you may need to execute the command:
            PURGE DBA_RECYCLEBIN
    .... prior to executing your upgrade to confirm the recycle bin is empty.
    WARNING: --> JOB_QUEUE_PROCESS value must be updated
    .... Your current setting of "10" is too low.
    .... Starting with Oracle Database 11g Release 2 (11.2), setting
    .... JOB_QUEUE_PROCESSES to 0 causes both DBMS_SCHEDULER and
    .... DBMS_JOB jobs to not run. Previously, setting JOB_QUEUE_PROCESSES
    .... to 0 caused DBMS_JOB jobs to not run, but DBMS_SCHEDULER jobs were
    .... unaffected and would still run. This parameter must be updated to
    .... a value greater than 48  (default value is 1000) prior to upgrade.
    .... Not doing so will affect the running of utlrp.sql after the upgrade
    Recommendations
    Oracle recommends gathering dictionary statistics prior to
    upgrading the database.
    To gather dictionary statistics execute the following command
    while connected as SYSDBA:
        EXECUTE dbms_stats.gather_dictionary_stats;
    Oracle recommends reviewing any defined events prior to upgrading.
    To view existing non-default events execute the following commands
    while connected AS SYSDBA:
      Events:
        SELECT (translate(value,chr(13)||chr(10),' ')) FROM sys.v$parameter2
          WHERE  UPPER(name) ='EVENT' AND  isdefault='FALSE'
      Trace Events:
        SELECT (translate(value,chr(13)||chr(10),' ')) from sys.v$parameter2
          WHERE UPPER(name) = '_TRACE_EVENTS' AND isdefault='FALSE'
    Changes will need to be made in the init.ora or spfile.
    SQL> SPOOL OFF
    Here are the last 100 lines of upgrade.log:
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 276
    ORA-06512: at line 1
    .   JAVA CLASS "ORDSYS"."/...","KGLH0^1182baa5","kglHeapInitialize:temp")
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945
    ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 276
    ORA-06512: at line 1
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6945 ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 276
    ORA-06512: at line 1
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN", line 276 ORA-06512: at line 1
    .   ORA-06512: at line 1
    .   ORA-53051: no editDataModel session found ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 125
    ORA-06512: at line 14805
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306 ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 125
    ORA-06512: at line 14805
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN", line 125 ORA-06512: at line 14805
    .   ORA-06512: at line 14805
    .   ORA-53051: no editDataModel session found ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306
    ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN",
    line 125
    ORA-06512: at line 67
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 6306 ORA-06512: at
    "ORDSYS.ORD_DICOM_ADMIN", line 125
    ORA-06512: at line 67
    .   ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN", line 125 ORA-06512: at line 67
    .                                       INVALID      11.2.0.4.0  00:55:05
    Spatial
    .                                    OPTION OFF      10.2.0.4.0  00:00:00
    Oracle Expression Filter
    .                                         VALID      11.2.0.4.0  00:00:16
    Oracle Rules Manager
    .                                         VALID      11.2.0.4.0  00:00:14
    Final Actions
    .                                                                00:01:34
    Total Upgrade Time: 01:43:11
    PL/SQL procedure successfully completed.
    SQL>
    SQL> SET SERVEROUTPUT OFF
    SQL> SET VERIFY ON
    SQL> commit;
    Commit complete.
    SQL>
    SQL> shutdown immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL>
    SQL>
    SQL>
    SQL> DOC
    DOC>#######################################################################
    DOC>#######################################################################
    DOC>
    DOC>   The above sql script is the final step of the upgrade. Please
    DOC>   review any errors in the spool log file. If there are any errors in
    DOC>   the spool file, consult the Oracle Database Upgrade Guide for
    DOC>   troubleshooting recommendations.
    DOC>
    DOC>   Next restart for normal operation, and then run utlrp.sql to
    DOC>   recompile any invalid application objects.
    DOC>
    DOC>   If the source database had an older time zone version prior to
    DOC>   upgrade, then please run the DBMS_DST package.  DBMS_DST will upgrade
    DOC>   TIMESTAMP WITH TIME ZONE data to use the latest time zone file shipped
    DOC>   with Oracle.
    DOC>
    DOC>#######################################################################
    DOC>#######################################################################
    DOC>#
    SQL>
    SQL> Rem Set errorlogging off
    SQL> SET ERRORLOGGING OFF;
    SQL>
    SQL> REM END OF CATUPGRD.SQL
    SQL>
    SQL> REM bug 12337546 - Exit current sqlplus session at end of catupgrd.sql.
    SQL> REM                This forces user to start a new sqlplus session in order
    SQL> REM                to connect to the upgraded db.
    SQL> exit

  • Utlu111i.sql upgrade from 10.2.0.3 to 11.1.0.7

    My question is regarding the COMPATIBLE initialization parameter.
    When I run utlu111i.sql there is NO warning about the COMPATIBLE parameter.
    So, is the appropriate action for the upgrade to go fine to leave the current value, or to change it before the upgrade?
    SQL> @utlu111i.sql;
    Oracle Database 11.1 Pre-Upgrade Information Tool 06-12-2011 11:15:37
    Database:
    --> name:     TBABES
    --> version:     10.2.0.3.0
    --> compatible: 10.2.0.3.0
    --> blocksize:     8192
    --> platform:     Linux 64-bit for AMD
    --> timezone file: V4
    Tablespaces: [make adjustments in the current environment]
    --> SYSTEM tablespace is adequate for the upgrade.
    .... minimum required size: 1431 MB
    .... AUTOEXTEND additional space required: 351 MB
    --> UNDOTBS1 tablespace is adequate for the upgrade.
    .... minimum required size: 26 MB
    --> SYSAUX tablespace is adequate for the upgrade.
    .... minimum required size: 778 MB
    .... AUTOEXTEND additional space required: 308 MB
    --> TEMP tablespace is adequate for the upgrade.
    .... minimum required size: 61 MB
    .... AUTOEXTEND additional space required: 31 MB
    --> IAS_META tablespace is adequate for the upgrade.
    .... minimum required size: 205 MB
    --> B2B_RT tablespace is adequate for the upgrade.
    .... minimum required size: 39 MB
    --> BAM tablespace is adequate for the upgrade.
    .... minimum required size: 7 MB
    Update Parameters: [Update Oracle Database 11.1 init.ora or spfile]
    WARNING: --> "shared_pool_size" needs to be increased to at least 448 MB
    WARNING: --> "java_pool_size" needs to be increased to at least 128 MB
    Renamed Parameters: [Update Oracle Database 11.1 init.ora or spfile]
    -- No renamed parameters found. No changes are required.
    Obsolete/Deprecated Parameters: [Update Oracle Database 11.1 init.ora or spfile]
    --> "remote_os_authent"
    --> "background_dump_dest" replaced by     "diagnostic_dest"
    --> "user_dump_dest" replaced by "diagnostic_dest"
    --> "core_dump_dest" replaced by "diagnostic_dest"
    Components: [The following database components will be upgraded or installed]
    --> Oracle Catalog Views     [upgrade] VALID
    --> Oracle Packages and Types     [upgrade] VALID
    --> JServer JAVA Virtual Machine [upgrade] VALID
    --> Oracle XDK for Java      [upgrade] VALID
    --> Oracle Workspace Manager     [upgrade] VALID
    --> OLAP Analytic Workspace     [upgrade] VALID
    --> OLAP Catalog          [upgrade] VALID
    --> EM Repository          [upgrade] VALID
    --> Oracle Text           [upgrade] VALID
    --> Oracle XML Database      [upgrade] VALID
    --> Oracle Java Packages     [upgrade] VALID
    --> Oracle interMedia          [upgrade] VALID
    --> Spatial               [upgrade] VALID
    --> Data Mining           [upgrade] VALID
    --> Oracle Ultra Search      [upgrade] VALID
    --> Expression Filter          [upgrade] VALID
    --> Rule Manager          [upgrade] VALID
    --> Oracle Application Express     [upgrade] VALID
    --> Oracle OLAP API          [upgrade] VALID
    Miscellaneous Warnings
    WARNING: --> Database contains stale optimizer statistics.
    .... Refer to the 11g Upgrade Guide for instructions to update
    .... statistics prior to upgrading the database.
    .... Component Schemas with stale statistics:
    .... SYS
    .... WKSYS
    WARNING: --> Database contains INVALID objects prior to upgrade.
    .... The list of invalid SYS/SYSTEM objects was written to
    .... registry$sys_inv_objs.
    .... The list of non-SYS/SYSTEM objects was written to
    .... registry$nonsys_inv_objs.
    .... Use utluiobj.sql after the upgrade to identify any new invalid
    .... objects due to the upgrade.
    .... USER DSGATEWAY has 1 INVALID objects.
    WARNING: --> Database contains schemas with objects dependent on network
    packages.
    .... Refer to the 11g Upgrade Guide for instructions to configure Network ACLs.
    .... USER WKSYS has dependent objects.
    .... USER BAM has dependent objects.
    .... USER FLOWS_020200 has dependent objects.
    .... USER OWF_MGR has dependent objects.
    .... USER ORASSO has dependent objects.
    .... USER PORTAL has dependent objects.
    WARNING: --> EM Database Control Repository exists in the database.
    .... Direct downgrade of EM Database Control is not supported. Refer to the
    .... 11g Upgrade Guide for instructions to save the EM data prior to upgrade.
    PL/SQL procedure successfully completed.
    Please help as the down time for the upgrade is in progress.
    Cheers.

    Please see the documentation - http://download.oracle.com/docs/cd/B28359_01/server.111/b28300/intro.htm#UPGRD12473
    In an upgrade project, one typically does a test upgrade and then tests the application (with compatibility set to the upgraded version) to ensure there are no performance issues. What has your testing revealed? If there are no issues, omit the compatible parameter (it will default to 11.1.0.7).
    Oracle 11gR1 Upgrade Companion          (Doc ID 601807.1)
    HTH
    Srini

  • ORA-29958 when upgrading 10.2.0.4 to 11.2.0.1 on Solaris 10 using DBUA

    Hello,
    We are working in our test environment on our upgrade process from 10.2.0.4 to 11.2.0.1. I have cloned a copy of our Production database to support this effort. During the upgrade process using DBUA, we consistently receive an error. The error is encountered when DBUA is at 79% and the exact error information is:
    ORA-29958: fatal error occurred in the execution of ODCIINDEXCREATE routine
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.DBMS_SQL", line 1053
    ORA-06512: at line 6
    I'm given the option to Ignore or Abort in DBUA.
    From the upgrade log file the error is the same:
    [Thread-104] [ 2010-11-12 13:25:07.012 PST ] [BasicStep.handleNonIgnorableError:431] ORA-29958: fatal error occurred in the execution of ODCIINDEXCREATE routine
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.DBMS_SQL", line 1053
    ORA-06512: at line 6
    :msg
    The PUBLIC role has EXECUTE permissions on DBMS_SQL so it should have privileges.
    Here's our environment:
    $ showrev
    Hostname: hyperion
    Hostid: 846ecb2e
    Release: 5.10
    Kernel architecture: sun4v
    Application architecture: sparc
    Hardware provider: Sun_Microsystems
    Domain:
    Kernel version: SunOS 5.10 Generic_142909-17
    I've gone through metalink, google and some listservs that are particular to my industry and have tried many ways to solve this but still haven't been able to overcome this problem.
    Does anyone have any ideas what might be causing this?

    Thank you for the warm welcome as well as your response Srini :-) I have entered an SR with Oracle but to date they haven't been able to help so I thought I would try the community to see if anyone else has seen this problem.
    Here's the last 50 lines of output from the upgrade log:
    Package body created.
    grant execute on xdb.xdb$acl_pkg_int to public;
    Grant succeeded.
    alter session set events='31150 trace name context forever, level 0x04';
    Session altered.
    declare
    2 cur integer;
    3 rc integer;
    4 begin
    5 cur := dbms_sql.open_cursor;
    6 dbms_sql.parse(cur,
    7 'create index xdb.xdb$acl_xidx on xdb.xdb$acl(object_value) '||
    8 'indextype is xdb.xmlindex '||
    9 'parameters(''PATH TABLE XDBACL_PATH_TAB VALUE INDEX XDBACL_PATH_TAB_VALUE_IDX'') ',
    10 dbms_sql.native);
    11 rc := dbms_sql.execute(cur);
    12 dbms_sql.close_cursor(cur);
    13 end;
    14 /
    declare
    ERROR at line 1:
    ORA-29958: fatal error occurred in the execution of ODCIINDEXCREATE routine
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.DBMS_SQL", line 1053
    ORA-06512: at line 6
    And here's the output of utlu112i.sql. I did the purging of the recycle bin but planned on resolving the time zone and ACL information post-upgrade, as per the Oracle documentation.
    SYS@TEST11>@utlu112i
    Oracle Database 11.2 Pre-Upgrade Information Tool 11-18-2010 08:48:30
    Database:
    --> name: TEST11
    --> version: 10.2.0.4.0
    --> compatible: 10.2.0.4.0
    --> blocksize: 8192
    --> platform: Solaris[tm] OE (64-bit)
    --> timezone file: V4
    Tablespaces: [make adjustments in the current environment]
    --> SYSTEM tablespace is adequate for the upgrade.
    .... minimum required size: 1632 MB
    --> UNDOTBS1 tablespace is adequate for the upgrade.
    .... minimum required size: 310 MB
    --> SYSAUX tablespace is adequate for the upgrade.
    .... minimum required size: 1277 MB
    --> TEMP tablespace is adequate for the upgrade.
    .... minimum required size: 61 MB
    --> BANAQ tablespace is adequate for the upgrade.
    .... minimum required size: 13 MB
    Flashback: OFF
    Update Parameters: [Update Oracle Database 11.2 init.ora or spfile]
    -- No update parameter changes are required.
    Renamed Parameters: [Update Oracle Database 11.2 init.ora or spfile]
    -- No renamed parameters found. No changes are required.
    Obsolete/Deprecated Parameters: [Update Oracle Database 11.2 init.ora or spfile]
    --> background_dump_dest 11.1 DEPRECATED replaced by
    "diagnostic_dest"
    --> user_dump_dest 11.1 DEPRECATED replaced by
    "diagnostic_dest"
    --> core_dump_dest 11.1 DEPRECATED replaced by
    "diagnostic_dest"
    Components: [The following database components will be upgraded or installed]
    --> Oracle Catalog Views [upgrade] VALID
    --> Oracle Packages and Types [upgrade] VALID
    --> JServer JAVA Virtual Machine [upgrade] VALID
    --> Oracle XDK for Java [upgrade] VALID
    --> Oracle Workspace Manager [upgrade] VALID
    --> EM Repository [upgrade] VALID
    --> Oracle XML Database [upgrade] VALID
    --> Oracle Java Packages [upgrade] VALID
    --> Oracle interMedia [upgrade] VALID
    --> Expression Filter [upgrade] VALID
    --> Rule Manager [upgrade] VALID
    Miscellaneous Warnings
    WARNING: --> Database is using a timezone file older than version 11.
    .... After the release migration, it is recommended that DBMS_DST package
    .... be used to upgrade the 10.2.0.4.0 database timezone version
    .... to the latest version which comes with the new release.
    WARNING: --> Database contains schemas with stale optimizer statistics.
    .... Refer to the Upgrade Guide for instructions to update
    .... schema statistics prior to upgrading the database.
    .... Component Schemas with stale statistics:
    .... SYS
    .... SYSMAN
    WARNING: --> Database contains INVALID objects prior to upgrade.
    .... The list of invalid SYS/SYSTEM objects was written to
    .... registry$sys_inv_objs.
    .... The list of non-SYS/SYSTEM objects was written to
    .... registry$nonsys_inv_objs.
    .... Use utluiobj.sql after the upgrade to identify any new invalid
    .... objects due to the upgrade.
    .... USER PUBLIC has 2 INVALID objects.
    .... USER FAPROD has 1 INVALID objects.
    .... USER SIPROD has 1 INVALID objects.
    .... USER SYS has 2 INVALID objects.
    .... USER USF_ADV has 2 INVALID objects.
    WARNING: --> Database contains schemas with objects dependent on network
    packages.
    .... Refer to the Upgrade Guide for instructions to configure Network ACLs.
    .... USER BANINST1 has dependent objects.
    .... USER SIPROD has dependent objects.
    .... USER SCTCVT06 has dependent objects.
    .... USER GEPROD has dependent objects.
    .... USER USF_FIN has dependent objects.
    .... USER WTAILOR has dependent objects.
    .... USER WFBANNER has dependent objects.
    .... USER BANSSO has dependent objects.
    .... USER ADPROD has dependent objects.
    WARNING: --> EM Database Control Repository exists in the database.
    .... Direct downgrade of EM Database Control is not supported. Refer to the
    .... Upgrade Guide for instructions to save the EM data prior to upgrade.
    WARNING:--> recycle bin in use.
    .... Your recycle bin is turned on and it contains
    .... 449 object(s). It is REQUIRED
    .... that the recycle bin is empty prior to upgrading
    .... your database.
    .... The command: PURGE DBA_RECYCLEBIN
    .... must be executed immediately prior to executing your upgrade.
    PL/SQL procedure successfully completed.
    SYS@TEST11>exit

  • How to make or create rule matrix?

    Hi,
    How do I create a rule matrix? Do we first consider the business process? I mean, do we have to create the rule matrix as per the different SAP modules (BASIS, HR, PAYROLL, etc.)?
    Also, if somebody has any document or link for a role simulation demonstration, please share it with me.

    Dear Pranjal,
    you have to start to analyze your business and then based on your processes you have to define what is a risk. In the end a risk must be declared by your management. I would recommend to start with the pre-delivered rule set from SAP to see what has been defined as a risk. Basically that is a good start to develop your own rule set.
    Personally I am using a risk matrix to identify SOD conflicts we have in our organization. Based on that we have identified critical risks and those are defined in the rule set. Please see the following matrix of general tasks:
    As mentioned above, in the end the risks must be declared by your management. Some SOD might not be critical in my organization but in yours they are. Hence you have to analyze your business and your processes, and based on that define what is critical and what is not.
    Please let me know if you need further details.
    Regards,
    Alessandro

  • Non existing value EC for M_BEST_BSA / BSART used in rule set

    Hello,
    while implementing the 2010 rule set updates into our system, we realized that there is a value used that is not existing in the system.
    It is for object M_BEST_BSA, field BSART. The value is EC.
    In the rule update document from Q2 2010, there is the following comment:
    5. PR02 – Maintain Purchase Order – Upon review of this function with the rules mini-council, the decision was made to remove document type from the rules.  Previously, we delivered document types EC, FO and NB with our rules.  However, the majority of customers create custom document types for purchasing.  Many customers did not customize the rules, which results in only those users that had the standard EC, FO and NB document types being reported as having a risk.  Users who had the custom document types would not be reported, which results in false negative reporting.  Therefore, the decision was made to remove document type from our delivered rules.  This will force each customer to review their document types and edit this function to include all relevant document types so all users who have a risk are shown.
    However, the value is still enabled in function PR04, even though it is not a valid value for field BSART. It is not existing in table T161, which holds the PO document types. It does not seem to exist since at least release 4.6C.
    The value is inherited from the transactions ME28 and ME29N
    Does anyone know what it is about and why the value still is considered a standard value?
    I know this does not give me false conflicts, as the BSART values are used in condition OR.
    Why is the value not just removed, if it is not a valid value at all?
    edit:
    Sorry, forgot to mention, we use CC4.0 in an ECC6.0 system
    end of edit:
    Regards,
    Thomas Schaeflein
    IBM
    Edited by: Thomas Schaeflein on Jan 26, 2011 4:14 PM
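
The false-negative effect described in the rule update note quoted above, and the observation that an unused value in an OR'ed value list creates no false conflicts, shown as an added example (not SAP's or the poster's code). The matching model, the users, the ACTVT values, the transaction list for PR02 and the set of valid document types are simplified assumptions constructed for illustration.

```python
"""Added illustration, not SAP GRC code: how a field-value restriction in a
function rule hides users (false negatives), and how to spot rule values
that do not exist in the system."""
from dataclasses import dataclass, field

WILDCARD = "*"


@dataclass
class Permission:
    auth_object: str
    # field -> allowed values. Values inside one field are OR'ed, fields are
    # AND'ed. A field missing from the dict is not checked by the rule.
    fields: dict = field(default_factory=dict)


@dataclass
class FunctionRule:
    function_id: str
    tcodes: set
    permissions: list


@dataclass
class User:
    name: str
    tcodes: set
    authorizations: list  # [(auth_object, {field: set(values)})]


def _field_matches(rule_values, user_values):
    if not rule_values:                 # rule does not restrict this field
        return True
    return WILDCARD in user_values or bool(rule_values & user_values)


def has_permission(user, perm):
    # All rule fields must be satisfied by ONE authorization of that object.
    for obj, user_fields in user.authorizations:
        if obj == perm.auth_object and all(
            _field_matches(vals, user_fields.get(name, set()))
            for name, vals in perm.fields.items()
        ):
            return True
    return False


def has_function(user, rule):
    if not (user.tcodes & rule.tcodes):
        return False
    return all(has_permission(user, p) for p in rule.permissions)


def flagged_users(users, rule):
    return sorted(u.name for u in users if has_function(u, rule))


def missed_users(users, narrow_rule, reference_rule):
    """Users the reference rule reports but the narrower rule does not."""
    return sorted(set(flagged_users(users, reference_rule))
                  - set(flagged_users(users, narrow_rule)))


def unknown_rule_values(rule, auth_object, field_name, valid_values):
    """Rule values that are absent from the system's own value table."""
    found = set()
    for perm in rule.permissions:
        if perm.auth_object == auth_object:
            found |= perm.fields.get(field_name, set()) - set(valid_values)
    return sorted(found)


def po_rule(bsart_values=None):
    """PR02-style rule. Assumed content: create/change (ACTVT 01/02) on
    M_BEST_BSA via ME21N/ME22N; bsart_values=None means no document type."""
    fields = {"ACTVT": {"01", "02"}}
    if bsart_values is not None:
        fields["BSART"] = set(bsart_values)
    return FunctionRule("PR02", {"ME21N", "ME22N"},
                        [Permission("M_BEST_BSA", fields)])


# Constructed sample data: document types present in this system (stand-in
# for table T161) and four users with different purchasing authorizations.
VALID_DOC_TYPES = {"NB", "FO", "ZNB", "ZSRV"}
USERS = [
    User("alice", {"ME21N"}, [("M_BEST_BSA", {"ACTVT": {"01", "02"}, "BSART": {"NB"}})]),
    User("bob", {"ME21N"}, [("M_BEST_BSA", {"ACTVT": {"01"}, "BSART": {"ZNB"}})]),
    User("carol", {"ME21N"}, [("M_BEST_BSA", {"ACTVT": {"03"}, "BSART": {"*"}})]),
    User("dave", {"ME23N"}, [("M_BEST_BSA", {"ACTVT": {"01"}, "BSART": {"NB"}})]),
]

OLD_RULE = po_rule({"EC", "FO", "NB"})      # standard document types only
NO_DOCTYPE_RULE = po_rule()                 # document type removed
CUSTOM_RULE = po_rule(VALID_DOC_TYPES)      # customer-maintained values

if __name__ == "__main__":
    print("standard doc types  :", flagged_users(USERS, OLD_RULE))
    print("doc type removed    :", flagged_users(USERS, NO_DOCTYPE_RULE))
    print("customized doc types:", flagged_users(USERS, CUSTOM_RULE))
    print("missed by old rule  :", missed_users(USERS, OLD_RULE, NO_DOCTYPE_RULE))
    print("values not in system:",
          unknown_rule_values(OLD_RULE, "M_BEST_BSA", "BSART", VALID_DOC_TYPES))
```
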

    Start by saying bump.
    I've still no word from Adobe if they are doing anything with
    this problem. Any one had any replys from Adobe on it? Any one
    found a work around with recoding queries?
