About GRC Delivered Rules

Similar Messages

• CC 5.2 - Adding delivered rules as second ruleset

  We are in the process of upgrading from CC 5.1 to 5.2.  In addition to carrying over the custom ruleset that we have created for the company, I have been asked to load the delivered rules as a second ruleset, so that the folks in the compliance department can use them for comparison.  I have created rulesets by uploading the 7 files (business_processes.txt, function.txt, risks.txt, etc.) and generating the rules.  I have also created entire rulesets from scratch, but I have never done both in the same system, though I understand it can be done.  The ruleset we are using right now was built from scratch and has been fine-tuned for the company's needs, so I want to keep it intact.  What I would like to know is how I go about uploading the delivered rule files without affecting my existing ruleset.  I've already seen a note that says none of the functions or risks can have the same IDs across rulesets, so I'm prepared to make those changes to the upload files.  Any assistance will be much appreciated!
  Thanks,
  Dave

  Dave,
  You've already considered the main hangup most would encounter with loading another ruleset into CC 5.x-- the need for unique Ids within the elements of the ruleset.
  One key item that needs to be specified is the default ruleset because the file upload only uploads into whatever has been specified as the default ruleset.  Your current default ruleset is likely your customized ruleset.  Create a new ruleset to contain the GRC delivered rules, and temporarily set that as your default ruleset.  Perform the upload of the text files (and as you note, a prerequisite is to make sure that all of the business process, function, and risk Ids are unique from what already exists).  You can then switch the default ruleset back to normal and proceed with generating the rules in background.
  Note that you'll want to do this at a time when there is very little expected activity in the system as it's pretty likely that end users of CC will not realize that the ruleset is different as they perform ad-hoc analysis.  Also, Access Enforcer risk analysis is always tied to the default ruleset, so for a few minutes at least, if anyone performs risk analysis in AE, they would receive incorrect results.

• 5.3 upgrade delivered rules vs 5.2 rules

  We recently upgraded to 5.3 and noticed there were delivered rules sent with the software.  Are these rules different than the ones we used in 5.2 because I have role violations but no user violations and I can't figure this out....any advice?
  Regards,
  Greg

  PROBLEM DESCRIPTION TO SAP: My 5.2 GRC AC system was upgraded to 5.3 in Oct 09. Since the upgrade, no user violations are showing/updating and I know for certain that the users have been assigned roles with conflicts. I would like to obtain a cleanup script to wipe the Business Process, Function, Function Authorization, Rule Set, and Risk rules so that I may reload them.
  SAP RESPONSE:  Unfortunately, at this time, we are unable to provide you scripts to perform the function you want. Doing direct table updates is not something that GRC is able to support at this time. I'm attaching a word document that provides you the table and field names for the application. Your Database Administrator and developers should be able to use this information to develope scripts to accomplish what you require.
  MY RESPONSE: I have asked our DBA to look at the information you sent and he's informed me that he wouldn't know where to begin. Will this script work (script not attached).
  SAP RESPONSE:  I technically can't confirm that this will work. But the tables
  did not change between 5.2 and 5.3.

• What about GRC Process Control 3.0

  Hi experts!
  I've read a lot of information about GRC AC 5.2/3. But no so much documents about the new version of PC.
  Right now we are trying to install and test a system parameterized in our laboratory.
  Is there a specific forum for PC?
  Has anyone installed it successfully?
  What are the main steps?
  Documentation "useful?
  Thanks a lot

  Hi,
  There are quite a few successful GRC PC implementations around the world. If you are representing a customer / partner, you can touch base with me and I will be more than happy to help you.
  Application Help for PC @ SAP Help Portal, Installation,Upgrade Security guide are available @ SAP Service Market place.
  Which version of PC are you planning to implement.
  Regards
  Rohit Balu

• Brazil - SAP Standard Delivered Rule / Config for R/3 ?

  Hi
  I have recently come across an issue with updating a Brazilian employees IT0008 - Basic Pay screen. I was trying to modify the start date of the screen (BEGDA) to reflect a date other than the 1st of the month. When I attempt to do this though I get a hard stop error message.
  I was told that this rule / hard stop error message in R/3 when trying to update IT8 for Brazil employees was as standard delivered SAP rule.
  I am trying to validate if that is the case, and if so if anyone can give me more details on this SAP delivered rule / functionality.
  If it's not a SAP delivered, but something my company has put in place perhaps, is there a way to find out in R/3 where this rule is set-up/referenced in order to remove it potentially to allow for IT8 Begda changes for Brazil ?
  Any help on this matter would be much appreciated and rewarded with points.
  Nicola.

  Please check the BADI under the following include
  Main Program     MP000800 
  Source code of   MPPERS00 
  Form - POST_INPUT_EDYNR
  Line - PERFORM badi_after_input(sapfp50m).
  IMP_NAME     BR_SALARY_INCREASE
  INTER_NAME     IF_EX_HRPAD00INFTY
  IMP_CLASS     CL_IM_BR_SALARY_INCREASE
  Main Program     CL_IM_BR_SALARY_INCREASE======CP      
  Source code of   CL_IM_BR_SALARY_INCREASE======CM002   
  method IF_EX_HRPAD00INFTY~AFTER_INPUT
  Line 23 - 35
  Regards
  Ravikumar

• GRC AC Rule Sets

  Hi
  We have a requirement of building up a custom rule set for our organization. The current requirement is to have a central rule set across for all system and have subsequent system specific Risks identified in addition.
  Scenario: Letu2019s say we have identified around 100 risks across the enterprise, however only 50 risks out of 100 risks are applicable for one system. While for the second system there are around 70 risks applicable. Finally for the third one all 100 risks are applicable.
  Should we have system specific rule sets to address the above scenario or should we have a common rule set for the enterprise.
  Appreciate your inputs about the approach for building up of rule set for such scenarios.
  Question: With GRC 10.0, can we run risks for a system on multiple rule set IDs at one time.
  Thanks.
  Anjan Pandey

  Hi,
  Most of the clients will prefer to go with one rule set. However System can allow create/maintain multiple rule sets.
  Anyway your requirement is to have one central rule set across all systems u2013 For that, Create Logical system and maintains one Rule set is the right approach and it gives flexibility for future usage to add /remove required systems. You can maintain risks by system specific, not required to maintain multiple rule sets.
  Refer  GRC Access Control Effective Rule Set Design document,  it gives some good explanation of Rule Set Design&typical Scenarios, Logical & Physical systems approach..etc.
  Regards,
  Ram
  Edited by: ram komma on Apr 13, 2011 1:55 PM

• Doubt about the settlement rule of the Production ORder

  The only default distribution rule allowed for a PP order is PP1 or PP2.  We would need to change that to allow settlement to multiple receivers as a default. If that is the case, we may want to look into a user exit to update the settlement rule during production order creation instead so that the G/L account is correct from the beginning.
  Currently when we create the production order, the settlement rule will default the below, I am not sure if a user exit is able to maintain the Source as 200 (Materials)?
  If yes, we can then add the second rule for Source 100 (Labor and Mfg) via the user exit as well.
  In this case, SAP will not prompt us error of settlement with 200%, as they are from difference Sources.
  now anybody can explain me about the User EXit we have to correct this

  any help on this.. please its very urgent
  thanks in advance

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• SAP GRC - Exporting rules from GRC - how to read the .txt file generated ?

  Hi there,
  I am using GRC Compliance Calibrator and have downloaded the default Global rules defined in Compliance Calibrator using the Rule Architect -> Utilities->Export rules.
  This gave me a massive txt file with a lot of tables and data. Reading through this forum, I did figure out that lines starting with M are the header rows for the tables and D rows are the data rows.
  My question is, how do i figure out what each of the Virsa tables stand for (e.g. VIRSA_CC_FUNCACT, VIRSA_CC_FUNCPRM) ?
  I tried SE11 and looking up these tables in the SAP environment associated with this CC install, however it says that the table was not found.
  Could someone please point me to :
  A) A list of the common Virsa CC tables and their descriptions ?
  OR
  B) How can i find what these tables stand for online or in the SAP environment?
  Many thanks !

  Hi Santosh,
  There is no option available to export only the customized rule sets to another system. The export rules option will give all the rules that are available in that system.
  You can do in the below manner
  a) Extract the data from Export rules
  b) Open that text file in a spreadsheet and edit the spreadsheet [Remove the rule sets & the rules not required in production system]
  c) Save the spreadsheet in UTF-8 text file
  d) Upload them in the production.
  The above procedure is bit complex and cumbersome -as changing the text file is risky. Even a space will not generate any rules in the RAR. I would suggest rename the new rule set in different naming convention and upload in your test environment before uploading the text files  in Production.
  But, using the Export and Import option you cannot upload only the customized rule set as the extract happens for the entire rules sets available in the system.
  Thanks and Best Regards,
  Srihari.K

• SAP GRC RAR Rules Generation Job Error - SP13 application

  Hello,
  we applied SP 13 on GRC and RAR Rule Generation job is always in "error" status; below I list an example of job log:
  INFO: -
  Scheduling Job =>237----
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:237 (RULE_GENERATION) - generate f113
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock lock
  FINEST: Lock:1007
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 237 Status: Running
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is generate f113 started :threadid: 1
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=237, status=1, message=generate f113 started :threadid: 1
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock unlock
  FINEST: Unlock:1007
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob ruleGeneration
  INFO: @@@--- Rule ruleGeneration Started ....237
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
  WARNING: *** Job Exception: null
  java.lang.NullPointerException
       at com.virsa.cc.xsys.bg.BgJob.ruleGeneration(BgJob.java:1245)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:609)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:363)
       at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
       at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
       at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
       at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
       at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
       at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
       at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
       at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
       at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
       at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 237 Status: Error
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  2@@Msg is Error while executing the Job:null
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=237, status=2, message=Error while executing the Job:null
  Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>237----
  Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
  WARNING: It is used by the same owner: For current thread retrying to get lock : 1001
  Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
  FINEST: Lock:1001
  Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock unlock
  FINEST: Unlock:1001
  Is there someone that can help me?
  I checked and it seems that "Use NetWeaver Logical Lock" in config tab has to be set to "No"...is it correct for you or have you got other tips?
  Thx to all

  Hello,
  actuallt current values are:
  Row CNFGPARAM| CNFGSEQ| CNFGVALUE|
  35 250 0 NO
  36 251 0 YES
  Value for 250 is ok based on your feedback.
  Value for 251 is based on SNOTE 1508611, even if  SDN forum suggests "0" against the note.
  Have you got any tips?

• GRC Form Rules Event Tracker Not Capturing Button

  Hello,
  I have a form rule for the Projects form (PAXPREPR) that I need to fire when a button is pressed. I have set the event tracker, navigating to the form and pressed the button. I then modified a field and saved the record. When I go back to finish creating the rule, When Button Pressed is not an option and the button is not available inthe field name. I entered the button name and it did not give an error, but the rule did not fire when I press the button. Is there another way to trigger a rule on a button?
  Thank you,
  Jo

  Jo,
  Are you trying to run a rule when saving?  If so you want to use the action: When Validate Record
  Have a look at the PCG user guide on page 2-5 for events that you can typically use. Also going forward you should use the following forum for GRC products: Governance, Risk and Compliance (GRC) (MOSC)
  This forum is no longer used.  I hope that helps!
  Regards,
  Yasir

• GRC Form Rules

  Hi,
  I am trying to call GRC Approval Group; whenver Approve Button is clicked in the Move Order Form. But I am not sure how to prevent the standard Oracle flow/code attached to the button to be stopped from executing and call this approval hierarchy instead.
  Any help/suggestion please?
  Thanks,
  Gowri

  Gowri,
  Go to http://download.oracle.com/docs/cd/E12515_02/grc/html/docset.html and download the document for your version of Preventative Controls Governor (PCG), you want the user's guide in this case. You will need to have the GRC Responsibility (it was called LogicalApps in previous releases). Log in as this responsibility and you can check "Install History" which should tell you the version you're on. Get the correct documentation and go over the section on Form Rules and Flow Rules (you need GRC responsibility for these screens). This should give you a better idea on what you're looking for. I would think you also need a business analysts help, or someone who originally setup the rule. When looking at the Form Rules you can see which form they are attached to, and that should help tell you if the rule is the one affecting you. You will need to know the form name where this is happening for this to help you.
  I hope that helps.
  Edited by: yshah on Jun 1, 2011 10:32 AM

• About GRC portal

  Hi All,
  I am new to GRC and trying to understand the concept and process flow in GRC. I am basically a Portal Consultant, and was comparing the things between GRC portal and EP 7.0.
  In what way are this both related and how I can use, suppose say some reports that are generated in GRC can be shown in EP. Please correct me if my thinking is wrong.
  Also, would like to know, where exactly GRC fits in the Netweaver Architecture?
  Provide me with some inputs on this.
  Thanks,
  Aman.

  Hello Aman,
  GRC products are both JAVA as well as ABAP stack based.
  Front end for all product is in either J2E - JAVA or WEBDYNPRO-JAVA.
  So did you got idea how GRC fits in NW?
  And now in GRC 5.3, they had enabled its integration with Portal through web services.
  Kindly let me know if not clear.
  Regards,
  Surpreet

• Questions about Unplanned deliv cost as Freight in Invoice

  Hi Experts,
  I believe if you don't have any condition for freight in purchase order, then only way to charge freight in Invoice is by using "Unplanned deliv cost" field. My questions are:
  1. Is there any way that we can calculate tax on this unplanned deliv cost value?
  2. Can we have some tolerance limit for "Unplanned Deliv. cost". (e.g $500)?
  We are receiving invoice through EDI.
  Regards,
  Kamal

  1. Is there any way that we can calculate tax on this unplanned deliv cost value?
  Yes, you can. Go to OMR2 trasnaciton adn maintain the tax code for you rcompany than it will populate that in tax code in MIRO for unplanned
  if you want to see the tax code in MIRO than in the SPRO-MM-Invoice verificaiton-Incoming invoice- Configure How Unplanned Delivery Costs Are Posted
  here you have to maintain the 2 in your company code
  than only you can see the tax code in MIRO for unplanned delivery cost
  2. Can we have some tolerance limit for "Unplanned Deliv. cost". (e.g $500)?
  No, this free form fiedl except you use the custom code or user eixt for this to control

• GRC CC rule update q2 2009

  Having taken a look at it, I don't agree with the fact that it recommends to remove the check of f_bkpf_koa in many tcode. For tcd FB05 for example, the Tcode is in functions AP01, AR01, GL01. If we remove the permission check f_bkpf_koa, the authroization check of FB05 in these 3 functions will be exactely the same. And because GL01 conflicts against AP01 and also AR01, every users having FB05 will have conflicts. Same case for FBV0, and also much more other tcds!!!
  Does any body have an idea why SAP recommend to remove f_bkpf_koa check in the q2 2009 rule update?

  I think this is because a vendor accoutant, restricted on account type K (vendor) for object f_bkpf_koa is automatically authorized to post on S (GL) account type. This is mandatory to balance the post. Yet it makes him possible to post frrom GL account to GL account, even if he does not have S (GL) in his authorizations.
  Same thing for a customer accountant who is restricted on D (customer) in his authorizations: he can post on GL accounts too.
  Only GL accountant is really restrictied on GL account type if he has only S for object f_bkpf_koa in his authorizations.
  So according to me, the rules should be:
  AP01 => K
  AR01 => D
  GL01 => K, D, S, A, M
  ...which effectively create risks for every user who has FB05, FBV0...