Access to update the GRC rule set is limited

Hello - What is the process (tcode) to see who has access to update the GRC rule set?
Thanks!

Hi Sam,
   What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
The process to change a rule set is as below:
1) Create Function
2) Create risk
3) Create Rule
Regards,
Alpesh

Similar Messages

  • GRC Rule Set Updates

    Where can I find updates made to the default rule set?

    http://service.sap.com/support
    Click on the Help & Support tab --> Search for SAP Notes.
    You will need a valid S-number to log in.
    Thanks!
    Ankur
    SAP GRC RIG

  • Error while uploading standard text files for the Global rule set

    Hi all,
    As part of Post Installation Activities we have uploaded standard text files for business process, functions, risks and rule set obtained with the installable Software.
    While uploading the text files we have uploaded the Basis Functions Authorizations first and then R/3 text files.
    When we checked no actions are appearing in the rule architect under respective functions except for the BASIS Module.
    Is this because we have uploaded the Basis functions before the R/3 text files? If yes, how to replace the Basis with the R/3 ones.
    We tried to replace the Basis function authorizations by re-uploading the R/3 text files again but we got the below error message "ORA-00001:unique constraint (SAPSR3DB.SYS_C004479) violated"
    Can somebody please help in this regard how to get the standard rule set in our system?
    Thanks and Best Regards,
    Srihari.K

    Hi Sri,
    You should first upload the static text files and the authorization objects and then the GRC standard rule set files, following the instructions of the SAP Configuration Guide available in Service Market Place under http://service.sap.com/instguides .
    The GRC standard rule set contains files named Basis_functions_action.txt and R3_function_action.txt. The first one contains ONLY function definitions in terms of transaction codes for basis only, whereas the second one contains function definitions for basis AND ERP modules. The same holds for the *_function_permission.txt files. There are also function definition files for other SAP solutions such as APO, CRM, HR etc.
    You can open a customer message and request a deletion script for the rule sets files you have uploaded already. After their application of this script all rule set data will be deleted from your database. If you have uploaded static text and authorization files correctly, you can then upload the GRC standard rule set files as needed again.
    best regards,
    Frank

  • Multiple GRC rule set update

    We have a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definitions, to be loaded in GRC. If we try to upload rule set B risks and functions via the Upload function in GRC, would it overwrite rule set A or not? Just wanted to confirm whether the existing rule set A would be affected or not due to the upload of rule set B.

    Hey Alpesh,
    Sorry, I haven't understood it correctly. This is a question that will always be asked in the train.
    You wrote:
    "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
    Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
    What's about with the ALL.txt files, do I have to change/upload them as well again?
    Thanks for feedback,
    always a pleasure!
    Greets
    Martin

  • Access policy or the Applications&Gaming setting on E1200

    Hi, all,
    I wonder if I can set up a certain rule for a PC or Mac through the "Access policy" or the "Applications&Gaming". Here is what I wanted: this PC/Mac can only access some internet sites, for example dictionary or wiki or google, from 5:00M-8:30PM, and from 8:30PM-9:30PM it can access "facebook" etc., and it will be disconnected after 9:30PM.
    Thank you for helping.
    Solitons

    Thanks,
    I tried to use opendns, and set the computer for standard user, but the boy can still play games whenever he wants to. I do see he cannot access the internet by setting the parental control, but the parental control setting is not good enough, e.g. the 1st column is only the PM times, and the 2nd column is only AM times, therefore I cannot set it for 6:00PM-9:00PM. By the way, I only have the "Access Policy". I tried to upgrade the software, but it seems that's it.
    Could you please give some instructions on how to set up a policy step by step? E.g. the boy can use facebook only from 8:00PM-9:00PM.
    Thanks again

  • Updating Compliance Calibrator Rule Set

    The business has decided to change a few rules by removing a couple of custom tcodes from the rule set.  In DEV I go into the Function and remove the objects associated with the tcode and disable the tcode.  After running the rule set update there is still some sort of tie.  I have created a test ID in DEV with a known issue around each of the changes.  I'm not getting a different result when running compliance calibrator.
    Any ideas?
    We are running R/3 4.6C and compliance calibrator 4.0

    Can you please check the following demo?
    Virsa Compliance Calibrator Application for SAP v5.1 Demo: http://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/d2f1cf9c-0d01-0010-2dac-aedd3c4f7f5b&overridelayout=true
    Please give more details on the step where you got stuck.
    Regards,
    Dipanjan

  • GRC - Rule Set Library

    Hello,
    Does GRC deliver a rule set library for Compliance Calibrator? If yes, how is this package delivered: is it included in the installation of the package itself or is it a separate one? What factors do we need to consider when customizing or modifying the standard library to accommodate any client requirement?
    I appreciate any help on this.
    Thanks in advance!
    Eric

    Each customer is unique therefore their ruleset should be unique.
    After all, how can the out of the box ruleset meet all of the Internal Control requirements for all different industries in all countries for all legislations for all versions of SAP? It can't!
    Your next question is how long does it take to build your own ruleset. I have clients that have taken 2 weeks and others that are still working on it after 15 years!!
    The most important people to include in your ruleset review process are:
    External audit
    Internal audit/Compliance
    Business Process Experts
    without these people on board you will design a ruleset and remediate/mitigate issues that are not actually considered to be issues!!

  • The icon on my message app does not work since the update, the recipient is set up to use it, my grandchildren

    The sent icon on my ipad doesn't work since the update to ISO 7.06 the recipients are set up to receive messages 

    You can try resetting your iPad by simultaneously pressing and holding the Home and Sleep/Wake buttons until you see the Apple Logo. This can take up to 15 seconds so be patient and don't release the buttons until the logo appears.
    Try again to see if the problem persists.

  • How to update the value of setter and getter..!!

    Hi all, I am developing a portal application in which I display the metadata information related to a document (stored in UCM) in a popup in my application...
    The user can also update the information through the application.
    In my popup I have a trh: table layout in which I have a selectOneChoice field as
    <trh:cellFormat id="xcfcSecurityGrp">
      <af:selectOneChoice value="#{MetaDataFields.DSecurityGroup}" id="ddldSecurityGroup" showRequired="false"
                          autoSubmit="true"
                          immediate="true">
        <f:selectItems value="#{ContentDataBean.TSecurityGrpList}" id="si1"/>
      </af:selectOneChoice>
    </trh:cellFormat>
    The MetaDataFields.DSecurityGroup shows the current security group on the document
    and
    ContentDataBean.TSecurityGrpList provides the user with the list of security groups to update.
    The current security group I am getting through a map which consists of metadata information for a document:
    // Setter called when the user picks a new security group
    public void setDSecurityGroup(String dSecurityGroup) {
        this.dSecurityGroup = dSecurityGroup;
    }
    // Getter re-reads the value from the document's metadata map on every call
    public String getDSecurityGroup() throws IdcClientException, IOException {
        Map<String,String> mapValue = ep.getDocumentPropertiesSystem();
        dSecurityGroup = mapValue.get("dSecurityGroup");
        return dSecurityGroup;
    }
    The problem is that whenever I am updating the value for the security group, I am getting the old value. The problem is that I have to get the value from the map every time, as it consists of metadata information for the currently selected document.
    Is there any way through which I can update the value for this field?
    Thanks
    JDeveloper - 11.1.1.6.0

    Hi,
    Try binding ValueChangeListener on the selectList. Also set the autoSubmit property to true.
    Thanks,
    Pandu

  • How do I update the TOC, after setting page numbers?

    I have set page numbers to run from Chapter 1. Actually on Page 9. but the TOC shows Chapter 1 starting at Page 7, which is not correct anyway.
    How do I cause the TOC to update? so the Chapter/Page numbers align ok.

    You need to say which version you are talking about, they behave differently.
    Peter

  • I've updated to Maverick and now my iPhoto app won't work until updated. The problem I'm experiencing is that my Apps store won't grant me access to update the app. help.

    Included are screen grabs of some of the message prompts I'm receiving when attempting to update my iPhoto app.
    *side note: my operating system recently crashed, and my computer was wiped, so 'salvaging' photos from the current app is not a factor since they've been backed up externally already.

    Please test after each of the following steps that you haven't already tried. Stop when the problem is resolved. Back up all data before making any changes.
    Step 1
    Select the Purchases page in the App Store and locate the app(s) in your purchase history. If there's a button marked ACCEPT on the right, click it.
    Step 2
    If you're trying to update iLife or iWork apps that were installed from a purchased DVD, or if you have a refurbished Mac bought directly from Apple, contact App Store customer service for a redemption code. You may be asked for the part number of the DVD.
    Step 3
    From the App Store menu bar, select
    Store ▹ View My Account
    Enter your Apple ID password at the prompt. At the lower right corner of the window that opens, click the Reset button. Close the window.
    Step 4
    If you have a used Mac, the bundled apps were linked to the original owner's Apple ID and can't be transferred to you. Reportedly, customer service has issued redemption codes to some second owners who asked, but it's not guaranteed.
    Step 5
    Delete the app(s) you want to update and reinstall them.

  • Access Control Rule Set deletion in GRC 10

    Greetings,
    Has anyone tried deleting rulesets or experienced any issues while deleting rule sets in GRC 10? I have tried to delete them from SPRO as well as from the Setup tab in Access Control; however, it's not working for me. Even in SPRO, after choosing the physical system and logical system information, it stays on that screen forever and nothing happens.
    Any help or guidance here will be much appreciated.
    Thanks everyone for your valuable time.
    Vikas

    Hey ,
    There are no tricks or tips.  It was something stupid on my part.
    I just had a look at the system again and found a function left in the system which was mapped to this ruleset, so that was the only reason I was not able to delete the ruleset. As soon as I deleted that function, it worked.
    So I was able to delete the entire rule set after deleting all the risks and functions mapped to this rule set.
    Have a great day ahead ...
    Vikas

  • Do you trust the SAP standard rule set ?

    Hello all,
    I have the impression that, too often, the SAP standard ruleset has been taken for granted: upload, generate and use. Here is a post as to why not to do so. Hopefully, this will generate an interesting discussion.
    As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
    1. what is your SAP release ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to be provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
    2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
    Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
    So, the best practice is :
    a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
    b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
    You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
    Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too many users out of your audit results because the filter is too stringent. This practice would lead to false negatives, something that auditors do not like.
    Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, then ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that your SU24 settings are maintained excellently.
    Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrators will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu. But the role administrator inactivates the object in the role. Still no problem, because the user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
    Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
    Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if you're not sure, leave the job to a specialized firm.
    Success !
    Sam
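The filtering effect described in the post above, as an added Python sketch (not code from the thread or from SAP GRC): the permissions enabled for an action work as an AND filter on who is reported, so enabling an optional object such as F_BKPF_GSB or F_BKPF_BEK hides users who can still post with FB01. The user names and their authorizations are constructed, field values are ignored, and the system is assumed not to use authorization groups on business areas or vendor accounts.

```python
# Added illustration, not SAP code: a simplified model of how the permissions
# enabled in a GRC function decide which users a risk analysis reports.
# Only auth object names are compared; field values (ACTVT, BUKRS, ...) are ignored.

# Per the post: the basic authorizations needed to post an FI document with FB01.
REQUIRED_AT_RUNTIME = frozenset({"F_BKPF_BUK", "F_BKPF_KOA"})

# Constructed users. Assumption: the system does not use authorization groups
# on business areas (F_BKPF_GSB) or vendor accounts (F_BKPF_BEK), so all three
# clerks can post with FB01 and only VIEWER cannot.
USERS = {
    "CLERK_A": {"tcodes": {"FB01"}, "objects": {"F_BKPF_BUK", "F_BKPF_KOA"}},
    "CLERK_B": {"tcodes": {"FB01"},
                "objects": {"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB"}},
    "CLERK_C": {"tcodes": {"FB01"},
                "objects": {"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_BEK"}},
    "VIEWER": {"tcodes": {"FB03"}, "objects": {"F_BKPF_BUK"}},
}

# Three ways the FB01 action could be defined inside a function.
RULE_VARIANTS = {
    "core objects only": frozenset({"F_BKPF_BUK", "F_BKPF_KOA"}),
    "SU24 import with F_BKPF_GSB": frozenset(
        {"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB"}),
    "AP02 as described in the post": frozenset({"F_BKPF_BEK", "F_BKPF_KOA"}),
}


def reported_users(tcode, enabled_objects, users):
    """Users the analysis reports: tcode plus every enabled auth object."""
    return sorted(
        name for name, auths in users.items()
        if tcode in auths["tcodes"] and enabled_objects <= auths["objects"]
    )


def able_users(tcode, users):
    """Users who can really execute the tcode in the assumed system."""
    return sorted(
        name for name, auths in users.items()
        if tcode in auths["tcodes"] and REQUIRED_AT_RUNTIME <= auths["objects"]
    )


def false_negatives(tcode, enabled_objects, users):
    """Users who can execute the tcode but are missing from the report."""
    reported = set(reported_users(tcode, enabled_objects, users))
    return sorted(set(able_users(tcode, users)) - reported)


def compare_variants(tcode="FB01", users=USERS):
    """Run every rule variant and collect reported and missed users."""
    return {
        name: {
            "reported": reported_users(tcode, enabled, users),
            "missed": false_negatives(tcode, enabled, users),
        }
        for name, enabled in RULE_VARIANTS.items()
    }


if __name__ == "__main__":
    for name, result in compare_variants().items():
        print(f"{name}: reported={result['reported']} missed={result['missed']}")
```
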

    Sam and everyone,
    Sam brings up some good points on the delivered ruleset. Please keep in mind, however, that SAP has always stated that the delivered ruleset is a starting point. This is brought up in SAP Note 986996, Best Practice for SAP CC Rules and Risks. I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
    I'll try to address each area that Sam brings up:
    1.  Regarding the issue with differences of auth objects between versions, the SAP delivered ruleset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
    The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
    The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
    If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
    Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
    2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  An example is ME21N.
    If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the objects, M_BEST_BSA.  This is to prevent false negatives.
    3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
    4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
    1083611 Compliance Calibrator Rule Update Q3 2007
    1061380 Compliance Calibrator Rule Update Q2 2006
    1035070 Compliance Calibrator Rule Update Q1 2007
    1173980 Risk Analysis and Remediation Rule Update Q2 2008
    5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
    6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
    https://www.sdn.sap.com/irj/sdn/bpx-grc
    Under Key Topics - Access Control; choose document below:
        o  GRC Access Control - Access Risk Management Guide (PDF 268 KB)
    The access risk management guide helps you set up and implement risk identification and remediation with GRC Access Control.

  • Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA

    Issue Summary
    In Java 1.7 Update 71, Java 1.7 Update 72 and Java 1.8 Update 25 Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA.  We've noticed this with Oracle Forms and Reports 11g where we have forms that specify Java 1.6 Update 20.  We used to be able to specify Java 1.6 Update 26 in our Ruleset, but now the only version that works in our ruleset is Java 1.6 Update 20, which is the same version requested by the JPI-Version attribute of the jar.  The long term solution would be to upgrade Oracle Forms and Reports, however this isn't currently in the cards.
    RuleSet.xml Test
    Ruleset.xml

    <ruleset version="1.0+">
    <rule>
       <id location="*.javatester.org" />
       <action permission="run" version="1.6*" />
    </rule>
    <rule>
       <id location="*.internaldomain.name" />
       <action permission="run" version="1.6*" />
    </rule>
    </ruleset>
    Test 1 (Control)
    Installed Java Versions:
    – 1.7 Update 51 b13 (both x86 and x64 however x86 is invoked)
    – 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
    Deployment Ruleset works as expected for both URLs
    Test 2
    Installed Java Versions:
    – 1.7 Update 72 (both x86 and x64 however x86 is invoked)
    – 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
    The RuleSet works for JavaTester.org however on internaldomain.name we get the following error:
    With the trace logging turned on, I suspected the version attribute supplied by the RIA. I was able to trick Java by adding the following to my system deployment.properties file:
    deployment.javaws.jre.0.product=1.6.0_20
    deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
    deployment.javaws.jre.0.enabled=true
    Because the RIA requests 1.6.0_20 it matches 1.6* from the deployment ruleset sooner than 1.6.0_26. However, if 1.6.0_20 is not available 1.6.0_26 should match according to the Deployment Rule Set documentation:
    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
    The version of the JRE that is used is determined by the following order of precedence:
    1. The current version of the JRE is used if it is available and matches both the version attribute and the version requested by the RIA.
    2. The latest available version of the JRE is used if it matches both the version attribute and the version requested by the RIA.
    3. The current version of the JRE is used if it is available and matches the version attribute.
    4. The latest available version of the JRE is used if it matches the version attribute.
    If no version is available that meets the criteria, then the RIA is blocked, and a message is shown to the user. To provide a custom message, include the message element.
    As a result:
    If Java 1.6.0_20 is listed in the version requested by the RIA and 1.6.0_20 is listed in the deployment.properties file, #1 matches.
    If Java 1.6.0_20 is listed in the version requested by the RIA, but 1.6.0_20 is NOT listed in the deployment.properties file the #1 SHOULD match, but doesn’t. It used to match up-to and including JRE 1.7 Update 51 however the ruleset appears to no longer match in subsequent versions.
    #2 should never match with our current Deployment Ruleset. It would match if we specified 1.7* as a version in the Ruleset.xml.
    #3 used to be broken as well after JRE 1.7 Update 51 however this bug has been marked as fixed. See: http://bugs.java.com/view_bug.do?bug_id=8032781
    I have reproduced this issue with Java 1.7 Update 71, Java 1.7 Update 72, and Java 1.8 Update 25 when one of these versions are installed with Java 1.6 Update 26.
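The four-step order of precedence quoted in the post above, as an added Python sketch (not Oracle's implementation and not code from the post), applied to the JRE sets from Test 1, Test 2 and the deployment.properties workaround. It follows a literal reading of the quoted list and assumes that the "current" JRE is the newest one installed, that the RIA requests exactly 1.6.0_20, and that version strings match by the simplified rules in `matches`.

```python
# Added illustration, not Oracle code: the JRE selection order quoted from the
# Deployment Rule Set documentation, applied to the JRE sets named in the post.
import re


def parse(version):
    """'1.6.0_26' -> (1, 6, 0, 26) so versions can be compared and sorted."""
    return tuple(int(part) for part in re.split(r"[._]", version) if part)


def matches(pattern, version):
    """Simplified version-string match (assumption): 'X*' is a prefix match,
    'X+' means X or newer, anything else must be equal."""
    if pattern.endswith("*"):
        prefix = parse(pattern[:-1])
        return parse(version)[:len(prefix)] == prefix
    if pattern.endswith("+"):
        return parse(version) >= parse(pattern[:-1])
    return parse(version) == parse(pattern)


def select_jre(installed, rule_version, ria_version):
    """Return (version, step) following the documented precedence, or
    (None, 0) when no JRE qualifies and the RIA would be blocked.
    Assumption: the 'current' JRE is the newest installed one."""
    if not installed:
        return (None, 0)
    current = max(installed, key=parse)
    rule_ok = [v for v in installed if matches(rule_version, v)]
    both_ok = [v for v in rule_ok if matches(ria_version, v)]
    if current in both_ok:
        return (current, 1)                  # step 1: current, rule and RIA
    if both_ok:
        return (max(both_ok, key=parse), 2)  # step 2: latest, rule and RIA
    if current in rule_ok:
        return (current, 3)                  # step 3: current, rule only
    if rule_ok:
        return (max(rule_ok, key=parse), 4)  # step 4: latest, rule only
    return (None, 0)


# JRE sets taken from the post; the last one is constructed to show a block.
SCENARIOS = {
    "Test 1 (7u51 + 6u26)": ["1.7.0_51", "1.6.0_26"],
    "Test 2 (7u72 + 6u26)": ["1.7.0_72", "1.6.0_26"],
    "Workaround (6u20 listed)": ["1.7.0_72", "1.6.0_26", "1.6.0_20"],
    "No JRE 6 installed": ["1.7.0_72"],
}


def evaluate(rule_version="1.6*", ria_version="1.6.0_20"):
    """Expected selection per scenario for the rule and RIA request in the post."""
    return {
        name: select_jre(installed, rule_version, ria_version)
        for name, installed in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (version, step) in evaluate().items():
        print(f"{name}: {version or 'blocked'} (step {step})")
```
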

    I can't seem to edit this post anymore, for some odd reason.
    So here goes;
    I found this post in NVIDIA's knowledge base;
    When installing an after-market graphics card into a certified Windows 8 PC with UEFI enabled, the s...
    The interesting parts in this post are as follows;
    When an after-market graphics card is installed into a motherboard with UEFI enabled in the system BIOS, or if the system is a certified Windows 8 PC with Secure Boot enabled, the system may not boot.
    UEFI is a new system BIOS feature that is provided on most new motherboards. A UEFI system BIOS is required in order for the Windows 8 Secure Boot feature to work. Secure boot is enabled by default on certified Windows 8 PCs.
    In order to get the PC to boot with a graphics card that does not contain UEFI firmware, the end-user must first disable the secure boot feature in the system's SBIOS before installing the graphics card.
    Note: Some system SBIOS's incorporate a feature called compatibility boot. These systems will detect a non-UEFI-enabled firmware VBIOS and allow the user to disable secure boot and then proceed with a compatibility boot. If the system contains a system SBIOS that supports compatibility boot, the user will need to disable secure boot when asked during the boot process.
    This leads me to believe that the BIOS update that wrecked my setup was 9SKT58A/9SJT58A, which only contains one change;
    "Adds support for updating BIOS from a WIN7 BIOS to a WIN8 BIOS".
    I've just ordered a cheap UEFI-compatible GT640 from Gainward, so I hope I'll be able to try that out this weekend.

  • FBL5N - in Rule set - It is a Display customer line items

    Dear All,
    We observed that FBL5N - Display customer line items in Standard SoD rule set under function AR07  addressing a risk of S022.
    Unless there are t-codes of FD03 or FB02 this t-code does not allow to change the payment terms of the customer.
    We are having a challenge from the client that FBL5N is a display t-code and why it is there in rule set.
    Has anybody come across this scenario? If yes, what is the underlying risk for this FBL5N independently?
    Is there any SAP Note for this t-code like ME23N from SAP.
    Thanks and Best Regards,
    Srihari.K

    Hi Christian,
    We checked the authorization objects as well enabled in GRC rule set as below:
    F_BKPF_BUK - Document Authorization document for company codes - 01 or 02 - Enable.
    In spite of this access, FBL5N cannot be used to change the document for payment terms and assignments without FB02 t-code assignment in the role.
    Independently FBL5N cannot be used for any change or create activity except Display customer line items.
    Please advise
    Thanks and Best Regards,
    Srihari.K
