CC / RAR 5.2 - Multiple Rule Set Question

Similar Messages

• Multiple rule sets - impacts in GRC modules

  Hi,
  We are currently running CC 5.2 on our European perimeter.  We would like to extend in the near future to our US perimeter.  For that, we have to take into consideration a complete new set of rules.
  I presume there will be no issue to handle multiple sets of rules in CC but I was wondering what could be the potential impacts/problems for the other GRC modules?
  i.e.: in Role Expert, for the US roles we would like to avoid getting potential risks from European rule sets,...
  Has anybody some attention points or good practice to share on that ?  It would be a great help for us.
  Thanks & Regards

  Different installation of GRC Solutions for different regions is certainly not recommended and not even required.  It is important to design your cross system landscape efficiently considering different regions in mind and create different rule sets for different regions. In a cross system landscape you can have multiple systems from different regions with entirely a different set of modules and data. Obviously the risk will be different, for that purpose you have to create different rule sets for sure.
  Now when you are performing risk analysis for a particular region you have to select the considered system/connector and a rule set respectively so that you get the risks on targeted system only.
  Bill-
  as you asked, if there are chances of potential impacts/problems for the other GRC modules or not,
  The answer is, There will be no impact at all because you are considering them as separate entities within a landscape. It is the beauty of GRC Access Controls to have multiple system connectors, logical systems and cross system landscape that provides almost every feature to cover all regional perimeters.
  Regards,
  Amol Bharti

• GRC AC Rule Sets

  Hi
  We have a requirement of building up a custom rule set for our organization. The current requirement is to have a central rule set across for all system and have subsequent system specific Risks identified in addition.
  Scenario: Letu2019s say we have identified around 100 risks across the enterprise, however only 50 risks out of 100 risks are applicable for one system. While for the second system there are around 70 risks applicable. Finally for the third one all 100 risks are applicable.
  Should we have system specific rule sets to address the above scenario or should we have a common rule set for the enterprise.
  Appreciate your inputs about the approach for building up of rule set for such scenarios.
  Question: With GRC 10.0, can we run risks for a system on multiple rule set IDs at one time.
  Thanks.
  Anjan Pandey

  Hi,
  Most of the clients will prefer to go with one rule set. However System can allow create/maintain multiple rule sets.
  Anyway your requirement is to have one central rule set across all systems u2013 For that, Create Logical system and maintains one Rule set is the right approach and it gives flexibility for future usage to add /remove required systems. You can maintain risks by system specific, not required to maintain multiple rule sets.
  Refer  GRC Access Control Effective Rule Set Design document,  it gives some good explanation of Rule Set Design&typical Scenarios, Logical & Physical systems approach..etc.
  Regards,
  Ram
  Edited by: ram komma on Apr 13, 2011 1:55 PM

• Multiple GRC rule set update

  we are having a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definition to be loaded in GRC. If we try to upload rule set B risks and functions via Upload function in GRC, would it overwrite the rule set A, or not.Just wanted to confirm whether existing rule set A would be affected or not, due to upload of rule set B.

  Hey Alpesh,
  Sorry, I haven't understand it correct. This is a question that will always be asked in the train.
  You wrote:
  "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
  Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
  What's about with the ALL.txt files, do I have to change/upload them as well again?
  Thanks for feedback,
  alwaly a pleasure!
  Greets
  Martin

• Need information on the new RAR Rule Architect/Rule Set functions

  Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
  My 5.3 Config manual mentions this area but doesn't describe anything about it.  I have a request from our user group and need to determine if this can fit that request.
  What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe).  Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that.  Load the new SAP one into RAR as a separate ruleset and then run this Compare function.  However I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
  Thanks.

  Hi,
  the error 'NullPointerException ' is very common error in GRC.
  kindly search, you will find lots of threads and notes on thi.
  check you permission TXT file. It contain null value some where.
  especially check SD01 & SD02 tcodes.
  Also open permission file in word and check all TAB's and ENTER's in technical view.
  Regards,
  Surpreet

• RAR: Global Rule set

  Hi,
  I am wondering if the latest global rule set contains the tcodes, authorization objects and values based on the latest version of SAP? If yes, can this global rule set be applicable for SAP version 4.7 ?
  Thanks,
  Debbie

  Hello Rajesh,
  Hope this information from SAP helps you.RAR Rule Update - Documentation
  It is not possible to programmatically send out updates to the default ruleset (i.e. via transports or STMS). 
  This is because rule uploads only overwrite and not append.  As every company should have made changes to their ruleset, SAP cannot send out rule updates as this would overwrite the customization done by each company
  Since the SAP acquisition of Virsa, there have been seven updates to the supplied ruleset which are described in detail in SAP notes below.
  1061380 u2013 Q2 2006
  1035070 u2013 Q1 2007
  1083611 u2013 Q3 2007
  1173980 u2013 Q2 2008
  1326497 u2013 Q2 2009
  1446680 u2013 Q2 2010
  1604722 u2013 Q3 2011
  These notes provide a company a detailed Word document that summarizes the changes made. 
  The company must go through these changes to evaluate if they agree with the SAP supplied change. 
  If they agree, the company will have to make the change manually via the Rule Architect.
  To get more details, please refer to note#986996
  Regards,
  Renuka

• Mass RAR Rule Set Changes

  My integrator is telling me that there is no way to complete a mass update to the authorizations/restrictions in our RAR rule set (AC 5.3.)  That is, at the recommendation of our external auditor, we added additional transactions to existing rules but failed to activate the company code restrictions to ignore display only access and therefore, I am receiving a significant number of SODs which are false positives. 
  I find it hard to believe that there is no easy way to activate the company code authorization objects (and others) for the additional transactions in the rule set.  The integrator is telling me that this has to be done one by one.  Please tell me that there is an easier way.
  Apologies if this is a repeat; if this topic is out there, could someone point me in the right direction?Thank you in advance!
  Thank you in advance!

  Is there any easy way?  Depends on what you think is easy  
  For mass updates to function I will typically use the:  Configuration -> Rule Upload  feature.  To perform an update to an authorization object, you would use the 'Function Authorization' selection.
  To upload the function you'd want to use the file formats from the 9 upload files SAP provides for the ruleset.  If I recall correctly, function uploads will overwrite the existing function so it is important that your upload file contains all existing function data + the additional auth objects you want to activiate. 
  As with any text file manipulation and download/upload or export/import features into GRC you want to be particulary careful with formatting and attention to detail.  Probably a good idea to take a backup of the rules if this is your first time working with the ruleset files.

• CC / RAR Rule Set Build

  We had a rule set built in Compliance Calibrator 5.2 by a vendor during implementation.  We have over 700 rules and now know that there are too many rules in our rule set. 
  Can any of you tell me the best way to build a rule set?  How many rules do most people have in their rule set?  Is there a best practice out there somewhere to do this?

  Hi Greg,
      You will have to understand relationship between rule, risk, business process, function, transaction and permission to build a rule from scratch. If you need to build one or two rules, you can just go through CC and do it. If you want to build large set of rules then you will have to create text files for risks, functions, rules etc. I will recommend you go through the config guide for CC 5.2 or 5.3 and see how rules are being built.
  There is no straight answer on the number of rules. The number rules you need will depend on industry, company size, location, rules and regulations to follow, company structure etc. Best practice rules come with the installation and you can always get them from SAP. Best practice ruleset contains around 40,000 action and permission rules.
  Regards,
  Alpesh
  SAP GRC Manager (PwC)

• Cisco ASA: Assign same rule sets to multiple interfaces

  Hi guys,
  We want to connect to physical interfaces from ASA to each Nexus core, so is there any possibility to assign same rule set to both interfaces simultaneously? (a kind of zone aggregation).
  Regards.
  Jesus

  Hi 
   What is Your ASA Code running on your ASA appliance , From ASA code 8.3 you can have global access rule . 
  lobal access rules.
  8.3(1)
  Global access rules were introduced.
  The following command was modified: access-group.
  Interface access rules are bound to any interface at the time of their creation. Without binding them to an interface, you can not create them. This differs from the Command Line example. With CLI, you first create the access list with the access listcommand, and then bind this access list to an interface with the access-group command. ASDM 6.3 and later, the access list is created and bound to an interface as a single task. This applies to the traffic flowing through that specific interface only.
  Global access rules are not bound to any interface. They can be configured through the ACL Manager tab in the ASDM and are applied to the global ingress traffic. They are implemented when there is a match based on the source, the destination, and the protocol type. These rules are not replicated on each interface, so they save memory space.
  When both these rules are to be implemented, interface access rules normally takes the precedence over the global access rules.
  HTH
  Sandy

• Do you trust the SAP standard rule set ?

  Hello all,
  I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
  As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
  1. what is your SAP release  ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
  2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
  Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
  So, the best practice is :
  a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
  b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
  You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
  Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
  Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
  Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
  Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
  Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
  Success !
  Sam

  Sam and everyone,
  Sam brings up some good points on the delivered ruleset.  Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
  I'll try to address each area that Sam brings up:
  1.  Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
  The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
  The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
  If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
  Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
  2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  A example is ME21N. 
  If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the object, M_BEST_BSA.  This is to prevent false negatives.
  3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
  4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
  1083611 Compliance Calibrator Rule Update Q3 2007
  1061380 Compliance Calibrator Rule Update Q2 2006
  1035070 Compliance Calibrator Rule Update Q1 2007
  1173980 Risk Analysis and Remediation Rule Update Q2 2008
  5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
  6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
  https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
  Under Key Topics - Access Control; choose document below:
      o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
  The access risk management guide helps you set up and implement risk    
  identification and remediation with GRC Access Control.

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• Rule set migration from GRC 5.3 to GRC 10.0

  Hello everyone,
  I ask you this question: if I want to migrate from GRC 5.3 to GRC 10.0, can I keep my old custom rule set with no modification or I have to make some changes to it to import in GRC 10?
  Thankyou in advance for the answers
  Greetings
  Gianluca
  Edited by: Gianluca Mocini on Apr 1, 2011 5:33 PM

  Hi,
    The migration utility is very simple. You install it on GRC 5.3 box and then select the items you want to migrate. It will generate tab limited text files and you can use those files to import data into 10.0 box.
  Regards,
  Alpesh

• Multiple characater set data

  I have data in multiple character sets, eg. ASCII, IBM850, Windows1252, UTF8 etc. I want to insert them into the database. How do I specify the character set of the data at bind time in ODBC.
  If this is not possible, what is an alternative?

  thanks matt; despite a questionable layout for this setup i think that you'll end up with problems exporting those values to xml as you can't join them in a say, people subset, as each person is basically a standalone value.
  in any case i can argue that this is a real deal breaker for a bunch of organizations given that you would expect a simple multiple choice field based on existing lookup values with an optional possibility to populate the set with new values for the end user (based on your permission) -- or alternatively a text input with auto suggestion based on lookup values that allows you to add/remove multiple records via [+/-] which again end up in one single field.

• Stored Procedure With Multiple Result Sets As Report Source : Crosspost

  Hello Everyone,
  I have an issue where i have created a stored procedure that returns multiple result sets
  /* Input param = @SalesOrderID */
  SELECT * FROM Orders TB1
    INNER JOIN OrderDetails TB2 ON  TB1.ID = TB2.ID
  WHERE TB1.OrderID = @SalesOrderID
  SELECT * FROM Addresses
    WHERE Addresses.OrderID = @SalesOrderID AND Addresses.AddressType = 'Shipping'
  SELECT * FROM Addresses
    WHERE Addresses.OrderID = @SalesOrderID AND Addresses.AddressType = 'Billing'
  This is just a quick sample, the actual procedure is a lot more complex but this illustrates the theory.
  When I set the report source in Crystal X to the stored procedure it is only allowing me to add rows from the first result set.
  Is there any way to get around this issue?
  The reason that I would prefer to use a stored procedure to get all the data is simply performance. Without using one big stored procedure I would have to run at least 6 sub reports which is not acceptable because the number of sub reports could grow exponentially depending on the number of items for a particular sales order.
  Any ideas or input would be greatly appreciated.
  TIA
      - Adam
  P.S
  Sorry for the cross post, I originally posted this question [here|/community [original link is broken];
  but was informed that it might be the wrong forum
  Edited by: Adam Harris on Jul 30, 2008 9:44 PM

  Adam, apologies for the redirect, but it is better to have .NET posts in one place. That way anyone can search the forum for answers. (and I do not have the rights to move posts).
  Anyhow, as long as the report is created, you should be able to pass the datasets as:
  crReportDocument.Database.Tables(0).SetDataSource(dataSet.Tables("NAME_OF_TABLE"))
  Of course alternatively, (not sure if this is possible in your environment) you could create a multi-table ADO .NET dataset and pass that to the report.
  Ludek

• Access to update the GRC rule set is limited

  Hello - What is the process (tcode) to see who has access to update the GRC rule set?
  Thanks!

  Hi Sam,
     What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
  The process to change a rule set is as below:
  1) Creats Function
  2) Create risk
  3) Create Rule
  Regards,
  Alpesh