CC ruleset approval

Hi,
I am reading everywhere in SAP material that the SOD ruleset has been built based on best practice. However, I am unable to find any information about whether the ruleset has been officially approved or signed off by any accounting/audit firms. Does anybody have any further information about this?
Thanks,
Gary

Details on how the GRC Access Control ruleset has emerged are outlined in SAP note 986996 (https://websmp207.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=0000986996&nlang=E). The ruleset has been used and implemented by large and small auditors and implementers alike and has received very favorable feedback.
Have you considered what 'approval' or 'sign-off' of the ruleset would mean for the approving organization?

Similar Messages

  • Creating SOD matrix with the help of Access control default ruleset

    I am creating the SOD matrix for the existing roles of the CRM and HR modules. As I am a security consultant, I do not have the functional knowledge about the conflicts for CRM and HR transactions. My question is: can I use the function/action/risk conflicts provided with the Access Control 5.3 default ruleset? We are not using Access Control for these systems, so I want to know whether I can take the help of the AC 5.3 default risks to create the SOD matrix based on them.
    For example, like the H001 default HR risk, I would make sure not to assign PA30 (maintain HR data) together with PA03/PA04 (maintain personnel control record), as this would result in the conflict "Modify payroll master data and then process payroll".
    Once I have the SOD list based upon AC 5.3, I can consult the business approver/auditor to verify and modify it as per the business requirement.
    Maybe I am thinking the wrong way; please provide your inputs so I can work on it. Any help appreciated.
    Thanks,
    Sanjay Desai

    The most important thing to keep in mind is that you need to build a rule set that reflects the customer's real business risk!
    What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
    You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
    But the real challenge is to identify the risks as perceived/accepted by the business!
    Frank.

  • Is there a ruleset comparison tool available in the market?

    Dear all,
    I wanted to know if there is a SAP GRC ruleset comparison tool available in the market? As a part of our audit requirement, I would need to compare our current rulesets with the ones from last quarter - To identify any changes/enhancements.
    I know Bizrights Approva supports a comparison tool called ExamXML where we can perform a comparison of 2 XML files and figure out the differences/ changes.
    Please let me know if any of you has used such a tool for GRC ruleset comparison.
    Thanks,
    Kunal

    Kenguru wrote:
    > As a part of our audit requirement, I would need to compare our current rulesets with the ones from last quarter - To identify any changes/enhancements.
    > Kunal
    If any auditor is comparing SAP delivered rule sets with a company's GRC rule sets (without deep investigation) and reporting the differences in his/her audit report (as white spaces), then the auditor is doing it the wrong way.
    The auditor should be aware of the following facts:
    1. SAP delivered rule sets are mere best practices (only starting point)
    2. Most of the customers modify/update the rule sets as per their requirements
    3. Organizational rules are created by customers differently
    4. Some customers don't even choose SAP delivered rule sets and completely create their own.
    So the difference between rule sets is obvious, but these findings may or may not be entirely appropriate to reach a conclusion for audit purposes.
    Best Regards,
    Amol Bharti
    http://amudee.com

  • GRC 10: Deleting the Ruleset.

    Hello Guys,
    Does anyone have a clue how to go about deleting an existing ruleset in the system? I tried SPRO - Delete Ruleset but it is not working. At the same time, I see an option in the NWBC also, which is to delete the ruleset.
    1. Any idea how we should go about deleting the existing Ruleset?
    2. What is the difference between deleting from NWBC and deleting from SPRO?
    We have 3 Physical systems A, B and C and the connector groups are:
    Logical Group 1 - Having A&B systems.
    Cross Group 2 - Having A&C systems.
    Any ideas appreciated.
    Regards.
    Edited by: sapgrc10 on Nov 7, 2011 8:14 PM

    Hello Asheesh,
    Thanks for your reply. Besides SAP_ALL and SAP_NEW, I also have almost all the roles assigned to myself, as under:
    SAP_GRAC_ACCESS_APPROVER     Role for Access Request Approver
    SAP_GRAC_ACCESS_REQUEST_ADMIN     Role for Access Request Administrator
    SAP_GRAC_ACCESS_REQUESTER     Role for End user
    SAP_GRAC_ALERTS     Generate, clear and delete SOD Alerts
    SAP_GRAC_ALL     Super Admin for AC
    SAP_GRAC_BASE     Base Role for all Access Control Users
    SAP_GRAC_CONTROL_APPROVER     Create AC MIT control, approve, assign, Alerts and perform Risk Analysis
    SAP_GRAC_CONTROL_MONITOR     Ability to assign MIT control to a Risk and perform Risk Analysis
    SAP_GRAC_CONTROL_OWNER     Create AC MIT control.
    SAP_GRAC_DISPLAY_ALL     Display Access To All AC Objects.
    SAP_GRAC_FUNCTION_APPROVER     Approve Function for Workflow
    SAP_GRAC_NWBC     View Access Control Information Architecture.
    SAP_GRAC_REPORTS     Ability to run all AC reports.
    SAP_GRAC_RISK_ANALYSIS     Ability to Perform Risk Analysis
    SAP_GRAC_RISK_OWNER     Risk maint. And Risk Analysis
    SAP_GRAC_ROLE_MGMT_DESIGNER     Role Management Designer
    SAP_GRAC_ROLE_MGMT_ROLE_OWNER     Role Owner
    SAP_GRAC_ROLE_MGMT_USER     Role Management Business User
    SAP_GRAC_RULE_SETUP     Ability to define Access Rules
    SAP_GRAC_SETUP     Ability to setup Access Control
    SAP_GRAC_SUPER_USER_MGMT_ADMIN     Super User  Administrator Role
    SAP_GRAC_SUPER_USER_MGMT_CNTLR     Super User  Controller Role
    SAP_GRAC_SUPER_USER_MGMT_OWNER     Super User  Owner Role
    SAP_GRAC_SUPER_USER_MGMT_USER     Super User  Firefighter
    SAP_GRC_FN_ADISSUE_PROCESS     Ad-hoc Issue Processer
    SAP_GRC_FN_ALL     GRC - Power User
    SAP_GRC_FN_BASE     GRC - Base role to run GRC applications
    SAP_GRC_FN_BUSINESS_USER     GRC - Business User
    SAP_GRC_FN_DISPLAY     GRC - Display
    SAP_GRC_FN_POST     Role with Post Authority Only
    SAP_GRC_MSMP_WF_ADMIN_ALL     MSMP Overall Administrator
    SAP_GRC_MSMP_WF_CONFIG_ALL     MSMP Overall Configurator
    SAP_GRC_NWBC     Governance, Risk, & Compliance
    SAP_GRC_SPC_SCHEDULER     Authorization to schedule background jobs
    But I am still having the problem. When I press the execute button to delete, the system does not do anything, nor does it give any message or error.
    Anything else that I am missing?
    Also, my second question was whether there is any difference between deleting the ruleset from NWBC or from the frontend, or are these both the same?
    Thanks in advance!
    Edited by: sapgrc10 on Nov 8, 2011 5:27 PM

  • Deletion Ruleset Workflow

    Hello all,
    I'm using GRC AC 10.0. It seems that we only have workflow approval for maintaining functions and risks, not for the ruleset.
    I think this is really risky if someone has the right to delete the ruleset without approval.
    So does anyone know how we can set up workflow approval for maintaining the ruleset?
    Thank you.

    Hi Toan
    Go into IMG and you can mass download all the risk definitions to files:
    Governance, Risk and Compliance > Access Control > Access Risk Analysis > SoD Rules > Download SoD Rules
    Someone making a modification - switch on the configuration parameters to get your change documents (1001 and 1002).
    As far as the global rule set goes - if you really have major issues you can always delete the entire rule set and then reactivate the BC steps. Only do this if completely restarting. The SAP delivered rule set is just a starting point and should be maintained to suit your business requirements.
    Note - IMG mass functionality bypasses workflow. NWBC changes to risks and functions trigger workflow if you have configured it.
    Regards
    Colleen

  • GRC - Default Ruleset

    Hi All,
    We have 2 rulesets for our ECC system.
    During risk analysis, by default we can configure one ruleset to appear under the risk violations tab for the approver to perform risk analysis.
    But my requirement is to change the default ruleset configured in the configuration parameters based on some attribute in the request (business process or roles in the request, etc.).
    Is this possible, or does the approver need to manually select the ruleset if the request needs to be evaluated against a ruleset different from the default one?
    Please suggest
    Regards,
    Sai.

    Hi Sai
    Can you check IMG to see if there is a step to map a BRF+ rule for the default ruleset. I think it's in a similar location to the SLA and/or User Defaults (under Maintain AC Application and BRFplus Function Mapping). There should be an application for Rule Set.
    I think SAP delivered a BRF+ function Id for it with a return result for the Rule Set.
    If you have configured the mapping and the rule for the MSMP Process Id, it is evaluated.
    Possibly the note Prasant mentioned explains this.
    Regards
    Colleen

  • Loading multiple rulesets?

    We've done a lot of work on CC5.1, starting with the standard ruleset, tweaking it to our requirements and getting it all approved. Then the NetWeaver system died (long story, not relevant here) and while installing its replacement we decided to upgrade to RAR 5.3 - we were planning to do that anyway sometime. I'd like to load both the standard 5.3 ruleset and our old, customised 5.1 ruleset so we can compare them but I don't see an easy way to do that. The "ruleset" concept in RAR is associated with the "risk" and the risk names need to be unique, so this means I need to rename the risks in either the old or new sets if I'm going to load both. I'm happy to take the text files and edit them to change names, but I don't see an obvious automatic renaming rule to apply. Being restricted to 4 characters isn't helping at all!
    Has anybody else ever done this? Is there an easy way I just haven't spotted yet? What am I missing?
    Thanks,
    Steve.

    Amol Patil wrote:
    > Just ensure to use different naming convention for your customized risks than what SAP delivers.
    That's exactly the problem. My ruleset from 5.1 uses risk names that clash with the ruleset from 5.3, because most of them are the original SAP risks. We have only a few custom risks.
    It is easy enough to edit the text file to change the risk name, except that there're only 4 characters to use. If I could simply add "_51" or similar to the risk name, there'd be no problem. But with just 4-character names, how do I modify the old "B001" so it doesn't clash with the new "B001". Doing this for one or two risks is OK, but for hundreds I'd want an automatic rule and I don't see an obvious rule, given that the risk names don't stick to the same pattern.
    This isn't a major problem, but I just think some more thought should have been put into the upgrade process. Surely people want to compare old and new rulesets, and not just stick to the one they started with years ago. An easy way of comparing rulesets would be a big help.
    Steve.
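The two threads above ask for a way to compare a current rule set with last quarter's, and for a way to load an old customised rule set beside a new one when both use the same 4-character risk IDs. The script below is an added example, not code from either thread or from SAP: it diffs two rule-set exports for audit purposes and builds a deterministic, collision-free rename map for the old set. The export layout (one tab-separated risk per line) and the sample risks are constructed for this example and are not the real GRC file format.

```python
# Added example, not the thread's code. Constructed (non-SAP) export layout: RISK_ID<TAB>DESC<TAB>F1+F2[+...]
from itertools import product
import string

# Constructed sample exports: the customised "old" set and the freshly loaded "new" set.
OLD_RULESET = """\
B001\tMaintain vendor master and pay vendor\tAP01+AP02
B002\tCreate purchase order and approve purchase order\tPR01+PR02
H001\tModify payroll master data and then process payroll\tHR01+HR02
Z017\tCustom: create customer and post credit memo\tSD01+AR05
"""
NEW_RULESET = """\
B001\tMaintain vendor master and pay vendor\tAP01+AP02
B002\tCreate purchase order and approve purchase order\tPR01+PR02+PR03
H001\tModify payroll master data and then process payroll\tHR01+HR02
S001\tMaintain sales order and bill customer\tSD01+SD02
"""

def parse_ruleset(text):
    """Return {risk_id: (description, frozenset(function_ids))} for one export."""
    rules = {}
    for line in filter(str.strip, text.splitlines()):
        risk_id, desc, funcs = line.split("\t")
        if len(risk_id) != 4:
            raise ValueError(f"risk ID {risk_id!r} is not 4 characters")
        rules[risk_id] = (desc, frozenset(funcs.split("+")))
    return rules

def diff_rulesets(old_text, new_text):
    """Audit view of the change: risks added, removed, or redefined (text or functions)."""
    old, new = parse_ruleset(old_text), parse_ruleset(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(r for r in set(old) & set(new) if old[r] != new[r]),
    }

def rename_map(old_text, new_text, prefix="X"):
    """Map each old risk ID to a 4-char ID that clashes with nothing in either set.
    Non-clashing IDs keep their name; clashing ones take the next free ID from
    prefix + 3 chars of [A-Z0-9], deterministic enough to keep as an audit trail."""
    if len(prefix) != 1:
        raise ValueError("prefix must be one character to keep IDs at 4 chars")
    old, new = parse_ruleset(old_text), parse_ruleset(new_text)
    taken = set(old) | set(new)
    alphabet = string.ascii_uppercase + string.digits
    pool = (prefix + "".join(c) for c in product(alphabet, repeat=3))
    mapping = {}
    for risk_id in sorted(old):
        if risk_id not in new:
            mapping[risk_id] = risk_id
            continue
        candidate = next(pool)
        while candidate in taken:  # skip IDs already present in either set
            candidate = next(pool)
        taken.add(candidate)
        mapping[risk_id] = candidate
    return mapping

def apply_rename(old_text, mapping):
    """Rewrite the old export under the renamed IDs so both sets load together."""
    lines = [mapping[l.split("\t", 1)[0]] + "\t" + l.split("\t", 1)[1]
             for l in filter(str.strip, old_text.splitlines())]
    return "\n".join(lines) + "\n"
```

Keep the returned rename map with the audit evidence: it is the only link between the renamed legacy risks and the IDs the business originally approved.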

  • How to delete the entries in a approval status report

    Hi,
    I have designed an approval procedure for marketing documents. The approval procedure works fine. But there are certain documents which have gone through the approval procedure and have been approved.
    I understand that after approval we cannot alter the document, hence I created a new one with the changes and then posted it. Now I want to delete or cancel the existing documents which are no longer required.
    I am going into the user login and trying Data > Cancel, but the document is not getting cancelled. Is there any solution for this?
    thanks
    regards
    Md.nazeer Shaikh

    Hi,
    https://wiki.sdn.sap.com/wiki/pages/viewpage.action?pageId=88735894
    How do I delete a draft invoice?
    Thanks
    Mansoor

  • Error while approving the request ..

    Hi ,
    I have created a SOA composite where the 1st level approver is the manager and the second level approver is a role. When I raise the request, the task is assigned to the manager and the manager approves it. Then the task is assigned to the role. However, when any member of the role tries to approve the task, the below error is thrown. Please note he is able to reject the request, though; only in the case of approving do I see the below error.
    Though it shows in the logs as a warning, on the approval UI it throws an error, i.e. "An Error Occured".
    Any clues Pls !
    ####<Aug 7, 2012 3:42:56 PM EEST> <Notice> <Stdout> <bubo.stadi.sonera.fi> <soa_server1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <a94ee5b878875ef9:-47c429e2:138eb2557d6:-8000-000000000007d520> <1344343376602> <BEA-000000> <<Aug 7, 2012 3:42:56 PM EEST>
    <Warning> <oracle.soa.services.workflow.persistency> <BEA-000000> <<PredicateImpl.getPredicateCondtion> Query values for columns that can contain multiple identity types (users, groups, approles) should be IdentityType or list of IdentityType objects. Incorrect use of 'WF_NONEXISTENT_ASSIGNEE' for column 'wfa.assignee'>>
    ####<Aug 7, 2012 3:42:56 PM EEST> <Notice> <Stdout> <bubo.stadi.sonera.fi> <soa_server1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <a94ee5b878875ef9:-47c429e2:138eb2557d6:-8000-000000000007d51f> <1344343376602> <BEA-000000> <<Aug 7, 2012 3:42:56 PM EEST>
    <Warning> <oracle.soa.services.workflow.persistency> <BEA-000000> <<QueryUtil.warnForUseOfNonIdentityTypeValues> Query values for columns that can contain multiple identity types (users, groups, approles) should be IdentityType or list of IdentityType objects. Incorrect use of 'WF_NONEXISTENT_ASSIGNEE' for column 'wfa.assignee'>>

    You need to give approver the right on the request . Add the approver to the request administrator role .
    Thanks
    Suren

  • Error while approving Leave request

    Hi,
    I am facing an issue while approving the attendance request of an employee via MSS. The error message comes for the leave request further in the queue.
    Error Message : No read authorization for infotype 2001/5006(Annual Leave) for employee number between 07.06.2010 and 07.06.2010
    Hoping for the early response.
    Thanks!

    I guess there is a problem with the manager's ID and the authorizations.
    Try to check in SU53 and speak to security team to run the trace and provide the necessary authorizations

  • Approval Authorization for Sales Order

    Dear Experts,
    Can anybody help me by providing a user query for an approval template for the following condition?
    The system should prevent the sales order & delivery when the customer has one outstanding invoice above 90 days and the balance due for that invoice is less than Rs. 100.
    Regards,
    Srinivas

    Hi Gordon,
    Thanks for your effort. I am getting the approval window after the sales order, i.e. at delivery it is asking me for approval, and it is asking for every delivery even when the customer doesn't have any outstanding. If the approval process activates during SO generation time, then this will be helpful.
    If any previous invoice has an outstanding balance > 100 and it exceeds 90 days, then it should ask for approval. But the system should not check the customer account balance.
    Regards
    Srinivas

  • Approval for Sales Order

    Hi All,
    Is it possible for me to set an approval procedure on a sales order in case the user forgets to fill in the remarks column? Please help with the query.
    Thanks in advance,
    Joseph

    Hai!
    If your requirement is to block users from adding a sales order without remarks, then you can do it with a stored procedure.
    -- Runs on Add (transaction type 'A') of a Sales Order (object type 17)
    if @transaction_type = 'A' and @object_type = '17'
    begin
        -- Reject the document when its Remarks field (ORDR.Comments) is empty
        if exists (select T.DocEntry from ORDR T
                   where T.DocEntry = @list_of_cols_val_tab_del
                     and (T.Comments is null or T.Comments = ''))
        begin
            set @error = 17
            set @error_message = N'Enter the Remarks'
        end
    end
    Add this code in SP_TransNotification of your company DB.
    Please test it in a test system before putting it in Live.
    Regards,
    Thanga Raj.K

  • Query Based Approval Procedure for Sales order .

    Hi 
    I have created queries for SO which result in above 5000 and 50,000.
    Using each query, I created two separate approval procedures for SO > 5000 and > 50000.
    If SO > 5000 the approval procedure wants to activate, and the same thing for > 50,000. But the approval procedure is not working; what will be the cause? I have linked this query in Terms as "when the following applies".
    If SO > 5000, approved by user A.
    If SO > 50,000, approved by users A & B.
    Regards
    Giridharan

    Hi Giri
    Your query for the first should be as follows:
    SELECT DISTINCT TRUE
    WHERE $[$29.0.NUMBER] > 5000 AND $[$29.0.NUMBER] < 50000
    For the second query:
    SELECT DISTINCT TRUE
    WHERE $[$29.0.NUMBER] > 50000
    The query you were trying to use is looking at the table which will only apply to documents already posted, and as that query is not being filtered specifically it is bringing back all the records and getting confused. You must reference to the runtime value of the document being posted.
    Kind regards
    Peter Juby

  • Can not see the details of the task approved in UWL of ESS

    The leave approver cannot see the details of the approved task, such as the start and end date of the leave, the number of days used, and the leave quota details of the applicant, when he approves it.
    Please give your advice!
    Regards,

    Hi!
    Maybe these attributes are not being shown due to the fact that they might have been specified in the "List of Display Attribute to exclude from Preview/Detail area" attribute of the UWL iview currently being used.
    As you can see in the Help page:
    http://help.sap.com/saphelp_nw70/helpdata/de/0a/ad68c125ae496f8c04a25090bd2e3c/content.htm
    It states the following about this attribute:
    "Enter the names of the attributes which you want to hide from the display in the preview area. These names should be comma separated."
    Maybe for the UWL iview currently being used some values have been specified for this attribute, and so some information for the items, such as the start and end date of the leave (along with the others you have mentioned), is not getting displayed in the preview area.
    Hope this helps!
    Best regards,
    Armando Zaro

  • Approver can't view Attachment in Shopping carts

    Hello,
    We are on SRM 7.0 and facing an issue: requesters put attachments (.doc, .xls, etc.) but when the approver clicks on the attachment it does not open.
    We are on SP 7. I have checked Note 1381247; the configuration is there for data type BBPS_ATTACHMENT_BCS, which is referred to in the Note.
    The issue our approvers have is that they do see the attachment list, but when they click on an attachment it looks like it opens in a new window and then shuts it down immediately. Even when we tried clicking the attachment with the CTRL key pressed, it opens up a window, but if the approver wants to Save or Open the file, clicking Save also does not show any options.
    Do i have to do any settings for the same?
    Please advise.
    Thanks
    Ritesh

    Hi Ricardo,
    We are on SP 7. I have checked the Note; the configuration is there for data type BBPS_ATTACHMENT_BCS, which is referred to in the Note.
    The issue our approvers have is that they do see the attachment list, but when they click on an attachment it looks like it opens in a new window and then shuts it down immediately. Even when we tried clicking the attachment with the CTRL key pressed, it opens up a window, but if the approver wants to Save or Open the file, clicking Save also does not show any options.
    Please advise.
    Thanks
    Ritesh
