Create rules in Compliance Calibrator for HR PD profiles

Similar Messages

• Compliance Calibrator for SRM and SCM???

  Hello,
  Can we use the compliance calibrator for the modules like SRM and SCM? Do we get any ruleset for these modules from SAP or need to create ourself?
  Thanks in advance
  Eric

  Alexander,
  Thanks for your prompt response. But the note available from SAP is not included SCM?
  <b>Note 1033326 - Compliance Calibrator 5.2 Rule Upload</b>
  SOD Action and Permission level rules are provided for R/3, APO, ECCS, CRM
  and SRM. HR and Basis rules are included in the R/3 but also broken out
  separately.
  Could you tell me what all other modules are included in the standard ruleset?
  Thanks in advance
  Eric

• ISE: create rules with AD groups for Users and Computers

  Hello,
  We've just begun to work with ISE.
  Is it the good place to post on ISE, or there is a dedicated forum in another place?
  We'd like to create some rule depending of Computer member groups AND Users member groups from AD, but we meet some difficulties.
  We've created AD groups for Computers and Users depending of their Department:
  Users_1
  Users_2
  Computers_1
  Computers_2
  When we create some basics rules regarding one group only:
  - with a group Computers_x to attribute a specific VLAN to a computer (when no Windows session is opened), it runs correctly.
  - with a group Users_x to attribute a specific VLAN to an user (when Windows session is opened), it runs correctly.
  But when we create a rule regarding a group from Computers and one from Users, to attribute a specific VLAN to an user on a specific computer, this rule is not applied.
  Is it possible to use ISE on this way?
  Thanks for help.
  Regards,
  Chris

  Enable EAP Chaining— if  you want Cisco ISE to allow authentication of both machine and user in the same  EAP-FAST authentication.
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf

• Compliance Calibrator for multiple SAP systems

  I was wondering if anyone could assist me with my query.  We are currently performing an implementation of Virsa CC for a client and have begun to configure a CC DEV system they have installed with their custom SoD rule set.  The DEV CC system (sitting on a stand alone NetWeaver box) is "connected" to four SAP systems (DEV, QA, HR DEV & HR QA).  When we are building "functions" (i.e. raise purchase orders) in CC it asks us to define a SAP system when we are entering the transaction codes.  We've been configuring the functions with SAP DEV as the system, however when we run the analysis of results we would like to get results from QA as well.  It appears that the risk analysis only works for the system that you have defined the functions in (i.e. we get results for users in DEV but not for users in QA).
  My questions are as follows:
  - Do you need to define all the systems you wish to run a risk analysis for within the function (i.e. function = Raise purchase orders. DEV ME21 & QA ME21)?
  - If so, is there an easy way to convert our functions so that they point to QA as well (we've noticed that we can't edit the SAP system once the function is saved)?
  - Is it possible to export the functions and then define the SAP system when importing them back into CC (we've noticed with the SAP delivered rule set that SAP DEV was automatically defaulted)?  This is particularly relevant as we would like to export the rules from the DEV CC system and import them to the PROD CC system without having to manually create the rule set again; and
  - Is it possible to export the rules and manually change the SAP system reference and import them back into CC (i.e. do a "replace all" DEV to QA)?
  Any help would be greatly appreciated.
  Thanks,
  Alexi

  In order to perform what your are trying to do in CC 5.2, you will need to go to configuration and setup a logical system, such as SAP R/3 and define all the appropriate systems for the logical system.  Then, when modifying the functions, you will need to set the tcode (action) to the logical system defined, such as R/3 or APO, etc. 
  The cross-system functionality only comes into play if you want to analyze the SOD where a conflict would occur if a user had access to one function in one system (for example - purchase order processing in APO) and a conflicting function in a different system (for example - Vendor Master in R/3). 
  If you simply want to check who has violates a risk against multiple system - the logical system is the best way.  You can have an logical system by system type - R/3, BW, APO, SRM, etc.
  To convert this over, you can export the rules and during the export you have to define the new system when exporting the file.  If that doesn't work, I'd just delete everything out, and use the upload files to reload the rules with the correct data.

• Compliance Calibrator Design - Roles and Profiles

  Hi guys,as you know SAP's authorization concept involves generation of Roles into Profile before it can be assigned to a User. In CC, i wonder why is there a need to segregate Roles and Profiles into 2 seperate functions. Isnt it already sufficient to analyse roles instead of profiles? Profile are names which is too technical which i feel should be omitted unless really necessary.
  Well, unless it is to cater for indirect assignment where profiles are granted to position/org unit etc... I will also be trying out whether there is a difference when you only batch analyse a Role and intentionally excluding the 'profile' whenever a new role is created. Will the system work fine when i do a role analysis?
  Cheers!

  I agree that profiles are old fashioned and should be phased out.  The system has to stop people from being able to maintain profiles directly and assign them directly before they do this though.  SAP_ALL etc can be converted and assigned as a role.  It would make the whole authorisation concept just that little bit easier.  We are talking about a German company though!
  Also, you don't need profiles for indirect assignment.  You can relate roles to the position using PFCG!  Click on the organisational management button on the user-tab, next to the user comparison button.
  Using profiles (ie, maintaining directly and assignment) is highly recommended against.

• Compliance Calibrator Start up

  Hi,
  We are planning to bring SOD tool Compliance calibrator soon for our r/3 system.......
  before that I need to know how it works....I mean SAP provides CC software to be installed on R/3 server???
  Can some tell me on which server CC installation takes place.

  Hi Lisa,
  Purpose of Installing RTA in R/3 Server
  ==============================
  This is an ABAP component which continously and regularly collects data from R/3 Server. As I said, this the Backend used by all the GRC components that is:
  1)Access Enforcer
  2)FireFighter
  3)Role Expert    and
  4)Compliance Calibrator
  What we install in J2EE Server and Purpose of it
  ====================================
  These are Java Deployable files (called Software Deployable Archives, SDA). These files form the frontend to access GRC components. The purpose of this is that, this forms an Interface to access the different applications.
  You have different SDAs for different applications like:
  1)Access Enforce
  2) Role Expert
  3) FireFighter    and
  4) Compliance Calibrator
  For each application, you have respective Java Deployable files i.e., SDAs. Example, if you want to use Compliance Calibrator, then you need to install it FronEnd files (SDAs) on J2EE server access through Web Browser.
  Data Flow
  =========
  I will take Compliance Calibrator example and explain it you you:
  You have RTA installed in R/3 server and frontend files on J2EE server.
  As you know, Compliance Calibrator is SODs violations reporting tool. Here you define all the rules and save it. You run reports called "Synchronization" for:
  Users
  Roles and
  Profiles
  When you run this, RTA (ABAP component in R/3 Server) will send the data as per your selection (User/Role/Profile) to FrontEnd on J2EE server where it maintains its own database in J2EE server for rendering purpose.
  Then you run the "Risk Analysis" reports in front end of different types:
  User
  Roles and
  Profiles
  Then it gives you the reports accordingly. Any change in the R/3 Server, you need to re-run the "Synchronizaiton" reports again. Usually, these reports are run every day on "Incremental" basis.
  Hope, this will answer what you have asked for.
  Feel free to ask further queries.
  Reward points if useful.
  Thanks and Regards,
  Faisal

• SAP GRC 5.2 Compliance Calibrator rule sets for HR module

  HI All,
  The company i am working for has done installation of GRC 5.2. I would like to download the SAP out of box Compliance Calibrator rule sets for HR function module in a spreadsheet format.
  I would like to download the rule set for risks at Function level, Tcode level and also at authorization object level in ABAP and Roles, actions and permissions in JAVA.
  I will discuss with the BPAs, internal auditors and come up with a new rule set exclusively for my company needs with the help of the above spreadhseet.
  Please tell me what steps i need to do to get this thing done.

  Please go through the process but save these as txt files for UNIX. I am not sure about 5.2 but CC4 was not uploading rule files correctly if file was not saved for TXT for UNIX.
  Regards,
  Harry Sidhu

• Updating Compliance Calibrator Rule Set

  The business has decided to change a few rules by removing a couple of custom tcodes from the rule set.  In DEV I go into the Function and remove the objects associated with the tcode and disable the tcode.  After running the rule set update there is still some sort of tie.  I have created a test ID in DEV with a known issue around each of the changes.  I'm not getting a different result when running compliance calibrator.
  Any ideas?
  We are running R/3 4.6C and compliance calibrator 4.0

  Can you please check the following demo?
  [Virsa Compliance Calibrator Application for SAP v5.1 Demo|http://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/d2f1cf9c-0d01-0010-2dac-aedd3c4f7f5b&overridelayout=true]
  Please give more details on the step where you got stuck.
  Regards,
  Dipanjan

• Compliance Calibrator standard rule files needed

  Hello, we need the standard rule files (.txt) for the Compliance Calibrator 5.2. We don't have the installation software accessible atm and couldn't find anything on the SAP marketplace.
  If someone could give us information on where to get these files explicitly would be great.
  Thanks and best regards,
  Jan

  The rules are delivered together with the software which you will be able to download if you hold a valid software license for SAP GRC Access Control. Your organization holds valid licenses of the software in several countries, e.g. in Germany, France, India, Italy, the Netherlands, and the US.

• Re: Virsa Compliance Calibrator & Pre-defined SOD Rule Set

  Hi All,
  We have installed the Virsa Compliance calibrator 5.1 in our sandbox environment. When we goto the "Rule Architect" tab under Compliance calibrator using tcode /virsa/zvrat it brings up the page with Rules information.
  Per the Virsa documents that i read they have mentioned that there are pre-defined SOD Rules (Transaction codes and Tcode objects) that we can use in the Rule Architect.
  My question is how do i enable and use those pre-set SOD Rules that Virsa provides by default. I do not see them under the Rule architect tab though. Can someone give some pointers to use these pre-set SOD rules.
  Thanks & Regards
  -Murali

  Hi Laziz,
  Thanks for your patience in replying to my CC 5.1 queries. I did follow your steps for the Generate Rule & Background Job-> Schedule Analysis and scheduled the job immediate.
  However, when i looked up the status of the scheduled analysis Background Job-> Search pulls up the job i scheduled at the top it reads "Job scheduler Status: unknown error" . I clicked on "View Log" button and it shows some messages as shown below (Note: I am just posting some parts of the error msgs below. but it still goes for 1 page...)
  May 16, 2007 1:09:07 PM com.virsa.cc.xsys.bg.BgJobDaemon init
  INFO: *** BgJobDaemon loaded
  May 16, 2007 1:11:09 PM com.virsa.cc.common.util.ConfigUtil setDefaultJ2EEParam
  WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB
  java.lang.NullPointerException
       at com.virsa.cc.common.util.ConfigUtil.setDefaultJ2EEParam(ConfigUtil.java:203)
       at com.virsa.cc.common.util.ConfigUtil.getBgJobStartURL(ConfigUtil.java:192)
       at com.virsa.cc.xsys.bg.AnalysisDaemonThread.run(AnalysisDaemonThread.java:45)
       at java.lang.Thread.run(Thread.java:534)
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.ReportPack50SP1_01 class: com/virsa/cc/extreport/ReportPack50SP1_01/ReportPack50SP1_01.class
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: Jar Entry length=1568 compressed size=1568 actual read=1568
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtActbyRsk_Act_RskLvl class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtActbyRsk_Act_RskLvl.class
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: Jar Entry length=13210 compressed size=13210 actual read=13210
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtRolbyRsk class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtRolbyRsk.class
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: Jar Entry length=19287 compressed size=19287 actual read=19287
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.CrtProfbyRsk class: com/virsa/cc/extreport/ReportPack50SP1_01/CrtProfbyRsk.class
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: Jar Entry length=12807 compressed size=12807 actual read=12807
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: class name: com.virsa.cc.extreport.ReportPack50SP1_01.UsersbyOrgLevels class: com/virsa/cc/extreport/ReportPack50SP1_01/UsersbyOrgLevels.class
  May 16, 2007 1:24:37 PM com.virsa.cc.extreport.JarClassLoader loadClassData
  FINEST: Jar Entry length=18557 compressed size=18557 actual read=18557
  May 16, 2007 1:24:59 PM com.virsa.cc.common.util.ConfigUtil setDefaultJ2EEParam
  WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB
  java.lang.NullPointerException
  I am not sure whats causing this and it's been 2hrs since i scheduled the user analysis but i don't see any data still appearing in the fron-end..Any pointers again???
  Thanks
  -Murali

• Compliance Calibrator Default Rules Upload Files

  I'm implementing Compliance Calibrator 5.1, and I'm at the point where I need to upload the default rule-set.  However, I cannot locate the flat files required for the initial rule-set upload (i.e. business process, function, and risk definitions).  I've read through the user guides, but they don't seem to reference exact file names or specify where the files would be located after install.  Thanks in advance for your help.

  Varun,
  you may get a quicker answer to your question in the GRC forum
  Governance, Risk and Compliance (SAP GRC)

• Compliance Calibrator 5.2 RTA for Non-SAP Apps

  Hi all,
  Can SoD rules be written for analyzing a Users access to SAP and NON-SAP applications across the enterprise?
  If yes will CC RTA need to be installed on the NON-SAP application?
  If yes are there any requirements that need to be met by NON-SAP application and is there a list of NON-SAP applications (other than-Peoplesoft, Oracle, Hyperion, JD Edwards) that CC has an RTA for?
  Is there any documentation specific to aplications that can support CC RTAs and installation on these?
  -Cheers

  Hi,
  Yes SoD rules can be written for analyzing user accesses to SAP and non-SAP applications.
  Basically there is no other application for which an RTA exists, but there is a documentation discussing the technical requirements for file generation from the non-SAP systems for integration of non-SAP Systems with SAP Compliance Calibrator.
  This documentation is available in <a href="http://service.sap.com/rkt-grc">http://service.sap.com/rkt-grc</a>
  under SAP GRC Access Control 5.2 -> SAP GRC Compliance Calibrator 5.2 -> Step2: Prepare for your project -> Cross Application Material
  You'll need your OSS user-id to access that page; in case you cannot access it, please post a message in the OSS.
  Rgds,
  Karim

• Error while creating rules for Event generator

  Hi,
  I followed the PO samples in dev2dev site to create an EventGenerator(both file and JMS) from a jython script. While creating rules for the eventgenerator, am getting the following exception.
  "AttributeError: 'None' object has no attribute 'newFileEventGenConfigurationMBean'"
  here is the PO sample code,
  egCfgMBean = getMBean("FileEventGenerators/FileEventGenerators")
  egMBean = egCfgMBean.newFileEventGenConfigurationMBean(egName)
  I used getMBean() instead of wlst.getTarget() to retrieve the MBean info.
  The server is weblogic 9.2 and domain is Integration domain. Looks like the getMBean() wasnt able to locate the Eventgenerator MBean for some reason and hence the variable 'egCfgMBean ' is always null. Anyone had this issue before.
  Thanks.

  It looks like getMBean("FileEventGenerators/FileEventGenerators") is not
  returning an MBean. "None" is returned if no MBean is found. Check the path
  parameter to getMBean() and make sure it is correct. If you know the object
  name of the MBean you are interested in, you may be able to use the
  getPath() command to get its path.
  wls:/mydomain/serverConfig>path=getPath('com.bea:Name=myserver,Type=Server')
  wls:/mydomain/serverConfig> print path
  <Ramesh R> wrote in message news:[email protected]..
  Hi,
  I followed the PO samples in dev2dev site to create an EventGenerator(both
  file and JMS) from a jython script. While creating rules for the
  eventgenerator, am getting the following exception.
  "AttributeError: 'None' object has no attribute
  'newFileEventGenConfigurationMBean'"
  here is the PO sample code,
  egCfgMBean = getMBean("FileEventGenerators/FileEventGenerators")
  egMBean = egCfgMBean.newFileEventGenConfigurationMBean(egName)
  I used getMBean() instead of wlst.getTarget() to retrieve the MBean info.
  The server is weblogic 9.2 and domain is Integration domain. Looks like the
  getMBean() wasnt able to locate the Eventgenerator MBean for some reason and
  hence the variable 'egCfgMBean ' is always null. Anyone had this issue
  before.
  Thanks.

• Creating rules for Mail - yet visible on iPhone

  I fully understand how to create rules for email so that when receiving them, they automatically go into folders.  The problem is, if I receive an email that automatically gets sorted into a folder, I can not tell on my iPhone I have actually received a new email.
  However, I need to know how to have rules to automatically sort/file emails into a folder, but still know I have received a new email on my iPhone mail. 
  Anyone got ideas?
  Thanks

  I can understand not wanting to put out money to gain a feature that you think should be standard.
  Here is a link to some Applescripts that I had downloaded in the past. I actually forgot about these. There is a script which will allow you to apply some rules to outgoing messages, but the author of the scripts notes that it is not a perfect solution. Maybe it can help.
  If all else fails, maybe you can use smart folders as a sort of go between. Instead of scanning through the sent mail folder and hand picking individual messages to drag to folders, why not set up a smart folder to aggregate all like mail. Then you could just drag the messages from a smart folder to a regular one. It might help speed things up.
  I am just about out of ideas. I hope you can come up with a good solution.

• Creating rules for variant

  Hi gurus,
  How to create rules for variant in work schedules.....Explain clearly.....
  iam unable to understand x and . under holiday calender....
  Explain it by taking example of having only 4 working hours before a public holiday.
  thnx in adv.....
  Regards,
  praveen.

  hi u use day of varient when u want to disrupt ur dws for some day.
  here u shd know what r the holiday classes 0 is workday.
  1 is holiday  .2 is half day holiday and 3-9 are customer specific holiday classes.
  rule NO  hclas     hcla n.d.   weekday      var
  ZA 01     X.X.......   .X........  XXXXXXX       1
  this is how we may write ur requirement .
  4 hours of working before public holiday.
  that day on which u want to apply the rule that shd be either workday or halfday so x.x 
  the next day u want as a public holiday so check 1 that is fullday holiday. 
  which workdays u want to apply this u can decide in 3rd collumn.
  this varient u give in DWS.
  and there u change ur work schedule to only 4 hrs.
  clarify with other members too.since i might be wrong.
  regards,
  raj.