GRC RAR -Rules Updates

Hello All,
Q1- How we add one new physical system to the Rules (how we generate same rules for the new physical system), Please let me know the steps
Q2-In my current RAR System rules are generated on the basis of physical system, now I want to import same rule to New RAR System and generate rules for the logical system, Please let me know which steps I need to follow.
Thanks in advance.
Jagat

Hi Jagat,
guessing you talk ab AC 5.3.
Q1: Under configuration generate the rules after you added the system
Q2: Use import/export function under configuration.
Both described in the config guide.
Best,
Frank

Similar Messages

  • SAP GRC RAR Rules Generation Job Error - SP13 application

    Hello,
    we applied SP 13 on GRC and RAR Rule Generation job is always in "error" status; below I list an example of job log:
    INFO: -
    Scheduling Job =>237----
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
    INFO: --- Starting Job ID:237 (RULE_GENERATION) - generate f113
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1007
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 237 Status: Running
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    1@@Msg is generate f113 started :threadid: 1
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=237, status=1, message=generate f113 started :threadid: 1
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1007
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob ruleGeneration
    INFO: @@@--- Rule ruleGeneration Started ....237
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
    WARNING: *** Job Exception: null
    java.lang.NullPointerException
         at com.virsa.cc.xsys.bg.BgJob.ruleGeneration(BgJob.java:1245)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:609)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:363)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 237 Status: Error
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    2@@Msg is Error while executing the Job:null
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=237, status=2, message=Error while executing the Job:null
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>237----
    Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
    WARNING: It is used by the same owner: For current thread retrying to get lock : 1001
    Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1001
    Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1001
    Is there someone that can help me?
    I checked and it seems that "Use NetWeaver Logical Lock" in config tab has to be set to "No"...is it correct for you or have you got other tips?
    Thx to all

    Hello,
    actuallt current values are:
    Row CNFGPARAM| CNFGSEQ| CNFGVALUE|
    35 250 0 NO
    36 251 0 YES
    Value for 250 is ok based on your feedback.
    Value for 251 is based on SNOTE 1508611, even if  SDN forum suggests "0" against the note.
    Have you got any tips?

  • GRC CC rule update q2 2009

    Having taken a look at it, I don't agree with the fact that it recommends to remove the check of f_bkpf_koa in many tcode. For tcd FB05 for example, the Tcode is in functions AP01, AR01, GL01. If we remove the permission check f_bkpf_koa, the authroization check of FB05 in these 3 functions will be exactely the same. And because GL01 conflicts against AP01 and also AR01, every users having FB05 will have conflicts. Same case for FBV0, and also much more other tcds!!!
    Does any body have an idea why SAP recommend to remove f_bkpf_koa check in the q2 2009 rule update?

    I think this is because a vendor accoutant, restricted on account type K (vendor) for object f_bkpf_koa is automatically authorized to post on S (GL) account type. This is mandatory to balance the post. Yet it makes him possible to post frrom GL account to GL account, even if he does not have S (GL) in his authorizations.
    Same thing for a customer accountant who is restricted on D (customer) in his authorizations: he can post on GL accounts too.
    Only GL accountant is really restrictied on GL account type if he has only S for object f_bkpf_koa in his authorizations.
    So according to me, the rules should be:
    AP01 => K
    AR01 => D
    GL01 => K, D, S, A, M
    ...which effectively create risks for every user who has FB05, FBV0...

  • GRC-AC v5.3 SP11 -- RAR Rules for BI, GTS, SRM, XI, GRC-AC, SolMan

    Hi!
    Has SAP released RAR Rule sets for BI, GTS, SRM, XI, GRC-AC, or Solution Manager?
    Let me know if anyone else has found them.
    Thanks,
    -john

    Hi John,
       SRM rules have always been available. I have not seen rules for BI, GTS, XI, AC or SolMan. Would definitely want to see rules for XI, BI and SolMan.
    Alpesh

  • Unexpected risks after rule update

    I wanted to updat RAR rules in dev GRC as per Q2 2009 rule update provided by SAP.
    SAP recommendation for transaction FBV0 is:
    remove auth objects F_BKPF_KOA and add F_BKPF_BUK with actvt 01 or 02.
    As client wants to keep KOA active, I have done following in function AP02 and GL01, to test user risk analysis result in each case
    case 1. KOA and BUK both active
    case 2: KOA inactive and BUK active
    I tested 5 users who have acccess to FBV0.
    Among those, in case of 2 test users I found some unexpected results.
    In case 1, both users have less number of risks where as in case 2(inactive KOA) I got more risks in user analysis in dev grc.
    I am surprised, if I make an auth obj inactive, how can the new risks be generated. The new risks are related to FBV0 and  functions AP02, GL01.
    Other three users have same risks in both cases.
    Can you suggest me what could be the reasons behind this.

    In case 2, number of conditions are less : if any user satisfies the condition of BUK active - user will show respective risk. For specific 2 users, they may have authorization for BUK only, but not for KOA. So they are not showing the risks in case1. But in case 2, they have the required authorization to satisfy the risks for BUK only. When case1 is set as risk condition(bith KOA and BUK active) those 2 users can not satisfy the conditions to show rish as they may not have authorization of both KOA and BUK.

  • GRC RAR function ids

    Hi,
    I have a question for GRC RAR functions ids.After uploading objects,do i have to create function ids and add tcodes and update permissions with the help of controllers/finance admin.I am not sure how it works.
    Thanks
    Mushu.

    Dear Mushu,
    You will get businessprocess, rule set, funciton, risks  etc., text files for different systems like R/3, CRM & SRM along with the installation files. You can upload these files and generate your SOD rules. This is standard rule set available from SAP. You can customize this rule set later as per your business requirements by changing functions, risks etc.,
    If you want to have totally customized rule set then you need to follow the procedure of creating functions, addition of t-codes, authorization obejcts (permissions) enablement and then generating rules. If the customized rule set is huge the better to use the text files - tweak them and upload into RAR tool
    Thanks and Best Regards,
    Srihari.K

  • GRC RAR version relative to SAP upgrade to ECC 6

    Hi,
    Currently we are on GRC RAR version AC-RAR 5.3-13.3. We are upgrading our SAP from ECC 5 to ECC 6 and the latest support pack. What GRC RAR version do we need to be on to identify any potential SOD issues on the ECC 6 system? Are there any other potential pitfalls that we should be aware of?
    Thanks,
    John Burk

    Hello John,
    Are you using a customized rule set?
    SAP provides rule updates periodically:
    For example:
    1446680 - Risk Analysis and Remediation Rule Update Q2 2010
    You'll find that some specific changes are performed in these rule updates, and some of these changes are only for ECC 6.
    You might want to check also here:
    Note 986996 - GRC Access Control- Best Practice for Rules and Risks
    Then, the point is not the GRC version, but the rule set. Of course, you have to upgrade the RTAs.
    Cheers,
    Diego.

  • Mass RAR Rule Set Changes

    My integrator is telling me that there is no way to complete a mass update to the authorizations/restrictions in our RAR rule set (AC 5.3.)  That is, at the recommendation of our external auditor, we added additional transactions to existing rules but failed to activate the company code restrictions to ignore display only access and therefore, I am receiving a significant number of SODs which are false positives. 
    I find it hard to believe that there is no easy way to activate the company code authorization objects (and others) for the additional transactions in the rule set.  The integrator is telling me that this has to be done one by one.  Please tell me that there is an easier way.
    Apologies if this is a repeat; if this topic is out there, could someone point me in the right direction?Thank you in advance!
    Thank you in advance!

    Is there any easy way?  Depends on what you think is easy  
    For mass updates to function I will typically use the:  Configuration -> Rule Upload  feature.  To perform an update to an authorization object, you would use the 'Function Authorization' selection.
    To upload the function you'd want to use the file formats from the 9 upload files SAP provides for the ruleset.  If I recall correctly, function uploads will overwrite the existing function so it is important that your upload file contains all existing function data + the additional auth objects you want to activiate. 
    As with any text file manipulation and download/upload or export/import features into GRC you want to be particulary careful with formatting and attention to detail.  Probably a good idea to take a backup of the rules if this is your first time working with the ruleset files.

  • Need information on the new RAR Rule Architect/Rule Set functions

    Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
    My 5.3 Config manual mentions this area but doesn't describe anything about it.  I have a request from our user group and need to determine if this can fit that request.
    What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe).  Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that.  Load the new SAP one into RAR as a separate ruleset and then run this Compare function.  However I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
    Thanks.

    Hi,
    the error 'NullPointerException ' is very common error in GRC.
    kindly search, you will find lots of threads and notes on thi.
    check you permission TXT file. It contain null value some where.
    especially check SD01 & SD02 tcodes.
    Also open permission file in word and check all TAB's and ENTER's in technical view.
    Regards,
    Surpreet

  • Critical transactions in GRC RAR 5.3

    Hi,
    we have an option in GRC RAR 5.3 to fetch the critical action report in informer. how can i add some more critical actions into the GRC, is there a facility in GRC RAR to add critical transactions or this should be done through backend??. kindly advice.
    thanks

    Hi,
    The process is very simple, identify your sensitive/critical transactions, make functions and then define risks as critical acttions in RAR. After generating rules, you will be able to run risk analysis for those critical/Sensitive transactions.
    Regards,
    Sabita

  • GRC - CRM Org.Update

    Hi All,
    I want to update BP employee master data using GRC. Is this supported by GRC? Experts please share your opinion.
    Requirement:
    Whenever a new user is created, update this User's sap UserID into BP master data through GRC. Can GRC be used for this kind of update?
    How is the HR org structure assignment request working with GRC? Can i use it for fetching CRM org structure and update it using this MSMP process ID (SAP_GRAC_ACCESS_REQUEST_HR) ?
    Can i use Organizational assignment request in SAP GRC to update the org.structure in my CRM system? Will that work? As i can see in the template used for org.assignment request below are the attributes mentioned. Is this role mentioned in this template is a business role tagged to a position in CRM? or Is this different?
    Please share your thoughts.
    Regards,
    Madhu.

    Hi Claudio,
    Thanks for the details.
    We have a org.structure defined in our system.
    We have PFCG roles created for each position in org.structure.
    Now can i assign my PFCG role to position in my org.structure? How does this actually work? How does GRC connect and update the org.structure?
    We are using SAP transportation management (TM) system.
    Is this request type "Organizational Assignment Request" applicable for only HR system?
    Any guidance or documents to understand the concept of organizational assignment request will be very helpful.
    Thanks & Regards,
    Madhu.

  • GRC RAR Alert Email Sender

    Hi,
    I am trying to work out how GRC RAR determines which email address to use when sending out RAR Alerts.  I have a risk which has 3 Risk Owners, I have tried various combinations of assigning Risk Owners to the Risk, but cannot see any logic as to how RAR picks which one to send the email alert from.
    If I just have one Risk Owner, then the Alert is sent from that user, however when multiple owners are attached there does not appear to be any logic as to which one from the list is chosen.
    Any help would be much appreciated.
    Thanks & Regards,
    Stephen

    Hi Stephen,
    In GRC ARA 5.3, following is the logic which determines that who is sending the notification if there are multiple role owners.
    The logic goes like this while sending the emails:-
    1. It re-orders the role owner list so that alphabetically the last e-mail is treated as first.
    For example:-
    email of C01   say email is C01@ XYZ.com
    email of B01   say email is B01@ XYZ.com
    email of Z01    say email is A01@ XYZ.com
    ** Alphabetically C01 is last and will send the mails.
    2. Now this last email of C01 becomes the e-mail id who will be set to send the mail to all other owners in list.
    I hope this information helps.
    Regards,
    Yukti

  • GRC RAR

    Hi,
    When i ran user/role/profile synchronization job for oracle in GRC RAR.It's keep running and when i check log.It says:
    com.virsa.cc.xsys.util.Lock lock
    WARNING: It is used by the another owner: For current thread retrying to get lock : 1004
    Please let me know,how it  can be fixed.
    Thanks
    Mash

    Basis has unlocked an object in the database for us and the user/role/profile full synchronization job for oracle in GRC RAR is now running and completed successfully
    We scheduled full synch batch risk analysis job. But Job is failed due to ORA issue. 
    Below the Job log error message.
    2012-02-23 04:01:35 Failed Error while executing the Job for Object(s) :CDELACK:Batch rolled back. Caused by java.sql.BatchUpdateException: ORA-00001: unique constraint (SAPSR3DB.SYS_C00157225) violate... (see log for details)
    2012-02-23 05:40:20 Started Full Synch batch Risk ORA11IDEV started :threadid: 0

  • Rule Updates - Custom Risks, Multiple Systems

    We have CC 5.2 on SP8 connected to 3 ECC clients in our landscape. We also have a bunch of Custom Risks - both Conflicting and Critical action.
    If we update to SP9 to include ALL  Rule updates from Q2 2008 as indicated in Note: 1173980:
    will the Custom risks beginning with 'Y' be wiped out?
    and also will we have to update the applicability of the Risks to the particular cleints..now we have a subset of risks to Client A, a different subset applicable to client B and ALL applicable to Client C.
    Any information on how the Rule Updates via SP9 impact the current setup is appreciated.
    Thanks

    Thanks Simon,
    Will ONLY the Functions (TCodes, Object values) be updated and the expectation is to Generate the Rules again?
    Will any other activities have to be performed after applying the SP for Rule Updates.
    Thx

  • Transfer rules & Update rules

    hi gurus,
        what is difference between transfer rules and update rules? Can we do currency conversion in transfer rules? if yes how? if no why?
    as far of my knowledge i think tran rules are info object level and update rules are data target level.
    points are rewareded...
    thanks
    bw bw

    Hello,
    Transfer Rules:
    When we maintains the transfer structure and the communication structure, we use the transfer rules to determine how we want the transfer structure fields to be assigned to the communication structure InfoObjects. we can arrange for a 1:1 assignment. we can also fill InfoObjects using routines, formulas, or constants.
    Update rules:
    Update rules specify how the data (key figures, time characteristics, characteristics) is updated to data targets from the communication structure of an InfoSource. You are therefore connecting an InfoSource with a data target.
    For Currency Conversion, put a mail to [email protected]
    I have an excellent document which would be help ful to you.
    Thanks
    Ramu

Maybe you are looking for

  • Third party returns from customer to vendor (Urgent)

    Hi, We have an urgent requirement regarding an issue with third party returns from customer. The scenario required is as follows : When the customer returns the goods in Third party proccess the goods should be directly returned to the vendor instead

  • After installing itunes every icon on my screen becomes an itunes icon and no matter what you hit only the itunes page appears.

    I have a Dell 570 PC.  I use internet explorer and Yahoo.  When I finish installing iTunes every icon on my screen becomes an iTunes icon. No matter what icon I hit only the iTunes page appears.  Help

  • Prompts in Pre-built reports

    Does anybody know how the pre-built reports are made in regards to prompting? e.g. the top-10-oppty report: At top you have a dashboard prompt and underneath the report, which gets filtered by the values of the prompt. This analysis looks like a dash

  • Packet Loss to First Hop

    Hello, For about the last 10 days now or so I have been experiencing severe packloss which seems to be caused by the first hop my connection goes through. I exchanged my modem for a brand new one last week to no avail. and had an extremely helpful te

  • How do I upload PDFs to .Mac website with iWeb?

    Is there a way to upload documents such as PDFs to my .Mac website with iWeb and then link to them from iWeb pages such as Blogs? 17" iMac (Intel Core Duo)   Mac OS X (10.4.6)