GRC Rule Set Updates

Similar Messages

• Multiple GRC rule set update

  we are having a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definition to be loaded in GRC. If we try to upload rule set B risks and functions via Upload function in GRC, would it overwrite the rule set A, or not.Just wanted to confirm whether existing rule set A would be affected or not, due to upload of rule set B.

  Hey Alpesh,
  Sorry, I haven't understand it correct. This is a question that will always be asked in the train.
  You wrote:
  "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
  Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
  What's about with the ALL.txt files, do I have to change/upload them as well again?
  Thanks for feedback,
  alwaly a pleasure!
  Greets
  Martin

• Access to update the GRC rule set is limited

  Hello - What is the process (tcode) to see who has access to update the GRC rule set?
  Thanks!

  Hi Sam,
     What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
  The process to change a rule set is as below:
  1) Creats Function
  2) Create risk
  3) Create Rule
  Regards,
  Alpesh

• Rule set Updates

  We started with Virsa CC 5.1 in 2006 now we are using CC 5.2
  If I go to the SAP Note 1173980 u2013 Q2 2008. Do I find all the Rule
  Updates from 2006 to 2008 or we need to implement all the below Virsa
  Rule updates.
  1061380 u2013 Q2 2006
  1035070 u2013 Q1 2007
  1083611 u2013 Q3 2007
  1173980 u2013 Q2 2008

  HI:
  You need to review each set of updates, and determine if they are applicable for your system.  Each subsequent rule set update issued does NOT include previous entries.
  It is up to each client to customize entries in the updates per their own requirements, but just taking the last one, means that you may miss some of the important updates in previous updates.
  Margaret

• GRC - Rule Set Library

  Hello,
  Does the GRC deliver rule set library for compliance calibrator? If yes, how it delivers this package, is it includes in the installation of the package itself or separate one. What are the factors do we need to consider when customizing or modifying the standard library to accommodate to any client requirement?
  I appreciate any help on this.
  Thanks in advance!
  Eric

  Each customer is unique therefore their ruleset should be unique.
  Afterall how can the out of the box ruleset meet all of the Internal Control requirements for all different industries in all countries for all legislations for all versions of SAP, it can't!
  Your next question is how long does it take to build your own ruleset, I have clients that have take 2 weeks and others that are still working on it after 15 years!!
  The most important people to include in your ruleset review process are:
  External audit
  Internal audit/Compliance
  Business Process Experts
  without these people on board you will design a ruleset and remediate/mitigate issues that are not actually considered to be issues!!

• Rule Set Update - Transactions Missing

  Hello,
  I’m having an issue when trying to add a transaction to a critical rule which is part of a logical system. When I look up the transaction
  against the logical system I can’t find it. But when I look it up against one of the connectors in the logical system I can find it. Any ideas why? I’ve run
  all the sync and regenerated the rule set. I’ve also double checked that the connector is part of the logical group.
  Thanks,

  Hi Colleen thanks for the response.
  I swear in the past you were able to pull in the transaction from the logical system but I can’t remember unfortunately. The person who built this rule set must have added these custom tcode when they did the initial upload. That must be how they were able to put them under the logical system?
  I’m wondering though, If I pull a transaction in from a specific connector won’t it only run against that connector when doing analysis? That seems odd since the logical system is to avoid that! How did you handle it? I also found that since the transaction was copied and pasted into the rule set that it’s not being analyzed during analysis.
  Maybe I can’t search on the logical system since the transaction doesn’t exist in both ECC systems I have grouped under it?
  I am on SP 13 now.

• Updating rule set in CC from SAP

  Hi - if anyone can help with this issue - I'd greatly appreciate it.
  We loaded CC 5.2 last year and loaded all of our custom transactions to the appropriate functions.  However, since then, there have been changes to standard and custom transactions (in the authorization objects) and those changes are not showing up in the rule set.  (we added new authorization objects)  Is there a way to have the rule set update automatically with these?
  We are running the two SAP jobs that export the texts and objects and then we have two jobs running daily in CC to bring in from those files.  We then have a full system sync running daily.  Updates are still not coming in.
  Any help is appreciated!
  Thanks,
  Elizabeth

  HI Elizabeth,
  When you say you have added new Authorization objects, do you mean to say that you have added to the roles?
  I strongly recommend to go to SU24 tcode and check whether the new Authorization objects are properly Check/Maintained to the respective Tcodes.
  Also merge all the new authorization data in all the roles and regenerate them.
  Also you need to update the rules once the above steps are done.
  Regards,
  Kiran Kandepalli.

• Updating Compliance Calibrator Rule Set

  The business has decided to change a few rules by removing a couple of custom tcodes from the rule set.  In DEV I go into the Function and remove the objects associated with the tcode and disable the tcode.  After running the rule set update there is still some sort of tie.  I have created a test ID in DEV with a known issue around each of the changes.  I'm not getting a different result when running compliance calibrator.
  Any ideas?
  We are running R/3 4.6C and compliance calibrator 4.0

  Can you please check the following demo?
  [Virsa Compliance Calibrator Application for SAP v5.1 Demo|http://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/d2f1cf9c-0d01-0010-2dac-aedd3c4f7f5b&overridelayout=true]
  Please give more details on the step where you got stuck.
  Regards,
  Dipanjan

• FBL5N - in Rule set - It is a Display customer line items

  Dear All,
  We observed that FBL5N - Display customer line items in Standard SoD rule set under function AR07  addressing a risk of S022.
  Unless there are t-codes of FD03 or FB02 this t-code does not allow to change the payment terms of the customer.
  We are having a challenge from the client that FBL5N is a display t-code and why it is there in rule set.
  Has anybody came across this scenario? If yes, what is the underlying risk for this FBL5N independently.
  Is there any SAP Note for this t-code like ME23N from SAP.
  Thanks and Best Regards,
  Srihari.K

  Hi Christian,
  We checked the authorization objects as well enabled in GRC rule set as below:
  F_BKPF_BUK - Docume t Authorization document for company codes - 01 or 02 - Enable.
  Inspite of this access, FBL5N cannot be used to change the document for payment terms and assignments without FB02 t-code
  assignment in the role.
  Independently FBL5N cannot be used for any change or create activity except Display customer line items.
  Please advise
  Thanks and Best Regards,
  Srihari.K

• Non existing value EC for M_BEST_BSA / BSART used in rule set

  Hello,
  while implementing the 2010 rule set updates into our system, we realized that there is a value used that is not existing in the system.
  It is for object M_BEST_BSA, field BSART. The value is EC.
  In the rule update document from Q2 2010, there is the following comment:
  5. PR02 u2013 Maintain Purchase Order u2013 Upon review of this function with the rules mini-council, the decision was made to remove document type from the rules.  Previously, we delivered document types EC, FO and NB with our rules.  However, the majority of customers create custom document types for purchasing.  Many customers did not customize the rules, which results in only those users that had the standard EC, FO and NB document types being reported as having a risk.  Users who had the custom document types would not be reported, which results in false negative reporting.  Therefore, the decision was made to remove document type from our delivered rules.  This will force each customer to review their document types and edit this function to include all relevant document types so all users who have a risk are shown.
  However the value is still enabled in function PR04, even though it is not a valid value for field BSART. It is not existin in table T161, which holds the PO document types. It does not seem to exist since at least release 4.6C
  The value is inherited from the transactions ME28 and ME29N
  Does anyone know what it is about and why the value still is considered a standard value?
  I know this does not give me false conflicts, as the BSART values are used in condition OR.
  Why is the value not just removed, if it is not a valid value at all?
  edit:
  Sorry, forgot to mention, we use CC4.0 in an ECC6.0 system
  end of edit:
  Regards,
  Thomas Schaeflein
  IBM
  Edited by: Thomas Schaeflein on Jan 26, 2011 4:14 PM

  Start by saying bump.
  I've still no word from Adobe if they are doing anything with
  this problem. Any one had any replys from Adobe on it? Any one
  found a work around with recoding queries?

• GRC role set documents for auditors

  Hi,
  We have installed GRC5.2 and Iam looking for GRC rule set documents.I could not find in service market place, what i found was Installation/config/migration which was not helping me anymore.
  Can some one guide me hwere to find GRC rule set docs?
  Appriciate if you can help
  - Lisa

  Hello Lisa,
  You are welcome.
  1. I would not say it would be exactly a document that you would get from GRC server but you can create a saparate login for the auditor when he comes to  review your system, much like you do in SAP R/3 and he can see from there what information he wants to get out of your system. There are change histories and request histories in the tool itself which he can explore to get what you wanted to create a document for.
  2. Regarding the post installation steps, I would advise you to go through te documentation for the same which is available on the SAP portal. It differs from installation to installation and would be not possible to explain it all here in the forum as it has many aspects to it. Also, the guide has step by step explanation for various tasks, none of which should ideally be missed or skipped for an efficient implementation, which can be the case otherwise if you just take a note of the points only based on forum posts.
  3. Not sure of the program for training, though SAP does not have the certification for the GRC AC till date for sure, as I had enquired in the SAP TechED 2008. Or maybe you can drop a mail to the trainings department with SAP to check the same and get the sure info, which we would like if you could share with us too.
  Thanks.
  Regards,
  Hersh.

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• Mulltiple Rule Sets in GRC 10.0 for one System

  Hi All,
  We do have 2 different companies working on one system and by that 2 different rule sets that are applicable.
  Due to that we are facing different problems we don't know how to solve yet but lets start with the first one dealing with the rule set that should be used in the access request.
  We want to determin which rule set should be used over the requested role (e.g. if role name contains 0001 use rule set 0001, if role name contains 0002 use rule set 0002).
  We have alerady tried several different senarios in BRF+ without success.
  Does anybody have a solution or at least an idea for this topic?
  Thank you all very much in advance!
  Eva

  Hi Ashish ,
  Thanks for your time . Let me explain you my requirement and would really appreciate if you would have some inputs here which would help me to design this .
  The actual client requirement is to design a CUP Workflow and If there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If this group decides to apply mitigating controls to the issues, the workflow must then go to the compliance group for them to review for appropriateness. Requirement is do a SoD analysis for every role change/add request , so that this group takes the appropriate action based on the SoD Analysis . For all my CUP request raised , i want system to do a SoD analysis and let this group know whenever there is a SoD found or just end the workflow if there is no risk.
  I am aware of the Risk analysis process for GRC 10.0 , however i want it to happen as a part of this work flow requirement.
  The requirement is to configure the access request work flow so that the end goal of work flow is just facilitation of an SOD review.  I hope i was able to explain my requirement . Thanks again for your help.
  Your valuable guidance would be really appreciated.
  Vikas

• Access Control Rule Set deletion in GRC 10

  Greetings,
  Has anyone tried deleting rulesets or have experienced any issues while deleting rule sets in GRC 10. I have tried to delete them from SPRO as well as from Setup Tab in Access Control , however its not working for me . Even in SPRO , after chooseing the physical system and logical system infromation , it stays on that screen for ever and nothing happens.
  Any help or guidance here will be much appreciated.
  Thanks everyone for your valueable time.
  Vikas

  Hey ,
  There are no tricks or tips.  It was something stupid on my part.
  I Just had a look at the system again and found a function left in the system which was mapped to this Ruleset , so that was the only i was not able to delete the ruleset . As soon as i deleted that function , it worked .
  So i was able to delete the entire rule set after deleting all the risks and functions mapped to this rule set.
  Have a great day ahead ...
  Vikas

• Rule set migration from GRC 5.3 to GRC 10.0

  Hello everyone,
  I ask you this question: if I want to migrate from GRC 5.3 to GRC 10.0, can I keep my old custom rule set with no modification or I have to make some changes to it to import in GRC 10?
  Thankyou in advance for the answers
  Greetings
  Gianluca
  Edited by: Gianluca Mocini on Apr 1, 2011 5:33 PM

  Hi,
    The migration utility is very simple. You install it on GRC 5.3 box and then select the items you want to migrate. It will generate tab limited text files and you can use those files to import data into 10.0 box.
  Regards,
  Alpesh