GRC Ruleset for Logistics (IS-D, IS-M)

Similar Messages

• GRC  RuleSet Upload for SAP 5.3

  All ,
  As a background , we are running on SAP GRC 5.3 Version . When we initially Installed SAP GRC , we created a Ruleset "SAP Rule Set " based on SAP Provided Functions & Actions. Then we created one more Rule set for Client named "GLOBAL". On Course of time , we lost SAP RuleSet , as Global Ruleset was somw how copied to SAP Provided Ruleset
  Now , we need to have a fresh SAP RuleSet for comparison purpose with Customer Rule Set "Global ". We got the files from SAP GRC Folder
  1) If we upload this Files whether it will overwrite all Available Ruleset in System , (Client Specific "Global "& SAP RuleSet ) or do we have an option just to upload to only one Rule Set . We dont want "Global" Ruleset to be overwritten ?
  2) Also , Can you please tell me the steps which we need to perform to get thet SAP Rule Set Updated ?
  Thanks ,
  Jerry George

  Hello Jerry,
  1) This point has been discussed so far in the forums, for example:
  Loading multiple rulesets?
  GRC AC Rule Sets
  2) There's no automatic procedure. check here:  Note 1604722:
  Customers that have implemented Risk Analysis and Remediation should have customized the ruleset to meet their business requirements. Therefore, changes to the SAP best practice ruleset cannot be systematically updated via SAINT as it would potentially overwrite this customization.
  However, customers may want to evaluate the changes incorporated into the most recent SAP ruleset to determine if the changes should be added to their own ruleset.  Any modifications the customer desires to make will need to be manually made by the customer via the Rule Architect feature of access risk management.  The configuration guides available on SAP Service Marketplace provide detailed instructions on how to update rules via the Rule Architect.
  Cheers,
  Diego.

• GRC 10 want to extend our ruleset for use by another connector

  Hello.   We migrated our RAR ruleset from 5.3 to 10.0 and it is working for on our original connector (our SBX).  Now we would like to use that same ruleset for a new connector (our QAS).   I do not see a way to do any mass maintenance for this.  There is a mass maintance for functions where I can add a new system, but it appears I have to do it one function at a time. Is there a better way?  I thought about transforming my original export files to modify the connector name, but wasn't sure if that would work since connector isn't one of the fields offered for transformation.  
  Would appreciate any suggestions from the experts!

  Interesting suggestion about logical system.   As for your other suggestion, I do not see an option to "download SOD rules" offered in SPRO -- only "upload SOD rules".  Hmm.   I found on Idea Please this has been logged as an enhancement:
  https://cw.sdn.sap.com/cw/ideas/4448
  In the meantime I figured out how to load. I took the export files created in 5.3 and manually modified (witha global replace in Notepad) the connector then ran GRAC_DATA_MIGRATION for only the FUNCTION_ACTIONdata.dat and FUNCTIONAL_PERMISSIONdata.dat (append mode selected).  Then I generated the ruleset, and that seemed to do the trick.   Thanks for your input!

• Include Custom transactions  GRC ruleset

  Hi Everyone,
  Can anyone please tell me the best strategy of including the Z & Y transactions in GRC ruleset.
  Our SU24 is not maintained , however I have run a program to get all the authority check for these Z transactions 
  and also segregated them based on business process , we have over 600 custom transactions  and they re compltley customized ones , they are no SAP standard programs in it.
  I have all the authority checks in place for these Z-transactions , now the question is how to group them under relevent fucntions
  I have used  following stategy  but it wasnt much helpful suign the CDHDR & CDPOS tables .
  since these are completley customized the change object they update  in CDHDR table  is being updated by another Z transaction .
  so I am bit lost , I am only left with an option of creating new fucntions. which is quite tedious
  any help would be much appreciated
  Best Regards
  Jhon

  Hi Jhon
  Deleting the standard ruleset takes about 1 minute if you obtain the script from SAP Support.
  If you do NOT delete the standard ruleset then
       To add your Custom Tcodes to existing functions you should use the Rule Architect, if you try to load (using the upload files) new versions of functions that already exist the results are not always as expected, eg: the functions existing content will be deleted
       You will NOT be able to overwrite existing risks using upload files, therefore you will be forced to use rule architect, however, new risks can be uploaded using the upload files
  If you do delete the standard ruleset then
      Add the new Tcodes and functions/risks etc into the upload files and upi do not need to use the Rule Architect
  There is no hard and fast rule as to when you should andshould not use Rule Architect and when you should revert to using upload files.  However, my rule of thumb is if I have more than 100 changes to make then I use the upload files option.
  However, the upload file option can be frustrating as the files have to be perfect in terms of syntax to load and a single space can cause the file to fail and this can be an issue to debug the file

• New Z tcode which calls BAPI - add this to GRC RuleSet

  Hi,
  There is a development currently underway in house where a z transaction has been created which calls the BAPI:
  BAPI_ACC_GL_POSTING_POST
  I have been asked to add this transaction to the GRC RuleSet but i don't think there's any point in doing this yet as i don't feel the z transaction is calling an authority check in the right way.
  When i trace the test user, or check the transaction in RSABAPSC, i cannot see any posting activity taking place i.e. i cannot see ACTIVITY 01 being called anywhere.
  The developer added the FM Z_AUTH_BUKRS_FROM_BUKRS at my request but i think he should go further and add a check with an ACTIVITY 01. Only then will GRC be able to properly analyse this tcode for SOD violations because as-is, it's not calling enough.
  I hope i have explained this in enough detail.
  Has anyone come across an issue like this in the past? Any advice greatly appreciated.
  Regards,
  Colin

  Hi Colin
  You can still define your function but you do need to clarify what the checks should be. At the moment, your function defintion would be the S_TCODE for the Z transaction.
  However, if you just define it like that and there are additional checks then you increase the level of false positives. If there isn't then you are right that the code still needs to be hardened
  As you have mentioned a Z authority check none of us can comment on the security. Did you run a security trace on the Z transaction with the BAPI to see what is checked? How has the developer coded the authority check.
  I would push back if there is insufficient checks from a security point of view. But if the Z transaction activity forms part of a risk and is available to end users you should capture it and then start the remeidation/mitigation processes.
  Regards
  Colleen

• Uploading Critical Permissions in GRC Ruleset

  Hi Everyone ,
  I am trying to upload the critical permission for my GRC Ruleset and need some guidance here. I have already uploaded all the files and my system can perform risk analysis for SOD and Critical actions .
  Now I have identified the critical permissions for my system and have created the Function_action as well as Function_permission notepad files for upload. I have replaced the tcode information in these files with ^! so that system understands that its doesnt have any action. I just kept all the function id's and have added all the Auth objects with replacing tcode tab with ^!.
  I just want to confirm if uploading these files would make this work or if there is any other step that is required to have this work.
  Thanks guys for all your help .. Appreciate your guidance.   
  Vikas

  Hi Raghu ..
  Thanks for your reply .
  I am not modifying any SAP delivered xml files , i was just trying to make changes to my rule set to have critical permission added to it.  This issue is now resolved however let me explain so that everyone our here in forum is aware of the procedure.
  I was trying to upload these critical permissions in GRC 10 Box . Manually creating 100+ functions and then creating risks mapped with them doesn't make sense as it would have taken a lot of time so i updated my existing rule set to have these critical permissions updated .  I exported my rule set from the system and added new function's to Function_action and function_permission data with " ^! " in place of Tcodes so that system doesn't consider this value while doing the analysis at critical permissions file . After updating my existing rule set i used the Overwrite option as my ruleset has my existing working functions plus the changes that i have made to include critical permissions. So  , Its working fine now and i was able to do the analysis .
  Sap Note 1225227 was very helpfull here.
  Vikas

• MTO - For logistics purpose - Effect in COPA

  Hi,
  We have a MTO scenario maintained for logistics purpose. A production order is created with reference to a Sales Order, wherein 2 or more FG are fabricated. These FG are issued to sales order as special stock. Consumption of FG is posted at time of such issue.
  Header material for the production order does not have any cost.. neither MAP nor Std cost as the inputs for such material are variable.
  Sales order is created with reference to this header material. Sales order costing is not done.
  Now we have to implement COPA, how would the COGS can be captured for this sales order. VPRS condition cannot find anything.. neither Valuation as no std cost estimate
  Please give your valuable suggestions.

  Hi,
  the given situation is just like another Make to stock scenario except that it will have products tracking to
  Sale Order.
  in this case, you must have Standard cost estimate being done and released to Material master. without that, the process does not completed.
  In this case only VPRS condition type need to carry the cost to COPA (nothing else).
  Please change the understanding of the people about this scenario.
  Best Regards
  Surya

• NO Ruleset for GENRAL\96A available (EDI to XML Conversion Error)

  Hi,
  My Scenario is Inbound EDI Scenario. I am facing problem during conversion of EANCOM to XML .
  Control Key Scenario Association part with the EDI Content Manager is filled in properly. we are not doing anything in the above Control Key
  Scenario Association part .Because whatever we are saving we are not able to see in the screen. Please find the below screen shot attached.
  XSD produced from B2B Integration Cockpit was being used in the ESR.
  No Acknowledgement Enabled.
  We have checked with the possible option in the below blog.But not working
  http://scn.sap.com/thread/3309007
  Regards,
  Prem

  Hi Dmitri/Ruchir,
  By mistake I have uploaded  Message Type ORDERS screen shot with Message Protocol EANCOM,but my actual one is Message Type GENRAL with Message Protocol EANCOM only
  The combination of message type and version specified in the UNH segment is not maintained in the tables?
  the above mentined EDIFACT\EANCOM seems different issue.
  Message could not be forwarded to the JCA adapter.
  Reason: com.sap.aii.adapter.ediseparator.ra.integration.DispatchException:
  Message cannot be dispatched: Message cannot be dispatched: Error Occured :
  Error in conversion of GENRAL/96A-Edifact-Document at character 1489 to XML:
  java.lang.UnsupportedOperationException: No ruleset for GENRAL/96A
  available.
  MP: exception caught with cause
  javax.resource.ResourceException:
  com.sap.aii.adapter.ediseparator.ra.integration.DispatchException: Message
  cannot be dispatched: Message cannot be dispatched: Error Occured : Error in
  conversion of GENRAL/96A-Edifact-Document at character 1489 to XML:
  java.lang.UnsupportedOperationException: No ruleset for GENRAL/96A
  available.
  Exception caught by adapter framework:
  com.sap.aii.adapter.ediseparator.ra.integration.DispatchException: Message
  cannot be dispatched: Message cannot be dispatched: Error Occured : Error in
  conversion of GENRAL/96A-Edifact-Document at character 1489 to XML:
  java.lang.UnsupportedOperationException: No ruleset for GENRAL/96A
  available.
  Transmitting the message to endpoint <local>
  using connection File_http://sap.com/xi/XI/System failed, due to:
  com.sap.engine.interfaces.messaging.api.exception.MessagingException:
  javax.resource.ResourceException:
  com.sap.aii.adapter.ediseparator.ra.integration.DispatchException: Message
  cannot be dispatched: Message cannot be dispatched: Error Occured : Error in
  conversion of GENRAL/96A-Edifact-Document at character 1489 to XML:
  java.lang.UnsupportedOperationException: No ruleset for GENRAL/96A
  available.
  if you need mu input payload please let me know
  Please suggest me.
  Thanks
  Prem

• Basic configuration in GRC 10 for portals

  Hi Gurus,
  Could you please tell me the basic configuration details in GRC 10 for portals.
  Thanks,
  Mukesh

  Hi Mukesh,
  You can refer to https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361…
  However there is no such guide on Portal integration with GRC, you might need to follow below steps:
  1- Create one HTTP type RFC connection between GRC and Portal system.
  2- Create System Alias in portal system for GRC system
  3- Deploy the GRC Portal content in Portal system
  5-Portal content comes with 5 work-sets and one security role.You can assign the portal role that comes with the Portal content to user in Portal and also GRC roles to the same user in GRC system.
  Hope this helps.
  Regards,
  Ameet

• T.c FF7B: planning levels for Logistics

  Hi All,
  With reference to the Report FF7B and the CM data from Logistics,
  I've defined the  planning levels for logistics and the others steps under the CASH MANAGEMENT menù of SPRO.
  But the report FF7A doesn't prodide me the logistic data... are there other customizing steps out of the CASH MANAGEMENT menù of SPRO.
  Thanks

  Hi,
  If you have done the config as mentioned by Kalyan, i.e. define planning groups, assign/link them to planning levels and assign the appropriate planning level in customer/vendor master data either you run FF7B (for liquidity forecast) or even you can run FF7A, but need to tick the check box for liquidity forecast.
  thanks,
  Kumar

• Define Planning levels for Logistics (Liquidity forecast).

  Hi Gurus,
    I am defining planning levels for logistics for my client inorder to see the purchase order items in liquidity forecast report FF7A/FF7B but I can only assign one vendor planning group to M2 as my requirement  requires all vendor planning groups to be assigned to M2 to see all the purchase orders items for all the vendor planning groups. Does anybody has any idea how do we assign?
  Thanks,
  Bob

  Hi Nirmal,
    I think that is for displaying per cash management group but thanks nirmal for replying.
  Regards,
  Bob

• DO porcess for logistics

  Dear all,
  I am mm consultant ....
  We need to develop DO (Delivery Order for logistice dept. ) facality from supply location.
  client requirement is follwing
  Delivery Challan: This will be generated from depot and will be linked to SO. Every vehicle should carry this and customer acknowledgement should be obtained on the same
  Transportation details: We would like to have vehicle number and LR number as active data fields (today it is fed as text field). Also, these details should appear in Invoice summary report.
  Please guide me for the same.
  Thansk in advance.

  Hi
  You Can achieve this by maintaining Route Scheduling  with POD in Logistic, take the help of your SD Consultant to configure it. By this you can achieve your Goal.
  Regards
  Shambhu Sarkar

• JLin ruleset for Portal

  Hi,
  The Developer Manual on help.sap.com talks about a JLin ruleset for Portal development (http://help.sap.com/saphelp_nw04/helpdata/en/78/023c41325fa831e10000000a1550b0/frameset.htm), which should be available on SDN. I think it has been here indeed, but I cannot find it anymore...
  Does somebody have more info on this topic?

  Nobody?

• Demos for logistics an hcm KPIs on dashboards

  hi gurus
  i have to build a demo for logistics and hcm KPIs on xcelcius, does anyone of you know some website to download some dashboards? i m using the ones tha came like templates but kinda they r some simple and i have no so much time to build some.
  regards
  JAV

  Hi JAV,
  Refer below links for demo dashboards.
  [http://www.businessobjects.com/campaigns/esri/demos.asp]
  [http://www.sdn.sap.com/irj/boc/xcelsius-samples]
  Hope it helps you.
  Regards,
  Nikhil Joy

• Help requires_A Safety Belt for Logistics Extraction Queues

  Hi All,
  I have read the Blog "A Safety Belt for Logistics Extraction Queues" and it is very useful for taking the backup data from Extraction Queue.
  I have a set of Queues related to this BLOG.
  1. Suppose, i have created the Backup table for the Particular Application (Ex 03).And i am scheduling the Job from the JOb Control of LBWE.Will it pull the data from Backup table or with the Standard Table. How can i pull data based on our needs.
  Pls suggest on this.
  Thanks,
  Jelina.

  Dear All,
  Anybody has tried performing the Backup of LBWQ data in ECC. How to pull data from backup table to RSA7.
  Pls suggest.
  Thanks,
  Jelina.