GRC V10: BRFplus rule transport
Hi experts,
how is it possible to transport a brfplus rule.
we generate a function module via SE37 and afterwards the rule. Are the decision table and all brfplus rule settings in the transport of the function module?
Or should I transport the rule as well via brfplus? But there the "Transport" button is greyed-out, because of local object.
But the generated rule has still a local package in the settings, although the function module was assigned to a customer-package. As well I found a note 1624157, but this note doesn't work.
Any ideas?
Thanks a lot.
Alexa
Hi Alexa,
Yes brfplus rules will be transported along with function module, no need to transport separately.
First create the function module and assign to to customer package with transport request and dont forget to activate it. Once this is done select "Define Wofkflow-Related MSMP Rules" from SPRO -> Access Control -> Workflow for Access Control.
There select correct process id, rule type, rule kind, Rule id and in Application/Func. Group Name insert the function module which you have created and execute it.
Let me know if it fixes your issue.
Thanks,
Soman
Similar Messages
-
Good day,
OK, it seems that I am missing something with GRC 10. We are upgrading from CC4.0 to GRC 10. I believe I have everything configured through SPRO correctly. I can run a risk analysis on end users and I get results. I am now at the point where I put the mitigations into the system but I have seem to run into a snag. When I go to master data > Mitigation, I start to fill in the information but when I try to add a AC Owner I get "No Results Found".
I have tried adding a Owner to a risk and then going back, I have also added a user under "Access Management" tab with "Access Control Owners". I have reviewed almost every node in SPRO and I can not seem to find where I am missing something.
I am sure it is simple since I can not find any documentation on this almost anywhere. We are currently running GRC v10 SP5. We are only planning to use the RAR (5.3 term) portion of AC not the other part (Example: Risk Terminator). Please let me know if there is a simple solution to get a user populated in the AC Owner tab.
Kind Regards,
PaulSome of the GRC Roles ..
SAP_GRAC_ACCESS_APPROVER Role for Access Request Approver
SAP_GRAC_ACCESS_REQUESTER Role for End user
SAP_GRAC_ACCESS_REQUEST_ADMIN Role for Access Request Administrator
SAP_GRAC_ALERTS Generate, clear and delete SOD Alerts
SAP_GRAC_ALL Super Admin for AC
SAP_GRAC_BASE Base Role for all Access Control Users.
SAP_GRAC_CONTROL_APPROVER Create AC MIT control, approve, assign, alert and perform Risk analysis
SAP_GRAC_CONTROL_MONITOR Ability to assign MIT control to Risk and perform risk analysis
SAP_GRAC_CONTROL_OWNER Create AC MIT control.
SAP_GRAC_DISPLAY_ALL Display Access To All AC Objects.
SAP_GRAC_END_USER End User as a GRC Guest
SAP_GRAC_FUNCTION_APPROVER Approve Function for Workflow
SAP_GRAC_NWBC View Access Control Information Architecture.
SAP_GRAC_REPORTS Ability to run all AC reports.
SAP_GRAC_RISK_ANALYSIS Ability to Perform Risk Analysis
SAP_GRAC_RISK_OWNER Risk maintainence And Risk Analysis
SAP_GRAC_ROLE_MGMT_ADMIN Role Management Admin
SAP_GRAC_ROLE_MGMT_DESINGER Role Management Designer
SAP_GRAC_ROLE_MGMT_ROLE_OWNER Role Owner
SAP_GRAC_ROLE_MGMT_USER Role Management Business User
SAP_GRAC_SUPER_USER_MGMT_USER Super User Firefighter
SAP_GRAC_SUPER_USER_MGMT_ADMIN Super User Administrator Role
SAP_GRAC_SUPER_USER_MGMT_CNTLR Super User Controller Role
SAP_GRC_MSMP_WF_ADMIN_ALL MSMP Overall Administrator
SAP_GRC_MSMP_WF_CONFIG_ALL MSMP Overall Configurator
SAP_GRAC_RULE_SETUP Ability to define Access Rules
SAP_GRAC_SETUP Ability to setup Access Control
SAP_GRC_FN_BASE GRC - Base role to run applications
Hope it helps ..
Vikas -
WebServices in GRC v10.0
Hi all,
I have three questions to WebServices regarding SAP GRC v10.0:
1. Is it possible with v10 to check permissions via WebServices (SAPGRC_AC_IDM_*) only with the RAR component? In v5.3 it was only possible, if CUP was installed too.
2. Contain the WebService SAPGRC_AC_IDM_RISKANALYSIS in v10 a analysis of critical permissions? In v5.3 only SoDs and critical actions was checked.
3. What is the task of the parameter includeCrossSystemsAnalysis of the WebService VirsaCCRiskAnalysisService in v10? In v5.3 the value of this WebService has no impact to the SoD check (it SHOULD be:
includeCrossSystemsAnalysis == true ==> cross system SoD check
includeCrossSystemsAnalysis == false ==> single system SoD check
But doesn't matter what's the value of the parameter. There is always a cross system check. Has this changed in v10.0?
Regards
PeterHi Peter,
AFAIK the web services have not yet been published.
If you had the web service return violations without the requirement for CUP, what would you do with that information?
I hear that question a lot, I would really like to understand the ideas behind it.
To one of your other questions: cross system check is only possible for dedicated cross system risks. If there are no such risks defined, this will not yield any results no matter what the value of the parameter is.
Thanks,
Frank. -
Hi,
I need some information about implementing integration with SAP GRC v10 and SoD. Does anyone of you has any experience in that configuration?
We have only base information in SAP UM Connector doc and on metalink either. Dooes anyone work with SAP GRC v10 and OIM 11g?
best
mpSee if this helps:
http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
regards,
GP -
Hi,
we generated our own brfplus agent. But how is it possible to add more than one user ID to a rule result? We want to inform a group of userIDs.
We don´t want to use MSMP Approver GroupID for the scenario, because we have to make flexible approver results regarding the request details.
Any ideas?
Thanks for your help.
AlexaHi Alexa,
I'm theorising here but you should be able to have a separate decision table which actually lists the user IDs out and reports them into a new result key.
This would effectively be your CAD (in 5.3 terminology). You can then make your original decision table reference that new decision table to find the appropriate result (a list of User IDs rather than just a single entry). Alternatively, you could play with the other types of expressions (e.g. boolean formula etc) to directly work through the logic.
This could quickly end up being a complex over-engineered solution to a potentially simple problem so whilst it may be possible, I'm still not sure I'd go for it. I'd really look back at the core requirement and see whether it would be possible to manage with the direct users mapped or approvers group.
Simon -
Experts,
I'm currently in the process of converting a legacy SoD rule-set (non SAP GRC AC) to the GRC AC 10.0 rule-set template. This is a tedious process of converting the legacy rule-set to the AC text files (Business Process, Function Action, Risks, etc.), but wanted to reach out to the group to see if there is a better way to perform this task.
Also, is it possible to get the templates for the text files to confirm my understanding of the text files.
Any help is greatly appreciated.
Thank you,
KunalDiego,
That is extremely helpful, thank you.
My next issue is when I try to upload the text files - I receive an error " Transferred codepage does not match the byte order mark"
I'm not sure which of the files is causing the issue. Do you know if there's a table where it will say the file and location? In 5.3 as you uploaded the files it would provide you with an error and a line number.
Any thoughts?
Thanks,
Kunal -
Workflow rule transporting problem
Hi,
When i am trying to transport rule to from dev system to client system it is not getting copied can any body tell how to copy the rule data from dev to c systemHi!!!
Thanks for ur prompt helps. Actually instead of OBJECTID I was passing the Obj-key and not the OBJECTID. This was creating problem. But still dont know why it was creating the prob.
Anyways THANKS A LOT.
Regards,
Sudipto. -
FI rule transport with user exit
I'm transporting FI substition rule, there are two selection checkbox: logical rules and boolean class,
if I want to transport pre-requisite only, do I need to select logical rules only? what happens if I don't select?
if I want to transport also user exit under the substitution rule, should I choose boolean class and de-selct logical rules?
what should I select for each above two case?Hi,
Boolean classes and logical rules have nothing to do with pre-requisites and/or user-exit of your substitution. Logical rules is something you define outside the subsitution as additional feature.
Regards,
Eli -
For GRC 5.3 can I use the SAP GRC 5.2 rule set
We are going for an upgrade to GRC 5.3, I have a small concern here....
Can I use the same ruleset what I used in GRC 5.2 to SAP GRC5.3 ...?
because when I checked ruleset at permission level in GRC 5.2 it displays first object of an action from one function conflicting with first object of an action from another function, where as in GRC 5.3 it displays all objects of an action from one function vs all objects of an action from another function....
How will it impact analysis in GRC 5.3 with old rule set...?
appreciate your response & thanks in advance.Hi,
Here you will find the documentation to get Upgrade/Configuration Guides.
[https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718172&]
SAP BusinessObjects Governance --> Access Control ---> SAP GRC Access Control 5.3
There you will find a Upgrade guideline.
Cheers,
Martin -
SAP GRC AC: Organizational rules at Batch risks analysis and Dashboards
Dear All.
I would like to know GRC AC is able to consider the organizational rules defined (for example: risk only affected to Company, BUKRS 0001) at the Batch risks analysis and at the Dashboard. I already know that for the ad-hoc reporting you can filter by the Org.rules created but i would like to know if this filter is also able for the Batch risks analysis.
Thanks and regards.Dear all.
As per my knowledge this parameter only sets the flag of Consider Org.Rules at the filters. This is what the guide indicates:
"Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and
Role Maintenance screens."
So how are you so sure about that indicating this flag to YES will take into consideration the org rules at the Dashboards?
Regards -
GRC AC RAR rules not picked up
Hello All,
I am new to GRC AC and we have a sandbox set up. When looking at SRM a user that has SAP_ALL and is set up in the Java stack for open access. When we run the RAR for this user there are a number of the standard rules that are not showing up. I can explain away the ones that are cross system (ECC and SRM because we have not yet set up the Cross System to look at both) however there are a number of rules that are strictly SRM that are not being picked up can anyone explain why?
Thanks
MKHello All,
I am new to GRC AC and we have a sandbox set up. When looking at SRM a user that has SAP_ALL and is set up in the Java stack for open access. When we run the RAR for this user there are a number of the standard rules that are not showing up. I can explain away the ones that are cross system (ECC and SRM because we have not yet set up the Cross System to look at both) however there are a number of rules that are strictly SRM that are not being picked up can anyone explain why?
Thanks
MK -
Not able to upload SAP GRC 5.2 rules
Hi All,
We are in the process of performing the Post Installation steps of SAP GRC CC 5.2
While we are trying to import rule set the system is creating/scheduling a background job. In the log there is a warning regarding the URL
WARNING: Cannot get Application URL: null. PLEASE SET 'Background Daemon URL' IN CONFIGURATION TAB
Pls guide us as to how to import standard SAP rulesets witout getting above warning message.
Also I dont understand why the background job is triggered when i am still trying to import the rules.
Regards,
Kiran Kandepalli.Hi Kiran,
This is a common issue in GRC AC 5.2. Please follow the pre-implementation guide thoroughly which will take care of this issue. Look at the last section in the guide. Here is the link:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0079de64-f5f1-2910-3688-b16619da82fb
If this does not help, please follow OSS note # 999785 and 1176262.
Regards,
Alpesh -
GRC 10: Default Rule sets
Hi All.
i am wondering whether we have default rule set for GRC10 as we found with GRC 5.3. Where do I find them in GRC 10 software download?
rEgards,
FaisalIn GRC10 default rule set are available by BCset :
GRAC_RA_RULESET_COMMON
GRAC_RA_RULESET_JDE
GRAC_RA_RULESET_ORACLE
GRAC_RA_RULESET_PSOFT
GRAC_RA_RULESET_SAP_APO
GRAC_RA_RULESET_SAP_BASIS
GRAC_RA_RULESET_SAP_CRM
GRAC_RA_RULESET_SAP_ECCS
GRAC_RA_RULESET_SAP_HR
GRAC_RA_RULESET_SAP_NHR
GRAC_RA_RULESET_SAP_R3
GRAC_RA_RULESET_SAP_SRM -
Hi Friends,
I would like to transport all my alert rules configured for my scenario at RTW of QUALITY system to PRODUCTION system. for that i found 2 options.
1. Manually enter the alert rules in RTW
2. run the report "SXMSALERT_CONFIGTRANS".
in option2: i run the report and transport request created. it shows message as "transport enrty written. alert no: ABC1234".
So now my doubt is: will this report transport all teh alert rules configured in RTW to PROD? my requirement is i need to transport only my scenario related alert rules....(out of 200 alert rules in RTW, only 10are related to my scenario and i need to transfer only those 10).
Best Regards,SARANHi SARAN,
Transport Alert Categories
Go to ALRTCATDEF (In DEV) --> Transport (In TOOLBAR) --> Current Alert Category --> Create a Customizing Request and note down your request number
Go to SE09 (In DEV) --> Check customizing request and Modifiable --> Choose Display Button --> Go to your Request number --> and release the sub node and then release the request.
Go to STMS (In QA) --> Import --> Import your request
Transport Alert Rules
Create a workbench transport request manually with transaction SE09. Delete the corresponding unclassified task of that request. Double click on the transport request and click on button 'edit <-> change'. For Program ID enter R3TR, for Object Type enter TABU and for Object Name enter SXMSALERTRULES.
Now click on the button with the key symbol (located under 'Function'). Click on 'Insert row' and enter * for table key. Save the request, release it and import it in the target system.
SAP Note 1110295
/people/santhosh.kumarv/blog/2011/02/03/know-how-to-transport-only-the-required-alert-rules -
Cube update rules transport failing-urgent
Hello All,
We had a set of TPs created for our project. All went well to the QA system. But when we tried to move these transports to the PROD, first we had a set of TPs failed, all related to the activation of the update rules of the cube we have. We found that this happened ( I think so) because we missed sending changes of a few display attributes, changed to Navigational attributes, to PROD. These navigational attributes are used in the cube. Even after sending the changes of display attributes to NAV attributes, still the TPs are failing. We tried activating the cube update rules by creating new TP and transporting to PROD. But the TP failed. As nobody in us have the authorization for activating the update rules directly in PROD, we are facing the problem. We are in doubt even if we create another new TP for activation of the UR, we may still fail to activate the UR.
Can anybody help me with this.
Many Thanks in advance
VinayHello Dinesh,
When I recreated transports, I included the cube and its update rules in 2 transports. All other object, like the infoobjects changed/created, Navigational attributes are already in production box. When I sent the TPs with cube activation and update rules activation, the TP with the UR activation failed again.
Hi Siggi,
When I try to open the update rules in PROD, I am unable to open and I get a message that there is error in UR coming from the data mart infosource to the cube.
Could you please suggest me something more.
Thanks a lot
Regards
Vinay
Maybe you are looking for
-
Both DVD drives open in bootcamp
I'm running bootcamp on a MacPro with dual DVD's. When I use the keyboard to open the top DVD drawer, BOTH of them open, first the top, then the bottom. That's going to make it inconvenient to use the DVD drives separately. BTW, neither of them close
-
How to create new database?
In the "Oracle ODBC Test" client app, when I try to create a database with ... create database swett ... I get the error "ORA-01100: database already mounted" error. Why? I can create a table with: create table mytable .... and it builds it in the SY
-
4507R Supervisor module question
Hi everyone, I am getting the following message when I try to configure the gig1/2 interface which is on Sup mod 1 of my 4507 switch. router(config)#int gig1/2 % WARNING: Interface GigabitEthernet1/2 is usable/operational % only when this is the only
-
Where can I get glibc version 2.0.6 or above
Would anyone know how/where to download glibc version 2.0.6 or above? Thanks. null
-
RegTask: Failed to send registration request message. Error: 0x80040231
Hi, i am getting the below error ClientIDManager.log RegTask: Failed to send registration request message. Error: 0x80040231 RegTask: Failed to send registration request. Error: 0x80040231 Error initializing client registration (0x80040222). Please l