GRC10 - SOD Function

Hi,
We have just done a migration and have a custom rule set for a kick off. We have rules that were imported and now we have the old system still defined to it when viewing it through the UI… OK, I want to do a change on this in mass format moving it from my old system PRD to the new one LAB. Has anyone done this through the back-end before?
Cheers, Melvin

Hi Melvin,
If the ruleset is exported from say RAR 5.3, at the export, where you have "PRD" as the Source, you just need to put "LAB" into the destination column next to it. This will seamlessly export the existing ruleset out with the new system connector against it instead, so it can be migrated over by importing it back via Rules Architect > Utilities > Import.
Alternatively, you may even want to consider uploading the ruleset again in the form of the original upload template files, but with any of the updated functions and risk definitions defined within them.

Similar Messages

  • [NEW] [IMAGES] Adding the ability to preview/live edit the source code.

    If the Muse Team added this, they could relax and not worry about adding so many other features.
    Sure, you can do this already in your browser. But it's not really a dynamically edit thing.
    Here, let me demonstrate.
    You could navigate (or shortcut) to a new button, as you can see below.
    Once clicked you will get a dialog to choose preset program, open your own, or exit.
    As you can see above, if the user does not have Dreamweaver, it will be greyed out.
    You could probably guess what the dreamweaver would look like, but the muse editor may look like this.
    Maybe even some html tags in button form
    Of course, it would have content in it, including the <html> structure, including <head> and <body>
    Why add this? Well...
    Since Adobe Muse doesn't support all the features of the internet, you can easily add it here yourself! Until they add a button of course.
    Then the Muse Team won't be so rushed to get all these features out.
    Really hope they add this.
    Also, they could touchup and make it look nicer, I just did some quick photoshop.
    Note: We kind of have this already, though we can only edit the header... sort of...
    This could be already done by exporting the html, opening it in a text editor, editing the code, somehow adding it back to muse, and realizing that you forgot some code, repeat.
    But that is too long of a process, this request is much easier.

    Most Segregation of Duties (SOD) functionality has been moved to AACG. From my understanding AACG's job is to handle SOD across platforms (EBS, PeopleSoft, HFM, etc.), the visualization was probably moved to the AACG product and that's why it's no longer in the PCG product. Out of the box AACG can connect to EBS and Peoplesoft, you can build connectors for other platforms to manage SOD controls across these different systems. Because AACG is no longer an "EBS only" product, I believe the need to use AACG for all approvals/SOD functionality is required.
    Think of AACG as your SOD workbench, where you can simulate SOD access, model controls, create controls, remediate incidents, etc. Between LogicalApps (5+ years old) and the new Oracle GRC products, there has been some migration of features to newer products.
    Don't forget, if you feel you need a feature in a certain product (even if it has moved), you always have the ability to request it via My Oracle Support. I hope that has helped in understanding what direction the products have taken.

  • SoD Analysis with Portal functions

    Hi all:
    Can anyone point me to a place where I can find information on the process of creating SoD rules for Portal functions?  We want to perform SoD analysis on Portal functions which do not necessarily have transaction codes.
    We have iviews that we have restricted by role placement, very basic.
    However, we would like to be able to analyse SoD based on Webdynpro execution.  Is this possible and if so, how can we do this?
    Thanks,
    Margaret

    Hi Margaret,
    the Portal SoD Analysis is either based on UME actions or iView names, that's it.
    Here you will find a guide:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed
    Best,
    Frank

  • GRC53 Rule Set Migrated into GRC10

    Gurus, has anyone encountered the following situation. We migrated our 53 rule set into GRC 10 using the Migration Tool. On the surface all of the rule objects seem to move across as they should. We then began to run our risk reports. We noticed that for the same user, in the same backend ECC system, we get varying results from our 53 Rule Set which is in our GRC10 system vs the 5.3 Rule Set executed from our old 5.3 system. We see more violations returned from our old 5.3 system; entire risks are not reported from the GRC10 system.
    Consequently, I began reviewing the functions (actions/permissions). I picked a specific risk that was returned by the 5.3 system and reviewed it, line by line - comparing the 53 Rule Set in GRC10 against the 53 Rule Set in the 5.3 system. Everything lined up, with the exception of the activity values. In the 53 Rule Set that was migrated into GRC10 the activity values are single digits (1, 2, 5, etc.) whereas in the 5.3 System the activities are two digits (01, 02, 05, etc.). Since the values are maintained in SAP as double digits, could this be causing this? I would hope this is not the culprit, but I am unsure where else to turn.
    I will say for those risks that were returned in the results, the activities in those functions were single digits as well.

    Hi Penn,
    Can you check if your default SoD risk level is "Critical" and hence all the conflicts are not being thrown in 10.0
    There is an SAP Note 1632864 where you need to maintain parameter 1024 and set the default risk level to High. Since there is no option of All in 10.0 similar to 5.3
    Thanks and Best Regards,
    Srihari.K
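
One way to test the question's hypothesis about single-digit versus two-digit activity values, as an added example that is not part of the original thread: diff the permission rows of the two rule-set copies once literally and once with `ACTVT` values zero-padded. The row layout (function, action, object, field, value), the function IDs and all sample rows are constructed for this example.

```python
"""Separate zero-padding differences from real gaps between two rule-set copies."""

# Constructed rows as they might look on the 5.3 side (two-digit activities).
RULESET_OLD = [
    ("FN01", "FB60", "F_BKPF_BUK", "ACTVT", "01"),
    ("FN01", "FB60", "F_BKPF_BUK", "ACTVT", "02"),
    ("FN02", "F-44", "F_BKPF_BUK", "ACTVT", "02"),
    ("FN02", "F-44", "F_BKPF_KOA", "KOART", "K"),
]

# Constructed rows after migration: activities lost their leading zero,
# and one permission row did not arrive at all.
RULESET_NEW = [
    ("FN01", "FB60", "F_BKPF_BUK", "ACTVT", "1"),
    ("FN01", "FB60", "F_BKPF_BUK", "ACTVT", "2"),
    ("FN02", "F-44", "F_BKPF_KOA", "KOART", "K"),
]


def normalise(row):
    """Zero-pad numeric ACTVT values to two digits; leave other fields alone."""
    function, action, obj, field, value = row
    if field == "ACTVT" and value.isdigit():
        value = value.zfill(2)
    return (function, action, obj, field, value)


def compare(old_rows, new_rows):
    """Classify differences between the old and new permission rows.

    padding_only   - old rows with no literal match that match once normalised
    missing_in_new - old rows absent from the new set even after normalising
    extra_in_new   - new rows with no counterpart in the old set
    """
    old_norm = {normalise(r) for r in old_rows}
    new_norm = {normalise(r) for r in new_rows}
    literal_missing = set(old_rows) - set(new_rows)
    padding_only = {r for r in literal_missing if normalise(r) in new_norm}
    return {
        "padding_only": sorted(padding_only),
        "missing_in_new": sorted(old_norm - new_norm),
        "extra_in_new": sorted(new_norm - old_norm),
    }


if __name__ == "__main__":
    for category, rows in compare(RULESET_OLD, RULESET_NEW).items():
        print(category)
        for row in rows:
            print("   ", row)
```

If `missing_in_new` is empty and only `padding_only` has entries, the two copies differ in formatting alone and the cause of the missing violations lies elsewhere.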

  • How do i realise the most basic functionality with my zen tou

    I've been playing around with my zen touch for a couple of hours now and I have to admit I'm impressed. The zen has certainly opened my eyes and challenged my previous foolish preconceptions about portable mp3 players which should be open platform, plug-and-play, straightforward and easy to use, because my experience thus far has not been any of these.
    In an attempt to stop wasting any more my time I was just wondering if someone could quickly tell me how exactly do I manage the files which are already on my touch? A couple of things I would like to do:
    1. view and music files on my zen touch from some interface on my computer
    2. copy music files from my zen touch back on to my computer
    3. delete all music files without manually having to go through each and every album
    Now I've probably made another crass assumption that it is in fact possible to actually do this, but here's to hoping.
    Now, the manual says I can use the creative mediasource organizer to transfer music to my touch. And indeed, Creative MediaSource Player/Organizer 3.30.2 claims to be able to do just this (transfer music tracks to and from your Creative portable music player using Sync Manager and SmartFit*). My question is... how? I've run the organizer, it looks like yet another music library management tool, great except for the whole part about that mp3 player stuff. Is there a hidden setting somewhere only available to stonemasons that will let me access my mp3 player?
    I've also installed the Creative NOMAD Explorer (Version 3.0.0). Now, at least this works - in the same way a person in a coma can be said to live. When I open the 'music library' I get an empty explorer window so I can click and drag mp3 files into it and it copies them over. So, I guess I have some functionality, although it would be kind of nice to have some feedback about what files I have on there.
    Now as it's not april fools I'm not quite ready to accept that zen touch as the great big joke it appears to be, so if somebody could provide some insight I would really be grateful.
    edit: forgot to mention, running .0.03 firmware, and the model number on the back is DAP-HD004. Upgrading to the 2. firmware is unfortunately not an option at the moment.
    Message Edited by adante on 02-24-20060:7 PM

    Mosey: thank you for the information. Just out of curiosity, was I just not paying attention and was this made known somewhere? Or do creative just expect you to potter around endlessly installing software in the hopes that you might randomly stumble across the right configuration?
    Perhaps I am just crazy for assuming that if the latest firmware does not have a superseded message, it is still active and valid.
    Anyway, I'm happy to report that the situation has been resolved mostly to my satisfaction. I was able to fob off my zen touch to some other sod, and actually make a profit from it, no less! This was quite a pleasant surprise because I usually dispose of fecal matter by flushing it down the toilet (but then, I don't have to pay for it either).
    I have since purchased a noname mp3 player which, while having some pretty severe firmware, provides some great additional functionality which I have to admit I really like over the touch. Primarily, this was being able to copy mp3s to and from it* and hence use it as an mp3 player! I know this concept is a little radical, but I really think creative should look into it because it would really add some value to their current line of paperweights and doorsto
    ps.
    So thanks creative for that hilarious little experience. I have to admit, you guys certainly do manage to distinguish yourself from the field and push the limits of mp3 player technology. Where I used to think of a naively spectrum of good to bad, I have since extended this from the good, to the bad, to the creative.
    * This alone is a great feature I was never able to realise with my touch, and made even better by the fact I didn't have to install all sorts of half-baked software to achieve it!

  • AC 5.3 - Web Services as part of Function Groups for inclusion in RAR

    I need to be able to add webservices into my function groups to create risks  for AC 5.3 SP9.
    Is there any guide available on how to create rulesets that contain webservices and how to load the equivalent of the USOBT/SU24 and TSTC information for web services?
    Any help would be greatly appreciated.
    Regards
    Simon

    Simon,
    Can you please provide clarification on type of web services you are referring to? Are those hosted on SAP system or Non SAP system? How user access is restricted to web service?
    I believe you will have to load the web service authorization data as if it is for a Non-RTA system (using RAR data Extraction functionality).  As RAR SOD rule logic is based on the Risk -- Function -- Action -- Permission concept, you will have to represent webservices as dummy actions, add dummy permission if there are any further authorization restrictions on web services. Define and load dummy text and permissions (to replicate USOBT/SU24 and TSTC information).
    Define functions and risks based on dummy actions/permissions, generate rules. Refer latest AC configuration guide for Non-RTA system's data mapping templates which you will need to upload the authorization data
    Hope I understood your question correctly, let me know if u meant something else.
    Regards,
    Amol

  • SODA - Service Oriented Integration of Medical Devices in Hospitals

    In this thread I will write about my dissertation project. It addresses the problem of the integration of medical devices with their proprietary interfaces and data models into the existing hospitals' IT infrastructure.
    Interoperability is an almost non-existent feature of medical devices. The consequences of non-interoperable devices in hospitals are manifold. Medical data produced by devices cannot be directly integrated into hospital information systems for medical documentation. Thus, important data will be lost and examinations have to be repeated if required information is not available due to incomplete documentation. In addition, the documentation quality is affected by human errors due to manual nonelectronic steps and media discontinuities. Another example is maintenance. Medical devices have to be maintained at regular intervals. Thus, an inventory of all devices, their status and maintenance intervals is needed for generating a maintenance manual. Currently there is usually no possibility for automatically getting a detailed inventory of all medical devices in a hospital (or section of a hospital).
    The market size in conjunction with a multitude of companies and products (the DIMDI information system contains data about 60,000 medical devices) results in challenges concerning interoperability due to different proprietary hard- and software interfaces, data structures and semantical interpretations. Initiatives like IHE (Integrating the Healthcare Enterprise) are trying to push standardization in the medical sector. However – as mentioned above – the current situation is still unsatisfying and increasingly getting worse due to the continuously growing number of medical devices and associated interfaces.
    A promising approach for overcoming interoperability issues is the service oriented device integration, also known as SODA (Service Oriented Device Architecture). The basic concept is the encapsulation of devices as services, analogous to enterprise services in service oriented architectures (SOA). An enterprise service is a software component that offers a business functionality on a highly semantical level by specifying the interface in a standardized way (e.g. by the Webservice Description Language – WSDL). Highly semantical level especially means, that a service is self-descriptive in a way that it can be consumed dynamically and loosely coupled by other components with a consistent understanding of shared data. In the medical domain a device service for instance could offer functionality for measuring the current blood pressure of a patient. Based on such basic services more complex services (like a patient monitoring system) can be realized.
    The main advantage of the service oriented approach is that the manufacturer-specific device interface does not have to be known by the service consumer and by the programmer respectively, as it is encapsulated by a standardized service interface. This enables the extension of IT supported medical processes by devices, e.g. by using the Business Process Execution Language (BPEL). In addition new functionalities could be added to the device service that are logically related to the device but not offered by the device itself (e.g. tracking & tracing functionalities); so the device service can be considered as a virtual device. Therefore software maintenance will become easier, because the service interface remains unchanged in case of a device exchange or device interface changes. In my dissertation project I will explore the advantages and obstacles of the SODA concept in comparison to existing approaches for integrating medical devices in hospitals.
    The SODA approach is in accordance with the SAP Enterprise SOA (ESOA) strategy. For instance, the scope of the Healthcare Community Definition Group is to further enhance the Enterprise Services (ES) Bundles Patient Administration and Medical Activities, Patient Billing and Invoicing and to define a new ES Bundle on Medical Documentation. SODA projects define services for devices. These services can use or be combined with Enterprise Services, e.g., for Patient Administration. In the EU funded project SOCRADES, SAP Research explores the SODA approach in other domains, especially industrial automation.

    Hmm, perhaps your other discovery settings are configured that it'll get the OOB OU because your OOB OU is under some other OU that's configured to be discovered and you have the recursive and group settings turned on, CHECK this first.
    Remove the OOB from your discovery. For testing purposes, remove (delete) one or more machine objects from the ConfigMgr console, wait a while and then run the AD System Discovery again and check what object gets there. AD system discovery shouldn't look objects from other OUs than the ones you've specified in the discovery settings.
    I'm not that familiar with vPro, so the behavior you're seeing might well be the default, but I doubt that. Doesn't make sense that you control your computer objects.
    For more information you could also post adsysdis.log from the configmgr server.

  • GRC 10.0 Upgrade & Functionality - 4 Questions

    Hi Forum,
    We are currently evaluating upgrading to GRC 10.0 from 5.3 and also start using SPM. Currently, we only use RAR. Can you guys help me with following 4 questions?
    1. We have a number of different firefighter roles used by different teams and approved by different approvers. Can we have separate requester and approver lists for different firefighter accounts in GRC 10.0 SPM?
    2. Do we have to implement GRC 10.0 Portals for SPM approval workflow?
    3. We have license for all GRC modules. Does this also include Continuous Transaction Monitoring with Oversight or is a separate license required for this?
    4. Does GRC 10.0 support automatic archiving of AC-RAR SoD reports? - When I start a weekly background job, can it be automatically archived into an archive folder of my designation?
    Thanks so much for your input.
    Joerg

    hi Joerg
    1. Yes, you can have different approvers per firefighter ID and have the requestors assigned to different ones as well.
    2. You do not need to install portal but you will need to facilitate some access to the front end components through activating the NWBC Netweaver Business client or using a web browser to view the internet facing services in SICF.
    3. I don't believe that your GRC license automatically entitles you to the Oversight product suite as they are still separately marketed, however the GRC Process Controls and Risk Management modules can be included if you have a full enterprise GRC license from SAP.
    4. You could certainly manage to archive the reports using standard SAP ABAP functionality (SARA). However, if you mean the standard Batch risk Analysis, then I think you'll find that the offline content is overwritten with the latest and only the summary data is retained in the historical data tables for trend analysis. From an audit perspective, historical detailed data is not particularly useful since they are more interested in current exposure. Auto archiving of the SPM logs is available as standard.
    Regards,
    Simon

  • UIU object in GRC AC CC Functions

    hi to all, I am trying to create SOD rules in GRC AC for a cross system risk
    One function is in CRM and user access via UIU
    second function is in R3 ABAP
    For the first function I need to create a function that checks on not tcodes but objects as UIU does not use Tcodes.
    Is this possible, and if so, how?
    Thx in advance
    Denis

    I found a note with the help of a friend that explains how to do this:
    sap note 1223759
    Denis

  • SOD and Risks

    I was going through the SOD listed at http://www.*********************/sox_sod/sod_matrix.htm and I was wondering why the following are in conflicts:
    Conflicts by business process
    1) AP Invoice Verification and AP Payment Runs/ Clearing
    2) Customer Master and Sales Order
    3) Delivery Goods Issue and Cash Receipts/ AR Credit Memos
    4) Delivery Goods Issue and Customer Master
    5) Delivery Goods Issue and Sales Order
    6) Purchase Order and  Vendor
    7) Purchase Order and AP Invoice Verification
    8) Purchase Order and AP Payment Runs/ Clearing
    9) Purchase Order and Receiving
    10) Receiving and Inventory Adjustments
    11) Sales Order and Cash Receipts/ AR Credit Memos
    12) Vendor and AP Invoice Verification
    13) Vendor and AP Payment Runs/ Clearing
    I would like to understand the risks involve in the above conflicts and what the risk levels are for each one.
    Thanks in advance!
    Bliss

    I think you'd best talk to some functional people about this. I think I can see some danger in the process combinations you mention but the real risk depends on your company's processes and control measures.
    For instance:
    People who can edit customer masters and sales orders could easily set the customer delivery address to a fake one (their own for instance), create a sales order and set the address back to the original. If the changes on delivery addresses are monitored/logged this is not such a big risk.
    The same goes for a lot of items in your list. Basically you do not want transactional data and customer/vendor masterdata to be maintained by the same person. Just to avoid them changing masterdata, creating orders, accepting invoices and releasing payment runs after which they can change back the masterdata.

  • SOD Risk P003 and transaction F-44

    In the use of our version of SOD Rule P003, we are encountering SOD violations caused by access to F-44  from the AP01-AP Payment Processing functional group and various AP02-Process Vendor Invoice functional group transactions (such as F-42, FB60, FBVO and MR8M).
    Can someone explain the risk of having F-44 as well as Process Vendor Invoice transactions?
    We also need to mitigate this risk. Is there a standard SAP report which lists vendor invoices/items entered and cleared by the same person? Or can someone suggest an alternate monitoring report?
    Thanks.

    Laks,
    Thank you for the reply.
    Regarding F-44 specifically, I understand that it only allows you to clear items already existing in a single vendor's account that are equal in amount and would offset each other. The net impact to the vendor balance and to the financial statements appears to be $0.00. I believe the risk comes from having the ability to create a credit memo or something like it to offset a vendor invoice and F-44 would allow you to clear the credit memo against an invoice. I am not sure what the real risk is because the amount is still owed to the vendor who will still expect to be paid.
    Regarding the FBL1N report for cleared vendor items, is there a way to limit the report to the users who need to be mitigated by a control due to a F-44 SOD violation? When we run the report for our company which is global, the report is very lengthy and does not show the name of the user executing F-44 to clear the vendor balances?
    Thanks again for your help.
    John

  • Rule Upload : GRC10

    Hello Gurus,
    Would appreciate if anyone can let me know how to use the Upload SOD rules feature under SPRO>Access Control> Access Risk Analysis> SOD Rules> Upload SOD rules.
    Here I am asked to upload the files for Business Process, Function, Permission, Risk etc. but not sure where can I get the format for these files? I need to append few new functions and their corresponding risks into an existing ruleset.
    Many thanks in advance.

    Hello Vikas,
    Thanks, have dropped you a mail for the files. Though I am not very sure I need them or should I directly use the export functionality of my existing SAP GRC 5.3 ruleset.
    We have decided not to go for the Global Ruleset but use the custom one from GRC 5.3 (as we were using GRC 5.3 earlier) by importing the same. Thus I have the following questions on the ruleset Migration:
    1. How will I migrate existing Ruleset from 5.3 to 10.0 Development Box(using your files or I guess there is a functionality already in 5.3 to export the ruleset)? Can you please tell me how to Migrate this (which was actually my question)?
    2. How will then I be able to Migrate the ruleset from GRC 10.0 Development Box to GRC 10.0 Quality Box?
    Thanks.

  • Creating SOD matrix with the help of Access control default ruleset

    I am creating the SOD matrix for the existing roles of CRM and HR modules.  As I am the security consultant therefore does not have the functional knowledge about the conflicts for CRM and HR transactions. My question is can I use the function/actions/risks conflicts provided with the Access control 5.3 default ruleset.  We are not using Access control for these systems, so I want to know whether I can take the help of AC 5.3 default risks to create the SOD matrix based on it.
    For e.g, like H001 default HR risk, I would make sure not to assign PA30(maintain HR data) with the PA03/PA04(maintain personal control record) as this will result in the providing conflict "Modify payroll master data and then process payroll". 
    Once I have the SOD list based upon AC 5.3, I can consult the Business approver/auditor to verify and modify as per the business requirement.
    Maybe I am thinking the wrong way, please provide your inputs so I can work on it.  Any help appreciated.
    Thanks,
    Sanjay Desai

    The most important thing to keep in mind is that you need to build a rule set that reflects the customer's real business risk!
    What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
    You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
    But the real challenge is to identify the risks as perceived/accepted by the business!
    Frank.

  • Regarding Rules, Functions and Risks

    Hello,
    1. Does SAP provide a standard ruleset for SoD? Does it come with the AC 5.3 .SCA?
    2. What is the relation between Rules, Risks, Functions and Business Process?
    Thanks.

    Hi Gautam,
    Just to make it more explanatory, let's take a few examples for each entity:
    1. Business Process (BP):
    It can be a department, group or an independent functional unit in an organization. E.g Finance or HR or Material Management.
    2. Function:
    It can be a set of activities or say set of similar activities in a BP. E.g in SAP Security - SU01 and PFCG combination can be termed as a function - "User and role maintenance".
    3. Risk:
    It can be a combination of 2 or more functions which when given to a single user, can be harmful to the organization.
    4. Rule:
    It is generated from Risks automatically. E.g if A and B are 2 functions in a risk R, such that:
                       A has transactions X and Y and
                       B has transactions M and N
    so there can be multiple rules generated here for Risk R , with the combinations like X and M rule, X and N rule, Y and M rule, Y and N rule etc.
    5. Ruleset:
    As the name suggests, is a set of Rules, generated from Risks. Two Rulesets may contain same, similar or dissimilar risks, based on the landscape for which you want to use the ruleset. E.g you might have ruleset R1 having Risks 1 to N in your development system and you might have ruleset R 2 having Risks 1 to M in your Production system.
    Hope this makes it a bit clearer to you now. For more dependencies within these entities and how they behave with each other, I would suggest if you create each of them and then observe their linkages. The config guide from SAP would be more than enough for this purpose.
    Regards,
    Hersh.
    http://www.linkedin.com/in/hersh13
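
The rule generation described in the answer above, carried through to a user-level check, as an added example that is not part of the original thread. It uses the answer's letters (risk R, functions A and B, transactions X, Y, M, N); the roles, users and rule numbering are assumptions, and the check works at action level only, without permission values.

```python
"""Expand SoD risks into action-level rules and check users against them."""
from itertools import product

# From the post: function A holds X and Y, function B holds M and N,
# and risk R is the combination of A and B.
FUNCTIONS = {"A": {"X", "Y"}, "B": {"M", "N"}}
RISKS = {"R": ("A", "B")}

# Constructed role design: no single role holds both sides of risk R.
ROLES = {
    "ROLE_1": {"X"},
    "ROLE_2": {"M", "N"},
    "ROLE_3": {"Y", "Z"},  # Z belongs to no function
}
# Constructed user-to-role assignments.
USERS = {
    "ALICE": ["ROLE_1"],
    "BOB": ["ROLE_1", "ROLE_2"],
    "CAROL": ["ROLE_2", "ROLE_3"],
}


def generate_rules(risks, functions):
    """One rule per combination that takes one action from each function.

    Returns (rule_id, risk_id, actions) tuples; the numbering scheme
    risk id + 3-digit sequence is an assumption of this example.
    """
    rules = []
    for risk_id in sorted(risks):
        per_function = [sorted(functions[f]) for f in risks[risk_id]]
        for seq, combo in enumerate(product(*per_function), start=1):
            rules.append((f"{risk_id}{seq:03d}", risk_id, combo))
    return rules


def effective_actions(role_names, roles):
    """Union of the actions granted by all roles assigned to one user."""
    actions = set()
    for name in role_names:
        actions |= roles[name]
    return actions


def violations(actions, rules):
    """IDs of the rules whose actions are all contained in `actions`."""
    held = set(actions)
    return [rule_id for rule_id, _risk, combo in rules if held.issuperset(combo)]


def analyze(users, roles, rules):
    """Run the check per user (all roles combined) and per assigned role."""
    report = {}
    for user, role_names in users.items():
        report[user] = {
            "user_level": violations(effective_actions(role_names, roles), rules),
            "role_level": {r: violations(roles[r], rules) for r in role_names},
        }
    return report


if __name__ == "__main__":
    generated = generate_rules(RISKS, FUNCTIONS)
    for rule in generated:
        print(rule)
    for user, result in analyze(USERS, ROLES, generated).items():
        print(user, result)
```

Every role is clean on its own, yet BOB and CAROL each trigger two rules of risk R once their roles are combined, which is why the analysis has to run at user level as well as role level.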

  • GRC 10.1 - Routing at Request Submission in case of SOD violations

    I am trying to configure MSMP workflow or risks analysis while creating userid
    1. No Risks >> User created and access assigned automatically
    2. Risks found >> forward to security team to review and approve
    I have checked the standard functional module - GRAC_MSMP_DETOUR_SODVIOL cannot be used in AC 10.0. This can only be used as a Routing Rule after first stage approval and at subsequent stages as per Note - 1783157 - Routing at Request Submission in case of SOD violations
    Can anyone advise the standard SAP delivered rule / functional module we can use in GRC AC 10.1 to achieve the outcome at the time of request submission ??

    Hi Anil,
    You have to enable risk analysis at submission by setting parameter and then need to have a first stage as dummy where risk analysis result can be analysed and have a detour at this dummy stage so that in case of risk request is forwarded to next stage.
    Hope that helps..
    Regards
    Ashish
