Latest Rule Set Implementation

Hello ,
My client is asking us to implement latest rule set in our CC system , could someone tell me , is there any guide on how to do it , I already read note : 1326497 , I want the procedure like step by step implementation of this or else steps and tentative time lines involved in this procedure.
Thanks
Srikanth

Hello Srikanth,
I assume you would be having a customisd rule set at your client place (which can be a subset or a superset of Standard rule set from SAP). Thus, what you need to look in for in the new Rule set is that how many of these rules are actually applicable for your implementation. There might be N number of rules in the new rule sets but the rules that might be applicable to you might be very less. In this casde you need to sit with your Controls team and find out the applicable ones. This is because if you import the new rule-set as a whole you might loose your current rules, as it will just over-write the old rule set..
Once these are identified you may import these into your Rule-set. The details for how to accomplish this is stated step by step in the USer guide and would not be a problem if you follow that carefully.
Regards,
Hersh.

Similar Messages

Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA

Issue Summary
In Java 1.7 Update 71, Java 1.7 Update 72 and Java 1.8 Update 25 Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA. We've noticed this with Oracle Forms and Reports 11g where we have forms that specify Java 1.6 Update 20. We used to be able to specify Java 1.6 Update 26 in our Ruleset, but now the only version a that works in our ruleset is Java 1.6 Update 20 which is the same version requested by the JPI-Version attribute of the jar. The long term solution would be to upgrade Oracle Forms and Reports, however this isn't currently in the cards.
RuleSet.xml Test
Ruleset.xml
1
2
3
4
5
6
7
8
9
10
11
<ruleset version="1.0+">
<rule>
   <id location="*.javatester.org" />
   <action permission="run" version="1.6*" />
</rule>
<ruleset version="1.0+">
<rule>
   <id location="*.internaldomain.name" />
   <action permission="run" version="1.6*" />
</rule>
</ruleset>
Test 1 (Control)
Installed Java Versions:
– 1.7 Update 51 b13 (both x86 and x64 however x86 is invoked)
– 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
Deployment Ruleset works as expected for both URLs
Test 2
Installed Java Versions:
– 1.7 Update 72 (both x86 and x64 however x86 is invoked)
– 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
The RuleSet works for JavaTester.org however on internaldomain.name we get the following error:
With the trace logging turned on, I suspected the version attribute supplied by the RIA. I was able to trick Java by adding the following to my system deployment.properties file:
deployment.javaws.jre.0.product=1.6.0_20
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.0.enabled=true
Because the RIA requests 1.6.0_20 it matches 1.6* from the deployment ruleset sooner than 1.6.0_26. However, if 1.6.0_20 is not available 1.6.0_26 should match according to the Deployment Rule Set documentation:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
The version of the JRE that is used is determined by the following order of precedence:
1. The current version of the JRE is used if it is available and matches both the version attribute and the version requested by the RIA.
2. The latest available version of the JRE is used if it matches both the version attribute and the version requested by the RIA.
3. The current version of the JRE is used if it is available and matches the version attribute.
4. The latest available version of the JRE is used if it matches the version attribute.
If no version is available that meets the criteria, then the RIA is blocked, and a message is shown to the user. To provide a custom message, include the message element.
As a result:
If Java 1.6.0_20 is listed in the version requested by the RIA and 1.6.0_20 is listed in the deployment.properties file, #1 matches.
If Java 1.6.0_20 is listed in the version requested by the RIA, but 1.6.0_20 is NOT listed in the deployment.properties file the #1 SHOULD match, but doesn’t. It used to match up-to and including JRE 1.7 Update 51 however the ruleset appears to no longer match in subsequent versions.
#2 should never match with our current Deployment Ruleset. It would match if we specified 1.7* as a version in the Ruleset.xml.
#3 used to be broken as well after JRE 1.7 Update 51 however this bug has been marked as fixed. See: http://bugs.java.com/view_bug.do?bug_id=8032781
I have reproduced this issue with Java 1.7 Update 71, Java 1.7 Update 72, and Java 1.8 Update 25 when one of these versions are installed with Java 1.6 Update 26.

I can't seem to edit this post anymore, for some odd reason.
So here goes;
I found this post in NVIDIA's knowledge base;
When installing an after-market graphics card into a certified Windows 8 PC with UEFI enabled, the s...
The interesting parts in this post are as follows;
When an after-market graphics card is installed into a motherboard with UEFI enabled in the system BIOS, or if the system is a certified Windows 8 PC with Secure Boot enabled, the system may not boot.
UEFI is a new system BIOS feature that is provided on most new motherboards. A UEFI system BIOS is required in order for the Windows 8 Secure Boot feature to work. Secure boot is enabled by default on certified Windows 8 PCs.
In order to get the PC to boot with a graphics card that does not contain UEFI firmware, the end-user must first disable the secure boot feature in the system's SBIOS before installing the graphics card.
Note: Some system SBIOS's incorporate a feature called compatibility boot. These systems will detect a non-UEFI-enabled firmware VBIOS and allow the user to disable secure boot and then proceed with a compatibility boot. If the system contains a system SBIOS the supports compatibility boot, the user will need to disable secure boot when asked during boot process
This leads me to believe that the BIOS update that wrecked my setup was 9SKT58A/9SJT58A, which only contains one change;
"Adds support for updating BIOS from a WIN7 BIOS to a WIN8 BIOS".
I've just ordered a cheap UEFI-compatible GT640 from Gainward, so I hope I'll be able to try that out this weekend.

Do you trust the SAP standard rule set ?

Hello all,
I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
1. what is your SAP release ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point.
So, the best practice is :
a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu. But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA. The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA. That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
Success !
Sam

Sam and everyone,
Sam brings up some good points on the delivered ruleset. Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point. This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks. I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
I'll try to address each area that Sam brings up:
1. Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific. We therefore provide rules with the lowest common denominator when it comes to auth object settings.
The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
The underlying assumption is that we want to ensure the rules do not have any false negatives. This means that we purposely activate the fewest auth objects required in order to execute the transaction.
If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
2. For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone. This is why we deliver only the core auth objects in our rules and not all. A example is ME21N.
If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain. However, in the rules we only enable one of the object, M_BEST_BSA. This is to prevent false negatives.
3. Sam is absolutely right that the delivered auth object settings for FB01 have a mistake. The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK. This was a manual error on my part. I've added this to a listing to correct in future versions of the rules.
4. Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed. See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
1083611 Compliance Calibrator Rule Update Q3 2007
1061380 Compliance Calibrator Rule Update Q2 2006
1035070 Compliance Calibrator Rule Update Q1 2007
1173980 Risk Analysis and Remediation Rule Update Q2 2008
5. SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved. See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008. A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
6. Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
https://www.sdn.sap.com/irj/sdn/bpx-grc
Under Key Topics - Access Control; choose document below:
    o GRC Access Control - Access Risk Management Guide   (PDF 268 KB)
The access risk management guide helps you set up and implement risk
identification and remediation with GRC Access Control.

Best practice for the Update of SAP GRC CC Rule Set

Hi GRC experts,
We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
Which is a best practice for accomplish our goal?
Many thanks in advance. Best regards,
Imanol

Hi Simon and Amir
My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
Connie

Reading rule sets from an XML file

Hi all,
How can I read rule sets from an XML file? I have been given some rules in XML
format and using those I have to query some content. I am using WLP4.0
Also how can I code rules in java?
Thanks in advance.

You can have the following classes:
Players class deriving from Vector (or containing a vector), and then
Player class with attribute 'name'.
class Players
           Vector myVector = new Vector();
            void addPlayer(Player p)
                  myVector.add(p);
            Player getPlayer(int index)
                  myVector.get(index);
class Player
         private String myName = null;
         Player(String name)
                this.myName = name;
         String getName()
                return myName;
}Then while handling the SAX events you can do the following:
class MySAXHandler implements ContentHandler (or whatever the itnerface is)
             public void startElement(String name,....)
                      Players p = null;
                      if(name.equals("Players"))
                             p = new Players();
                     else if (name.equals("Name"))
                            p.add(new Player(value));
}HTH,
Kalyan.

Business rules to implement - BEST way - triggers and mutating table

I have the following table where it has Foreign Key defined on itself(self reference for parent_id column which can be null or valid site_id)
create table test_virtual_site
site_id number CONSTRAINT site_id_pk primary key,
parent_id number CONSTRAINT parent_site_id_unq UNIQUE ,
closed_date date default NULL ,
CONSTRAINT check_self_ref CHECK(parent_site_id <> site_id), --avoid self refernce
CONSTRAINT check_valid_site foreign key(parent_site_id) references test_virtual_site(site_id)
I have the following business rules to implement and my problem is related to their implementation
1)     A check should be made that Site_id specified as parent_id should not be a child of any other store (parent should have its parent_id column as NULL)
Site_id Parent_id
1
2 1
3 2 =>NOT VALID 2 is a child of another store
2)     Parent is not closed
Site_id Parent_id Closed_date
1 10-May-2005
3     1 =>NOT VALID 1 is a closed
3)
when parent store is closed - updated so at closed_date is not null
Want to set the parent_id as NULL for the child store.
OR
SET the closed_date for child store too same as the parent_store.
Example
Site_id Parent_id Closed_date
1
1 2
Update test_virtual_site
SET closed_date = sysdate
Where site_id = 1 ;
Through Trigger
Site_id Parent_id Closed_date
1     22-Mar-06
1 2 22-Mar-06
OR
Site_id Parent_id Closed_date
1     22-Mar-06
1
When I am trying to do the above mentioned through constraints I am running into mutating trigger problem. Can you please guide me what is the best way to handle the above-mentioned scenarios.
I am aware that I can avoid the 3rd problem using the following
-- - Initialize an array in the before statement trigger.
-- - Add the processed rowid to the array in the after row
-- trigger.
-- - In the after statement trigger: get each rowid from the
-- array and process it. When all rowids are processed, clear
-- the array.
BUT for 1 and 2 I need to look at the parent specified , the parent exists in the same table BUT I can not perform the lookup from the BEFORE INSERT ROW LEVEL trigger but I want to ensure at the row level , so if the parent store is closed or parent specifed itself is a child(not permissible) I want to rollback the insert RAISE_APPLICATION_ERROR.
Can you please guide me what is the best way to handle the above mentioned conditions .

I have the following table where it has Foreign Key defined on itself(self reference for parent_id column which can be null or valid site_id)
create table test_virtual_site
site_id number CONSTRAINT site_id_pk primary key,
parent_id number CONSTRAINT parent_site_id_unq UNIQUE ,
closed_date date default NULL ,
CONSTRAINT check_self_ref CHECK(parent_site_id <> site_id), --avoid self refernce
CONSTRAINT check_valid_site foreign key(parent_site_id) references test_virtual_site(site_id)
I have the following business rules to implement and my problem is related to their implementation
1)     A check should be made that Site_id specified as parent_id should not be a child of any other store (parent should have its parent_id column as NULL)
Site_id Parent_id
1
2 1
3 2 =>NOT VALID 2 is a child of another store
2)     Parent is not closed
Site_id Parent_id Closed_date
1 10-May-2005
3     1 =>NOT VALID 1 is a closed
3)
when parent store is closed - updated so at closed_date is not null
Want to set the parent_id as NULL for the child store.
OR
SET the closed_date for child store too same as the parent_store.
Example
Site_id Parent_id Closed_date
1
1 2
Update test_virtual_site
SET closed_date = sysdate
Where site_id = 1 ;
Through Trigger
Site_id Parent_id Closed_date
1     22-Mar-06
1 2 22-Mar-06
OR
Site_id Parent_id Closed_date
1     22-Mar-06
1
When I am trying to do the above mentioned through constraints I am running into mutating trigger problem. Can you please guide me what is the best way to handle the above-mentioned scenarios.
I am aware that I can avoid the 3rd problem using the following
-- - Initialize an array in the before statement trigger.
-- - Add the processed rowid to the array in the after row
-- trigger.
-- - In the after statement trigger: get each rowid from the
-- array and process it. When all rowids are processed, clear
-- the array.
BUT for 1 and 2 I need to look at the parent specified , the parent exists in the same table BUT I can not perform the lookup from the BEFORE INSERT ROW LEVEL trigger but I want to ensure at the row level , so if the parent store is closed or parent specifed itself is a child(not permissible) I want to rollback the insert RAISE_APPLICATION_ERROR.
Can you please guide me what is the best way to handle the above mentioned conditions .

Need information on the new RAR Rule Architect/Rule Set functions

Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
My 5.3 Config manual mentions this area but doesn't describe anything about it. I have a request from our user group and need to determine if this can fit that request.
What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe). Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that. Load the new SAP one into RAR as a separate ruleset and then run this Compare function. However I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
Thanks.

Hi,
the error 'NullPointerException ' is very common error in GRC.
kindly search, you will find lots of threads and notes on thi.
check you permission TXT file. It contain null value some where.
especially check SD01 & SD02 tcodes.
Also open permission file in word and check all TAB's and ENTER's in technical view.
Regards,
Surpreet

Deployment Rule Set broken with Java 7u55

Hello!
I'm using Deployment Rule Set in my company environment, its signed by code signing certificate that is given out by internal CA. After I upgraded to Java 7u55, the Deployment Rule Set does not recognize older statically installed Java version.
Versions I have:
7u45 - install directory: C:\Program Files\Java\jre1.7.0_45
7u51 - install directory: C:\Program Files\Java\jre1.7.0_51
7u55 - install directory: C:\Program Files\Java\jre1.7.0_55 or C:\Program Files\Java\jre7\ - neither does not work
When I go to site described in Ruleset and that has to use Java 7u45, then I receive an message "Deployment Rule Set required Java version 1.7.0_45 not available. In the same way it doesn't recognize 1.7.0.51 or even Java version 6.
When I uninstall Java 7u55, everthing works fine again.
My ruleset looks like this:
<ruleset version="1.0+">
     <rule>
          <id location="first.site.com" />
          <action permission="run" version="1.7.0_45" />
     </rule>
     <rule>
          <id location="second.site.com" />
          <action permission="run" version="1.7.0_51" />
     </rule>
     <rule
          <id />
          <action permission="default" />
     </rule>
</ruleset>
Anyone knows what's wrong or is it a bug?

costlow - I disagree. If I'm using IE, then I only need the internal certficate used to sign the jar to be also insalled on the machine in question in the windows CA Certs store. If the cert was the issue, why does it work with 7u51. If it was a bad cert, it should fail with every version. Plus, I think the pop up has a different error message if it has a cert issue.
I'm having the exact same issue as the OP described and it all started with 7u55. Here's what I've found:
- With 7u55 or 7u60 installed, the error will come up rergardless of what prior version is being requested.
- If 7u51 is the latest installed, it works
- If 8u05 is installed with 7u55 and/or 7u60, it works
- If I install the 7u60 EA b15, it works
Something in the final release is being added that blocks this functionality, but for some odd reason only in the 7 family starting with 7u55.
Any insight you could give would be very helpful. In the meantime, I am deploying 8u05 to cover this up, but it does pose issues for some apps that don't work with the new 8 family plugin.

Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please consider it urgent.

Hi,
Assign ECC connector to SAP_ECCS_LG group.
Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help. I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
Regards,
Vivek

CC / RAR Rule Set Build

We had a rule set built in Compliance Calibrator 5.2 by a vendor during implementation. We have over 700 rules and now know that there are too many rules in our rule set.
Can any of you tell me the best way to build a rule set? How many rules do most people have in their rule set? Is there a best practice out there somewhere to do this?

Hi Greg,
You will have to understand relationship between rule, risk, business process, function, transaction and permission to build a rule from scratch. If you need to build one or two rules, you can just go through CC and do it. If you want to build large set of rules then you will have to create text files for risks, functions, rules etc. I will recommend you go through the config guide for CC 5.2 or 5.3 and see how rules are being built.
There is no straight answer on the number of rules. The number rules you need will depend on industry, company size, location, rules and regulations to follow, company structure etc. Best practice rules come with the installation and you can always get them from SAP. Best practice ruleset contains around 40,000 action and permission rules.
Regards,
Alpesh
SAP GRC Manager (PwC)

Non existing value EC for M_BEST_BSA / BSART used in rule set

Hello,
while implementing the 2010 rule set updates into our system, we realized that there is a value used that is not existing in the system.
It is for object M_BEST_BSA, field BSART. The value is EC.
In the rule update document from Q2 2010, there is the following comment:
5. PR02 u2013 Maintain Purchase Order u2013 Upon review of this function with the rules mini-council, the decision was made to remove document type from the rules. Previously, we delivered document types EC, FO and NB with our rules. However, the majority of customers create custom document types for purchasing. Many customers did not customize the rules, which results in only those users that had the standard EC, FO and NB document types being reported as having a risk. Users who had the custom document types would not be reported, which results in false negative reporting. Therefore, the decision was made to remove document type from our delivered rules. This will force each customer to review their document types and edit this function to include all relevant document types so all users who have a risk are shown.
However the value is still enabled in function PR04, even though it is not a valid value for field BSART. It is not existin in table T161, which holds the PO document types. It does not seem to exist since at least release 4.6C
The value is inherited from the transactions ME28 and ME29N
Does anyone know what it is about and why the value still is considered a standard value?
I know this does not give me false conflicts, as the BSART values are used in condition OR.
Why is the value not just removed, if it is not a valid value at all?
edit:
Sorry, forgot to mention, we use CC4.0 in an ECC6.0 system
end of edit:
Regards,
Thomas Schaeflein
IBM
Edited by: Thomas Schaeflein on Jan 26, 2011 4:14 PM

Start by saying bump.
I've still no word from Adobe if they are doing anything with
this problem. Any one had any replys from Adobe on it? Any one
found a work around with recoding queries?

Rule set Version

Hi ,
How to find out , rules set version a particular RAR( CC) system have , If a logged into RAR( Or CC) of some one else system,
To be specific I wanted to know which Rule Set Version?( Rules) they are using (Like Q1 2007 , Q3 2007, Q2 2008 or Q2 2009 Rule Update etc) irrespective of application version they are using ( Like 5.1 ,5.2 or 5.3 ) .
Thanks & Regards
Uma Shankar T

Hi Uma,
The ruleset versions are normally shipped as part of support packs.
However, you would only normally implement the ruleset version when doing a clean implementation as uploading a completely new version could overwrite any changes which you have made for your own organisation.
I do not know of any technical settings to identify exactly which version was uploaded into the system as the ruleset is shipped as a data file.
You can track the released versions via the SAP Notes though.
Simon

Deployment Rule Set Centrally Managed location of .jar file?

Hello,
We are currently looking at implementing the Deployment Rule Set in our company and I was wondering if there is a way to centrally manage the Deployment Rule Set?
Having to keep up with deploying the jar file for every change and expiring certificates isn't ideal
Thanks!

And your OS doesn't have a file search feature, which might have given you the answer faster than waiting for a response on these columns?
db

Rule set Updates

We started with Virsa CC 5.1 in 2006 now we are using CC 5.2
If I go to the SAP Note 1173980 u2013 Q2 2008. Do I find all the Rule
Updates from 2006 to 2008 or we need to implement all the below Virsa
Rule updates.
1061380 u2013 Q2 2006
1035070 u2013 Q1 2007
1083611 u2013 Q3 2007
1173980 u2013 Q2 2008

HI:
You need to review each set of updates, and determine if they are applicable for your system. Each subsequent rule set update issued does NOT include previous entries.
It is up to each client to customize entries in the updates per their own requirements, but just taking the last one, means that you may miss some of the important updates in previous updates.
Margaret

Rule set import - Background job did not run

Hi,
I am setting up my CC 5.2 production system. I have downloaded from ruleset from the dev CC and imported it into production. However the background job generated did not run. I am implementing SAP note 999785 to fix this, but am wondering what should I do about the rule set? Do I need to delete the rule set and reimport it? As this background job did not run I notice that the permission rules did not generate.
Any advice is welcome.
Thanks

Hi,
as the backgorund job never ran and no rules were created, I can just reimport the ruleset and let the job run. I have tried this and the rules were created successfully

Latest Rule Set Implementation

Similar Messages

Maybe you are looking for