Logical Groups in GRC-AC

Dear Experts,
We are using business role concept.Only business roles are assigned and not technical roles.
Requirement is To assign business role from GRC Prod system to ECC DEV and ECC QA also apart from ECC Prod.
To do so we have a logical group SAP_R3_LG mapped to ECC Prod for all action 1,2,3 and 4. Do I need to create other 2 logical groups mapped to ECC DEV and QA respectively.
Also I believe we need to create different business role name for QA and DEV system .
Appreciate your thoughts on this...
Thanks,
Mamoon

Hi Mamoon,
First of all, you need to create unique connector groups per each connectors in order to create/maintain the roles in the backend systems. Then you need to map the connector in the corresponding connector groups.
In BRM, you can have only one system as default connector and this would not let you to maintain the roles in case you have to use multiple connectors for role maintenance.
Make sure to define the integration scenarios for each connectors individually.
Hope this would help.
Regards,
Ameet

Similar Messages

Creation of logic group - any limitation for the Criteria Value Field?

I am trying to create simple logic groups in FDM (version 11.1.1.3 and 11.1.2.1). However, an error message displayed in the information bar.
Error: Error adding new record.
Detail: Data access error.
I clicked the "Add" button and created a logic group which contains *1,520* non-sequential source accounts in the Criteria Value Field (with In operator).
I have separated these source accounts with a comma and no spaces in between them. (Note: Operator = x, Value/Exp = 1, Seq = 0) I updated the grid. Then, the error message was displayed and the logic group creation was failed.
And then, I created a new logic group which contains only *100* non-sequential source accounts in the Criteria Value Field (with In operator).
I also separated them with a comma, no spaces and same setting. I updated the grid. And the logic group was added successfully.
Each source account contains 10 characters (alphabet and/or number).
I want to ask:
1. Is there any limitation in specifying source accounts (i.e.. no more than certain number of source accounts for each logic group) in the Criteria Value Field when creating simple logic group?
2. I am adding these logic groups by clicking the "Add" button one by one, is there faster way to do it (i.e.. upload an excel or csv file or source accounts specified)?
Thank you very much!

Thank you Expert for your reply!
I would like to ask about loading the Logic Accounts with the template.
As instructed, I exported the excel out for the template format and updated the template with new Logic Accounts. Then, I imported the excel file in the "Import XLS" section under Tools. The excel file was uploaded successfully. (Note: I am using excel 2010 and saved it as .xls file)
However, there is no changes in the Logic Accounts and seem no updates was made.
I want to ask:
1. Did I import the excel at the right location (i.e. "Import XLS" section under Tools)?
2. Is there anything else I need to do after the file has been imported (i.e. delete the existing logic accounts or click another button(?) for this change) so the new list of logic accounts would become effective?
I would like to use excel to maintain my list of logic accounts for better control in the future.
Thanks in advance!

Non-system wide DNS Lookups on RBL (i.e. logical groups supported)

Sun Java System Messaging Server documetation seems to state that RBL filtering can only exist in one of three files that are used for filtering based off of inbound connection IP address. My question is, can conditional execution occur for a section of one of these files based of destination e-mail address?
I'd like to have multipule levels of e-mail filtering using RBL and allow users to be assinged to the level of filtering they desire by joining a logical group which will enable a level of RBL filtering for that logical group.
Any help is greatly appreciated, as far as I can see, I can only have one system wide filtering set, so I can't possibly have one set of e-mail ids using 10 RBL (remote black lists) and another group e-mail ids using a smaller set of RBLs.
======= From the documentation =======
MAIL_ACCESS : Used to block incoming connections based on combined information found in SEND_ACCESS and PORT_ACCESS tables: that is, the channel and address information found in SEND_ACCESS combined with the IP address and port number information found in PORT_ACCESS.
ORIG_MAIL_ACCESS : Used to block incoming connections based on combined information found in ORIG_SEND_ACCESS and PORT_ACCESS tables: that is, the channel and address information found in ORIG_SEND_ACCESS combined with the IP address and port number information found in PORT_ACCESS.
PORT_ACCESS : Used to block incoming connections based on IP number.
====================================

Alas, the RBL stuff is done before iMS even knows who the message is addressd to. That stuff is done at the initial connection phase, as our philosophy is to reject a message just as soon as possible . . .
After the message is accepted, then you can opt-in/out for things like spamassassin, brightmail, etc.

Logical grouping of dimensions

Hi,
What is criteria to enter dimension into the cube and what does mean by logical grouping of dimensions
Thanks in advance
krish

Hi,
While designing the dimensions, you must ask to yourself that "What will be the size of dimension table if I add this characteristic to this dimension?".The smaller ratio of size of dimension table/ fact table means better performance.For this ratio, 20% is dangerous and 10% is preffered.
If the characteristics included in one dimension have mxn relationship, then your dimension table will be too big(specially if those charactersitics are already big) and performance will be decreased.Therefore, 2 characteristics that have mxn relationship(e.g sales document and sales document item) must be in seperate dimensions i.e two characteristics that have nx1 relationship(e.g material and material group) may be put into one dimension(Not logically related(groupped) characteristics, this is not a criteria)Two characteristics that have nx1 relationship in one dimension will add only m+n rows to dimension table instead of mxn.To sum up, you must create the dimensions by considering the relationships of characteristics that will be included in the cube.I propose you to activate some SAP cubes(e.g 0FIAR_C03) from BI content to view their dimensions.You can see the logic there.
You can see the size of dimension table and fact table by executing the program SAP_INFOCUBE_DESIGNS in se38.
Useful threads:
Regards,
Güneş

Logical Grouping of ProfitCenter/CostCenter Records

Hi,
I have this scenario where in I got a set of records in the cube which consists ProfitCenter/Cost Center combinations.
ProfitCenter is a Hierarchy.
Now I need to create a set of logical groups (called Divisions) from these set of combinations.
Client had asked us to hardcode this.
Is this the only viable solution?
I can send the sample file (which represents the ProfitCenter/CostCenter combination) if someone needs more clarity.
Thanks,
Manesh

Hi Manesh,
You can always create the logical grouping for Divisions in BW in a hierarchical format. But when the structure changes you would have to manually update the same every time.
If the hierarchy were maintained in a source system like R/3 it would always be possible to extract the latest version, reducing manual intervention. I would say a preferable way.
But you would need to check whether the standard datasource for Profit center hierarchy in R/3 supports
cost center assignment also. If not then creating the same in BW seems to be the only option I can think of.
Hope it helps.

Exporting and Importing Logic groups

Hello, I am creating a logic group that is quite long in my UAT application, but once it works properly I need to have it aslo in my Production application, However I don't fancy recreating the 95 lines of complex logic.
Is there a way to export the Logic group from the UAT and import them in the Prod ?
Many thanks foryour ideas
Lionel

There is an Export/Import command in the File menu. I have only used it for the entire app, but there is probably a way to just do pieces.

Simple logic group to operate prior to custom import script?

Hi all,
Thanks for taking the time to read my question. I will gladly mark this thread as helpful or answered if you can help me. I'm a novice at FDM so please bear with.
I have a custom import script that assigns ICP None to a specific account (overriding any ICP detail). However, now I need the ICP detail for that account in a second statistical account. I setup a simple logic group to create the logic account that I can map to the statistical but then realized that the import script runs prior to the logic group so I lose all ICP detail in the logic account as well.
Is there a way to run the logic group prior to import script or is there a better way to accomplish what I'm trying to do?
I'm not sure how critical this is but I'm using FDM v11.1.1.3.01 adapter 11x-G5-C
Edited by: user4591089 on Aug 17, 2011 2:10 PM
Edited by: user4591089 on Aug 17, 2011 2:50 PM

Do the following:
1) Remove the custom import script.
2) Create a complex logic account and override the ICP dimension in the Group By Column with the Value [ICP None]. This will then be what is diplayed on the import screen for this logic account.
3) Map the original source as the statistical account and the logic account as appropriate
Edited by: SH on Aug 18, 2011 9:48 AM

Custom User Groups in GRC Access Control Risk and Remediation 5.3

Hi all,
Does anyone know how I can mass upload assignments of users to custom user groups in R&R?
We have a requirement to group users in a different way to the SAP user groups so I wanted to create new 'custom' user groups in R&R and allocate specific users. We're talking about 3000 users so I can't do it manually.
Regards
Amir

Hi Amir,
I don't think there is direct way to do this. You might be able to pull this off by going through the back-door (database update). Talk to SAP support about this and they should be able to provide you with the tablenames which gets affected by users and user groups upload.
Regards,
Alpesh

Need ability to group forums into logical groups as a user.

As heavy reader & contributor of the CRM forums, there are getting to be so many forums it is difficult to look through and assist on so many column headings. Plus I believe the more novice users frequently submit their question in the wrong forum.
I would love to group (Personalize) these topics to see all new post or limit my searches to these forums. It is still o.k. if I post a question to where it has to be in a specific forum.
Customer Relationship Management (CRM) - General & Framework
CRM Webclient UI
CRM Web Channel E-Commerce, E-Marketing & E-Service
CRM 7.0
CRM - Interaction Center
CRM Sales

Hi Faisal,
Thank you very much for your prompt reply. With your suggestion, I do figure out where my problem is. I did set the control flag in my ldapAuthenticator "OPTIONAL". However, it appears that the DefaultAuthenticator is given as "REQUIRED" by default.
Once I changed it to be "OPTIONAL", it works.
Thanks again.
John

Condition Definition Logic group/alone

Hi All,
can some one help me to understand the logic for condition definition within one query .........
1 - one condition with different parameter........
Exmp...
Within one condition 1
Parameter 1 -- Amount <
                2 -- balance =>
2 - two different condition......
Exmp ..
   condition 1 -- amount <
                 2 -- balance =>
Regards
SSMS
Edited by: SSMS on Nov 20, 2008 5:24 PM

SAP's detailed explanation on Conditions -
http://help.sap.com/saphelp_nw04s/helpdata/en/43/b57138c1afbd20e10000009b38f889/content.htm
Abhijit

GRC 10.0 SP14 - Poblems when generating rules for logical systems

Hello Experts!
We recently updated a DEV system to SP14 and we're having issues regarding the rule set generation. I'd like to know if you have faced a similar problem after installing SP14. The details are described below:
Create a test function ZTEST_F1
The action PFCG is associated to a Physical System (Test Connector SP14) and to a Logical System (Sistema Logico Retail)
The logical system contains D05 among other connectors:
And it’s defined as a logical group:
The connector “test connector Sp14” points to the same system as D05.
Now I create another function, let’s say ZTEST_F2
Now let’s define a SoD Risk ZTSTSP14
Generate rules and after that we check GRACSYSRULE table for such risk and we get:
Let’s add more transactions:
Generate rules:
Now in the table we get:
The logical system has been added to the GRACSYSRULE table for the new combination and also the physical system TST_D05, but there's no combinations for the system D05 for example.
Now if we run SoD analysis:
We have four combinations for the physical system TST_D05 but only two for D05 that belongs to the logical system:
Do you have any clue? have you faced a similar problem?
Thanks in advance.
Cheers,
Diego.

Hello Collen!
First of all I want to thank you because after aplying the note the rules generated fine and now the Risk Analysis is OK for the example described above:
I've also tested with a huge number of risks and made a comparison between the results of the Physical conector and the Connector that belongs to a logical group and I got the same results as action level as well as Permission Level as expected.
Regarding the note itself, we usually check for notes and we have implemented many notes in advance related to rule generation issues.
The point is that, as my point of view is just not acceptable to get a new SP with this kind of issue. Rule generation is a core functionality and SAP must test such functionalities before releasing a SP and these checks cannot rely on the customer. For me, rule generation issues in GRC are just unnaceptable. I can accept issues with other modules or new functionalities, but with role generation they must guarantee that it works properly and perform the requiered tests before releasing an SP.
Well... bottom line the issue has been resolved and I really appreciate the help you provided!!!!
Many Thanks!!!
Diego.

Logical Systems vs Cross Systems

Dear all,
I have two physical SAP ERP systems grouped under one logical system.
Now I want to connect to a third SAP ERP system in order to execute Cross System analysis between the systems under the logical system and the new third system.
I understand that I cannot do a Cross System RA on systems of the same logical system so that´s the reason why I need to set up the third system as a single new ERP system.
Anyhow the new ERP system should use the same rule set than the two systems of the logical system.
So I´d just like to set up the new system connector for the GRC 5.3 but I do not want to load the same rules again for the new ERP system, etc.
Is this possible? I tried to create a new logical system containing the new ERP system and regenerate the rules for the logical systems. But after that no simple RA is possible for the new ERP system.
Thanks for any advice and regards,
Markus Richter

Hello Markus,
Yes, you are right that you can not include the third system in the same logical group if you wish to use it for cross-system analysis. If you choose to have this as a stand alone system in RAR then first you will have to upload the rules for this stand alone system in RAR. The rules loaded for logical system will not work for this system as it is not part of the logical system group.
Regards, Varun

GRC AC 10 - risk analysis : No rules were selected

Hi,
In GRC AC 10, when I do a risk analysis (user level for example).
For each userid the result shown in the column action is "No rules were selected "
any idea ?
Thanks
Aurélien.

Hi Vikas,
Further to your comment above, I would like to point you to my thread here and specifically ask you about the following statement:...
3. Open your GRC functions and make sure you have correct back end system updated for them. Check the status of all your GRC functions and make sure they all are active.
I opened up the Functions from NWBC and realized that all the systems for each function were as follows:
1. SAP Basis
2. SAP CRM
3. SAP ECCS
4. SAP HR
5. SAP R3 NON HR Basis Logical Group
6. SAP R3
7. Logical Group
AND ALSO
8. The DESCRIPTION of my RFC Connector ?!
Now my question is as follows:
1. Where in the Pre/Post/GRC300 documents does it say that one must configure each function with the backend system as you state above....should the configurations Connector/Connector/etc etc already mapped the functions to the backend system ?
2. Also Why is the description of my RFC Connector available as a drop down menu from " System" tab on the function edit mode - see attached screenshot.
Your advice would be appreciated.
Best regards,
Paul

GRC AC 10.1 - Risk Analysis: No rules were selected

Hi All,
I'm currently configuring the ARA module in GRC AC 10.1, and an facing this issue. When I run my User Analysis, its throwing an error message "No rules were selected'.
As per your suggestions from discussions, i double checked all the below activities
Activate the BC sets
Run Sync Jobs
Run Batch Risk Analysis
After all this I found that the functions are not mapped to the logical groups(Back-end Systems) I have defined. Can you please let me know how to make sure you have correct back end system(logical Group) updated for the functions in the setup? Doesn't the configurations Connector/Connector Groups etc already mapped the functions to the back-end system? It would be a hell of work to do all the system mapping on function level manually.

Hi Narsimha
You need to map your connectors to the logical systems that are used in the function definitions
Look at your integration framework Setup in the IMG.
Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types
Also, for 10.1 there was an issue with logical systems. It may be that your configuration is correct: Re: GRC 10.0 SP14 - Poblems when generating rules for logical systems
Regards
Colleen

GRC 10: Deleting the Ruleset.

Hello Guys,
Anyone has a clue how to go about deleting an existing Ruleset in the system? I tried in SPRO - Delete Ruleset but it is not working. At the same time, I see an option in the nwbc also, which is to Delete the ruleset.
1. Any idea how we should go about deleting the existing Ruleset?
2. What is the difference between deleting from NWBC and deleting from SPRO?
We have 3 Physical systems A, B and C and the connector groups are:
Logical Group 1 - Having A&B systems.
Cross Group 2 - Having A&C systems.
Any ideas appreciated.
Regards.
Edited by: sapgrc10 on Nov 7, 2011 8:14 PM

Hello Asheesh,
Thanks for your reply. Besides SAP_ALL and SAP_NEW, I also have allmost all the roles to myself as under:
SAP_GRAC_ACCESS_APPROVER     Role for Access Request Approver
SAP_GRAC_ACCESS_REQUEST_ADMIN     Role for Access Request Administrator
SAP_GRAC_ACCESS_REQUESTER     Role for End user
SAP_GRAC_ALERTS     Generate, clear and delete SOD Alerts
SAP_GRAC_ALL     Super Admin for AC
SAP_GRAC_BASE     Base Role for all Access Control Users
SAP_GRAC_CONTROL_APPROVER     Create AC MIT control, approve, assign, Alerts and perform Risk Analysis
SAP_GRAC_CONTROL_MONITOR     Ability to assign MIT control to a Risk and perform Risk Analysis
SAP_GRAC_CONTROL_OWNER     Create AC MIT control.
SAP_GRAC_DISPLAY_ALL     Display Access To All AC Objects.
SAP_GRAC_FUNCTION_APPROVER     Approve Function for Workflow
SAP_GRAC_NWBC     View Access Control Information Architecture.
SAP_GRAC_REPORTS     Ability to run all AC reports.
SAP_GRAC_RISK_ANALYSIS     Ability to Perform Risk Analysis
SAP_GRAC_RISK_OWNER     Risk maint. And Risk Analysis
SAP_GRAC_ROLE_MGMT_DESIGNER     Role Management Designer
SAP_GRAC_ROLE_MGMT_ROLE_OWNER     Role Owner
SAP_GRAC_ROLE_MGMT_USER     Role Management Business User
SAP_GRAC_RULE_SETUP     Ability to define Access Rules
SAP_GRAC_SETUP     Ability to setup Access Control
SAP_GRAC_SUPER_USER_MGMT_ADMIN     Super User Administrator Role
SAP_GRAC_SUPER_USER_MGMT_CNTLR     Super User Controller Role
SAP_GRAC_SUPER_USER_MGMT_OWNER     Super User Owner Role
SAP_GRAC_SUPER_USER_MGMT_USER     Super User Firefighter
SAP_GRC_FN_ADISSUE_PROCESS     Ad-hoc Issue Processer
SAP_GRC_FN_ALL     GRC - Power User
SAP_GRC_FN_BASE     GRC - Base role to run GRC applications
SAP_GRC_FN_BUSINESS_USER     GRC - Business User
SAP_GRC_FN_DISPLAY     GRC - Display
SAP_GRC_FN_POST     Role with Post Authority Only
SAP_GRC_MSMP_WF_ADMIN_ALL     MSMP Overall Administrator
SAP_GRC_MSMP_WF_CONFIG_ALL     MSMP Overall Configurator
SAP_GRC_NWBC     Governance, Risk, & Compliance
SAP_GRC_SPC_SCHEDULER     Authorization to schedule background jobs
But still having the problem. When I press the execute botton to delete, the system does not do anything, neither does it give any message or error.
Anything else, that I am missiing?
Also, my second question was if there is any difference deleting the ruleset from NWBC or from the Frontend or are these both the same?
Thanks in advance!
Edited by: sapgrc10 on Nov 8, 2011 5:27 PM

Logical Groups in GRC-AC

Similar Messages

Maybe you are looking for