Mass RAR Rule Set Changes

My integrator is telling me that there is no way to complete a mass update to the authorizations/restrictions in our RAR rule set (AC 5.3). That is, at the recommendation of our external auditor, we added additional transactions to existing rules but failed to activate the company code restrictions to ignore display-only access and therefore I am receiving a significant number of SODs which are false positives.
I find it hard to believe that there is no easy way to activate the company code authorization objects (and others) for the additional transactions in the rule set. The integrator is telling me that this has to be done one by one. Please tell me that there is an easier way.
Apologies if this is a repeat; if this topic is out there, could someone point me in the right direction? Thank you in advance!

Is there any easy way? Depends on what you think is easy.
For mass updates to functions I will typically use the Configuration -> Rule Upload feature. To perform an update to an authorization object, you would use the 'Function Authorization' selection.
To upload the function you'd want to use the file formats from the 9 upload files SAP provides for the ruleset. If I recall correctly, function uploads will overwrite the existing function, so it is important that your upload file contains all existing function data + the additional auth objects you want to activate.
As with any text file manipulation and download/upload or export/import features into GRC, you want to be particularly careful with formatting and attention to detail. Probably a good idea to take a backup of the rules if this is your first time working with the ruleset files.
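The overwrite behaviour described in this answer is the main hazard of a mass update: the upload file must carry every existing permission row, not just the ones being changed. The following added example (not from the original thread or from SAP) builds such a file from a downloaded Function Permission export, flips the status of one auth object/field for a list of function/action pairs, and refuses to write anything if a row would be lost. The tab-delimited column layout, the sample rows and the STATUS values 1/0 are assumptions; the real column order must be taken from SAP's delivered upload templates.

```python
import csv
import io

# Assumed (hypothetical) tab-delimited layout of a Function Permission export.
# The real column order must be taken from SAP's delivered upload templates.
FIELDS = ["FUNCTION", "ACTION", "OBJECT", "FIELD", "OPERATOR", "FROM", "TO", "STATUS"]
ACTIVE, INACTIVE = "1", "0"

# Constructed sample export (not real SAP data): company code rows are inactive
# and the newly added transaction FB03 has no BUKRS row at all.
SAMPLE_EXPORT = "\n".join([
    "AP01\tFB01\tF_BKPF_BUK\tACTVT\tAND\t01\t\t1",
    "AP01\tFB01\tF_BKPF_BUK\tBUKRS\tAND\t*\t\t0",
    "AP01\tFB02\tF_BKPF_BUK\tACTVT\tAND\t02\t\t1",
    "AP01\tFB02\tF_BKPF_BUK\tBUKRS\tAND\t*\t\t0",
    "AP01\tFB03\tF_BKPF_BUK\tACTVT\tAND\t03\t\t1",
]) + "\n"


def parse_export(text):
    """Parse the tab-delimited export into a list of row dicts."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    return [dict(zip(FIELDS, row)) for row in reader if row]


def row_key(row):
    """Identity of a permission row, independent of its status flag."""
    return tuple(row[f] for f in FIELDS if f != "STATUS")


def activate(rows, targets, obj, field):
    """Set STATUS=1 on obj/field rows for every (function, action) in targets.

    Rows are copied so the original export stays intact for the before/after
    check. Returns (new_rows, changed, missing); 'missing' lists target pairs
    that have no such row and therefore still need a manual entry."""
    new_rows, changed, seen = [], [], set()
    for row in rows:
        row = dict(row)
        pair = (row["FUNCTION"], row["ACTION"])
        if pair in targets and row["OBJECT"] == obj and row["FIELD"] == field:
            seen.add(pair)
            if row["STATUS"] != ACTIVE:
                row["STATUS"] = ACTIVE
                changed.append(pair)
        new_rows.append(row)
    return new_rows, changed, sorted(set(targets) - seen)


def nothing_dropped(original, updated):
    """The upload overwrites the function, so every original row must survive."""
    same_count = len(original) == len(updated)
    return same_count and {row_key(r) for r in original} <= {row_key(r) for r in updated}


def render_export(rows):
    """Write the rows back in the same tab-delimited layout."""
    buf = io.StringIO()
    csv.writer(buf, delimiter="\t", lineterminator="\n").writerows(
        [r[f] for f in FIELDS] for r in rows)
    return buf.getvalue()


def build_upload(text, targets, obj="F_BKPF_BUK", field="BUKRS"):
    """Return (upload_text, changed_pairs, missing_pairs) for a full re-upload."""
    original = parse_export(text)
    updated, changed, missing = activate(original, set(targets), obj, field)
    if not nothing_dropped(original, updated):
        raise ValueError("refusing to write: rows would be lost on upload")
    return render_export(updated), changed, missing


if __name__ == "__main__":
    out, changed, missing = build_upload(SAMPLE_EXPORT, [("AP01", "FB02"), ("AP01", "FB03")])
    print(out)
    print("activated:", changed, "no row to activate:", missing)
```

Take the backup the answer recommends before uploading the generated file, and treat every pair reported as missing as one that still has to be added by hand in the Rule Architect.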

Similar Messages

  • CC / RAR Rule Set Build

    We had a rule set built in Compliance Calibrator 5.2 by a vendor during implementation. We have over 700 rules and now know that there are too many rules in our rule set.
    Can any of you tell me the best way to build a rule set? How many rules do most people have in their rule set? Is there a best practice out there somewhere to do this?

    Hi Greg,
        You will have to understand the relationship between rule, risk, business process, function, transaction and permission to build a rule from scratch. If you need to build one or two rules, you can just go through CC and do it. If you want to build a large set of rules then you will have to create text files for risks, functions, rules etc. I would recommend you go through the config guide for CC 5.2 or 5.3 and see how rules are being built.
    There is no straight answer on the number of rules. The number of rules you need will depend on industry, company size, location, rules and regulations to follow, company structure etc. Best practice rules come with the installation and you can always get them from SAP. The best practice ruleset contains around 40,000 action and permission rules.
    Regards,
    Alpesh
    SAP GRC Manager (PwC)

  • Need information on the new RAR Rule Architect/Rule Set functions

    Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
    My 5.3 Config manual mentions this area but doesn't describe anything about it. I have a request from our user group and need to determine if this can fit that request.
    What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe). Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that: load the new SAP one into RAR as a separate ruleset and then run this Compare function. However, I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
    Thanks.

    Hi,
    The error 'NullPointerException' is a very common error in GRC.
    Kindly search, you will find lots of threads and notes on this.
    Check your permission TXT file. It contains a null value somewhere.
    Especially check the SD01 & SD02 tcodes.
    Also open the permission file in Word and check all TABs and ENTERs in technical view.
    Regards,
    Surpreet

  • GRC-AC v5.3 SP11 -- RAR Rules for BI, GTS, SRM, XI, GRC-AC, SolMan

    Hi!
    Has SAP released RAR Rule sets for BI, GTS, SRM, XI, GRC-AC, or Solution Manager?
    Let me know if anyone else has found them.
    Thanks,
    -john

    Hi John,
       SRM rules have always been available. I have not seen rules for BI, GTS, XI, AC or SolMan. Would definitely want to see rules for XI, BI and SolMan.
    Alpesh

  • RAR: Global Rule set

    Hi,
    I am wondering if the latest global rule set contains the tcodes, authorization objects and values based on the latest version of SAP? If yes, can this global rule set be applicable for SAP version 4.7 ?
    Thanks,
    Debbie

    Hello Rajesh,
    Hope this information from SAP helps you. RAR Rule Update - Documentation:
    It is not possible to programmatically send out updates to the default ruleset (i.e. via transports or STMS).
    This is because rule uploads only overwrite and do not append. As every company should have made changes to their ruleset, SAP cannot send out rule updates as this would overwrite the customization done by each company.
    Since the SAP acquisition of Virsa, there have been seven updates to the supplied ruleset which are described in detail in the SAP notes below.
    1061380 – Q2 2006
    1035070 – Q1 2007
    1083611 – Q3 2007
    1173980 – Q2 2008
    1326497 – Q2 2009
    1446680 – Q2 2010
    1604722 – Q3 2011
    These notes provide a company with a detailed Word document that summarizes the changes made.
    The company must go through these changes to evaluate if they agree with the SAP supplied change.
    If they agree, the company will have to make the change manually via the Rule Architect.
    To get more details, please refer to note 986996.
    Regards,
    Renuka

  • RA&R rules 5.3 changes compared to standard global rule set

    Good day,
    Please can someone assist me. I need to compare a client's customised rule set to the standard rule set, and document where changes have been made (there is no log of the changes). A client has made modifications to the rule set; we are not sure if these modifications were valid, so we need to compare these to the standard rule set. The problem is that the client has modified the "GLOBAL" rule set, so I do not have a base rule set to work from. I have looked at the initial upload files, but they are not easily compared with the current production rule set. Does anyone have any solutions as to how this could be achieved?
    Thank you and Kind Regards
    Jill

    Hi,
    How has the client modified the GLOBAL Rule Set in RAR? Have they just deactivated the risks from the global rule set, or deleted the risks permanently?
    If they deactivated the risks in the GLOBAL Rule Set, just download the rules through Utilities (Configuration) and check the entries which have '0' (ZERO) values; only those risks are deactivated. It is the better process to segregate the rule set.
    Regards,
    Arjuna.
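Both the comparison Jill asks for and the '0' status check in this answer can be done offline against two downloaded exports. The following added example (not from the original thread or from SAP) compares the delivered base export with the client's modified GLOBAL export row by row and reports what was removed, added, deactivated or reactivated. The tab-delimited column layout and the sample rows are assumptions; take the real column order from SAP's delivered upload templates.

```python
import csv
import io

# Assumed (hypothetical) tab-delimited layout of a permission-level rule export.
# The real column order must be taken from SAP's delivered upload templates.
FIELDS = ["RISK", "FUNCTION", "ACTION", "OBJECT", "FIELD", "FROM", "STATUS"]

# Constructed samples (not real SAP data): the delivered base rule set and the
# client's modified GLOBAL rule set. Z* names are placeholders for custom entries.
BASE_EXPORT = "\n".join([
    "S022\tAR07\tFD02\tF_KNA1_BUK\tACTVT\t02\t1",
    "S022\tAR07\tFD02\tF_KNA1_BUK\tBUKRS\t*\t0",
    "S022\tAR07\tFBL5N\tF_BKPF_BUK\tACTVT\t03\t1",
    "P001\tPR01\tME21N\tM_BEST_BSA\tACTVT\t01\t1",
]) + "\n"
CLIENT_EXPORT = "\n".join([
    "S022\tAR07\tFD02\tF_KNA1_BUK\tACTVT\t02\t1",
    "S022\tAR07\tFD02\tF_KNA1_BUK\tBUKRS\t*\t1",   # reactivated by the client
    "S022\tAR07\tFBL5N\tF_BKPF_BUK\tACTVT\t03\t0",  # deactivated by the client
    "Z001\tZF01\tZTRX\tZ_OBJ\tACTVT\t01\t1",        # added by the client
]) + "\n"                                            # ME21N row was deleted


def load_status(text):
    """Map each permission row (all columns except STATUS) to its status flag."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    status = {}
    for row in reader:
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        key = tuple(rec[f] for f in FIELDS if f != "STATUS")
        if key in status:
            raise ValueError(f"duplicate row in export: {key}")
        status[key] = rec["STATUS"]
    return status


def compare(base_text, client_text):
    """Classify every difference between the base and the client rule set."""
    base, client = load_status(base_text), load_status(client_text)
    report = {"removed": [], "added": [], "deactivated": [], "reactivated": []}
    for key in sorted(set(base) | set(client)):
        if key not in client:
            report["removed"].append(key)
        elif key not in base:
            report["added"].append(key)
        elif base[key] != client[key]:
            # Status changed: '0' in the client export means deactivated.
            bucket = "deactivated" if client[key] == "0" else "reactivated"
            report[bucket].append(key)
    return report


if __name__ == "__main__":
    for kind, keys in compare(BASE_EXPORT, CLIENT_EXPORT).items():
        print(kind)
        for key in keys:
            print("   ", "\t".join(key))
```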

  • CC / RAR 5.2 - Multiple Rule Set Question

    How does the system handle the use of multiple rule sets in CC / RAR 5.2?
    For example, let's say I want to keep a standard SAP rule set intact to use for testing and comparison in RAR, but I also want to load another one.
    I realize that only 1 can be the "DEFAULT", so what does that mean? I know that a risk analysis is only run against the rule set you set as default. I also know that you can select the rule set to use in processing when you manually run a risk analysis either through the Informer or Configuration tab. What I am really concerned with is what happens if you take the results to "management reports" from 2 different rule sets?
    First, can you even do it?
    Second, if you can, then I think you must have to come up with a different RISKID configuration schema for each rule set; otherwise, I do not see how you can differentiate from which rule set the violation is generated. That said, you will also need to export the report information into Excel and make any "rule set sort" there as I don't see a way to do it directly in RAR... maybe a future improvement?
    Can anyone confirm the impact of multiple rule sets and how you manage them?
    Regards,
    Greg

    Greg,
    You can maintain different severity levels for different Rule Sets. For example, in one Rule Set you can keep the "Critical" Risks and in the other you can keep "High", "Medium" & "Low". Run your analysis against the first Rule Set if you want to know the "Critical" Risks, and the second Rule Set you can use for the rest of the severity levels. I hope this way you can manage your multiple Rule Sets in RAR.
    Thanks,
    Tavi
    SAP Security & GRC Consultant.

  • Change History When Importing DEV Rule Set to PRD

    Does anyone know what effect importing the DEV rule set into PRD has on the change history in CC 5.x? In other words, if one imports the DEV rule set into PRD, will the change history capture any changes that were made to the risks and functions during the import process?
    Thanks!

    Importing the Rules to a new environment is like creating them anew from scratch. Any new function/risk creation does not appear in the Change history at all. 'Change' only refers to modification done to the original entries.
    Cheers!!

  • Do you trust the SAP standard rule set ?

    Hello all,
    I have the impression that, too often, the SAP standard ruleset has been taken for granted: upload, generate and use. Here is a post as to why not to do so. Hopefully, this will generate an interesting discussion.
    As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic:
    1. What is your SAP release? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to be provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
    2. What are your customizing settings and master data settings? --> Depending on these answers you will have to (de)activate certain permissions in your functions. E.g. are authorization groups for posting periods, business areas, material types, ... being used? If this is not required in the SAP system and is activated in the SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk of false negatives!
    Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point.
    So, the best practice is:
    a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
    b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
    You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly into SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent!
    Is this questionnaire really necessary? Can't I just activate all permissions in every function? Certainly not, because that would - and here is the main problem - filter too many users out of your audit results because the filter is too stringent. This practice would lead to false negatives, something that auditors do not like.
    Can't I just update all my functions based on my particular SU24 settings? (By the way, if you don't know what SU24 settings are, then ask your role administrator. He/she should know.) Yes, if you think they are on target, you can, by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-uploading, and going into change mode for every function so that the new permissions are imported based on your SU24 settings. Also very cumbersome, and with the absolute condition that your SU24 settings are maintained excellently.
    Why is that so important? Imagine F_BKPF_GSB, the auth object to check on auth groups on business areas within accounting documents. Most role administrators will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported into the role when - for example - FB01 has been added in the menu. But the role administrator inactivates the object in the role. Still no problem, because the user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 setting will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
    Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB? Now you see why. But they go too far at times and are even incorrect. Example: go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated: F_BKPF_BEK and F_BKPF_KOA. The very basic authorizations needed to be able to post an FI document are F_BKPF_BUK and F_BKPF_KOA. That's F_BKPF_BUK... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
    Again, the message is: be very critical when looking at the SAP standard rule set. So, test thoroughly. And if you're not sure, leave the job to a specialized firm.
    Success !
    Sam

    Sam and everyone,
    Sam brings up some good points on the delivered ruleset. Please keep in mind, however, that SAP has always stated that the delivered ruleset is a starting point. This is brought up in SAP note 986996, Best Practice for SAP CC Rules and Risks. I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
    I'll try to address each area that Sam brings up:
    1. Regarding the issue with differences of auth objects between versions, the SAP delivered ruleset is not meant to be version specific. We therefore provide rules with the lowest common denominator when it comes to auth object settings.
    The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
    The underlying assumption is that we want to ensure the rules do not have any false negatives. This means that we purposely activate the fewest auth objects required in order to execute the transaction.
    If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
    Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
    2. For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone. This is why we deliver only the core auth objects in our rules and not all. An example is ME21N.
    If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain. However, in the rules we only enable one of the objects, M_BEST_BSA. This is to prevent false negatives.
    3. Sam is absolutely right that the delivered auth object settings for FB01 have a mistake. The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK. This was a manual error on my part. I've added this to a listing to correct in future versions of the rules.
    4. Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed. See the SAP notes below as well as the posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
    1083611 Compliance Calibrator Rule Update Q3 2007
    1061380 Compliance Calibrator Rule Update Q2 2006
    1035070 Compliance Calibrator Rule Update Q1 2007
    1173980 Risk Analysis and Remediation Rule Update Q2 2008
    5. SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved. See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008. A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
    6. Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
    https://www.sdn.sap.com/irj/sdn/bpx-grc
    Under Key Topics - Access Control, choose the document below:
        o GRC Access Control - Access Risk Management Guide (PDF 268 KB)
    The access risk management guide helps you set up and implement risk identification and remediation with GRC Access Control.

  • Access to update the GRC rule set is limited

    Hello - What is the process (tcode) to see who has access to update the GRC rule set?
    Thanks!

    Hi Sam,
       What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to the Rule Architect to make changes. If you have CC 5.X then you go through the web browser and go to the Rule Architect to make changes to the rule set.
    The process to change a rule set is as below:
    1) Create Function
    2) Create Risk
    3) Create Rule
    Regards,
    Alpesh

  • Multiple GRC rule set update

    We have a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definitions, to be loaded in GRC. If we try to upload rule set B risks and functions via the Upload function in GRC, would it overwrite rule set A or not? Just wanted to confirm whether the existing rule set A would be affected or not due to the upload of rule set B.

    Hey Alpesh,
    Sorry, I haven't understood it correctly. This is a question that will always be asked in the training.
    You wrote:
    "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
    Is this only possible if all IDs (risk, function, function action, function permission) are changed beforehand and cannot be equal to those in rule set A? Correct?
    What about the ALL.txt files, do I have to change/upload them again as well?
    Thanks for feedback,
    always a pleasure!
    Greets
    Martin

  • Rule set Version

    Hi,
      How can I find out which rule set version a particular RAR (CC) system has, if I have logged into someone else's RAR (or CC) system?
    To be specific, I wanted to know which Rule Set Version (Rules) they are using (like the Q1 2007, Q3 2007, Q2 2008 or Q2 2009 Rule Update etc.) irrespective of the application version they are using (like 5.1, 5.2 or 5.3).
    Thanks & Regards
    Uma Shankar T

    Hi Uma,
    The ruleset versions are normally shipped as part of support packs.
    However, you would only normally implement the ruleset version when doing a clean implementation as uploading a completely new version could overwrite any changes which you have made for your own organisation.
    I do not know of any technical settings to identify exactly which version was uploaded into the system as the ruleset is shipped as a data file.
    You can track the released versions via the SAP Notes though.
    Simon

  • FBL5N - in Rule set - It is a Display customer line items

    Dear All,
    We observed that FBL5N - Display customer line items is in the Standard SoD rule set under function AR07, addressing risk S022.
    Unless the t-codes FD03 or FB02 are also present, this t-code does not allow changing the payment terms of the customer.
    We are facing a challenge from the client that FBL5N is a display t-code, so why is it there in the rule set?
    Has anybody come across this scenario? If yes, what is the underlying risk for FBL5N independently?
    Is there any SAP Note for this t-code like the one for ME23N from SAP?
    Thanks and Best Regards,
    Srihari.K

    Hi Christian,
    We checked the authorization objects enabled in the GRC rule set as well, as below:
    F_BKPF_BUK - Document Authorization for company codes - 01 or 02 - Enabled.
    In spite of this access, FBL5N cannot be used to change the document for payment terms and assignments without the FB02 t-code assigned in the role.
    Independently, FBL5N cannot be used for any change or create activity except Display customer line items.
    Please advise.
    Thanks and Best Regards,
    Srihari.K

  • I have messages in mail that are color-coded as if by a rule, but I have no rules set. How can I correct this?

    The only rule that I ever had in Mail was the default one that color coded messages from Apple blue. I notice that some messages are color-coded brown and I have no rules set at all (hence no rule to turn off). Some of the messages are related to viewing online magazines, but not all. How can I stop this?

    Hi. Thanks for your message.
    Well, I understand what you are trying to say but I thought it was easier to categorize in Apple Mail.
    On Entourage I just click twice on a sender address, record it in the Address Book and give it a colour that I previously defined as "Work", "Personal", "Customers", "Suppliers", "Friends" or whatever.
    As Apple Mail doesn't have the Address Book as part of it but as an outside feature, it's very annoying. Of course I am used to using a piece of software and I don't expect Apple Mail to do everything as Entourage does but... as someone said, it seems Apple Mail stopped in time. The recent version seems like the first one ever issued. I hate the way Mail.app handles attachments by placing big chunky previews right in my email. I prefer them to be named attachments listed somewhere else, out of the content of my email. I don't know if I can change this via terminal commands? Can you tell me if that is possible?
    I don't understand why Apple Mail has lots of plugins instead of a great improvement from the backstage.
    I have used Apple computers forever and I love these machines but sometimes I don't understand this lack of improvements.
    Take a look at this link:
    http://scottworldblog.wordpress.com/2009/10/12/microsoft-entourage-vs-apple-mail/
    Of course I don't agree 100% with him but some things are true...

  • Is it possible to add a firewall Filter or Rule Set to the Extreme Router (802.11n)

    Is it possible to add a firewall Filter or Rule Set to the setting for the Extreme Router (802.11n) like the following:
    "ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53"  and
    "BLOCK TCP/UDP IN/OUT all IP addresses on Port 53"
    The goal of this is to create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs.
    Or, alternatively, is there a way to configure the same thing in the Network preferences on iMac OS X?
    Thanks and much appreciation to anyone who has any clue about this.

    Sorry, I think you've got it backwards.
    The concern is NOT that the child can make changes to our hardware/AEBS, or even our network software on my iMac - nothing's been changed.
    BUT he changed the DNS settings on his OWN device (i.e. Chromebook) to Google's public server, accessed the AE using our home wifi network BUT bypassed our DNS settings. Capeesh?
    See: http://www.pocketables.com/2013/03/how-to-use-change-the-dns-settings-on-your-chromebook-and-use-googles.html
