Meaning of SOD......

Similar Messages

• SOD conflict related to Service Pack Stack 15?

  Hello everybody,
  My Company has SAP ECC 6.0 and we recently installed the Service Pack Stack 15. The previous SP installed was the 7, which is a big leap between versions, as you can see.
  Do you know is possible to have an impact on the authorizations (roles, profiles) and in consequence, an increasing number of SOD risks?
  I've alredy inquired, and there should be no impact; but I would like to know your opinion.
  The thing is that the SOD risks increased in a 200% in the same weekend the SP was installed.
  Thanks in advance for your help and advice.

  >
  Mateus Pedroso wrote:
  > What do you mean by SOD risks ?
  What do you mean by SOD risks ?
  Hey Mateus, by SOD riks I mean Segregation of Duties conflicts?
  Thank you 4 your help...

• SODA - Service Oriented Integration of Medical Devices in Hospitals

  In this thread I will write about my dissertation project. It addresses the problem of the integration of medical devices with their proprietary interfaces and data models into the existing hospitals´ IT infrastructure.
  Interoperability is an almost non-existent feature of medical devices. The consequences of non-interoperable devices in hospitals are manifold. Medical data produced by devices cannot be directly integrated into hospital information systems for medical documentation. Thus, important data will be lost and examinations have to be repeated if required information is not available due to incomplete documentation. In addition, the documentation quality is affected by human errors due to manual nonelectronic steps and media discontinuities. Another example is maintenance. Medical devices have to be maintained at regular intervals. Thus, an inventory of all devices, their status and maintenance intervals is needed for generating a maintenance manual. Currently there is usually no possibility for automatically getting a detailed inventory of all medical devices in a hospital (or section of a hospital).
  The market size in conjunction with a multitude of companies and products (the DIMDI information system contains data about 60,000 medical devices) results in challenges concerning interoperability due to different proprietary hard- and software interfaces, data structures and semantical interpretations. Initiatives like IHE (Integrating the Healthcare Enterprise) are trying to push standardization in the medical sector. However u2013 as mentioned above - the current situation is still unsatisfying and increasingly getting worse due to the continuously growing number of medical devices and associated interfaces.
  A promising approach for overcoming interoperability issues is the service oriented device integration, also known as SODA (Service Oriented Device Architecture). The basic concept is the encapsulation of devices as services, analogous to enterprise services in service oriented architectures (SOA). An enterprise service is a software component that offers a business functionality on a highly semantical level by specifying the interface in a standardized way (e.g. by the Webservice Description Language u2013 WSDL). Highly semantical level especially means, that a service is self-descriptive in a way that it can be consumed dynamically and loosely coupled by other components with a consistent understanding of shared data. In the medical domain a device service for instance could offer functionality for measuring the current blood pressure of a patient. Based on such basic services more complex services (like a patient monitoring system) can be realized.
  The main advantage of the service oriented approach is that the manufacturer-specific device interface does not have to be known by the service consumer and by the programmer respectively, as it is encapsulated by a standardized service interface. This enables the extension of IT supported medical processes by devices, e.g. by using the Business Process Execution Language (BPEL). In addition new functionalities could be added to the device service that are logically related to the device but not offered by the device itself (e.g. tracking & tracing functionalities); so the device service can be considered as a virtual device. Therefore software maintenance will become easier, because the service interface remains unchanged in case of a device exchange or device interface changes. In my dissertation project I will explore the advantages and obstacles of the SODA concept in comparison to existing approaches for integrating medical devices in hospitals.
  The SODA approach is in accordance with the SAP Enterprise SOA (ESOA) strategy. For instance, the scope of the Healthcare Community Definition Group is to further enhance the Enterprise Services (ES) Bundles Patient Administration and Medical Activities, Patient Billing and Invoicing and to define a new ES Bundle on Medical Documentation. SODA projects define services for devices. These services can use or combined with Enterprise Services, e.g., for Patient Administration. In the EU funded project SOCRADES, SAP Research explores the SODA approach in other domains, especially industrial automation.

  Hmm, perhaps your other discovery settings are configured that it'll get the OOB OU because you're OOB OU is under some other OU that's configured to be discovered and you have the recursive and group settings turned on, CHECK this first.
  Remove the OOB from your discovery. For testing purposes, remove (delete) one or more machine objects from the ConfigMgr console, wait a while and then run the AD System Discovery again and check what object gets there. AD system discovery shouldn't look
  objects from other OUs than the ones you've specified in the discovery settings.
  I'm not that familiar with vPro, so the behavior you're seeing might well be the default, but I doubt that.. Doen't make sense that you control your computer objects.
  For more information you could also post adsysdis.log from the configmgr server.

• SOD's are not shown in the Report

  We have created the connector in Compliance Calibrator for MQA system
  We ran the user Full Synch and Incremental Synch.
  But the Sod Report doesn't show any SOD's.
  SOD's are shown for the different system's the user has same Roles in
  the two systems.
  Is something we are missing?

  Venkat,
    You need to run 1) Full User Sync, 2) Full Role Sync, 3) Full Profile sync if you are using profiles, 4) Full Risk Analysis and 5) Management Reports to see SoD violations.
  I did not understand meaning of this statmenet:
  "SOD's are shown for the different system's the user has same Roles in the two systems."
  What do you mean by this?
  Regards,
  Alpesh

• How to understand Permission level SoD analysis reports?

  Hi ,
  We would like to confirm whether our understanding is correct in analysing the SoD analysis reports at Permission Level
  Below is an example on how functions are configured at permission level
  Under Function 0C0004 we have t-code as below
  VA01 - Create Sales Order with Auth Objects
  B_USER_STAT  - ACTVT 01 AND
                              ACTVT 06 AND
  K_CKBS_CO-PC - ACTVT 01 AND
                               ACTVT 06 AND
  V_VBAK_AAT - ACTVT 01 AND 02 AND 06 etc.,
  Similarly we have another Function GA0001  with t-code as below
  F-03- Clear G/L Account
  F_BKPF_BLA  - ACTVT 01 AND
  F_BKPF_BUK -  ACTVT 01 AND
  F_BKPF_KOA - ACTVT 01 AND
  We have defined Risk betwee GA0001 & OC0004 with RISK ID 0045.
  Does this means that a User / Role which are having t-code VA01 with the above permission values should be thrown as a conflict if the same user/ role is having t-code F-03 with the above permission values.
  Do we need to understand the conflicts are only  between two transaction codes and their permission values? or
  Do we need to understand within the transaction code permission values also there are conflicts i.e. if a user is having  01,02 & 06 for V_VBAK_AAT in VA01 also.
  When SoD reports are thrown for a User/ Role it just provides the Rule ID number and the t-codes conflicting followed by the permission values of the t-codes as below
  004500101 : Transaction Code Check at Transaction Start  Transaction Code     Create Sales Order (VA01)   OC00004
  004500101 : Transaction Code Check at Transaction Start  Transaction Code      Clear G/L Account (F-03)      OCA00001
  004500101:  B_USERSTAT : ACTVT : Activity      Delete(06)                          OC00004
  004500101:  F_BKPF_BLA : ACTVT : Activity      Create or generate(01)      GA00001
  004500101: B_USERSTAT : ACTVT : Activity      Create or generate(01)      OC00004
  004500101: F_BKPF_KOA : ACTVT : Activity      Create or generate(01)      GA00001
  004500101: V_VBAK_VKO : ACTVT : Activity      Create or generate(01)      OC00004
  In the above scenario what exactly we need to understand ? Whether the conflicts are between t-codes & their respective permission values or the conflicts are intra conflicts i.e between permission values as well?  User should not posses both 01 & 06 for Auth Object B_USERSTAT and remove the access to any of them.
  Please provide your suggestions in our understanding.
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
            In RAR the conflict is always between Actions not permission. Permission level data is only for your info. All permission level details out of the box are not configured you have to activate it and fill in the value in the field. Now based on the value you feed in it will pull out the details.
  eg: if you enter * it will show all values, If you enter 01 it will show all  values with 01. 
         So to summarize the permission level details you need to configure based on needs and are not linked to conflicts they just show AS IS permission level details.
  Thanks,
  Darshan

• Compliance Calibrator SOD Conflict (FI01 and FB05)

  I was hoping that someone could provide some insight as to why the "FI01 - Create Bank" and "FI02 - Change Bank" transactions would create a risk (in Compliance Calibrator) when coupled in the same security role with the "FB05 - Post with Clearing" transaction.  The risk description given by Compliance Calibrator is "Maintain bank account and post a payment from it".
    The FI01 and FI02 t-codes appear to only create/change routing numbers or addresses for banks.  There is no ability to create or change an actual bank account.  This alone doesn't seem to create a conflict when coupled with a posting transaction.  Is there possibly some functionality that I am missing?

  Hi Joshua,
  I strongly agree with you that there is no SOD conflict technically with FI01, FI02 with FB05 although the wording of the SOD conflict in a business sense meaning Maintain Bank Accounts vs Posting Payments sounds more like a Conflict.
  I dont see by anyway how you can maintain actual bank account in either FI01, FI02.
  FI01 and FI02 - Maintain Bank Info like Bank Address, Bank Key and soforth.
  FB05 - Make Payments to various accounts.
  Regards,
  Kiran Kandepalli.

• Does "Access Enforcer" only support "role" based SOD analyse?

  Hi Expert,
  In the demo script, when the user create the "Access Request Form", he can choose the "Role" he wanted from "Select roles" list, I'm just wondering whether each role here is corresponding to the role in the backend system? for example,
  If I choose role "Z_AP_ACCOUNTANT" actualy at that time there is a role called "Z_AP_ACCOUNTANT" already in the backend system if the system is a SAP ECC system.
  Another question is, if so, does that mean it can only support "Role" based SOD analyse? as you know, each role may contain several "authorization objects", can it be done from "authorization object" level?
  Thanks and best regards.

  Hi,
  The Roles are normally determined based on the SOD.Using T/code:PFCG the roles are mapped to the system.These Roles are common to all the system,regardless of R3,Virsa etc.
  The roles also can be determined without SOD [but this is not recommended.].
  The SOD is only to ensure that there exist no internal control weaknesses while creating the Roles at an organizational level.Thus it is only an excercise outside the System,be it SAP,Virsa or else.
  At the system level we map only the roles [ using :PFCG].We dont map SOD here.So,SOD or No SOD,the system supports the Roles.
  Hope this helps.
  Regards,
  Ramesh.

• Is it possible to copy the SoD rules in the same system to diff. Rule SetId

  Hi all,
  We have created SoD rules as per our business requirement in RAR 5.3 Component connecting to the QA system. We want to copy the same rules into another different RULE SET for the same QA system. Is this possible?
  Ex: ABRULE SET - Tailored as per Business Requirement and generated rules linking to QA system [Manually configured the SoD rules].We will use this Rule set for our Production System as it was frozen as per the Business Requirement (This we will do by establishing another JCO to production system)
  We wanted to copy the entire SoD rules of ABRULESET to another rule set say YZRULESET. This YZRULESET we will use for making any configuration changes in future before making changes to ABRULESET which will be connected to Production System.
  Is it possible to copy the SoD RULES from one Rule Set ID to another Rule Set ID within the same system? If yes, please provide us the procedure on how to copy the rules of one Rule set Id to another Rule set ID.
  We explored the options of Export & Import Rules but no where it asked for new Rule Set ID for copying.
  Thanks and Best Regards,
  Srihari.K

  Here is a method I've seen a few customers use, which seems like a good idea:
  - load the standard rule set
  - create a new empty rule set
  - create your risks in the new rule set ( initially this could be a re-import of the risks, risk_desc and risk_ruleset files with a few changes done in excel to change the IDs)
  This means you have an exact copy of the SAP standard risks in your own rule set, using the SAP functions.
  Even if you have to define your own risks, there's an enormous value in the functions. The identification of TCodes and objects that do similar business transactions is probably the most difficult thing to reproduce on your own.
  Now, whenever you have to change a risk (risk level, description, owner) you do that in your own name space
  If you have to change a function (modify objects, add custom TCodes), you COPY the function to your own name space and change the risk in your name space to use the changed function.
  If you want to be smart, you do all your own stuff in copies of the text files that come with the support packs (i.e. not in rule architect). That may not be an option if your compliance requirements want you to use the change history or automatic workflows that RAR provides, but if you don't need that, here's the advantage of this:
  When a new set of rules arrives every few months, you delete your rules with a deletion script you can get from SAP support, upload the standard rule text files, upload your own text files, and you're set with your own rule set that makes use of SAP's latest updated functions.
  This is (currently) basically the only way to automatically apply SAP changes without doing it manually, thus leveraging changes to functions by SAP.
  All your changes will be in your own text files, which you can document and version control according to your requirements.
  Not exactly the way according to the manual, but an interesting concept worth considering.

• What do you mean by Role Remediation

  Guys, I want to know clearly that what does this Role Remediation means.. Pls let me know as I am little bit confused on this.!

  Hello Ramu
  Role Remediation refers to the measures, to address the SOD (segregation of duties) conflicts associated with the Roles in the ERPs.
  For example, an SOD Conflict / risk which is associated with a single role, can be removed (remediated) by splitting into two different roles, if it is feasible. This is one way of remediation of the role.
  Where ever it is not possible to split the roles or remove the roles from the system, a mitigation control can be identified for such SOD risk associated with the role, to reduce the impact to some extent ( mitigation control is generally defined in such a way that some user in the system would be monitoring the usage of such role on a periodic basis). This is one more way of remediation. Defining the mitigation control depends on the criticality of the SOD risk, as maintaining mitigation controls involves efforts and cost.
  One more way is to give access to such role through super user access (if the usage of the role is not regular).
  The best practice in the remediation would be to start with the single roles remediation as it automatically removes the SOD violations in the composite roles as well as violations associated with the users with such roles.
  I just wrote few ways of remediation to give you a brief idea of role remediation.
  Regards
  Swarna

• SOD violation as per sizing guide

  Hi All,
  I have a query regarding sizing for GRC server. As per sizing guide, there are few inputs like total roles and total users in system landscape, which are to be connected to GRC and total violations during per peak hour etc.
  I want to know what violation count means in this context -
  Is it SOD violation before GRC implementation occuring in system?
  Or is it SOD voilation count when GRC is established and we assume that either most of the risks are mitigated and / or remediations are done.
  Does this count SATs as well?
  Thanks & Regards,
  Sabita

  Hi Experts,
  Please excuse me for re-opening this message. Our client wants clear understaning on sizing and I want confirmation before I can convince them.
  Here are my queries-
  1. When we do sizing for RAR, what activities are covered under " Daily Transactional Sizing per hour". We do incremental Sync and Batch risk Analysis, but they run in nights when system is less loaded. So what does it mean"during peak hour"? What else are under transactional sizing-do webservice calls from ERM or CUP are included in it and does Alert Monitor job also falls under it?
  2. What does it mean voilations in context of Risk Analysis? Does it mean actual violations in daily backend transactions or it is only voilations based upon Role/User authorizations? What kind of voilation it includes-permission level all line items(like ME21N ACTVT 01, 02, 03 are 4 voilations or it is only one for one risk?
  3. Under which criteria or parametr should we do sizing for Adhoc risk analysis ( run from Informer tab) .
  4. There is parameter for "initial load" in RAR and CUP. We would like to know why there are two parameters for "initial load" and "daily transactional". They may overlap for sizing purpose because when we do initial it means system is not ready to perform daily tasks. And when we say " Transactional" it means initial load is done. So in this case, the SAPS used in initial load is released for daily transactional task.
  Thanks in advace.
  Regards,
  Sabita

• SAP Security Planning and implementation with SOX/SOD compliance

  hello
  Hi guys, i am a security guy
  could you tell me ,"SAP Security Planning and implementation with SOX/SOD compliance" 
  what does it mean.
  <removed_by_moderator>
  thanks
  Ramesh
  Edited by: Julius Bussche on Feb 2, 2008 1:26 PM

  Ramesh Sammiti wrote:>
  > hello
  >
  > Hi guys, i am a security guy
  >
  > could you tell me ,"SAP Security Planning and implementation with SOX/SOD compliance" 
  > 
  > what does it mean.
  >
  >
  > <removed_by_moderator>
  >
  >
  > thanks
  > Ramesh
  Forgive me for saying, but it means:
  Implementing security which complies with Sarbanes Oxley requirements and takes into account Segregation of Duties.
  SOX and SOD are different things, from a security perspective SOX is generally technical security based and SOD is business process based (although bus proc has big SOX component).
  There is a plethora of information via yahoo/google etc.
  Edited by: Julius Bussche on Feb 2, 2008 1:28 PM

• NO direct integration to external apps in SOD?!

  Hi,
  Could someone comfirm for me that SOD is not able to directly send out data from siebel into an external application directly?
  It seems i can use workflow to trigger a record to be placed on an integration event queue. However i need a API that "reaches" into Siebel and PULLS the data off the queue and pushes it into the external applications. If this is the case, then this means the external application is a actually having to 'ping' the event queue all day for records. - is this correct?????
  What i was hoping for was the SOD will be able to send outbound data directly off the queue and into the external applications.

  Hi !
  You are right, Oracle CRM OnDemand does not send datas directly in other applications. That's why there are companies that are Integrator of this solution.
  Imagine that this functionality was standard. How Oracle is supposed to know to which type of external application you want to send your datas ? There are to many types of integration possibility and each customer has its specific needs for integration...
  Can you describe a type of interface you would like to have in standard in OCOD ?
  Hope this will help, feel free to ask more !
  Max

• What does this message mean?

  I creaetd a Webhelp Pro help file and now my co-worker can't
  access it. She gets the message 'Open project was cancelled or
  unable to load database for "\\DEVELOPMENT\f\Jenny\Documentation\28
  AX System\AX System.cpd" ' The CPD file is the directory - I can
  open the project with no problems.
  It is checked into SourceSafe using RoboSource Control- but
  no one has it checked out.
  Does anyone know what this message means? Thanks in advance
  for any help!
  Jenny

  Never mind - I see all the previous posts about this problem.
  I'm sure I"ll find my answer there.

• HT1498 Today I tried to rent ,this means war, it plays ok but always comes up with an error for the sound, also we can't play anything on AirPlay tonight , the icon doesn't even show up

  Tried to watch, movie, "this means war, but couldn't get any sound working , always came up with error, also we tried to play things from you tube and iview but the icon for the apple tv wasn't there, we switched and restarted the Internet, wireless(airport ) and even restarted our iPads , but could play anything thru apple tv, even on my computer (Mac book air) the icon was there but only allowing to p,au on the MacBook air,there was no option fir apple tv, I also restarted the apple tv, still nothing working
  I'll try agin tomorrow , the 22 July and see if anything is working
  Cheers lilian

  I am experiencing a similar problem in Windows 7 64bit.  Since my laptop has a 128gb SSD, I have loaded my iTunes library on to an external drive.  I can sync my iPhones and iPads from this library, and the songs play fine from those devices.  However, when I select a song from my library, and click the play button, nothing happens.  iTunes does nothing.  I have also tried right-clicking mp3s in my library and selecting "Play", with no results.  I do not receive an error message of any kind.
  I have also noticed that some of my mp3's within iTunes denote the Time as 00:00.  The same mp3's will play and register properly using other mp3 players on my computer, and they also play normally on my iPhones and iPads.
  I am running Windows 7 x64 on a Lenovo T530, in iTunes 11.1.3.  Everything else in iTunes appears to function normally.  I can listen to internet radio stations without an issue, through iTunes, and they play as they should.  I have tried three different external drives, with different drive formats, and they all have the same issue.  If I copy my iTunes library back to my internal drive, iTunes will play my mp3s.
  I did not have this issue with iTunes 10, so I am assuming it is something that has occured within the last few updates.
  Has anyone found a fix for this?  Unfortunately, I am forced to use iTunes 11 because of my iOS devices, otherwise I would revert to iTunes 10.

• HT1349 How do you get help from apple if you don't know where to find the serial number of my "product."  I don't know if they mean my itunes program, my iphone, my computer, which one, the number on the computer (is there one), or something in Windows or

  How are you supposed to get help from Apple if you don't know what your serial number is?  They say to input the serial number of the "product" that you are asking about.  Since my problem is how to deauthorize/authorize computers, and they are saying I have more than 5 (which I have never owned more than 5 computers in my life), I can't imagine what serial number they mean.  Does it mean your desktop computer?  If so, which one?  Do they mean your device?  LIke your iPhone, iPod or whatever?  Do they mean the software ON one of your computers and/or devices?  If so, which program, and on which computer/device?
  We have three operational computers, one does not have iTunes on it.  Since Apple is saying I have more than 5 authorized computers, and I can't imagine what they are, I am afraid to deauthorize all my computers.  See what I mean?  I just wanted to ask the question about how I can find out WHICH computers Apple thinks I have authorized, so I can decide if it's safe to deauthorize them all or not.  I only know of 2 computers that have iTunes on them, so how can there be 5?  We also have 2 iPhones and 2 iPods in this family, but one of the iPhones has his own apple id.  He may have been using mine, since his computer died.  I read that those don't count as "computers" to the 5.  Do they, then?
  Help!  I can't contact apple because I have no idea what they mean about serial number.  I doubt they would help me anyway.  In order to get the serial number off my desktop computer (that has iTunes on it already), I will have to move furniture, so I don't want to if that's not it.  Is there some way to find the serial number in the software, either on my desktop or my iPhone?

  sunshinecowgill wrote:
  We have three operational computers, one does not have iTunes on it.  Since Apple is saying I have more than 5 authorized computers, and I can't imagine what they are, I am afraid to deauthorize all my computers.  See what I mean?  I just wanted to ask the question about how I can find out WHICH computers Apple thinks I have authorized, so I can decide if it's safe to deauthorize them all or not. 
  You could have more 5 computers authorized if you ever, for example, reformatted a hard drive or replaced a hard drive without deauthorizing the computer first. Apple's system would see that as a different computer, even though you don't. There's nothing to be afraid of in deauthorizing everything and the reauthorizing what you actually have. You won't lose any data. Mistimp is correct, they can't tell you which computers are authorized.