Multiple Rulesets in GRC AC 10

Hi All,
Would like some guidance regarding usage of multiple rule sets in GRC 10 AC. I have multiple rule sets and don't get any option to choose the specific rule set while doing risk analysis for some roles.
Do we have an option to configure one of the rule sets as the default one so that all the risk analysis is done against that rule set? As of now, while doing risk analysis I don't get an option to choose a specific rule set.
Would appreciate your guidance or any help on this.
Vikas

Hi,
> Would like some guidance regarding usage of multiple rule sets in GRC 10 AC. I have multiple rule sets and don't get any option to choose the specific rule set while doing risk analysis for some roles.
- Go via NWBC - Access Management - Access Risk Analysis - Role Analysis - select Analysis Criteria "Rule set".
> Do we have an option to configure one of the rule sets as the default one so that all the risk analysis is done against that rule set? As of now, while doing risk analysis I don't get an option to choose a specific rule set.
- Go to AC Configuration Setting and search for PARAM ID 1025.
Regards,
Andreas

Similar Messages

  • Upload of multiple rulesets

    Hello,
    I have created a logical system and defined rules according to the number of risks.
    I need a checklist of steps on how to upload multiple rulesets, with their associated risks, for different logical systems (which have been assigned to them).
    Any OSS Note or SDN how-to is highly appreciated.
    Thanks!

    This is a known problem with Internet Explorer 11, which Microsoft has been aware of since October 18 when they released their latest "untested" browser. The pages can't recognize the browser, so they don't recognize any of the plugins, like Flash Player. So far, Microsoft has made NO indication that they have any plan to fix it soon.
    Microsoft's recommendation is to use Compatibility View for affected pages, and "pretend" you're using a different browser. Trouble with that is it has seen limited success at best, and you have to individually enable it for EVERY page that has problems.
    I'm not big on "pretending" so I recommend actually using another browser.
    Firefox (from Mozilla)
    Opera (from Opera)
    Safari (from Apple)
    Chrome (from Google)
    ANY of those will work where IE11 won't, with the Flash Player Plug-in (For all other browsers), and Chrome doesn't even need that because it has its own Flash Player plugin built in.

  • Loading multiple rulesets?

    We've done a lot of work on CC5.1, starting with the standard ruleset, tweaking it to our requirements and getting it all approved. Then the NetWeaver system died (long story, not relevant here) and while installing its replacement we decided to upgrade to RAR 5.3 - we were planning to do that anyway sometime. I'd like to load both the standard 5.3 ruleset and our old, customised 5.1 ruleset so we can compare them but I don't see an easy way to do that. The "ruleset" concept in RAR is associated with the "risk" and the risk names need to be unique, so this means I need to rename the risks in either the old or new sets if I'm going to load both. I'm happy to take the text files and edit them to change names, but I don't see an obvious automatic renaming rule to apply. Being restricted to 4 characters isn't helping at all!
    Has anybody else ever done this? Is there an easy way I just haven't spotted yet? What am I missing?
    Thanks,
    Steve.

    > Amol Patil wrote:
    > Just ensure to use different naming convention for your customized risks than what SAP delivers.
    That's exactly the problem. My ruleset from 5.1 uses risk names that clash with the ruleset from 5.3, because most of them are the original SAP risks. We have only a few custom risks.
    It is easy enough to edit the text file to change the risk name, except that there're only 4 characters to use. If I could simply add "_51" or similar to the risk name, there'd be no problem. But with just 4-character names, how do I modify the old "B001" so it doesn't clash with the new "B001"? Doing this for one or two risks is OK, but for hundreds I'd want an automatic rule and I don't see an obvious rule, given that the risk names don't stick to the same pattern.
    This isn't a major problem, but I just think some more thought should have been put into the upgrade process. Surely people want to compare old and new rulesets, and not just stick to the one they started with years ago. An easy way of comparing rulesets would be a big help.
    Steve.
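
One way to produce the automatic renaming rule asked about in this thread, as an added example that is not part of the original posts or of any SAP tooling. It assumes risk IDs are exactly four characters from 0-9 and A-Z and that the export is tab-delimited with the risk ID in the first column; the function names, sample IDs and sample rows are constructed for illustration.

```python
import itertools
import string

# Assumption: risk IDs may use digits and upper-case letters only.
ALPHABET = string.digits + string.ascii_uppercase
ID_LEN = 4  # the 4-character limit described in the post


def build_rename_map(old_ids, new_ids):
    """Map each old risk ID that clashes with a new one to a free 4-char ID.

    The first character is kept (so B001 stays recognisably a 'B' risk) and
    the remaining three positions are taken from ZZZ downwards, skipping any
    ID already used in either ruleset or already handed out.
    """
    old_ids = list(old_ids)
    new_ids = set(new_ids)
    for rid in itertools.chain(old_ids, new_ids):
        if len(rid) != ID_LEN:
            raise ValueError(f"risk ID {rid!r} is not {ID_LEN} characters")

    taken = set(old_ids) | new_ids
    mapping = {}
    for rid in sorted(set(old_ids) & new_ids):
        for suffix in itertools.product(ALPHABET[::-1], repeat=ID_LEN - 1):
            candidate = rid[0] + "".join(suffix)
            if candidate not in taken:
                mapping[rid] = candidate
                taken.add(candidate)
                break
        else:
            raise RuntimeError(f"no free ID left with prefix {rid[0]!r}")
    return mapping


def rename_rows(lines, mapping, column=0, sep="\t"):
    """Apply the mapping to one column of delimited text rows.

    Run this with the same mapping over every file that references risk IDs,
    so that risks and the rows pointing at them stay consistent.
    """
    renamed = []
    for line in lines:
        fields = line.rstrip("\n").split(sep)
        if column < len(fields):
            fields[column] = mapping.get(fields[column], fields[column])
        renamed.append(sep.join(fields))
    return renamed


# Constructed sample data: three IDs clash, and BZZZ is already in use.
OLD_IDS = ["B001", "B002", "F010", "ZC01"]
NEW_IDS = ["B001", "B002", "F010", "BZZZ"]
OLD_ROWS = [
    "B001\tConstructed risk description\tHigh",
    "ZC01\tConstructed custom risk\tMedium",
]

if __name__ == "__main__":
    rename_map = build_rename_map(OLD_IDS, NEW_IDS)
    for old, new in sorted(rename_map.items()):
        print(f"{old} -> {new}")
    print("\n".join(rename_rows(OLD_ROWS, rename_map)))
```

Keep the printed old-to-new table with the upload files, since it is the only record of which renamed risk corresponds to which original one when the two rulesets are compared.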

  • How to upload Ruleset to GRC CC5.2

    Hello,
    How do I upload a ruleset to Compliance Calibrator 5.2?
    Thanks in advance
    Eric

    You can refer to the Compliance Calibrator 5.2 User Guide, page 176.
    In a nutshell, go to the administration tab, expand "Rule upload",
    then one by one, upload the provided text files that came with the install package.
    You upload the text files in the same order as the tree structure in the menu. Once they are all uploaded, click on the last link under "Rule upload" and generate the rules. Generate them in background.
    Have a nice day.

  • GRC RuleSet Upload for SAP 5.3

    All,
    As background, we are running SAP GRC version 5.3. When we initially installed SAP GRC, we created a ruleset "SAP Rule Set" based on SAP-provided functions and actions. Then we created one more ruleset for the client, named "GLOBAL". In the course of time we lost the SAP ruleset, as the Global ruleset was somehow copied to the SAP-provided ruleset.
    Now we need a fresh SAP ruleset for comparison with the customer ruleset "Global". We got the files from the SAP GRC folder.
    1) If we upload these files, will it overwrite all available rulesets in the system (the client-specific "Global" and the SAP ruleset), or do we have an option to upload to only one ruleset? We don't want the "Global" ruleset to be overwritten.
    2) Also, can you please tell me the steps we need to perform to get the SAP ruleset updated?
    Thanks ,
    Jerry George

    Hello Jerry,
    1) This point has been discussed so far in the forums, for example:
    Loading multiple rulesets?
    GRC AC Rule Sets
    2) There's no automatic procedure. Check here: Note 1604722:
    Customers that have implemented Risk Analysis and Remediation should have customized the ruleset to meet their business requirements. Therefore, changes to the SAP best practice ruleset cannot be systematically updated via SAINT as it would potentially overwrite this customization.
    However, customers may want to evaluate the changes incorporated into the most recent SAP ruleset to determine if the changes should be added to their own ruleset. Any modifications the customer desires to make will need to be manually made by the customer via the Rule Architect feature of access risk management. The configuration guides available on SAP Service Marketplace provide detailed instructions on how to update rules via the Rule Architect.
    Cheers,
    Diego.

  • One GRC connected to multiple R3

    Hi
    Need your expert opinion.
    I am implementing GRC for a customer with 10 R3 systems.
    We have to implement one instance of GRC connected to 10 R3 systems.
    Each of these R3 systems belongs to a Business Unit (10 different business units in all).
    Each of these business units is as good as an independent company, with its own business and IT processes, roles and users. (No user would have access to more than one R3 system.)
    Though many business processes and risks would be common amongst the business units, the risk owner would be different and so would be the mitigation process etc.
    In the above scenario I have the following choices:
    Choice one - Use Logical system
    This would have the least flexibility for the business unit to manage their risks, actions and permissions.
    Choice two - Physical systems
    Have a common risk ruleset and connect the 10 R3 systems as physical systems.
    In this case the risks would be common, so issues related to risk owner, mitigation etc. would remain. This would have limited flexibility. Also we may hit the 46000 rules limit.
    Choice three
    Have 10 rulesets (10 sets of risks/functions etc., one each for the business unit).
    Each business unit would have their individual risks and thereby greater control.
    I am inclined towards the last choice. My concern is that multiple rulesets/risks will lead to a greater number of rules, thereby affecting performance.
    There would be around 6000 users and around 30000 roles in all these 10 systems put together.
    Can somebody share their experience/expertise on this?
    Regards

    Hello,
    I would suggest using the Logical system and bundling all 10 systems into one logical system, so you will have to create and maintain only one set of rules. This will be very helpful in the long run, when you get into the prod support phase.
    Coming to your question on using mitigating controls for this approach: you can have multiple monitors for one mitigating control (please note that there will be only one Management Approver; I would assume it will be someone more at a central level for the entire business in your case). And on the third tab (Reports) in the mitigating control section, you can define a relationship between the systems and the concerned mitigating monitor. This way the mitigating monitor will receive reports only for their particular system.
    Note: This approach will only help if you have a common set of rules across the 10 systems.
    Hope this helps.
    - Naveen

  • "Global" Ruleset

    All,
    I wanted to get your opinion on building a "global" ruleset for multiple sites.
    Currently we are using the standard ruleset, customized to meet our needs. As we roll out AC (RAR) to other sites around the world we are wondering how to localize the ruleset. How do we account for smaller offices with fewer people? They will violate many SoD violations we currently have.
    Also, I know in CUP 5.2 SoD violation checks were run against the ruleset set as "default" in RAR. Is this still the case in 5.3? If so, how do you account for multiple rulesets?
    Thanks so much,
    Grace Rae

    > All,
    > I wanted to get your opinion on building a "global" ruleset for multiple sites.
    > Currently we are using the standard ruleset, customized to meet our needs. As we roll out AC (RAR) to other sites around the world we are wondering how to localize the ruleset. How do we account for smaller offices with fewer people? They will violate many SoD violations we currently have.
    One way of addressing this concern is to use Org rules and then run the jobs/analysis based on Org rules and the corresponding risks specific to that region.
    > Also, I know in CUP 5.2 SoD violation checks were run against the ruleset set as "default" in RAR. Is this still the case in 5.3? If so, how do you account for multiple rulesets?
    Unfortunately, it is still the same case. CUP picks up the ruleset that is set as "default" in RAR for analysis.
    Thanks
    Qalid

  • CC & AE Questions

    Hello Experts,
    I have some more interview questions on CC & AE; please answer these questions.
    1. What's the latest Support Pack for GRC 5.3? How does it differ from the previous one?
    2. What are the issues faced by you in ERM & CUP after go-live?
    3. Can we change single roles, objects & profile description through mass maintenance of roles? If yes, how?
    4. What are the prerequisites for creating a workflow for user provisioning?
    5. How will you control the GRC system if you have multiple rulesets activated?
    6. Can we view the changes of a role, happened in PFCG, through GRC?
    7. How will you mitigate a user against an authorization object which is decided as sensitive by Business?
    8. Give an example of SOD with object level control & also decide the risk implication from the technical standpoint.
    9. Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?
    10. What's the use of Detour path? How does Fork path differ from Detour path?
    11. How can you enable the self password reset facility in GRC?
    12. Can we have customized actions for creating request types in CUP?
    13. Which SOX rules got inherited in SAP GRC?
    14. How many types of background job are you familiar with? Why is the Role/Profile & User Sync. job required?
    15. Where can we change the default expiration time for mitigating controls? What's the default value for the same?
    16. How will you do the mass import of roles in GRC?
    17. Explain the total configuration & utility of SPM.
    18. Can we create Logical systems in GRC? If yes, how & what can be the advantages & disadvantages of the same?
    19. Can we have different sets of number ranges activated for request generation?
    20. Explain how we can create derived roles in ERM. What will be the significant changes in methodology for creating composite roles?
    21. Explain in detail how the different components of the Access Controls suite integrate with each other.
    22. Explain the key problem areas in implementation of RAR.
    Thanks
    karunakar

    Hi karunakar,
    here you can find a lot of documentation and links:
    http://www.sdn.sap.com/irj/bpx/bpx-grc
    Best,
    Frank

  • Rule Upload : GRC10

    Hello Gurus,
    Would appreciate if anyone can let me know how to use the Upload SOD rules feature under SPRO>Access Control> Access Risk Analysis> SOD Rules> Upload SOD rules.
    Here I am asked to upload the files for Business Process, Function, Permission, Risk etc. but not sure where can I get the format for these files? I need to append few new functions and their corresponding risks into an existing ruleset.
    Many thanks in advance.

    Hello Vikas,
    Thanks, have dropped you a mail for the files. Though I am not very sure whether I need them or should directly use the export functionality of my existing SAP GRC 5.3 ruleset.
    We have decided not to go for the Global Ruleset but to use the custom one from GRC 5.3 (as we were using GRC 5.3 earlier) by importing the same. Thus I have the following questions on the ruleset migration:
    1. How will I migrate the existing ruleset from 5.3 to the 10.0 Development Box (using your files, or I guess there is a functionality already in 5.3 to export the ruleset)? Can you please tell me how to migrate this (which was actually my question)?
    2. How will I then be able to migrate the ruleset from the GRC 10.0 Development Box to the GRC 10.0 Quality Box?
    Thanks.

  • Rules are not getting fired - urgent

    Hello
    I am a newbie to the oracle rules engine (10.1.3) and introducing the rules engine in our architecture.
    I have started to fire a simple rule but looks like the rules are not getting fired.
    Here is my code snippet: I am setting a value in the fact if another value is null.
    ==========
    RuleDictionary rDict = RuleFactory.getRuleDictionary(RadiusConstants.RADIUS_REPOSITORY, RadiusConstants.RADIUS_DICTIONARY, RadiusConstants.DICTIONARY_VERSION);
    RuleSession ruleSession = new RuleSession();
    ruleSession.executeRuleset(rDict.dataModelRL());
    ruleSession.executeRuleset(rDict.ruleSetRL(taskName));
    RuleMessage ruleMessage = new RuleMessage();
    ruleSession.callFunctionWithArgument("assert", moduleVo);
    ruleSession.callFunction("run");
    ruleSession.callFunctionWithArgument("assert", moduleVo);
    // ruleSession.callFunctionWithArgument("assert", moduleVo);
    System.out.println(" Module Status " + moduleVo.getStatus());
    ========
    Any help is greatly appreciated. I am not sure if I am missing something. I am using rule author to create the rules.
    I am asserting the fact in the rules engine. Here is the RL file generated from the rule author.
    ==================
    ruleset MODULE_CREATE
    {
      rule ModuleId_Null
      {
        priority = 0;
        if
        (
          (
            fact gov.sec.radius.admin.service.module.vo.ModuleVO v0_ModuleVO && (
            (v0_ModuleVO.moduleId == null)))
        )
        {
          v0_ModuleVO.status = "P";
          assert(v0_ModuleVO);
        }
      } // end rule ModuleId_Null
    } // end ruleset MODULE_CREATE
    =================
    thanks very much in advance
    Yugandhar

    You need to specify the ruleset or rulesets that should be run. If there is only one, you can do:
    ruleSession.callFunctionWithArgument("run", taskName);
    or
    ruleSession.callFunctionWithArgument("pushRuleset", taskName);
    ruleSession.callFunction("run");
    If there are multiple rulesets you want to run in order, then call pushRuleset in the stack order in which you want their actions executed.

  • Fact Not Found in Rule engine working memory

    I am using 11g, I have built a Business Rule, using RL facts, XML facts, Bucketsets and multiple Rulesets which internally has decision table and If-then rules. After deploying the same, Business rules runs successfully for some conditions and faults for some condition. The fault error for those failed conditions displays the following error:
    Fact not found in the rule engine working memory, rule session execution failed. The rule session bpel:<somenumber> failed because an instance of the fact <factname> could not be found in the working memory of the rule session. This is most likely a rule modeling error. The decision service interaction expects the fact instance to exist in the working memory of the rule session. Check the rule actions in rule designer and make sure that a fact of the expected type is being asserted. Contact oracle support if error is not fixable.
    It is weird because if it is a fault with respect to working memory then I would imagine it has to fail for all the conditions, as all the conditions assert the same Object. Has anyone faced the same issue or am I doing something wrong here?
    Venkat

    Ervan
    I deleted the RL facts that I had created and asserted the result to the Business Object; this seems to have taken care of this issue, but I am still not sure what was wrong in the way I build the rules using RL. Hope this helps.
    Venkat

  • CC 5.2 questions

    Hi,
    1.) We planned to create a local rule set for each project so that their reports would run against both the Global and their Local rule set. Someone recommended using only 1 Global rule set. Why is the 1 Global rule set recommended?
    2.) Do you recommend adding custom transactions for each project (project means: systemID) to existing SAP functions or creating a custom function for these custom transactions? What are advantages, disadvantages, consequences and implications for each approach?
    3.) We plan to connect 5 projects with 3 instances (development, test & projection) to each CC server. We're concerned that the limitation of 46K rules per risk may be a problem. Do you see this as a concern?
    4.) In future releases, can we download reports to .txt files in addition to .xls, due to the size limitations of .xls files?
    5.) Do you have any post installation Lessons Learned or Best Practices documentation available regarding CC 5.2?
    Thank you in advance,
    Jozsef

    Good day Jozsef
    1) This depends on how system-specific the rules would be. If risk definitions are the same for each system, having multiple rulesets would probably represent more maintenance in the end and the possibility of desynchronisation between the different systems (maintain the logic of a rule in one system and forget about one system, for instance).
    2.1 Where you add the custom-built transactions (and you should really add them to the ruleset so that the analysis covers the full scope of the system... auditors always look at those) depends on the actual functionality of the transaction. You should take some time to sit with business process owners and discuss the transactions. Pretty often you'll see custom transactions that only mimic standard tcodes, so you can group those easily. So far I would say that 90% of the custom stuff I have seen (if part of a standard business process) would fit in a standard function.
    2.2 If you create new functions, this also means that new risks will need to be defined depending on the control objectives...
    4) I do not know about this but I would also like to hear about it, because my current client is not satisfied with the standard reporting flexibility... I have heard about a BW cube for 5.2; anyone who has more info about this, please share! Also, any way we could just capture the spool file for the analysis from the server in a text format to reformat it elsewhere or load it to BW???
    Jay

  • Risk Descriptions in Japanese

    Hi Gurus:
    I uploaded my ruleset into GRC AC RAR 5.3, generated the rule job and followed the config guide.
    When I search for the functions and risks they appear in English.
    When I perform a risk analysis via the informer tab, the risk violations appear in Japanese.
    My question is - where is this pulling from? My ID in the UME has the default language set to EN.
    Please advise!
    Thanks,
    Grace Rae

    When working in any language other than EN (say DE), remember:
    - the user ID (XYZ) used in the JCO connection has default language DE in PFCG (default tab)
    - XYZ exists in UME also (maybe without any permission) and its default language in UME is also DE
    Regards,
    Surpreet

  • GRC 10: Initial password for multiple users creation in a ARQ request???

    Hi All,
    I was trying to create a request in ARQ for multiple users. I noticed that, I could add all the necessary required information for multiple users using the template. I added the roles as well. However, I could not set the initial password for multiple users as the tab "User System Details" (where the initial password is provided for a single user) is disabled!!!
    The users were successfully created in the R/3 system. However, due to non-availability of initial password, these users could not log into the R/3 system.
    May I know how to set the initial password for multiple users?
    Regards,
    faisal

    Vit,
    I was trying to test this multiple user creation scenario. But I am surprised to get a template wherein I have only the fields mentioned below:
    1. User Name
    2. User Id
    3. Email
    I filled these details and uploaded. Then filled the "User Access" details. While submitting the request, I got the error:
    "Last name is not mentioned for user id XXX"
    But there is no such column in the template provided by GRC!
    I added 2 columns: First Name and Last Name and saved it and uploaded again. These details are not picked up!
    Following are the only columns shown:
    1. User Name
    2. User Id
    3. Email
    4. Manager
    Out of above, only "Manager" field is editable and others are disabled.
    Last time, I remember, I had got the complete template with all the columns. Unfortunately, I have deleted it and it is not available with me now.
    Any idea you have why am I getting such incomplete template?
    Regards,
    faisal

  • GRC 10.0 Notifications in Multiple Languages

    Hello GRC Gurus,
    In my organization, we have a requirement to support the French language due to legal requirements in the Quebec province. This means that all notifications to users in the Quebec province will have to be delivered in French.
    I have researched this as far as:
    - French language has to be implemented as a prerequisite in SMLT
    - The standard notification templates will be available in French once the language pack is installed
    The issue I have here is:
    Can the notifications be sent to different sets of users in different languages? I see that one message class can only be associated with one document object. Is there a way to get around this to define who will get the notification in French and who will get it in English, probably based on USER GROUP or DEFAULT LANGUAGE?
    Of course, the message documents can be modified to present it in both English and French to make it easier, but in future if there are legal requirements in other countries it does not make sense to keep adding the message body in all the required languages.
    Can you please help?
    Regards,
    Prashant

    Hi Prashant,
    I was looking into a similar requirement and came to the early conclusion that GRC is not smart enough to handle multi language notifications.
    The reason why I say this is that whilst you can create multiple documents in SE61 in different languages, it looks like you can only create a single message class that gets aligned into MSMP, i.e no choice of multiple languages there.
    What I am unsure about (as I have never bothered to investigate it) is the "message number" column in the "Variables & Templates" section of MSMP. I am unsure if you can send a number of messages for the same template and message class.
    Also, I am unsure how GRC checks the user's logged in language and selects the document template.
    Have you considered having the content of the email contain dual languages? i.e. first paragraph in English, second in French etc?
