RAR: Global Rule set

Similar Messages

• RA&R rules 5.3 changes compared to standard global rule set

  Good day,
  Please can someone assist me. I need to compare a clients customised rule set to the standard rule set, and document where changes have been made. (There is no log of the changes) A client has made modifications to the rule set, we are not sure if these modifications were valid, so we need to compare these to the standard rule set. The problem is that the client has modified the "GLOBAL" rule set, so I do not have a base rule set to work from. I have looked at the initial upload files, but they are not easily compared with the  current production rule set. Does anyone have any solutions as to how this could be achieved?
  Thank you and Kind Regards
  Jill

  Hi ,
  How the client has modified the GLOBAL Rule Set in RAR, are they just dectivated the risk from the global rule set? or deleted the risks peminately.
  if they dectivated the Risks in GLOBAL Rule set, just download the Rules through utilities(Cofiguration) and check the values which are having the '0' (ZERO) values, those risks only deactivated. it is the better process to sagarigate rule set.
  Regards,
  Arjuna.

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• Error while uploading standard text files for the Global rule set

  Hi all,
  As part of Post Installation Activities we have uploaded standard text files for business process, functions, risks and rule set obtained with the installable Software.
  While uploading the text files we have uploaded the Basis Functions Authorizations first and then R/3 text files.
  When we checked no actions are appearing in the rule architect under respective functions except for the BASIS Module.
  Is this because we have uploaded the Basis functions before the R/3 text files?If yes, how to replace the Basis with the R/3 ones.
  We tried to replace the Basis function authorizations by re-uploading the R/3 text files again but we got the below error message u201CORA-00001:unique constraint (SAPSR3DB.SYS_C004479) violatedu201D
  Can somebody please help in this regard how to get the standard rule set in our system?
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you should upload first the static text files and the authorization objects first and then the GRC standard rule set files following the instructions of the SAP Configuration Guide available in Service Market Place under http://service.sap.com/instguides .
  The GRC standard rule set contains files named Basis_functions_action.txt and R3_function_action.txt. The first one contains ONLY function definitions in terms of transcation codes for basis only, whereas the second one contains functions definition for basis AND ERP modules. The same holds for the *_function_permission.txt files. There are also function definition files for other SAP solutions such as APO, CRM, HR  etc.
  You can open a customer message and request a deletion script for the rule sets files you have uploaded already. After their application of this script all rule set data will be deleted from your database. If you have uploaded static text and authorization files correctly, you can then upload the GRC standard rule set files as needed again.
  best regards,
  Frank

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• Downloading a single rule set out of N rule sets.

  HI All,
  We have defined 4 Rule sets for one particular system. Out of these one is the global rule set. Now, my requirement is to have oe more rule set, with 80% rules from global and then add the rest 20% myself. Would like to know if there is any way we can achieve this efficiently, other than creating manually all the 80% rules from GLOBAL rule set.
  Thanks a lot in advance.
  Regards,
  Hersh

  HI Jose,
  Well what you guided was perfectly fine an true in case of making changes to GLOBAL rule set. But any idea how we can make a new rule set out of the custom rule set i have already made.
  I have , in all 4 rule sets present at the moment in GRC - GLOBAL, CUST -1,2 and 3. Now, my requirement is to have a copy of CUST1 into new rule set CUST4, and I manually later on need to update CUST4 for some more risks in it. The problem i am facing is whenever i download the existing rule sets, it is not giving me an option to download just CUST1, but all of four rule sets get downloaded together. Whereas, i need just a copy of CUST1. Any ideas on this?
  Regards,
  Hersh.

• Need information on the new RAR Rule Architect/Rule Set functions

  Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
  My 5.3 Config manual mentions this area but doesn't describe anything about it.  I have a request from our user group and need to determine if this can fit that request.
  What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe).  Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that.  Load the new SAP one into RAR as a separate ruleset and then run this Compare function.  However I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
  Thanks.

  Hi,
  the error 'NullPointerException ' is very common error in GRC.
  kindly search, you will find lots of threads and notes on thi.
  check you permission TXT file. It contain null value some where.
  especially check SD01 & SD02 tcodes.
  Also open permission file in word and check all TAB's and ENTER's in technical view.
  Regards,
  Surpreet

• CC / RAR 5.2 - Multiple Rule Set Question

  How does the system handle the use of multiple rule sets in CC / RAR 5.2?
  For example, letu2019s say I want to keep a standard SAP rule set in tact to use for testing and comparison in RAR, but I also want to load another one.
  I realize that only 1 can be the u201CDEFAULTu201D so what does that mean?  I know that a risk analysis is only run against the rule set you set as default.  I also know that you can select the rule set to use in processing when you manually run either through Informer or Configuration tab a risk analysis.  What I am really concerned with is what happens if you take the results to u201Cmanagement reportsu201D from 2 different rule sets?
  First, can you even do it?
  Second, if you can, then I think you must have to come up with a different RISKID configuration schema for each rule set otherwise, I do not see how you can differentiate from which rule set the violation is generated.  That said, you will also need to export the report information into Excel and make any u201Crule set sortu201D there as I donu2019t see a way to do it directly in RARu2026.maybe a future improvement?
  Can anyone confirm the impact of multiple rule sets and how you manage them?
  Regards,
  Greg

  Greg,
  You can maintain the different severity levels for different Rule Sets. For example, in one Rule Set you can keep the "Critical" Risks and in other you can keep "High", "Medium" & "Low". Run your analysis against first Rule Set if you want to know the "Critical" Risks and second Rule set you can use for rest of the severity levels. I hope this way you can manage your multiple Rule Sets in RAR.
  Thanks,
  Tavi
  SAP Security & GRC Consultant.

• Check in Similar not populating custom metadata value set by global rule

  I have created a global rule to set the default value for custom metadata field creation date as current system date.This rule is working fine for normal check in but when i am using check in similar functionality of ucm the creation date value is getting populated from original content metadata value instead of default value set by rule.Is there any way to populate creation date as default value set by rule even in the check in similar function.
  Thanks in advance!!!
  Edited by: 906120 on Jan 5, 2012 4:42 AM

  Check-in similar does not evaluate scripts in the "use defaultvalue" field, as it has to copy metadata values. However, you can add script to the "Is derived field" as well. Just don't use dprDefaultValue but dprDerivedValue=
  This script will be evaluated before check-in operation and any value contained in the metadata field will be overwritten with value defined by script.
  Regards,
  Boris

• Mass RAR Rule Set Changes

  My integrator is telling me that there is no way to complete a mass update to the authorizations/restrictions in our RAR rule set (AC 5.3.)  That is, at the recommendation of our external auditor, we added additional transactions to existing rules but failed to activate the company code restrictions to ignore display only access and therefore, I am receiving a significant number of SODs which are false positives. 
  I find it hard to believe that there is no easy way to activate the company code authorization objects (and others) for the additional transactions in the rule set.  The integrator is telling me that this has to be done one by one.  Please tell me that there is an easier way.
  Apologies if this is a repeat; if this topic is out there, could someone point me in the right direction?Thank you in advance!
  Thank you in advance!

  Is there any easy way?  Depends on what you think is easy  
  For mass updates to function I will typically use the:  Configuration -> Rule Upload  feature.  To perform an update to an authorization object, you would use the 'Function Authorization' selection.
  To upload the function you'd want to use the file formats from the 9 upload files SAP provides for the ruleset.  If I recall correctly, function uploads will overwrite the existing function so it is important that your upload file contains all existing function data + the additional auth objects you want to activiate. 
  As with any text file manipulation and download/upload or export/import features into GRC you want to be particulary careful with formatting and attention to detail.  Probably a good idea to take a backup of the rules if this is your first time working with the ruleset files.

• CC / RAR Rule Set Build

  We had a rule set built in Compliance Calibrator 5.2 by a vendor during implementation.  We have over 700 rules and now know that there are too many rules in our rule set. 
  Can any of you tell me the best way to build a rule set?  How many rules do most people have in their rule set?  Is there a best practice out there somewhere to do this?

  Hi Greg,
      You will have to understand relationship between rule, risk, business process, function, transaction and permission to build a rule from scratch. If you need to build one or two rules, you can just go through CC and do it. If you want to build large set of rules then you will have to create text files for risks, functions, rules etc. I will recommend you go through the config guide for CC 5.2 or 5.3 and see how rules are being built.
  There is no straight answer on the number of rules. The number rules you need will depend on industry, company size, location, rules and regulations to follow, company structure etc. Best practice rules come with the installation and you can always get them from SAP. Best practice ruleset contains around 40,000 action and permission rules.
  Regards,
  Alpesh
  SAP GRC Manager (PwC)

• Access to update the GRC rule set is limited

  Hello - What is the process (tcode) to see who has access to update the GRC rule set?
  Thanks!

  Hi Sam,
     What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
  The process to change a rule set is as below:
  1) Creats Function
  2) Create risk
  3) Create Rule
  Regards,
  Alpesh

• Multiple GRC rule set update

  we are having a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definition to be loaded in GRC. If we try to upload rule set B risks and functions via Upload function in GRC, would it overwrite the rule set A, or not.Just wanted to confirm whether existing rule set A would be affected or not, due to upload of rule set B.

  Hey Alpesh,
  Sorry, I haven't understand it correct. This is a question that will always be asked in the train.
  You wrote:
  "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
  Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
  What's about with the ALL.txt files, do I have to change/upload them as well again?
  Thanks for feedback,
  alwaly a pleasure!
  Greets
  Martin

• SoD rule set Download issue

  Hi All,
  While downloading the SoD rule set (Global), I am not getting the data for Function-Action and Function-Permission, except these, rest of the data are coming.
  But, I can get to see these data under tables: GRACFUNCACT and GRACFUNCPRM.
  so obviously we can't have these data exported from table and to get converted into .txt format to upload SoD.
  GRCFND_A is at SP14.
  Please help in getting this issue resolved.
  Thanks,
  Ameet

  Hi Ameet,
  You have to reactivate it each time you install a SP in order to get the updates.
  If you develelop your own SoD ruleset you wont use the SAP standard functions and risk, so reactivate the BC Set wont cause any problem.
  If you change the standard functions and risks (which is wrong) such changes will be overwritten when reactivate the BC Set.
  After reactivating the BC set you'll be able to download SoD rules fom the logical system SAP_R3_LG.
  Cheers,
  Diego.

• Rule set Version

  Hi ,
    How to find out , rules set version a particular RAR( CC) system have , If a logged into RAR( Or CC) of some one else system,
  To be specific I wanted to know which Rule Set Version?( Rules)  they are using (Like Q1 2007 , Q3 2007, Q2 2008 or Q2 2009 Rule Update etc) irrespective of application version they are using ( Like 5.1 ,5.2 or 5.3 ) .
  Thanks & Regards
  Uma Shankar T

  Hi Uma,
  The ruleset versions are normally shipped as part of support packs.
  However, you would only normally implement the ruleset version when doing a clean implementation as uploading a completely new version could overwrite any changes which you have made for your own organisation.
  I do not know of any technical settings to identify exactly which version was uploaded into the system as the ruleset is shipped as a data file.
  You can track the released versions via the SAP Notes though.
  Simon