RAR. Rules (SoD) download

Dear colleagues!
I have an issue concerning SoD information. I need to download this information periodically as a backup. This is high-priority information which can be changed at any time, and we would like to get a number of files which can be loaded if any productive SoD information is damaged. I suppose that for our purpose we could use the Export tool (from RAR - Configuration tab - Utilities - Export), but which point is responsible for SoD, if it exists? If I can download the file, could it be manageable (could I apply manual corrections in the file directly)?
Keeping an eye on synchronisation between manual changes in RAR and in the function_action/permission files is impossible.
Any good thoughts will be appreciated.
We are on GRC 5.3 SP11

Hi Artem
No, it is not possible for the ruleset to download a copy of the upload files; you only download a database table dump via the export functionality.
I suggest that you read SAP Notes 1223759, 1225227, 1330165, 1332959 & 1373465, before you start to maintain off-line files.  They are very important and will stop you making serious errors in your off-line file.
And remember as stated earlier one space in the wrong place can ruin your entire day as you try to find it in the upload files.
A common mistake I always see when somebody else is changing the files in EXCEL is that they do not IMPORT the file from the EXCEL menus and do NOT change the fields that are imported to TEXT format from the general format that is suggested by EXCEL. If you do not do this then all the leading 0's will be removed, i.e. 01 becomes 1, and your rules no longer work!
Good Luck
Simon
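
The two failure modes Simon describes (a stray space, and leading zeros stripped by Excel) can be checked on an edited file before it is uploaded. The following is an added example, not part of the original thread or of SAP's tooling; the column layout, sample rows and function names are constructed assumptions, and the zero check assumes the edited file keeps the same row order as the backup.

```python
def lint_rule_file(text, expected_cols):
    """Return (line_no, message) findings for a tab-delimited rule file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            findings.append((no, "blank line"))
            continue
        fields = raw.split("\t")
        if len(fields) != expected_cols:
            findings.append(
                (no, f"expected {expected_cols} fields, found {len(fields)}"))
        for idx, field in enumerate(fields, start=1):
            # Empty fields are allowed (e.g. an unused "Value To");
            # a field that is padded or contains only spaces is not.
            if field != field.strip():
                findings.append(
                    (no, f"field {idx} has stray whitespace: {field!r}"))
    return findings


def lost_leading_zeros(backup_text, edited_text):
    """Compare an edited file with its backup, row by row, and return
    (line_no, field_no, old, new) where a numeric value lost leading zeros."""
    findings = []
    rows = zip(backup_text.splitlines(), edited_text.splitlines())
    for no, (old_row, new_row) in enumerate(rows, start=1):
        pairs = zip(old_row.split("\t"), new_row.split("\t"))
        for idx, (old, new) in enumerate(pairs, start=1):
            if (old != new and old.isdigit() and new.isdigit()
                    and int(old) == int(new) and len(new) < len(old)):
                findings.append((no, idx, old, new))
    return findings


# Constructed sample data. Assumed layout (8 columns):
# function, action, object, field, value from, value to, condition, status
BACKUP = "\n".join([
    "ZF01\tFB01\tF_BKPF_BUK\tACTVT\t01\t03\tAND\tENABLE",
    "ZF01\tFB01\tF_BKPF_BUK\tBUKRS\t*\t\tAND\tENABLE",
    "ZF02\tF110\tF_REGU_BUK\tFBTCH\t02\t\tAND\tENABLE",
])

# The same file after a careless spreadsheet edit (constructed):
# row 1 lost its leading zeros, row 2 gained a trailing space,
# row 3 lost a tab and is one field short.
EDITED = "\n".join([
    "ZF01\tFB01\tF_BKPF_BUK\tACTVT\t1\t3\tAND\tENABLE",
    "ZF01\tFB01\tF_BKPF_BUK \tBUKRS\t*\t\tAND\tENABLE",
    "ZF02\tF110\tF_REGU_BUK\tFBTCH\t02\tAND\tENABLE",
])

if __name__ == "__main__":
    for line_no, message in lint_rule_file(EDITED, expected_cols=8):
        print(f"line {line_no}: {message}")
    for line_no, field_no, old, new in lost_leading_zeros(BACKUP, EDITED):
        print(f"line {line_no}, field {field_no}: {old!r} became {new!r}")
```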

Similar Messages

  • Mass RAR Rule Set Changes

    My integrator is telling me that there is no way to complete a mass update to the authorizations/restrictions in our RAR rule set (AC 5.3.)  That is, at the recommendation of our external auditor, we added additional transactions to existing rules but failed to activate the company code restrictions to ignore display only access and therefore, I am receiving a significant number of SODs which are false positives. 
    I find it hard to believe that there is no easy way to activate the company code authorization objects (and others) for the additional transactions in the rule set.  The integrator is telling me that this has to be done one by one.  Please tell me that there is an easier way.
    Apologies if this is a repeat; if this topic is out there, could someone point me in the right direction?
    Thank you in advance!

    Is there any easy way? Depends on what you think is easy.
    For mass updates to functions I will typically use the Configuration -> Rule Upload feature. To perform an update to an authorization object, you would use the 'Function Authorization' selection.
    To upload the function you'd want to use the file formats from the 9 upload files SAP provides for the ruleset. If I recall correctly, function uploads will overwrite the existing function, so it is important that your upload file contains all existing function data + the additional auth objects you want to activate.
    As with any text file manipulation and download/upload or export/import features in GRC, you want to be particularly careful with formatting and attention to detail. Probably a good idea to take a backup of the rules if this is your first time working with the ruleset files.

  • Need information on the new RAR Rule Architect/Rule Set functions

    Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
    My 5.3 Config manual mentions this area but doesn't describe anything about it.  I have a request from our user group and need to determine if this can fit that request.
    What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe).  Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that.  Load the new SAP one into RAR as a separate ruleset and then run this Compare function.  However I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
    Thanks.

    Hi,
    The error 'NullPointerException' is a very common error in GRC.
    Kindly search, you will find lots of threads and notes on this.
    Check your permission TXT file. It contains a null value somewhere.
    Especially check the SD01 & SD02 tcodes.
    Also open the permission file in Word and check all TABs and ENTERs in technical view.
    Regards,
    Surpreet

  • SAP GRC RAR Rules Generation Job Error - SP13 application

    Hello,
    we applied SP 13 on GRC and RAR Rule Generation job is always in "error" status; below I list an example of job log:
    INFO: -
    Scheduling Job =>237----
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
    INFO: --- Starting Job ID:237 (RULE_GENERATION) - generate f113
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1007
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 237 Status: Running
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    1@@Msg is generate f113 started :threadid: 1
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=237, status=1, message=generate f113 started :threadid: 1
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1007
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob ruleGeneration
    INFO: @@@--- Rule ruleGeneration Started ....237
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
    WARNING: *** Job Exception: null
    java.lang.NullPointerException
         at com.virsa.cc.xsys.bg.BgJob.ruleGeneration(BgJob.java:1245)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:609)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:363)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 237 Status: Error
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    2@@Msg is Error while executing the Job:null
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=237, status=2, message=Error while executing the Job:null
    Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>237----
    Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
    WARNING: It is used by the same owner: For current thread retrying to get lock : 1001
    Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
    FINEST: Lock:1001
    Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock unlock
    FINEST: Unlock:1001
    Is there someone that can help me?
    I checked and it seems that "Use NetWeaver Logical Lock" in config tab has to be set to "No"...is it correct for you or have you got other tips?
    Thx to all

    Hello,
    actually the current values are:
    Row | CNFGPARAM | CNFGSEQ | CNFGVALUE
    35 | 250 | 0 | NO
    36 | 251 | 0 | YES
    Value for 250 is ok based on your feedback.
    Value for 251 is based on SNOTE 1508611, even if the SDN forum suggests "0" against the note.
    Have you got any tips?

  • GRC-AC v5.3 SP11 -- RAR Rules for BI, GTS, SRM, XI, GRC-AC, SolMan

    Hi!
    Has SAP released RAR Rule sets for BI, GTS, SRM, XI, GRC-AC, or Solution Manager?
    Let me know if anyone else has found them.
    Thanks,
    -john

    Hi John,
       SRM rules have always been available. I have not seen rules for BI, GTS, XI, AC or SolMan. Would definitely want to see rules for XI, BI and SolMan.
    Alpesh

  • SoD rule set Download issue

    Hi All,
    While downloading the SoD rule set (Global), I am not getting the data for Function-Action and Function-Permission; apart from these, the rest of the data is coming through.
    But I can see these data in the tables GRACFUNCACT and GRACFUNCPRM.
    So obviously we can't have these data exported from the tables and converted into .txt format to upload the SoD rules.
    GRCFND_A is at SP14.
    Please help in getting this issue resolved.
    Thanks,
    Ameet

    Hi Ameet,
    You have to reactivate it each time you install a SP in order to get the updates.
    If you develop your own SoD ruleset you won't use the SAP standard functions and risks, so reactivating the BC Set won't cause any problem.
    If you change the standard functions and risks (which is wrong), such changes will be overwritten when you reactivate the BC Set.
    After reactivating the BC Set you'll be able to download SoD rules from the logical system SAP_R3_LG.
    Cheers,
    Diego.

  • RAR - Rules Upload

    Hi Experts,
    From the RAR, I can see the default "Global" ruleset. I went to the Configuration tab, navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, and I see a list of Risk Description, conflicting conflicts etc etc.
    However, I did not want to use the Global ruleset, as I have a customized ruleset which addresses my client's SoD concerns very specifically. What I did first was to export all the components of the rules (as a backup) and then I navigated to the Rule Architect Tab, and manually deleted all the Risks, Functions, Rule Sets and Business Process (in that order).
    I then proceeded to the Configuration tab > Rule Upload and uploaded the Business process, Function, Function Authorisation, Rule Set and Risk. No error messages encountered as I followed the Rule File Templates as per the configuration guide. But it also does not tell me if I was successful in importing those files. (so I assumed no error message = import successful)
    However, when I navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, I was unable to see any list generated this time. I tried to export all the components of the rules (based on what I imported) to troubleshoot, and I found that the "function_permission.txt" and the "Risk_desc.txt" portions were missing from the exported textfile. However, all the other information from other text files are in that exported text file.
    From initial analysis, this seems like the Function Authorisation and the Risk files may not have been imported successfully. Would like to know if anyone has encountered this problem and what actions should be taken to rectify it?
    Thanks!

    Hi Experts,
    Thanks for your response.
    I followed the Rule Set Template from the configuration guide to the letter.
    Upon closer inspection of the contents in what I exported, I discovered that for the "function_action.txt" portion, the Tcodes of some of the business process were not found, for e.g.
    Business Process FA may have tcodes under function action Tab, but business process IM seems to have no tcodes under the function action Tab. I suspect that during the import, certain business processes were not "picked up", whereas others were. It was a clean omission of tcodes from IM business process. Does the naming convention of business process follow some reserved words (i.e. financial accounting must be FA, procurement Must be PR etc to be same as the global ruleset)?
    In addition, for those business process which have tcodes reflected in the function action Tab, I tried to click on the "+" to expand and see the objects, fields and values under the function permission Tab, but it cannot be expanded (i.e. blank).

  • How to Open a rar file with downloaded software

    I was bothering this forum yesterday trying to find some way to get a file opened that I had downloaded. Today I discovered that my problem was that "rar" files need their own software to enable them to be opened....So I downloaded the software UnRarX...and it is now sitting on the bottom of my desktop...but I can not get the software into the Applications folder, and so I can not figure out how to use this little package of software to open my "rar" files...
    What do I have to do to open my files with this new software???
    Thanks..
    Miguel

    Hi,
    The UnRarX application should be accessible from your Dock after installing the software. The application icon looks like this:
    "How to extract a rar archive?"
    1. Launch UnRarX.
    2. Drag rar archive into the UnRarX window.
    3. Extraction begins automatically.
    Carolyn

  • RAR 5.3- Downloading ruleset from DEV RAR and uploading to PRD RAR

    Hi ,
    I am currently looking to implement RAR version 5.3 SP9. I will have a 2 tier landscape with a DEV and PRD GRC instance. We may not have the ruleset fully customised before we build PRD GRC. So after both RAR environments are built I may need to change the ruleset in DEV and then upload the changes to PRD. Is this possible in 5.3. Can I easily download the ruleset from DEV and import to PRD as many times as I want? Or do I need to delete the PRD ruleset each time and recreate it?
    Thanks,
    Gary

    Hi Gary,
    You should be able to export and import using the utilities functionality.
    You may find it easier to delete the PRD one and upload the new one as a clean ruleset to prevent from data corruption.
    Simon

  • GRC AC RAR rules not picked up

    Hello All,
    I am new to GRC AC and we have a sandbox set up.  When looking at SRM a user that has SAP_ALL and is set up in the Java stack for open access.  When we run the RAR for this user there are a number of the standard rules that are not showing up.  I can explain away the ones that are cross system (ECC and SRM because we have not yet set up the Cross System to look at both) however there are a number of rules that are strictly SRM that are not being picked up can anyone explain why?
    Thanks
    MK

  • Blank values in RAR Rules - RAR (SAP GRC AC 5.3)

    Hello,
    We are working on the deployment of a GRC Access Control 5.3 system in a main customer and we have found the following issues about AC 5.3:
    When a rule with a blank value in the "Value From" and "Value To" columns is set, RAR is not taking users with any "Value From" / "Value To" for that rule. In fact we are seeing that only users with value: * in the "Value From" column are taken. It doesn't fit with the standard SAP practices. Could you confirm this issue? How could we set a rule for taking any value?
    Rule Example:
    Object: F_BKPF_BUK   Field: ACTVT    Value From:      Value To:         Condition: AND            Status: ENABLE
    User1 value:
    Object: F_BKPF_BUK   Field: ACTVT    Value From: 4   Value To:         (It's NOT taken)
    User2 value:
    Object: F_BKPF_BUK   Field: ACTVT    Value From: 5   Value To:         (It's NOT taken)
    User3 value:
    Object: F_BKPF_BUK   Field: ACTVT    Value From: *   Value To:         (It's taken)
    Best regards.

    You need to distinguish between the value in the authorization field of the object and the search pattern.
    is only looking for the field name. It does not even care about the value.
    Values '4' and '5' are not valid for F_BKPF_BUK (see table TACTZ), so unless you populate UST12-BIS (what you call "Value To:") you won't get a result.
    I faintly suspect that you are "cooking the books" at the file level, and are expecting the GRC system and possibly the ABAP system as well to use the same logic?
    Can you explain what User1 + User2 are expected to achieve with these values.
    The system does sometimes make DUMMY checks (see the ABAP key word documentation in transaction ABAPDOCU) but this is not the correct strategy to pass those checks in my opinion.
    I also suspect that this is an "action" in the customer name space. Perhaps you are using an unreleased FM instead of a BOR object? See transaction BAPI for more info and for finding the correct BOR (Business Object Repository) object, so that your RAR is not confused by dodgy coding....
    Cheers,
    Julius

  • GRC RAR -Rules Updates

    Hello All,
    Q1- How we add one new physical system to the Rules (how we generate same rules for the new physical system), Please let me know the steps
    Q2-In my current RAR System rules are generated on the basis of physical system, now I want to import same rule to New RAR System and generate rules for the logical system, Please let me know which steps I need to follow.
    Thanks in advance.
    Jagat

    Hi Jagat,
    guessing you are talking about AC 5.3.
    Q1: Under configuration generate the rules after you added the system
    Q2: Use import/export function under configuration.
    Both described in the config guide.
    Best,
    Frank

  • RAR Rules - DEV and QA

    Hi,
    Our RAR Dev has two active connectors to SAP Dev as well as QA. We have uploaded a Rule Set for QA which is working fine. We can do a risk analysis and we get results. However we are struggling to get results for Dev. How do we go about uploading a test rule set for Dev?
    Please assist.
    Regards.

    Hi,
    Thank you to you all.  My problem is solved:)
    The Master User Source was pointing to Dev and the Function action did have Dev and QA. I however reran a full sync on user, role, profile as well as batch analysis and that did the trick.
    Thanks once again.
    Regards.

  • CC / RAR Rule Set Build

    We had a rule set built in Compliance Calibrator 5.2 by a vendor during implementation.  We have over 700 rules and now know that there are too many rules in our rule set. 
    Can any of you tell me the best way to build a rule set?  How many rules do most people have in their rule set?  Is there a best practice out there somewhere to do this?

    Hi Greg,
        You will have to understand relationship between rule, risk, business process, function, transaction and permission to build a rule from scratch. If you need to build one or two rules, you can just go through CC and do it. If you want to build large set of rules then you will have to create text files for risks, functions, rules etc. I will recommend you go through the config guide for CC 5.2 or 5.3 and see how rules are being built.
    There is no straight answer on the number of rules. The number of rules you need will depend on industry, company size, location, rules and regulations to follow, company structure etc. Best practice rules come with the installation and you can always get them from SAP. The best practice ruleset contains around 40,000 action and permission rules.
    Regards,
    Alpesh
    SAP GRC Manager (PwC)

  • RAR: Global Rule set

    Hi,
    I am wondering if the latest global rule set contains the tcodes, authorization objects and values based on the latest version of SAP? If yes, can this global rule set be applicable for SAP version 4.7 ?
    Thanks,
    Debbie

    Hello Rajesh,
    Hope this information from SAP helps you.
    RAR Rule Update - Documentation
    It is not possible to programmatically send out updates to the default ruleset (i.e. via transports or STMS).
    This is because rule uploads only overwrite and not append. As every company should have made changes to their ruleset, SAP cannot send out rule updates as this would overwrite the customization done by each company.
    Since the SAP acquisition of Virsa, there have been seven updates to the supplied ruleset which are described in detail in the SAP notes below.
    1061380 - Q2 2006
    1035070 - Q1 2007
    1083611 - Q3 2007
    1173980 - Q2 2008
    1326497 - Q2 2009
    1446680 - Q2 2010
    1604722 - Q3 2011
    These notes provide a company a detailed Word document that summarizes the changes made. 
    The company must go through these changes to evaluate if they agree with the SAP supplied change. 
    If they agree, the company will have to make the change manually via the Rule Architect.
    To get more details, please refer to note#986996
    Regards,
    Renuka
