RAR - Rules Upload
Hi Experts,
From the RAR, I can see the default "Global" ruleset. I went to the Configuration tab, navigated to Rule Upload > Generare Rules, and clicked on the Foreground button, and I see a list of Risk Description, conflicting conflicts etc etc.
However, I did not want to use the Global ruleset, as I have a customized ruleset which addresses my client's SoD concerns very specifically. What I did first was to export the all components of the rules (as a backup) and then I navigated to the Rule Architect Tab, and manually deleted all the Risks, Functions, Rule Sets and Business Process (in that order).
I then proceeded to the Configuration tab > Rule Upload and uploaded the Business process, Function, Function Authorisation, Rule Set and Risk. No error messages encountered as I followed the Rule File Templates as per the configuration guide. But it also does not tell me if I was successful in importing those files. (so I assumed no error message = import successful)
However, when I navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, I was unable to see any list generated this time. I tried to export all the components of the rules (based on what I imported) to troubleshoot, and I found that the "function_permission.txt" and the "Risk_desc.txt" portions were missing from the exported textfile. However, all the other information from other text files are in that exported text file.
From initial analysis, this seems like the Function Authorisation and the Risk files may not have been imported successfully. Would like to know if anyone has encountered this problem and what actions should be taken to rectify it?
Thanks!
Hi Experts,
Thanks for your response.
I followed the Rule Set Template from the configuration guide to the letter.
Upon closer inspection of the contents in what I exported, I discovered that for the "function_action.txt" portion, the Tcodes of some of the business process were not found, for e.g.
Business Process FA may have tcodes under function action Tab, but business process IM seems to have no tcodes under the function action Tab. I suspect that during the import, certain business processes were not "picked up", whereas others were. It was a clean omission of tcodes from IM business process. Does the naming convention of business process follow some reserved words (i.e. financial accounting must be FA, procurement Must be PR etc to be same as the global ruleset)?
In addition, for those business process which have tcodes reflected in the function action Tab, I tried to click on the "+" to expand and see the objects, fields and values under the function permission Tab, but it cannot be expanded (i.e. blank).
Similar Messages
-
Hello,
I have a proof of concept project for GRC 5.3 implementation and have configured the GRC RAR as per the config Guide and the Rule upload was done accordingly. In the configrued system, I am seeing the GLOBAL Rule set and all the rules generated against it.
The real problem started when I started to load the custom Rule Files (BP,Functions.txt etc etc ) for all the custom rules we plan to use. I tried to load the custom Files from CONFIGURATION tab -> RULE UPLOAD.
- I am seeing some error messages and now I dont know if I have damaged the existing rules and need to fix the Global itself ?
- How do I bring in the customized Text Files for Rules ?
Thanks,
Farah
HERE IS A SNAPSHOT OF ERRORS :
Business process ID: AP00 cannot be deleted because a Function ID exists
Business process ID: BS00 cannot be deleted because a Risk ID exists
Business process ID: CA00 cannot be deleted because a Risk ID exists
Business process ID: CR00 cannot be deleted because a Function ID exists
Business process ID: EC00 cannot be deleted because a Function ID exists
Business process ID: FI00 cannot be deleted because a Risk ID exists
Business process ID: HR00 cannot be deleted because a Risk ID exists
Business process ID: MM00 cannot be deleted because a Risk ID exists
Business process ID: PM00 cannot be deleted because a Risk ID exists
Business process ID: PR00 cannot be deleted because a Risk ID exists
Business process ID: SD00 cannot be deleted because a Risk ID exists
Business process ID: SR00 cannot be deleted because a Function ID exists
Business process upload not complete due to above errorsHello Alpesh,
So if I am understanding it right, I should manually create a new Rulesset from the Rule Architect tab and for the decription call it custom
and then start uploading the Rules against it .
I will try it now and see if I can upload it without any errors or warning.
Thanks,
Farah -
My integrator is telling me that there is no way to complete a mass update to the authorizations/restrictions in our RAR rule set (AC 5.3.) That is, at the recommendation of our external auditor, we added additional transactions to existing rules but failed to activate the company code restrictions to ignore display only access and therefore, I am receiving a significant number of SODs which are false positives.
I find it hard to believe that there is no easy way to activate the company code authorization objects (and others) for the additional transactions in the rule set. The integrator is telling me that this has to be done one by one. Please tell me that there is an easier way.
Apologies if this is a repeat; if this topic is out there, could someone point me in the right direction?Thank you in advance!
Thank you in advance!Is there any easy way? Depends on what you think is easy
For mass updates to function I will typically use the: Configuration -> Rule Upload feature. To perform an update to an authorization object, you would use the 'Function Authorization' selection.
To upload the function you'd want to use the file formats from the 9 upload files SAP provides for the ruleset. If I recall correctly, function uploads will overwrite the existing function so it is important that your upload file contains all existing function data + the additional auth objects you want to activiate.
As with any text file manipulation and download/upload or export/import features into GRC you want to be particulary careful with formatting and attention to detail. Probably a good idea to take a backup of the rules if this is your first time working with the ruleset files. -
VIRSA Tables after Rules Upload
Hello,
While uploading rules and mitigations, I see in the log file that several VIRSA Tables get updated and populated.
Is there a way to run SQL Query in Debug mode, to see which columns of VIRSA Tables have been updated by uploading ruleset and mitigations?
Thanks,
ImranHi Varun,
Thank you very much. I have the following 4 queries.
If you do not have access to Debugger of RAR
1- I have the administrator password with full access to RAR, so is there a seperate Debugger of RAR, which I can access, other than the below URL that you have provided?
then go to the following URL
http://<SERVER>:<PORT>/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger
Here put in the query like following
select * from virsa_cc_busprc
this will return the data from business process table.
2a- So should I first (1) put the query like select * from virsa_cc_busprc and then (2) and then execute rules export, and then (3) mitigation export etc?
2b- Is there a way to make debugger on and off, just like you can make SQL Trace on and off?
Here is the list of some of the tables which get populated while rules upload
virsa_cc_busprc, virsa_cc_busprct, virsa_cc_func, virsa_cc_funct, virsa_cc_funcact, virsa_cc_risk, virsa_cc_riskrs, virsa_cc_riskt, virsa_cc_mituser, virsa_cc_mitrole, virsa_cc_mitgen
3- Is there any OSS Note or SDN Guide or URL, which provides the list of VIRSA tables and their significance?
4- The reason for asking this question 3, is I am trying to extract rules & mitigation from GRC AC 5.2 system through export of rules, mitigations etc., and then by using the GRC/ RAR Debugger, I want to format the data in the tables according to 5.3 tables requirements and then upload it into a different GRC AC 5.3 system).
Thank you very much in advance.
Thanks & Regards,
Imran -
Hello Gurus,
Would appreciate if anyone can let me know how to use the Upload SOD rules feature under SPRO>Access Control> Access Risk Analysis> SOD Rules> Upload SOD rules.
Here I am asked to upload the files for Business Process, Function, Permission, Risk etc. but not sure where can I get the format for these files? I need to append few new functions and their corresponding risks into an existing ruleset.
Many thanks in advance.Hello Vikas,
Thanks, have dropped you a mail for the files. Though I am not very sure I need them or whould I directly use the export functionality of my exixting SAP GRC 5.3 ruleset.
We have decided not go to for the Global Ruleset but use the custom one from GRc 5.3 (as we were using GRC 5.3 earlier) by importing the same. Thus I have the following questions on he rueset Migration:
1. How will I migrate existing Ruleset from 5.3 to 10.0 Development Box(using your files or I guess there is a functionality already in 5.3 to export the ruleset)? Can you please tell me how to Migrate this (which was actually my question)?
2. How will then I be able to Migrate the ruleset from GRC 10.0 Development Box to GRC 10.0 Quality Box?
Thanks. -
Need information on the new RAR Rule Architect/Rule Set functions
Does anyone have any information on the new 5.3 functions listed under Rule Architect/Rule Sets, specifically the Compare function?
My 5.3 Config manual mentions this area but doesn't describe anything about it. I have a request from our user group and need to determine if this can fit that request.
What they are looking for is an easy way to compare our RAR Rule Set with the latest SAP version (Q2 2010 is the most recent I believe). Just from the screen shots, it looks like we could maybe use the Rule Sets functions for that. Load the new SAP one into RAR as a separate ruleset and then run this Compare function. However I haven't been able to find any documentation on this function, so I don't know if it really does what we are looking for.
Thanks.Hi,
the error 'NullPointerException ' is very common error in GRC.
kindly search, you will find lots of threads and notes on thi.
check you permission TXT file. It contain null value some where.
especially check SD01 & SD02 tcodes.
Also open permission file in word and check all TAB's and ENTER's in technical view.
Regards,
Surpreet -
SAP GRC RAR Rules Generation Job Error - SP13 application
Hello,
we applied SP 13 on GRC and RAR Rule Generation job is always in "error" status; below I list an example of job log:
INFO: -
Scheduling Job =>237----
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
INFO: --- Starting Job ID:237 (RULE_GENERATION) - generate f113
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock lock
FINEST: Lock:1007
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 237 Status: Running
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
FINEST: --- @@@@@@@@@@@ Updating the Job History -
1@@Msg is generate f113 started :threadid: 1
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
INFO: -
Background Job History: job id=237, status=1, message=generate f113 started :threadid: 1
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.util.Lock unlock
FINEST: Unlock:1007
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob ruleGeneration
INFO: @@@--- Rule ruleGeneration Started ....237
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob run
WARNING: *** Job Exception: null
java.lang.NullPointerException
at com.virsa.cc.xsys.bg.BgJob.ruleGeneration(BgJob.java:1245)
at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:609)
at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:363)
at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:375)
at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:92)
at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:444)
at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1236)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:333)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob setStatus
INFO: Job ID: 237 Status: Error
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.BgJob updateJobHistory
FINEST: --- @@@@@@@@@@@ Updating the Job History -
2@@Msg is Error while executing the Job:null
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
INFO: -
Background Job History: job id=237, status=2, message=Error while executing the Job:null
Apr 4, 2011 1:36:12 PM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
INFO: -
Complted Job =>237----
Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
WARNING: It is used by the same owner: For current thread retrying to get lock : 1001
Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock lock
FINEST: Lock:1001
Apr 4, 2011 1:36:13 PM com.virsa.cc.xsys.util.Lock unlock
FINEST: Unlock:1001
Is there someone that can help me?
I checked and it seems that "Use NetWeaver Logical Lock" in config tab has to be set to "No"...is it correct for you or have you got other tips?
Thx to allHello,
actuallt current values are:
Row CNFGPARAM| CNFGSEQ| CNFGVALUE|
35 250 0 NO
36 251 0 YES
Value for 250 is ok based on your feedback.
Value for 251 is based on SNOTE 1508611, even if SDN forum suggests "0" against the note.
Have you got any tips? -
GRC-AC v5.3 SP11 -- RAR Rules for BI, GTS, SRM, XI, GRC-AC, SolMan
Hi!
Has SAP released RAR Rule sets for BI, GTS, SRM, XI, GRC-AC, or Solution Manager?
Let me know if anyone else has found them.
Thanks,
-johnHi John,
SRM rules have always been available. I have not seen rules for BI, GTS, XI, AC or SolMan. Would definitely want to see rules for XI, BI and SolMan.
Alpesh -
Hi Experts,
I encountered the following errors when I uploaded the text files in RAR:
1) Function Action and Function Permission text files - For input string: ""
2) Risk, Risk Description, Rule Set Mapping text files - Function FA01Hi,
As Sabita mentioned, files are corrupted. Get fresh set of files and try to upload.
Regards,
Alpesh -
Hi,
Our RAR Dev has two active connectors to SAP Dev as well as QA. We have uploaded a Rule Set for QA which is working fine. We can do a risk analysis and we get results. However we are struggling to get results for Dev. How do we go about uploading a test rule set for Dev?
Please assist.
Regards.Hi,
Thank you to you all. My problem is solved:)
The Master User Source was pointing to Dev and the Function action did have Dev and QA. I however reran a full sync on user, role, profile as well as batch analysis and that did the trick.
Thanks once again.
Regards. -
Experts,
I'm currently in the process of converting a legacy SoD rule-set (non SAP GRC AC) to the GRC AC 10.0 rule-set template. This is a tedious process of converting the legacy rule-set to the AC text files (Business Process, Function Action, Risks, etc.), but wanted to reach out to the group to see if there is a better way to perform this task.
Also, is it possible to get the templates for the text files to confirm my understanding of the text files.
Any help is greatly appreciated.
Thank you,
KunalDiego,
That is extremely helpful, thank you.
My next issue is when I try to upload the text files - I receive an error " Transferred codepage does not match the byte order mark"
I'm not sure which of the files is causing the issue. Do you know if there's a table where it will say the file and location? In 5.3 as you uploaded the files it would provide you with an error and a line number.
Any thoughts?
Thanks,
Kunal -
Hi guys,
I am facing an issue when trying to upload ruleset files in RAR 5.3. The default language for the tool was originally set to english and the upload worked fine with file format ANSI for all files. However, when we changed the language to Norwegian, special norwegian characters such as æ, ø, and å, where omitted. Because of that I changed the file format to:
1. All_Business_Processes - UTF-8
2. ALL_Functions - UTF-8
3. All_Function_BP - UTF-8
4. R3_function_action - ANSI
5. R3_function_permission - ANSI
6. ALL_Ruleset - ANSI
7. R3_risks - ANSI
8. R3_risk_desc - UTF-8
9. R3_Risk_Ruleset - ANSI
Uploading the risks (files 7 - 9) I get following error message:
Cannot assign a java.lang.String object of length 5 to host variable 13 which has JDBC type VARCHAR(4).
Risk-ID must contain 4 characters
I have double checked the Risk-ID field and it does not contain more than 4 characters for any risks. Despite this error message, all but 1 risks are created. The one missing is the one in the first row of the R3_risks file.
I hope somebody out there can help me with this issue.
Kind Regards
Arif ButtHi Imanol,
Thanks for the feedback. I already tried opening the files in different editors. That didnt help. I think the problems is in the R3_risk.txt file in which 3 of the risks are referring to a businessprocess (BP) containing a special character (ø). Thats why I changed the format of this file to UTF-8.
I am uploading the files in these formats:
1. All_Business_Processes - UTF-8
2. ALL_Functions - UTF-8
3. All_Function_BP - UTF-8
4. R3_function_action - ANSI
5. R3_function_permission - ANSI
6. ALL_Ruleset - ANSI
7. R3_risks - UTF-8
8. R3_risk_desc - UTF-8
9. R3_Risk_Ruleset - ANSI
10. SRM_risks - ANSI
11. SRM_risk_desc - UTF-8
12. SRM_Risk_Ruleset - ANSI
Uploading the same files for SRM does not give any error , but also here the first risk is skipped.
Regards
Arif -
RAR 5.3- Downloading ruleset from DEV RAR and uploading to PRD RAR
Hi ,
I am currently looking to implement RAR version 5.3 SP9. I will have a 2 tier landscape with a DEV and PRD GRC instance. We may not have the ruleset fully customised before we build PRD GRC. So after both RAR environments are built I may need to change the ruleset in DEV and then upload the changes to PRD. Is this possible in 5.3. Can I easily download the ruleset from DEV and import to PRD as many times as I want? Or do I need to delete the PRD ruleset each time and recreate it?
Thanks,
GaryHi Gary,
You should be able to export and import using the utilities functionality.
You may find it easier to delete the PRD one and upload the new one as a clean ruleset to prevent from data corruption.
Simon -
GRC AC RAR rules not picked up
Hello All,
I am new to GRC AC and we have a sandbox set up. When looking at SRM a user that has SAP_ALL and is set up in the Java stack for open access. When we run the RAR for this user there are a number of the standard rules that are not showing up. I can explain away the ones that are cross system (ECC and SRM because we have not yet set up the Cross System to look at both) however there are a number of rules that are strictly SRM that are not being picked up can anyone explain why?
Thanks
MKHello All,
I am new to GRC AC and we have a sandbox set up. When looking at SRM a user that has SAP_ALL and is set up in the Java stack for open access. When we run the RAR for this user there are a number of the standard rules that are not showing up. I can explain away the ones that are cross system (ECC and SRM because we have not yet set up the Cross System to look at both) however there are a number of rules that are strictly SRM that are not being picked up can anyone explain why?
Thanks
MK -
Blank values in RAR Rules - RAR (SAP GRC AC 5.3)
Hello,
We are working on the deployment of a GRC Access Control 5.3 system in a main customer and we have found next issues about AC 5.3:
When a rule with a Blank value in u201CValue Fromu201D and u201CValue Tou201D columns is set, RAR is not taking users with any u201CValue Fromu201D / u201C Value Tou201D for that rule. In fact we are seeing that only users with value: * in u201CValue Fromu201D column are taken. It doesnu2019t fit with the standard SAP practices. Could you confirm this issue? How could we set a rule for taking any value?
Rule Example:
Object: F_BKPF_BUK Field: ACTVT Value From: Value To: Condition: AND Status: ENABLE
User1 value:
Object: F_BKPF_BUK Field: ACTVT Value From: 4 Value To: (Itu2019s NOT taken)
User2 value:
Object: F_BKPF_BUK Field: ACTVT Value From: 5 Value To: (Itu2019s NOT taken)
User3 value:
Object: F_BKPF_BUK Field: ACTVT Value From: * Value To: (Itu2019s taken)
Best regards.You need to distinguish between the value in the authorization field of the object and the search pattern.
is only looking for the field name. It does not even care about the value.
Values '4' and '5' are not valid for F_BKPF_BUK (see table TACTZ) so unless you populate UST12-BIS (what you call "Value To:" then you won't get a result.
I faintly suspect that you are "cooking the books" at the file level, and are expecting the GRC system and possibly the ABAP system as well to use the same logic?
Can you explain what User1 + User2 are expected to achieve with these values.
The system does sometimes make DUMMY checks (see the ABAP key word documentation in transaction ABAPDOCU) but this is not the correct strategy to pass those checks in my opinion.
I also suspect that this is an "action" in the customer name space. Perhaps you are using an unreleased FM instead of a BOR object? See transaction BAPI for more infos and finding the correct BOR (Business Object Repository) so that your RAR is not confused by dodgey coding....
Cheers,
Julius
Maybe you are looking for
-
How to configure Redundant Internet Access on WIndows Server 2008 R2
I have a Windows Server 2008 R2 machine running in my basement. I have an application installed on it that calls a web service out on the open internet on a periodic timer. Everything works great until my ISP goes done. For redundancy I got a seco
-
Should I get an extended warranty for a T520?
I already have a 2 year warranty including my AMEX 1 year extended warranty. I heard that if something is going to go wrong, it will happen in the first two years. Lenovo has a 30% sale on extended warranties. I can get a three year for $80.00 A two
-
Updates to codecs for Quicktime Player
I want to update codecs used by QuickTime player 7. Do I just use the update feature in the program, or do i need to manually update the codecs online somewhere?
-
I cannot move icons to the home screen
Pardon me if this is old, but I cannot find it here via search. I'm new to iPhone, having had Windows phones, Palm, and others in the past. Just picked this up today. Slick. It even makes AT&T look better. Here's my question. I understand tap an
-
How to disable individual operations in a service in ALSB 3.0?
Hi all, We are using ALSB 3.0 for our service developments. we have WSDL based services. The service accesses different back ends in each of the operations. We would like to disable few operations in production when the back end is not available (bec