Rule Set tables

Similar Messages

• Tables for rule sets

  Hi,
  Can you provide me the tables used for rule sets, activities, task etc in EM

  Hi Dipak,
  Below are the EM tables requested.
  Regards,
  Jonathan Hansen
  /SAPTRX/ACTIVITY – Activity Header Table
  /SAPTRX/ACTIVTXT – Activity Text Table
  /SAPTRX/ACT_TASK – Multi-Task Activity Task Table
  /SAPTRX/ACT_TSKT - Multi-Task Activity Task Text Table
  /SAPTRX/EM_RLSET – Rule Set header table
  /SAPTRX/EM_RLSTX – Rule Set text table
  /SAPTRX/EM_RULE - Rule table (Rule Set item)
  /SAPTRX/EM_RULET – Rule Set text table

• Rule set/mitigation control tables backups

  I am working in GRC AC 5.3 with old SPs. How can I take backup of existing rule set and mitigation controls so that I can compare those after GRC AC SP upgrade. Please guide me in detail.

  You can download the ruleset via rule architect -> utilities -> export and mitigation via mitigation -> utilities -> export.
  Regards,
  Alpesh

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• Non existing value EC for M_BEST_BSA / BSART used in rule set

  Hello,
  while implementing the 2010 rule set updates into our system, we realized that there is a value used that is not existing in the system.
  It is for object M_BEST_BSA, field BSART. The value is EC.
  In the rule update document from Q2 2010, there is the following comment:
  5. PR02 u2013 Maintain Purchase Order u2013 Upon review of this function with the rules mini-council, the decision was made to remove document type from the rules.  Previously, we delivered document types EC, FO and NB with our rules.  However, the majority of customers create custom document types for purchasing.  Many customers did not customize the rules, which results in only those users that had the standard EC, FO and NB document types being reported as having a risk.  Users who had the custom document types would not be reported, which results in false negative reporting.  Therefore, the decision was made to remove document type from our delivered rules.  This will force each customer to review their document types and edit this function to include all relevant document types so all users who have a risk are shown.
  However the value is still enabled in function PR04, even though it is not a valid value for field BSART. It is not existin in table T161, which holds the PO document types. It does not seem to exist since at least release 4.6C
  The value is inherited from the transactions ME28 and ME29N
  Does anyone know what it is about and why the value still is considered a standard value?
  I know this does not give me false conflicts, as the BSART values are used in condition OR.
  Why is the value not just removed, if it is not a valid value at all?
  edit:
  Sorry, forgot to mention, we use CC4.0 in an ECC6.0 system
  end of edit:
  Regards,
  Thomas Schaeflein
  IBM
  Edited by: Thomas Schaeflein on Jan 26, 2011 4:14 PM

  Start by saying bump.
  I've still no word from Adobe if they are doing anything with
  this problem. Any one had any replys from Adobe on it? Any one
  found a work around with recoding queries?

• SoD rule set Download issue

  Hi All,
  While downloading the SoD rule set (Global), I am not getting the data for Function-Action and Function-Permission, except these, rest of the data are coming.
  But, I can get to see these data under tables: GRACFUNCACT and GRACFUNCPRM.
  so obviously we can't have these data exported from table and to get converted into .txt format to upload SoD.
  GRCFND_A is at SP14.
  Please help in getting this issue resolved.
  Thanks,
  Ameet

  Hi Ameet,
  You have to reactivate it each time you install a SP in order to get the updates.
  If you develelop your own SoD ruleset you wont use the SAP standard functions and risk, so reactivate the BC Set wont cause any problem.
  If you change the standard functions and risks (which is wrong) such changes will be overwritten when reactivate the BC Set.
  After reactivating the BC set you'll be able to download SoD rules fom the logical system SAP_R3_LG.
  Cheers,
  Diego.

• Improving CAPTURE rule set performance

  Hi -
  I am capturing and streaming 10 schema and about 10 tables on different schema.
  Approach 1 :
  Setup rule for each schema and rule for each table ( 20 rules total) add them to one rule set for the capture process.
  Approach 2: Have one rule for all the schema with rule condition saying
  where schema_name in ('SCHEMA1','SCHEMA2',... SCHEMA10')
  and another similar rule for tables.
  Is there a performance advantage on either of the approach ?
  thanks.

  My experience will suggest you to create one rule for all the schemas and another for your tables. This will give you more flexibility for future updation. I wont suggest you to create one rule each for all the schema and tables unless there is vast diversity in your requirment.
  Kapil

• Invalid Rule set

  We recently dropped a table level rule and now the following rule sets are invalid:
  APPLY_QUEUE_R
  CAPTURE_QUEUE_R
  These are rule sets for the following contexts:
  AQ$_CAPTURE_QUEUE_V
  AQ$_APPLY_QUEUE_V
  Now when we run a streams healthcheck report, it errors out with an ORA-07445 on the gv$rule table.
  How do we validate these rulesets? There is no pertinent info on Metalink.
  We have an SR pending, but any information would be appreciated.
  Thanks all!
  Adam

  We figured out the issue. You need to first remove a rule from its rule set before dropping it.
  STRMADMIN@str_dev>
  begin
  dbms_rule_adm.remove_rule( rule_name => 'strmadmin.bug_task404', rule_set_name=> 'strmadmin.apply_rule_set');
  end;
  PL/SQL procedure successfully completed.
  STRMADMIN@str_dev>
  begin
  dbms_rule_adm.drop_rule(rule_name => 'strmadmin.bug_task404', force => false );
  end;
  STRMADMIN@str_dev>select count(*) from user_objects where status = 'INVALID'
  COUNT(*)
  0
  --IF WE DROP IT FORCE:
  STRMADMIN@str_dev>
  begin
  dbms_rule_adm.drop_rule(rule_name => 'strmadmin.bug_task405', force => true );
  end;
  1* select object_name, status from user_objects where status = 'INVALID'
  STRMADMIN@str_dev>/
  OBJECT_NAME STATUS
  APPLY_QUEUE_R INVALID
  Hope this helps anyone who might have encountered this issue.

• FBL5N - in Rule set - It is a Display customer line items

  Dear All,
  We observed that FBL5N - Display customer line items in Standard SoD rule set under function AR07  addressing a risk of S022.
  Unless there are t-codes of FD03 or FB02 this t-code does not allow to change the payment terms of the customer.
  We are having a challenge from the client that FBL5N is a display t-code and why it is there in rule set.
  Has anybody came across this scenario? If yes, what is the underlying risk for this FBL5N independently.
  Is there any SAP Note for this t-code like ME23N from SAP.
  Thanks and Best Regards,
  Srihari.K

  Hi Christian,
  We checked the authorization objects as well enabled in GRC rule set as below:
  F_BKPF_BUK - Docume t Authorization document for company codes - 01 or 02 - Enable.
  Inspite of this access, FBL5N cannot be used to change the document for payment terms and assignments without FB02 t-code
  assignment in the role.
  Independently FBL5N cannot be used for any change or create activity except Display customer line items.
  Please advise
  Thanks and Best Regards,
  Srihari.K

• I have messages in mail that are color-coded as if by a rule, but I have no rules set. How can I correct this?

  The only rule that I ever had in Mail was the default one that color coded messages from Apple blue. I notice that some messages are color-coded brown and I have no rules set at al (hence no rule to turn off.)  Some of the messages are related to viewing online magazine, but not all.  How can I stop this?

  Hi. Thanks for your message.
  Well, I understand what you are trying to say but I thought it was easier to categorize in Apple Mail.
  On Entourage I just click twice on a sender address, record it on Address book and give it a colour that I previously defined as "Work", "Personal", "Customers", "Suppliers", "Friends" or whatever.
  As Apple Mail don't have Address Book as part of it but an outside feature it's very annoying. Of course I am used to use a software and I don't expect now Apple Mail do everything as Entourage but... as someone said it seems Apple Mail stopped in time. The recent version seems the first one ever issued. I hate the way Mail.app handles attachments by placing big chunky previews right in my email. I prefer them to be named attachments listed somewhere else, out of the content of my email. I don't if I can change this via terminal commands? Can you tell me if that is possible?
  I don't understand why Apple Mail have lots of plugins instead of a great improvment from the backstage.
  I use Apple computers since ever and I love this machines but sometimes I don't understand this lake of improvments.
  Take a look at this link:
  http://scottworldblog.wordpress.com/2009/10/12/microsoft-entourage-vs-apple-mail /
  Of course I don't agree 100% with him but some things are true...

• Do you trust the SAP standard rule set ?

  Hello all,
  I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
  As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
  1. what is your SAP release  ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
  2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
  Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
  So, the best practice is :
  a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
  b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
  You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
  Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
  Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
  Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
  Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
  Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
  Success !
  Sam

  Sam and everyone,
  Sam brings up some good points on the delivered ruleset.  Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
  I'll try to address each area that Sam brings up:
  1.  Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
  The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
  The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
  If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
  Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
  2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  A example is ME21N. 
  If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the object, M_BEST_BSA.  This is to prevent false negatives.
  3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
  4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
  1083611 Compliance Calibrator Rule Update Q3 2007
  1061380 Compliance Calibrator Rule Update Q2 2006
  1035070 Compliance Calibrator Rule Update Q1 2007
  1173980 Risk Analysis and Remediation Rule Update Q2 2008
  5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
  6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
  https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
  Under Key Topics - Access Control; choose document below:
      o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
  The access risk management guide helps you set up and implement risk    
  identification and remediation with GRC Access Control.

• Is it possible to add a firewall Filter or Rule Set to the Extreme Router (802.11n)

  Is it possible to add a firewall Filter or Rule Set to the setting for the Extreme Router (802.11n) like the following:
  "ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53"  and
  "BLOCK TCP/UDP IN/OUT all IP addresses on Port 53"
  The goal of this is to create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs.
  Or, alternatively is there a way to configure same applied to the Network preferences on IMAC OS X?
  Thanks and much appreciation to anyone who has any clue about this.

  Sorry, I think you've got it backwards.
  The concern is NOT that the child can make changes to our hardware/AEBS, or even our network software on my IMAC - nothing's been changed.
  BUT, he changed the dns settings on his OWN device (ie chromebook) to google public server, accessed the AE using our home wifi network BUT bypassed our dns settings. Capeesh?
  See: http://www.pocketables.com/2013/03/how-to-use-change-the-dns-settings-on-your-ch romebook-and-use-googles.html

• Mulltiple Rule Sets in GRC 10.0 for one System

  Hi All,
  We do have 2 different companies working on one system and by that 2 different rule sets that are applicable.
  Due to that we are facing different problems we don't know how to solve yet but lets start with the first one dealing with the rule set that should be used in the access request.
  We want to determin which rule set should be used over the requested role (e.g. if role name contains 0001 use rule set 0001, if role name contains 0002 use rule set 0002).
  We have alerady tried several different senarios in BRF+ without success.
  Does anybody have a solution or at least an idea for this topic?
  Thank you all very much in advance!
  Eva

  Hi Ashish ,
  Thanks for your time . Let me explain you my requirement and would really appreciate if you would have some inputs here which would help me to design this .
  The actual client requirement is to design a CUP Workflow and If there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If this group decides to apply mitigating controls to the issues, the workflow must then go to the compliance group for them to review for appropriateness. Requirement is do a SoD analysis for every role change/add request , so that this group takes the appropriate action based on the SoD Analysis . For all my CUP request raised , i want system to do a SoD analysis and let this group know whenever there is a SoD found or just end the workflow if there is no risk.
  I am aware of the Risk analysis process for GRC 10.0 , however i want it to happen as a part of this work flow requirement.
  The requirement is to configure the access request work flow so that the end goal of work flow is just facilitation of an SOD review.  I hope i was able to explain my requirement . Thanks again for your help.
  Your valuable guidance would be really appreciated.
  Vikas

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• How to use complex function as condition in Oracle Rule Decision Table?

  How to use complex function as condition in Oracle Rule Decision Table?
  We want to compare an incoming date range with the date defined in the rules. This date comparison is based on the input date in the fact & the date as defined for each rule. Can this be done in a decision table?

  I see a couple of problems here.
  First, what you posted below is not a syntactically valid query. It seems to be part of a larger query, specifically, this looks to be only the GROUP BY clause of a query.
  Prabu ammaiappan wrote:
  Hi,
  I Have a group function in the Query. Below is the Query i have used it,
  GROUP BY S.FREIGHTCLASS,
  R.CONTAINERKEY,
  S.SKU,
  S.DESCR ||S.DESCRIPTION2,
  S.PVTYPE,
  RD.LOTTABLE06,
  R.WAREHOUSEREFERENCE,
  RD.TOLOC,
  R.ADDWHO,
  R.TYPE,
  S.CWFLAG,
  S.STDNETWGT,
  S.ORDERUOM,
  R.ADDDATE,
  C.DESCRIPTION,
  (CASE WHEN P.POKEY LIKE '%PUR%' THEN 'NULL' ELSE to_char(P.PODATE,'dd/mm/yyyy') END),
  NVL((CASE WHEN R.ADDWHO='BOOMI' THEN RDD.SUPPLIERNAME END),SS.COMPANY),
  RDD.BRAND,
  S.NAPA,
  RD.RECEIPTKEY,
  R.SUSR4,
  P.POKEY,
  RDD.SUSR1,
  r.STATUS, DECODE(RDD.SUSR2,' ',0,'',0,RDD.SUSR2),
  rd.SUSR3Second, the answer to your primary question, "How do I add a predicate with with a MAX() function to my where clause?" is that you don't. As you discovered, if you attempt to do so, you'll find it doesn't work. If you stop and think about how SQL is processed, it should make sense to you why the SQL is not valid.
  If you want to apply a filter condition such as:
  trunc(max(RD.DATERECEIVED)) BETWEEN TO_DATE('01/08/2011','DD/MM/YYYY') AND TO_DATE('01/08/2011','DD/MM/YYYY')you should do it in a HAVING clause, not a where clause:
  select ....
    from ....
  where ....
  group by ....
  having max(some_date) between this_date and that_date;Hope that helps,
  -Mark