Rule Sets to control application access

Similar Messages

• Rule set/mitigation control tables backups

  I am working in GRC AC 5.3 with old SPs. How can I take backup of existing rule set and mitigation controls so that I can compare those after GRC AC SP upgrade. Please guide me in detail.

  You can download the ruleset via rule architect -> utilities -> export and mitigation via mitigation -> utilities -> export.
  Regards,
  Alpesh

• GRC AC Rule Sets

  Hi
  We have a requirement of building up a custom rule set for our organization. The current requirement is to have a central rule set across for all system and have subsequent system specific Risks identified in addition.
  Scenario: Letu2019s say we have identified around 100 risks across the enterprise, however only 50 risks out of 100 risks are applicable for one system. While for the second system there are around 70 risks applicable. Finally for the third one all 100 risks are applicable.
  Should we have system specific rule sets to address the above scenario or should we have a common rule set for the enterprise.
  Appreciate your inputs about the approach for building up of rule set for such scenarios.
  Question: With GRC 10.0, can we run risks for a system on multiple rule set IDs at one time.
  Thanks.
  Anjan Pandey

  Hi,
  Most of the clients will prefer to go with one rule set. However System can allow create/maintain multiple rule sets.
  Anyway your requirement is to have one central rule set across all systems u2013 For that, Create Logical system and maintains one Rule set is the right approach and it gives flexibility for future usage to add /remove required systems. You can maintain risks by system specific, not required to maintain multiple rule sets.
  Refer  GRC Access Control Effective Rule Set Design document,  it gives some good explanation of Rule Set Design&typical Scenarios, Logical & Physical systems approach..etc.
  Regards,
  Ram
  Edited by: ram komma on Apr 13, 2011 1:55 PM

• Access Control Rule Set deletion in GRC 10

  Greetings,
  Has anyone tried deleting rulesets or have experienced any issues while deleting rule sets in GRC 10. I have tried to delete them from SPRO as well as from Setup Tab in Access Control , however its not working for me . Even in SPRO , after chooseing the physical system and logical system infromation , it stays on that screen for ever and nothing happens.
  Any help or guidance here will be much appreciated.
  Thanks everyone for your valueable time.
  Vikas

  Hey ,
  There are no tricks or tips.  It was something stupid on my part.
  I Just had a look at the system again and found a function left in the system which was mapped to this Ruleset , so that was the only i was not able to delete the ruleset . As soon as i deleted that function , it worked .
  So i was able to delete the entire rule set after deleting all the risks and functions mapped to this rule set.
  Have a great day ahead ...
  Vikas

• Access to update the GRC rule set is limited

  Hello - What is the process (tcode) to see who has access to update the GRC rule set?
  Thanks!

  Hi Sam,
     What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
  The process to change a rule set is as below:
  1) Creats Function
  2) Create risk
  3) Create Rule
  Regards,
  Alpesh

• How to set application access type for list of users

  Hi everybody,
  I've an requirement to automise the application access type setting in shared services.
  When i searhed to do with MaxL scripts.I'm able to set the application access type for a single user using
  alter user 'username' add application access type essbase
  alter user 'username' add application access type planning
  But,i've to perform this as a daily activity updating for list of users.Is there away to do it..??..i want to pass the list of users to the above alter user command.??
  Please help me.
  Cheers
  Saran
  Edited by: user11396937 on Aug 27, 2010 2:09 AM

  I discovered that changing "Image interpolation" optioon in general preferences of Photoshop has direct influence on smart object interpolation type. You can even reinterpolate smart object after changing image interpolation in preference. Just click ctrl + t and enter.

• What if the consolidation rules is disable in Application Setting ?

  Hi everybody,
  Could you please tell me what will happen when the consolidation rules are disable in Application Setting? I understand that the default consolidation still works (agregate cacul). But i am wondering if the intercompany account will be eliminate in this case? I would say it don't !! Could you please confirm it ?
  Thank you in advance.
  Thanh.
  Edited by: ThanhKP on Nov 26, 2011 2:07 PM

  Hi ThanhKP,
  By disabling the Consolidation Rules in the application settings, the Intercompany account will be eliminated.
  For more information regarding Consolidation rules, please refer to HFM Admin guide:
  http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_admin.pdf
  Please feel free to mark the answer as Helpful Answer/ Correct Answer should you find the relevant posting helpful so that it also helps us in keeping track of the answered queries.
  Thank you,
  Charles Babu J

• After time capsule 7.6 Firmware upgrade I can't set up Access Control / Timed Access using mac adresses.

  After time capsule 7.6 Firmware upgrade I can't set up Access Control / Timed Access using mac adresses.
  I have a Time Capsule and an Airport express and when I change access control parameters on whatever one of those
  two devices through Airport Utility its duplicating the same setup on the other device !
  What a mess !
  I had to choose "Not Enabled" in the Access Control stup window.
  Has anyone experienced same problem ?
  Jean.

  I did downgraded firmware to 7.5.2 ...
  and the Acess Control Setting from Airport Utility is back to normal behaviour.
  Jean.

• Setting parental controls and allow safari access

  when is set parental controls i can't fine safari (although it's checked) in the guest user profile of my applications

  Sharon...
  Possibly a restriction causing this...
  Read here >  Mac OS X v10.5, 10.6: About the Parental Controls Internet content filter

• Do you trust the SAP standard rule set ?

  Hello all,
  I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
  As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
  1. what is your SAP release  ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
  2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
  Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
  So, the best practice is :
  a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
  b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
  You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
  Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
  Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
  Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
  Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
  Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
  Success !
  Sam

  Sam and everyone,
  Sam brings up some good points on the delivered ruleset.  Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
  I'll try to address each area that Sam brings up:
  1.  Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
  The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
  The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
  If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
  Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
  2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  A example is ME21N. 
  If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the object, M_BEST_BSA.  This is to prevent false negatives.
  3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
  4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
  1083611 Compliance Calibrator Rule Update Q3 2007
  1061380 Compliance Calibrator Rule Update Q2 2006
  1035070 Compliance Calibrator Rule Update Q1 2007
  1173980 Risk Analysis and Remediation Rule Update Q2 2008
  5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
  6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
  https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
  Under Key Topics - Access Control; choose document below:
      o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
  The access risk management guide helps you set up and implement risk    
  identification and remediation with GRC Access Control.

• Mulltiple Rule Sets in GRC 10.0 for one System

  Hi All,
  We do have 2 different companies working on one system and by that 2 different rule sets that are applicable.
  Due to that we are facing different problems we don't know how to solve yet but lets start with the first one dealing with the rule set that should be used in the access request.
  We want to determin which rule set should be used over the requested role (e.g. if role name contains 0001 use rule set 0001, if role name contains 0002 use rule set 0002).
  We have alerady tried several different senarios in BRF+ without success.
  Does anybody have a solution or at least an idea for this topic?
  Thank you all very much in advance!
  Eva

  Hi Ashish ,
  Thanks for your time . Let me explain you my requirement and would really appreciate if you would have some inputs here which would help me to design this .
  The actual client requirement is to design a CUP Workflow and If there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If this group decides to apply mitigating controls to the issues, the workflow must then go to the compliance group for them to review for appropriateness. Requirement is do a SoD analysis for every role change/add request , so that this group takes the appropriate action based on the SoD Analysis . For all my CUP request raised , i want system to do a SoD analysis and let this group know whenever there is a SoD found or just end the workflow if there is no risk.
  I am aware of the Risk analysis process for GRC 10.0 , however i want it to happen as a part of this work flow requirement.
  The requirement is to configure the access request work flow so that the end goal of work flow is just facilitation of an SOD review.  I hope i was able to explain my requirement . Thanks again for your help.
  Your valuable guidance would be really appreciated.
  Vikas

• How to set the WebDynpro application title (IE windows title)?

  Hello all,
  I would like to set the WebDynpro application title according to the current transaction ID. This title is the IE windows title that is shown on the upper left-corner of the IE browser.
  Rule: [Object Instance Information] u2013 [Application Title] u2013 [Browser Title]
  For example: Trans. <No.> - <My App> - Windows Internet Explorer
  I would like to set <No.> dynamically on run-time according to my current transaction number.
  I have this piece of code that gets a reference to the application info:
  data: lr_app_info TYPE REF TO if_wdr_rr_application.
  lr_app_info ?= wdr_task=>application->application_info.
  And there is lr_app_info->get_description() method to have the description of the application, but there is no set method.
  The application description can be hardcoded in:
  tx. SE80, opening the WebDynpro component, then accessing its WebDynpro application. In the properties tab, there is a description field. I need to append transaction ID to it.
  Do you know any way to implement this? This issue is for WebDynpro ABAP.  
  Best regards and thanks in advance,
  Fouad.

  Hello Satra,
  Thanks for your reply. I already had a look into that thread, but my question is not related to the windows title of the WebDynpro  component.
  My question is related to the title of the Internet Explorer that we all see on the top left-corner. For WebDynpro , this is the WebDynpro  application title. How can we change it?
  I hope my question is clear now, and I wish someone can help me soon.
  With kind regards,
  Fouad.

• How to migrate Master Data (Rule set etc.) from GRC 5.3 to 10.1 without using the "Migration Tool"

  Greetings,
  We are currently on GRC 5.3 SP 18 (Java ONLY) and migrating to GRC 10.1. I referred the Migration Guide which outlines that GRC 5.3 needs to be upgraded to SP 20 as pre-requisite for using the "Migration Tool" . Our BASIS team is reluctant to perform this upgrade from SP 18 to SP 20.
  Having said thus, I'm exploring options of migrating data from 5.3 to 10.1 without using the "Migration Tool:.
  Rule set Migration:
  I'm in the process of preparing the 9 different files (listed below) and later utilize the "Upload Rule" option for migrating the Rule set data from 5.3 to 10.1.
  While I'm able to gather data for most of the files I'm not sure how can I obtain the data pertaining to the two files (Function Actions and Function Permissions) underlined and highlighted in Red below.
  1. Business Process
  2. Function
  3. Function Business Process
  4. Function Actions
  5 .Function Permissions
  6. Rule Set
  7. Risk
  8. Risk Description
  9. Risk Rule Set Relationship
  10. Risk Owner Relationship
  Can someone please enlighten me and share their experience with regards to this exercise. Really appreciate your help !
  - Janantik.

  I have done this successfully before.  Because you are having issues, I would NOT recommend using the migration tool to move the ruleset.  Instead:
  1. Download the ruleset files from 5.3
  2. The 5.3 tcode-permission file, which defines which tcode permissions from SU24 need to be checked during risk analysis, needs to be split into the two files you mention above in red.
  FUNCTION_ACTION : this file represents S_TCODE objects and TCD fields mapped to each function (Function to Tcode relationship).  In the 5.3 file, you will filter on object S_TCODE and field TCD, and you will get a complete list that now represents "FUNCTION_ACTION".  BUT instead of having all the jumbled permission info, you will just have 3 columns: Function - Tcode - Status.
  3. The remaining permissions that are left over, after taking out the S_TCODE -TCD items, represent the "FUNCTION_PERMISSION" file in GRC 10.
  4. Manually create the excel spreadsheets for each file.
  5. Copy and past each sheet to a unique .txt file.
  6. Upload the ruleset manually through SPRO-->GRC-->Access Control-->Access Risk Analysis-->SoD Rules-->Upload SoD Rules.
  7. Select each file and then upload to the correct Logical Group.
  This is a huge pain, but it works.  Let me know how this goes and if you need any assistance.
  -Ken

• For GRC 5.3 can I use the SAP GRC 5.2 rule set

  We are going for an upgrade to GRC 5.3,  I have a small concern here....
  Can I use the same ruleset what I used in GRC 5.2 to SAP GRC5.3 ...?
  because when I checked ruleset at permission level in GRC 5.2 it displays first object of an action from one function conflicting with first object of an action from another function, where as in GRC 5.3 it displays all objects of an action from one function vs all objects of an action from another function....
  How will it impact analysis in GRC 5.3 with old rule set...?
  appreciate your response & thanks in advance.

  Hi,
  Here you will find the documentation to get Upgrade/Configuration Guides.
  [https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718172&]
  SAP BusinessObjects Governance --> Access Control ---> SAP GRC Access Control 5.3
  There you will find a Upgrade guideline.
  Cheers,
  Martin

• 7u45: MacOS X: Deployment Rule Set not found?

  Per the Deployment Rule Set packaging instructions:
  http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules.html#package
  "Install the DeploymentRuleSet.jar file on your users' systems in the following directories:
  On Windows platforms, install the file in the <Windows-directory>\Sun\Java\Deployment directory, for example, c:\Windows\Sun\Java\Deployment.
  On Mac OS X and UNIX platforms, install the file in the /etc/.java/deployment directory.
  To view the active rule set, see the Security section of Java Control Panel."
  I am able to use and view the rule set on Windows and Linux platforms, but the deployment rule set is not seen under MacOS X (10.9 Mavericks).
  I placed it in:
  /etc/.java/deployment/DeploymentRuleSet.jar and yes, it is properly signed, in the correct format, etc. Identical file works fine under Windows and Linux.
  Anyone else have this issue?

  Hurray!! I finally found out how to get the JCP to display the DeployementRuleSet.jar file.
  The path in the documentation (/etc/.java/deployment) is wrong (at least on Mac OSX 10.7.5)!.
  I went through the decompilation of the ControlPanel source code, and found out that the expected path for the jar file is
  /Library/Application Support/Oracle/Java/Deployment
  Note:The Deployment directory has to be created