Rule Upload : GRC10

Hello Gurus,
Would appreciate if anyone can let me know how to use the Upload SOD rules feature under SPRO>Access Control> Access Risk Analysis> SOD Rules> Upload SOD rules.
Here I am asked to upload the files for Business Process, Function, Permission, Risk etc. but not sure where can I get the format for these files? I need to append few new functions and their corresponding risks into an existing ruleset.
Many thanks in advance.

Hello Vikas,
Thanks, have dropped you a mail for the files. Though I am not very sure I need them or should I directly use the export functionality of my existing SAP GRC 5.3 ruleset.
We have decided not to go for the Global Ruleset but use the custom one from GRC 5.3 (as we were using GRC 5.3 earlier) by importing the same. Thus I have the following questions on the ruleset Migration:
1. How will I migrate existing Ruleset from 5.3 to 10.0 Development Box (using your files or I guess there is a functionality already in 5.3 to export the ruleset)? Can you please tell me how to Migrate this (which was actually my question)?
2. How will then I be able to Migrate the ruleset from GRC 10.0 Development Box to GRC 10.0 Quality Box?
Thanks.

Similar Messages

  • RAR - Rules Upload

    Hi Experts,
    From the RAR, I can see the default "Global" ruleset. I went to the Configuration tab, navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, and I see a list of Risk Description, conflicting conflicts etc etc.
    However, I did not want to use the Global ruleset, as I have a customized ruleset which addresses my client's SoD concerns very specifically. What I did first was to export the all components of the rules (as a backup) and then I navigated to the Rule Architect Tab, and manually deleted all the Risks, Functions, Rule Sets and Business Process (in that order).
    I then proceeded to the Configuration tab > Rule Upload and uploaded the Business process, Function, Function Authorisation, Rule Set and Risk. No error messages encountered as I followed the Rule File Templates as per the configuration guide. But it also does not tell me if I was successful in importing those files. (so I assumed no error message = import successful)
    However, when I navigated to Rule Upload > Generate Rules, and clicked on the Foreground button, I was unable to see any list generated this time. I tried to export all the components of the rules (based on what I imported) to troubleshoot, and I found that the "function_permission.txt" and the "Risk_desc.txt" portions were missing from the exported textfile. However, all the other information from other text files are in that exported text file.
    From initial analysis, this seems like the Function Authorisation and the Risk files may not have been imported successfully. Would like to know if anyone has encountered this problem and what actions should be taken to rectify it?
    Thanks!

    Hi Experts,
    Thanks for your response.
    I followed the Rule Set Template from the configuration guide to the letter.
    Upon closer inspection of the contents in what I exported, I discovered that for the "function_action.txt" portion, the Tcodes of some of the business process were not found, for e.g.
    Business Process FA may have tcodes under function action Tab, but business process IM seems to have no tcodes under the function action Tab. I suspect that during the import, certain business processes were not "picked up", whereas others were. It was a clean omission of tcodes from IM business process. Does the naming convention of business process follow some reserved words (i.e. financial accounting must be FA, procurement Must be PR etc to be same as the global ruleset)?
    In addition, for those business process which have tcodes reflected in the function action Tab, I tried to click on the "+" to expand and see the objects, fields and values under the function permission Tab, but it cannot be expanded (i.e. blank).

  • Custom Rules upload in 5.3

    Hello,
    I have a proof of concept project for GRC 5.3 implementation and have configured the GRC RAR as per the config Guide and the Rule upload was done accordingly. In the configured system, I am seeing the GLOBAL Rule set and all the rules generated against it.
    The real problem started when I started to load the custom Rule Files (BP, Functions.txt etc etc) for all the custom rules we plan to use. I tried to load the custom Files from CONFIGURATION tab -> RULE UPLOAD.
    - I am seeing some error messages and now I don't know if I have damaged the existing rules and need to fix the Global itself?
    - How do I bring in the customized Text Files for Rules ?
    Thanks,
    Farah
    HERE IS A SNAPSHOT OF ERRORS :
    Business process ID: AP00 cannot be deleted because a Function ID exists
    Business process ID: BS00  cannot be deleted because a Risk ID exists
    Business process ID: CA00  cannot be deleted because a Risk ID exists
    Business process ID: CR00 cannot be deleted because a Function ID exists
    Business process ID: EC00 cannot be deleted because a Function ID exists
    Business process ID: FI00  cannot be deleted because a Risk ID exists
    Business process ID: HR00  cannot be deleted because a Risk ID exists
    Business process ID: MM00  cannot be deleted because a Risk ID exists
    Business process ID: PM00  cannot be deleted because a Risk ID exists
    Business process ID: PR00  cannot be deleted because a Risk ID exists
    Business process ID: SD00  cannot be deleted because a Risk ID exists
    Business process ID: SR00 cannot be deleted because a Function ID exists
    Business process upload not complete due to above errors

    Hello Alpesh,
    So if I am understanding it right, I should manually create a new Ruleset from the Rule Architect tab and for the description call it custom
    and then start uploading the Rules against it.
    I will try it now and see if I can upload it without any errors or warning.
    Thanks,
    Farah

  • VIRSA Tables after Rules Upload

    Hello,
    While uploading rules and mitigations, I see in the log file that several VIRSA Tables get updated and populated.
    Is there a way to run SQL Query in Debug mode, to see which columns of VIRSA Tables have been updated by uploading ruleset and mitigations?
    Thanks,
    Imran

    Hi Varun,
    Thank you very much. I have the following 4 queries.
    If you do not have access to Debugger of RAR
    1- I have the administrator password with full access to RAR, so is there a separate Debugger of RAR, which I can access, other than the below URL that you have provided?
      then go to the following URL
    http://<SERVER>:<PORT>/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger
    Here put in the query like following
    select * from virsa_cc_busprc
    this will return the data from business process table. 
    2a- So should I first (1) put the query like select * from virsa_cc_busprc and then (2) and then execute rules export, and then (3) mitigation export etc?
    2b- Is there a way to make debugger on and off, just like you can make SQL Trace on and off?
      Here is the list of some of the tables which get populated while rules upload
    virsa_cc_busprc, virsa_cc_busprct, virsa_cc_func, virsa_cc_funct, virsa_cc_funcact, virsa_cc_risk, virsa_cc_riskrs, virsa_cc_riskt, virsa_cc_mituser, virsa_cc_mitrole, virsa_cc_mitgen
    3- Is there any OSS Note or SDN Guide or URL, which provides the list of VIRSA tables and their significance? 
    4- The reason for asking this question 3,  is I am trying to extract rules & mitigation from GRC AC 5.2 system through export of rules, mitigations etc., and then by using the GRC/ RAR Debugger, I want to format the data in the tables according to 5.3 tables requirements and then upload it into a different GRC AC 5.3 system).
    Thank you very much in advance.
    Thanks & Regards,
    Imran

  • GRC 10.0 Rule Upload

    Experts,
    I'm currently in the process of converting a legacy SoD rule-set (non SAP GRC AC) to the GRC AC 10.0 rule-set template. This is a tedious process of converting the legacy rule-set to the AC text files (Business Process, Function Action, Risks, etc.), but wanted to reach out to the group to see if there is a better way to perform this task.
    Also, is it possible to get the templates for the text files to confirm my understanding of the text files.
    Any help is greatly appreciated.
    Thank you,
    Kunal

    Diego,
    That is extremely helpful, thank you.
    My next issue is when I try to upload the text files - I receive an error "Transferred codepage does not match the byte order mark"
    I'm not sure which of the files is causing the issue. Do you know if there's a table where it will say the file and location? In 5.3 as you uploaded the files it would provide you with an error and a line number.
    Any thoughts?
    Thanks,
    Kunal
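
An added example, not part of the original thread: one way to find which text file triggers a codepage / byte-order-mark complaint is to compare each file's leading bytes with the encoding chosen for the upload. It assumes the upload is done as UTF-8; the file names and contents are constructed samples.

```python
import codecs

# Longest marks first: the UTF-32 LE mark begins with the UTF-16 LE mark.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def detect_bom(data):
    """Return (encoding named by the BOM, BOM length) or (None, 0)."""
    for mark, name in BOMS:
        if data.startswith(mark):
            return name, len(mark)
    return None, 0


def check_file(data, declared):
    """Compare a file's bytes with the encoding selected for the upload."""
    declared = codecs.lookup(declared).name  # normalise, e.g. 'UTF8' -> 'utf-8'
    bom, skip = detect_bom(data)
    if bom and not bom.startswith(declared):
        return "bom-mismatch: file is marked %s, upload expects %s" % (bom, declared)
    try:
        data[skip:].decode(bom or declared)
    except UnicodeDecodeError as exc:
        # No BOM (or a matching one), but the body is in another codepage.
        return "undecodable as %s at byte %d" % (bom or declared, skip + exc.start)
    return "ok"


def scan(files, declared):
    """files: {name: bytes}. Returns {name: status} so the bad file stands out."""
    return {name: check_file(data, declared) for name, data in files.items()}


# Constructed sample files, not taken from a real ruleset.
SAMPLE_FILES = {
    "business_process.txt": codecs.BOM_UTF8 + b"FA00\tFinance\n",
    "function.txt": codecs.BOM_UTF16_LE + "FA01\tPost entries\n".encode("utf-16-le"),
    "risk_desc.txt": "F001\tZahlungsl\u00e4ufe\n".encode("cp1252"),
}

if __name__ == "__main__":
    for name, status in scan(SAMPLE_FILES, "utf-8").items():
        print("%-22s %s" % (name, status))
```
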

  • RAR - Error in Rules Upload

    Hi Experts,
    I encountered the following errors when I uploaded the text files in RAR:
    1) Function Action and Function Permission text files - For input string: ""
    2) Risk, Risk Description, Rule Set Mapping text files - Function  FA01

    Hi,
      As Sabita mentioned, files are corrupted. Get fresh set of files and try to upload.
    Regards,
    Alpesh

  • Compliance Calibrator Default Rules Upload Files

    I'm implementing Compliance Calibrator 5.1, and I'm at the point where I need to upload the default rule-set.  However, I cannot locate the flat files required for the initial rule-set upload (i.e. business process, function, and risk definitions).  I've read through the user guides, but they don't seem to reference exact file names or specify where the files would be located after install.  Thanks in advance for your help.

    Varun,
    you may get a quicker answer to your question in the GRC forum
    Governance, Risk and Compliance (SAP GRC)

  • GRC Upgrade 4.7 to 5.3 - Rule Set Upload

    Questions about upgrade from 4.7 to 5.3
    Work in corporate conglomerate that consists of 4 independent business units each with own SOD rule set:
    - How do we upload each independent set of rule sets so they can coexist within GRC 5.3?
    - 4.7 mapping of files to 5.3 naming conventions - see 4.7 rule set download below
    CONFIG
    CR_PROFS
    CR_PROFST
    CR_ROLES
    CR_ROLEST
    CR_TRANS
    CR_TRANST
    SOD_OBECT01
    SOD_OBECT02
    SOD_OBECT03
    SOD_OBECTT
    SOD_TCODE
    SOD_TCODET

    Alpesh
    We are trying to upload our existing SOD 4.7 rules using the 5.3 configuration tab - rule upload.  We are having difficulties associating old 4.7 SOD file names to the 5.3 SOD file names.  Is this the correct location within 5.3 to associate a physical system to a specific set of SOD rule sets?  If not could you please point us to correct location within 5.3.
    Thanks

  • Upload Rules to CC5.2 from CC 4.0

    Hi All,
    How can I transfer Business process, Function & Risks etc from RTA system (CC 4.0) to Netweaver version 5.2.
    I have found how to upload above items using the "Rule Upload" function in CC 5.2, however this only allows upload from text files.
    Is there any chance to download the Business process, Function & Risks etc to text files in the CC 4.0 RTA system.
    Please advise.
    Regards,
    Sri Vandan.

    Simon / Ankur,
    Thanks for the reply and clarification.
    One more question, we will get the default template text files for rules etc.. with CC 5.2 deployment kit. I know the process of upload those files in to CC Java front end. But how can we upload those files in to abap system?
    Regards,
    Sri Vandan.

  • Error While uploading the Function and Function_BP

    Hello,
    I am getting the following error while uploading the Functions and Functions_BP using the Rule Upload functions.
    com.virsa.cc.comp.Function_upload.onActionUploadFunc(Function_upload.java:302)
    com.virsa.cc.comp.wdp.InternalFunction_upload.wdInvokeEventHandler(InternalFunction_upload.java:150)
    com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
    com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
    com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
    com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
    com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
    com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:321)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
    com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
    com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    java.security.AccessController.doPrivileged(Native Method)
    com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    The files which I am uploading are from the Best Practices only.
    What is the reason for this error?
    Did anyone get this error?
    Regards,
    Kumar Rayudu
    Edited by: Kumar Rayudu on Aug 4, 2009 12:32 PM

    Hello Kumar,
    Have you uploaded the SAP text and object files? Upload them first and then try to upload functions.
    Harleen
    SAP GRC RIG

  • How to merge rules of new business process module in existing rule set

    We have existing GRC 5.3 SP10 with business process like finance, basis etc. Now if I want to implement another business process (e.g. MM module) delivered by other organisation to my existing GRC. How can this new module be merged/added? Is there any easy way? e.g. a) download existing rule - add new module to it - upload full

    Hi Pal,
    Yes, exactly as you suggest. The Rule Upload utility in the Configuration Tab allows you to upload individual elements of the ruleset or you can use the Rule Architect Import / Export facility to do it as a complete file.
    Remember though that if you upload a ruleset, you will OVERWRITE the existing one so be careful to ensure that you have appropriate backups and test in pre-production first!
    Simon

  • RAR 5.3: Uploading Critical Actions

    Hi,
    We have already a system with SoD Matrix already loaded and rules generated.
    Our question: Is it possible to upload critical actions (include in functions and these into risks) using "Rule upload" functionality or once the SoD Matrix is loaded no more risks can be uploaded using such functionality and must be entered manually?
    I remember there was a note related with the way rule upload works and the append / insert happening but I cannot find it now.
    Any help on this?
    Many thanks in advance. Best regards,
       Imanol

    Hi Imanol,
    You can create txt files for new risks upload and do it. It will append the existing data. Just make sure that tcodes, objects and other required values are in place. Also, if a function / risk is existing, then modified data will not be applicable but it will throw error. But if your txt files are having all new data, then it will be uploaded successfully. We have done it, as our rulebook was prepared in installment and we uploaded SOD first and gave the risk analysis to business before SAT risks were prepared and uploaded.
    Regards,
    Sabita

  • How to migrate Master Data (Rule set etc.) from GRC 5.3 to 10.1 without using the "Migration Tool"

    Greetings,
    We are currently on GRC 5.3 SP 18 (Java ONLY) and migrating to GRC 10.1. I referred the Migration Guide which outlines that GRC 5.3 needs to be upgraded to SP 20 as pre-requisite for using the "Migration Tool" . Our BASIS team is reluctant to perform this upgrade from SP 18 to SP 20.
    Having said thus, I'm exploring options of migrating data from 5.3 to 10.1 without using the "Migration Tool".
    Rule set Migration:
    I'm in the process of preparing the 9 different files (listed below) and later utilize the "Upload Rule" option for migrating the Rule set data from 5.3 to 10.1.
    While I'm able to gather data for most of the files I'm not sure how can I obtain the data pertaining to the two files (Function Actions and Function Permissions) underlined and highlighted in Red below.
    1. Business Process
    2. Function
    3. Function Business Process
    4. Function Actions
    5. Function Permissions
    6. Rule Set
    7. Risk
    8. Risk Description
    9. Risk Rule Set Relationship
    10. Risk Owner Relationship
    Can someone please enlighten me and share their experience with regards to this exercise. Really appreciate your help !
    - Janantik.

    I have done this successfully before.  Because you are having issues, I would NOT recommend using the migration tool to move the ruleset.  Instead:
    1. Download the ruleset files from 5.3
    2. The 5.3 tcode-permission file, which defines which tcode permissions from SU24 need to be checked during risk analysis, needs to be split into the two files you mention above in red.
    FUNCTION_ACTION : this file represents S_TCODE objects and TCD fields mapped to each function (Function to Tcode relationship).  In the 5.3 file, you will filter on object S_TCODE and field TCD, and you will get a complete list that now represents "FUNCTION_ACTION".  BUT instead of having all the jumbled permission info, you will just have 3 columns: Function - Tcode - Status.
    3. The remaining permissions that are left over, after taking out the S_TCODE -TCD items, represent the "FUNCTION_PERMISSION" file in GRC 10.
    4. Manually create the excel spreadsheets for each file.
    5. Copy and paste each sheet to a unique .txt file.
    6. Upload the ruleset manually through SPRO-->GRC-->Access Control-->Access Risk Analysis-->SoD Rules-->Upload SoD Rules.
    7. Select each file and then upload to the correct Logical Group.
    This is a huge pain, but it works.  Let me know how this goes and if you need any assistance.
    -Ken
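
An added example, not code from the thread or from SAP: a sketch of the split Ken describes in steps 2 and 3, turning a 5.3 tcode-permission download into FUNCTION_ACTION rows (Function, Tcode, Status) and FUNCTION_PERMISSION rows. The eight-column tab-delimited layout in `COLUMNS`, the reject rules and the orphan check are assumptions for illustration; the sample rows are constructed.

```python
import csv
import io

# Assumed column order of the 5.3 tcode-permission download (hypothetical;
# compare with your own export before use).
COLUMNS = ["function", "action", "object", "field",
           "value_from", "value_to", "condition", "status"]


def split_permission_file(text):
    """Return (actions, permissions, rejects) for a tab-delimited 5.3 export.

    actions     : [function, tcode, status] rows taken from S_TCODE/TCD lines
    permissions : every other well-formed row, columns unchanged
    rejects     : (line_no, reason) for rows a person has to look at
    """
    actions, permissions, rejects, seen = [], [], [], set()
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for line_no, row in enumerate(reader, start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != len(COLUMNS):
            rejects.append((line_no, "expected %d columns, got %d"
                            % (len(COLUMNS), len(row))))
            continue
        rec = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        if not rec["function"] or not rec["status"]:
            rejects.append((line_no, "empty function or status"))
            continue
        if rec["object"].upper() == "S_TCODE" and rec["field"].upper() == "TCD":
            key = (rec["function"], rec["value_from"])
            if not rec["value_from"]:
                rejects.append((line_no, "S_TCODE row without a tcode value"))
            elif key not in seen:  # drop repeated function/tcode pairs
                seen.add(key)
                actions.append([rec["function"], rec["value_from"], rec["status"]])
        else:
            permissions.append([rec[c] for c in COLUMNS])
    return actions, permissions, rejects


def orphan_permissions(actions, permissions):
    """Function/action pairs that have permission rows but no tcode row."""
    known = {(f, t) for f, t, _ in actions}
    orphans = []
    for row in permissions:
        pair = (row[0], row[1])
        if pair not in known and pair not in orphans:
            orphans.append(pair)
    return orphans


def to_tsv(rows):
    """Serialise rows as tab-delimited text for pasting into a .txt file."""
    return "".join("\t".join(r) + "\n" for r in rows)


# Constructed sample input, not taken from a real ruleset.
SAMPLE = "\n".join("\t".join(r) for r in [
    ["FA01", "FB01", "S_TCODE", "TCD", "FB01", "", "", "0"],
    ["FA01", "FB01", "F_BKPF_BUK", "ACTVT", "01", "", "OR", "0"],
    ["FA01", "FB01", "F_BKPF_BUK", "ACTVT", "02", "", "OR", "0"],
    ["FA01", "FB01", "S_TCODE", "TCD", "FB01", "", "", "0"],   # duplicate
    ["PR01", "ME21N", "M_BEST_BSA", "ACTVT", "01", "", "OR", "0"],
    ["PR01", "ME22N", "S_TCODE", "TCD", "ME22N", "", "", ""],  # no status
    ["FA02", "F-02", "S_TCODE", "TCD"],                        # short row
]) + "\n"

if __name__ == "__main__":
    acts, perms, bad = split_permission_file(SAMPLE)
    print(to_tsv(acts), to_tsv(perms), bad, orphan_permissions(acts, perms))
```

Rejected rows and orphan pairs are worth resolving before the upload, since a dropped row silently narrows what the ruleset checks during risk analysis.
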

  • Multiple GRC rule set update

    We are having a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definition to be loaded in GRC. If we try to upload rule set B risks and functions via Upload function in GRC, would it overwrite the rule set A, or not. Just wanted to confirm whether existing rule set A would be affected or not, due to upload of rule set B.

    Hey Alpesh,
    Sorry, I haven't understood it correctly. This is a question that will always be asked in the train.
    You wrote:
    "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
    Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
    What's about with the ALL.txt files, do I have to change/upload them as well again?
    Thanks for feedback,
    always a pleasure!
    Greets
    Martin

  • GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

    Hello Gurus,
    We have done configuration of GRC AC 10, and uploaded files via
    SoD rules -->Upload Rules
    After that we generated SoD rules for Risk Id : B001 and B002
    Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
    The report shows (for Group Rule level : Action)
    Number of Active rules : 0
    Number of Disabled Rules : 0
    Number of Functions :  151
    Where as for Group Rule level : Action Risk
    The report shows
    Number of Active Risk : 42
    Disabled risk : 161
    Nmr. of functions : 151 .
    When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
    Note: All the background jobs have run successfully.
    Also the SoD files also have been uploaded successfully.
    Will you please guide how can I activate the "rules" for the uploaded risk?
    regards,
    Victor

    Hello Victor/ Inder,
    For Risk ID B001 functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
    Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
    BUSINESS       Business Roles                         SAP
    SAP_BAS_LG     SAP Basis                              SAP
    SAP_CRM_LG     SAP CRM                                SAP
    SAP_ECC_LG     SAP ECCS                               SAP
    SAP_HR_LG      SAP HR                                 SAP
    SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group    SAP
    SAP_R3_LG      SAP R3                                 SAP
    SAP_SRM_LG     SAP SRM                                SAP
    (If not present then manually you can create the same)
    Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain your connector.
    Post this activity re generate SOD for B001 and then check for user level and role level analysis.
    Hope it will resolve your issue.
    Regards,
    Sudesh
