Rulset Comparison in GRC 10.0

Similar Messages

• GRC 5.3 | ERM | Disabled Role Comparison Field

  When executing a role comparison in ERM, the only way to select the role is to use the magnifier next to the field, search and select the role. As we have thousands of roles, this is not userfriendly.
  Is is possible to enable the field for role name in the role comparison "section" so that can be searched on roles using wildcards.
  Thx.

  Hello Kraell 
  Considering that this feature is not available as of now but if you still have dire need for the same, you may contact SAP if they can treat this as an enhancement request (for which you might be charged a bit) and deliver this feature to you.
  Regards,
  Hersh.
  http://www.linkedin.com/in/hersh13

• GRC 10.0 SP14 - Poblems when generating rules for logical systems

  Hello Experts!
  We recently updated a DEV system to SP14 and we're having issues regarding the rule set generation. I'd like to know if you have faced a similar problem after installing SP14. The details are described below:
  Create a test function ZTEST_F1
  The action PFCG is associated to a Physical System (Test Connector SP14) and to a Logical System (Sistema Logico Retail)
  The logical system contains D05 among other connectors:
  And it’s defined as a logical group:
  The connector “test connector Sp14” points to the same system as D05.
  Now I create another function, let’s say ZTEST_F2
  Now let’s define a SoD Risk ZTSTSP14
  Generate rules and after that we check GRACSYSRULE table for such risk and we get:
  Let’s add more transactions:
  Generate rules:
  Now in the table we get:
  The logical system has been added to the GRACSYSRULE table for the new combination and also the physical system TST_D05, but there's no combinations for the system D05 for example.
  Now if we run SoD analysis:
  We have four combinations for the physical system TST_D05 but only two for D05 that belongs to the logical system:
  Do you have any clue? have you faced a similar problem?
  Thanks in advance.
  Cheers,
  Diego.

  Hello Collen!
  First of all I want to thank you because after aplying the note the rules generated fine and now the Risk Analysis is OK for the example described above:
  I've also tested with a huge number of risks and made a comparison between the results of the Physical conector and the Connector that belongs to a logical group and I got the same results as action level as well as Permission Level as expected.
  Regarding the note itself, we usually check for notes and we have implemented many notes in advance related to rule generation issues.
  The point is that, as my point of view is just not acceptable to get a new SP with this kind of issue. Rule generation is a core functionality and SAP must test such functionalities before releasing a SP and these checks cannot rely on the customer. For me, rule generation issues in GRC are just unnaceptable. I can accept issues with other modules or new functionalities, but with role generation they must guarantee that it works properly and perform the requiered tests before releasing an SP.
  Well... bottom line the issue has been resolved and I really appreciate the help you provided!!!!
  Many Thanks!!!
  Diego.

• GRC AC 10.0: Info about rejected roles in the CUP Email

  Hello all,
  the GRC componetent CUP seems to be technically mature in comparison to Role Management component, but there is one thing where I am not sure, is it an error or did I miss some config parameters:
  When the CUP Request ist closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved, some of the roles were rejected. But the user gets an email where only the approved roles are listed:
  We would like to inform the user about the status of all roles in the CUP requests: which roles were approved and which roles were rejected. Is it possible to configure in MSMP Workflow?
  Right now we have the following setting:
  Thanks,
  regards Sabrina

  Hi Sabrina,
  To notify the requester for the roles which got rejected, you can try with Email notification template: GRAC_MSMP_ERM_REJECTED for the for the message class.
  You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
  Hope this helps, Let us know if you face any issues.
  Regards,
  Ameet

• Is there a ruleset comparison tool available in the market?

  Dear all,
  I wanted to know if there is a SAP GRC ruleset comparison tool available in the market? As a part of our audit requirement, I would need to compare our current rulesets with the ones from last quarter - To identify any changes/enhancements.
  I know Bizrights Approva supports a comparison tool called ExamXML where we can perform a comparison of 2 XML files and figure out the differences/ changes.
  Please let me know if any of you has used such a tool for GRC ruleset comparison.
  Thanks,
  Kunal

  >
  Kenguru wrote:
  > As a part of our audit requirement, I would need to compare our current rulesets with the ones from last quarter - To identify any changes/enhancements. > Kunal
  If any auditor is comparing sap delivered rule sets with a companies' grc rule sets (without deep investigations) and reporting the differences in his/her audit report (as white spaces)  then the auditor is doing it the wrong way.
  The auditor should be aware of the following facts:
  1. SAP delivered rule sets are mere best practices (only starting point)
  2. Most of the customers modify/update the rule sets as per their requirements
  3. Organizational rules are created by customers differently
  4. Some customers don't even choose sap delivered rule sets and completely create their own.
  So the difference between rule sets is obvious, but these findings may or may not be entirely appropriate to reach to a conclusion for audit purposes.
  Best Regards,
  Amol Bharti
  http://amudee.com

• Ruleset Comparison in GRC10

  Hi,
  Does any one also know the Ruleset comparison program name in GRC10.
  I tried running the Ruleset comparison option from NWBC->Setup-> Access Ruleset Maintenance->Rulesetup->Ruleset Comparison, there is an option to select Risks,Actions,Permission, however on running the comparison tool no risks/action/permission is getting populated in the output report. Is this a bug? has any one else faced this issue?
  Cheers,
  Sabitha

  Dear both,
  with the rule comparison report you have the possibility to compare GRC rule sets (old/new) directly in ARA.
  Basically you upload the new rule set and you are able to compare which risks, actions or permissions have been changed compared with your old one. Please be aware that you cannot load the new rule set with the similar name as comparison isn't possible then.
  The report shows the differences between the rule sets, e.g. which risk, action or permission has differences.
  Does this answer your question?
  Thanks and regards,
  Alessandro

• Alternatives to SAP GRC Tool to monitor compliance & automatic provisioning

  Hello Gurus,
  Not sure if this would be the right forum to ask this but surely there exist tools in the market which are viable alternatives to the SAP GRC Tool. We are a large semiconductor firm and currently manage role assignments, user provisioning and auditing manually.It is a huge cost overhead and is labor intensive.
  Looking at possible alternatives?
  SAP GRC Tool is a strong contender but I am trying to weigh in other options with it and their comparisons.
  To your minds, what would be the biggest advantage of implementing GRC versus any other third party tool? What is the distinctive edge it provides? This is also to help me build a strong business for pushing GRC to the management.
  Appreciate any thougts/ideas/suggestions, at the earliest!! Much appreciated.
  -Tan
  Edited by: Tania Nijhawan on Jul 21, 2011 2:19 AM

  Hi Tania,
  GRC is a convenient grouping of solutions that have been developed and acquired over time. There are pros and cons in every application and no one can say that SAP GRC is 100% best and un comparable with any other compliance product in the market.
  But, I can strongly say that GRC gels well with all the SAP flavours such as ECC and BI, and it is easy to implement, incorporate, and manage.
  With the introduction of GRC 10, SAP is looking at more features and easy to manage compliance solutions. I bet you can't get A to B product comparision anywhere. I rather suggest you to look at the top ten features and advantages in different products in terms of deployment, adaptability, user friendlyness etc., and opt for the right one.
  Regards,
  Raghu

• Two GRC systems linking to one SAP system

  Hi,
  I have a possible scenario where there are 2 GRC systems (for company 1 & company 2) connected to two seperate ECC6.0 systems.
  Both companies are now looking to split out the HR element of their ECC6.0 systems and share a common HR system.
  I am wondering what is the recommended approach to take for the GRC systems? I was thinking of creating a link from each GRC system to the new HR system.
  However I am not sure how to deal with SPM- as this seems to have a one to one connection with the SAP system, meaning that only one GRC instance will be able to report against SPM usage.
  Does anybody have any suggestions?
  Thanks,
  Niamh

  Niamh,
  As long as you configure the connectors from the SPM Java side, you can report on multiple SPM backend instances from a single GRC Java System.
  However, if you want to integrate SPM with RAR for the critical transactions / SOD analysis, I believe that you can only specify one RAR source.
  If you split out the HR elements to a single shared system, you can also have both GRC systems connected to that HR system You would need to consider the rulset defined in each RAR instance and the users who report on it to ensure that you are getting the "correct" rules in the correct place.
  I would recommend not reporting from both grc systems as it doubles the administrative overheads and adds further complexity to the implementation. I would pick one of the GRC systems and adjust the functions in that one to look at the new HR system for the relevant authorisation definitions.
  Simon

• GRC  RuleSet Upload for SAP 5.3

  All ,
  As a background , we are running on SAP GRC 5.3 Version . When we initially Installed SAP GRC , we created a Ruleset "SAP Rule Set " based on SAP Provided Functions & Actions. Then we created one more Rule set for Client named "GLOBAL". On Course of time , we lost SAP RuleSet , as Global Ruleset was somw how copied to SAP Provided Ruleset
  Now , we need to have a fresh SAP RuleSet for comparison purpose with Customer Rule Set "Global ". We got the files from SAP GRC Folder
  1) If we upload this Files whether it will overwrite all Available Ruleset in System , (Client Specific "Global "& SAP RuleSet ) or do we have an option just to upload to only one Rule Set . We dont want "Global" Ruleset to be overwritten ?
  2) Also , Can you please tell me the steps which we need to perform to get thet SAP Rule Set Updated ?
  Thanks ,
  Jerry George

  Hello Jerry,
  1) This point has been discussed so far in the forums, for example:
  Loading multiple rulesets?
  GRC AC Rule Sets
  2) There's no automatic procedure. check here:  Note 1604722:
  Customers that have implemented Risk Analysis and Remediation should have customized the ruleset to meet their business requirements. Therefore, changes to the SAP best practice ruleset cannot be systematically updated via SAINT as it would potentially overwrite this customization.
  However, customers may want to evaluate the changes incorporated into the most recent SAP ruleset to determine if the changes should be added to their own ruleset.  Any modifications the customer desires to make will need to be manually made by the customer via the Rule Architect feature of access risk management.  The configuration guides available on SAP Service Marketplace provide detailed instructions on how to update rules via the Rule Architect.
  Cheers,
  Diego.

• SAP IdM / GRC 10 GRAC_REQUEST_STATUS_WS Table

  We are trying to find what tables in GRC provide the web services, like GRAC_REQUEST_STATUS_WS, their information.  We are seeing a situation where a GRC Access Request appears approved in GRC10 , but the status that gets read back into IDM (via the Polling Process) shows the status of FAILED.  So we want to be able to look at the table that has the status in it in GRC so we can verify what status was actually written to the status table and is then made available via the GRAC_REQUEST_STATUS_WS web service.  Again, we are using polling in IdM, so the status IdM is getting is actually fetched from GRC so we just need the name of the table to do some comparisons.
  If we have GRC do the provisioning instead of IDM, the status IdM receives (via the Polling Process) is OK.  Yet when IdM is to do the provisioning the status is always FAILED.  IF a resquest is disapproved in GRC, it comes back to IDM as FAILED (which is proper), but the approved requests are also coming back as FAILED.
  Has anyone seen this behavior before?

  Andrew,
  As you are looking for GRC tables, maybe you should post this to the GRC forum?  I would do it for you but I am not a moderator.  Maybe Christopher Leonard or Kristian Lehment can help?
  Matt

• SAP GRC precautions

  Hi SDN,
     We have SAP ERP system which is on 4.6c and SAP business objects GRC implemented in other standalone box. We are now upgrading to ECC 6.0 . my question what are the changes and precautions we need to take care when we upgrade our ERP system so that our GRC setup doesn't get affected.
  Regards!!

  Hi Madhu,
  You are saying that you have Ztransaction Codes and some of them are not going to exist. So I guess, your ruleset might have been customized as well. Though in market place we'll get the Global Rule Set, which is delivered along with the AC software (predefined one). It may not meet all your business requirements. it's better to have a back up of the current rule set. I suggest you to download the same and keep it for further comparison and analysis. Hope it'll helpful for you in postupgrade scenario.
  Coming to RFC destination, in general there won't be any change after upgrade. But it's better to take screenshots of all the RFC destination and their configuration details and keep it with you. If any RFC doesn't work properly after upgrade, it'll help you to check and rectify the same.
  All the very best.
  Regards,
  Gurugobinda

• SAP GRC vs. other GRC Systems

  Hi experts,
  does anyone has some information or a link regarding grc system comparisons, e.g. SAST vs. SAP GRC or in general? I didn't find anything about such comparisons, but I think it is helpful whlie discussing with the client and know disadvantages of other GRC systems.
  Thanks
  Tobi

  Hi Tobi,
  I've found the best approach is to talk directly to the vendors and build up your understanding that way.  I am not aware of any links that have any reasonable level of info.
  I've evaluated most of the solutions in this area and as you can imagine, a lot of the decent information is under NDA.  I appreciate what you are trying to achieve but personally I don't think a forum sponsored by SAP is the sort of place to discuss competitors.
  Cheers
  Follow me @grccomparisongurutypefella

• GRC- Cutover/GoLive activities List

  Hello All
  We will approaching practice cutovers next month for GRC Access controls and wanted to validate aming the forum what the exhaustive list of Cutover and Golive activities are with respect to the 4 GRC-AC components.
  If anybody has a list and sequence please post them here or inform me: khannat2 gmail
  thks

  Make sue that the PRD GRC is pointed/connected at the PRD R/3 Servers (always a good start) and test them.
  CC - you need rulset upload files to be created
  AE - you need workflow configuration documented
  FF - make sure you have sufficient background jobs set up to collect the information
  Make sure that the FireFighter users, controllers, owners etc have the correct access
  In Target systems
  Make sure that correct versions (NH and HR) versions of the RTA are installaed
  Make sure that the latest versiosn of the RTAs are installed
  Make sure that your RFC user(s) have appropriate access rights
  Make sure that the logon groups have been set to external access
  In General
  Install the latest patches to AC 5.2

• GRC Ruleset for Logistics (IS-D, IS-M)

  Dear All,
  I'm working on a GRC Implementation project & need GRC Ruleset for IS-Media & IS-D (Circulation) Modules. As No Standard rulset is available for these modules, any guidance on Custom ruleset will be of great help.
  Regards,
  Sudhakar S

  hi Nathan,
  SAP provide pre defined rules as text files in 5.x and as BC sets for activation in 10.0. You should be able to find the BC sets within your system (should contain the words GRAC and RULESET). Over the years the rule sets delivered by SAP have been updated and refined, but majority of the rules defined have remained the same as a whole.
  From these pre delivered rules you should be able to compare the "standard" definition to your custom rule definitions.
  I Hope that helps.

• DEVOLUÇÃO DE EXPORTAÇÃO - CFOP 3201 - GRC VALIDA DADOS DI.

  Boa tarde a todos!
  Estamos em um projeto de NFE XML 2.00 e nos deparamos com o seguinte erro:
  Ao emitirmos um NF-e de devolução da mercadoria que se encontrava no Porto (devolução de exportação - CFOP 3201), a validação do monitor GRC informa que é necessário constar os dados de importação, apesar deste processo não se tratar de importação. Os seguintes logs de validação são gerados:
  Erro de validação: campo Código do fabricante estrangeiro no sistema. Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_ADI-CFABRICANTE, ID campo I028)
  Erro de validação: campo Nº da adição. Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_ADI-NADICAO, ID campo I026)
  Erro de validação: campo Nº sequencial do artigo na adição. Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_ADI-NSEQADIC, ID campo I027)
  Erro de validação: campo . Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_IMP-CEXPORTADOR, ID campo I024)
  Erro de validação: campo . Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_IMP-DDESEMB, ID campo I023)
  Erro de validação: campo . Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_IMP-DDI, ID campo I020)
  Erro de validação: campo . Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_IMP-NDI, ID campo I019)
  Erro de validação: campo . Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_IMP-UFDESEMB, ID campo I022)
  Erro de validação: campo . Campo é obrigatório e não pode ficar em branco. (campo IT_NFE_IMP-XLOCDESEMB, ID campo I021)
  Estamos no SAPK-10015INSLLNFE e as seguintes notas relacionadas a validação estão aplicadas:
  1493980     Validation for field xJust in cancel and skipping messages
  1499921     Problem with validation after implementing SP15
  1500046     Upgrade validation rule for field ID for version 2.00
  1500742     Adjust validation for field NADICAO and NSEQADIC layout 2.00
  1502217     Extend validation rules for , layout 2
  1504379     Adjust validation for field X_CLISTSERV
  1511291     Update allowed values for field E1_CPAIS for validation
  1511577     Update validation rules for field VUNCOM_V20
  1520861     Update validation rules for OIL_CPRODANP and OIL_UFCONS
  Não encontrei nenhuma nota SAP recente para o componente SLL-NFE que seja relacionada a este problema.
  Desde já agradeço pela ajuda.
  Sds / Renato Penido.

  Boa tarde, Fernando,
  Obrigado pela pronta resposta.
  Debugamos a BADI e descobrimos que os dados de importação estão sendo gravado "em branco", gerando o erro de validação no GRC, tal qual dito por você.
  Aprimoramos a lógica da BADI para que a tag de importação não seja preenchida indevidamente para as notas de devolução do porto e as notas foram aprovadas.
  Muito obrigado,
  Renato Penido.