SAP BPM Flow Rule set error: Result for ResultSet is required.

Similar Messages

• Best practice for the Update of SAP GRC CC Rule Set

  Hi GRC experts,
  We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
  Which is a best practice for accomplish our goal?
  Many thanks in advance. Best regards,
    Imanol

  Hi Simon and Amir
  My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
  I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
  Connie

• "sync-rule-inbound-flow-rules-invalid" error on synchronizing an Inbound Sync Rule from the FIM connector space to the Metaverse

  I have created an inbound sync rule in the FIM portal to import groups from an external system (SQL Server) into the metaverse.  I can import the rule from the FIM MA into the FIM connector space but when I run a full sync on the FIM MA I get the error
  "sync-rule-inbound-flow-rules-invalid".  The only way I have found around the error is to remove all the attributes from Inbound Attribute Flow in the sync rule.  However, this defeats the purpose of having the sync rule in the first place.  Searching
  the Web, I have come across posts from other people with "sync-rule-inbound-flow-rules-invalid" problems but the solutions do not seem to work in my situation. 
  A little background about the sync rule
  Metaverse Resource Type: group
  External System Resource type: group
  Relationship Criteria: accountName (metaverse) = "string field" (ConnectedSystemObject)
  Create resource in FIM: yes
  Inbound attribute flow:
  - Domain
  - Member
  - DisplayName
  - accountName
  - MembershipLocked
  - MembershipAddWorkFlow
  - Type
  - Scope
  I am new to FIM so it's possible I have overlooked something in the setup of this sync rule.  Any suggestions on possible causes of this issue would greatly appreciated.

  There is no scope filter.   In regards to the attribute flows, no functions are used.  Here is further information about the attribute flows
  Set up of Inbound attribute flow for the inbound Synchronization Rule.
  Metaverse External System (SQL Server View)
  - Domain  Domain (string)
  - Member Member (multi value attribute)
  - DisplayName ObjectDescription (string)
  - accountName ObjectID (string)
  - MembershipLocked 'false' (set up as a string literal)
  - MembershipAddWorkFlow 'Owner Approval' (set up as a string literal)
  - Type 'Security' (set up as a string literal)
  - Scope 'Universal' (set up as a string literal)
  Is this the info you were asking for?  If not, please clarify what details you are looking for in regards to the  sync rule.

• Deletion Flag setting Error message for production order

  "Unprocessed future change recs for orders prevent del. flag/completion"
  I tried to used COFC and CO1P but didn't work out?
  How to fix this issue i am trying to set deletion flags for certain production orders?
  If i even found errors in final confirmations how to fix them

  Hi Aparna,
  This is absolutely fine to set the deletion flag to archieve the Production Orders.
  For this error, which you are getting, there could be entries in COGI or CO1P..
  Whether you are using Process Control (check in OPK4)?
  If that is the case you should have got the entries in CO1P.
  Can you see any entries in COGI? even 102 movement against the order?
  Check once again and revert for further discussion..
  Regards,
  Siva

• How to set error message for 541 Movement type

  Dear gurus,
              I want to know that is it possible to set error message through any configuration? My requirement is that when we create issue document using m.t 541 it will not allow me to process that document without releasing PO document.so for that i want to set error message.
  <removed by moderator>
  Message was edited by: Jürgen L

  Hi,
     The subcontracting goods issue can be done even without PO reference. If your organization is strictly following the goods issue against PO only and you want to restrict the goods issue if the PO is not released, then you may check the below option. Please note that the below option is available in standard only from EHP 4 or above.
  1. Refer the KBA: 1915825 - Transfer Posting reference to a Purchase Order in MIGO and activate the PO reference option in MIGO - Transfer posting.
  2. Restrict the use of 541 movement in MB1B - Go to OMJJ and enter movement type as 541. Now go to "allowed transactions" folder and remove MB1B. Now the user cant use 541 in MB1B.
  3. Maintain the field - Purchase order as mandatory field for the movement type 541 in OMJJ.
  4. Train the users to use MIGO - Transfer Posting - Purchase order option for goods issue with 541 movement.
  5. If the PO is not released, system wont allow to use the PO in MIGO - Transfer Postings.
  6. If the user is selecting Transfer Posting - Other, system wont check the PO and hence it will allow to post the goods issue even if PO is not released. You may take organizational measures to restrict the usage or you may check for authorization concept - Refer the note: 773003 - MIGO: No authorization object for action/reference document
     If you are below EHP 4, there is no standard functionality available for the requirement as of my knowledge. If so, you may go for development to restrict the same.
  Regards,
  AKPT

• Quality check on Business Rules gives strang result for OMS-60005

  OMS-60005 Functions used to record business rules should be labeled as:
  BR_[entity short name]###([decomposition id])_[type abbreviation]
  BR_IDE024_CEW, BR_IDE029_CEV, BR_IDE030_CEW, BR_IPF004_CEW are violations but they are valid as far as I know.

  Yes my particular issue is not like yours. However, there have been many other laptop users experiencing similar problem to yours after 3.10 kernel. Mostly it seems to be bumblebee users that experience your problem with the blank screen. We do know that nvidia have yet to make their official drivers work with kernel 3.10 and up. The drivers in the Arch repository have been patched to work with 3.10. From what I have seen, this also only seem to be affecting laptops with newer nvidia gpu's. I fear there is not much to do with this problem until nvidia give official 3.10 kernel support.
  My suggestion would be to stick with 3.9.9 kernel and the drivers that work with it, and don't upgrade those packages until nvidia has addressed these issues. If you have a look at the nvidia forums you will see quite a number of topics mentioning black screen when starting x on 3.10 kernel, and also a thread for the system dying. Reading some of the threads there may help you keep up to date on whether or not the issue seem to be solved.
  https://devtalk.nvidia.com/default/board/98/

• Rule Sets for ICM in CC 4.0

  Hello,
  We are adding the Incentive and Commissions Management (ICM) module to SAP, and would like to know if there are any Virsa rule sets pre-defined for it.
  Thanks,
  Michael

  Michael,
     As far as I know, rule set for ICM is not developed and not available. You will have to develop your own rule set.
  Regards,
  Alpesh

• RAR: Global Rule set

  Hi,
  I am wondering if the latest global rule set contains the tcodes, authorization objects and values based on the latest version of SAP? If yes, can this global rule set be applicable for SAP version 4.7 ?
  Thanks,
  Debbie

  Hello Rajesh,
  Hope this information from SAP helps you.RAR Rule Update - Documentation
  It is not possible to programmatically send out updates to the default ruleset (i.e. via transports or STMS). 
  This is because rule uploads only overwrite and not append.  As every company should have made changes to their ruleset, SAP cannot send out rule updates as this would overwrite the customization done by each company
  Since the SAP acquisition of Virsa, there have been seven updates to the supplied ruleset which are described in detail in SAP notes below.
  1061380 u2013 Q2 2006
  1035070 u2013 Q1 2007
  1083611 u2013 Q3 2007
  1173980 u2013 Q2 2008
  1326497 u2013 Q2 2009
  1446680 u2013 Q2 2010
  1604722 u2013 Q3 2011
  These notes provide a company a detailed Word document that summarizes the changes made. 
  The company must go through these changes to evaluate if they agree with the SAP supplied change. 
  If they agree, the company will have to make the change manually via the Rule Architect.
  To get more details, please refer to note#986996
  Regards,
  Renuka

• Basic techno functional question on PCG flow rule.

  Lets say i want to create a flow rule to enforce approval for contractor user accounts in EBS. Iam able to generate a approval notification when a contractor user account is created. Also by a form rule i have defaulted an end date for the user account by which the account cannot be accessed until its approved. Now lets say the notification is approved, how will i bring in this approval and release the end date in the user account automatically.
  I saw the examples use a sql to pass this approval but they are using some custom package.procedure for this. But iam not sure if i can use this but i need a way to achieve this.Can someone share their thoughts on this?

  Yes, i did look at that. They are using the following. They are custom packages. Does this mean that we need to write custom package for each and every process flow which involves approval process?
  DECLARE
  V_ITEM_TYPE VARCHAR2(30);
  V_ITEM_KEY VARCHAR2(30);
  BEGIN
  V_ITEM_TYPE := #V_ITEM_TYPE#;
  V_ITEM_KEY := #V_ITEM_KEY#;
  LAA_APPS_ACCESS_ONLINE.WF_APPROVE_CONFLICT(V_ITEM_TYPE, V_ITEM_KEY);
  END;
  DECLARE
  P_ITEMTYPE VARCHAR2(30);
  P_ITEMKEY VARCHAR2(30);
  BEGIN
  P_ITEMTYPE := #V_ITEM_TYPE#;
  P_ITEMKEY := #V_ITEM_KEY#;
  --LA_CHANGECENTER_API.LA_CC_REJECT(V_ITEM_TYPE,V_ITEM_KEY);
  --LA_CC_APP_PKG.LA_CC_APPROVE(P_ITEMTYPE,P_ITEMKEY);
  LA_CHANGECENTER_API.LA_CC_APPROVE(P_ITEMTYPE,P_ITEMKEY);
  END;

• Wants to build caree in SAP BPM

  Hi,
  I have 5 years of experience as a PLM Consultant. I have involved in configuring and customizing of PLM solution to suit to various business needs for various customers.
  I would like make my career in SAP technologies. I see SAP BPM would be the right tool for my career transformation. Please suggest what are the technologies do i need to look into to be a SAP Consultant.

  Hi,
  From where u hv learned all these SAP Stuff ? R U still looking for job ?? If so keep on trying it may take some time but definitely u will get it .  But at the same time if u get some job in non  SAP platform then try  to get that n t later on u can try for better oppurnity .
  Try to apply online in  TCS / WIPRO/ IBM/ CTS/SATYAM / ITC etc ....
  Good Luck.,
  Cheers.

• Rule set customization Document

  Hi ,
  Can someone please help me to locate  " GRC Access Control Effective Rule Set Design document " on SDN or on Google  .
  I have been searching for this documnet for some time , however couldnt locate this . This document was referenced in some earlier forum questions as well.
  I am working for a rule set customization documnet for my client and would like to refer this document . Would also appreciate if someone can help me or guide me here to what all contents i can include in this document. As per the requirement , this has to be a high level document that explains the rule set customization process. Any refrence links or procedure here would be a great help for me to start with .
  Thanks everyone for your valuable time.
  Thanks guys ... Vikas

  [http://download.oracle.com/docs/cd/B28359_01/server.111/b28321/strms_rules.htm#i1006137]

• Error while uploading standard text files for the Global rule set

  Hi all,
  As part of Post Installation Activities we have uploaded standard text files for business process, functions, risks and rule set obtained with the installable Software.
  While uploading the text files we have uploaded the Basis Functions Authorizations first and then R/3 text files.
  When we checked no actions are appearing in the rule architect under respective functions except for the BASIS Module.
  Is this because we have uploaded the Basis functions before the R/3 text files?If yes, how to replace the Basis with the R/3 ones.
  We tried to replace the Basis function authorizations by re-uploading the R/3 text files again but we got the below error message u201CORA-00001:unique constraint (SAPSR3DB.SYS_C004479) violatedu201D
  Can somebody please help in this regard how to get the standard rule set in our system?
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you should upload first the static text files and the authorization objects first and then the GRC standard rule set files following the instructions of the SAP Configuration Guide available in Service Market Place under http://service.sap.com/instguides .
  The GRC standard rule set contains files named Basis_functions_action.txt and R3_function_action.txt. The first one contains ONLY function definitions in terms of transcation codes for basis only, whereas the second one contains functions definition for basis AND ERP modules. The same holds for the *_function_permission.txt files. There are also function definition files for other SAP solutions such as APO, CRM, HR  etc.
  You can open a customer message and request a deletion script for the rule sets files you have uploaded already. After their application of this script all rule set data will be deleted from your database. If you have uploaded static text and authorization files correctly, you can then upload the GRC standard rule set files as needed again.
  best regards,
  Frank

• SAP GRC 5.2 Compliance Calibrator rule sets for HR module

  HI All,
  The company i am working for has done installation of GRC 5.2. I would like to download the SAP out of box Compliance Calibrator rule sets for HR function module in a spreadsheet format.
  I would like to download the rule set for risks at Function level, Tcode level and also at authorization object level in ABAP and Roles, actions and permissions in JAVA.
  I will discuss with the BPAs, internal auditors and come up with a new rule set exclusively for my company needs with the help of the above spreadhseet.
  Please tell me what steps i need to do to get this thing done.

  Please go through the process but save these as txt files for UNIX. I am not sure about 5.2 but CC4 was not uploading rule files correctly if file was not saved for TXT for UNIX.
  Regards,
  Harry Sidhu

• For GRC 5.3 can I use the SAP GRC 5.2 rule set

  We are going for an upgrade to GRC 5.3,  I have a small concern here....
  Can I use the same ruleset what I used in GRC 5.2 to SAP GRC5.3 ...?
  because when I checked ruleset at permission level in GRC 5.2 it displays first object of an action from one function conflicting with first object of an action from another function, where as in GRC 5.3 it displays all objects of an action from one function vs all objects of an action from another function....
  How will it impact analysis in GRC 5.3 with old rule set...?
  appreciate your response & thanks in advance.

  Hi,
  Here you will find the documentation to get Upgrade/Configuration Guides.
  [https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718172&]
  SAP BusinessObjects Governance --> Access Control ---> SAP GRC Access Control 5.3
  There you will find a Upgrade guideline.
  Cheers,
  Martin

• Do you trust the SAP standard rule set ?

  Hello all,
  I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
  As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
  1. what is your SAP release  ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
  2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
  Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
  So, the best practice is :
  a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
  b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
  You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
  Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
  Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
  Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
  Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
  Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
  Success !
  Sam

  Sam and everyone,
  Sam brings up some good points on the delivered ruleset.  Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
  I'll try to address each area that Sam brings up:
  1.  Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
  The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
  The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
  If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
  Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
  2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  A example is ME21N. 
  If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the object, M_BEST_BSA.  This is to prevent false negatives.
  3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
  4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
  1083611 Compliance Calibrator Rule Update Q3 2007
  1061380 Compliance Calibrator Rule Update Q2 2006
  1035070 Compliance Calibrator Rule Update Q1 2007
  1173980 Risk Analysis and Remediation Rule Update Q2 2008
  5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
  6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
  https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
  Under Key Topics - Access Control; choose document below:
      o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
  The access risk management guide helps you set up and implement risk    
  identification and remediation with GRC Access Control.