Standard rule-set for IS-H solution

Hello all,
I would like to have the standard rule-set for the IS-H solution (Healthcare). I know that it should be developed by the business owners, technical team and auditors, but it will be a helpful resource as a starting point.
I would appreciate it if any of you could share it with me.
Thanks and regards!

Hi Marina,
The basis rule set will contain only basis-relevant risks, which, as you say, will apply only to the backend.
There are no default rulesets for reports. I am pretty sure you could create a custom ruleset for BW reports, if you wanted to.
Regards,
Chinmaya

Similar Messages

  • Do you trust the SAP standard rule set ?

    Hello all,
    I have the impression that, too often, the SAP standard ruleset has been taken for granted: upload, generate and use. Here is a post as to why not to do so. Hopefully, this will generate an interesting discussion.
    As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The following 2 questions deal with this topic:
    1. What is your SAP release? ---> 46C is different from ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently, some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to be provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search of who can do what in SAP.
    2. What are your customizing settings and master data settings? --> Depending on these answers you will have to (de)activate certain permissions in your functions. E.g. are authorization groups for posting periods, business areas, material types, ... being used? If this is not required in the SAP system and is activated in the SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk of false negatives!
    Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point.
    So, the best practice is:
    a. collect SAP-specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
    b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
    You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity... That is, in case you decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly into SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent!
    Is this questionnaire really necessary? Can't I just activate all permissions in every function? Certainly not, because that would - and here is the main problem - filter too many users out of your audit results because the filter is too stringent. This practice would lead to false negatives, something that auditors do not like.
    Can't I just update all my functions based on my particular SU24 settings? (By the way, if you don't know what SU24 settings are, then ask your role administrator. He/she should know.) Yes, if you think they are on target, you can, by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-uploading, and going into change mode for every function so that the new permissions are imported based on your SU24 settings. Also very cumbersome, and with the absolute condition that your SU24 settings are maintained excellently.
    Why is that so important? Imagine F_BKPF_GSB, the auth object to check on auth groups on business areas within accounting documents. Most role administrators will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported into the role when - for example - FB01 has been added to the menu. But the role administrator inactivates the object in the role. Still no problem, because the user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 setting will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
    Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB? Now you see why. But they go too far at times and are even incorrect. Example: go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated: F_BKPF_BEK and F_BKPF_KOA. The very basic authorizations needed to be able to post an FI document are F_BKPF_BUK and F_BKPF_KOA. That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
    Again, the message is: be very critical when looking at the SAP standard rule set. So, test thoroughly. And if you're not sure, leave the job to a specialized firm.
    Success !
    Sam

    Sam and everyone,
    Sam brings up some good points on the delivered ruleset. Please keep in mind, however, that SAP has always stated that the delivered ruleset is a starting point. This is brought up in SAP Note 986996, Best Practice for SAP CC Rules and Risks. I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
    I'll try to address each area that Sam brings up:
    1. Regarding the issue with differences of auth objects between versions, the SAP delivered ruleset is not meant to be version specific. We therefore provide rules with the lowest common denominator when it comes to auth object settings.
    The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
    The underlying assumption is that we want to ensure the rules do not have any false negatives. This means that we purposely activate the fewest auth objects required in order to execute the transaction.
    If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
    Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts, which can be further filtered by the customer, versus excluding users that should be reported.
    2. For the customizing settings, as per above, we strive to deliver rules that are base-level rules that are applicable for everyone. This is why we deliver only the core auth objects in our rules and not all. An example is ME21N.
    If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain. However, in the rules we only enable one of the objects, M_BEST_BSA. This is to prevent false negatives.
    3. Sam is absolutely right that the delivered auth object settings for FB01 have a mistake. The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK. This was a manual error on my part. I've added this to a listing to correct in future versions of the rules.
    4. Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed. See the SAP Notes below as well as the posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
    1083611 Compliance Calibrator Rule Update Q3 2007
    1061380 Compliance Calibrator Rule Update Q2 2006
    1035070 Compliance Calibrator Rule Update Q1 2007
    1173980 Risk Analysis and Remediation Rule Update Q2 2008
    5. SAP is constantly working to improve our rulesets, as we know there are areas where the rules can be improved. See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008. A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
    6. Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
    https://www.sdn.sap.com/irj/sdn/bpx-grc
    Under Key Topics - Access Control, choose the document below:
        o  GRC Access Control - Access Risk Management Guide (PDF 268 KB)
    The access risk management guide helps you set up and implement risk identification and remediation with GRC Access Control.
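    The mechanism both posts above argue about (each activated permission on a function's permission tab narrows the set of users the risk analysis reports, so an unneeded object such as F_BKPF_GSB, or the wrong one such as F_BKPF_BEK instead of F_BKPF_BUK, silently drops users who can really post via FB01) can be seen in a small model. This is an added example written for this page, not SAP's or Virsa's code; the users, their role contents and the three AP02 variants are constructed, and the filter is a deliberate simplification of permission-level risk analysis (one tcode plus a set of activated objects per function).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    tcodes: frozenset        # transaction codes the user may start
    auth_objects: frozenset  # authorization objects actually ACTIVE in the user's roles


@dataclass
class Function:
    fid: str
    # tcode -> authorization objects activated on the function's permission tab
    permissions: dict


def users_able_to_execute(users, func):
    """Simplified GRC permission-level filter: a user is reported for a function
    when they can start one of its tcodes AND hold every activated permission
    defined for that tcode. Each extra activated object narrows this set."""
    hits = set()
    for user in users:
        for tcode, needed in func.permissions.items():
            if tcode in user.tcodes and frozenset(needed) <= user.auth_objects:
                hits.add(user.name)
    return hits


def false_negatives(users, func, can_really_execute):
    """Users known (e.g. from a test posting in the backend) to execute the
    function but silently missed by the filter: the auditor's main concern."""
    return set(can_really_execute) - users_able_to_execute(users, func)


# Constructed users. Only F_BKPF_BUK and F_BKPF_KOA are the basic objects
# needed to post an FI document via FB01; F_BKPF_GSB (business-area auth
# groups) and F_BKPF_BEK (vendor account auth groups) are optional and were
# left inactive in the accountant's role because those auth groups are unused.
USERS = [
    User("accountant", frozenset({"FB01"}),
         frozenset({"F_BKPF_BUK", "F_BKPF_KOA"})),
    User("treasurer", frozenset({"FB01"}),
         frozenset({"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB", "F_BKPF_BEK"})),
    User("viewer", frozenset({"FB03"}), frozenset({"F_BKPF_BUK"})),
]
# Ground truth for this constructed landscape: both can actually post documents.
CAN_POST = {"accountant", "treasurer"}

# AP02 as delivered (per the post above): F_BKPF_BEK instead of F_BKPF_BUK.
AP02_DELIVERED = Function("AP02", {"FB01": {"F_BKPF_BEK", "F_BKPF_KOA"}})
# AP02 corrected to the basic objects only.
AP02_CORRECTED = Function("AP02", {"FB01": {"F_BKPF_BUK", "F_BKPF_KOA"}})
# AP02 with every SU24 check/maintain object activated (the "activate all" shortcut).
AP02_ALL_SU24 = Function("AP02", {"FB01": {"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB"}})


def compare_variants():
    """Return the false negatives each AP02 variant produces against ground truth."""
    return {
        "delivered": false_negatives(USERS, AP02_DELIVERED, CAN_POST),
        "corrected": false_negatives(USERS, AP02_CORRECTED, CAN_POST),
        "all_su24": false_negatives(USERS, AP02_ALL_SU24, CAN_POST),
    }


if __name__ == "__main__":
    for variant, missed in compare_variants().items():
        print(f"{variant:10s} users missed by the filter: {sorted(missed) or 'none'}")
```

    Only the corrected variant reports every user who can really post; the delivered and the over-activated variants both miss the accountant, which is exactly the false negative the thread warns about.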

  • SAP GRC 5.2 Compliance Calibrator rule sets for HR module

    HI All,
    The company I am working for has done an installation of GRC 5.2. I would like to download the SAP out-of-the-box Compliance Calibrator rule sets for the HR function module in a spreadsheet format.
    I would like to download the rule set for risks at Function level, Tcode level and also at authorization object level in ABAP, and Roles, actions and permissions in JAVA.
    I will discuss with the BPAs and internal auditors and come up with a new rule set exclusively for my company's needs with the help of the above spreadsheet.
    Please tell me what steps I need to do to get this done.

    Please go through the process but save these as txt files for UNIX. I am not sure about 5.2, but CC4 was not uploading rule files correctly if the file was not saved as TXT for UNIX.
    Regards,
    Harry Sidhu

  • Same rule set for two apply processes

    Hi!
    Can anyone tell me whether it is possible to use the same rule set, and all rules in it, for two apply processes? It would be easy for me to use such a configuration, because sometimes I create LCRs myself and sometimes Oracle captures them. They're exactly the same.
    And a second question - I tried the above configuration, but the apply process for user-created LCRs aborts when it sees the first message. The error is: "ORA-00600: internal error code, arguments: [knlcfpactx:any_knlso], [], [], [], [], [], [], []". Oracle MetaLink and Google know nothing about this error. I also don't know if it's somehow connected with these rule sets or is a problem within my procedure which creates LCRs.
    Greetings

    I'm answering myself. Yes, it is possible to use the same rule set for different processes. It is said in the documentation. It is also possible to use one rule in several rule sets, according to the documentation.
    And it seems that it has nothing to do with my ORA-00600 error.

  • How to Modify the standard layout set for Sales Order

    Hi all,
    Do we have any SAP-defined standard to modify the sales order? If not, how do we modify the standard layout set for Sales Order? Also, please send me the step-by-step procedure for the same.
    Thanks in advance
    Santosh R

    Hi, Dear Ferry Lianto,
    Thank you very much.
    Commonly I know the total pricing procedures.
    But, would you please tell me how to control the CURRENCY for the subitem of a condition type as follows?
    For example, I can see the following kind of contents in the Conditions tab of a sales order:
    PR00     Price     130.00000      TEST     100
         Gross Value     20.12      USD     100 <-how to
         Discount Amount     0.00      USD     100
         Rebate Basis     20.12      USD     100
         Net Value for Item     20.12      USD     100
         Net Value 2     20.12      USD     100
         Net Value 3     20.12      USD     100
    VPRS     Cost     27.22      HKD
         Profit Margin     16.61      USD
    The currency of PR00 (price) can be controlled via tcode VK12; but how do I control the currency of its subitems such as gross value, discount amount, net value for item, net value 2 and net value 3...
    Thanks and regards.

  • Rule Sets for ICM in CC 4.0

    Hello,
    We are adding the Incentive and Commissions Management (ICM) module to SAP, and would like to know if there are any Virsa rule sets pre-defined for it.
    Thanks,
    Michael

    Michael,
    As far as I know, a rule set for ICM is not developed and not available. You will have to develop your own rule set.
    Regards,
    Alpesh

  • List of Standard BC sets for OM and PA

    Hi,
    Request you to help me with any standard list of OM and PA BC sets. Hope for your reply soon.
    Thanks,
    Sonu

    Check whether BC Sets are activated or not through tcode SCPR20PR. If not activated, then activate them with tcode SCPR20.
    BC Sets for HR
    EA-HR-MENU
    EA-HR-AKH
    EA-HR-IMG
    Check with SAP Notes as well..
    855959 - Activation of Extension Sets via SPRO not successful
    719694 - Activating BC Sets in the production system
    Mohan

  • What is Completion Rule Setting for Item Category KBN?

    Hi,
    In the standard SAP configuration, what is the setting of Completion Rule for Item Category KBN? In our system, currently it's set to "B".
    Thanks!

    Dear Mari
    In Standard, item category KBN will have "A" as billing relevance.
    "A" indicates what the basis for billing should be.
    Billing is based on the outbound delivery. Billing status is only updated in the outbound delivery.
    For information, in standard, both KBN and KEN item categories will have "A" as Billing Relevance, and in KEN, "W" will be maintained in the field "Special Stock".
    Thanks
    G. Lakshmipathi

  • Error while uploading standard text files for the Global rule set

    Hi all,
    As part of Post Installation Activities we have uploaded standard text files for business process, functions, risks and rule set obtained with the installable Software.
    While uploading the text files we have uploaded the Basis Functions Authorizations first and then R/3 text files.
    When we checked no actions are appearing in the rule architect under respective functions except for the BASIS Module.
    Is this because we uploaded the Basis functions before the R/3 text files? If yes, how do we replace the Basis ones with the R/3 ones?
    We tried to replace the Basis function authorizations by re-uploading the R/3 text files again, but we got the below error message: "ORA-00001: unique constraint (SAPSR3DB.SYS_C004479) violated"
    Can somebody please help in this regard how to get the standard rule set in our system?
    Thanks and Best Regards,
    Srihari.K

    Hi Sri,
    You should upload the static text files and the authorization objects first, and then the GRC standard rule set files, following the instructions of the SAP Configuration Guide available in Service Market Place under http://service.sap.com/instguides .
    The GRC standard rule set contains files named Basis_functions_action.txt and R3_function_action.txt. The first one contains ONLY function definitions in terms of transaction codes for basis only, whereas the second one contains function definitions for basis AND ERP modules. The same holds for the *_function_permission.txt files. There are also function definition files for other SAP solutions such as APO, CRM, HR etc.
    You can open a customer message and request a deletion script for the rule set files you have uploaded already. After this script has been applied, all rule set data will be deleted from your database. If you have uploaded the static text and authorization files correctly, you can then upload the GRC standard rule set files as needed again.
    best regards,
    Frank

  • RA&R rules 5.3 changes compared to standard global rule set

    Good day,
    Please can someone assist me. I need to compare a client's customised rule set to the standard rule set, and document where changes have been made. (There is no log of the changes.) A client has made modifications to the rule set; we are not sure if these modifications were valid, so we need to compare these to the standard rule set. The problem is that the client has modified the "GLOBAL" rule set, so I do not have a base rule set to work from. I have looked at the initial upload files, but they are not easily compared with the current production rule set. Does anyone have any solutions as to how this could be achieved?
    Thank you and Kind Regards
    Jill

    Hi,
    How has the client modified the GLOBAL rule set in RAR? Have they just deactivated the risks in the global rule set, or deleted the risks permanently?
    If they deactivated the risks in the GLOBAL rule set, just download the rules through Utilities (Configuration) and check the values which have '0' (zero) values; only those risks are deactivated. It is the better process to segregate the rule set.
    Regards,
    Arjuna.
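    One way to carry out the comparison Jill asks for, along the lines Arjuna describes (download the rules, look for risks with a '0' status, and set the result against the initial upload files), is to diff the two exports mechanically. This is an added example written for this page, not code from the thread or from SAP; the two tab-separated files below are constructed, and their column layout (RISK_ID, STATUS, FUNCTIONS) is an assumed simplification, not the real RAR download format, so the parser would need adjusting to the actual columns.

```python
import csv
import io

# Constructed baseline: the standard rule set as initially uploaded.
# STATUS is 1 for active and 0 for deactivated; FUNCTIONS is a comma list.
STANDARD_EXPORT = """\
RISK_ID\tSTATUS\tFUNCTIONS
P001\t1\tPR01,AP02
P002\t1\tPR01,PR02
F001\t1\tGL01,AP02
B001\t1\tBS01,BS02
"""

# Constructed download of the client's modified GLOBAL rule set.
CLIENT_EXPORT = """\
RISK_ID\tSTATUS\tFUNCTIONS
P001\t0\tPR01,AP02
P002\t1\tPR01,PR02,ZPR9
B001\t1\tBS01,BS02
Z001\t1\tZF01,AP02
"""


def parse_export(text):
    """Map RISK_ID -> {'active': bool, 'functions': frozenset} from an export."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {
        row["RISK_ID"]: {
            "active": row["STATUS"] == "1",
            "functions": frozenset(f for f in row["FUNCTIONS"].split(",") if f),
        }
        for row in rows
    }


def compare_rule_sets(standard_text, client_text):
    """Report every way the client set departs from the standard baseline:
    risks switched to status 0, risks removed outright, risks added, and risks
    whose function assignment changed (both directions listed)."""
    standard = parse_export(standard_text)
    client = parse_export(client_text)
    report = {"deactivated": set(), "deleted": set(),
              "added": set(client) - set(standard), "functions_changed": {}}
    for rid, base in standard.items():
        current = client.get(rid)
        if current is None:
            report["deleted"].add(rid)
            continue
        if base["active"] and not current["active"]:
            report["deactivated"].add(rid)
        if base["functions"] != current["functions"]:
            report["functions_changed"][rid] = {
                "added": current["functions"] - base["functions"],
                "removed": base["functions"] - current["functions"],
            }
    return report


if __name__ == "__main__":
    result = compare_rule_sets(STANDARD_EXPORT, CLIENT_EXPORT)
    for key in ("deactivated", "deleted", "added"):
        print(f"{key:10s}: {sorted(result[key]) or 'none'}")
    for rid, change in result["functions_changed"].items():
        print(f"{rid}: functions added {sorted(change['added'])}, "
              f"removed {sorted(change['removed'])}")
```

    Each reported item is a change that the client must be able to justify, which is the documentation Jill is after; a deleted risk (F001 here) would not show up at all in a status-only check, so the baseline file is still needed.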

  • SAP Standard BI extractor for EhP4/5 Performance Management Solution

    Hi,
    Are there any SAP Standard BI extractors for the Performance Management Solution in EhP4/5? Could you please be so kind as to tell me where I can find the info about it?
    ...Naddy

    Here is the BI Content for EhP5 Perf. Mgt: http://help.sap.com/erp2005_ehp_05/helpdata/EN/3e/80d8cd269142db93cdcffeecfa2a93/frameset.htm

  • SAP IS-Media SoD Rule Set

    Hi Everyone
    I would like to know if anyone has a rule set for the IS-Media SAP solution, especially for the M/SD and M/PS modules.

    Hi Ricardo,
    A few years ago I was looking for IS specific rule sets also, but it seems that there is no SAP standard developed version openly available. I know some GRC implementing specialists (and audit companies) have built up so called "Starter" rule sets for IS solutions, but to get your hands on it, you would have to involve them in your project and allow them to devise a custom governance framework and rule set for your company (i.e. pay for their services and intellectual property).
    From personal experience, if you have a confident understanding of the SAP standard rule set, you could relate IS specific t codes to the standard ECC tcodes and make custom functions and risks similar to the ones in the SAP standard rule set.
    In addition, I would also get function specialists, Internal and External Audit involved and see if any risks have been reported in regards to your IS-Media transactions/processes and see if you can write your own rules up with the information at hand.
    If you feel you have little confidence in trying to devise your custom rules and instead need professional help, it may be worth reaching out to your auditors or the GRC specialists to help you devise the ruleset.
    Hope that helps.

  • SAP GRC 5.3 - Standard Text files for RAR - Are they complete

    Dear All,
    Does the standard text file SoD rule set provided by SAP cover all the standard SAP transaction codes which are available in ECC6.0 and other systems as well?
    Because we found that there are some t-codes which do not form part of the standard SoD rule set, e.g. MIGO_TR - Transfer posting, ME11, ME58 - Create PO, CKME - Release planned prices etc. Like this, there are some standard t-codes which are not part of the functions in the standard rule set.
    We have a challenge from the client that the standard rule set provided by SAP might have covered all the standard t-codes for the SoD rule set and it has to be customized only to the extent of custom t-codes (Y & Z t-codes).
    Is this correct? How frequently are the text files updated? I remember the last release of text files was along with the 5.3 version and there has been no change since then, i.e. increasing t-codes in functions or increase in risks.
    Please advise.
    Thanks in Advance,
    Best Regards,
    Srihari.K

    Sri,
    From SAP: "The SAP ruleset will never be 100% complete as the definition of "complete" is unique for each company. SAP goal is to ensure that the rules we provide are accurate and address the major segregation of duties concerns."
    A clear point that reflects this is that you will have to do the exercise to identify, analyze and include every Z (custom) transaction used by your customer within the standard SoD Matrix that SAP provides.
    SAP provides updates for the Rule Set every Quarter.
    To get the latest SoD Matrix and key information regarding this topic please refer to SAP Notes:
    986996
    1326497
    Hope it helps. Regards,
    Imanol

  • Multiple rule sets - impacts in GRC modules

    Hi,
    We are currently running CC 5.2 on our European perimeter.  We would like to extend in the near future to our US perimeter.  For that, we have to take into consideration a complete new set of rules.
    I presume there will be no issue to handle multiple sets of rules in CC but I was wondering what could be the potential impacts/problems for the other GRC modules?
    i.e.: in Role Expert, for the US roles we would like to avoid getting potential risks from European rule sets,...
    Does anybody have some attention points or good practices to share on that? It would be a great help for us.
    Thanks & Regards

    Different installation of GRC Solutions for different regions is certainly not recommended and not even required.  It is important to design your cross system landscape efficiently considering different regions in mind and create different rule sets for different regions. In a cross system landscape you can have multiple systems from different regions with entirely a different set of modules and data. Obviously the risk will be different, for that purpose you have to create different rule sets for sure.
    Now when you are performing risk analysis for a particular region you have to select the considered system/connector and a rule set respectively so that you get the risks on targeted system only.
    Bill-
    As you asked whether there are chances of potential impacts/problems for the other GRC modules or not:
    The answer is that there will be no impact at all, because you are considering them as separate entities within a landscape. It is the beauty of GRC Access Controls to have multiple system connectors, logical systems and a cross-system landscape that provides almost every feature to cover all regional perimeters.
    Regards,
    Amol Bharti

  • Latest Rule Set Implementation

    Hello,
    My client is asking us to implement the latest rule set in our CC system. Could someone tell me whether there is any guide on how to do it? I already read note 1326497. I want the procedure, like a step-by-step implementation of this, or else the steps and tentative timelines involved in this procedure.
    Thanks
    Srikanth

    Hello Srikanth,
    I assume you would be having a customised rule set at your client's place (which can be a subset or a superset of the standard rule set from SAP). Thus, what you need to look for in the new rule set is how many of these rules are actually applicable for your implementation. There might be N number of rules in the new rule sets, but the rules that might be applicable to you might be very few. In this case you need to sit with your Controls team and find out the applicable ones. This is because if you import the new rule set as a whole you might lose your current rules, as it will just overwrite the old rule set.
    Once these are identified you may import these into your rule set. The details of how to accomplish this are stated step by step in the User Guide and would not be a problem if you follow that carefully.
    Regards,
    Hersh.
