Updation of Rule-set in GRC10

Hi,
There is a requirement for us to update few risks(objects within the risk) for our non-business ruleset. What is the best suggested method to do this?
->Directly update from NWBC
->Download Rule-set and upload from SPRO
->Transport
If any body can share their suggestions and steps, it would be great.
Thanks,
Sabitha

Hello Sabitha,
This is because you haven't created the connectors in DEV. do you have that connectors in SM59?? I recoomend to create the connectors and associate the to the logical system just to keep all the systems with the same info. you can create the connectors but it's not neccesary to fill all the data in SM59. Just create the connector with the name would be fine.
If i modify the ruleset based on the connector group in development and transport the ruleset would all the physical systems still be listed in the drop down in Quality and Prod
Yes, this will be deleted only if you transport the logical system configuration from DEV and it's not related to SoD rules transport.
If we modify the ruleset based on connector group in development and transport , would it cause any inconsistency as it looks like the Quality and Prod the physical connectors are linked to the ruleset
No. if you are working with the logical system and you haven't uploaded rules to the physical ones it has no effect.
From your comment I understand that it does not matter about the physical systems as rule generation would take care of generating/linking the ruleset based on the systems assigned to the Connector Group/Logical Systems- If this is the case I am wondering why in development system even after the generation of rule-sets the physical systems are not available
This is because you haven't created the connector or you haven't linked the connectors to te connector groups or you haven't enabled the connectors for the auth scenario.
When generating rules the system generates the rules for the necessary logical systems. since you have none in DEV it wont generate rules for your scenario. So in the escenario you are describing in DEV with logical connectors but no physical ones you shouldn't be able to execute a risk analysis there.
Cheers,
Diego.

Similar Messages

  • GRC53 Rule Set Migrated into GRC10

    Gurus, has anyone encountered the following situation. We migrated our 53 rule set into GRC 10 using the Migration Tool. On the surface all of the rule objects seem to move across as they should. We then began to run our risk reports. We noticed that for the same user, in the same backend ECC system, we get varying results from our 53 Rule Set which is in our GRC10 system vs the 5.3 Rule Set executed from our old 5.3 system. We see more violations returned from our old 5.3 system; entire risks are not reported from the GRC10 system.
    Consequently, I began reviewing the functions (actions/permissions). I picked a specific risk that was returned by the 5.3 system and reviewed it, line by line - comparing the 53 Rule Set in GRC10 against the 53 Rule Set in the 5.3 system. Everything lined up, with the exception of the activity values. In the 53 Rule Set that was migrated into GRC10 the activity values are single digits (1,2,5, etc) where as in the 5.3 System the activates are two digits (01, 02, 05, etc), Since the values are mainatined in SAP as double digits, could this be causing this? I would hope this is not the culprit, but I am unsure where else to turn.
    I will say for those risks that were returned in the results, the activities in those functions were single digits as well.

    Hi Penn,
    Can you check if your default SoD risk level is "Critical" and hence all the conflicts are not being thrown in 10.0
    There is an SAP Note 1632864 where you need to maintain parameter 1024 and se tthe default risk level to High. Since there is no option of All in 10.0 similar to 5.3
    Thanks and Best Regards,
    Srihari.K

  • GRC 10: Default Rule sets

    Hi All.
    i am wondering whether we have default rule set for GRC10 as we found with GRC 5.3. Where do I find them in GRC 10 software download?
    rEgards,
    Faisal

    In GRC10 default rule set are available by BCset :
    GRAC_RA_RULESET_COMMON
    GRAC_RA_RULESET_JDE
    GRAC_RA_RULESET_ORACLE
    GRAC_RA_RULESET_PSOFT
    GRAC_RA_RULESET_SAP_APO
    GRAC_RA_RULESET_SAP_BASIS
    GRAC_RA_RULESET_SAP_CRM
    GRAC_RA_RULESET_SAP_ECCS
    GRAC_RA_RULESET_SAP_HR
    GRAC_RA_RULESET_SAP_NHR
    GRAC_RA_RULESET_SAP_R3
    GRAC_RA_RULESET_SAP_SRM

  • Access to update the GRC rule set is limited

    Hello - What is the process (tcode) to see who has access to update the GRC rule set?
    Thanks!

    Hi Sam,
       What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
    The process to change a rule set is as below:
    1) Creats Function
    2) Create risk
    3) Create Rule
    Regards,
    Alpesh

  • Updating rule set in CC from SAP

    Hi - if anyone can help with this issue - I'd greatly appreciate it.
    We loaded CC 5.2 last year and loaded all of our custom transactions to the appropriate functions.  However, since then, there have been changes to standard and custom transactions (in the authorization objects) and those changes are not showing up in the rule set.  (we added new authorization objects)  Is there a way to have the rule set update automatically with these?
    We are running the two SAP jobs that export the texts and objects and then we have two jobs running daily in CC to bring in from those files.  We then have a full system sync running daily.  Updates are still not coming in.
    Any help is appreciated!
    Thanks,
    Elizabeth

    HI Elizabeth,
    When you say you have added new Authorization objects, do you mean to say that you have added to the roles?
    I strongly recommend to go to SU24 tcode and check whether the new Authorization objects are properly Check/Maintained to the respective Tcodes.
    Also merge all the new authorization data in all the roles and regenerate them.
    Also you need to update the rules once the above steps are done.
    Regards,
    Kiran Kandepalli.

  • Updating Compliance Calibrator Rule Set

    The business has decided to change a few rules by removing a couple of custom tcodes from the rule set.  In DEV I go into the Function and remove the objects associated with the tcode and disable the tcode.  After running the rule set update there is still some sort of tie.  I have created a test ID in DEV with a known issue around each of the changes.  I'm not getting a different result when running compliance calibrator.
    Any ideas?
    We are running R/3 4.6C and compliance calibrator 4.0

    Can you please check the following demo?
    [Virsa Compliance Calibrator Application for SAP v5.1 Demo|http://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/d2f1cf9c-0d01-0010-2dac-aedd3c4f7f5b&overridelayout=true]
    Please give more details on the step where you got stuck.
    Regards,
    Dipanjan

  • Rule set Updates

    We started with Virsa CC 5.1 in 2006 now we are using CC 5.2
    If I go to the SAP Note 1173980 u2013 Q2 2008. Do I find all the Rule
    Updates from 2006 to 2008 or we need to implement all the below Virsa
    Rule updates.
    1061380 u2013 Q2 2006
    1035070 u2013 Q1 2007
    1083611 u2013 Q3 2007
    1173980 u2013 Q2 2008

    HI:
    You need to review each set of updates, and determine if they are applicable for your system.  Each subsequent rule set update issued does NOT include previous entries.
    It is up to each client to customize entries in the updates per their own requirements, but just taking the last one, means that you may miss some of the important updates in previous updates.
    Margaret

  • GRC Rule Set Updates

    Where can I fund updates made to the default rule set?

    http://service.sap.com/support
    Click on the Help & Support tab --> Search for SAP Notes.
    You will need a valid S-number to log in.
    Thanks!
    Ankur
    SAP GRC RIG

  • Best practice for the Update of SAP GRC CC Rule Set

    Hi GRC experts,
    We have in a CC production system a SoD matrix that we would like to modified extensively. Basically by activating many permissions.
    Which is a best practice for accomplish our goal?
    Many thanks in advance. Best regards,
      Imanol

    Hi Simon and Amir
    My name is Connie and I work at Accenture GRC practice (and a colleague of Imanolu2019s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set u201CLogic Systemu201D and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicate the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both type of rule sets in a production environment? Are there any special considerations to be aware? Have you ever implemented this type of scenario?
    I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
    Connie

  • Multiple GRC rule set update

    we are having a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definition to be loaded in GRC. If we try to upload rule set B risks and functions via Upload function in GRC, would it overwrite the rule set A, or not.Just wanted to confirm whether existing rule set A would be affected or not, due to upload of rule set B.

    Hey Alpesh,
    Sorry, I haven't understand it correct. This is a question that will always be asked in the train.
    You wrote:
    "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
    Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
    What's about with the ALL.txt files, do I have to change/upload them as well again?
    Thanks for feedback,
    alwaly a pleasure!
    Greets
    Martin

  • Rule Set Update - Transactions Missing

    Hello,
    I’m having an issue when trying to add a transaction to a critical rule which is part of a logical system. When I look up the transaction
    against the logical system I can’t find it. But when I look it up against one of the connectors in the logical system I can find it. Any ideas why? I’ve run
    all the sync and regenerated the rule set. I’ve also double checked that the connector is part of the logical group.
    Thanks,

    Hi Colleen thanks for the response.
    I swear in the past you were able to pull in the transaction from the logical system but I can’t remember unfortunately. The person who built this rule set must have added these custom tcode when they did the initial upload. That must be how they were able to put them under the logical system?
    I’m wondering though, If I pull a transaction in from a specific connector won’t it only run against that connector when doing analysis? That seems odd since the logical system is to avoid that! How did you handle it? I also found that since the transaction was copied and pasted into the rule set that it’s not being analyzed during analysis.
    Maybe I can’t search on the logical system since the transaction doesn’t exist in both ECC systems I have grouped under it?
    I am on SP 13 now.

  • Do you trust the SAP standard rule set ?

    Hello all,
    I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
    As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
    1. what is your SAP release  ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
    2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
    Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
    So, the best practice is :
    a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
    b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
    You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
    Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
    Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
    Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
    Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
    Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
    Success !
    Sam

    Sam and everyone,
    Sam brings up some good points on the delivered ruleset.  Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
    I'll try to address each area that Sam brings up:
    1.  Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
    The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
    The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
    If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
    Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
    2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  A example is ME21N. 
    If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the object, M_BEST_BSA.  This is to prevent false negatives.
    3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
    4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
    1083611 Compliance Calibrator Rule Update Q3 2007
    1061380 Compliance Calibrator Rule Update Q2 2006
    1035070 Compliance Calibrator Rule Update Q1 2007
    1173980 Risk Analysis and Remediation Rule Update Q2 2008
    5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
    6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
    https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
    Under Key Topics - Access Control; choose document below:
        o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
    The access risk management guide helps you set up and implement risk    
    identification and remediation with GRC Access Control.

  • Downloading a single rule set out of N rule sets.

    HI All,
    We have defined 4 Rule sets for one particular system. Out of these one is the global rule set. Now, my requirement is to have oe more rule set, with 80% rules from global and then add the rest 20% myself. Would like to know if there is any way we can achieve this efficiently, other than creating manually all the 80% rules from GLOBAL rule set.
    Thanks a lot in advance.
    Regards,
    Hersh

    HI Jose,
    Well what you guided was perfectly fine an true in case of making changes to GLOBAL rule set. But any idea how we can make a new rule set out of the custom rule set i have already made.
    I have , in all 4 rule sets present at the moment in GRC - GLOBAL, CUST -1,2 and 3. Now, my requirement is to have a copy of CUST1 into new rule set CUST4, and I manually later on need to update CUST4 for some more risks in it. The problem i am facing is whenever i download the existing rule sets, it is not giving me an option to download just CUST1, but all of four rule sets get downloaded together. Whereas, i need just a copy of CUST1. Any ideas on this?
    Regards,
    Hersh.

  • Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

    I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

    Hi,
    Assign ECC connector to SAP_ECCS_LG group.
    Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
    Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
    Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
    Regards,
    Vivek

  • Non existing value EC for M_BEST_BSA / BSART used in rule set

    Hello,
    while implementing the 2010 rule set updates into our system, we realized that there is a value used that is not existing in the system.
    It is for object M_BEST_BSA, field BSART. The value is EC.
    In the rule update document from Q2 2010, there is the following comment:
    5. PR02 u2013 Maintain Purchase Order u2013 Upon review of this function with the rules mini-council, the decision was made to remove document type from the rules.  Previously, we delivered document types EC, FO and NB with our rules.  However, the majority of customers create custom document types for purchasing.  Many customers did not customize the rules, which results in only those users that had the standard EC, FO and NB document types being reported as having a risk.  Users who had the custom document types would not be reported, which results in false negative reporting.  Therefore, the decision was made to remove document type from our delivered rules.  This will force each customer to review their document types and edit this function to include all relevant document types so all users who have a risk are shown.
    However the value is still enabled in function PR04, even though it is not a valid value for field BSART. It is not existin in table T161, which holds the PO document types. It does not seem to exist since at least release 4.6C
    The value is inherited from the transactions ME28 and ME29N
    Does anyone know what it is about and why the value still is considered a standard value?
    I know this does not give me false conflicts, as the BSART values are used in condition OR.
    Why is the value not just removed, if it is not a valid value at all?
    edit:
    Sorry, forgot to mention, we use CC4.0 in an ECC6.0 system
    end of edit:
    Regards,
    Thomas Schaeflein
    IBM
    Edited by: Thomas Schaeflein on Jan 26, 2011 4:14 PM

    Start by saying bump.
    I've still no word from Adobe if they are doing anything with
    this problem. Any one had any replys from Adobe on it? Any one
    found a work around with recoding queries?

Maybe you are looking for