Uploading Critical Permissions in GRC Ruleset

Hi Everyone,
I am trying to upload the critical permissions for my GRC Ruleset and need some guidance here. I have already uploaded all the files and my system can perform risk analysis for SOD and Critical actions.
Now I have identified the critical permissions for my system and have created the Function_action as well as Function_permission notepad files for upload. I have replaced the tcode information in these files with ^! so that the system understands that it doesn't have any action. I just kept all the function IDs and have added all the Auth objects, replacing the tcode tab with ^!.
I just want to confirm if uploading these files would make this work or if there is any other step that is required to have this work.
Thanks guys for all your help. Appreciate your guidance.
Vikas

Hi Raghu,
Thanks for your reply.
I am not modifying any SAP delivered xml files, I was just trying to make changes to my rule set to have critical permissions added to it. This issue is now resolved, however let me explain so that everyone out here in the forum is aware of the procedure.
I was trying to upload these critical permissions in a GRC 10 box. Manually creating 100+ functions and then creating risks mapped with them doesn't make sense as it would have taken a lot of time, so I updated my existing rule set to have these critical permissions updated. I exported my rule set from the system and added new functions to the Function_action and function_permission data with "^!" in place of Tcodes so that the system doesn't consider this value while doing the analysis on the critical permissions file. After updating my existing rule set I used the Overwrite option, as my ruleset has my existing working functions plus the changes that I have made to include critical permissions. So, it's working fine now and I was able to do the analysis.
SAP Note 1225227 was very helpful here.
Vikas

Similar Messages

  • Critical permissions are not showing in the risk analysis in GRC10.0

    Hi all,
    We noticed that critical actions are flagging in the risk analysis report but not the critical permissions.
    As far as I know all the settings are in place.
    Does anyone have any idea why critical permissions are not flagging? Our GRC is at SP14.

    This has been resolved

  • Include Custom transactions  GRC ruleset

    Hi Everyone,
    Can anyone please tell me the best strategy for including the Z & Y transactions in the GRC ruleset?
    Our SU24 is not maintained, however I have run a program to get all the authority checks for these Z transactions
    and also segregated them based on business process. We have over 600 custom transactions and they are completely customized ones, there are no SAP standard programs in them.
    I have all the authority checks in place for these Z-transactions, now the question is how to group them under relevant functions.
    I have used the following strategy, using the CDHDR & CDPOS tables, but it wasn't much help.
    Since these are completely customized, the change object they update in the CDHDR table is being updated by another Z transaction.
    So I am a bit lost, I am only left with the option of creating new functions, which is quite tedious.
    any help would be much appreciated
    Best Regards
    Jhon

    Hi Jhon
    Deleting the standard ruleset takes about 1 minute if you obtain the script from SAP Support.
    If you do NOT delete the standard ruleset then
         To add your Custom Tcodes to existing functions you should use the Rule Architect. If you try to load (using the upload files) new versions of functions that already exist, the results are not always as expected, e.g. the function's existing content will be deleted.
         You will NOT be able to overwrite existing risks using upload files, therefore you will be forced to use Rule Architect; however, new risks can be uploaded using the upload files.
    If you do delete the standard ruleset then
        Add the new Tcodes and functions/risks etc. into the upload files and you do not need to use the Rule Architect.
    There is no hard and fast rule as to when you should and should not use Rule Architect and when you should revert to using upload files. However, my rule of thumb is if I have more than 100 changes to make then I use the upload files option.
    However, the upload file option can be frustrating as the files have to be perfect in terms of syntax to load, and a single space can cause the file to fail, and this can make the file an issue to debug.
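The syntax problems described in this reply (a single stray space failing the load) and the "^!" placeholder from the original post can be checked before upload. The following is an added example, not part of the forum posts or SAP's tooling; the eight-column layout, the sample rows and the function IDs are constructed assumptions, so set `expected_cols` and `action_col` to match your own exported files.

```python
# Added example: lint a tab-delimited GRC rule upload file before loading it.
# The column layout used in SAMPLE is an assumption for illustration only.

PLACEHOLDER = "^!"  # value the thread puts in place of a tcode


def lint_upload(text, expected_cols, action_col=None):
    """Return a list of (line_no, message) findings for an upload file.

    expected_cols: number of tab-separated fields every row must have.
    action_col:    zero-based index of the action (tcode) column; when set,
                   every row must carry the "^!" placeholder there.
    """
    findings = []
    if text.startswith("\ufeff"):
        # Editors such as Notepad may prepend a byte-order mark.
        findings.append((1, "byte-order mark at start of file"))
        text = text[1:]
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            findings.append((no, "blank or whitespace-only line"))
            continue
        fields = line.split("\t")
        if len(fields) != expected_cols:
            findings.append(
                (no, f"expected {expected_cols} columns, found {len(fields)}"))
        for idx, value in enumerate(fields):
            if value != value.strip():
                findings.append(
                    (no, f"column {idx + 1} has stray whitespace: {value!r}"))
        if action_col is not None and len(fields) > action_col:
            action = fields[action_col].strip()
            if action != PLACEHOLDER:
                findings.append(
                    (no, f"action column holds {action!r}, "
                         f"expected {PLACEHOLDER!r}"))
    return findings


# Constructed sample rows (assumed layout: function ID, action, auth object,
# field, from, to, condition, status).
SAMPLE = "\n".join([
    "ZCP1\t^!\tS_TABU_DIS\tACTVT\t02\t02\tAND\t0",
    "ZCP1\t^!\tS_TABU_DIS \tDICBERCLS\t*\t*\tAND\t0",  # trailing space
    "ZCP2\tSM30\tS_DEVELOP\tACTVT\t02\t02\tAND\t0",    # tcode left in place
    "ZCP2\t^!\tS_DEVELOP\tOBJTYPE\tDEBUG\tAND\t0",      # one column missing
    "",                                                 # blank line
    "ZCP3\t^! \tS_RZL_ADM\tACTVT\t01\t01\tAND\t0",      # space after ^!
]) + "\n"

if __name__ == "__main__":
    for line_no, message in lint_upload(SAMPLE, expected_cols=8, action_col=1):
        print(f"line {line_no}: {message}")
```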

  • RAR 5.3: Uploading Critical Actions

    Hi,
    We have already a system with SoD Matrix already loaded and rules generated.
    Our question: Is it possible to upload critical actions (include in functions and these into risks) using "Rule upload" functionality, or once the SoD Matrix is loaded can no more risks be uploaded using such functionality and must they be entered manually?
    I remember there was a note related to the way rule upload works and the append / insert happening, but I cannot find it now.
    Any help on this?
    Many thanks in advance. Best regards,
       Imanol

    Hi Imanol,
    You can create txt files for new risks upload and do it. It will append the existing data. Just make sure that tcodes, objects and other required values are in place. Also, if a function / risk is existing, then modified data will not be applicable but it will throw an error. But if your txt files are having all new data, then it will be uploaded successfully. We have done it, as our rulebook was prepared in installments and we uploaded SOD first and gave the risk analysis to business before SAT risks were prepared and uploaded.
    Regards,
    Sabita

  • New Z tcode which calls BAPI - add this to GRC RuleSet

    Hi,
    There is a development currently underway in house where a z transaction has been created which calls the BAPI:
    BAPI_ACC_GL_POSTING_POST
    I have been asked to add this transaction to the GRC RuleSet but I don't think there's any point in doing this yet as I don't feel the z transaction is calling an authority check in the right way.
    When I trace the test user, or check the transaction in RSABAPSC, I cannot see any posting activity taking place, i.e. I cannot see ACTIVITY 01 being called anywhere.
    The developer added the FM Z_AUTH_BUKRS_FROM_BUKRS at my request but I think he should go further and add a check with an ACTIVITY 01. Only then will GRC be able to properly analyse this tcode for SOD violations because as-is, it's not calling enough.
    I hope I have explained this in enough detail.
    Has anyone come across an issue like this in the past? Any advice greatly appreciated.
    Regards,
    Colin

    Hi Colin
    You can still define your function but you do need to clarify what the checks should be. At the moment, your function definition would be the S_TCODE for the Z transaction.
    However, if you just define it like that and there are additional checks then you increase the level of false positives. If there aren't then you are right that the code still needs to be hardened.
    As you have mentioned a Z authority check none of us can comment on the security. Did you run a security trace on the Z transaction with the BAPI to see what is checked? How has the developer coded the authority check?
    I would push back if there are insufficient checks from a security point of view. But if the Z transaction activity forms part of a risk and is available to end users you should capture it and then start the remediation/mitigation processes.
    Regards
    Colleen

  • Photo upload file permissions?

    Hi,
    My website will give users the option to upload photographs which will be displayed on the website.
    Before a user can do this they must register or be logged in to their account.
    I will be using a shared hosting environment.
    My script does check the file size and type and only allows .jpg .gifs and .png.
    I need to set global permissions, is there a way of defining a registered user as the owner so that I only need apply owner permissions of 700 rather than setting at 777?
    My other concern is that the files that I upload the photos to is also the one that I link to from my web pages to display the images, should I be copying the uploaded images to another file then linking to that one to display the images?
    Hope I am making sense.
    Thank you in advance for your help and information.

    Hi Rob,
    Just to clarify your helpful comments, there are two comments that I am not fully understanding.
    Firstly yes I am allowing registered users to upload through http protocol.
    And yes the files that are being uploaded to will be under website ownership.
    As it will be shared apache hosting I need to set read write and execute permissions to allow the upload script to perform, which I have to do using chmod and assigning restrictive permissions if possible.
    Your comment: As long as the scripts performing the uploads are within the SAME ACCOUNT....
    The script is just there within the page, a user registers their details and then is allowed to go to the page that uploads information to the database and photos to the upload script, returning users, after log in is verified, are also allowed on the page that uploads photos, DOES THAT MEAN THEY ARE WITHIN THE SAME ACCOUNT AS WEBSITE OWNER?
    Your comment:  Why do you feel you need to assign apache permissions to INDIVIDUAL USERS?
    I wanted to apply permissions to the upload files but I thought the 'status' of my users would be like 'general public'. I guess that ties in with the last comment about account ownership; for whatever reason I was thinking that a user, even if registered, would be just like a public person, and for them to be able to use the upload scripts I thought that I would need to somehow tell the files that this person was the 'owner' so that I could apply 700 permissions to the actual file rather than 777 permissions. I was trying to find a way to use a more restrictive permission level (sorry if I didn't explain it well).
    So am I getting this right, I do hope so! A user on my website who is using the upload scripts has ownership permissions, so if I set the permissions on my upload file to 700, it will allow read, write and execute permission for the file and I don't need to set the status of my users to 'owner', they just will be as such the 'owner' because they are using the script?
    Thank you for your time and patience, I look forward to your reply and hopefully confirmation that I am now understanding this correctly.
    Best regards 
    Date: Sat, 17 Nov 2012 20:58:59 -0700
    created by Rob Hecker2 in Developing server-side applications in Dreamweaver:
    > is there a way of defining a registered user as the owner so that I only need apply owner permissions of 700 rather than setting at 777?
    If users are uploading through the HTTP protocol, then the owner of the folders and files is going to be set to the website ownership. All files and folders will share the same ownership. As long as the scripts performing the uploads are within the same account, there should not be an issue, and you should be able to assign more restrictive permissions than 777. Why do you feel you need to assign apache permissions to individual users? (which you can't do anyway, using http) It would be pretty easy using sessions and PHP to keep user files separate from each other in unique folders. But if users will use the FTP protocol, the situation would be very different.

  • GRC Ruleset for Logistics (IS-D, IS-M)

    Dear All,
    I'm working on a GRC Implementation project & need a GRC Ruleset for IS-Media & IS-D (Circulation) Modules. As no standard ruleset is available for these modules, any guidance on a custom ruleset will be of great help.
    Regards,
    Sudhakar S

    hi Nathan,
    SAP provide pre defined rules as text files in 5.x and as BC sets for activation in 10.0. You should be able to find the BC sets within your system (should contain the words GRAC and RULESET). Over the years the rule sets delivered by SAP have been updated and refined, but majority of the rules defined have remained the same as a whole.
    From these pre delivered rules you should be able to compare the "standard" definition to your custom rule definitions.
    I Hope that helps.

  • GRC  RuleSet Upload for SAP 5.3

    All ,
    As background, we are running on SAP GRC 5.3 Version. When we initially installed SAP GRC, we created a Ruleset "SAP Rule Set" based on SAP Provided Functions & Actions. Then we created one more Rule set for the Client named "GLOBAL". Over the course of time, we lost the SAP RuleSet, as the Global Ruleset was somehow copied to the SAP Provided Ruleset.
    Now, we need to have a fresh SAP RuleSet for comparison purposes with the Customer Rule Set "Global". We got the files from the SAP GRC Folder.
    1) If we upload these files, will it overwrite all available Rulesets in the system (Client Specific "Global" & SAP RuleSet), or do we have an option to upload to only one Rule Set? We don't want the "Global" Ruleset to be overwritten.
    2) Also, can you please tell me the steps which we need to perform to get the SAP Rule Set updated?
    Thanks ,
    Jerry George

    Hello Jerry,
    1) This point has been discussed so far in the forums, for example:
    Loading multiple rulesets?
    GRC AC Rule Sets
    2) There's no automatic procedure. check here:  Note 1604722:
    Customers that have implemented Risk Analysis and Remediation should have customized the ruleset to meet their business requirements. Therefore, changes to the SAP best practice ruleset cannot be systematically updated via SAINT as it would potentially overwrite this customization.
    However, customers may want to evaluate the changes incorporated into the most recent SAP ruleset to determine if the changes should be added to their own ruleset.  Any modifications the customer desires to make will need to be manually made by the customer via the Rule Architect feature of access risk management.  The configuration guides available on SAP Service Marketplace provide detailed instructions on how to update rules via the Rule Architect.
    Cheers,
    Diego.

  • How to provide access to Critical Transactions in GRC AC 10.0

    Hello Gurus,
    We are in phase of implementing GRC AC 10.0 , and have a requirement where there are "Critical Transactions" identified by the Business and if there is any end user who wants to access any specific "Critical Transaction" e.g. PA30 etc then it must automatically go to a specific Owner of that transaction.
    As far as i know , we can have a workflow for getting a role assigned, but not sure if it is possible to have a workflow where every "critical transaction" will have an owner and then on selection of the transaction it will trigger a workflow.
    I would also like to know what is a standard or rather best practice in SAP GRC , regarding providing access to "CRITICAL Transactions" ??
    We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.
    Looking forward to know about the suggestion/solution for this issue.
    Thanks in advance.
    Regards,
    Victor

    Hello,
    Victor Ger wrote:
    > We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.
    > Victor
    I think that only one firefighter with all the critical transactions is not a good idea. I guess it's better to have different firefighter IDs assigned to different users. The point here is to decide if you really want to have a trace for all critical transaction executions.
    An example:
    Tx. SM37 is considered a critical transaction if the user also has the auth. object S_BTCH_ADM set to "yes". This allows deleting or copying other users' jobs. This is an authorization that a Basis person must have. Do you really want to trace this?
    I think that forcing a Basis person to use a firefighter for this is nonsense, because this tx. is part of his/her job. Then, you should accept this sort of risk, otherwise you'll get to the point where you replace the normal users with FF users. This is not the idea of FF.
    Of course, this is just a thought and all depends on your business requirements.
    Cheers,
    Diego.

  • Upload SPM data in GRC 10.0 CEA

    In version 5.3 there was an upload functionality in the SPM cockpit for all the FF data (user, controllers, owners etc.)
    Is such a functionality also available for GRC 10.0 CEA? We are using CEA over 66 SIDs and then it is a lot of work to create the users and connect them to their role of controller/user. How can these elements be uploaded in mass?
    Can we use the transaction GRC_GRAC_MIGRATION for this? If that is the case does any one know the configuration of the data.dat files? I don't have a 5.3 version to access so I can't check this.
    GRACSPMUSERdata.dat
    GRACSPMIUSERTdata.dat
    GRACSPMOBJECTdata.dat
    GRACSPMOBJECTTdata.dat
    GRACSPMRCODEdata.dat
    GRACSPMRCODETdata.dat
    GRACSPMRCODESYSdata.dat
    GRACSPMCTRLdata.dat
    GRACSPMCTRLTdata.dat
    GRACSPMOWNERdata.dat
    GRACSPMOWNERTdata.dat
    If this is not a possibility, please advise how to create users in mass for CEA.
    Thanx.
    Best Regards,
    Jurgen.

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • Critical transactions in GRC RAR 5.3

    Hi,
    We have an option in GRC RAR 5.3 to fetch the critical action report in informer. How can I add some more critical actions into GRC? Is there a facility in GRC RAR to add critical transactions or should this be done through the backend? Kindly advise.
    thanks

    Hi,
    The process is very simple: identify your sensitive/critical transactions, make functions and then define risks as critical actions in RAR. After generating rules, you will be able to run risk analysis for those critical/sensitive transactions.
    Regards,
    Sabita

  • Is there any way to Upload from Clipboard in GRC

    Hello, For a multi role/user analysis is there a way to mass upload all the roles/users from clipboard to the Multiple Selection window ?
    Thanks

    HI Prashanth,
    Not as of now, ranges can be an option though, if they can be applied. If you have maintained the IDs since the start of the implementation following some standards then it's good, otherwise it might be a re-work to type again and again and concatenate the results.
    Regards,
    Hersh.

  • [solved] vsftpd: Uploaded files are with permissions -rw-------.?

    Hello,
    I have a problem with the ftp server (vsftpd). The new files are saved with permissions 600 (rw-------), so the apache server can't show them. Ftp access is configured with my local user and its home is in /srv/http.
    The trouble is the user config access...
    Last edited by felipe (2013-07-29 16:38:14)

    solved:
    according to
    Q) Help! Uploaded files are appearing with permissions -rw-------.
    A1) Depending on if this is an upload by a local user or an anonymous user,
    use "local_umask" or "anon_umask" to change this. For example, use
    "anon_umask=022" to give anonymously uploaded files permissions
    -rw-r--r--. Note that the "0" before the "22" is important.
    A2) Also see the vsftpd.conf.5 man page for the new "file_open_mode"
    parameter.
    more info :
    https://security.appspot.com/vsftpd/FAQ.txt
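How the umask setting in this answer produces the observed modes, as an added example that is not part of the original post: it reads `local_umask`, `anon_umask` and `file_open_mode` from a constructed vsftpd.conf fragment, applies the vsftpd.conf(5) rule that a value without a leading 0 is read as base 10, and confirms the result by creating a real file. That the web server reads the files as "other" (neither owner nor group) is an assumption of the example.

```python
# Added example: why vsftpd uploads end up 0600 and what local_umask changes.
import os
import stat
import tempfile

# Defaults documented in vsftpd.conf(5).
DEFAULTS = {"local_umask": "077", "anon_umask": "077", "file_open_mode": "0666"}


def parse_conf(text):
    """Parse vsftpd.conf-style key=value lines; lines starting with # are comments."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key] = value
    return settings


def to_int(value):
    """A leading 0 means octal, anything else is base 10 (the FAQ's '0' warning)."""
    return int(value, 8) if value.startswith("0") else int(value, 10)


def upload_mode(conf_text, anonymous=False):
    """Mode bits an uploaded file gets: file_open_mode with the umask removed."""
    s = parse_conf(conf_text)
    umask = to_int(s["anon_umask" if anonymous else "local_umask"])
    return to_int(s["file_open_mode"]) & ~umask & 0o777


def create_and_stat(conf_text, anonymous=False):
    """Create a file under the configured umask and return its real mode bits."""
    s = parse_conf(conf_text)
    umask = to_int(s["anon_umask" if anonymous else "local_umask"])
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "upload.bin")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                         to_int(s["file_open_mode"]))
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # always restore the caller's umask


def web_readable(mode):
    """True if a process that is neither owner nor group can read the file."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    # Constructed config fragments, not taken from the poster's server.
    for label, conf in [("defaults", ""),
                        ("local_umask=022", "local_umask=022\n"),
                        ("local_umask=22", "local_umask=22\n")]:
        mode = upload_mode(conf)
        print(f"{label:16} -> {mode:04o} web-readable={web_readable(mode)}")
```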

  • SAP GRC Access Control 5.3 .TXT - where to upload it

    Hi Experts,
    can anyone please tell me, I have to deploy/upload the patch:
    SAP GRC Access Control 5.3 .TXT SP04
    As I am new to GRC, can somebody please tell me where I upload/deploy this file.
    Is it on the server at operating system level, or through the application in the Web Browser ?
    Thanks and regards,
    Petr.

    HI ,
    As sahad said, that is the right way to extract the *.SAR files. The syntax is given below.
    for unix : SAPCAR -xvf /<path>/<filename>
    windows : SAPCAR -xvf <volume>:\<path>\<filename>
    If you do not specify the path then it will get extracted in the path where you are right now, meaning the same location where the *.SAR file is present, and then you can upload.
    Then you can log in to the RAR portal, go to the configuration tab, click on utilities, which will be the last option, then click on import and give the file location.
