V10 - RA&R Rule set (Transport)

Hi,
We have heard that the new rule set in AC can't be transported through the environments (DEV, QAS and PRD) in 10 as it's seen as master data. Does this mean we maintain this in PRD?
Is this true?
Regards, Melvin

Hi,
I have a question regarding the rule sets. We do continue changes on our rule sets as business risk services. We have found that we can transport the rule set through transaction GRAC_RULE_TRANSPORT but have found that this takes through the complete rule set. We are also aware that these rules can be uploaded and downloaded directly in production.
My question is: what is the correct way of doing rule set maintenance, and what will be accepted by audit?
Please let me know your feeling around this, and any practical ways you guys implemented will be appreciated.

Similar Messages

  • Updation of Rule-set in GRC10

    Hi,
    There is a requirement for us to update a few risks (objects within the risk) for our non-business ruleset. What is the best suggested method to do this?
    ->Directly update from NWBC
    ->Download Rule-set and upload from SPRO
    ->Transport
    If anybody can share their suggestions and steps, it would be great.
    Thanks,
    Sabitha

    Hello Sabitha,
    This is because you haven't created the connectors in DEV. Do you have those connectors in SM59? I recommend creating the connectors and associating them with the logical system, just to keep all the systems with the same info. You can create the connectors, but it's not necessary to fill in all the data in SM59. Just creating the connector with the name would be fine.
    If I modify the ruleset based on the connector group in development and transport the ruleset, would all the physical systems still be listed in the drop-down in Quality and Prod?
    Yes, this will be deleted only if you transport the logical system configuration from DEV and it's not related to SoD rules transport.
    If we modify the ruleset based on connector group in development and transport, would it cause any inconsistency, as it looks like in Quality and Prod the physical connectors are linked to the ruleset?
    No. If you are working with the logical system and you haven't uploaded rules to the physical ones, it has no effect.
    From your comment I understand that it does not matter about the physical systems as rule generation would take care of generating/linking the ruleset based on the systems assigned to the Connector Group/Logical Systems. If this is the case, I am wondering why in the development system, even after the generation of rule-sets, the physical systems are not available.
    This is because you haven't created the connector or you haven't linked the connectors to the connector groups or you haven't enabled the connectors for the auth scenario.
    When generating rules, the system generates the rules for the necessary logical systems. Since you have none in DEV, it won't generate rules for your scenario. So in the scenario you are describing, in DEV with logical connectors but no physical ones, you shouldn't be able to execute a risk analysis there.
    Cheers,
    Diego.

  • RAR: Global Rule set

    Hi,
    I am wondering if the latest global rule set contains the tcodes, authorization objects and values based on the latest version of SAP? If yes, can this global rule set be applicable for SAP version 4.7 ?
    Thanks,
    Debbie

    Hello Rajesh,
    Hope this information from SAP helps you. RAR Rule Update - Documentation
    It is not possible to programmatically send out updates to the default ruleset (i.e. via transports or STMS). 
    This is because rule uploads only overwrite and not append.  As every company should have made changes to their ruleset, SAP cannot send out rule updates as this would overwrite the customization done by each company
    Since the SAP acquisition of Virsa, there have been seven updates to the supplied ruleset which are described in detail in SAP notes below.
    1061380 – Q2 2006
    1035070 – Q1 2007
    1083611 – Q3 2007
    1173980 – Q2 2008
    1326497 – Q2 2009
    1446680 – Q2 2010
    1604722 – Q3 2011
    These notes provide a company a detailed Word document that summarizes the changes made. 
    The company must go through these changes to evaluate if they agree with the SAP supplied change. 
    If they agree, the company will have to make the change manually via the Rule Architect.
    To get more details, please refer to note#986996
    Regards,
    Renuka

  • FBL5N - in Rule set - It is a Display customer line items

    Dear All,
    We observed that FBL5N - Display customer line items in Standard SoD rule set under function AR07  addressing a risk of S022.
    Unless there are t-codes of FD03 or FB02 this t-code does not allow to change the payment terms of the customer.
    We are having a challenge from the client that FBL5N is a display t-code and why it is there in rule set.
    Has anybody come across this scenario? If yes, what is the underlying risk for this FBL5N independently?
    Is there any SAP Note for this t-code like ME23N from SAP.
    Thanks and Best Regards,
    Srihari.K

    Hi Christian,
    We checked the authorization objects as well enabled in GRC rule set as below:
    F_BKPF_BUK - Document Authorization document for company codes - 01 or 02 - Enable.
    In spite of this access, FBL5N cannot be used to change the document for payment terms and assignments without FB02 t-code assignment in the role.
    Independently FBL5N cannot be used for any change or create activity except Display customer line items.
    Please advise
    Thanks and Best Regards,
    Srihari.K

  • I have messages in mail that are color-coded as if by a rule, but I have no rules set. How can I correct this?

    The only rule that I ever had in Mail was the default one that color coded messages from Apple blue. I notice that some messages are color-coded brown and I have no rules set at al (hence no rule to turn off.)  Some of the messages are related to viewing online magazine, but not all.  How can I stop this?

    Hi. Thanks for your message.
    Well, I understand what you are trying to say but I thought it was easier to categorize in Apple Mail.
    On Entourage I just click twice on a sender address, record it on Address book and give it a colour that I previously defined as "Work", "Personal", "Customers", "Suppliers", "Friends" or whatever.
    As Apple Mail doesn't have Address Book as part of it but as an outside feature, it's very annoying. Of course I am used to using a software and I don't expect now Apple Mail to do everything as Entourage but... as someone said, it seems Apple Mail stopped in time. The recent version seems the first one ever issued. I hate the way Mail.app handles attachments by placing big chunky previews right in my email. I prefer them to be named attachments listed somewhere else, out of the content of my email. I don't know if I can change this via terminal commands? Can you tell me if that is possible?
    I don't understand why Apple Mail has lots of plugins instead of a great improvement from the backstage.
    I have used Apple computers since ever and I love these machines but sometimes I don't understand this lack of improvements.
    Take a look at this link:
    http://scottworldblog.wordpress.com/2009/10/12/microsoft-entourage-vs-apple-mail/
    Of course I don't agree 100% with him but some things are true...

  • Do you trust the SAP standard rule set ?

    Hello all,
    I have the impression that, too often, the SAP standard ruleset has been taken for granted: upload, generate and use. Here is a post as to why not to do so. Hopefully, this will generate an interesting discussion.
    As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
    1. What is your SAP release? ---> 46C is different from ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to be provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
    2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
    Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
    So, the best practice is :
    a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
    b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
    You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
    Is this questionnaire really necessary? Can't I just activate all permissions in every function? Certainly not, because that would - and here is the main problem - filter too many users out of your audit results because the filter is too stringent. This practice would lead to false negatives, something that auditors do not like.
    Can't I just update all my functions based on my particular SU24 settings? (By the way, if you don't know what SU24 settings are, then ask your role administrator. He/she should know.) Yes, if you think they are on target, you can, by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-uploading, and going into change mode for every function so that the new permissions are imported based on your SU24 settings. Also very cumbersome, and with the absolute condition that your SU24 settings are maintained excellently.
    Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
    Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
    Again, the message is: be very critical when looking at the SAP standard rule set. So, test thoroughly. And if you're not sure, leave the job to a specialized firm.
    Success !
    Sam

    Sam and everyone,
    Sam brings up some good points on the delivered ruleset.  Please keep in mind, however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in SAP note 986996, Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
    I'll try to address each area that Sam brings up:
    1.  Regarding the issue with differences of auth objects between versions, the SAP delivered ruleset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
    The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
    The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
    If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
    Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
    2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  An example is ME21N.
    If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the objects, M_BEST_BSA.  This is to prevent false negatives.
    3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
    4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
    1083611 Compliance Calibrator Rule Update Q3 2007
    1061380 Compliance Calibrator Rule Update Q2 2006
    1035070 Compliance Calibrator Rule Update Q1 2007
    1173980 Risk Analysis and Remediation Rule Update Q2 2008
    5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
    6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
    https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
    Under Key Topics - Access Control; choose document below:
        o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
    The access risk management guide helps you set up and implement risk    
    identification and remediation with GRC Access Control.
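
The filtering effect discussed in the two posts above (the FB01 permissions in AP02, the optional F_BKPF_GSB object, and the reply's point about activating the fewest objects), as an added example that is not part of the thread and not SAP's code. It is a simplified model: the users ALICE, BOB and CAROL are constructed, field values are ignored, and it assumes a system where authorization groups are not used.

```python
"""Simplified model of how activated permissions in a function filter analysis results.

Constructed data: user names and their authorizations are invented. Field values
(company code, activity, ...) are ignored; only the presence of an object counts.
"""

# Constructed users: transaction codes and authorization objects in their profiles.
USERS = {
    "ALICE": {"tcodes": {"FB01"}, "objects": {"F_BKPF_BUK", "F_BKPF_KOA"}},
    "BOB": {"tcodes": {"FB01"},
            "objects": {"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_BEK", "F_BKPF_GSB"}},
    "CAROL": {"tcodes": {"FB01"}, "objects": {"F_BKPF_KOA"}},
}

# Assumption: this system does not use authorization groups, so posting with
# FB01 really needs only F_BKPF_BUK and F_BKPF_KOA (the basic pair named above).
ACTUALLY_REQUIRED = {"FB01": {"F_BKPF_BUK", "F_BKPF_KOA"}}

# Variants of the FB01 action inside one function: tcode -> activated objects.
RULE_VARIANTS = {
    "tcode only": {"FB01": set()},
    "BEK + KOA (mistake discussed above)": {"FB01": {"F_BKPF_BEK", "F_BKPF_KOA"}},
    "BUK + KOA + GSB (over-activated)": {
        "FB01": {"F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB"}
    },
    "BUK + KOA (corrected)": {"FB01": {"F_BKPF_BUK", "F_BKPF_KOA"}},
}


def rule_matches(user, rule):
    """A user matches when holding a tcode of the rule plus every activated object."""
    return any(
        tcode in user["tcodes"] and activated <= user["objects"]
        for tcode, activated in rule.items()
    )


def evaluate(rule, users=USERS, required=ACTUALLY_REQUIRED):
    """Compare who the rule reports with who can really execute the transaction."""
    flagged = {name for name, user in users.items() if rule_matches(user, rule)}
    actual = {name for name, user in users.items() if rule_matches(user, required)}
    return {
        "flagged": sorted(flagged),
        "false_negatives": sorted(actual - flagged),  # can post, not reported
        "false_positives": sorted(flagged - actual),  # reported, cannot post
    }


if __name__ == "__main__":
    for label, rule in RULE_VARIANTS.items():
        result = evaluate(rule)
        print(f"{label:38} flagged={result['flagged']} "
              f"FN={result['false_negatives']} FP={result['false_positives']}")
```

Every extra activated object can only shrink the reported set, so a wrong or optional object hides users who can post, while too few objects reports users who cannot.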

  • Is it possible to add a firewall Filter or Rule Set to the Extreme Router (802.11n)

    Is it possible to add a firewall Filter or Rule Set to the setting for the Extreme Router (802.11n) like the following:
    "ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53"  and
    "BLOCK TCP/UDP IN/OUT all IP addresses on Port 53"
    The goal of this is to create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs.
    Or, alternatively is there a way to configure same applied to the Network preferences on IMAC OS X?
    Thanks and much appreciation to anyone who has any clue about this.

    Sorry, I think you've got it backwards.
    The concern is NOT that the child can make changes to our hardware/AEBS, or even our network software on my IMAC - nothing's been changed.
    BUT, he changed the dns settings on his OWN device (ie chromebook) to google public server, accessed the AE using our home wifi network BUT bypassed our dns settings. Capeesh?
    See: http://www.pocketables.com/2013/03/how-to-use-change-the-dns-settings-on-your-chromebook-and-use-googles.html

  • Multiple Rule Sets in GRC 10.0 for one System

    Hi All,
    We do have 2 different companies working on one system and by that 2 different rule sets that are applicable.
    Due to that we are facing different problems we don't know how to solve yet, but let's start with the first one, dealing with the rule set that should be used in the access request.
    We want to determine which rule set should be used over the requested role (e.g. if role name contains 0001 use rule set 0001, if role name contains 0002 use rule set 0002).
    We have already tried several different scenarios in BRF+ without success.
    Does anybody have a solution or at least an idea for this topic?
    Thank you all very much in advance!
    Eva

    Hi Ashish ,
    Thanks for your time. Let me explain my requirement; I would really appreciate it if you have some inputs here which would help me to design this.
    The actual client requirement is to design a CUP Workflow, and if there are SOD issues identified, the workflow will need to go to a central team for them to address each issue. If this group decides to apply mitigating controls to the issues, the workflow must then go to the compliance group for them to review for appropriateness. The requirement is to do a SoD analysis for every role change/add request, so that this group takes the appropriate action based on the SoD analysis. For all my CUP requests raised, I want the system to do a SoD analysis and let this group know whenever there is a SoD found, or just end the workflow if there is no risk.
    I am aware of the Risk analysis process for GRC 10.0, however I want it to happen as a part of this workflow requirement.
    The requirement is to configure the access request workflow so that the end goal of the workflow is just facilitation of an SOD review.  I hope I was able to explain my requirement. Thanks again for your help.
    Your valuable guidance would be really appreciated.
    Vikas

  • Best practice for the Update of SAP GRC CC Rule Set

    Hi GRC experts,
    We have in a CC production system a SoD matrix that we would like to modify extensively. Basically by activating many permissions.
    What is the best practice for accomplishing our goal?
    Many thanks in advance. Best regards,
      Imanol

    Hi Simon and Amir
    My name is Connie and I work at Accenture GRC practice (and am a colleague of Imanol’s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where there is a Global Rule Set “Logic System” and we may also need to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicates the potential impact (regarding risk analysis, system performance, process execution time, etc.) caused by implementing both types of rule sets in a production environment? Are there any special considerations to be aware of? Have you ever implemented this type of scenario?
    I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
    Connie

  • Access Control Rule Set deletion in GRC 10

    Greetings,
    Has anyone tried deleting rulesets or experienced any issues while deleting rule sets in GRC 10? I have tried to delete them from SPRO as well as from the Setup tab in Access Control, however it's not working for me. Even in SPRO, after choosing the physical system and logical system information, it stays on that screen forever and nothing happens.
    Any help or guidance here will be much appreciated.
    Thanks everyone for your valuable time.
    Vikas

    Hey ,
    There are no tricks or tips.  It was something stupid on my part.
    I just had a look at the system again and found a function left in the system which was mapped to this ruleset, so that was the only reason I was not able to delete the ruleset. As soon as I deleted that function, it worked.
    So I was able to delete the entire rule set after deleting all the risks and functions mapped to this rule set.
    Have a great day ahead ...
    Vikas

  • Rule set migration from GRC 5.3 to GRC 10.0

    Hello everyone,
    I ask you this question: if I want to migrate from GRC 5.3 to GRC 10.0, can I keep my old custom rule set with no modification or I have to make some changes to it to import in GRC 10?
    Thank you in advance for the answers
    Greetings
    Gianluca
    Edited by: Gianluca Mocini on Apr 1, 2011 5:33 PM

    Hi,
    The migration utility is very simple. You install it on the GRC 5.3 box and then select the items you want to migrate. It will generate tab-delimited text files and you can use those files to import data into the 10.0 box.
    Regards,
    Alpesh

  • GRC 10.0 : Maximum number of Rule Sets

    Hi Experts,
    What is the maximum number of rule sets we can define in GRC 10.0?
    What could be the impact on performance if we defined a dozen different rule sets?
    Best Regards,
    Nicolas

    Hi,
    In theory, you can have as many rulesets as you wish in the GRC 10 world. However, you rightly point out that there will be a substantial performance impact.
    The number of rulesets is not really the key element here but the number of risks and rules defined within them will be.
    If you know that you wish to manage a significant number of separate rulesets, be sure to spec them out accordingly and make use of the connector groups to rationalise the content as far as possible (e.g. group similar elements like Basis or systems together). You will also need to size the GRC system appropriately with a basis SME so that you can review the system performance appropriately.
    Simon

  • Reading rule sets from an XML file

    Hi all,
    How can I read rule sets from an XML file? I have been given some rules in XML
    format and using those I have to query some content. I am using WLP4.0
    Also how can I code rules in java?
    Thanks in advance.

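    You can have the following classes:
    Players class deriving from Vector (or containing a vector), and then
    Player class with attribute 'name'.

    import java.util.Vector;
    import org.xml.sax.Attributes;
    import org.xml.sax.helpers.DefaultHandler;

    // Container for all parsed players
    class Players {
        Vector<Player> myVector = new Vector<Player>();
        void addPlayer(Player p) {
            myVector.add(p);
        }
        Player getPlayer(int index) {
            return myVector.get(index);
        }
    }

    class Player {
        private String myName = null;
        Player(String name) {
            this.myName = name;
        }
        String getName() {
            return myName;
        }
    }

    Then while handling the SAX events you can do the following:

    // DefaultHandler implements ContentHandler with empty callbacks
    class MySAXHandler extends DefaultHandler {
        Players p = null;                                  // field: must survive between events
        private final StringBuilder value = new StringBuilder();

        public void startElement(String uri, String localName, String name, Attributes atts) {
            if (name.equals("Players"))
                p = new Players();
            value.setLength(0);                            // start collecting this element's text
        }
        public void characters(char[] ch, int start, int length) {
            value.append(ch, start, length);
        }
        public void endElement(String uri, String localName, String name) {
            if (name.equals("Name") && p != null)          // element text is complete only here
                p.addPlayer(new Player(value.toString().trim()));
        }
    }

    HTH,
    Kalyan.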

  • SAP BPM Flow Rule set error: Result for ResultSet is required.

    Hi ,
    I want to create of Rule set or Flow rule set inside "Process development" perspective.
    I have defined one process under "Processes" folder. After this, I want to create a rule set under "Rule Sets" folder.
    While creating a rule set, it prompts for "Result for ResultSet is Required" but I don't get anything in drop down select. Please help me whats going wrong here.
    Regards,
    Aman

    Hi Aman,
    Have you mentioned the Return Type in signature while creating RuleSet ?
    Refer the document : SAP NetWeaver Business Process Management Resource Center
    -Abhijeet

  • Migrating HBR Sequences into 11.1.2.x as Rule Sets

    Hi, has anyone been able to migrate sequences into Calc Manager?  With the method I'm trying, Calc Manager recognizes the rules and variables in the sequence(s) (will skip them when the Skip option is selected), but the rule set does not appear (verified by <Find><Contains> search).
    -Vince

