Regarding Rules, Functions and Risks

former_member759680
Contributor
Hello,

1. Does SAP provide a standard ruleset for SoD? Does it come with the AC 5.3 .SCA?

2. What is the relation between Rules, Risks, Functions and Business Process?

Thanks.

Former Member
Hi Gautam,

Yes, the SAP standard ruleset comes with the SAP GRC Access Control 5.3 package (zip file) and it contains SoDs.

Business Process is like Procure to Pay, Order to Cash, or you may categorize it as MM, SD, etc., so that grouping similar risks and analysing them is possible.

Functions are actions recognized as tcodes in SAP terms: we identify tcodes of a similar nature and create a function for them. Later we can create an SoD risk or SAT risk (Sensitive Access tcodes) using those functions.

Rules depend upon risks: we have to generate them after creating risks.

Rulesets contain, or are defined as having, all risks associated with Business Processes.

Regards-Sabita

former_member759680
Contributor
So suppose I want to create a rule in which the combination of PFCG and SU01 is a high risk, how should I go about it?

Can this Rule exist as an individual Rule? Or should Rules be a part of some Function, some Risk and some Business Process?

Former Member
Hi Gautam,

The process is:

You have one ruleset defined, say XYZ (company or division).

One Business Process, say BASIS.

You create two functions, each containing one tcode (SU01 / PFCG).

You define one risk as SOD and select Business Process BASIS.

Associate those 2 functions.

Select the ruleset.

Save and generate the rule. There will be only one rule for it, because there is only one combination.

Suppose you create two functions containing two tcodes each and create a risk; the rules will be 4 (all permutation combinations).

Hope it helps.

Regards-Sabita

former_member759680
Contributor
But Sabita, you are just assigning the 2 Functions to the Business Process.

Why do we need the Risk and Ruleset?

Or better, why do we have a Business Process? Why not just have the 2 functions and the Ruleset?

I am sorry to barge in with so many questions, but could you please help me out with the significance of all of these, viz. Business Process, Function, Rule, Risk.

Any document or link would also help, as I wasn't able to find any good ones.

Thanks.

Former Member
Gautam,

These are building blocks for rules. That is how CC/RAR rules are constructed. It could be different in other tools or if you do it via Excel. I don't think Sabita can answer why you need a business process, as you won't be able to define a ruleset without the basic building blocks. Basically, the business process is the container for functions. Conflicting functions create rules, and combinations of t-codes and objects are risks. This whole setup, starting from business process to risk, is called a ruleset.

Regards,

Alpesh

Former Member
Hi Gautam,

Alpesh is right, this is the way GRC CC is structured.

One ruleset contains business processes.

A business process contains risks.

A risk is associated with functions.

Functions contain tcodes and/or authorization object values.

For your query ("But Sabita, you are just assigning the 2 Functions to the Business Process."): it is just for your given example. In Basis there are more than 100 sensitive tcodes for which we can define functions and risks.

The same is true for each module e.g. in FI.

Regards,

Sabita

Former Member
Hi Gautam,

Just to make it more explanatory, let's take a few examples for each entity:

1. Business Process (BP):

It can be a department, group or an independent functional unit in an organization. E.g. Finance or HR or Material Management.

2. Function:

It can be a set of activities, or say a set of similar activities, in a BP. E.g. in SAP Security, the SU01 and PFCG combination can be termed as a function: "User and role maintenance".

3. Risk:

It can be a combination of 2 or more functions which, when given to a single user, can be harmful to the organization.

4. Rule:

It is generated from Risks automatically. E.g. if A and B are 2 functions in a risk R, such that:

A has transactions X and Y, and

B has transactions M and N,

then there can be multiple rules generated here for Risk R, with combinations like the X and M rule, X and N rule, Y and M rule, Y and N rule, etc.

5. Ruleset:

As the name suggests, it is a set of Rules, generated from Risks. Two Rulesets may contain the same, similar or dissimilar risks, based on the landscape for which you want to use the ruleset. E.g. you might have ruleset R1 having Risks 1 to N in your development system and you might have ruleset R2 having Risks 1 to M in your Production system.

Hope this makes it a bit clearer to you now. For more dependencies within these entities and how they behave with each other, I would suggest that you create each of them and then observe their linkages. The config guide from SAP would be more than enough for this purpose.

Regards,

Hersh.

http://www.linkedin.com/in/hersh13
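The ruleset > business process > risk > function > tcode hierarchy described in Sabita's and Hersh's replies, and the rule generation from it (two functions with two tcodes each giving four rules), as an added illustration that is not part of the thread and not SAP's own code. The ruleset, function and risk names and the sample user are constructed for this example; only action-level (tcode) rules are modelled, not permission-level authorization object values.

```python
from itertools import product

# Constructed sample ruleset (not SAP's delivered ruleset): one business
# process, two functions, one SoD risk, mirroring the thread's example.
RULESET = {
    "name": "XYZ",
    "business_processes": {
        "BASIS": {
            "functions": {
                "USER_MAINT": ["SU01", "SU10"],   # user maintenance tcodes
                "ROLE_MAINT": ["PFCG", "SUPC"],   # role maintenance tcodes
            },
            "risks": {
                "B001": {"level": "High", "functions": ["USER_MAINT", "ROLE_MAINT"]},
            },
        }
    },
}


def generate_rules(ruleset):
    """Expand each risk into rules: one rule per combination of one action
    from each of the risk's functions, so a risk over two functions with
    two tcodes each yields four rules, as the thread describes."""
    rules = {}
    for bp_name, bp in ruleset["business_processes"].items():
        for risk_id, risk in bp["risks"].items():
            action_lists = [bp["functions"][f] for f in risk["functions"]]
            for n, combo in enumerate(product(*action_lists), start=1):
                rules[f"{risk_id}{n:03d}"] = {
                    "bp": bp_name, "risk": risk_id, "level": risk["level"],
                    "actions": frozenset(combo),
                }
    return rules


def analyze_user(rules, user_actions):
    """Return the ids of rules a user violates, i.e. rules whose full set of
    actions is contained in the user's effective actions."""
    have = set(user_actions)
    return sorted(rid for rid, r in rules.items() if r["actions"] <= have)


if __name__ == "__main__":
    rules = generate_rules(RULESET)
    for rid, r in rules.items():
        print(rid, r["bp"], r["risk"], r["level"], sorted(r["actions"]))
    # Constructed user with SU01 and PFCG: hits exactly one of the four rules
    print(analyze_user(rules, ["SU01", "PFCG", "SE16"]))
```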

former_member759680
Contributor
Thanks everybody. Thanks for the replies. Each one of them was helpful.

I got the basics straight now.

So, while creating a new Rule, in this case with PFCG and SU01, what should be the order of things?

I mean, first I create a Business Process, then functions, then Risk... or is there no order?

How do I associate the Business Process with the Ruleset?

It would be helpful to get some document or link that would provide the process of creating Rules.

Can you guys help?

Thanks.

Former Member
Hi Gautam,

Follow the path:

service.sap.com/instguides > Installation and Upgrade Guides > SAP BusinessObjects > SAP BusinessObjects GRC.

Here you will find the guides you need.

Regards,

Hersh.

http://www.linkedin.com/in/hersh13

Edited by: HERSH GUPTA on Apr 26, 2009 2:22 PM