Hi Sabita,

We have already created functions and risks for R/3 Prod system. This R/3 is not defined as Logical System during Post Installation. Now that we wanted to connect the same GRC to R/3 Development system as well. We wanted to run SoD analysis for the roles in Development system whenever a new role is created. For that we wanted to use the same SoD RULE SET configured for Production.

We did a similar kind of configuration to one of our clients and when we raised an OSS they suggested to create a Logical System for both DEV & PROD system and then Generate Rules using the LOGICAL SYSTEM u2013 GENERATE RULES option. When we are performing the same activity, the DEVELOPMENT system is not getting reflected here while running SoD ANALYSIS.

Do we need to export rules from PROD system i.e. R1P to LOGICAL SYSTEM i.e R1P/R2D as a destination and then Generate rules using the Logical Option button? Since this is production instance we would like to be very careful in handling this issue?

Are we missing some steps while creating LOGICAL SYSTEMS.

Thanks and Best Regards,

Sri.K

Dear Sri,

Yes the steps you have defined is right, but if it is live produciton system, then you must first test it on GRC DEV/QA system.

If you want to get all rules defined for Prod to bring into Logical system this is one option.

If your requirement is to run risk analysis before a role is generated in Dev system, one more option may apeal you.

In ERM, there is one option, system landscape, in that you can define risk analysis in one system(PROD) and role generation in another system(QA).

Anyway your risks are going to be same in both systems when you will use logical system. So better configure your ERM in this way.

We have done it in this way, we run risk analysis against risks defined in PRD and generate role in QA. Once testing is done, we download/uplod it from QA to PROD in backend system, it is in testing phase but working fine.

Regards,

Sabita

Hi Frank/ Sabita,

When you say export the functions and risks into Logical System. Do i need to export the entire rules from R1P and import the text file generated into LOGICAL SYSTEM. Then generate the rules once again using the LOGICAL SYSTEM --> Generate Rules.

Or only the Functions and Actions has to be exported and import into LOGICAL SYSTEM.

We have already created SoD rules for R1P system.If it is the case please let me know if the below procedure is correct or not

a) Create a LOGICAL SYSTEM with R1P/R2D - Attach 2 physical Systems i.e. R1P & R2D

B) Go to Utilities --> Export rules --> Select ALL . Then SOURCE is R1P - DESTINATION R1P/R2D (logical system exdefined)

C) A text file will be generated - save it in the local desktop

D) Upload this text file using IMPORT option under UTILITIES

E) Go to CONFIGURATON --> LOGICAL SYSTEM --> GENERATE RULES

Then all the t-codes under the function will be taking the logical system R1P/R2D changing the current config of R1P alone

Please confirm if the above procedure is correct or not.

Thanks and Best Regards,

Srihari.K

Dear Sri,

Yes your steps are correct and it should give you desired results.

Regards,

Sabita

Hi Sabita,

Thanks for confirmation. We will try this option and in case if any issues will come back

Best Regards,

Srihari.K

Hi All,

My question is closely related to your discussion here, and so I thought I'd ask you about it.

Background

I have installed GRC AC 5.3, and am in the process of configuring RAR. I have gone into RAR and have loaded the SU24 data etc., and created the systems.

There is one GLOBAL ruleset, with all the rules loaded.

I have subsequently created logical systems, much like in this post - a DEV, QA, PRD.

Having done this, I have reloaded the rules into RAR. While loading the rules into RAR, I had to select a logcal system, and I selected DEV.

Having generated the rules, I notice that the functions point to DEV, however I would like to use the same functions (and ruleset) against the PRD logical system.

Can I regenerate the rules to also use them against the PRD logical system? What steps should I follow in order to use the same rules on the DEV, QA and PRD logical systems? I don't mind reloading the rules.

Please let me know.

Thanks,

Santosh

Hi Santosh,

If i understand your query correctly, please follow the below steps.

1) Create logical system for Dev & Prd or what ever physical systems you want to attach to this logical system

2) Obtain rules from existing DEV sytsem i.export rules - give destination of the new logical system created while importing the rules

3) Then import rules for the new logical system

4) Run background job using the option under Logical System in Configuration menu.

This helps you in creating SoD rules for all the physical systems connected to Logical System. So, when you want to use for Dev instance you can select Dev system and then generate SoD analysis reports.

Hope this clarifies your query. Please let me know if you need further information.

Thanks and Best Regards,

Srihari.K

Hi Frank,

Thanks for your point, and I agree with you.

Santosh

Hello Everybody, I have some question about this topic, I am using CC 5.2 and I already have connected x SAP applications and x Oracle application on my tool, I am having the issue with some risk that exceed the limit of rules.. my plan is to do 2 logical system. One for SAP actions and permission and the other one for Oracle.

My first question is, If I am going to create a Logical System, I just need to relate the physical systems to this system, but in my physical systems I have a standard and Development (ZZ) actions, what can I do or what I need to put in every system, i.e in the Logical System I need to upload the standard actions & permissions and in the Physicals systems just the development?

The next question is, Do i need to delete some historical rule information in ACTRULE and ACTRULEHDR tables or just generate rule when I just create the Logical System.

Thanks a lot for your help.

Miguel