Blank values in RAR Rules - RAR (SAP GRC AC 5.3)

Former Member

Hello,

We are working on the deployment of a GRC Access Control 5.3 system at a main customer and we have found the following issues with AC 5.3:

When a rule with a blank value in the "Value From" and "Value To" columns is set, RAR is not taking users with any "Value From" / "Value To" for that rule. In fact we are seeing that only users with value * in the "Value From" column are taken. It doesn't fit with standard SAP practices. Could you confirm this issue? How could we set a rule for taking any value?

Rule Example:

Object: F_BKPF_BUK Field: ACTVT Value From: Value To: Condition: AND Status: ENABLE

User1 value:

Object: F_BKPF_BUK Field: ACTVT Value From: 4 Value To: (It's NOT taken)

User2 value:

Object: F_BKPF_BUK Field: ACTVT Value From: 5 Value To: (It's NOT taken)

User3 value:

Object: F_BKPF_BUK Field: ACTVT Value From: * Value To: (It's taken)

Best regards.

Accepted Solutions (0)

Answers (1)

Former Member

You need to distinguish between the value in the authorization field of the object and the search pattern.

'*' is only looking for the field name. It does not even care about the value.

Values '4' and '5' are not valid for F_BKPF_BUK (see table TACTZ), so unless you populate UST12-BIS (what you call "Value To:") you won't get a result.

I faintly suspect that you are "cooking the books" at the file level, and are expecting the GRC system and possibly the ABAP system as well to use the same logic?

Can you explain what User1 + User2 are expected to achieve with these values?

The system does sometimes make DUMMY checks (see the ABAP key word documentation in transaction ABAPDOCU) but this is not the correct strategy to pass those checks in my opinion.

I also suspect that this is an "action" in the customer namespace. Perhaps you are using an unreleased FM instead of a BOR object? See transaction BAPI for more info and for finding the correct BOR (Business Object Repository) so that your RAR is not confused by dodgy coding....

Cheers,

Julius