Loading multiple rulesets?

Former Member
0 Kudos

We've done a lot of work on CC5.1, starting with the standard ruleset, tweaking it to our requirements and getting it all approved. Then the NetWeaver system died (long story, not relevant here) and while installing its replacement we decided to upgrade to RAR 5.3 - we were planning to do that anyway sometime. I'd like to load both the standard 5.3 ruleset and our old, customised 5.1 ruleset so we can compare them but I don't see an easy way to do that. The "ruleset" concept in RAR is associated with the "risk" and the risk names need to be unique, so this means I need to rename the risks in either the old or new sets if I'm going to load both. I'm happy to take the text files and edit them to change names, but I don't see an obvious automatic renaming rule to apply. Being restricted to 4 characters isn't helping at all!

Has anybody else ever done this? Is there an easy way I just haven't spotted yet? What am I missing?

Thanks,

Steve.

Accepted Solutions (1)

Former Member
0 Kudos

If you want to load both the rulesets then yes, even I don't see an easier way than editing the text files.

I'd suggest not to load the 5.3 standard text files at all.

Instead you can load your customized ruleset and update it with the new risks that you want to add.

Thank you,

Partha

Answers (2)

Former Member
0 Kudos

It seems there's no easy way, after a GRC upgrade, to load the old and new rulesets into the RAR system to compare them side-by-side. Surely this is something every GRC user wants to do after an upgrade? I'm thinking of installing yet another RAR system just to hold the ruleset from 5.3, so I can compare it easily to my previous 5.1 ruleset. There has to be a better way...

Former Member
0 Kudos

That is what we're currently planning - continue with our old ruleset until we reach steady state running with 0 violations, and then look at the changes in the new ruleset. Although comparing the two rulesets isn't easy unless you can load both of them into a system. Do people usually do this by creating a new system to load the new rules?

I'm just surprised at how difficult it is to load both into one system to compare them...

Thanks,

Steve.

Former Member
0 Kudos

Steve,

Configuring multiple rulesets in RAR 5.3 is quite easy, for example you can upload SAP delivered standard ruleset files and then upload your customized ruleset.

Just ensure to use different naming convention for your customized risks than what SAP delivers. You can load multiple rulesets against same system.

While doing comparison schedule different risk analysis jobs based on number of rulesets in your system. You can then compare the output to do any further tweaking.

Regards,

Amol

Former Member
0 Kudos

> Just ensure to use different naming convention for your customized risks than what SAP delivers.

That's exactly the problem. My ruleset from 5.1 uses risk names that clash with the ruleset from 5.3, because most of them are the original SAP risks. We have only a few custom risks.

It is easy enough to edit the text file to change the risk name, except that there're only 4 characters to use. If I could simply add "_51" or similar to the risk name, there'd be no problem. But with just 4-character names, how do I modify the old "B001" so it doesn't clash with the new "B001"? Doing this for one or two risks is OK, but for hundreds I'd want an automatic rule and I don't see an obvious rule, given that the risk names don't stick to the same pattern.

This isn't a major problem, but I just think some more thought should have been put into the upgrade process. Surely people want to compare old and new rulesets, and not just stick to the one they started with years ago. An easy way of comparing rulesets would be a big help.

Steve.

Former Member
0 Kudos

I agree, Steve. There isn't any automatic way to compare the rulesets. In your case manual processing would be needed either to rename your 5.1 ruleset logic (risks/functions, etc.) or to rename SAP delivered ruleset logic before uploading.

You will have to ensure that function names too are different as no two risks can have same function combination. You may want to first draft a strategy for function, risk naming in excel and then use it as a reference for all future SOD logic changes. It would involve one time effort.

In my opinion customer shouldn't change/tweak SAP delivered logic (risks/functions) instead they should create a separate customized version if need arises. This way you don't run into risk of losing the customization if you mistakenly upload SAP delivered rule logic and also you get the flexibility of comparing your logic with SAP's for future changes.

Regards,

Amol

Former Member
0 Kudos

> In my opinion customer shouldn't change/tweak SAP delivered logic (risks/functions) instead they should create a separate customized version if need arises. This way you don't run into risk of losing the customization if you mistakenly upload SAP delivered rule logic and also you get the flexibility of comparing your logic with SAP's for future changes.

Apart from deactivating SAP standard rules that aren't appropriate for us, we haven't changed any of the standard ones. Where necessary we've copied a standard one, changed it, and deactivated the original. This is true for both risks and functions.

Is it true that risks and functions with the same names in the 5.1 and 5.3 rulesets will be identical in all respects? If true, that would make things much easier, but I haven't read that guarantee anywhere. Can you point me to it? If not, is there a document that lists any changes to the rulesets? Again, I haven't seen that anywhere. I may have just not been looking in the right places.

Thanks,

Steve.

Former Member
0 Kudos

I don't think that risks and functions with the same names in the 5.1 and 5.3 rulesets will be identical in all respects because functions may be updated with new transaction codes which may not be there in the previous versions. I think there is no easier way but to manually update via the Rule Architect.

Former Member
0 Kudos

Steve,

What Partha suggested is correct. There is no guarantee that 5.1 and 5.3 risks will be the same if they have the same name, as the tcodes or even authorization objects may be changed. We did the same exercise here at my current client and we called it 'Ruleset Redesign', and I had to create lots of functions and risks to keep our customization intact.

Regards,

Alpesh

Former Member
0 Kudos

> I don't think that risks and functions with the same names in the 5.1 and 5.3 rulesets will be identical in all respects because functions may be updated with new transaction codes which may not be there in the previous versions.

That's what I was expecting, and why I really want to compare the 5.3 and 5.1 rulesets. It may be that the 5.3 version of B001 is better than the 5.1 version, but I'll never know unless I can compare them side by side. And it seems there's no easy way of doing that. I might end up installing another RAR system just to hold the 5.3 ruleset while I compare it. That seems as easy as any other way.

It all seems like a lot of effort, and something that surely every GRC user needs to go through when they upgrade. This process needs to be much easier.

Steve.
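
An offline way to do the side-by-side comparison discussed in this thread, added here as an example and not part of any post above or of SAP's tooling: diff the two rule text files directly instead of loading both into one RAR system, which avoids the 4-character renaming problem. The column layout (ID in column 0, transaction code in column 2), the function IDs and the sample rows are constructed assumptions; adjust the column indexes to your real export files.

```python
import csv
import io


def load_mapping(text, key_col=0, value_col=2):
    """Parse a tab-delimited rule file into {id: set(values)}.

    Works for function -> action rows and, with other column indexes,
    for risk -> function rows. Column positions are assumptions.
    """
    mapping = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) <= max(key_col, value_col) or not row[key_col].strip():
            continue  # skip blank or truncated lines
        key = row[key_col].strip().upper()
        mapping.setdefault(key, set()).add(row[value_col].strip().upper())
    return mapping


def compare_rulesets(old, new):
    """Report IDs present in only one ruleset and same-named IDs whose content differs."""
    report = {
        "only_old": sorted(old.keys() - new.keys()),
        "only_new": sorted(new.keys() - old.keys()),
        "changed": {},
    }
    for key in sorted(old.keys() & new.keys()):
        added = new[key] - old[key]
        removed = old[key] - new[key]
        if added or removed:
            report["changed"][key] = {"added": sorted(added), "removed": sorted(removed)}
    return report


# Constructed sample rows: function ID, system, action (tcode), status.
OLD_51 = "FN01\tBAS\tFB60\t0\nFN01\tBAS\tF-43\t0\nZF01\tBAS\tFK01\t0\n"
NEW_53 = "FN01\tBAS\tFB60\t0\nFN01\tBAS\tF-43\t0\nFN01\tBAS\tFB65\t0\nFN02\tBAS\tF110\t0\n"

if __name__ == "__main__":
    result = compare_rulesets(load_mapping(OLD_51), load_mapping(NEW_53))
    print("Only in 5.1:", result["only_old"])
    print("Only in 5.3:", result["only_new"])
    for fid, diff in result["changed"].items():
        print(f"{fid}: added {diff['added']}, removed {diff['removed']}")
```

Same-named entries that land in `changed` are the ones to review by hand, since the same name does not guarantee the same content between versions.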