on 10-29-2010 7:24 AM
Hello!
We have an issue. After installation few month ago we uploaded standard files (according to postinstall steps) and now we are trying to load modified action/permission files.
We have a problem with Rule Generation programm. During rule generation job we have got a problem:
"Error while executing the Job:ERROR: Risk: F001 has exceeded the maximum number of rules (46,655) that can be generated for a risk"
According to note #1310365 on our side for F001 is all correct: F001 risk consist of two Functions - GL01 and GL02. GL01 has 168 actions, and GL02 has 56 actions, i.e. total 9408 rules (168*56). We think that it happens because we uploaded files for all systems and groups (for DEV200, PRD400and their group ERP Systems; for PRD420 and its group CUA), in this case 9408 * 5 (number of systems)=47040.
We have tried to upload empty files (action/permission with only one string in each), we hoped that it cleaned all information, and after this we can load SoD again. But it doesn't help...
What can we do?
P.S. [thread |; has been watched
Regards,
Artem
Artem,
After close study , i think i found some key point.
Per SAP note 1310365, max number of risk allowed per function are
tcodes in function1 X tcodes in func2 X 3
per example in note
Suppose you have a risk (P086) that includes three functions:
MD12 with 21 actions
BR08 with 46 actions
TS22 with 34 actions
This particular risk applies to three different versions of SAP, all running on your environment. In this example, P086 translates to 98,532 distinct rules.
98,532 = 21x46x34x3
also since you had already uploaded standard rule sets........ and when you upload modified files....... it must be containing old tcodes also........ those should be removed.
regards,
Surpreet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
per my knowledge below are tables related to Rules
VIRSA_CC_BUSPRC
VIRSA_CC_BUSPRCT
VIRSA_CC_FUNC
VIRSA_CC_FUNCT
VIRSA_CC_RISK
VIRSA_CC_RISKRS
VIRSA_CC_RULESET
VIRSA_CC_ACTRULE
virsa_cc_cract
virsa_cc_cractt
virsa_cc_crprm
virsa_cc_crprof
virsa_cc_crproft
virsa_cc_crrole
virsa_cc_crrolet
virsa_cc_funcprm
virsa_cc_prmrule
so delete data from these tables and reload the files (which contain standard and customized data)
may be cross check with SAP.
regards,
Surpreet
Artem,
i don't think Logical system will show up in these tables.
pls run query with VSYSKEY = 'CUA' on all the tables with VSYSKEY field
Also i am under assumpltion that none of the old data is required......... because next files you upload will not overwrite.... rather append to existing ones
regards,
Surpreet
Surpreet,
I've found that the data could be corrected in change mode under Rule Architect -> Function -> search, but now I have some doubts what should I do:
I can check all functions and delete unneed data only for DEV, PRD systems
or
I can check all functions and delete all data (for DEV, PRD, ERP, CUA)
I think that it's better to delete rows only for DEV, PRD (not for ERP, CUA) but I'm not sure how it will affect on functionality. Will left rows with ERP and CUA working good for their low-hierarchy systems (DEV, PRD)?
Unfortunalely this note doesn't suit to me, because I need only to change actions/permissions rules, i.e. I need:
1) upload new requirements of SOX;
2) generate rules;
3) generate new managements reports.
-
Summary, I need to get actual data for Informer.
If I use this note I delete old management reports and some vital data. But it's needed
Consider the 1st point:
I only need to actualize actions/permissions in functions for above aims.
Thank you Supreet for attention to my problem.
Regards,
Artem
well i want to run query with 'NOT EQUAL TO' , however whenever i put 'lessthan greaterthan' signs , they disappear after i Post message.
look like those are treated as html tags
please run query
select * from virsa_cc_actrule where vsyskey NOT LIKE 'ERP and vsyskey NOT LIKE 'CUA'
regards,
Surpreet
Supreet, I appreciate you for answers,
Problem with exceeded number has disappeared. I "resolved" it by reloading all config files again. Now I have new issue:
"Error while executing the Job:Cannot assign NULL to host variable 1. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO "VIRSA_... (see log for details)"
For this issue I implement recommendations of note 1362138 - Rule generation - null pointer exception virsa_cc_rtmap.
I got files via programms /VIRSA/ZCC_DOWNLOAD_DESC /VIRSA/ZCC_DOWNLOAD_SAPOBJ, reupload them and then started rule generation job again. But it was unsuccessfull.
How can I found out what exactly happened? What is tcode damaged?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
OSS has been opened
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Artem,
the new Risk file you upload, please change Risk Id....... name........
why create again for F001......
it will hardly matters, as long as RAR is reporting the risk......
please advice if there is any restriction related to that in your organization
regards,
Surpreet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Surpreet!
We didn't change any function and risks. We've just assigned our transactions and permissions to standard functions.
For example, we found that ZTCODE suits to function BS00 and in standard file we've just add string
in action file:
BS00 <tab> ZTCODE <tab> 0
in permission file:
BS00 <tab> ZTCODE <tab> ZAutObj <tab> ZVALFRM <tab> ZVALTO <tab> 0
Then we reuploaded standard files with actions/permissions.
Other standard files stayed as they were.
Is it technically correct?
Regards,
Artem
then please create rules with DIFFERENT functions, and with DIFFERENT RISK ids (e.g. risk id be F021, rather than F001.....
basically you have to see, which function is too big, split it and combine with other function (which is small)
if both functions are big, then create two or three new functions, and new risk id
best you contact SAP (oss) and get this resolved......
regards,
Surpreet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.