Rule Generation fails

former_member182655
Contributor
0 Kudos

Hello!

We have an issue. After installation a few months ago we uploaded the standard files (according to the postinstall steps) and now we are trying to load modified action/permission files.

We have a problem with the Rule Generation program. During the rule generation job we got a problem:

"Error while executing the Job:ERROR: Risk: F001 has exceeded the maximum number of rules (46,655) that can be generated for a risk"

According to note #1310365, everything is correct on our side for F001: the F001 risk consists of two functions, GL01 and GL02. GL01 has 168 actions and GL02 has 56 actions, i.e. 9408 rules in total (168*56). We think that it happens because we uploaded files for all systems and groups (for DEV200, PRD400 and their group ERP Systems; for PRD420 and its group CUA), in this case 9408 * 5 (number of systems) = 47040.

We have tried to upload empty files (action/permission with only one string in each). We hoped that it would clean all the information, so that after this we could load SoD again. But it didn't help...

What can we do?

P.S. [thread |; has been watched

Regards,

Artem

Accepted Solutions (1)


Former Member
0 Kudos

Artem,

After close study, I think I found some key point.

Per SAP note 1310365, max number of risk allowed per function are

tcodes in function1 X tcodes in func2 X 3

per example in note

Suppose you have a risk (P086) that includes three functions:

  1. MD12 with 21 actions

  2. BR08 with 46 actions

  3. TS22 with 34 actions

This particular risk applies to three different versions of SAP, all running on your environment. In this example, P086 translates to 98,532 distinct rules.

98,532 = 21x46x34x3

also since you had already uploaded standard rule sets........ and when you upload modified files....... it must be containing old tcodes also........ those should be removed.

regards,

Surpreet

former_member182655
Contributor
0 Kudos

ok,

but how could I delete unneeded data?

Which tool (path in config) could I use?

Former Member
0 Kudos

Hi Artem,

If you are on SP13, you have an option to delete the ruleset. Else, contact SAP to help you with a script.

Regards,

Raghu

Former Member
0 Kudos

per my knowledge below are tables related to Rules

VIRSA_CC_BUSPRC

VIRSA_CC_BUSPRCT

VIRSA_CC_FUNC

VIRSA_CC_FUNCT

VIRSA_CC_RISK

VIRSA_CC_RISKRS

VIRSA_CC_RULESET

VIRSA_CC_ACTRULE

virsa_cc_cract

virsa_cc_cractt

virsa_cc_crprm

virsa_cc_crprof

virsa_cc_crproft

virsa_cc_crrole

virsa_cc_crrolet

virsa_cc_funcprm

virsa_cc_prmrule

so delete data from these tables and reload the files (which contain standard and customized data)

may be cross check with SAP.

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Dear Surpreet,

If I need to delete data in problematic functions may I delete only low-hierarchy rows (such as DEV, PRD) and leave only high-hierarchy logical systems (such as ERP, CUA)? Or I should delete all rows under selected functions and then reload files?

Regards,

Artem

Former Member
0 Kudos

Artem,

i don't think Logical system will show up in these tables.

pls run query with VSYSKEY = 'CUA' on all the tables with VSYSKEY field

Also I am under the assumption that none of the old data is required......... because next files you upload will not overwrite.... rather append to existing ones

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Surpreet,

I've found that the data could be corrected in change mode under Rule Architect -> Function -> search, but now I have some doubts about what I should do:

I can check all functions and delete unneeded data only for DEV, PRD systems

or

I can check all functions and delete all data (for DEV, PRD, ERP, CUA)

I think that it's better to delete rows only for DEV, PRD (not for ERP, CUA) but I'm not sure how it will affect functionality. Will the remaining rows with ERP and CUA work well for their low-hierarchy systems (DEV, PRD)?

Former Member
0 Kudos

pls refer to SAP note 1416728 also.

if you are on required SP

i am little confused....... do you want to keep old data also....... ?

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Unfortunately this note doesn't suit me, because I only need to change actions/permissions rules, i.e. I need to:

1) upload new requirements of SOX;

2) generate rules;

3) generate new managements reports.


In summary, I need to get actual data for Informer.

If I use this note I delete old management reports and some vital data. But it's needed.

Consider the 1st point:

I only need to actualize actions/permissions in functions for above aims.

Thank you Supreet for attention to my problem.

Regards,

Artem

Former Member
0 Kudos

Artem,

i think i got hold of something........... this seems to be bug in code and there is workaround for this........

please run below query and let me know what result is shown

select * from virsa_cc_actrule where vsyskey <> 'ERP' and vsyskey <> 'CUA'

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Hello Supreet!

I've made some corrections in my configuration. Now I have the next result:

SQL> select count(*)from virsa_cc_actrule where vsyskey like 'ERP';

COUNT(*)
----
64654

SQL> select count(*)from virsa_cc_actrule where vsyskey like 'CUA';

COUNT(*)
----
64654

Former Member
0 Kudos

Well, I want to run the query with 'NOT EQUAL TO', however whenever I put 'lessthan greaterthan' signs, they disappear after I post the message.

Looks like those are treated as html tags

please run query

select * from virsa_cc_actrule where vsyskey NOT LIKE 'ERP' and vsyskey NOT LIKE 'CUA'

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Supreet, I appreciate you for answers,

Problem with exceeded number has disappeared. I "resolved" it by reloading all config files again. Now I have new issue:

"Error while executing the Job:Cannot assign NULL to host variable 1. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO "VIRSA_... (see log for details)"

For this issue I implemented the recommendations of note 1362138 - Rule generation - null pointer exception virsa_cc_rtmap.

I got the files via the programs /VIRSA/ZCC_DOWNLOAD_DESC /VIRSA/ZCC_DOWNLOAD_SAPOBJ, reuploaded them and then started the rule generation job again. But it was unsuccessful.

How can I find out what exactly happened? Which tcode is damaged?

Answers (3)


former_member182655
Contributor
0 Kudos

Continue here

former_member182655
Contributor
0 Kudos

OSS has been opened

Former Member
0 Kudos

hi Artem,

can you please check if you are using logical system....

and how does rules appear in virsa_cc_actrule

does rules exist only for logical system or individual system only

select * from virsa_cc_actrule where vsyskey <> 'name of logical system'

please check

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Hmmm... I got this

SQL> select * from virsa_cc_actrule where vsyskey like 'name of logical system';

no rows selected

Former Member
0 Kudos

are you using logical system.. if yes....... what's its name

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Oh, excuse me

I gave the following requests:

SQL> select count(*) from virsa_cc_actrule where vsyskey like 'ERP';

COUNT(*)
----
675702

SQL> select count(*) from virsa_cc_actrule where vsyskey like 'CUA';

COUNT(*)
----
74105

Former Member
0 Kudos

Artem,

the new Risk file you upload, please change Risk Id....... name........

why create again for F001......

it will hardly matter, as long as RAR is reporting the risk......

please advise if there is any restriction related to that in your organization

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Hi Surpreet!

We didn't change any functions or risks. We've just assigned our transactions and permissions to standard functions.

For example, we found that ZTCODE suits function BS00 and in the standard file we've just added a string

in action file:

BS00 <tab> ZTCODE <tab> 0

in permission file:

BS00 <tab> ZTCODE <tab> ZAutObj <tab> ZVALFRM <tab> ZVALTO <tab> 0

Then we reuploaded standard files with actions/permissions.

Other standard files stayed as they were.

Is it technically correct?

Regards,

Artem

Former Member
0 Kudos

please add this tcode via Rule Architect

then generate the rule.

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Surpreet,

I just gave an example. Frankly, I need to add about 1500 transactions. And it would be better to add them via excel, than by hand

Regards,

Artem

Former Member
0 Kudos

then please create rules with DIFFERENT functions, and with DIFFERENT RISK ids (e.g. risk id be F021, rather than F001).....

basically you have to see, which function is too big, split it and combine with other function (which is small)

if both functions are big, then create two or three new functions, and new risk id

best you contact SAP (oss) and get this resolved......

regards,

Surpreet
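A pre-upload check for the rule-count calculation discussed in this thread and for the advice to find which function is too big, as an added example that is not code from SAP or from any poster: it counts distinct actions per function in a tab-delimited action file laid out as quoted above and flags any risk whose product exceeds the 46,655 limit from the error message. The risk-to-function mapping, the `multiplier` argument (number of systems or SAP versions) and the generated action names are assumptions constructed for the example.

```python
from math import prod

MAX_RULES = 46_655  # per-risk limit quoted in the error message in this thread

def parse_action_file(text):
    """Map function id -> set of distinct actions from 'FUNC<tab>ACTION<tab>0' lines."""
    funcs = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 2 or not cols[0] or not cols[1]:
            continue  # skip blank or malformed lines
        # A set collapses duplicates, e.g. old tcodes repeated in a modified file.
        funcs.setdefault(cols[0], set()).add(cols[1])
    return funcs

def rule_count(function_ids, funcs, multiplier=1):
    """Product of the action counts of a risk's functions, times the multiplier."""
    return prod(len(funcs.get(f, ())) for f in function_ids) * multiplier

def risks_over_limit(risks, funcs, multiplier=1):
    """Return (risk id, rule count, largest function) for risks above MAX_RULES."""
    findings = []
    for risk_id, function_ids in risks.items():
        count = rule_count(function_ids, funcs, multiplier)
        if count > MAX_RULES:
            largest = max(function_ids, key=lambda f: len(funcs.get(f, ())))
            findings.append((risk_id, count, largest))
    return findings

def sample_action_file():
    """Constructed input: GL01 with 168 actions, GL02 with 56, plus one duplicate."""
    lines = [f"GL01\tZA{i:03d}\t0" for i in range(168)]
    lines += [f"GL02\tZB{i:03d}\t0" for i in range(56)]
    lines.append("GL02\tZB000\t0")  # duplicate line, must not be counted twice
    return "\n".join(lines)

# Assumed mapping; the thread states only that F001 consists of GL01 and GL02.
RISKS = {"F001": ["GL01", "GL02"]}

if __name__ == "__main__":
    funcs = parse_action_file(sample_action_file())
    for multiplier in (1, 5):
        print(multiplier, rule_count(RISKS["F001"], funcs, multiplier),
              risks_over_limit(RISKS, funcs, multiplier))
```
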