
User Analysis at Permission Level - Detail Report (RAR SP12)

Former Member
0 Kudos

Hello All,

I have a question regarding the User Level Analysis at Permission Level report. Currently, we are on GRC Access Control 5.3 SP12.

Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.

To test for accuracy and completeness of the reports, we have created test user and test role in the ECC development system and have uploaded rule and functions in the GRC system accordingly. Also the following jobs were completed successfully in the order mentioned:

1. user, roles, and profile synchronization.

2. Batch Risk Analysis

3. Management Report.

But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" in the Permission Object column and "Transaction Code" in the Field column.

Why can't I see conflicts based on other authorization / permission objects? Is there something that I am missing? We had created the scenario with display access to check for false positives. But I am still able to see that T-code in the permission report (as the report is only showing T-code level conflicts).

Looking forward to hearing from you all.

Thanks in advance,

Regards,

Sahil.

Accepted Solutions (1)


Former Member
0 Kudos

Yes, you will see S_TCODE also at permission level analysis.

Permission level rules are based on the action level rules.

The same rules that exist for action level are further converted to permission level rules (to remove false positives).

Now, critical permission level analysis is the one you are thinking of.

It is only based on objects, e.g. which users have access to S_TRANSPORT.

Go to Rule Architect and open that permission level rule (7 char risk ID).

All these enabled rows which fall under this risk ID are ONE permission level rule.

regards,

Surpreet

Answers (2)


Former Member
0 Kudos

Please check table VIRSA_CC_PRMRULE.

It contains all permission level rules.

regards,

Surpreet

koehntopp
Product and Topic Expert
0 Kudos

Do your functions have ACTVT 01 OR 02 enabled...? Have you generated the rules?

Frank.

Former Member
0 Kudos

@ Supreet,

Exactly, I too have the same understanding as you have mentioned about action rules and permission rules. However, I can see that there are entries in the VIRSA_CC_ACTRULE table, whereas the table VIRSA_CC_PRMRULE is empty. Apart from the VIRSA_CC_PRMRULE table, I can still see a few tables that are empty, like VIRSA_CC_SYSTEM, VIRSA_CC_USRMAP, etc.

Also, I did check the Permission rules in the Rule Architect; it shows only "Transaction Code Check at Transaction Start" in the Permission Object column and "Transaction Code" in the Field column. No other authorization / permission objects are present in the list.

I have double-checked the functions uploaded. I had also executed the Batch Risk Analysis at permission level.

@Frank,

I have enabled the activity 1 and 2 and generated the rules accordingly.

Regards,

Sahil

Edited by: Sahil Bhanushali on Nov 2, 2010 6:11 AM

Former Member
0 Kudos

If the VIRSA_CC_PRMRULE table is empty, then it means there are no permission level rules in your table.

Are these standard rules uploaded, or have you done some customization?

Also please check the tables below:

VIRSA_CC_FUNC

virsa_cc_funcprm

Please provide the names of all the files you used to upload and then generate rules. It looks like you missed the file which contains the data for VIRSA_CC_FUNCPRM.

regards,

Surpreet

File name is <basis/crm>_function_permission.txt

Edited by: Surpreet Singh Bal on Nov 2, 2010 11:46 AM

Former Member
0 Kudos

@ Surpreet,

I did check the tables VIRSA_CC_FUNC and VIRSA_CC_FUNCPRM and they look fine, as I can see them populated.

Following are the file names that are uploaded:

1. Business Process.txt

2. Function Action.txt

3. Function_BP.txt

4. Function_Permission.txt

5. Function.txt

6. Risk.txt

7. Risk_Desc.txt

8. Risk_Ruleset.txt

9. Ruleset.txt

Regards,

Sahil.

Former Member
0 Kudos

Sahil,

What are the values in your table VIRSA_CC_SAPOBJ?

It contains the SU24 data.

regards,

Surpreet

And please paste a few entries from your Function_Permission.txt file.

Edited by: Surpreet Singh Bal on Nov 2, 2010 11:57 AM

Former Member
0 Kudos

@ Surpreet,

I did check the VIRSA_CC_SAPOBJ table and it does contain the uploaded SU24 data. I did upload the SAPOBJ file along with the TEXT file before uploading the ruleset files (per the implementation steps).

Following are entries from the Function_Permission.txt file:

FP10TEST FB01 F_BKPF_BED ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_BED BRGRU * 0

FP10TEST FB01 F_BKPF_BEK ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_BEK BRGRU * 0

FP10TEST FB01 F_BKPF_BES ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_BES BRGRU * 0

FP10TEST FB01 F_BKPF_BLA ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_BLA BRGRU * 0

FP10TEST FB01 F_BKPF_BUK ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_BUK BUKRS $BUKRS 0

FP10TEST FB01 F_BKPF_GSB ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_GSB GSBER $GSBER 0

FP10TEST FB01 F_BKPF_KOA ACTVT 1 2 OR 0

FP10TEST FB01 F_BKPF_KOA KOART $KOART 0

FP10TEST FB01 F_FAGL_SEG ACTVT 1 2 OR 0

FP10TEST FB01 F_FAGL_SEG GLRRCTY * 0

FP10TEST FB01 F_FAGL_SEG SEGMENT * 0

Regards,

Sahil.

NOTE: I did check and noted that rules at Permission Level are not getting generated. When you execute Generate Rules from the Configuration tab, only Action level rules are generated; NO permission level rules are generated.

Edited by: Sahil Bhanushali on Nov 2, 2010 8:26 AM
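As an added illustration of Surpreet's point that permission level rules are the action level rules refined with each function's permission objects, here is a small Python model (my code, not the thread's or SAP's) that runs the FB01 rows posted above against a constructed posting user and a constructed display-only user. The file column layout, the status and wildcard semantics, and the AND-across-objects combination are assumptions for this example, not documented RAR behaviour.

```python
# Added example, not code from the thread or from SAP. Assumed row layout,
# mirroring the Function_Permission.txt rows posted above:
#   FUNCTION ACTION OBJECT FIELD VALUE_FROM [VALUE_TO] [AND|OR] STATUS
# Assumed semantics: STATUS 0 = enabled, "*" = any value (rule or user side),
# "$VAR" = org-level variable (treated as any value), two values = a from/to
# range, and every enabled object of the action must be held (AND across objects).
from collections import defaultdict
FUNCTION_PERMISSION_TXT = """\
FP10TEST FB01 F_BKPF_BED ACTVT 1 2 OR 0
FP10TEST FB01 F_BKPF_BED BRGRU * 0
FP10TEST FB01 F_BKPF_BUK ACTVT 1 2 OR 0
FP10TEST FB01 F_BKPF_BUK BUKRS $BUKRS 0
"""

def parse_function_permissions(text):
    """{(function, action): {object: [(field, vfrom, vto)]}} for enabled rows."""
    perms = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[-1] != "0":  # too short, or a disabled row
            continue
        func, action, obj, field, *values, _status = tok
        values = [v for v in values if v not in ("AND", "OR")]
        perms[(func, action)][obj].append((field, values[0], values[-1]))
    return perms

def value_matches(have, vfrom, vto):
    """Does one value the user holds satisfy the rule's value or range?"""
    if have == "*" or vfrom == "*" or vfrom.startswith("$"):
        return True
    if have.isdigit() and vfrom.isdigit() and vto.isdigit():
        return int(vfrom) <= int(have) <= int(vto)  # ACTVT "01" vs rule "1"
    return vfrom <= have <= vto

def action_level_hit(user_auth, action):
    """Action level: only S_TCODE is inspected, so display-only users hit too."""
    return action in user_auth.get(("S_TCODE", "TCD"), set())

def permission_level_hit(user_auth, func, action, perms):
    """Permission level: S_TCODE plus every enabled object of the action."""
    return action_level_hit(user_auth, action) and all(
        any(value_matches(v, vf, vt) for v in user_auth.get((obj, f), ()))
        for obj, fields in perms[(func, action)].items() for f, vf, vt in fields)

# Constructed users: POSTER may create/change documents, VIEWER only display.
POSTER = {("S_TCODE", "TCD"): {"FB01"}, ("F_BKPF_BED", "ACTVT"): {"01"},
          ("F_BKPF_BED", "BRGRU"): {"*"}, ("F_BKPF_BUK", "ACTVT"): {"02"},
          ("F_BKPF_BUK", "BUKRS"): {"1000"}}
VIEWER = {k: ({"03"} if k[1] == "ACTVT" else v) for k, v in POSTER.items()}
PERMS = parse_function_permissions(FUNCTION_PERMISSION_TXT)
```

Both users are hits at action level because both hold FB01 in S_TCODE; only POSTER remains a hit at permission level, which is the false positive the permission rules are meant to remove.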

Former Member
0 Kudos

This is strange...

OK, can you please paste entries from the VIRSA_CC_SYSTEMC table?

Sorry for asking for so much data; I am trying to figure out where the issue could be.

regards,

Surpreet

And check that none of the tables below is empty:

VIRSA_CC_BUSPRC

VIRSA_CC_BUSPRCT

VIRSA_CC_FUNC

VIRSA_CC_FUNCT

VIRSA_CC_RISK

VIRSA_CC_RISKRS

And I hope you have maintained the default ruleset in the Configuration tab.

Edited by: Surpreet Singh Bal on Nov 2, 2010 2:04 PM

Former Member
0 Kudos

@ Surpreet:

No need to apologize. Actually, I am very thankful to you for taking the time to resolve my issue.

Following is the output of the VIRSA_CC_SYSTEMC table:

Row VSYSKEY| SYSNAME| SYSTYPE| SYSCON1| SYSCON2| SYSCON3| SYSCON4| SYSCON5| STATUS| MGMTRLVNT| SYSCON6| SYSCON7| SYSCON8| SYSCON9| EXTOBJ|

1 DIHCLNTY00 DIH = HR Development + CUA SAP SAPJCO Y00_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= 0 0 xx.xxx.xx.xxx sapgw00 N

2 DINCLNTY00 DIN = ECC Development + CUA SAP SAPJCO Y00_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= 0 0 xx.xxx.xx.xx sapgw00 N

3 DIH DIH - HR Development System SAP SAPJCO Y00_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= X 0 0 xx.xxx.xx.xxx sapgw00 N

4 PIHCLNTY00 PIH: HR Production SAP SAPJCO Y00_00_EN_SUPER rfc_grc 7bkH3DDKUi0= 0 0 xx.xxx.xx.xxx N

5 ECC 6.0 ECC landscape (PINCLNTY00 + QINCLNTY00 + DINCLNTY00) LSYS ECC 6.0 ECC 6.0 0 1

6 QIHCLNTY00 QIH: HR Quality SAP SAPJCO Y00_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= 0 0 xx.xxx.xx.xxx sapgw00 N

7 QINCLNTY00 QIN: ECC Quality SAP SAPJCO Y00_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= 0 0 xx.xxx.xx.xx sapgw00 N

8 PINCLNTY00 PIN: ECC Production SAP SAPJCO Y00_00_EN_SUPER rfc_grc 7bkH3DDKUi0= 0 0 xx.xxx.xx.xxx N

Also, all the tables mentioned in your message are populated appropriately.

Regards,

Sahil.

NOTE: I have raised an OSS message for this issue and even SAP is confused as to why this problem has surfaced. Also, per note # 1121447, from SP9 onwards VIRSA_CC_PRMRULE will no longer have any entries, as the risk engine goes to each function definition when analyzing risks at the permission level.

Edited by: Sahil Bhanushali on Nov 2, 2010 12:51 PM

Former Member
0 Kudos

<<<<<1 DIHCLNT200 DIH = HR Development + CUA SAP SAPJCO 200_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= 0 0 xx.xxx.xx.xxx sapgw00 N

2 DINCLNT200 DIN = ECC Development + CUA SAP SAPJCO 200_00_EN_SUPER RFC_GRC 7bkH3DDKUi0= 0 0 xx.xxx.xx.xx sapgw00 N >>>>>>>>>>>

The above is confusing.

Two connections for the same system??

Either the system number should be different, or the client...

Please check.

regards,

Surpreet

Note: make sure SUPER exists in SMLG.

Edited by: Surpreet Singh Bal on Nov 2, 2010 5:44 PM

Former Member
0 Kudos

@Surpreet:

If you check, the two systems are different, as follows:

- DIHCLNT200 - HR Development system

- DINCLNT200 - ECC Development system

Are you saying that the group SUPER should be maintained as a logon group in SMLG? I did check in SMLG, and there is NO SUPER maintained as a user logon group in my system. Since it was not mentioned in any document, we did not perform this activity.

Regards,

Sahil

Former Member
0 Kudos

RAR will check it at the technical level, and 200_00_EN_SUPER refers to two identical systems with client 200 and system number 00, so this can cause an issue.

Also, it is compulsory to have a 'LOGON GROUP' in SMLG, and the same is to be maintained in the RAR connections. Please create one... so in your case with the name SUPER.

regards,

Surpreet

Former Member
0 Kudos

@Surpreet:

I have created the SUPER user logon group for RAR.

But won't the RAR system also check the system's IP address?

In my scenario at the client site, the HR development and ECC development systems have the same client number 200 and the same system number 00, but different IP addresses.

Regards,

Sahil.

Former Member
0 Kudos

I doubt it... please check with SAP.

The logic is that all the tables refer to VSYSKEY to distinguish the rules for two different systems.

Check whether, in table VIRSA_CC_ACTRULE, you can distinguish which rules are for HR and which are for ECC:

select * from virsa_cc_ACTRULE where VSYSKEY = 'system name'

regards,

Surpreet

Former Member
0 Kudos

@Surpreet:

As previously mentioned I have raised the issue to SAP. But now I shall ask this additional question to them too.

The following two queries generate correct results:

- select * from VIRSA_CC_ACTRULE

- select * from virsa_cc_ACTRULE where VSYSKEY = 'system name'

I also did a quick check by picking samples to verify that entries are present for all the relevant systems. I am thoroughly confused as to why the permission rules are not generated.

Regards,

Sahil.

Former Member
0 Kudos

Sahil,

Please do the steps below, and if the issue is still not resolved... I give up...

1. open one of DIHCLNT200 in change mode

2. select connection type as 'local file'

3. Save

4. now logoff and login again

5. run analysis at permission level and let me know the result

regards,

Surpreet

Former Member
0 Kudos

@ Surpreet

I tried all the steps as you mentioned and it did not work. As I had raised an OSS message, SAP said that there is a bug in SP 12 and hence to install SP 13 patch 2 to resolve the issue. We had opened the connection for SAP, but they could not resolve the problem, and the only solution they provided is to upgrade to SP 13 patch 2.

Regards,

Sahil.

Former Member
0 Kudos

Yes...........

SAP note 1168120