on 06-05-2012 12:33 PM
Dear SAP GRC Gurus
I have a query on the recommended approach to GRC ruleset management. We are using GRC 10 and implementing ARA and SPM.
The approach we have taken to date is to maintain an offline copy of the standard GRC ruleset. We had planned to commence modifications to the existing standard ruleset. We have now compiled a list of custom Z transactions and identified which functions they should reside within. Critical and sensitive transactions and roles are also identified.
I have investigated this topic and found little concrete information on the recommended approach. We want to ensure we are not creating any potential issues in relation to upgrades etc. Can you advise on your approach? Did you create a duplicate/customised ruleset in GRC and deactivate the original ruleset? Did you assign a new naming convention to the duplicate/customised ruleset to identify it as custom, e.g. Z? My concern with this is the step away from the intuitive F*, S*, P* etc., where risk FI001 would then become ZFI001 and require a *F* search.
Please advise on the best approach which will allow for the easiest upgrade process. Advise if there is anything I have missed. Any insight or experiences would be greatly appreciated.
Many Thanks, Gráinne
Hi Gráinne,
Your approach is sound and steady, which is a good thing. It is a good idea to have your own custom naming convention, but there is nothing wrong with just modifying the SAP standard delivered ruleset, with brand new custom risk definitions and functions beginning with a "Z" prefix etc. You don't strictly have to step away from the intuitive F*, S*, M* etc., as the actual Risk may still be valid for your custom rule set.
Many companies may not have a custom SAP GRC rule set defined prior to the implementation of the tool; therefore the standard delivered rule set is a good starting point, with the aim of customisation over time to effectively build up/trim the rule set to the company's requirements.
As long as you have an offline copy backed up on a regular basis, I would advise you to maintain and build up the rule set as your company finds comfortable, to make the most out of the risk analysis and support your remediation and audit efforts.
All the best
Hi Grainne,
The approach you are choosing is the correct approach. The standard ruleset delivered by SAP is based on best practices, and usually all customers review/customize/update it before using it for their business.
You can update the TEXT files delivered by SAP with your customized data and then upload them into the GRC box.
This is what the best practices are.
Refer to the SAP Notes below which are related to Rules. Hope this helps.
Thanks & Regards
Neeraj
986996 - GRC Access Control - Best Practice for Rules and Risks
1611006 - Risks are not showing in SoD report that should
1604722 - Risk Analysis and Remediation Rule Update Q3 2011
1600667 - Transactions that conflict with themselves
1552985 - F110S rule incorrect - lists F_REGUL_KO should be F_REGU_KOA
1541577 - Impact of S_TABU_NAM in Risk Analysis and Remediation
1535330 - Compliance Calibrator 4.0 - Full Rule Deletion
1519557 - Rules by Process under Rule Library do not show numbers
1446680 - Risk Analysis and Remediation Rule Update Q2 2010
1349969 - Function AR04 - incorrect permission activated
1326497 - Risk Analysis and Remediation Rule Update Q2 2009
1238023 - New authorizations not updating in rule set
1173980 - Risk Analysis and Remediation Rule Update Q2 2008
1133589 - CC 5.x - How to build rules for "all" or "any" values
1083611 - Compliance Calibrator Rule Update Q3 2007
1061380 - Compliance Calibrator Rule Update Q2 2006
1050832 - ME23N in Compliance Calibrator (RAR) Default rules
1035070 - Compliance Calibrator Rule Update Q1 2007
1033326 - Risk Analysis and Remediation Rule Upload guidance