on 07-18-2012 12:34 PM
Hi,
Can someone please explain the relation between rules and risks in SAP GRC?
rdgs..........kk
Hi Krishna,
PFB description in general terms:
1. Risk:
It can be a combination of 2 or more functions which when given to a single user, can be harmful to the organization.
2. Rule:
It is generated from Risks automatically. E.g. if A and B are 2 functions in a risk R, such that:
A has transactions X and Y and
B has transactions M and N
so there can be multiple rules generated here for Risk R, with combinations like X and M rule, X and N rule, Y and M rule, Y and N rule etc.
3. Ruleset:
As the name suggests, it is a set of Rules, generated from Risks. Two Rulesets may contain the same, similar or dissimilar risks, based on the landscape for which you want to use the ruleset. E.g. you might have ruleset R1 having Risks 1 to N in your development system and ruleset R2 having Risks 1 to M in your Production system.
Hope this makes it a bit clearer. For more dependencies within these entities and how they behave with each other, I would suggest you create each with the help of the config guide from SAP; that would be more than enough for this purpose.
Best Regards,
Akhil Chopra
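The rule generation described above (functions A{X,Y} and B{M,N} in risk R expanding to the X/M, X/N, Y/M and Y/N rules), as an added illustration that is not part of the original thread and not SAP's own code: the risk data, the rule-ID naming scheme and the user's transaction list are all constructed here. The expansion also works for risks with three or more functions, one rule per pick of one transaction from each function.

```python
from itertools import product

# Constructed example data, not taken from the post: risk R is made of two
# conflicting functions, and each function is a set of transaction codes.
RISK_R = {"A": {"X", "Y"}, "B": {"M", "N"}}

def generate_rules(risk_id, functions):
    """Expand one risk into action-level rules: one rule for every combination
    that picks exactly one transaction from each function in the risk.
    Rule IDs use a made-up naming scheme (risk id + running number)."""
    names = sorted(functions)                       # stable function order
    picks = product(*(sorted(functions[n]) for n in names))
    return {f"{risk_id}{i:02d}": frozenset(p) for i, p in enumerate(picks, 1)}

def build_ruleset(risks):
    """A ruleset is the union of the rules generated from all of its risks."""
    ruleset = {}
    for risk_id, functions in risks.items():
        ruleset.update(generate_rules(risk_id, functions))
    return ruleset

def analyze_user(ruleset, user_tcodes):
    """Action-level risk analysis: a rule is violated when the user holds
    every transaction the rule lists. Returns the violated rule IDs."""
    held = set(user_tcodes)
    return sorted(rid for rid, tcodes in ruleset.items() if tcodes <= held)

if __name__ == "__main__":
    rs = build_ruleset({"R": RISK_R})
    for rid, tcodes in sorted(rs.items()):
        print(rid, sorted(tcodes))
    # A user holding X and N triggers R02 only; holding X and Y (both from
    # function A) triggers nothing, because no single function is a conflict.
    print(analyze_user(rs, {"X", "N", "Z"}))
    print(analyze_user(rs, {"X", "Y"}))
```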
Sorry, I am not able to get the correct meaning of the below sentence:
"so there can be multiple rules generated here for Risk R, with the combinations like X and M rule, X and N rule, Y and M rule, Y and N rule etc."
Could you please clarify a bit more..
your help is much appreciated..
rgds..........kk
Hi KK,
Risks:
A risk is an object that associates two or more conflicting functions, or it is defined as two or more actions or permissions that, when available to a single user, or single role, profile, organizational level, MIC, or HR Object, create the possibility of error or irregularity.
There are thousands of action combinations that can be categorized as risks. Risks can also be defined by different combinations of permissions associated with specific actions. Another name for combinations of two or more actions is functional group. Individual users, roles, or profiles can access risks or functional groups to perform a specific business function.
Rules:
You associate all of your risks with your rule set; rules are risk-specific. During configuration you identify the risks in your business, then at the business level you define and create the risks, correlate them 1:1 with transaction code combinations, and assign Risk IDs and other fields to the risks.
At the security level, an administrator creates corresponding functions and associates each function to a business process.
Functions tell the system to create the rules; the application auto-generates the rules to oppose the risks.
In the Rule Architect tab, you do not directly create your rules; rather, you create or identify a risk and then Risk Analysis and Remediation generates the rules. To identify the Risks produced in Risk Analysis reports, you need to identify the combinations of actions and permissions that represent conflicts.
The Rule Architect provides many of the tools you need to define SoD risks and business processes.
I hope this information helps you to distinguish between Risks and Rules.
Regards,
Yukti
Hi Krishna,
In addition to Vit's reply, you can also refer to these SAP Notes for a better understanding of the concept:
#1262329: The Differences between Action Level and Permission Level
#1593056: Best Practices for Remediation of Segregation of Duties risk
#1600667: Transactions that conflict with themselves
Along with this you can also refer to the Guides available on SMP.
Regards,
Shaily
If you ask Mr Google: risk rules grc - you get this: