cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Custom Rule Sets in GRC AC 10

Go to solution
Akshay_G
Contributor

on ‎06-25-2013 7:51 AM

0 Kudos

Hi GRC Experts,

We are trying to create custom Rule Sets in GRC AC 10 specific to our org. risks.

Recently we have also upgraded GRC to SP12.

We downloaded the Custom Rule Set from Virsa 4.0 and formatted it in GRC AC 10 Format before uploading.

I have few queries regarding this:

1) In GRC, I see that rule set Download/Upload is System (Connector) Specific. In the drop down of System's field, the connectors (RFC to Back-ends) are coming along with the logical groups (Group of Connectors). Which is to be used?

2) Please help me understand, we have connectors (as in the RFC to Back-end ERP Systems), then we have Connector Groups (In SPRO, which in turn contains connectors), how does GRC connect from/to back-end system? Using Connector or Groups? While running risk analysis which is used? Connectors or Groups? I am quite confused with the Connector groups vs Connectors!

3) After uploading the Custom Rule Set, we will have to do a Rule Generation, right? So if the rules have been uploaded successfully followed by Rule Generation, we should be able to see the Custom Additions in NWBC, right?

Regards,

Akshay.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Akshay_G
Contributor
‎06-27-2013 7:43 AM
0 Kudos

We identified there was a difference in the formatting of Download from VIRSA Rule Set Dump, and what was supposed to be uploaded to GRC AC 10. In particular, in the Risk Definition file which has got: Risk_ID--Funct1--Funct2--BizProcess and so on, we observed by downloading the GLOBAL rule set from GRC that there are 4 TABS between 2nd Function and the business process, which opens for the possibility in GRC that a risk can have combination of more than 2 functions, also there are standard risks with single functions. We did not consider this earlier.

So now I have downloaded the GLOBAL rule set dump from GRC, and used that formatting to create my custom rule set and then uploaded it. Voila! it went like a charm.

However, we uploaded the new rule set as Z* with overwrite assuming that, GLOBAL would not be overwritten, But everything was wiped off and only the new Z* rule set got populated.

So we restored GLOBAL via BC Set and then re-uploaded the complete Z* rule set with append mode, which clarifies the overwrite and append as simply as it means. Overwrite is overwrite ALL for sure.

Regards,

Akshay.

Show replies
Show replies

Answers (2)

Answers (2)

former_member184114
Active Contributor
‎06-25-2013 9:45 AM
0 Kudos

Akshay,

Please find below answers to your queries:

1. As you know, the logical group is the grouping of backend systems. Therefore, if you want your rule set to affect some group of the back end systems, then please select the defined logical group. Otherwise, if you want you rule set to affect only one system, then please select respective RFC system connector.

2. Let me help you understand this. Connector group is quite "Relative" word. Considering above explanation of mine, if you "want" your rule set to affect multiple systems at one shot, then you go ahead and make use of connector group (which is defined in SPRO, in turn consisting of multiple back end systems (RFCs)).

3. Of course, you are very right. You need to generate the rule set once it is successfully uploaded. Definitely, you would be able to see all your customization in NWBC (under Functions...etc)

Hope this has cleared your doubts

Regards

Show replies
Show replies
Akshay_G
Contributor
‎06-25-2013 11:01 AM
0 Kudos

Hi,

Thanks for the quick response. I totally agree with you on Conn. Groups vs Logical Connectors.

Regarding the upload of Rule Sets, I have tried it both the ways using Connector & Connector Group.

My connector is LESCLNT140 and Connector group is SAP_R3_LES which contains only 1 connector that is LESCLNT140.

Upload of Rule set says successful, after which I generate rules with Risk ID = *

This also happens completely, but now if I go to check Functions/Risks/Rule Set nothing new (Custom) is added, not even the Business Processes & Sub processes in SPRO.

Anyhow the upload is not happening successfully.

So we started to do this manually. We have total of 100 custom risks, we have defined few in entirety and generated them and we are getting these custom risks on Performing SOD Risk Analysis.

But batch upload of Rule Set is not happening. We are uploading rules from Text Files (Tab-Delimited), any suggestions on what could be the reason?

Regards,

Akshay.

former_member193066
Active Contributor
‎06-25-2013 11:25 AM
0 Kudos

Hello,

Upload of rule set is sucessfull but business process is blank?

did you try to select overwrite at the bottom of screen incase you are not using any other rule set.

please check connector, application type should be SAP both for connector and logical group.

incase file format is not perfect , other way is activate standard BC set. download the rule set and use thier forma and upload the one you have created.

Regards,

Prasant

former_member184114
Active Contributor
‎06-25-2013 12:18 PM
0 Kudos

Akshay,

Good to hear that half of your problem got solved

As far upload, I would suggest you to kindly upload one function/risk/BP...(as a test) and check if they are getting updated. From your explanation, I could only make out that "upload" is a problem here!

Therefore, please double check if you are using correct format. I would suggest that download the existing rule set and then try to take only one function/BP/risk....and modify them and upload with option "Append".

Please update here later.

All the best!

Regards

Akshay_G
Contributor
‎06-26-2013 4:32 AM
0 Kudos

Hi Prasant,

Nothing is successful if we do "Upload Rule Sets".

So we have started to do it manually in NWBC.

We used append, while uploading and is it like, that this the new Rule Set other than GLOBAL.

So for the first time overwrite is to be used? If I use overwrite, I guess it should not overwrite anything in GLOBAL , right?

Connector group type is "Logical Group"

Connector group Connection Type is "SAP"

Target Connector Connection Type is "SAP"

Before uploading the Custom Rule Set, we verified it with the GLOBAL rule set from GRC.

Formatting seems to be consistent, but we will try once again.

Regards,

Akshay.

Akshay_G
Contributor
‎06-26-2013 4:35 AM
0 Kudos

Hi GRC Consultant (It would be great to know your real name )

Yeah, we will try to download the GLOBAL rule set dump and modify it for one custom risk and try to upload. Seems like this suggestion could work out. Will post soon!

Thanks again.

Regards,

Akshay.

former_member193066
Active Contributor
‎06-26-2013 4:57 AM
0 Kudos

Hello Akshay,

I had same issue with demo enviroment.

what i did is reactivated ruleset(do not reactivate common BC set,reactivate specific one)

Then download them make necessay changes and upload it.

Regards,

Prasant

former_member184114
Active Contributor
‎06-26-2013 6:29 AM
0 Kudos

Akshay,

Please download the "GLOBAL" rule set and then name it like "Z<Your Company Name>". Please replace "GLOBAL" in all the file with "Z<Your Company Name>" . This will make you customized rule set. Do not forget to select option "APPEND". Since you are adding a new customized rule set to an existing one. In case if you have any problems, you can again refer back to SAP delivered GLOBAL rule set.

Having done this, you will find 2 rule sets: GLOBAL and Z<Your Company Name>. Then again download your Z<Your Company Name> rule set and then start adding/deleting/modifying required changes to this rule set and this time please select "OVERWRITE" option. Since you are modifying the existing rule set.

Hope this clarifies the process!

Regards,

Former Member
‎06-26-2013 1:56 PM
0 Kudos

Akshay,

Too bad there is not a "LOVE" button, "like" is not strong enough for how I feel about this comment of yours:

Akshay Gupta wrote:
Hi GRC Consultant (It would be great to know your real name )

My personal approach is to not respond to people who operate on SCN under fake names. If we can't know who they are, they are not really members of the community. Just my opinion, but rewarding fakes with genuine engagement only encourages them to continue.

Cheers,

Gretchen

Akshay_G
Contributor
‎06-27-2013 7:16 AM
0 Kudos

Hi Gretchen,

I totally agree with you on how this should be put to check.

I mean this is a unique situation here, that member's are not operating under real alias but are still actively participating within the SAP Community.

Even, I have seen members operating under the names of Organization's like XYZ Consulting Pvt. Ltd on SCN. I feel that SCN as an eco-system has been very supportive and there is not a pinch of hostility. Infact, the way this community functions encourages members to come out of there shell and engage more.

Still, as I said, this is an ambivalent situation here, but I too feel there should be some check in place for this kind of engagement by the moderators. It is absurd to actively participate (which i dearly appreciate) under a unreal alias. SCN is a platform of real engagement, collaboration with nearly more than 2.5 Mil members. It's not some odd-regular networking platform built in a day. It has got some real credibility here, where folks with rich SAP experience also come under the same roof.

This needs its due check, my two cents. Perhaps, a more open discussion on this by others would be even worth it, for the way you and I feel about it.

Regards,

Akshay.

Akshay_G
Contributor
‎06-27-2013 7:52 AM
0 Kudos

Regarding the OVERWRITE mode of Rule Upload, what I observed is:

1) If you have only one rule set initially which is GLOBAL, and you upload custom rule set with OVERWRITE, GLOBAL will be lost.

2) To retain GLOBAL and upload custom, you must use append.

3) Now, if you would like to update your custom rule set, you mention you must use overwrite. Will it not, wipe off GLOBAL along with old Custom Rule Set and will replace it with New Custom Rule set. But you have lost GLOBAL! So overwrite is really not the correct mode, if you would like to work only with custom rules. I believe you will have to use append and validate if GLOBAL is as it is and Custom is appended (updated). Other wise, download the GLOBAL  and then Upload GLOBAL with overwrite followed by New Custom Rule set with append.

Let me know, if I am wrong here!

Regards,

Akshay

former_member184114
Active Contributor
‎06-30-2013 6:35 AM
0 Kudos

Akshay,

Good to see all your valuable inputs and efforts

I totally agree to your point numbers 1 and 2.

As far point#3, I believe you will have to use "append" mode while uploading the modified custom rule set. This will "update" the custom rule set with the changes you have incorporated in it. Of course, "overwrite" will remove everything currently existing and replace it with the new one. 

Regards

former_member193066
Active Contributor
‎06-25-2013 8:48 AM
0 Kudos

Hello,

you can use ruleset either specfic to connector or logical group.

if you upload for connector will be specific to that connector.

if you use for logical group ,which ever system is defined to that logical group the ruleset will be aplicable for those system,this actually simplifies your effort.

example :if you have 3 system which can share same rule set, you dont need to upload specific to connector you can upload to logical group they all can share same ruleset.

Yes,after uploading nce you generate you will be able to see them in NWBC.

Regards,

Prasant

Show replies
Show replies
Ask a Question