on 06-28-2013 11:05 AM
Hi All,
I am working on VIRSA CC 4.0 to GRC 10 Migration.
I have downloaded Ruleset from VIRSA 4.0. & Uploaded to GRC using SPRO.
I have found mismatch in search type value (AND instead of OR) after checking in the permission tab of the function.(But this problem for some functions mostly for those functions which have ACTVT field value. )
But No violations found in the risk analysis for those affected functions (I have sync repository & also generate rule).
What I should do in such case?
Thanks in advance.Any Help is Appreciated.
Regards ,
Parag.
Hi All,
After exploring more on the above issue i have concluded that
Actually, GRC does not allow mix of AND and OR for the multiple values
of the same field within an authorization object group.
If this is the case then system will automatically change the values.
Please ref SAP Note #1330165 for more detail on this.
Regards,
Parag.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Parag Kumbhar
Check this note
Note 865572
Note 1790454
Regards,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
As per your reply I have given input to User Level Rask Analysis as per below screenshot:-
Refer Image 1.(Input for risk analysis)
But It only show risk on ACTION level not for PERMISSION level as per below screen shots:-
Action Level:-
Refer Image 2.(Action Level)
Permission Level:-
Refer Image 3.(Permission Level)
Kindly guide me to understand why it is showing different result for all same input value except type of Report. (Action/Permission level).
Regards,
Parag.
Hello,
You have dwloaded from table all 7 files converted them to appropriate 9 file and uploaded?
and generated ruleset?
could you please try to create 1 risk maunally and test the same?
i feel it migt be issue with the format you have uploaded.
you can activate BC set and test as well and use the standard format,then change as per your downloaded ruleset and upload by selecting overwrite option.
Regards,
Prasant
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Prasant,
First of all thanks for your guidance.
As per your opinion whenever I have tried to create risk manually the search type value in the function permission table shows AND even if I entered it OR after saving the function.Mostly I have faced this problem where the field value is ACTVT & the status of function is Active .
If I changed the status of the function from active to inactive & I entered the value of search type
OR then the value remain as it is.(Does not changes to AND).
Regards,
Parag.
Hello All,
Risk found if i have performed access risk analysis on Action level but risk not found if I have performed it on Permission level for same System,User,Risk type,Rule set,User type.
I have uploaded value as per below format using tab delimited text files.
Uploaded Format:-
Function ID | Transaction | Object | Field | From Value | To value | Search Type | Status |
ZF19 | VL01 | V_LIKP_VST | ACTVT | 1 | 1 | OR | 0 |
ZF19 | VL01 | V_LIKP_VST | ACTVT | 4 | 4 | OR | 1 |
ZF19 | VL01 | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 1 | 1 | OR | 0 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 4 | 4 | OR | 1 |
ZF19 | VL01N | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
The values gets uploaded in GRC format as per below format.
GRC format:-
Function ID | Transaction | Object | Field | From Value | To value | Search Type | Status |
ZF19 | VL01 | V_LIKP_VST | ACTVT | 1 | 1 | AND | 0 |
ZF19 | VL01 | V_LIKP_VST | ACTVT | 4 | 4 | OR | 1 |
ZF19 | VL01 | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 1 | 1 | AND | 0 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 4 | 4 | OR | 1 |
ZF19 | VL01N | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
The value of search type changed (AND instead of OR) for uploaded format mostly where field value is ACTVT & status is active.
Kindly help me to resolve GRC format issue.Thanks in advance......!!!
Regards,
Parag.
You are trying to use excel to make changes .
ensure 01 should not be 1.
example
from value of actvt should be 01 and 04 not 1 and 4
and use SAP format..
what i meant ver here is
when you open it in excel it will not identify "0" before "1"
like if it is 01 if you open in excel it will be 1.
esnure it always 01.
u will find the risk.
Regards,
Prasant
Hi Prasant,
I have tried as you said above but issue is not resolved as displayed in below screenshots.
Uploaded Format:-
ZF19 | VL01 | V_LIKP_VST | ACTVT | 01 | 01 | OR | 0 |
ZF19 | VL01 | V_LIKP_VST | ACTVT | 04 | 04 | OR | 1 |
ZF19 | VL01 | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 01 | 01 | OR | 0 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 04 | 04 | OR | 1 |
ZF19 | VL01N | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
GRC Format:-
ZF19 | VL01 | V_LIKP_VST | ACTVT | 01 | 01 | AND | 0 |
ZF19 | VL01 | V_LIKP_VST | ACTVT | 04 | 04 | OR | 1 |
ZF19 | VL01 | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 01 | 01 | AND | 0 |
ZF19 | VL01N | V_LIKP_VST | ACTVT | 04 | 04 | OR | 1 |
ZF19 | VL01N | V_LIKP_VST | VSTEL | $VSTEL | $VSTEL | AND | 1 |
Kindly help me to resolve this issue.
Regards,
Parag.
Hi Prasant,
Mismatch found in the Search type on Function permission table while uploading Custom Rule Set
System Information:
GRC Version: SAP GRC Access Control 10.0 SP12 [GRCFND_A - V1000 – 0012]: System LEG Client 100
Underlying SAP Platform: Netweaver 7.02 AS ABAP
Backend ERP System: ERP6 EHP6 AS ABAP with GRC Plug-in GRCPINW - V1000_700 – 0006: System LES Client 140
Problem Description:
We have uploaded SOD rules (Custom Ruleset ) in the LEG system client 100 using transaction code SPRO and we also generated the rule set After uploading the rules we have checked in the LEG system using transaction code NWBC .We observed that mismatch found in the search type values on the permission tab of the functions. Search type values are AND even though we uploaded it as OR not for all functions but mostly for functions having Field values ACTVT & function status is ACTIVE.
Our observation regarding to these issue are as below:-
1) Rule Set download was OK to Excel Files
2) Text Files used for Rule Set upload also have the same correct values.
3) The issue is not related to download/upload but is in the system.
4) On manually correcting the Search Type fields from AND to OR and saving it, it again changes to AND
5) On Deleting the permission definitions and creating new from Scratch with Search type OR and saving it again also converts it back to AND
6) This behaviour only in cases where the permission status is Active.
Here we show some sample functions facing issue.
Uploaded Format:- ( Function permission table )
Refer Image scn 0
GRC format (Mismatch i.e. Got converted into AND instead of OR):-
Refer Image scn 1
After checking in the GRC we found the search type has been changed to AND even though we have uploaded OR for two places in the ZF18.
After checking in the GRC we found the search type has been changed to AND even though we have uploaded OR for two places in the ZF19.
For further analysis, We have performed Risk Analysis user level & Report Option type Action Level.
shows risk
We have performed Risk Analysis user level & Report Option type Permission Level.
Doesn't show risk
Regards,
Parag.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.