on 08-05-2013 3:20 PM
Hello All,
I have a requirement to create rules and rule sets in GRC 5.3 (RAR). I believe we need to create a risk, then the system will generate the rule accordingly. Can someone please shed some light on how we create rules and rule sets in a real-time RAR system? Currently, we have 4 rule sets in our system.
I am new to this community, any suggestions or documentation would be a great help.
Please let me know if any further information is needed from my end.
Thanks!
Regards,
Preethi G
Hi Preethi
Honestly, go to the SAP Marketplace for Installation and Upgrade Guides. Obtain the SAP GRC 5.3 Configuration Guide and it steps you through everything. This guide is quite comprehensive on the configuration and tips/recommendations.
You need to define your connectors (and logical systems if you are using them) and upload your authorisation text files, etc. You then go to Rule Architect to define your functions, risk and rule sets.
Regards
Colleen
Hi Colleen,
Thanks for replying!
In the configuration guide, it's mentioned more about 'Rule Upload' (which is usually done while setting up the first rule set in the system). My requirement is to create a new ruleset (which can have existing functions as well); once this rule set is live we will only use this new rule set and the existing one will be deleted from the system. Hence I believe I should go with the 'Import rules' option (under Rule Architect) rather than the 'Rule upload' option (under configuration). Please suggest if "import rules" or "rule upload" will be applicable for my case.
Additionally I have below two doubts:
1. If I am going through the 'Import rules' option, do I still need to define connectors (as mentioned earlier I am not setting up a new GRC system, I am just creating a new rule set in an existing GRC system; as per my knowledge I need not define connectors, just rule import will do)? We have only one logical system.
2. How do we export the existing rulesets? I want to check for functions/actions and their respective permissions for the existing ruleset. I am trying to export the existing rule set from Rule Architect -> Utilities -> Export, but when I am opening the file in Notepad, it's not very clear; it is not showing the respective permissions, just functions and actions. Am I doing something wrong here? I wanted to know how I can find the detailed existing rule set report.
Thanks for your patience in reading my big email. I would really appreciate it if you can share your thoughts at the earliest as I am very close to the project deadline.
Best Regards,
Preethi
Risks are associated with rulesets, and you can have a single risk in multiple rulesets. I don't think there's an easy way to do that via import/export though. And if you want to decide on a risk by risk basis it will be easier to do it directly in the application I would think.
You are right, the export format isn't very human readable. It isn't meant to be. The permissions are in there, at least for me when I export. I find it easier to check these things directly in the application, personally.
is right - you should really read through the guides. They are pretty comprehensive.
Steve.
Preethi,
The subtext of Colleen and Steve's very polite and kind responses to you is that there are hundreds of SCN members following the GRC space, and you waste *everyone*'s time by not doing what Colleen said, which is to find and read the documents she directed you to *before* asking questions. We all have busy day jobs and projects with deadlines. Annoying your fellow SCN members gets one a reputation, but not a good one. Not only would you and your clients be better served if you would learn GRC *before* attempting to implement it, I suggest that it would serve you well to learn to be a good SCN member. I suggest reviewing the space Getting Started with SCN.
Good luck with your project.
Gretchen
Hi Preethi
Happy to provide feedback and clarification, but putting a bold and underline that I should respond to you "at the earliest" so you can do your PAID job is probably not the best approach when requesting FREE advice from this community. For me, I had a public holiday and was making the most of it as well as a day job.
If you have a new installation you will need to upload the rules. Functions reference Connectors. So you can build a function against a specific connector or a logical group. As per the configuration guide, SAP recommends using the Logical Connector to define rules and then map your connectors to the logical (much easier to add systems and also reduces rule size) - seems like you are intending to do that.
Which option to use depends on the files:
If you really get it wrong with your rule load, then delete them and start again - mistakes are a good way of learning what not to do! You'll also learn how the delete functionality works.
For your doubts
Good luck on your deadline and project. We all have a first time using GRC.
If you are still having trouble, please actually explain what you have attempted to do (screenshots if necessary) and what you have also looked at (SAP Notes, Configuration Guide, other SCN posts). In doing this, the community can provide clarification and advice as opposed to basic knowledge transfer and training.
Regards
Colleen
@Colleen: I truly appreciate you guys for helping me and your fellow techies. ‘at the earliest’ was a request for help and definitely ‘not’ in a demanding tone. On a daily basis you may have hundreds of questions to be answered, hence I just highlighted ‘at the earliest’ to highlight the urgency of my query so that it can be addressed on priority, but then again I am not demanding for a fast answer. I surely understand that everyone has their own project deadlines to deal with and you guys will answer at your best possible time.
Back to my question, maybe I should explain my requirement in more detail. The GRC 5.3 system is already implemented in my project; we are not in the implementation/configuration phase, hence I got confused when you suggested that I refer to the configuration/installation guides. We already have SAP-provided rulesets in the system. Now we want two new customized rulesets for our system: 1. SOD ruleset and 2. Critical action ruleset.
So I believe I should follow the below steps in order to create new customized rulesets appropriate to our business. Please confirm which of the below processes (1&2) is correct/best practice:
Process 1
1. Define actions/permissions based on our requirement -> Example: new action: AA
2. Map these newly defined actions/permissions to new function ids -> Example: new function XX00, map action ‘AA’ under function ‘XX00’.
3. Map the new function XX00 under new risk ids -> Example: new risk RR00, map new function ‘XX00’ under the risk ‘RR00’.
4. Map the new risk RR00 to the new ruleset.
5. Export the txt file from system, just ‘business processes’, ‘rulesets’, ‘functions’, ‘risks’. No need to export ‘rules’, ‘critical roles’ etc.
6. Edit the text file by maintaining the rulesets/risks/functions/actions/permissions data in their respective tables.
7. Import the text files; rules will be generated automatically and the new ruleset has now been created in the system.
Process 2
1. Create Risk and ruleset manually from ‘Rule Architect’. Just the risk/ruleset creation, no data to be maintained now. Data will be maintained after we import the updated text file.
2. Export the txt file from system, just ‘functions’. No need to export ‘risks’, ‘rulesets’, ‘rules’, ‘critical roles’ etc.
3. Edit the text file by maintaining the new functions/actions/permissions data in their respective tables.
4. Import the text files and manually assign the new functions & rulesets to the newly created risk ids.
5. After saving risks, rules will be generated automatically and the data (functions/actions/permissions) will now be attached to risks and rulesets.
Uploading 9 text files as stated in the configuration guide should be performed during the new GRC 5.3 setup only. To create a tailored ruleset we use the ‘Import’ option from ‘Rule Architect’; please correct me if I am wrong.
Do we also have to run any synchronization or background job in Production after the ruleset creation?
Please let me know in case you need further information.
Thank you very much for your help.
Best Regards,
Preethi
Hi Preethi
Thank you for taking the time to provide clarification. I apologise for misinterpreting (and missing the "currently we have 4 rulesets in our system") and I think we can put it down to a simple misunderstanding in communication - something which can easily happen in written communication. Just a small note - bold and underline typically does imply attention and urgency required. I had considered editing my response and removing my criticism as with hindsight I now consider it to be an overreaction. However, I will not, as this post has been up a few days and has been quite harsh on you.
Your follow-up post is the type of quality posting we should see on this forum. There are many people on the forum who have similar questions, and by explaining where you are at it helps us to clarify. I, too, started in the same situation.
My reason for referring people to the GRC 5.3 Configuration Guide is because this is one of the better guides I have seen. Unlike GRC10 (which really you need to attend the training), this guide provides the How to perform Rule Set maintenance. I see it as both a configuration guide and a work instruction because it is that detailed.
If you already have GRC RAR live in your system I recommend Option 2 - Using Rule Architect Export/Import functionality or use the front-end to manually create the ruleset, risks and functions.
For your clarifications in Process 2....working through each point you made - you are right about the Uploading of the 9 files. You already have a live system.
Editing the File in Excel
As an extra recommendation: keep a backup copy of the file you exported for the ruleset and do not modify it. If you make a major mistake, you can restore your ruleset by loading this file.
In GRC 5.3 there is no authorisation sync job etc. You might need to look at your background jobs for batch risk analysis as you may need new jobs for the new rule sets.
Is this helping or am I confusing the situation further?
With your clarifications, you may find other community members jumping in and helping you out.
Hi Colleen,
I am glad that the miscommunication is now clear. I have a habit of writing everything in detail; I thought this might be annoying for a moderator to respond to such huge messages, but I appreciate you answering my questions with full details. You didn’t confuse me at all.
Please excuse me if anything looks elementary/basic. I just want the discussion to be descriptive so that even a beginner can understand well this thread.
I believe you’re suggesting to update the rulesets/risks/functions, everything, in the file and import it. However I see a glitch here: if you observe the risk table VIRSA_CC_RISK, it has columns -> ‘UPDDATE’ ‘UPDTIME’ ‘UPDUSER’. These columns cannot be maintained manually; these are updated by the system. Hence we should create and assign the functions manually (in my case I have only 15 risks to be created so manual work will not be too much).
I do not agree with your point “You cannot just export Functions. In GRC 5.3, the Export Functionality makes you export 5 parts: Business Processes, Rule Set, Risk, Functions and Rules.”. In GRC 5.3 you can surely choose the functions and it will select ‘just’ the business processes automatically. I can download just the functions and business processes (PFB the screenshot). If you choose Risks, in that case I agree it will select all, as you mentioned: rulesets, risks, business processes and functions.
So in short, I think it's a lot easier just to download the functions (as the number of functions is less in the system when compared to rules; there can be thousands of rules per risk, rules are huge in the system), append our changes and import. Afterwards create rulesets/risks manually and assign the functions/rulesets to the risks manually.
PS: If we choose to download rules, as the file will be so big there is a chance we might not be able to export the full file (happened with me) and we might import the same partially downloaded file. In case of functions this will never happen, as the function file is small, so there is no danger of exporting partial data.
Please correct me if I am wrong in any of the points here.
Thanks for your time and patience.
Preethi G
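Added example, not part of any post in this thread and not SAP code: a simplified Python model of the ruleset -> risk -> function -> action hierarchy discussed above, showing why the generated rules far outnumber the function definitions they are derived from. The IDs follow the thread's placeholder style (XX00, RR00, AA); the ruleset name ZSOD, the rule numbering and the one-action-per-function combination logic are assumptions of this model, not the product's export format.

```python
from itertools import product

# Constructed sample data, not taken from any real ruleset.
FUNCTIONS = {                      # function id -> actions it contains
    "XX00": {"AA", "AB", "AC"},
    "XX01": {"BA", "BB"},
    "XX02": {"CA", "CB", "CC", "CD"},
}
RISKS = {                          # risk id -> conflicting functions
    "RR00": ("XX00", "XX01"),
    "RR01": ("XX00", "XX01", "XX02"),
}
RULESETS = {"ZSOD": ["RR00", "RR01"]}   # hypothetical ruleset name


def generate_rules(risk_id):
    """One rule per combination of one action from each function of the risk."""
    action_sets = [sorted(FUNCTIONS[f]) for f in RISKS[risk_id]]
    return [(f"{risk_id}{n:03d}", combo)          # hypothetical rule numbering
            for n, combo in enumerate(product(*action_sets), start=1)]


def rule_count(ruleset_id):
    """Total generated rules across all risks assigned to the ruleset."""
    return sum(len(generate_rules(r)) for r in RULESETS[ruleset_id])


def violated_rules(user_actions, ruleset_id):
    """IDs of rules whose every action is held by the user."""
    held = set(user_actions)
    return [rule_id
            for r in RULESETS[ruleset_id]
            for rule_id, combo in generate_rules(r)
            if held.issuperset(combo)]


if __name__ == "__main__":
    print("actions maintained:", sum(len(a) for a in FUNCTIONS.values()))
    print("rules generated:   ", rule_count("ZSOD"))
    print("user hits:         ", violated_rules({"AA", "BB", "CA"}, "ZSOD"))
```

In this model the rules are derived entirely from the functions and risks, so nine maintained actions expand to thirty rules, and the growth is multiplicative with every function added to a risk.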