
Rule creation in GRC5.3 (RAR)

Former Member
0 Kudos

Hello All,

I have a requirement to create a rule and rule sets in GRC 5.3 (RAR). I believe we need to create a risk, then the system will generate the rule accordingly. Can someone please shed some light on how we create rules and rule sets in a real-time RAR system? Currently, we have 4 rule sets in our system.

I am new to this community, any suggestions or documentation would be a great help.

Please let me know if any further information is needed from my end.

Thanks!

Regards,

Preethi G

Accepted Solutions (1)

Colleen
Advisor
0 Kudos

Hi Preethi

Honestly, go to the SAP Marketplace for Installation and Upgrade Guides. Obtain the SAP GRC 5.3 Configuration Guide and it steps you through everything. This guide is quite comprehensive on the configuration and tips/recommendations.

You need to define your connectors (and logical systems if you are using them) and upload your authorisation text files, etc. You then go to Rule Architect to define your functions, risk and rule sets.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Thanks for replying!

In the configuration guide, it's mentioned more about 'Rule Upload' (which is usually done while setting up the first rule set in the system). My requirement is to create a new ruleset (which can have existing functions as well); once this rule set is live we will only use this new rule set and the existing one will be deleted from the system. Hence I believe I should go with the 'Import rules' option (under Rule Architect) rather than the 'Rule upload' option (under Configuration). Please suggest if "import rules" or "rule upload" will be applicable for my case.

Additionally I have the below two doubts:

1. If I am going through the 'Import rules' option, do I still need to define connectors (as mentioned earlier I am not setting up a new GRC system, I am just creating a new rule set in an existing GRC system; as per my knowledge I need not define connectors, just rule import will do)? We have only one logical system.

2. How do we export the existing rulesets? I want to check for functions/actions and their respective permissions for the existing ruleset. I am trying to export the existing rule set from Rule Architect -> Utilities -> Export, but when I am opening the file in Notepad, it's not very clear; it is not showing the respective permissions, just functions and actions. Am I doing something wrong here? I wanted to know how I can find the detailed existing rule set report.

Thanks for your patience in reading my big email. I would really appreciate it if you could share your thoughts at the earliest as I am very close to the project deadline.

Best Regards,

Preethi

Former Member
0 Kudos

Risks are associated with rulesets, and you can have a single risk in multiple rulesets. I don't think there's an easy way to do that via import/export though. And if you want to decide on a risk by risk basis it will be easier to do it directly in the application I would think.

You are right, the export format isn't very human readable. It isn't meant to be. The permissions are in there, at least for me when I export. I find it easier to check these things directly in the application, personally.

is right - you should really read through the guides. They are pretty comprehensive.

Steve.

Former Member
0 Kudos

Preethi,

The subtext of Colleen and Steve's very polite and kind responses to you is that there are hundreds of SCN members following the GRC space, and you waste *everyone*'s time by not doing what Colleen said, which is to find and read the documents she directed you to *before* asking questions. We all have busy day jobs and projects with deadlines. Annoying your fellow SCN members gets one a reputation, but not a good one. Not only would you and your clients be better served if you would learn GRC *before* attempting to implement it, I suggest that it would serve you well to learn to be a good SCN member. I suggest reviewing the space Getting Started with SCN.

Good luck with your project.

Gretchen

Colleen
Advisor
0 Kudos

Hi Preethi

Happy to provide feedback and clarification but putting a bold and underline that I should respond to you "at the earliest" so you can do your PAID job is probably not the best approach when requesting FREE advice from this community. For me, I had a public holiday and was making the most of it as well as a day job.

If you have a new installation you will need to upload the rules. Functions reference Connectors. So you can build a function against a specific connector or a logical group. As per the configuration guide, SAP Recommends using the Logical Connector to define rules and then map your connectors to the logical (much easier to add systems and also reduces rule size) - seems like you are intending to do that.

  

Which option to use depends on the files:

  • Use the Configuration > Rule Upload if you have multiple files (i.e. the original files from SAP). Refer to page 51 of the Configuration Guide. You might need to do a find and replace for the Connector value to match your logical system in the Function files
  • Use Rule Architect > Import Rules if you have a single file with all the rules (or specific system). Most likely you already completed the export step

 

If you really get it wrong with your rule load, then delete them and start again - mistakes are a good way of learning what not to do! You'll also learn how the delete functionality works.

For your doubts

  1. Connectors are needed regardless - you can define the logical connector and load the rule against it
  2. Use the Rule Architect > Export Rules step. The data will be there if you selected rules, functions, actions, permissions, etc. If you are not seeing anything go and look at a specific function and see if you actually have permissions defined (possibly you did not upload the permissions text file)

Good luck on your deadline and project. We all have a first time using GRC.

If you are still having trouble, please actually explain what you have attempted to do (screen shots if necessary) and what you have also looked at (SAP Notes, Configuration Guide, other SCN posts). In doing this, the community can provide clarification and advice as opposed to basic knowledge transfer and training.

Regards

Colleen

Former Member
0 Kudos

@Colleen: I truly appreciate you guys for helping me and your fellow techies. ‘At the earliest’ was a request for help and definitely ‘not’ in a demanding tone. On a daily basis you may have hundreds of questions to be answered, hence I just highlighted ‘at the earliest’ to highlight the urgency of my query so that it can be addressed on priority, but then again I am not demanding a fast answer. I surely understand that everyone has their own project deadlines to deal with and you guys will answer at your best possible time.

Back to my question, maybe I should explain my requirement in more detail. The GRC 5.3 system is already implemented in my project; we are not in the implementation/configuration phase, hence I got confused when you suggested that I refer to the configuration/installation guides. We already have SAP-provided rulesets in the system. Now we want two new customized rulesets for our system: 1. SOD ruleset and 2. Critical action ruleset.

So I believe I should follow the below steps in order to create new customized rulesets appropriate to our business. Please confirm which of the below processes (1&2) is correct/best practice:

Process 1

1. Define actions/permissions based on our requirement -> Example: new action: AA

2. Map these newly defined actions/permissions to new function ids -> Example: new function XX00, map action ‘AA’ under function ‘XX00’.

3. Map the new function XX00 under new risk ids -> Example: new risk RR00, map new function ‘XX00’ under the risk ‘RR00’.

4. Map the new risk RR00 to the new ruleset.

5. Export the txt file from the system, just ‘business processes’, ‘rulesets’, ‘functions’, ‘risks’. No need to export ‘rules’, ‘critical roles’ etc.

6. Edit the text file by maintaining the rulesets/risks/functions/actions/permissions data in their respective tables.

7. Import the text files; rules will be generated automatically and the new ruleset has now been created in the system.

Process 2

1. Create Risk and ruleset manually from ‘Rule architect’. Just the risk/ruleset creation, no data to be maintained now. Data will be maintained after we import the updated text file.

2. Export the txt file from system, just ‘functions’. No need to export ‘risks’, ‘rulesets’, ‘rules’, ‘critical roles’ etc.

3. Edit the text file by maintaining the new functions/actions/permissions data in their respective tables.

4. Import the text files and manually assign the new functions & rulesets to the newly created risk ids.

5. After saving risks, rules will be generated automatically and the data (functions/actions/permissions) will now be attached to risks and rulesets.

Uploading 9 text files as stated in the configuration guide should be performed during the new GRC 5.3 set up only. To create a tailored ruleset we use the ‘Import’ option from ‘Rule Architect’; please correct me if I am wrong.

Do we also have to run any synchronization or background job in Production after the ruleset creation?

Please let me know in case you need further information.

Thank you very much for your help.

Best Regards,

Preethi

Colleen
Advisor
0 Kudos

Hi Preethi

Thank you for taking the time to provide clarification. I apologise for misinterpreting (and missing the "currently we have 4 rulesets in our system") and I think we can put it down to a simple misunderstanding in communication - something which can easily happen in written communication. Just a small note - bold and underline typically does imply attention and urgency required. I had considered editing my response and removing my criticism as with hindsight I now consider it to be an overreaction. However, I will not as this post has been up a few days and has been quite harsh on you.

Your follow up post is the type of quality posting we should see on this forum. There are many people on the forum who have similar questions and by explaining where you are at it helps us to clarify. I, too, started in the same situation.

My reason for referring people to the GRC 5.3 Configuration Guide is because this is one of the better guides I have seen. Unlike GRC10 (which really you need to attend the training), this guide provides the how-to for performing Rule Set maintenance. I see it as both a configuration guide and a work instruction because it is that detailed.

If you already have GRC RAR live in your system I recommend Option 2 - Using Rule Architect Export/Import functionality or use the front-end to manually create the ruleset, risks and functions.

For your clarifications in Process 2....working through each point you made - you are right about the Uploading of the 9 files. You already have a live system.

  • You do not need to create the "shell" of the rule set or risks as you can define this in your text file
  • You cannot just export Functions. In GRC 5.3, the Export Functionality makes you export 5 parts: Business Processes, Rule Set, Risk, Functions and Rules. If you only select Functions you will receive an information message and it will automatically select. This is to ensure the entire ruleset for a system is one file and avoid corruption
  • Open the File in Excel and Edit file as necessary (see notes at the bottom)
  • When you import the file you will have to replace all rules in the system or for the specific system you wanted to maintain. This is why the Export forces you to export all 5 rule set pieces, as what is in the system is replaced and not appended
  • You will then need to generate the rule set

Editing the File in Excel

  • If you want to retain the existing rules - ruleset, functions, risk you must keep them in the file
  • If you want to copy the existing rules and then maintain your own custom version then copy the rules into a new sheet. Apply some formula (e.g. add a 'z' in front of each ruleset, risk and function Id) and then append this data back to the original file
  • If you want to add your new custom functions, including the actions and permissions add them to the sheet.

As an extra recommendation: keep a backup copy of the file you exported for the ruleset and do not modify it. If you make a major mistake, you can restore your ruleset by loading this file.

In GRC 5.3 there is no authorisation sync job etc. You might need to look at your background jobs for batch risk analysis as you may need new jobs for the new rule sets.

Is this helping or am I confusing the situation further?

With your clarifications, you may find other community members jumping in and helping you out.
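
Colleen's file-editing steps above, as an added example that is not part of the original thread or of SAP's tooling: a pre-import check for a replace-style import, run on a constructed file. The four-column tab-separated layout and every ID other than AA, XX00 and RR00 are assumptions, since the real export layout is not shown in the thread.

```python
import csv
import io

# Constructed sample in an ASSUMED tab-separated layout: kind, id, refs, text.
# The real RAR export layout is not shown in the thread; adapt the column
# positions to the file you actually exported.
BACKUP = (
    "RULESET\tGLOBAL\t\tStandard rule set\n"
    "FUNCTION\tXX00\t\tAction AA\n"
    "FUNCTION\tXX01\t\tAction BB\n"
    "RISK\tRR00\tXX00,XX01,GLOBAL\tAA conflicts with BB\n"
)

def rows(text):
    """Parse the file into (kind, id, [refs], description) tuples."""
    out = []
    for rec in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(rec) != 4:
            raise ValueError(f"malformed or truncated row: {rec!r}")
        kind, obj_id, refs, desc = rec
        out.append((kind, obj_id, [r for r in refs.split(",") if r], desc))
    return out

def clone_with_prefix(text, prefix="Z"):
    """Append a prefixed copy of every object, renaming references too."""
    copies = [
        "\t".join([kind, prefix + obj_id,
                   ",".join(prefix + r for r in refs), desc])
        for kind, obj_id, refs, desc in rows(text)
    ]
    return text + "\n".join(copies) + "\n"

def dropped_ids(backup, edited):
    """IDs in the backup export that a replace-style import would delete."""
    kept = {(k, i) for k, i, _, _ in rows(edited)}
    return sorted((k, i) for k, i, _, _ in rows(backup) if (k, i) not in kept)

def dangling_refs(edited):
    """References to objects that are not defined anywhere in the file."""
    parsed = rows(edited)
    defined = {i for _, i, _, _ in parsed}
    return sorted({(i, r) for _, i, refs, _ in parsed
                   for r in refs if r not in defined})
```

Run `dropped_ids` against the untouched backup export and `dangling_refs` on the edited file in a non-production system before importing; both should return empty lists.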

Former Member
0 Kudos

Hi Colleen,

I am glad that the miscommunication is now clear. I have a habit of writing everything in detail, I thought this might be annoying for a moderator to respond to such huge messages, but I appreciate you answering my questions with full details. You didn’t confuse me at all.

Please excuse me if anything looks elementary/basic. I just want the discussion to be descriptive so that even a beginner can understand well this thread.

I believe you’re suggesting to update the rulesets/risks/functions, everything, in the file and import it. However I see a glitch here: if you observe the risk table VIRSA_CC_RISK, it has columns -> ‘UPDDATE’ ‘UPDTIME’ ‘UPDUSER’. These columns cannot be maintained manually; these are updated by the system. Hence we should create and assign the functions manually (in my case I have only 15 risks to be created so manual work will not be too much).

I do not agree with your point “You cannot just export Functions. In GRC 5.3, the Export Functionality makes you export 5 parts: Business Processes, Rule Set, Risk, Functions and Rules.”. In GRC 5.3 you can surely choose the functions and it will select ‘just’ the business processes automatically. I can download just the functions and business processes (PFB the screenshot). If you choose Risks, in that case I agree it will select all, as you mentioned: rulesets, risks, business processes and functions.

So in short, I think it's a lot easier just to download the functions (as the no. of functions is less in the system when compared to rules; there can be thousands of rules per risk, rules are huge in the system), append our changes and import. Afterwards create rulesets/risks manually and assign the functions/rulesets to the risks manually.

PS: If we choose to download rules, as the file will be so big there is a chance we might not be able to export the full file (happened with me) and we might import the same partially downloaded file. In case of functions this will never happen, as the function file is small, so there is no danger of exporting partial data.

Please correct me if I am wrong in any of the points here.

Thanks for your time and patience.

Preethi G

Colleen
Advisor
0 Kudos

Hi

You are correct about the fields for export. I was doing a different scenario in the system (possibly rules or risk) and it automatically selected the others. I tried just functions and it's fine.

In not knowing how many risks you needed to create I thought you might be copying the standard rule set. When you add the number of risks to the detail then manual seems reasonable too. There are many different ways to achieve it. It's not about your approach being right or wrong. What you suggest seems valid for the outcome you are after. Possibly try this in your non-prod system first?

As an aside, when you create a post it's not to and for the moderator (e.g. I'm not one). Put as much or as little detail as you believe is relevant to explain yourself. In this community extra info can be good as it shares knowledge but can also increase discussion.

Cheers

Colleen

Former Member
0 Kudos

Hi Colleen,

Thanks for your valuable feedback.

Regards,

Preethi

Answers (0)