cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Updation of Rule-set in GRC10

Go to solution
Former Member

on ‎03-04-2014 4:45 AM

0 Kudos

Hi,

There is a requirement for us to update few risks(objects within the risk) for our non-business ruleset. What is the best suggested method to do this?

->Directly update from NWBC

->Download Rule-set and upload from SPRO

->Transport

If any body can share their suggestions and steps, it would be great.

Thanks,

Sabitha

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member204204
Active Participant
‎03-04-2014 5:17 AM
0 Kudos

Hi Sabitha,

You can do this directly from NWBC ->Setup -> Access Risks and then open the risk id which you want to update give the required details in the Functions tab and in the rule set tab and then save it if you have not configured Risk Maintenance workflow or it will route for approval if you have configured.

Also make sure that you have added the values(Tcode/object) in the Functions before making changes to the Risk id, then generate the rules.

Also check if the parameters 1001/1002 is set to yes so that you will get the change history of that particular activity performed.

Download/Upload/transport will be time consuming so you can directly make the changes in the NWBC tab itself.

Download/Upload is done when you have huge data to be modified for minor changes you can always make it in NWBC.

Show replies
Show replies
Former Member
‎03-04-2014 9:45 AM
0 Kudos

Hi Neeraj,

Thanks, but we want to only use the transport option provided. Do you have any document detailing the steps.

Regards,

Sabitha

former_member204204
Active Participant
‎03-04-2014 10:28 AM
0 Kudos

Hi Sabita,

Please go to SPRO ->IMG->GRC->Access Control->Access Risk Analysis->Sod Rules->Transport SOD Rules

After clicking on the Transport SOD rules you can give the physical/logical system details and then you can create a transport request for the same.

Hope this helps.

Regards,

Neeraj Agarwal

dyaryura
Active Participant
‎03-04-2014 3:33 PM
0 Kudos

Hello Sabita,

The steps are very simple. You have to transport as described by Neeraj and later generate SoD rules in the destination system. If You have a QA System you can easily check that the changes were transported successfully and later you can import to production.

By the way... are you using logical systems? is the connector where you have the changed rules present in both DEV and PRD??

Cheers,

Diego.

Former Member
‎03-05-2014 11:24 AM
0 Kudos

Hi Diego,

Thank you for the reply.

I have got a connector group where the development,Quality and Prod systems are maintained for our GRC system.

Our approach is to download the rule-set from Production, Upload in Development ->make changes and Transport.

My question is :- When I try to download the ruleset, I get an option to download the ruleset based on the Connector group in the Development GRC box, but in the Quality and Production systems if I navigate to SPRO->Governance Risk and Compliance->Access COntrol->Access Risk Analysis->Download SOD rules-> Here I get a list of all systems included in the connector group as well as the "Connector Groups".

Please let me know if we should download the ruleset based on the connector group or the individual system.

Thanks,

Sabitha

dyaryura
Active Participant
‎03-06-2014 12:02 AM
0 Kudos

Hello Sabitha,

the pint is that the connector group has to be with the same name for transport:



I have got a connector group where the development,Quality and Prod systems are maintained for our GRC system.

this connector group or logical system should exist in DEV, QA and PRD with the sae name. you have to download the rules from this logical connector in PRD and then upload to the same connector in DEV.



Please let me know if we should download the ruleset based on the connector group or the individual system.

That's depends on how you've uploaded the rules. if in PRD you uploaded the rules to Physical connector and not to the logical you wont get information in the function-actions and function permissions files when downloading the ruleset.

Cheers,

Diego.

Former Member
‎03-06-2014 7:31 AM
0 Kudos

Hi Diego,

In production if I navigate to SPRO->Governance,Risk and Compliance->Access Control->Access Risk Analysis->Download SOD rules then I can only see all the systems listed in the drop down :-"System" , but in Development GRC box , if I try to download the SOD rules then I can see only the Connector Group/Logical group listed in the "System" field/drop down.

Can you suggest if there is an inconsistency in the way the rules have been uploaded in the Development and Production boxes.

I need to modify the ruleset and transport, so would it be safe to modify the rule-set based on the connector group in development and transport across(in spite of knowing the difference in the way the riles have been linked in to the connector group/physical systems).

The connector group or logical system does exist in DEV, QA and PRD with the same name, just that Qa and Prod have the connector group+physical systems listed and the Dev system only has the Connector group.

Thanks for all your help. Much Appreciated.

Cheers,
Sabitha

dyaryura
Active Participant
‎03-06-2014 6:01 PM
0 Kudos

Hi Sabitha,

I cannot understand what you're saying regarding you see diferent things in DEV than QA. can you paste some screens?

It doesn't matter the physical systems you ave in the connector, the rule generation will take care of generating the rules for the corresponding systems.

Cheers,

Diego.

Former Member
‎03-07-2014 9:43 AM
0 Kudos

Hi Diego,

In development, when I try to download the SOD rules, I can see only the "Connector Groups" in the "System" drop down field.Below is the screen shot showing the three connector groups that are available.

In Quality and Production, When I try to download the SOD rules, I can see all the "Physical Systems" listed in the "System" drop down list.The Connector Group is also available in the drop-down. Below is the screen shot showing the physical systems:-

My question is:-

  • If i modify the ruleset based on the connector group in development and transport the ruleset would all the physical systems still be listed in the drop down in Quality and Prod
  • If we modify the ruleset based on connector group in development and transport , would it cause any inconsistency as it looks like the Quality and Prod the physical connectors are linked to the ruleset
  • From your comment I understand that it does not matter about the physical systems as rule generation would take care of generating/linking the ruleset based on the systems assigned to the Connector Group/Logical Systems- If this is the case I am wondering why in development system even after the generation of rule-sets the physical systems are not available

Cheers,
Sabitha

Former Member
‎03-07-2014 1:51 PM
0 Kudos

Hi,

Does any one also know the Ruleset comparison program name in GRC10.

I tried running the Ruleset comparison option from Access Ruleset Maintenance->Rulesetup->Ruleset Comparison, there is an option to select Risks,Actions,Permission, however on running the comparison tool no risks/action/permission is getting populated in the output report. Is this a bug? has any one else faced this issue?

Cheers,
Sabitha

dyaryura
Active Participant
‎03-08-2014 12:39 AM
0 Kudos

Hello Sabitha,

This is because you haven't created the connectors in DEV. do you have that connectors in SM59?? I recoomend to create the connectors and associate the to the logical system just to keep all the systems with the same info. you can create the connectors but it's not neccesary to fill all the data in SM59. Just create the connector with the name would be fine.



If i modify the ruleset based on the connector group in development and transport the ruleset would all the physical systems still be listed in the drop down in Quality and Prod

Yes, this will be deleted only if you transport the logical system configuration from DEV and it's not related to SoD rules transport.



If we modify the ruleset based on connector group in development and transport , would it cause any inconsistency as it looks like the Quality and Prod the physical connectors are linked to the ruleset

No. if you are working with the logical system and you haven't uploaded rules to the physical ones it has no effect.



From your comment I understand that it does not matter about the physical systems as rule generation would take care of generating/linking the ruleset based on the systems assigned to the Connector Group/Logical Systems- If this is the case I am wondering why in development system even after the generation of rule-sets the physical systems are not available

This is because you haven't created the connector or you haven't linked the connectors to te connector groups or you haven't enabled the connectors for the auth scenario.

When generating rules the system generates the rules for the necessary logical systems. since you have none in DEV it wont generate rules for your scenario. So in the escenario you are describing in DEV with logical connectors but no physical ones you shouldn't be able to execute a risk analysis there.

Cheers,

Diego.

Former Member
‎03-11-2014 6:18 AM
0 Kudos

Hi Diego,

Thanks for the response. The issue was that the when we tried to generated the rules from SPRO, the rulesets were not getting generated properly, however when I tried to generate from front end, I believe the rulesets got generated and now I can see the physical systems while trying to download the SOD rules.

I will now try to modify the rule set based on logical group and then transport it across and check the results.

Thanks for all the help

Cheers,

Sabitha

Answers (0)

Ask a Question