GRC 10 ARA - How do i add Z Authorisation Objects to the RuleSet

Former Member

Hi All,

I can't seem to get this to work. I'm trying to add 4 bespoke authorisation objects to the RuleSet. These objects relate to budget upload directly from MS Excel and are not associated with any transaction code.

Is that where the problem lies? Does GRC insist on associating these objects with a Permission Group (transaction) when creating the Function? I've tried adding a Z in to Permission Group and it accepts it, but I can't get any violations back even after generating the RuleSet. Do these Functions need to be added in to Critical Action or Critical Permission Risks?

Can these never be part of the SOD result set? Can we only report on specific authorisation objects in terms of their sensitivity as opposed to their SOD impact?

Any help greatly appreciated. Is there a course I should attend? A colleague attended GRC 300 but this appeared to be more BASIS related.

Regards,

Colin

Accepted Solutions (1)

Colleen
Advisor

Hi Colin

A ruleset is a container of risks, and risks contain functions. Actions (transactions) and Permissions (authorisations) define the function.

You need to either maintain an existing function and add your Z Permission Group to it or you need to create a new function with the Z Permission Group and then assign it to a risk (or create a new risk). After that you need to generate the ruleset to obtain the changes.

In terms of what to do, are you trying to say that if a user has any of the custom objects then you want it to flag as a risk? If so, you need to build a function and add those permission groups in, and then create a critical permission risk that you add the function to. You assign it to the ruleset when you define the risk. At the end you generate the risk.

There have been a few questions regarding critical actions/permissions and how to add a permission group without an associated action. Have a look at SCN and SAP marketplace for some KB articles.

e.g

GRC300 is the course for Access Controls and it is not Basis only. Perhaps your colleague attended GRC100, as it is the overview of the component and explains integration with Access Controls, Process Controls and Risk Management.

Good luck with it

Regards

Colleen

Former Member

Thanks Colleen,

None of those previous threads came up when I was searching in SCN. I must not have been entering a keyword that hit the metadata.

Anyway, Note 1744355 looks good. I did not know about the wildcard characters ^!. I had tried Z and Y previously but to no avail.

One other question: when in the Function, does it matter whether the Status is Active or Inactive?

When I check other Functions which contain transactions, the Status in the Permissions tab is Inactive.

Regards,

Colin

Colleen
Advisor

You mark what is required for the permission as active.

E.g. if you consider a risk to be act 01 then you need to set it as active.

If you say a user must have act 01 and act 03 for it to be a risk, then you set both as active and use the AND condition.

When you execute risk analysis, if the user has those values they will show on the report.

Former Member

OK Colleen,

Thanks again. However, I still can't get any violations to appear when I run the SOD report at role level with the options ticked for Critical Action & Critical Permission.

For example, I have one Critical Permission Access Risk set up which contains one Function. This Function contains one Permission as below:

When I run an SOD report for a role which has this specific value or a * for DICBERCLS, I get No Violations back in the result set.

Have you any other ideas? Am I doing something wrong?

Regards,

Colin

Colleen
Advisor

Hi Colin

First up - if you are considering it a risk for someone to have access to the ZHRC group, you might want to add ACTVT 01 OR 02 to the condition, otherwise you will get false positives for display access (03).

Next parts...

  • Have you assigned this function to a critical risk?
  • Is the risk part of a ruleset?
  • Did you generate the rule?
  • How have you executed the risk analysis (there have been quite a few posts on this - e.g. don't leave empty fields in your selection criteria)?
  • Is "SAP R3" a physical system (a connector with SM59 definition) or a logical system? You may need to check your integration framework.

If your colleague has attended the GRC300 course and has the manual, you might want to have a look. Again, search SCN (or Google SCN + search) for Risk Analysis and Integration Framework to obtain the steps.

You want to run it for Critical Permission, but your risk needs to be defined that way too.

Regards

Colleen

Former Member

OK Colleen,

I have it working now. Thanks again for all of your helpful advice.

The GRC300 manual is quite poor (really just exercises and solutions) but it does have some good bits of information if you're willing to dig for it.

One last question: it seems whenever I try to add ACTVT 01 or 02 to the condition and click on Save, it automatically changes it back to AND as opposed to OR.

Do you know why that happens? There is no ACTVT 01 for Auth Object S_TABU_DIS.

Regards,

Colin

Colleen
Advisor

You're right, act 01 is not for that object.

It would be AND as it's two different fields. OR would apply if you had, say, ACTVT 02 OR 03 AND DICBERCLS ZHRC. If that's not what you mean I'm unsure (sorry).

The GRC300 seems poor but actually contains all the steps. 12-18 months ago GRC 10 didn't have much material. SCN, SAP marketplace, wiki, etc. have a heap more material now. There is a great group on this community who are producing fantastic material that is better than the manual.

Glad to hear it's working. Please make sure you close the thread and add any comments on what you did to resolve it, if not already mentioned here.

Cheers

Colleen
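As an added illustration (not code from the thread or from SAP), here is a small Python model of the rule evaluation Colleen describes across her replies: only Active permission lines count, values within one field are ORed, different fields are ANDed, a role's `*` wildcard covers the required value, and an ungenerated rule never matches. The object and values (S_TABU_DIS, DICBERCLS ZHRC, ACTVT 02) are taken from the thread; the role authorisations are constructed samples.

```python
# Added example (not SAP code): a toy model of how a GRC 10 ARA critical
# permission risk evaluates a role's authorisations, to show why the
# Active flag, AND/OR combination and rule generation all matter.
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One line on a Function's Permissions tab."""
    obj: str             # authorisation object, e.g. S_TABU_DIS
    field: str           # field name, e.g. DICBERCLS or ACTVT
    values: tuple        # values ORed within the same field
    active: bool = True  # only active lines take part in the rule


def value_granted(role_value, required):
    """A role value of '*' or a pattern such as 'Z*' covers the required value."""
    return fnmatch.fnmatchcase(required, role_value)


def line_hit(role_auths, perm):
    """role_auths maps (object, field) -> list of values the role grants."""
    granted = role_auths.get((perm.obj, perm.field), [])
    return any(value_granted(g, r) for g in granted for r in perm.values)


def analyse_role(role_auths, function_lines, rule_generated=True):
    """Return the matched permission lines; an empty list means No Violations.

    Lines on different fields are ANDed, values within one field are ORed.
    An ungenerated rule never matches, reproducing the symptom in the thread.
    """
    if not rule_generated:
        return []
    active = [p for p in function_lines if p.active]
    if active and all(line_hit(role_auths, p) for p in active):
        return [f"{p.obj} {p.field} {'|'.join(p.values)}" for p in active]
    return []


# Constructed sample: critical permission on table group ZHRC, restricted to
# change access (ACTVT 02) so that display-only roles (03) are not flagged.
BUDGET_UPLOAD = (
    Permission("S_TABU_DIS", "DICBERCLS", ("ZHRC",)),
    Permission("S_TABU_DIS", "ACTVT", ("02",)),
)
ROLE_CHANGE = {("S_TABU_DIS", "DICBERCLS"): ["*"], ("S_TABU_DIS", "ACTVT"): ["02", "03"]}
ROLE_DISPLAY = {("S_TABU_DIS", "DICBERCLS"): ["ZHRC"], ("S_TABU_DIS", "ACTVT"): ["03"]}
```

Running `analyse_role(ROLE_CHANGE, BUDGET_UPLOAD)` reports both lines, while the display-only role and an ungenerated rule both come back empty, which is the "No Violations" result seen above.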
