
Ruleset Maintenance

former_member275658
Contributor
0 Kudos


Hi Gurus,

We just went live with SAP and GRC (EAM and ARA). I compared the transactions present in our role design versus the GRACFUNCT table to find the missing t-codes in the ruleset. I was surprised to see more than 450 standard transactions are missing in the custom ruleset.

Our consultants configured this ruleset by just copying the standard ruleset which brought only 50% of the t-codes compared to our role design.

Now the consultants are gone and I was not present during that period. How should I proceed from here?

Regards,

Salman

Accepted Solutions (1)


Colleen
Advisor
0 Kudos

Hi Salman

The ruleset is about identifying transactions that pose a risk (either by itself as critical access or in combination as a segregation of duties risk).

The standard rule set is a starting point. Your next step is to work through your transactions and decide with business process experts if any of them need to be reported on as risks. For example, if the transaction is a report only and has no means to edit data (consider jumping via menu and drill down) then you probably don't need that in your ruleset. You could, however, build a dummy function to capture these decisions but do not add the function to a risk.

You then need to establish a process to periodically review your rule set and also link in with the change management process for adding new transactions to the design or changing security authorisations in programs, to decide if the rule set must be updated. This periodic review can incorporate SAP's release of changes to the standard ruleset.

Regards

Colleen

former_member275658
Contributor
0 Kudos

Thanks Colleen for your guidance
