cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Uploading permissions

Go to solution
former_member182655
Contributor

on ‎03-24-2015 12:03 PM

0 Kudos

Hi all!

I'm trying to extend standard functions to get a new condition for a risk. To achieve this aim, I added the following strings in my Fun-Act and Fun-Perm files in accordance with the note 1225227 - How to upload the functions containing only permissions 5.x

Fun-Act file contains:

BS11    ^!DEV_RSK    0

BS02    ^!DEV_RSK    0

Fun-Perm file contains:

BS11^!DEV_RSKS_DEVELOPOBJTYPEDEBUGOR0
BS02^!DEV_RSKS_DEVELOPACTVT2OR0

So, I've got:

Then I started SoD generation, and after it I performed risk analysis.

However, my hope to get the risk (B001) for the attached roles was ruined.

All connector types are maintained under "Maintain Connection Settings"

Synchronization jobs are finished.

How can I get risk for my roles?

Any help will be appreciated.

Regards,

Artem

Z_RISK_SE11_auth.txt.zip
Z_RISK_DEBUG_auth.txt.zip
Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎03-24-2015 4:32 PM
0 Kudos

As per SAP note http://service.sap.com/sap/support/notes/1225227 the prefix "^!" should work.

Previously in a rule set I have done the following

Function Action

     ZCP8 ^!CP 0

(i.e. tells GRC to look for the permissions only, the tcode ^!CP is a dummy placeholder for the Action entry). Maybe try to make the dummy action code with less characters (i.e. total less than 8-chars in length).

Function Permission

   

ZCP8^!CPS_DEVELOPDEVCLASS0*Z*OR0
ZCP8^!CPS_DEVELOPOBJNAME0*Z*OR0
ZCP8^!CPS_DEVELOPACTVT33OR0
ZCP8^!CPS_DEVELOPP_GROUP0*Z*OR0
ZCP8^!CPS_DEVELOPOBJTYPEFUGRFUGRAND0
ZCP8^!CPS_DEVELOPOBJTYPEPROGPROGAND0

This has worked for me at all times, so I can only presume that it may be worth trying to have less characters in the actual Action/tcode entry (8 or less in total) and also try uploading the rule set in the form of a text file from the back end.

Show replies
Show replies
former_member182655
Contributor
‎03-25-2015 7:40 AM
0 Kudos

Hello Harinam!

Thank you for reply! Yesterday, in the end of the day, I made a simple test for a role, it contains two tcodes included in functions that conforms to a risk. But the simulation gave me the same result: No violations

Based on the documentation all the configuration activities are made correct. Connector exists (no authorisation issues); It's assigned to a logical group SAP_CRM_LG; BCSets were activated, Connector is assigned to AUTH, PROV, ROLMG, SUPMG, functions were adopted as I mentioned, risks were generated. No errors or warnings in SLG1, connection works fine.

What can be wrong with risk analysis?

Regards,

Artem

Former Member
‎03-25-2015 12:24 PM
0 Kudos

Artem,

Are you certain that you (re) generated your rules after making these risk updates? It is easy to overlook that step.

Gretchen

Former Member
‎03-25-2015 4:39 PM
0 Kudos

Can you share a screenshot of the Function Action?

Secondly, did you set the risk type to "Critical Permission" in the rule set?

And finally, when performing a risk analysis, are you running it on default settings or ensuring "Critical Permissions" is ticked for analysis? Once the results are received, you may have to change the settings in reported analysis to display critical permission risks.

Hopefully the points above are either verified or maybe resolve your issue.

former_member182655
Contributor
‎03-26-2015 1:35 PM
0 Kudos

Hi Gretchen,

Thank you for response!

Yes, I'm sure that the generation was performed. I checked that using column "Last updated" in SOD risk overview.

Regards,

Artem

former_member182655
Contributor
‎03-26-2015 1:56 PM
0 Kudos

Hi Harinam,

My role contains the following tcodes (I suppose it would be easier to finish with actions and then with permissions):

SU53
PFCG
SU01
STMS
SE10
SE09
SE06
SE03
SE01

Selection describes the risks I'm expecting to get

Functions of the risks

But when I start simulation I get nothing (SSDCLNT200 is in SAP_CRM_LG):

Or when I start risk analysis:

So, I don't understand why this happens...

I'm also confused with Simulation option and Risk Violations. As I've understood Simulation is used for analysis "what we will get if assign role", but Risk Violations is used for current account violations (for SAP_ALL it finds risks). Am I right?

I don't want to cry about the past, but in GRC 5.3 it was more intuitive and easier

Regards,

Artem

former_member182655
Contributor
‎03-26-2015 1:58 PM
0 Kudos

I don't set critical actions in functions, because I use standard settings (of BCSets). Even if I tick every option for Type, I get no violations.

I'm lying... I get this for critical actions

But where are my SU01, SE09, STMS, PFCG and so on?

Regards,

Artem

Answers (1)

Answers (1)

former_member182655
Contributor
‎03-31-2015 1:40 PM
0 Kudos

This message was moderated.

Show replies
Show replies
Ask a Question