
Multiple Rulesets with Different Risk ID Level

Former Member
0 Kudos

Hi Everyone:

I have 2 SAP systems A & B connecting to GRC 10.1. System A connects to GRC via connector A and system B connects to GRC via connector B. Each system A & B has its own ruleset. The two rulesets of A & B are appended to each other (with separate connectors) and are called by one unique name, "Global", in GRC. So, I have only one ruleset ID, which is Global, in GRC.

If users want to run ARA SOD analysis on A, they select ruleset Global with connector A (field System). Similarly, to run SOD report on B users select ruleset Global with connector B.

Now, due to the auditor's request, the client wants to customize the level of a risk ID in system B --- but without affecting A.

For example: risk ID M004 has a default risk level of Medium. The client wants to keep level Medium for M004 in A but wants to change the risk level to High for the same risk M004 in B.

The risk level setup (Low, Medium, High) does not have a place to specify connector A or B.

What is the best approach to accomplish this requirement (since we have only one ruleset called Global)? Thank you for your advice.

Best Regards,

Andy

Accepted Solutions (0)

Answers (3)

plaban_sahoo6
Contributor
0 Kudos

Hi,

Could you let us know why A and B had different rulesets earlier? Are both A & B the same component? I think they are not. So, your existing 'Global' already has 2 sub-rulesets, one for each component, which means the ruleset of A is not applicable for B, and vice versa. So, risk ID M004 is not applicable for one of A and B. So, you can change the level of M004.


If A and B are the same component, or if you are using cross-risk analysis, then changing the risk level will impact the other connector.


Regards

Plaban

Former Member
0 Kudos

Hi Plaban,

Both A & B are ECC6 non-HR systems. Yes, A & B have different rulesets and the ruleset of A can't be used for B (and vice versa).

There is one ruleset called Global, which has 2 sub-rulesets: one for A and one for B. Now, the requirement is to change risk M004 to High level for B while keeping the standard level Medium for A.

In other words, ruleset of A will have risk M004 as Medium and ruleset of B will have risk M004 as High.

In A we use ARA & EAM.

In B we use ARA only.

Regards,

Andy

plaban_sahoo6
Contributor
0 Kudos

Hi Andy,

Could you say if M004 is assigned to connector B or A? If it is assigned to both, then you certainly cannot have 2 risk levels for 1 risk ID. So, you would have to create a copy of M004 and assign it only to A. Make this new risk of level Medium, while retaining the old risk at level High and assigning it only to B.

Regards

Plaban

Former Member
0 Kudos

Hi Plaban,

M004 is assigned to both connectors A & B. I know your approach; with this, the client may need to create a customized risk, let's say ZM004 (copied from M004), and change the risk level to High.

Someone suggested creating 2 separate rulesets, for example: GLOBAL_A and GLOBAL_B.

Each ruleset is connected to a separate connector, A or B. Then in GLOBAL_B the client can change M004 to High while retaining M004 as Medium in GLOBAL_A.

Is this feasible?

Regards,

Andy

premb
Product and Topic Expert
0 Kudos

The risk ID is not connected to any connector and is shared across the ruleset. Hence you cannot have two levels. You can check the risk definition. It is not possible, except by having a copy of the same risk with a different name and assigning it to a different ruleset name.

Thanks
Prem

plaban_sahoo6
Contributor
0 Kudos

A risk ID is made up of functions, which are linked to connectors. That is how a risk ID is linked to connectors.

premb
Product and Topic Expert
0 Kudos

Not sure you can do it with the same risk ID. You may have to create a copy of the same risk with a different name.

Thanks

Prem

former_member185447
Active Contributor
0 Kudos

Hello Andy,

You can build multiple rulesets here, say GLOBAL_A and GLOBAL_B, and then build a BRF+ rule and map it against the specific connector. Go through the following SAP Note, which will give you an idea of what you need to do.

2066491 - How to Set up Multiple Rule Sets for Access Request

Regards,

Rakesh Ram M

plaban_sahoo6
Contributor
0 Kudos

Hi,

I think the Note does not give the correct answer, as no decision table specifies the input column and the output/result column.

So, how would the particular ruleset be called?

Regards

Plaban