Total Pageviews

Thursday, 18 September 2014

Modification of Risk Analysis Rule Set - 10.x


A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.

These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

This blog will define the contents of the GRC rule set and will demonstrate how to download/upload the Access Risk Analysis Rule Set. Once downloaded, the rule set can be modified using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rule sets>risks>functions to a new namespace, such as "Z_".

SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:

  1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
  2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

The rule set is created during configuration, via BCSET activation using t_code SCPR20. This table lists the canned rules in SAP Access Control 10.x.

BC Set ID
BC Set description
GRAC_RA_RULESET_COMMON
Rule Set for Common rules
GRAC_RA_RULESET_JDE
BC Set for AC Rules for JDE
GRAC_RA_RULESET_ORACLE
BC Set for AC Rules for ORACLE
GRAC_RA_RULESET_PSOFT
BC Set for AC Rules for PeopleSoft
GRAC_RA_RULESET_SAP_APO
BC Set for AC Rules - SAP APO
GRAC_RA_RULESET_SAP_BASIS
BC Set for AC Rules - SAP BASIS
GRAC_RA_RULESET_SAP_CRM
BC Set for AC Rules for SAP CRM
GRAC_RA_RULESET_SAP_ECCS
BC Set for AC Rules for SAP ECCS
GRAC_RA_RULESET_SAP_HR
BC Set for AC Rules for SAP HR
GRAC_RA_RULESET_SAP_NHR
BC Set for AC Rules for SAP R3 less HR Basis
GRAC_RA_RULESET_SAP_R3
BC Set for AC Rules for SAP R3
GRAC_RA_RULESET_SAP_SRM
BC Set for AC Rules for SAP SRM


The only mandatory BC set for activation is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both HR and BASIS rule sets (SAP note 1033326)

All BC sets listed above, once activated will be automatically combined into the “Global” rule set
BC Set Example.jpg

SAP provides download and upload functionality via two (2) transactions:

GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

grac_download.jpg

88.jpg


The rule set is exported and imported via nine (9) individual files. The files can be named anything; however naming the files after its contents is useful for organizational purposes.


The following section lists a brief description, the format of the file exports and the NWBC screens associated with the file.




09.jpg                     
Business Process:

Business Process defines the business process, language, and business process description.

business_process_1.jpg

NWBC Business Process correlation:

61.jpg

Function:

Function defines the function, language, function description and single or cross system reference.

function_2.jpg

NWBC Function correlation:

62.jpg

Function Business Process:

Function to Business Process associates functions to business processes.

3.jpg

NWBC Function to Business Process correlation:

63.jpg
Function Actions:

Function to Actions associate’s functions to t_codes and if the function is active or inactive.

4.jpg
NWBC Function to Actions correlation:

64.jpg

Function Permissions:

Function to Permissions associates functions to t_codes, the perspective authorization objects, field values, operators and active or in-active status.

5.jpg


NWBC Function to Permissions correlation:

65.jpg
Rule Set:

Rule Set defines the rule set, language and rule set description.

6.jpg

NWBC Rule Set correlation:

66.jpg

Risk:

Risk associates risks to functions, business processes, defines the priority of the risk, what type of risk, and active vs non-active status.

7.jpg

NWBC Risk correlation:

67.jpg

Risk Description:

Risk Description defines the risk, language and risk description.

99.jpg

NWBC Risk Description correlation:

68.jpg


Risk Rule Set Relationship:

Risk Rule Set Relationship associates risks to a rule set.

9.jpg

NWBC Risk Rule Set Relationship correlation:

69.jpg


Merging Rule Sets:

struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here but any concrete examples shown merging rule sets could be  viewed as divulging this proprietary information.

That said, the Excel COUNTIF,CONCATENATE, and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you’re working on merging. Here are some key takeaways for those of you engaged in rule set merging: 

Key takeaways for mass modification of rule set:


    1. When downloading the rule set, please note that function to actions and function to permissions are dependent on the logical group selected. Example:
      1. If you select the APO logical group. Only APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS are contained in the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS downloaded file.
    2. When downloading the rule set, please note that selecting a connector i.e. (ECDCLNT100) FUNCTION_ACTIONS and FUNCTION_PERMISSIONS will have no data.
    3. Active and Non-Active status in RISK, FUNCTION_PERMISSIONS, and FUNCTION_ACTIONS key:

                                                   
Active
Non-Active
0
1


The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.