How to Download SAP GRC Ruleset

This blog defines the content of the GRC rule set and shows how to download/upload the access risk analysis rule set. Once downloaded, the rule set can be edited using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rules>risk>function sets to a new namespace such as Z_.

Let's say you have SAP ECC, SAP APO, and SAP SRM systems in your environment. In this scenario, you must install the common rule set (1), which contains all business processes such as basic SRM, financial, CRM, and so on; the R3 rule set (11), which contains all the risks associated with R3; the APO rule set (5); and the SRM rule set (12). Enable the rule set in this order so that you can enable the rule sets. Once you need to generate a set of rules so that it can be populated.

We walk you through your journey, from compliance awareness to defining and implementing a set of rules, etc. for XAMS CRAF, SAP GRC Access Control, and SAP IAG, whether it's creating a coordinated final rule set or supporting the development of a rule set with “ECS meets XAMS”. In any case, our goal is to be your competent and reliable partner for risk management. Creating a rule set is not a one-time task. A set of rules must be constantly revised, expanded or adapted.

Changed processes mean changed risks and therefore also different rules. So what are the most common problems, why is there no set of rules or why does it no longer meet the requirements? Our experience shows that this is often one of the following reasons:

SAP provides download and upload capabilities via two (2) transactions: When downloading rules, you must select the system as SAP_NHR_LG and SAP_BAS_LG to obtain the information required for the permissions function and the actions functions in the file.

Given SAP's ever-increasing demands and risks, challenges arise in creating and maintaining tailor-made rules for the respective GRC solutions. For analysis, reporting, and processing of system authorizations and settings, a constantly updated and maintained set of rules ensures secure administration in the SAP system.

This is a new implementation and a set of global rules enabled. I downloaded files from the global 9 rule set with the selection of SAP_R3_LG logical system.

We first analyze the requirements of the new set of rules. For example, we record compliance requirements from a regulatory and ICS perspective and verify all existing regulations.

In the next step, we check your own development to identify and correct missing or incorrect authorization checks.

Hi Jonathan. Nice document – just an observation. If you download the rule set, it is best to download it in .txt format. When opening in Excel, make sure to set the value fields (especially in the function authorization file) as text fields, otherwise you will lose the leading zeros in fields such as Activity. Therefore, risk analysis will produce false positives when you run risk reports.

To monitor risks, a set of rules forms the basis for performing risk analysis in the SAP system. Based on the rulebook, critical permissions and segregation of duties (SoD) conflicts can be reviewed and resolved regularly or on a case-by-case basis through critical combinations of permissions.

When downloading the rule set, select System as the connector group/logical group (SAP_R3, SAP_APO, SAP_CRM, etc.); only then can you get the Function for actions and Function for authorization data.

With the help of our services, we assess the requirements individually and, depending on the catalogue of requirements and legal regulations, we can acquire the basic knowledge and necessary know-how. We help you determine which risks are relevant to you and jointly define the right set of rules for your GRC solution. If you already have a rule set in use, we help you keep your current rule set up to date, identify optimization potentials, and establish best practices. In addition, maintenance of SU24 defaults plays a central role, as critical permissions relevant to the rule set can be assigned to a transactional context.