Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.

These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

This blog will define the contents of the GRC rule set and will demonstrate how to download/upload the Access Risk Analysis Rule Set. Once downloaded, the rule set can be modified using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rule sets>risks>functions to a new namespace, such as “Z_”.

SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:

1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

The rule set is created during configuration, via BCSET activation using t_code SCPR20. This table lists the canned rules in SAP Access Control 10.x.

The only mandatory BC set for activation is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both HR and BASIS rule sets (SAP note 1033326)

All BC sets listed above, once activated will be automatically combined into the “Global” rule set

SAP provides download and upload functionality via two (2) transactions:

GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

The rule set is exported and imported via nine (9) individual files. The files can be named anything; however naming the files after its contents is useful for organizational purposes.

The following section lists a brief description, the format of the file exports and the NWBC screens associated with the file.

Business Process:

Business Process defines the business process, language, and business process description.

NWBC Business Process correlation:

Function:

Function defines the function, language, function description and single or cross system reference.

NWBC Function correlation:

Function Business Process:

Function to Business Process associates functions to business processes.

NWBC Function to Business Process correlation:

Function Actions:

Function to Actions associate’s functions to t_codes and if the function is active or inactive.

NWBC Function to Actions correlation:

Function Permissions:

Function to Permissions associates functions to t_codes, the perspective authorization objects, field values, operators and active or in-active status.

NWBC Function to Permissions correlation:

Rule Set:

Rule Set defines the rule set, language and rule set description.

NWBC Rule Set correlation:

Risk:

Risk associates risks to functions, business processes, defines the priority of the risk, what type of risk, and active vs non-active status.

NWBC Risk correlation:

Risk Description:

Risk Description defines the risk, language and risk description.

NWBC Risk Description correlation:

Risk Rule Set Relationship:

Risk Rule Set Relationship associates risks to a rule set.

NWBC Risk Rule Set Relationship correlation:

Demo of how to download a rule set in SAP Access Control 10.1:

GRAC_DOWNLOAD_RULES

Downloading the Access Control Rule Set via GRAC_DOWNLOAD_RULES. Choose format and accept pop-ups.

Demo of how to upload a rule set in SAP Access Control 10.1:

GRAC_UPLOAD_RULES

Uploading the Access Control Rule Set via GRAC_UPLOAD_RULES. Choose format and accept pop-ups.

Merging Rule Sets:

I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here but any concrete examples shown merging rule sets could be  viewed as divulging this proprietary information.

That said, the Excel COUNTIF,CONCATENATE, and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you’re working on merging. Here are some key takeaways for those of you engaged in rule set merging:

Key takeaways for mass modification of rule set:

1. When downloading the rule set, please note that function to actions and function to permissions are dependent on the logical group selected. Example:
   1. If you select the APO logical group. Only APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS are contained in the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS downloaded file.
2. When downloading the rule set, please note that selecting a connector i.e. (ECDCLNT100) FUNCTION_ACTIONS and FUNCTION_PERMISSIONS will have no data.
3. Active and Non-Active status in RISK, FUNCTION_PERMISSIONS, and FUNCTION_ACTIONS key:

The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.