A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.


These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


This blog will define the contents of the GRC rule set and will demonstrate how to download/upload the Access Risk Analysis Rule Set. Once downloaded, the rule set can be modified using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rule sets>risks>functions to a new namespace, such as “Z_”.


SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:


  1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
  2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


The rule set is created during configuration, via BCSET activation using t_code SCPR20. This table lists the canned rules in SAP Access Control 10.x.

BC Set ID

BC Set description

GRAC_RA_RULESET_COMMON

Rule Set for Common rules

GRAC_RA_RULESET_JDE

BC Set for AC Rules for JDE

GRAC_RA_RULESET_ORACLE

BC Set for AC Rules for ORACLE

GRAC_RA_RULESET_PSOFT

BC Set for AC Rules for PeopleSoft

GRAC_RA_RULESET_SAP_APO

BC Set for AC Rules – SAP APO

GRAC_RA_RULESET_SAP_BASIS

BC Set for AC Rules – SAP BASIS

GRAC_RA_RULESET_SAP_CRM

BC Set for AC Rules for SAP CRM

GRAC_RA_RULESET_SAP_ECCS

BC Set for AC Rules for SAP ECCS

GRAC_RA_RULESET_SAP_HR

BC Set for AC Rules for SAP HR

GRAC_RA_RULESET_SAP_NHR

BC Set for AC Rules for SAP R3 less HR Basis

GRAC_RA_RULESET_SAP_R3

BC Set for AC Rules for SAP R3

GRAC_RA_RULESET_SAP_SRM

BC Set for AC Rules for SAP SRM


The only mandatory BC set for activation is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both HR and BASIS rule sets (SAP note 1033326)

All BC sets listed above, once activated will be automatically combined into the “Global” rule set

BC Set Example.jpg

SAP provides download and upload functionality via two (2) transactions:


GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


/wp-content/uploads/2014/04/grac_download_427366.jpg


/wp-content/uploads/2014/04/88_436385.jpg

The rule set is exported and imported via nine (9) individual files. The files can be named anything; however naming the files after its contents is useful for organizational purposes.


The following section lists a brief description, the format of the file exports and the NWBC screens associated with the file.

/wp-content/uploads/2014/04/09_428368.jpg                     

Business Process:


Business Process defines the business process, language, and business process description.


/wp-content/uploads/2014/04/business_process_1_427368.jpg


NWBC Business Process correlation:


/wp-content/uploads/2014/04/61_437438.jpg


Function:


Function defines the function, language, function description and single or cross system reference.


/wp-content/uploads/2014/04/function_2_427369.jpg


NWBC Function correlation:


/wp-content/uploads/2014/04/62_437439.jpg


Function Business Process:


Function to Business Process associates functions to business processes.


/wp-content/uploads/2014/04/3_427370.jpg


NWBC Function to Business Process correlation:


/wp-content/uploads/2014/04/63_437440.jpg

Function Actions:


Function to Actions associate’s functions to t_codes and if the function is active or inactive.


/wp-content/uploads/2014/04/4_427371.jpg

NWBC Function to Actions correlation:


/wp-content/uploads/2014/04/64_437444.jpg


Function Permissions:


Function to Permissions associates functions to t_codes, the perspective authorization objects, field values, operators and active or in-active status.


/wp-content/uploads/2014/04/5_427372.jpg



NWBC Function to Permissions correlation:


/wp-content/uploads/2014/04/65_437445.jpg

Rule Set:


Rule Set defines the rule set, language and rule set description.


/wp-content/uploads/2014/04/6_427373.jpg


NWBC Rule Set correlation:


/wp-content/uploads/2014/04/66_437446.jpg


Risk:


Risk associates risks to functions, business processes, defines the priority of the risk, what type of risk, and active vs non-active status.


/wp-content/uploads/2014/04/7_427374.jpg


NWBC Risk correlation:


/wp-content/uploads/2014/04/67_437447.jpg


Risk Description:


Risk Description defines the risk, language and risk description.


/wp-content/uploads/2014/04/99_436231.jpg


NWBC Risk Description correlation:


/wp-content/uploads/2014/04/68_437448.jpg



Risk Rule Set Relationship:


Risk Rule Set Relationship associates risks to a rule set.


/wp-content/uploads/2014/04/9_427376.jpg


NWBC Risk Rule Set Relationship correlation:


/wp-content/uploads/2014/04/69_437449.jpg


Demo of how to download a rule set in SAP Access Control 10.1:


GRAC_DOWNLOAD_RULES


Downloading the Access Control Rule Set via GRAC_DOWNLOAD_RULES. Choose format and accept pop-ups.


Demo of how to upload a rule set in SAP Access Control 10.1:


GRAC_UPLOAD_RULES


Uploading the Access Control Rule Set via GRAC_UPLOAD_RULES. Choose format and accept pop-ups.


Merging Rule Sets:


I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here but any concrete examples shown merging rule sets could be  viewed as divulging this proprietary information.


That said, the Excel COUNTIF,CONCATENATE, and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you’re working on merging. Here are some key takeaways for those of you engaged in rule set merging:


Key takeaways for mass modification of rule set:



    1. When downloading the rule set, please note that function to actions and function to permissions are dependent on the logical group selected. Example:
      1. If you select the APO logical group. Only APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS are contained in the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS downloaded file.
    2. When downloading the rule set, please note that selecting a connector i.e. (ECDCLNT100) FUNCTION_ACTIONS and FUNCTION_PERMISSIONS will have no data.
    3. Active and Non-Active status in RISK, FUNCTION_PERMISSIONS, and FUNCTION_ACTIONS key:

                                                   

Active

Non-Active

0

1



The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.


To report this post you need to login first.

12 Comments

You must be Logged on to comment or reply to a post.

  1. Chantel van der Walt

    Hi Jonathan.  Nice document – just one observation.  When downloading the ruleset, it is best to download it in .txt format. When opening in Excel, ensure you define the value fields (especially in the Function Permission file) as text fields otherwise you loose the leading zeros on fields like activity.  This leads to the Risk analysis giving false positives when you run risk reports. 

    (0) 
  2. Rafi Ahmed Syed

    Hi Jonathan ,

    This article is very helpfull ,

    However i have a question ?

    When i download SOD rules in XLS or TXT file

    Function permissions and Function actions files are empty

    any idea why ?

    reason no changes are in effect when i upload it

    (0) 
    1. Siva Charan Reddy

      Hi Syed,

      Please select System filed as Connector Group/Logical Group(SAP_R3, SAP_APO, SAP_CRM etc.) when downloading Ruleset then only you can get Functon to Actions and Function to Permissions data.

      Capture1.JPG

      Regards,

      Charan

      (0) 
  3. Sindhu Shet

    Hi Syed,

    While downloading the rules you need to select the system as SAP_NHR_LG and SAP_BAS_LG, so you will get the required information for Function to Permissions and Functions to actions in the file.

    Regards,

    Sindhu

    (0) 
  4. Shankar Chinnapappain

    Hi All,

    I have few queries about creating Custom Rule Set (should be copied from SAP Standard GLOBAL ruleset). It is fresh implementation and activated Global ruleset. I have downloaded Global rule set 9 files with selecting logical system SAP_R3_LG.

    1. Is this logical system correct to download Standard GLOBAL ruleset?
    2. Now I believe need to change all standard names (function id / risk id / ruleset) with custom names ‘prefix with Z’
    3. Then upload updated 9 files with selecting System name as ECC logical system.

    Please correct me if I am wrong.

    Regards

    Shradha

    (0) 

Leave a Reply