6 Replies. Latest reply: May 17, 2013 2:50 AM by Colleen Lee

GRC 10 AC BC Sets: Implications and suggestions.

Ronnie Sullivan

Dear experts,

 

Going through the SAP installation document I found information related to BC sets activation. Was keen to know what these are and what impact they have on the implementation? For example, if I do not activate the relevant BC set for rulesets, what would go wrong?

 

We are implementing SAP GRC 10 Access Controls and for the ruleset part I am not sure which amongst the following should I ask the basis team to activate:

 

GRAC_RA_RULESET_COMMON       SOD Rules Set
GRAC_RA_RULESET_SAP_BASIS    SAP BASIS Rules Set
GRAC_RA_RULESET_SAP_ECCS     SAP ECCS Rules Set
GRAC_RA_RULESET_SAP_HR       SAP HR Rules Set
GRAC_RA_RULESET_SAP_NHR      SAP R/3 less HR Basis Rules Set
GRAC_RA_RULESET_SAP_R3       SAP R/3 AC Rules Set

 

We are on ECC 6 at the moment. We do utilise some HR functionalities in ECC 6 but would not like to define any risks/rules for HR within GRC AC at the moment as these are not very critical to us and are monitored externally. Any helps/suggestions/insights would be highly appreciated.

 

Many thanks.

Ronnie.

  • Re: GRC 10 AC BC Sets: Implications and suggestions.
    Colleen Lee

    Hi Ronnie

     

    These BC sets would populate the Function and Risk definition for the GLOBAL ruleset in RAR. They are the SAP delivered baseline.

     

    I cannot see how not activating them would cause system issues. These BC sets are a starting point for creating your SoD Matrix. You would still need to go in and review the matrix and maintain it (there was a good discussion in this community a couple of weeks ago relating to this topic).

     

    In relation to your comment "would not like to define any risks/rules", you have two options should you activate them:

    • Go in and deactivate each risk you don't want to use
    • Create a New Rule set in RAR by copying the risks from the standard ruleset and run your risk analysis on this rule set instead of global

     

    Both of these activities can be completed in NWBC or via mass load in IMG.

     

     

    SAP has a note about their ruleset:

    Note 986996 - GRC Access Control- Best Practice for Rules and Risks

     

    If you are still unsure it might be worth looking at the BC Set via transaction SCPR20 so you can see which tables are impacted.

    • Re: GRC 10 AC BC Sets: Implications and suggestions.
      Paul Matthews

      Hi Colleen,

       

      You mention in several posts to GENERATE the BC Sets after they have been activated - is the generation done via GRAC_GENERATE_RULES or is there another procedure/TC ?

       

      I didn't see any information in either GRC300 or the implementation, post, preimplementation or other documents which state that BC Sets need to be generated - but I know you're speaking from actual experience and implementation, so I will take your advice.

       

      Also how do you deactivate a BC once it's activated. In my landscape, we have some JDE, Oracle BC Sets activated which we won't be utilising.

       

      Many thanks once again.

       

      Paul

      • Re: GRC 10 AC BC Sets: Implications and suggestions.
        Colleen Lee

        Hi Paul

         

        Generate Rule Set

         

        Yes, that is that program/transaction.

         

        BC Sets populate the IMG data. In the GRAC_RULESET* tables these populate the proposed SAP SoD Rule set. The guides and GRC material will have a section on the SoD Rule sets. After you make a change to the rule set (function, risk or rule set) you must generate the rule set (updates some other tables) for it

         

        You can either use the transaction you listed or you can go into NWBC Master Data for Function or Risk and select them and press generate button.

         

        You aren't really generating the BC set (hence why post-implementation guide does not tell you to do this). You are actually working through the Risk Analysis and Remediation configuration setup.

         

         

        Deactivating a BC Set

        You do this by removing the configuration. For the JDE/etc ones you can run the Rule Deletion program "Delete SoD Rules". However, before you run this you must complete the generate step (it was mentioned in GRC300 course guide - I suspect it's to do with what sequence the deletion program hits the tables).

         

        The rule set configuration for RAR is a bit different to most BC activation/deactivation as it's really master data instead of configuration, although mass maintenance for rule sets is accessible via IMG.

         

        For the deletion you can choose the JDE_LG, etc values.

  • Re: GRC 10 AC BC Sets: Implications and suggestions.
    Neeraj Manocha

    Hi Ronnie,

    Just to add what Colleen rightly said.... SAP provides standard best practices rules and if you would like to use them, you need to activate the Rules BC Sets.

    If you don't activate these and would like to have your own Custom created rules, that would be absolutely okay. You can create your own functions, risks, ruleset based upon your company rules regulation and use them for running risk analysis.

     

    If you would like to use standard ruleset, you need to first activate BC Set GRAC_RA_RULESET_COMMON. This is a base of all the rules. So once this is activated, you can activate other required BC Sets based upon your landscape setup. R3 BC set covers all the SAP system rules. Or else, if your landscape has only HR or Non-HR, you can activate those based upon your requirements.

     

    You may also like to review the document below, which talks about First Risk Analysis and its setup.

     

    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40535c03-9666-2e10-33a4-b6b003dac3cb?QuickLink=index&overridelayout=true&50968377363826

     

    Hope this helps.

     

    Thanks & Regards

    Neeraj

    • Re: GRC 10 AC BC Sets: Implications and suggestions.
      Ronnie Sullivan

      Colleen, Neeraj,

       

      Thanks for your insights and links that you provided. It certainly added to my knowledge. However, also, something specific that I was looking for (as stated in my original post) was -

       

      I am not sure which amongst the following should I ask the basis team to activate: 

       

      GRAC_RA_RULESET_COMMON       SOD Rules Set
      GRAC_RA_RULESET_SAP_BASIS    SAP BASIS Rules Set
      GRAC_RA_RULESET_SAP_ECCS     SAP ECCS Rules Set
      GRAC_RA_RULESET_SAP_HR       SAP HR Rules Set
      GRAC_RA_RULESET_SAP_NHR      SAP R/3 less HR Basis Rules Set
      GRAC_RA_RULESET_SAP_R3       SAP R/3 AC Rules Set

       

      We are on ECC 6 at the moment. We do utilise some HR functionalities in ECC 6 but would not like to define any risks/rules for HR within GRC AC at the moment as these are not very critical to us and are monitored externally.

       

      Any helps/suggestions/insights on this would be highly appreciated. What is not clear from SAP documentation is what is the difference between some of these BC sets,  specifically

      GRAC_RA_RULESET_SAP_R3             SAP R/3 AC Rules Set and

      GRAC_RA_RULESET_SAP_ECCS       SAP ECCS Rules Set and

      GRAC_RA_RULESET_SAP_R3             SAP R/3 AC Rules Set

       

      which makes it confusing for me to decide which one should I be using.

       

      Many thanks.

      Ronnie.

      • Re: GRC 10 AC BC Sets: Implications and suggestions.
        Colleen Lee

        Hi Ronnie

         

        I found myself in a similar situation of what to activate. As this is master data and can easily be deleted via NWBC or mass updated, I chose to activate them all.

         

        My approach

        • Activate all BC Sets for Rule Set (except for non-SAP systems as they are not in my landscape - JDE, PSOFT and ORACLE)
        • Export the rulesets and work with Internal Controls to determine which risks are applicable to our system
        • Create a new Ruleset
        • Copy the SAP standard risk into my new ruleset
        • Work again with Internal Controls to identify any other risks which are not in the rule set (in particular custom transaction codes or SU24 value changes)

         

        My reasons:

        • Able to see the full list of SAP standard ruleset to analyse as starting point
        • In this case for a BC set it's "master data" and can be easily modified
        • When SAP releases new changes/recommendations I can add them to the GLOBAL ruleset and then compare them to my custom ruleset
        • Consider future growth of SAP system - what if your organisation decides HR ruleset is now important or a new module is incorporated into your system? By having the global ruleset there as a comparison you can easily identify new proposed functions and risks and update your custom ruleset

         

        So by activating them all you ultimately review them all and make a complete and comprehensive decision of which ones you do require

         

        Alternatively, you can choose to activate none and build your ruleset from the beginning. I'm not sure if anyone has chosen this option as SAP has started the work for you.

         

        What is the difference in them???

        In relation to difference between the sets, again you can look at the contents of the BC sets before you activate them. You may want to export the data and analyse it before you are comfortable to advise your BASIS team to activate them. You can also choose to compare the BC rulesets to see the difference between them

         

        The key difference I see with them is the connector group (not sure if you had 3 sets but think you mentioned one twice) -

        • GRAC_RA_RULESET_SAP_R3 is for SAP_R3_LG
        • GRAC_RA_RULESET_SAP_ECCS is for SAP_ECC_LG

         

        The BC sets for each area can be updated the same functions (e.g a function could cover different systems).
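
The comparison described in the last post (the standard GLOBAL ruleset against a custom ruleset, one connector group at a time), sketched as an added example that is not part of the thread or of SAP's tooling. The tab-delimited export layout, the risk and function IDs and the `ZMIGO` transaction are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. The tab-delimited layout is an assumption of this
# example, not the actual GRC download format; all IDs are made up.
HEADER = "RISK_ID\tFUNCTION_ID\tCONNECTOR_GROUP\tACTION\n"
GLOBAL_EXPORT = HEADER + "\n".join([
    "P001\tPR01\tSAP_R3_LG\tME21",
    "P001\tPR02\tSAP_R3_LG\tMB01",
    "P001\tPR01\tSAP_ECC_LG\tME21N",
    "P001\tPR02\tSAP_ECC_LG\tMIGO",
    "H001\tHR01\tSAP_ECC_LG\tPA30",
    "H001\tHR02\tSAP_ECC_LG\tPA40",
    "F001\tFI01\tSAP_ECC_LG\tFB60",
    "F001\tFI02\tSAP_ECC_LG\tF110",
])
CUSTOM_EXPORT = HEADER + "\n".join([
    "P001\tPR01\tSAP_ECC_LG\tME21N",
    "P001\tPR02\tSAP_ECC_LG\tMIGO",
    "P001\tPR02\tSAP_ECC_LG\tZMIGO",  # custom transaction added locally
])


def load_ruleset(text, connector_group):
    """Return {risk_id: {function_id: {actions}}} for one connector group."""
    risks = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if row["CONNECTOR_GROUP"] == connector_group:
            risks[row["RISK_ID"]][row["FUNCTION_ID"]].add(row["ACTION"])
    return risks


def compare_rulesets(baseline, custom, excluded=()):
    """Diff custom against baseline; 'excluded' holds risks dropped on purpose."""
    changed = {}
    for risk in sorted(set(baseline) & set(custom)):
        for func in sorted(set(baseline[risk]) | set(custom[risk])):
            base = baseline[risk].get(func, set())
            cust = custom[risk].get(func, set())
            if base != cust:
                changed.setdefault(risk, {})[func] = (sorted(base - cust), sorted(cust - base))
    return {
        "missing": sorted(set(baseline) - set(custom) - set(excluded)),
        "extra": sorted(set(custom) - set(baseline)),
        "changed": changed,
    }
```

Passing the risks that were left out deliberately (here the HR risk) as `excluded` keeps the "missing" list down to baseline risks nobody has reviewed yet.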
