Hi Chinmaya ,

Thanks for your reply and really appreciate your help

I am only trying to update critical permissions for my system . Risk analysis works fine for action , permissions and critical actions however now i have to upload those permissions so that i can do analysis based on these permissions. I have about 80 existing functions which have these critical permissions mapped to so manually creating them would take a long time.

I have updated my function_action and function_permission file with " ^!XXXXXX " updated in place of tcode information so that i can now map these critical permissions to these existing functions. i just want to confirm if uploading these two files will make critical permissions work as i don't want to mess with my existing rule set .

I hope i was able to explain you the scenario. Looking forward to your guidance here.

Vikas

Hi Vikas,

I have updated my function_action and function_permission file with " ^!XXXXXX " updated in place of tcode information so that i can now map these critical permissions to these existing functions. i just want to confirm if uploading these two files will make critical permissions work as i don't want to mess with my existing rule set . 

Why are you modifying the SAP delivered xml files. You can't keep on changing them and uploading back to SAP. If you wish to create new risks for critical actions, you have to do that manually in the RAR system from the Rule architect tab.

First create your Functions --> and then Critical permissions --> and update the ruleset.

I am not sure why you are trying to upload your custom critical permission data manually again.

Regards,

Raghu

Hi Raghu ..

Thanks for your reply .

I am not modifying any SAP delivered xml files , i was just trying to make changes to my rule set to have critical permission added to it. This issue is now resolved however let me explain so that everyone our here in forum is aware of the procedure.

I was trying to upload these critical permissions in GRC 10 Box . Manually creating 100+ functions and then creating risks mapped with them doesn't make sense as it would have taken a lot of time so i updated my existing rule set to have these critical permissions updated . I exported my rule set from the system and added new function's to Function_action and function_permission data with " ^! " in place of Tcodes so that system doesn't consider this value while doing the analysis at critical permissions file . After updating my existing rule set i used the Overwrite option as my ruleset has my existing working functions plus the changes that i have made to include critical permissions. So , Its working fine now and i was able to do the analysis .

Sap Note 1225227 was very helpfull here.

Vikas

Hi Vikas,

Great to hear and yes your approach is correct and time saver.

Thanks for sharing the SAP Notes and your explanation and yes it helps few people who has similar issue.

Regards,

Raghu

Hi All,

I am trying to upload functions containing only permissions in GRC AC 10.0. The sap note 1225227 says clearly that the trick referenced above, does not apply for this system. Does anyone know how to solve this problem?

Thank you very much,

Regards,

Hi Mercedes,

I know this is an old post.

I've read the note you mentioned, so I created the function in GRC manually via NWBC. After that I downloaded the rule set and I found the ^! as in 5.3, for example:

ZD04    ^!S_DEVELOP    S_DEVELOP    ACTVT    01    02    OR    0

ZD04    ^!S_DEVELOP    S_DEVELOP    OBJTYPE    DEBUG        AND    0

So I've uploaded the files as in 5.3....but how did you solve this issue?

Cheers.

Diego.

Hello,

The prefix "^!" <add whatever characters after> in the T-code column does work. I have uploaded 5.3 custom rule sets into GRC AC 10.0 without any issues. I recall talking to SAP last year and experimenting with the rule set operands (AND/OR) etc, and we found that the rule set logic/convention remains the same.

To be honest, if you know what you are doing with the text files and there are a huge amount of rules to update (and I mean different individual updates that are not possible via the Mass Maintenance tool), I do not see an issue of updating it via re-upload and generation in the Development system (and then transport through the GRC landscape). the obvious benefit is that you can validate the entries and text via the editing tool used.

Obviously, I would advise an end customer to not risk this approach and maintain individual updates via the front-end and transport them across the landscape.

Thanks.

Hi Harinam!

Man thanks for your input.

I agree with you regarding the AND/ OR logic, I'd like a change there. For example I have the following:

and if i want to check S_CTS_ADMI OR S_CTS_SADMI I have to create to groups ZB02 (for S_CTS_ADMI) and ZB03(for S_CTS_SADM).

Thanks for sharing your ideas!

Cheers,

Diego.

Hi Harinam,

We tried with the prefix "^!" <add whatever characters after> this indeed works. The function is saved without actions.

After mass generating the access risks, rules for these specific risks were not created.

To solve this we had to go to the function itself via NWBC and manually push the "save"button. After this was done AC was able to create the rules for these risks.

Is there a solution for this issue?

Kr

Which Support Pack is your GRCFND_A component? I have also had mixed success with rule set generations via the back end in some earlier SP levels.

Hi,

This is V1000 SP13

kr