986996 - GRC Access Control - Best Practice for Rules and Risks

SAP Note 986996 (2021-09-07)
Version: 21
Language: English (master language: English)
Priority: Recommendations / Additional Info
Release Status: Released for Customer
Component: GRC-SAC-ARA (Access Risk Analysis)
Type: SAP Note
Category: Consulting
Released On: 11.01.2021
Please find the original document at https://launchpad.support.sap.com/#/notes/986996
Symptom
Explanation of delivered Risk Analysis and Remediation rules.
Other Terms
SAP Compliance Calibrator, Risk Analysis and Remediation, rules, functions,
risks, ruleset, RAR, CNV
Reason and Prerequisites
How was the decision made to build the rules and risks that are found in the
rule set delivered with SAP CC?
Solution
Best practices for controls state that the company's own environment is the primary
consideration when establishing controls. The same applies to Segregation of
Duties (SoD) rules.
SAP delivers a set of rules that, in our experience, covers the majority of global
requirements for the basic processes: Finance, Procure to Pay, Order to Cash, and
so on. Rules for specialty areas such as CRM, HR and ECC were developed together
with partners and customers. The purpose is to give customers a solid starter set
rather than forcing them to build rules from scratch. The delivered ruleset covers
the major risk areas present at most customers. Not every SAP application is
included, and there are currently no plans to develop additional industry-specific
component or add-on product rules.
The time a company should invest is in confirming that the delivered risks are
appropriate for its own SAP implementation and in adding its custom transactions
to the related functions, rather than starting from scratch.
A zip file presentation has been attached that explains the ruleset update
process as well as a summary of the number of rules delivered and what areas are
covered.
The rules were created on a 4.6C system, except for transactions that only exist
in higher releases. The underlying assumption is that the rules must not produce
any false negatives: we deliberately activate only the fewest authorization
objects required to execute the transaction, so that no user who can actually
perform the action is missed.
If additional or different authorization object checks apply in the higher
releases (4.7, 6.40 and 7.00) and you find that this produces false positives
(conflicts reported that do not really exist), you can adjust the rules by
activating those authorization objects in the affected functions. Activating an
additional object can only narrow the set of users who match a function, never
widen it.
Again, the assumption is that the delivered ruleset should err on the side of
reporting too many conflicts, which the customer can then filter, rather than
excluding users who should be reported.
The data in the default ruleset is the same regardless of the Risk Analysis and
Remediation (Compliance Calibrator) version implemented (4.0, 5.1, 5.2 or 5.3);
only the format differs. In 4.0, single-function risks cannot be created, so
Critical Action risks are delivered as part of the Critical Transaction table
rather than as individual Functions and Risks. In 5.x, the Critical Actions are
delivered as individual Functions and Risks that are part of the normal ruleset.
Note, however, that the actual Critical Transactions are the same in 4.0 and 5.x.
A best practice when modifying or customizing the SAP-delivered ruleset is to
first read the Risk Description and understand the exact business risk. Then read
the descriptions of the Functions involved in that risk and identify the business
area each Function belongs to. We recommend keeping all actions (transaction
codes) of the same nature in one Function. If you can relate a transaction code
that is not part of the standard ruleset to a business area and then to a
Function, add it to that Function and customize the rules to your requirements.
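The two rules of thumb above (activate the fewest authorization objects so that no real conflict is missed, then activate further objects or add customer transactions to an existing function when tuning) can be checked against a small model of how a ruleset is evaluated. The following is an added example written for this note, not GRC Access Risk Analysis code: S_TCODE, F_LFA1_APP and F_REGU_BUK are real SAP authorization objects, but the function IDs (ZVND, ZPAY), risk ID (ZP01), users and field values are all constructed for illustration.

```python
"""
Toy segregation-of-duties (SoD) risk analysis modelled on how a GRC ruleset is
evaluated: a function lists actions (transaction codes) and the authorization
object checks that are *active* for each action; a risk is a set of functions
that one user must not hold together.  Added example for this note, not GRC
code.  Users, values, function IDs and risk IDs are constructed.
"""
from fnmatch import fnmatchcase

# User authorizations as (object, field, value).  A trailing '*' is a wildcard,
# as in SAP authorization values.  Constructed sample data.
USERS = {
    # Maintains vendors (XK02) and can actually execute the payment run (F110
    # with F_REGU_BUK): a genuine conflict.
    "ALICE": {
        ("S_TCODE", "TCD", "XK02"),
        ("F_LFA1_APP", "APPKZ", "F"),
        ("F_LFA1_APP", "ACTVT", "02"),
        ("S_TCODE", "TCD", "F110"),
        ("F_REGU_BUK", "FBTCH", "*"),
        ("F_REGU_BUK", "BUKRS", "1000"),
        ("F_REGU_BUK", "ACTVT", "*"),
    },
    # Can start F110 but has no F_REGU_BUK, so the payment run itself fails.
    "BOB": {
        ("S_TCODE", "TCD", "XK02"),
        ("F_LFA1_APP", "APPKZ", "F"),
        ("F_LFA1_APP", "ACTVT", "02"),
        ("S_TCODE", "TCD", "F110"),
    },
    # Maintains vendors only through a customer copy ZXK02 and runs payments.
    "CAROL": {
        ("S_TCODE", "TCD", "ZXK02"),
        ("F_LFA1_APP", "APPKZ", "*"),
        ("F_LFA1_APP", "ACTVT", "*"),
        ("S_TCODE", "TCD", "F110"),
        ("F_REGU_BUK", "FBTCH", "*"),
        ("F_REGU_BUK", "BUKRS", "*"),
        ("F_REGU_BUK", "ACTVT", "*"),
    },
}

# Function -> action -> active (object, field, value) checks.  Starting the
# transaction (S_TCODE/TCD) is always checked.  ZPAY is "delivered" with the
# fewest objects, i.e. only the transaction start, as the note describes.
FUNCTIONS = {
    "ZVND": {"XK02": [("F_LFA1_APP", "APPKZ", "F"), ("F_LFA1_APP", "ACTVT", "02")]},
    "ZPAY": {"F110": []},
}
RISKS = {"ZP01": ("ZVND", "ZPAY")}   # vendor maintenance + payment run


def has_auth(auths, obj, fld, required):
    """True if one of the user's values for obj/fld covers the required value."""
    return any(fnmatchcase(required, v) for o, f, v in auths if (o, f) == (obj, fld))


def matches_action(auths, action, checks):
    """User can start the action and passes every active object check."""
    return has_auth(auths, "S_TCODE", "TCD", action) and all(
        has_auth(auths, o, f, v) for o, f, v in checks)


def matches_function(auths, function):
    return any(matches_action(auths, a, c) for a, c in function.items())


def analyze(users, functions, risks):
    """{user: sorted risk IDs} for users who match every function of a risk."""
    report = {}
    for user, auths in users.items():
        hits = [rid for rid, fids in risks.items()
                if all(matches_function(auths, functions[f]) for f in fids)]
        if hits:
            report[user] = sorted(hits)
    return report


def _copy(functions):
    return {f: {a: list(c) for a, c in acts.items()} for f, acts in functions.items()}


def activate_objects(functions, fid, action, checks):
    """Ruleset copy with extra checks activated for one action (false-positive
    tuning).  More active checks can only remove matches, never add them."""
    new = _copy(functions)
    new[fid][action].extend(checks)
    return new


def add_custom_action(functions, fid, action, checks):
    """Ruleset copy with a customer transaction added to an existing function
    instead of a new function of its own."""
    new = _copy(functions)
    new[fid][action] = list(checks)
    return new


if __name__ == "__main__":
    print("delivered (minimal objects):", analyze(USERS, FUNCTIONS, RISKS))
    tuned = activate_objects(FUNCTIONS, "ZPAY", "F110",
                             [("F_REGU_BUK", "FBTCH", "21"),
                              ("F_REGU_BUK", "BUKRS", "1000")])
    print("F_REGU_BUK activated:       ", analyze(USERS, tuned, RISKS))
    custom = add_custom_action(tuned, "ZVND", "ZXK02", FUNCTIONS["ZVND"]["XK02"])
    print("ZXK02 added to ZVND:        ", analyze(USERS, custom, RISKS))
```

With the delivered (minimal) rule, ALICE and BOB are both reported for ZP01; BOB is the false positive the note describes, since he can start F110 but has no F_REGU_BUK. Activating F_REGU_BUK on the F110 action drops BOB and keeps ALICE, and the tuned result is always a subset of the delivered result. CAROL is only reported once her customer transaction ZXK02 is added to the existing vendor-maintenance function, which is why custom transactions belong in the function of the same business nature rather than in a separate function that no risk references.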
WHAT IS THE LATEST IN THE SAP STANDARD RULESET?
• The last delta update to the existing ruleset for R/3 was delivered in 2014
(refer to KBA 2109459 for details).
• After 2014, the SAP standard ruleset was extended with SRM Web Dynpro rules
in 2015 (refer to KBA 2171822 for details).
• After the SRM development, a HANA ruleset followed in 2017 (refer to KBA
2524840).
• After the HANA ruleset, an S/4HANA ruleset followed in 2018 (refer to KBA
2539742).
• A delta update for the S/4HANA and Fiori ruleset was delivered in Q3 2018
(refer to KBA 2678236).
• An IS-U ruleset was delivered in Q3 2018 (refer to KBA 2685974).
• A further S/4HANA and Fiori ruleset delta update was delivered in Q4 2018
(refer to KBA 2724526).
• Fiori apps and services were added to BC set GRAC_RA_RULESET_S4HANA_ALL in
Q4 2020 (refer to KBA 3010795).
• Fiori apps and OData services delivered in the standard ruleset: the rules
delivered by the SAP standard ruleset are based on best practices that are
generic and relevant for most industries and customers. Only certain business
processes (order to cash, hire to fire, etc.) are covered, so only the Fiori
apps and services related to those business processes have been added. In
addition, not every Fiori app or service poses a risk. To display the SAP
standard ruleset rules delivered for Fiori apps and OData services, open BC set
GRAC_RA_RULESET_S4HANA_ALL in display mode in transaction SCPR20 and look for
rules containing Fiori apps (prefix [FAPP]) and OData services (prefix [SVC]).
For more information, see:
2681886 - Instructions to create custom Risk for Fiori Apps or ODATA Services in addition to SAP Standard Ruleset
2655122 - Prefix / Abbreviation requires with Action for creating & running risk analysis
This document refers to
SAP Note/KBA - Title
2724526 - GRC - Access Control - Access Risk Management Rule Update Q4, 2018
2685974 - SAP GRC Access Control - standard SOD rules enhancement for SAP's Industry-Specific Solution ISU
2678236 - GRC-Access Control-Access Risk Management Rule Update Q3,2018 - Delta changes in S4HANA / Fiori ruleset
2524840 - GRC - Access Control - Access Risk Management Rule Update Q3, 2017 - HANA Plugin
2171822 - SAP GRC Access Control - standard SOD rules for SRM Webdynpro Application
2109459 - GRC - Access Control - Access Risk Management Rule Update Q4, 2014
2539742 - GRC - Access Control - Access Risk Management Rule Update Q1, 2018 - S/4 HANA
1611006 - Risks are not showing in SoD report that should
1604722 - Risk Analysis and Remediation Rule Update Q3 2011
1600667 - Transactions that conflict with themselves
1552985 - F110S rule incorrect - lists F_REGUL_KO should be F_REGU_KOA
1541577 - Impact of S_TABU_NAM in Risk Analysis and Remediation
1535330 - Compliance Calibrator 4.0 - Full Rule Deletion
1519557 - Rules by Process under Rule Library do not show numbers
1446680 - Risk Analysis and Remediation Rule Update Q2 2010
1349969 - Function AR04 - incorrect permission activated
1326497 - Risk Analysis and Remediation Rule Update Q2 2009
1238023 - New authorizations not updating in rule set
1173980 - Risk Analysis and Remediation Rule Update Q2 2008
1133589 - RAR- How to build rules for "all" or "any" values
1083611 - Compliance Calibrator Rule Update Q3 2007
1061380 - Compliance Calibrator Rule Update Q2 2006
1050832 - ME23N in Compliance Calibrator (RAR) Default rules
1035070 - Compliance Calibrator Rule Update Q1 2007
1033326 - Risk Analysis and Remediation Rule Upload guidance
This document is referenced by
SAP Note/KBA - Title
3010795 - GRC - Access Control - Access Risk Management Rule Update Q4, 2020
2171822 - SAP GRC Access Control - standard SOD rules for SRM Webdynpro Application
1999708 - SOD rules are not generated after completing rule generation job.
1960531 - GRC - Access Control - Access Risk Management Rule Update Q4, 2013
1799659 - Rules are not generated due to short dumps
1780236 - Unable to retrieve the Risk Analysis result
1600667 - Transactions that conflict with themselves
1611006 - Risks are not showing in SoD report that should
1604722 - Risk Analysis and Remediation Rule Update Q3 2011
1541577 - Impact of S_TABU_NAM in Risk Analysis and Remediation
1552985 - F110S rule incorrect - lists F_REGUL_KO should be F_REGU_KOA
1446680 - Risk Analysis and Remediation Rule Update Q2 2010
1033326 - Risk Analysis and Remediation Rule Upload guidance
1535330 - Compliance Calibrator 4.0 - Full Rule Deletion
1519557 - Rules by Process under Rule Library do not show numbers
1061380 - Compliance Calibrator Rule Update Q2 2006
1238023 - New authorizations not updating in rule set
1050832 - ME23N in Compliance Calibrator (RAR) Default rules
1349969 - Function AR04 - incorrect permission activated
1133589 - RAR- How to build rules for "all" or "any" values
1326497 - Risk Analysis and Remediation Rule Update Q2 2009
1083611 - Compliance Calibrator Rule Update Q3 2007
1173980 - Risk Analysis and Remediation Rule Update Q2 2008
1035070 - Compliance Calibrator Rule Update Q1 2007
Attachments
File Name: 986996_RAR_Rule_Updates.zip
File Size: 74
Mime Type: application/x-zip-compressed
© 2021 SAP SE or an SAP affiliate company. All rights reserved