CC 4.0 vs AC 5.3 vs GRC 10 - Rule Processing

Former Member
0 Kudos

Hi Everyone

On my project we have identified a difference in the processing of the rules in Access Controls.

In the following example:

Risk F052 is

| | Function GL01 | VS. | Function AR07 |
|---|---|---|---|
| Tcd | FB01 | | FB01 |
| Auth Object | F_BKPF_KOA | | F_BKPF_KOA |
| Field | KOART | | KOART |
| VALUE | S | | D |

If the Role/User that is being tested has the values

Tcd FB01

Auth Object F_BKPF_KOA

Field KOART

VALUE *

In RAR 5.3 the user/role being tested DOES NOT match the conditions of the rule as the rule is processed LITERALLY i.e. is looking for an authorisation value of S or D combined, therefore no issue is reported.

In CC 4.0 the user/role being tested DOES match the conditions of the rule as the rule is processed with SOME INTERPRETATION i.e. is looking for an authorisation value of S or D combined or * [which is the authorisation equivalent of both S and D], therefore an issue IS reported.

Access Controls RAR 5.3 only looks for EXACTLY what you asked for it to look for, it does not understand that in a ROLE an "*" is a wild card that means all values.

We are aware of SAP Note "1133589 - RAR 5.3 How to build rules for -all- and -any- values", but:

1. 'Is there a SAP Note or best practice guide that would mention this change in processing from CC 4.0 [interpretation] to RAR 5.3 [literal]?'

2. 'Will the processing revert back to the CC4.0 [ABAP interpretative processing] in RAR 10.0?'

Regards

Simon

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hi Simon,

Why do we have the same tcode in two functions?

That works in CC 4.0.

However, per my knowledge, in RAR 5.3, you define it in only one function.

Please try that, maybe that will solve the issue.

And which SP level of RAR are you on?

Regards,

Surpreet

Former Member
0 Kudos

Sorry the questions appear to have been lost in the original posting, because of the example:

They are:

1. 'Is there a SAP Note or best practice guide that would mention this change in processing from CC 4.0 interpretation to RAR 5.3 literal?'

2. 'Will the processing revert back to the CC4.0 ABAP interpretative processing in RAR 10.0?'

The RAR SP question is not relevant as the change in processing of a "*" is present in all the SPs of RAR, when compared to CC 4.0.

regards

Simon

Edited by: Simon Carty on Jan 11, 2011 3:11 PM

Former Member
0 Kudos

Hi Simon,

Per my knowledge, the only change between CC 4.0 and RAR 5.3 is:

In CC, rules were generated and stored in a database table.

However, in RAR, rules are generated at runtime; they are the same as-is in your Function.

Regards,

Surpreet

Former Member
0 Kudos

Unfortunately, Surpreet, that is not correct.

In CC 4.0 if your rule says look for a "*" value it will treat it as a wild card, and therefore pick up all the values.

In RAR 5.3 if your rule says look for a "*" value it will NOT treat it as a wild card and look for the actual value of "*" in the object. RAR 5.3 uses the "$" as the wildcard.

Hence my questions about how will GRC 10 treat a "*" in the ruleset and has SAP documented this difference in processing between RAR 5.3 and CC 4.0, as SAP NOTE 1133589 refers to this difference but only in passing.

regards

Simon

Ignore the bold above as the forum is picking up the two "*" values as bold delineators.

Edited by: Simon Carty on Jan 11, 2011 4:07 PM

Former Member
0 Kudos

Hi Simon,

No problem.

Thanks for sharing, I was not aware of this.

So this means you have to create one more Risk like

RISK00101 F_BKPF_KOA KOART *

RISK00101 S_TCODE TCD FB01

Best will be that you create critical permission rules with the * value.

Regards,

Surpreet

Please put your query in the thread

http://forums.sdn.sap.com/thread.jspa?threadID=1838935&tstart=0

which is about GRC 10; Kunal Kant is doing a GRC 10 Ramp up implementation.

Edited by: Surpreet Singh Bal on Jan 11, 2011 8:48 PM

Former Member
0 Kudos

Hi guys,

After spending a lot of time worrying more about 10.0 functionalities working correctly and getting used to customising workflows in its new avatar of MSMP's and BRFplus, I have now had the time to think of other pending questions and come across this thread about rule sets and wild card entries.

With 5.X, we all understood that '*' did not really mean a 'wild card / any values' entry, but it meant the rule set would only report violations where the value '*' was actually present within the field values for that particular auth object.

Given GRC AC is now back on ABAP, I too would have assumed that the rule set engine may revert back to the ABAP way of analysing '*'s etc, but this does not seem to be the case. The new version seems to have brought through the GRC 5.X terminology and risk analysis engine into Version 10.0. I ran a Critical Permission check on a role, which contains S_TABU_DIS (Actvt 02 and DICBERCLS = ZCC), but it reported no violations as the rule set is looking for DICBERCLS = '*'. Obviously some end users are surprised by this, given GRC 10.0 is now back on ABAP.

I don't think this is a major issue, but it would be nice to know if the wildcard entry (any value) '$' is still applicable for 10.0, or if there are any issues with using it in a rule set.

Many thanks

Edited by: Kaushal Vastani on Mar 1, 2012 3:33 PM

simon_persin4
Contributor
0 Kudos

Hi All,

Confirmed ...

* in the ruleset will look explicitly for *

$ in the ruleset will look for any value.

Simon
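
The matching behaviour discussed in this thread, as an added example that is not part of the original posts and is not SAP code: a simplified Python model of the interpretive (CC 4.0) and literal (RAR 5.3 / GRC 10) rule processing as the posters describe them, showing where a literal engine silently misses a risk. The function names, data layout and the two roles are assumptions constructed for illustration.

```python
# Simplified model of the two matching behaviours described in this thread.
# Not SAP code: names and data layout are assumptions for illustration.

def value_matches(rule_value, role_values, mode):
    """Does a role's set of field values satisfy one rule value?"""
    if mode == "literal":              # RAR 5.3 / GRC 10 as described above
        if rule_value == "$":          # "$" in the rule set means any value
            return len(role_values) > 0
        return rule_value in role_values   # "*" is compared as a plain string
    if mode == "interpretive":         # CC 4.0 as described above
        if rule_value == "*":          # "*" in the rule is a wildcard
            return len(role_values) > 0
        return rule_value in role_values or "*" in role_values
    raise ValueError(f"unknown mode: {mode}")

def function_matches(function, role, mode):
    """A function matches when every (object, field, value) permission does."""
    return all(
        value_matches(value, role.get((obj, field), set()), mode)
        for obj, field, value in function
    )

def risk_reported(functions, role, mode):
    """A risk is reported only when all of its functions match the role."""
    return all(function_matches(f, role, mode) for f in functions)

# Risk F052 from the first post: GL01 (KOART = S) vs AR07 (KOART = D).
GL01 = [("S_TCODE", "TCD", "FB01"), ("F_BKPF_KOA", "KOART", "S")]
AR07 = [("S_TCODE", "TCD", "FB01"), ("F_BKPF_KOA", "KOART", "D")]
F052 = [GL01, AR07]

# Constructed role: FB01 with KOART = * (all account types).
ROLE_STAR = {("S_TCODE", "TCD"): {"FB01"}, ("F_BKPF_KOA", "KOART"): {"*"}}
# Constructed role from the S_TABU_DIS post: ACTVT = 02, DICBERCLS = ZCC.
ROLE_ZCC = {("S_TABU_DIS", "ACTVT"): {"02"}, ("S_TABU_DIS", "DICBERCLS"): {"ZCC"}}

def table_rule(dicbercls_value):
    """Critical-permission rule on S_TABU_DIS with the given DICBERCLS value."""
    return [[("S_TABU_DIS", "ACTVT", "02"),
             ("S_TABU_DIS", "DICBERCLS", dicbercls_value)]]

if __name__ == "__main__":
    for mode in ("interpretive", "literal"):
        print(mode, "F052 reported:", risk_reported(F052, ROLE_STAR, mode))
    for v in ("*", "$"):
        print("literal, rule DICBERCLS =", v, "reported:",
              risk_reported(table_rule(v), ROLE_ZCC, "literal"))
```

In the literal mode, a role holding `*` goes unreported unless the rule set also carries a rule for the literal `*` value, which is the extra rule suggested earlier in the thread.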