Former Member
Jun 05, 2012 at 11:33 AM

Should we copy and adapt standard GRC Ruleset?


Dear SAP GRC Gurus

I have a query on the recommended approach to GRC ruleset management; we are using GRC 10 and implementing ARA and SPM.

The approach we have taken to date is to maintain an offline copy of the standard GRC ruleset. We had planned to commence modifications to the existing standard ruleset. We have now compiled a list of custom Z transactions and identified which functions they should reside within. Critical and sensitive transactions and roles are also identified.

I have investigated this topic and found little concrete information on the recommended approach. We want to ensure we are not creating any potential issues in relation to upgrades etc. Can you advise on your approach? Did you create a duplicate/customised ruleset in GRC and deactivate the original ruleset? Did you assign a new naming convention to the duplicate/customised ruleset to identify it as custom, e.g. Z? My concern with this is the step away from the intuitive F*, S*, P* etc., where risk FI001 would then become ZFI001 and require a *F* search.

Please advise on the best approach that will allow for the easiest upgrade process. Please also advise if there is anything I have missed. Any insight or experiences would be greatly appreciated.

Many Thanks, Gráinne