Former Member

GRC 10 AC BC Sets: Implications and suggestions.

Dear experts,

Going through the SAP installation document I found information related to BC sets activation. Was keen to know what these are and what impact they have on the implementation? For example, if I do not activate the relevant BC set for rulesets, what would go wrong?

We are implementing SAP GRC 10 Access Controls and for the ruleset part I am not sure which amongst the following should I ask the basis team to activate:







We are on ECC 6 at the moment. We do utilise some HR functionalities in ECC 6 but would not like to define any risks/rules for HR within GRC AC at the moment as these are not very critical to us and are monitored externally. Any help/suggestions/insights would be highly appreciated.

Many thanks.



2 Answers

  • Best Answer
    Posted on Apr 19, 2013 at 04:43 AM

    Hi Ronnie,

    Just to add what Colleen rightly said.... SAP provides standard best practices rules and if you would like to use them, you need to activate the Rules BC Sets.

    If you don't activate these and would like to have your own Custom created rules, that would be absolutely okay. You can create your own functions, risks, ruleset based upon your company rules regulation and use them for running risk analysis.

    If you would like to use standard ruleset, you need to first activate BC Set GRAC_RA_RULESET_COMMON. This is a base of all the rules. So once this is activated, you can activate other required BC Sets based upon your landscape setup. R3 BC set covers all the SAP system rules. Or else, if your landscape has only HR or Non-HR, you can activate those based upon your requirements.

    You may also like to review the document below, which talks about First Risk Analysis and its setup.

    Hope this helps.

    Thanks & Regards



    • Hi Ronnie

      I found myself in a similar situation of what to activate. As this is master data and can easily be deleted via NWBC or mass updated, I chose to activate them all.

      My approach

      • Activate all BC Sets for Rule Set (except for non-SAP systems as they are not in my landscape - JDE, PSOFT and ORACLE)
      • Export the rulesets and work with Internal Controls to determine which risks are applicable to our system
      • Create a new Ruleset
      • Copy the SAP standard risk into my new ruleset
      • Work again with Internal Controls to identify any other risks which are not in the rule set (in particular custom transaction codes or SU24 value changes)

      My reasons:

      • Able to see the full list of SAP standard ruleset to analyse as starting point
      • In this case for a BC set it's "master data" and can be easily modified
      • When SAP releases new changes/recommendations I can add them to the GLOBAL ruleset and then compare them to my custom ruleset
      • Consider future growth of SAP system - what if your organisation decides HR ruleset is now important or a new module is incorporated into your system? By having the global ruleset there as a comparison you can easily identify new proposed functions and risks and update your custom ruleset

      So by activating them all you ultimately review them all and make a complete and comprehensive decision of which ones you do require

      Alternatively, you can choose to activate none and build your ruleset from the beginning. I'm not sure if anyone has chosen this option as SAP has started the work for you

      What is the difference in them???

      In relation to difference between the sets, again you can look at the contents of the BC sets before you activate them. You may want to export the data and analyse it before you are comfortable to advise your BASIS team to activate them. You can also choose to compare the BC rulesets to see the difference between them

      The key difference I see with them is the connector group (not sure if you had 3 sets but think you mentioned one twice) -

      • GRAC_RA_RULESET_SAP_R3 is for SAP_R3_LG

      The BC sets for each area can be updated the same functions (e.g a function could cover different systems).

  • Posted on Apr 19, 2013 at 03:30 AM

    Hi Ronnie

    These BC sets would populate the Function and Risk definition for the GLOBAL ruleset in RAR. They are the SAP delivered baseline.

    I cannot see how not activating them would cause system issues. These BC sets are a starting point for creating your SoD Matrix. You would still need to go in and review the matrix and maintain (there was a good discussion in this community a couple of weeks ago relating to this topic).

    In relation to your comment "would not like to define any risks/rules" you have two options should you activate them:

    • Go in and deactivate each risk you don't want to use
    • Create a New Rule set in RAR by copying the risks from the standard ruleset and run your risk analysis on this rule set instead of global

    Both of these activities can be completed in NWBC or via mass load in IMG.

    SAP has a note about their ruleset:

    Note 986996 - GRC Access Control- Best Practice for Rules and Risks

    If you are still unsure it might be worth looking at the BC Set via transaction SCPR20 so you can see which tables are impacted.


    • Hi Paul

      Generate Rule Set

      yes that is that program/transaction

      BC Sets populate the IMG data. In the GRAC_RULESET* tables these populate the proposed SAP SoD Rule set. The guides and GRC material will have a section on the SoD Rule sets. After you make a change to the rule set (function, risk or rule set) you must generate the rule set (updates some other tables) for it

      You can either use the transaction you listed or you can go into NWBC Master Data for Function or Risk and select them and press generate button.

      You aren't really generating the BC set (hence why post-implementation guide does not tell you to do this). You are actually working through the Risk Analysis and Remediation configuration setup.

      Deactivating a BC Set

      You do this by removing the configuration. For the JDE/etc. ones you can run the Rule Deletion program "Delete SoD Rules". However, before you run this you must complete the generate step (it was mentioned in GRC300 course guide - I suspect it's to do with what sequence the deletion program hits the tables)

      The rule set configuration for RAR is a bit different to most BC activation/deactivation as it's really master data instead of configuration, although mass maintenance for rule sets is accessible via IMG.

      For the deletion you can choose the JDE_LG, etc values.