on 2015 Mar 24 12:03 PM
Hi all!
I'm trying to extend standard functions to get a new condition for a risk. To achieve this aim, I added the following strings in my Fun-Act and Fun-Perm files in accordance with note 1225227 - How to upload the functions containing only permissions 5.x.
Fun-Act file contains:
BS11 ^!DEV_RSK 0
BS02 ^!DEV_RSK 0
Fun-Perm file contains:
So, I've got:
Then I started SoD generation, and after it I performed risk analysis.
However, my hope to get the risk (B001) for the attached roles was ruined.
All connector types are maintained under "Maintain Connection Settings"
Synchronization jobs are finished.
How can I get risk for my roles?
Any help will be appreciated.
Regards,
Artem
As per SAP note http://service.sap.com/sap/support/notes/1225227 the prefix "^!" should work.
Previously, in a rule set, I have done the following:
Function Action
ZCP8 ^!CP 0
(i.e. it tells GRC to look for the permissions only; the tcode ^!CP is a dummy placeholder for the Action entry). Maybe try to make the dummy action code with fewer characters (i.e. less than 8 characters in total length).
Function Permission
ZCP8 | ^!CP | S_DEVELOP | DEVCLASS | 0* | Z* | OR | 0 |
ZCP8 | ^!CP | S_DEVELOP | OBJNAME | 0* | Z* | OR | 0 |
ZCP8 | ^!CP | S_DEVELOP | ACTVT | 3 | 3 | OR | 0 |
ZCP8 | ^!CP | S_DEVELOP | P_GROUP | 0* | Z* | OR | 0 |
ZCP8 | ^!CP | S_DEVELOP | OBJTYPE | FUGR | FUGR | AND | 0 |
ZCP8 | ^!CP | S_DEVELOP | OBJTYPE | PROG | PROG | AND | 0 |
This has worked for me at all times, so I can only presume that it may be worth trying to have fewer characters in the actual Action/tcode entry (8 or less in total) and also try uploading the rule set in the form of a text file from the back end.
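Added example, not part of the original thread and not SAP code: a small pre-upload check that lists permission-only (`^!`) entries in the function-action file that have no matching rows in the function-permission file, or whose action code exceeds the 8-character total suggested in the reply above. The file layouts (whitespace-separated and pipe-separated) are assumed from the rows quoted in the thread, and the function names are hypothetical.

```python
# Added example. File layouts are assumed from the rows quoted in the thread.
MAX_ACTION_LEN = 8  # the reply's suggestion: "8 or less in total"

# Fun-Act rows as quoted in the thread.
SAMPLE_FUN_ACT = """\
BS11 ^!DEV_RSK 0
BS02 ^!DEV_RSK 0
ZCP8 ^!CP 0
"""

# ZCP8 rows are from the reply; the BS11 row is constructed for illustration.
SAMPLE_FUN_PERM = """\
ZCP8 | ^!CP | S_DEVELOP | ACTVT | 3 | 3 | OR | 0 |
ZCP8 | ^!CP | S_DEVELOP | OBJTYPE | PROG | PROG | AND | 0 |
BS11 | ^!DEV_RSK | S_DEVELOP | ACTVT | 3 | 3 | OR | 0 |
"""

def parse_fun_act(text):
    """Return sorted (function_id, action) pairs from whitespace-separated rows."""
    rows = (line.split() for line in text.splitlines())
    return sorted({(r[0], r[1]) for r in rows if len(r) >= 2})

def parse_fun_perm(text):
    """Return the set of (function_id, action) pairs from pipe-separated rows."""
    pairs = set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 2 and cells[0] and cells[1]:
            pairs.add((cells[0], cells[1]))
    return pairs

def check_rule_files(fun_act_text, fun_perm_text):
    """List (function_id, action, finding) for permission-only entries."""
    perm_pairs = parse_fun_perm(fun_perm_text)
    findings = []
    for func, action in parse_fun_act(fun_act_text):
        if not action.startswith("^!"):
            continue  # a real tcode, not a permission-only placeholder
        if len(action) > MAX_ACTION_LEN:
            findings.append((func, action, "longer_than_suggested"))
        if (func, action) not in perm_pairs:
            findings.append((func, action, "no_permission_rows"))
    return findings

if __name__ == "__main__":
    for finding in check_rule_files(SAMPLE_FUN_ACT, SAMPLE_FUN_PERM):
        print(*finding)
```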
Hello Harinam!
Thank you for the reply! Yesterday, at the end of the day, I made a simple test for a role; it contains two tcodes included in functions that conform to a risk. But the simulation gave me the same result: No violations.
Based on the documentation, all the configuration activities were done correctly. Connector exists (no authorisation issues); it's assigned to a logical group SAP_CRM_LG; BCSets were activated; Connector is assigned to AUTH, PROV, ROLMG, SUPMG; functions were adopted as I mentioned; risks were generated. No errors or warnings in SLG1, connection works fine.
What can be wrong with risk analysis?
Regards,
Artem
Can you share a screenshot of the Function Action?
Secondly, did you set the risk type to "Critical Permission" in the rule set?
And finally, when performing a risk analysis, are you running it on default settings or ensuring "Critical Permissions" is ticked for analysis? Once the results are received, you may have to change the settings in reported analysis to display critical permission risks.
Hopefully the points above are either verified or maybe resolve your issue.
Hi Harinam,
My role contains the following tcodes (I suppose it would be easier to finish with actions and then with permissions):
SU53
PFCG
SU01
STMS
SE10
SE09
SE06
SE03
SE01
Selection describes the risks I'm expecting to get
Functions of the risks
But when I start simulation I get nothing (SSDCLNT200 is in SAP_CRM_LG):
Or when I start risk analysis:
So, I don't understand why this happens...
I'm also confused by the Simulation option and Risk Violations. As I understand it, Simulation is used for the analysis "what will we get if we assign the role", but Risk Violations is used for current account violations (for SAP_ALL it finds risks). Am I right?
I don't want to cry about the past, but in GRC 5.3 it was more intuitive and easier.
Regards,
Artem