Monthly GRC Ruleset Review & Completeness - Audit Review Guidance Request

former_member245311
Participant

Dear Friends, we are in the process of building a process to review changes done with the GRC rule set (as per the audit request below).

Topic: Custom T-Codes: - Validation of custom T-Codes being included in the Ruleset: -

When Business Owners determine an SOD conflict does exist for a new custom t-code they are to add it to the ruleset.
Build a review for ruleset and to validate custom t-codes causing SOD conflicts are included and tracked in the ruleset.

Current process: -

A. How do we perform changes to your rule set?
Ans: - Currently it is manually done in D, Q and P.

B. Do you change in dev/quality and transport to prod?
Ans: - It's not done via transport but manually it's updated.

I would request your insights for: -

* What should be reviewed \ captured to find the changes done with GRC ruleset for a specific month year.

* What are the aspects which need to be included \ captured in monthly GRC ruleset completeness and accuracy documentation.

Or

* Please reference any SAP help documentation which would help in building process for this monthly review.

Thanks
Raj

PS: -

GRC 12.0 SP05 is current version of GRC

former_member230681
Participant
0 Kudos

Hi Rajashekar,

Here are my thoughts on the ask:

1) What should be reviewed \ captured to find the changes done with GRC ruleset for a specific month year.

Answer: Change logs can be reviewed. Refer to the thread https://answers.sap.com/questions/12717209/sap-grc-access-control-ruleset-change-log.html where change log report information is mentioned (extract from the thread: You can access using Change Log report. Also you can get the details from change document tables CDHDR and CDPOS with following ObjectClass names:

  • GRAC_FCTLOG
  • GRAC_RSKLOG
  • GRAC_RULESETLOG

)

2) What are the aspects which need to be included \ captured in monthly GRC ruleset completeness and accuracy documentation.

Answer: Screenshot showing change log from previous month and change log from current month. In case there was any change done, approval or likely should be included in the documentation which can show that change was approved and legitimate.

I hope this is helpful.

Thanks

Anika
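
The monthly check described in the answer above, as an added example that is not part of the original posts: it filters a CDHDR export to the three object classes for one month, attaches the CDPOS items, and lists changes with no approval evidence. The CSV rows, the YYYYMMDD date format, the `EXAMPLE_TAB` table name and the `APPROVALS` register are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Change-document object classes named in the answer above.
RULESET_CLASSES = {"GRAC_FCTLOG", "GRAC_RSKLOG", "GRAC_RULESETLOG"}

# Constructed sample exports (not real data). UDATE is assumed to be YYYYMMDD.
CDHDR_CSV = """OBJECTCLAS,OBJECTID,CHANGENR,USERNAME,UDATE,UTIME,TCODE
GRAC_FCTLOG,ZF01,0000000101,GRCADMIN1,20240305,101500,SPRO
GRAC_RSKLOG,ZR01,0000000102,GRCADMIN2,20240318,142000,SPRO
GRAC_RULESETLOG,GLOBAL,0000000099,GRCADMIN1,20240227,090000,SPRO
MATERIAL,000000000000000042,0000000103,MMUSER,20240310,110000,MM02
"""
CDPOS_CSV = """OBJECTCLAS,OBJECTID,CHANGENR,TABNAME,FNAME,CHNGIND,VALUE_OLD,VALUE_NEW
GRAC_FCTLOG,ZF01,0000000101,EXAMPLE_TAB,ACTION,I,,ZCUSTOM_TCODE
GRAC_RSKLOG,ZR01,0000000102,EXAMPLE_TAB,RISKLEVEL,U,2,3
"""
# Hypothetical approval register: CHANGENR -> approval ticket reference.
APPROVALS = {"0000000101": "CHG-EXAMPLE-1"}

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def monthly_ruleset_changes(cdhdr, cdpos, year, month, approvals):
    """Return ruleset change headers for the month, with items and approval."""
    prefix = f"{year:04d}{month:02d}"
    items = defaultdict(list)
    for pos in cdpos:
        items[(pos["OBJECTCLAS"], pos["OBJECTID"], pos["CHANGENR"])].append(pos)
    report = []
    for hdr in cdhdr:
        if hdr["OBJECTCLAS"] not in RULESET_CLASSES or not hdr["UDATE"].startswith(prefix):
            continue  # other change documents, or outside the review month
        key = (hdr["OBJECTCLAS"], hdr["OBJECTID"], hdr["CHANGENR"])
        report.append({**hdr, "items": items.get(key, []),
                       "approval": approvals.get(hdr["CHANGENR"])})
    return sorted(report, key=lambda r: (r["UDATE"], r["UTIME"]))

def unapproved(report):
    """Change numbers with no approval evidence, for reviewer follow-up."""
    return [r["CHANGENR"] for r in report if r["approval"] is None]

if __name__ == "__main__":
    rep = monthly_ruleset_changes(read_rows(CDHDR_CSV), read_rows(CDPOS_CSV), 2024, 3, APPROVALS)
    for r in rep:
        print(r["UDATE"], r["OBJECTCLAS"], r["OBJECTID"], r["USERNAME"], r["approval"] or "NO APPROVAL")
    print("Follow up:", unapproved(rep))
```

Because the rule set is maintained manually in D, Q and P, the same extract would be taken from each system separately.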
