cancel
Showing results for 
Search instead for 
Did you mean: 

Rule Generation fails

former_member182655
Contributor
0 Kudos
98

Hello!

We have an issue. After installation few month ago we uploaded standard files (according to postinstall steps) and now we are trying to load modified action/permission files.

We have a problem with Rule Generation programm. During rule generation job we have got a problem:

"Error while executing the Job:ERROR: Risk: F001 has exceeded the maximum number of rules (46,655) that can be generated for a risk"

According to note #1310365 on our side for F001 is all correct: F001 risk consist of two Functions - GL01 and GL02. GL01 has 168 actions, and GL02 has 56 actions, i.e. total 9408 rules (168*56). We think that it happens because we uploaded files for all systems and groups (for DEV200, PRD400and their group ERP Systems; for PRD420 and its group CUA), in this case 9408 * 5 (number of systems)=47040.

We have tried to upload empty files (action/permission with only one string in each), we hoped that it cleaned all information, and after this we can load SoD again. But it doesn't help...

What can we do?

P.S. [thread |; has been watched

Regards,

Artem

View Entire Topic
Former Member
0 Kudos

Artem,

After close study , i think i found some key point.

Per SAP note 1310365, max number of risk allowed per function are

tcodes in function1 X tcodes in func2 X 3

per example in note

Suppose you have a risk (P086) that includes three functions:

  1. MD12 with 21 actions

  2. BR08 with 46 actions

  3. TS22 with 34 actions

This particular risk applies to three different versions of SAP, all running on your environment. In this example, P086 translates to 98,532 distinct rules.

98,532 = 21x46x34x3

also since you had already uploaded standard rule sets........ and when you upload modified files....... it must be containing old tcodes also........ those should be removed.

regards,

Surpreet

former_member182655
Contributor
0 Kudos

ok,

but how could I delete unneeded data?

Which tool (path in config) could I use?

Former Member
0 Kudos

Hi Artem,

If you are on SP13, you have an option to delete the ruleset. Else, contact SAP to help you with a script.

Regards,

Raghu

Former Member
0 Kudos

per my knowledge below are tables related to Rules

VIRSA_CC_BUSPRC

VIRSA_CC_BUSPRCT

VIRSA_CC_FUNC

VIRSA_CC_FUNCT

VIRSA_CC_RISK

VIRSA_CC_RISKRS

VIRSA_CC_RULESET

VIRSA_CC_ACTRULE

virsa_cc_cract

virsa_cc_cractt

virsa_cc_crprm

virsa_cc_crprof

virsa_cc_crproft

virsa_cc_crrole

virsa_cc_crrolet

virsa_cc_funcprm

virsa_cc_prmrule

so delete data from these tables and reload the files (which contain standard and customized data)

may be cross check with SAP.

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Dear Surpreet,

If I need to delete data in problematic functions may I delete only low-hierarchy rows (such as DEV, PRD) and leave only high-hierarchy logical systems (such as ERP, CUA)? Or I should delete all rows under selected functions and then reload files?

Regards,

Artem

Former Member
0 Kudos

Artem,

i don't think Logical system will show up in these tables.

pls run query with VSYSKEY = 'CUA' on all the tables with VSYSKEY field

Also i am under assumpltion that none of the old data is required......... because next files you upload will not overwrite.... rather append to existing ones

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Surpreet,

I've found that the data could be corrected in change mode under Rule Architect -> Function -> search, but now I have some doubts what should I do:

I can check all functions and delete unneed data only for DEV, PRD systems

or

I can check all functions and delete all data (for DEV, PRD, ERP, CUA)

I think that it's better to delete rows only for DEV, PRD (not for ERP, CUA) but I'm not sure how it will affect on functionality. Will left rows with ERP and CUA working good for their low-hierarchy systems (DEV, PRD)?

Former Member
0 Kudos

pls refer to SAP note 1416728 also.

if you are on required SP

i am little confused....... do you want to keep old data also....... ?

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Unfortunalely this note doesn't suit to me, because I need only to change actions/permissions rules, i.e. I need:

1) upload new requirements of SOX;

2) generate rules;

3) generate new managements reports.

-


Summary, I need to get actual data for Informer.

If I use this note I delete old management reports and some vital data. But it's needed

Consider the 1st point:

I only need to actualize actions/permissions in functions for above aims.

Thank you Supreet for attention to my problem.

Regards,

Artem

Former Member
0 Kudos

Artem,

i think i got hold of something........... this seems to be bug in code and there is workaround for this........

please run below query and let me know what result is shown

select * from virsa_cc_actrule where vsyskey <> 'ERP and vsyskey <> 'CUA'

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Hello Supreet!

I've made some corrections in my configartion. Now I have the next result:

SQL> select count(*)from virsa_cc_actrule where vsyskey like 'ERP';

COUNT(*)

----


64654

SQL> select count(*)from virsa_cc_actrule where vsyskey like 'CUA';

COUNT(*)

----


64654

Former Member
0 Kudos

well i want to run query with 'NOT EQUAL TO' , however whenever i put 'lessthan greaterthan' signs , they disappear after i Post message.

look like those are treated as html tags

please run query

select * from virsa_cc_actrule where vsyskey NOT LIKE 'ERP and vsyskey NOT LIKE 'CUA'

regards,

Surpreet

former_member182655
Contributor
0 Kudos

Supreet, I appreciate you for answers,

Problem with exceeded number has disappeared. I "resolved" it by reloading all config files again. Now I have new issue:

"Error while executing the Job:Cannot assign NULL to host variable 1. setNull() can only be used if the corresponding column is nullable. The statement is "INSERT INTO "VIRSA_... (see log for details)"

For this issue I implement recommendations of note 1362138 - Rule generation - null pointer exception virsa_cc_rtmap.

I got files via programms /VIRSA/ZCC_DOWNLOAD_DESC /VIRSA/ZCC_DOWNLOAD_SAPOBJ, reupload them and then started rule generation job again. But it was unsuccessfull.

How can I found out what exactly happened? What is tcode damaged?