Tips and Tricks for GRC 10.1 Access Risk Analysis : Copying and Updating the GLOBAL Rule-Set

Hi all,

I know it’s been a while! I wanted to key everyone in on my first trick for your GRC Access Control 10.1 Implementation and this one is all about Access Risk Analysis.

Before you implement ARA, it’s best to create a separate connector and connector group for each system. This will allow you to have different role owners across systems and associate risks to different systems as well. Long-term, it will make your GRC maintenance much more manageable.

After completing post-install steps and ARA configuration steps, the generic GLOBAL rule-set will automatically be associated with sap connector group R3. However, you will most likely need to do rule-set updates to massage the generic rule-set a bit and account for any custom transactions, customs critcal actions, critical permissions and critical roles and profiles.

My recommendation is to copy the GLOBAL rule-set by downloading it and re-naming it (the below link is the one I found the most useful for instructions on how to do this). When you download the GLOBAL rule-set you can also make additions and modifications that are befitting to your business. By doing this you can freely make changes while still maintaining the integrity of the SAP standard to refer back to. Multiple custom rule-sets can be created to serve various purposes. Once the rule-set name has been changed and necessary changes have been completed, you can upload the custom rule-set to your system specific connectors via the same too (again refer to the link below).

Downloading and Uploading GRC Access Control Rule-Set Valuable Link

A few additional notes on the issues I found with the SAP generic GLOBAL rule-set:

1. Many transactions do not have account types activated, so false positives can occur unless they are activated if you have your roles broken up by customer, vendor, G/L and Asset account types.

2. Some of the activity types are not set up correctly in the functions. Many activies are set as “1” for instance instead of “01”, 2 instead of “02”, etc. etc. You will get false negatives (THE WORST KIND) if you don’t fix this when uploading the custom version of your rule-set.

2 Go-Lives in 2 weeks.


Your Happy Sleep-Deprived Security & GRC Consultant


4 thoughts on “Tips and Tricks for GRC 10.1 Access Risk Analysis : Copying and Updating the GLOBAL Rule-Set

  1. If we have different connector groups for different systems (for example connector group for ECC, Connector group for CRM, connector group for SRM) then do we need to create different rule sets for each connector group?

    • Hi Atul, I’m just seeing this now!

      You don’t need to create different rule-sets for each connector unless you want. The relationship between the rule-set and connector is set up with the functions and you can associate as many connectors as you like to each.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s