I know it’s been a while! I wanted to key everyone in on my first trick for your GRC Access Control 10.1 Implementation and this one is all about Access Risk Analysis.
Before you implement ARA, it’s best to create a separate connector and connector group for each system. This will allow you to have different role owners across systems and associate risks to different systems as well. Long-term, it will make your GRC maintenance much more manageable.
After completing post-install steps and ARA configuration steps, the generic GLOBAL rule-set will automatically be associated with sap connector group R3. However, you will most likely need to do rule-set updates to massage the generic rule-set a bit and account for any custom transactions, customs critcal actions, critical permissions and critical roles and profiles.
My recommendation is to copy the GLOBAL rule-set by downloading it and re-naming it (the below link is the one I found the most useful for instructions on how to do this). When you download the GLOBAL rule-set you can also make additions and modifications that are befitting to your business. By doing this you can freely make changes while still maintaining the integrity of the SAP standard to refer back to. Multiple custom rule-sets can be created to serve various purposes. Once the rule-set name has been changed and necessary changes have been completed, you can upload the custom rule-set to your system specific connectors via the same too (again refer to the link below).
Downloading and Uploading GRC Access Control Rule-Set Valuable Link
A few additional notes on the issues I found with the SAP generic GLOBAL rule-set:
1. Many transactions do not have account types activated, so false positives can occur unless they are activated if you have your roles broken up by customer, vendor, G/L and Asset account types.
2. Some of the activity types are not set up correctly in the functions. Many activies are set as “1” for instance instead of “01”, 2 instead of “02”, etc. etc. You will get false negatives (THE WORST KIND) if you don’t fix this when uploading the custom version of your rule-set.
2 Go-Lives in 2 weeks.
Your Happy Sleep-Deprived Security & GRC Consultant