Managing Rulebooks
Rulebooks define the separation of duties (SoD) and sensitive access (SEN) rules that the application tests for. A rulebook is composed of rules and the permissions that make up each rule's risk.
Access Risk Management provides rulebooks containing more than 240 SoD risks and 8 sensitive access risks. While the default rulebooks cover most organizations' needs, you can customize your rulebooks to create or add a new rule, exclude a rule from analysis, change risk ratings, add custom transaction codes, and more.
Once you understand rulebook logic, you can edit rulebooks using the Rulebook Dashboard online or by editing and importing an .xlsx document.
Understanding Rulebook Logic
Rulebooks are a collection of rules that determine what type of access is considered a risk. They can contain both SEN and SoD rules. To determine risks, rules use business functions and their related permissions to identify potentially risky access.
Rulebook Definitions
- Rules: The combinations of transactions and permissions that compose a business risk. Sensitive access rules are made up of one business function; SoD rules have two or more business functions.
- Business functions: Collections of access that provide the ability to perform the activities associated with part of a potentially risky action. Each business function contains permissions represented through transaction codes and authorization objects that define access.
- Transaction codes: The SAP transaction codes (TCodes) a user executes to perform a task. The TCode is the first authority check performed as part of an analysis, and it groups the related authorization objects associated with the access in a business function.
- Authorization objects: Objects containing authorization fields and values that represent data and activities. These are used to grant and check authorizations down to the most granular level. Authorization objects are grouped under a TCode and can be edited there.
You can view your rulebook information down to the authorization values in the Rulebook Dashboard.
The following logic examples demonstrate how these objects work together to create rules that identify risks.
TCode Logic
TCode logic is used to determine if all, or just one, of the transaction codes are required for a user or role to access the business function.
To view the TCode and object logic of a business function, select the Info icon next to the business function name.
For example, if a business function has 2 TCodes and their related authorizations, and the TCode logic is set to OR, then the user or role will have access to that business function if they have the first or the second TCode.
If the logic is set to AND, then the user or role will need both transaction codes to have access to the business function.
Authorization Object Logic
Object logic is used to determine if all, or just one, of the authorization objects are required for a user or role to have access to the transaction code.
If the logic is AND, all authorization objects are required.
If the logic is OR, then only one of the authorization objects is required.
For example, TCode SE38 (the ABAP editor) has two authorization objects: S_PROGRAM and S_DEVELOP.
If the object logic is set to OR, the user or role will have access to TCode SE38 if they have the object S_PROGRAM or S_DEVELOP. If the logic is set to AND, they will need both authorization objects.
Field and Value Logic
There is also field and value logic, which is used to determine the field and value criteria for a user or role to have access to the authorization object.
Logic is set for the fields and the values as follows:
- Within the same field: a user can have any of the listed values (OR). For example, ACTVT 01 OR ACTVT 02 for authorization object F_BKPF_KOA.
- Between different fields: a user needs a value from each of the fields (AND). For example, ACTVT 01 OR 02, AND KOART K, for authorization object F_BKPF_KOA.
In this example, for a user to be considered as having access to authorization object F_BKPF_KOA, they need KOART K AND (ACTVT 01 OR ACTVT 02).
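The evaluation logic described in this section, as an added example (not the product's code, and not its shipped rulebook): a small Python evaluator that applies the TCode logic, the object logic and the field/value logic to a user's authorizations and reports which SEN and SoD rules fire. The rule definitions and the three users are constructed for illustration. Two details go beyond the page: the transaction code itself is checked as object S_TCODE, field TCD, and a held value of '*' is treated as full authorization on a field; both follow SAP authorization conventions and are assumptions of this example.

```python
"""Evaluate SoD and sensitive-access rules with TCode, object and field/value logic.
Constructed example: the rule definitions and user authorizations below are
illustrative and are not the product's shipped rulebook."""
from typing import Dict, List, Set

# A user's (or role's) authorizations: object -> field -> values held.
Auth = Dict[str, Dict[str, Set[str]]]


def object_satisfied(user: Auth, obj: str, fields: Dict[str, List[str]]) -> bool:
    """Field/value logic: OR within a field, AND between fields.
    Assumption beyond the page: a held value of '*' is full authorization on that field."""
    held_fields = user.get(obj, {})
    for field, wanted in fields.items():
        held = held_fields.get(field, set())
        if "*" not in held and not held.intersection(wanted):
            return False          # none of the required values of this field is held
    return True                   # every required field matched


def tcode_satisfied(user: Auth, tcode: dict) -> bool:
    """The TCode is the first check (modelled as object S_TCODE, field TCD: an
    assumption of this example), then the object logic (AND/OR) is applied."""
    if not object_satisfied(user, "S_TCODE", {"TCD": [tcode["tcode"]]}):
        return False
    checks = [object_satisfied(user, obj, flds) for obj, flds in tcode["objects"].items()]
    if not checks:
        return True               # a TCode with no objects only needs the TCode itself
    return all(checks) if tcode.get("object_logic", "AND") == "AND" else any(checks)


def business_function_satisfied(user: Auth, bf: dict) -> bool:
    """TCode logic: AND requires every TCode of the business function, OR any one."""
    checks = [tcode_satisfied(user, t) for t in bf["tcodes"]]
    return all(checks) if bf.get("tcode_logic", "OR") == "AND" else any(checks)


def evaluate_rule(user: Auth, rule: dict) -> dict:
    """A SEN rule has one business function; an SoD rule fires only when the
    user holds every business function in it."""
    matched = [bf["name"] for bf in rule["business_functions"]
               if business_function_satisfied(user, bf)]
    return {"rule": rule["name"],
            "type": "SEN" if len(rule["business_functions"]) == 1 else "SOD",
            "violated": len(matched) == len(rule["business_functions"]),
            "matched": matched}


def violations(user: Auth, rules: List[dict]) -> List[str]:
    """Names of the rules the user violates."""
    return [r["name"] for r in rules if evaluate_rule(user, r)["violated"]]


# Constructed rule definitions (object names are SAP objects; the values are examples).
RULE_SE38 = {"name": "Execute ABAP programs", "business_functions": [
    {"name": "Run programs via SE38", "tcode_logic": "OR", "tcodes": [
        {"tcode": "SE38", "object_logic": "AND", "objects": {
            "S_PROGRAM": {"P_ACTION": ["SUBMIT"]},
            "S_DEVELOP": {"OBJTYPE": ["PROG"], "ACTVT": ["16"]}}}]}]}
RULE_VENDOR = {"name": "Maintain vendor master and post vendor documents",
               "business_functions": [
    {"name": "Post vendor accounting documents", "tcode_logic": "OR", "tcodes": [
        {"tcode": "FB01", "object_logic": "AND", "objects": {
            "F_BKPF_KOA": {"KOART": ["K"], "ACTVT": ["01", "02"]}}}]},
    {"name": "Maintain vendor master", "tcode_logic": "OR", "tcodes": [
        {"tcode": "FK02", "object_logic": "AND", "objects": {
            "F_LFA1_APP": {"APPKZ": ["F"], "ACTVT": ["02"]}}}]}]}
RULES = [RULE_SE38, RULE_VENDOR]

# Constructed users: a posting clerk, a display-only user, and a wildcard superuser.
CLERK: Auth = {"S_TCODE": {"TCD": {"FB01", "FB03"}},
               "F_BKPF_KOA": {"KOART": {"K", "D"}, "ACTVT": {"01", "03"}}}
DISPLAY_ONLY: Auth = {"S_TCODE": {"TCD": {"FB01", "FK02"}},     # has the TCodes, ACTVT 03 only
                      "F_BKPF_KOA": {"KOART": {"K"}, "ACTVT": {"03"}},
                      "F_LFA1_APP": {"APPKZ": {"F"}, "ACTVT": {"03"}}}
SUPERUSER: Auth = {obj: {f: {"*"} for f in flds} for obj, flds in {
    "S_TCODE": ["TCD"], "F_BKPF_KOA": ["KOART", "ACTVT"], "F_LFA1_APP": ["APPKZ", "ACTVT"],
    "S_PROGRAM": ["P_ACTION"], "S_DEVELOP": ["OBJTYPE", "ACTVT"]}.items()}

if __name__ == "__main__":
    for name, user in [("CLERK", CLERK), ("DISPLAY_ONLY", DISPLAY_ONLY), ("SUPERUSER", SUPERUSER)]:
        print(name, violations(user, RULES))
```

The display-only user shows why the analysis must go down to field values: that user holds both TCodes of the SoD rule, but only ACTVT 03, so neither business function is satisfied and no violation is reported. The clerk matches one of the two business functions, which is not a violation of an SoD rule but is exactly the partial match to watch when a second role is assigned later.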
Editing Rulebooks Online
The rule hierarchy and details are displayed in the Rulebook Dashboard.
Select RULEBOOKS and choose ALL RULEBOOKS. Select the View Rulebook icon next to a rulebook to display the Rulebook Dashboard.
In the Rulebook Dashboard, you can change rules, business functions, and transaction codes and their associated authorization objects.
Rulebook Dashboard Options
- Add a new or existing rule to the rulebook.
- Edit a rule’s details.
- Remove a rule from the rulebook.
- Add a new or existing business function to the rule.
- Edit a business function's details.
- Remove a business function from a rule.
- Add a new transaction code to a rule.
- Edit the objects, fields, and values in the transaction code.
- Remove a transaction code from a business function.
Managing Rules
The Rulebook Dashboard shows the rules in that rulebook. You can expand each rule to display its business functions, permissions, and authorization objects and their values.
- To edit rule details, select the Info icon in the rule row, make your edits, and select Save.
- To add an existing rule to a rulebook, select + ADD and then the Add icon on the rule row. You can use the search field above the list to search for rules.
- To add a new rule, select + New, enter the rule details, and select Save.
- To remove a rule, select the Remove icon.
Note
Removing a rule, existing or new, removes the mapping of the rule to the rulebook. Other rulebooks using this rule are not affected.
Managing Business Functions
To display a rule's business functions, select the Expand icon next to a rule name. A sensitive access rule contains one business function. An SoD rule contains more than one business function.
- To edit business function details, select the Info icon in the business function row, make your edits, and select Save.
- To add an existing business function to a rule, select the Add icon on the rule row, select Add Business Function, choose the business function, and select the Add icon in its row to add it to the rule.
- To add a new business function to a rule, select the Add icon on the rule row, select New Business Function, enter its details, and select Save.
- To remove a business function from a rule, select the Expand icon on the rule row and select the Remove icon. Removing a business function cannot be undone.
Note
If all business functions are removed from a rule, an alert will notify you that the rule is incomplete. Add a new or existing business function to complete the rule.
Managing Permissions
To display the transaction codes that carry a business function's permissions, select the Expand icon next to the business function.
- To edit TCode details, select the Info icon in the TCode row, select or change the name, and add or delete objects, fields, or values. Select Save.
- To add a TCode to a business function, select the Add icon on the business function row and select Add Permission. Name the TCode, add its objects, and select Save to add the permission to the business function.
- To remove a permission from a business function, select the Remove icon in the permission row. Removing a permission cannot be undone.
Editing Rulebooks Offline
You can also edit existing rulebooks or create new ones by exporting and importing .xlsx files. This allows you to tailor your rulebooks offline and bring them into Access Risk Management.
To edit an existing rulebook:
- Export your rulebooks, selecting the Export All option.
- Use the tabs at the bottom of the workbook to display the different components of the rulebook, such as rule mappings, business processes, and rule mitigations. Refer to Understanding Rulebook Logic for guidance on editing your rulebook.
- Make your edits and import the edited rulebooks into Access Risk Management.
Warning
Importing rulebooks overwrites all existing rulebooks, so always start from an Export All: the file you import then still contains every rulebook, not only the one you changed, and nothing is lost when it replaces the current set.
Creating New Rulebooks
Access Risk Management provides a template you can use to create a new rulebook.
- Select RULEBOOKS and choose ALL RULEBOOKS.
- Select Import.
- Select Download Template and enter your rule information in the .xlsx file. Refer to Understanding Rulebook Logic for guidance.
- Import the rulebook.
Exporting Rulebooks
You can download rulebooks as .xlsx documents to use outside of the platform.
- Select RULEBOOKS and choose ALL RULEBOOKS.
- To export specific rulebooks, select the checkbox next to individual rulebooks and select Export Selected. To export all rulebooks, select Export All.
- You will be redirected to the Data Exports tab of the Activity History page. Select Download next to the completed report.
Importing Rulebooks
If you choose to create a new rulebook or edit an existing one, you must import it into Access Risk Management to provide the information needed to identify and manage risks.
Warning
Importing new rulebooks overwrites all existing rulebooks.
To import a rulebook:
- Select RULEBOOKS and choose ALL RULEBOOKS.
- Select Import.
- Use the Import Type dropdown menu to select the type of rulebook you are importing.
- Select Select files… and choose the .xlsx file to upload. You can repeat this step to import additional rulebooks.
- Select Upload to add your rulebook to Access Risk Management.
You can view your rulebook in the Rulebook Dashboard.
Viewing Rulebook Changes
Access Risk Management automatically tracks rulebook changes. You can download a log of changes that occurred during a specified time frame.
To generate a change log:
- Select RULEBOOKS and choose ALL RULEBOOKS.
- Select the checkboxes next to the rulebooks you want to include in the change log.
- At the top, enter a date or select the Toggle Calendar icon to set the date on which change reporting begins and the date on which it stops.
- Select Download Logs.
- You will be redirected to the Change Logs tab of the Activity History, where the log is queued for generation. When the change log is completed, a Download button will appear. Select it to download the change log.
Note
It may take a moment for the change log to generate and the Download button to display. Select the Refresh icon above the Action column to update the Activity History page.