Rulebooks define the rules for the separation of duties (SoD) and sensitive access (SEN) that you will be testing for within the application. A rulebook is composed of rules and the associated permissions that make up their risk.
Access Risk Management provides rulebooks containing more than 240 SoD risks and 8 sensitive access risks. While the default rulebooks cover most organizations' needs, you can customize your rulebooks to create or add a new rule, exclude a rule from analysis, change risk ratings, add custom transaction codes, and more.
Most implementations define somewhere between 50-500 rules in any given rulebook. If you find you need to define more than 500 rules, you should engage an SAP advisory partner for help clearly defining your security needs and creating a rulebook that meets those needs.