This page contains: Hide
A rule contains one or more conditions used to identify risks in a business process. Data extracted from ERP tables is analyzed against rules. If the extracted data satisfies the conditions of a rule, it is termed a violation or an exception. IRC reports these violations and allows for further corrective action.
Rules can be created for the following types of Insights:
Authorizations Insight
Note: After an Authorizations Insight rule is created, click the Rule Details Report button to view and download a report containing the details and conditions for that rule in an Excel format. The report time displayed is according to the IRC application sever time zone.
Rule Details report cannot be generated for Authorizations Insight for ION Applications rules and Authorizations Insight for Lawson rules.
User Activity Insight
Process Insight
Configuration Insights
You can build rules for Authorizations Insights only after data is extracted from the application into IRC. Rules for Authorizations Insights vary, depending on the ERP application and the rule type selected.
Click here to view the ERP systems for which Authorizations Insights rules can be created:
To create an Authorizations Insight rule:
Add information on the General Information panel as explained below.
Provide the risk description, control objective, and assign owners for the rule.
Specify the compensating controls to be attached to the rule, the object attributes to be excluded and the users to be notified when violations are reported against this rule.
Click the Conditions tab.
Provide the rule conditions
Click Save to save the rule. The rule now appears in the list of rules for the selected rule book.
Note:Click Enable Notification to notify users via email about the events relevant to this task.
On the Add Notification page displayed, if you subscribe to the event ‘Rule in Rule Book Violation, then post-analysis e-mail that is sent to the specified user.
For more details, refer to the Configuration Settings Guide.
Provide details for the new rule on the following panels:
Use this panel to provide the following general information about the rule:
Use this panel to:
Exclude objects from rules
Assign compensating controls
Define the users who should receive email notifications if this rule is violated.
You can perform the following actions from this panel:
Create a compensating control, provided you have the permissions to do this. If you do not have the required permissions, the New tab for creating the compensating control is not displayed on the user interface.
Provide the names of the users who should receive the notification
Use the Conditions tab to build a rule condition for defining the rule criteria. Extracted data is analyzed against these rule conditions. The structure of your rule condition depends on the Insight and the rule type selected.
The Authorizations Insight has following two types of rules:
Sensitive or Conflict rule: While creating a rule when you select Sensitive or Conflict rule as the rule type on the Rule Details tab then, by default, a sensitive rule can be created on the Conditions tab. To create a conflicts rule, click the Convert to Conflicts Rule button on the Conditions tab. The Conditions tab also displays the Recent and Favorites panels:
The number of rows of information displayed on the rule builder tree panel, the Favorites panel, and the Recent panel are configured from the Page Options panel on the Preferences page.
Limits rule: A limits rule can be created on the Conditions tab when the rule type is selected as Limits rule on the Rule Details tab. A limits rule limits the access to a role/responsibility to a predefined number of users.
In case of secured connections, users creating a rule will be able to view and browse objects from only those connections that they have access to.
For details on building rule conditions, refer to the respective sample rules:
Sample rules for Authorizations Insight for ION Applications
Sample Rules for Authorizations Insight for SAP Enterprise Portal
Note: By default, the maximum number of records that can be analyzed in a single or multiple rule conditions is one hundred million. The GenRuleEngineConfig.xml file enables you to configure this setting.
For details, refer to the respective Configuration Settings Guide.
Rules for the User Activity Insight are created to analyze data extracted for the User Activity Insight. When the extracted data violates a User Activity Insight rule, IRC reports a violation.
To create an User Activity Insight rule:
Add information on the General Information panel as explained below.
Provide the risk description, control objective and assign owners for the rule.
Specify the users to be notified when violations are reported against this rule.
Click the Conditions tab.
Provide the rule conditions
Click Save to save the rule. The rule now appears in the list of rules for the selected rule book.
Note: Click Enable Notification to notify users via email about the events relevant to this task.
Provide details for the new rule in the following panels:
Use this panel to provide the following general information:
The Notifications panel enables you to send an email notification to specific users in case this rule is violated. There are two ways to do this:
Use the Conditions tab to build rule conditions for defining the rule criteria. Extracted data will be analyzed against these rule conditions. The structure of your rule condition depends on the Insight and the rule type selected.
There is one basic rule type for the User Activity Insight for SAP:
Sensitive or Conflicts rule: While creating a rule when you select Sensitive or Conflict rule as the rule type on the Rule Details tab then, by default, a sensitive rule can be created on the Conditions tab. To create a conflicts rule, click the Convert to Conflicts Rule button on the Conditions tab.
The Conditions tab also displays the Recent and Favorites panels:
The number of rows of information displayed on the rule builder tree panel, the Favorites panel and the Recent panel are configured from the Page Options panel on the Preferences page.
In case of secured connections, users creating a rule will be able to view and browse objects from only those connections that they have access to.
For details on building rule conditions, refer to the Sample Rules for User Activity Insight.
Note: By default, the maximum number of records that can be analyzed in a single or multiple rule conditions is one million. The GenRuleEngineConfig.xml file enables you to configure this setting .
For details, refer to the respective Configuration Settings Guide.
Click the Test Rule tab to test your rule and verify whether the rule returns the expected results. For details on testing your rule refer to the section below.
Process Insight rules include rules for Lawson, ION Application and SAP.
Rules for the Process Insights can be broadly classified as follows:
Simple rule
Duplicate rule
Baseline rule
Math rule
SQL rule
To create a Process Insight rule:
Add information on the General Information panel as explained below.
Provide the risk description, the control objective, and assign owners for the rule.
Specify the compensating controls to be attached to the rule, and the object attributes to be excluded.
Click the Conditions tab to build the rule condition.
Click the Reporting Fields tab to add the reporting fields and the rule summary.
Click the Test Rule tab to test the rule for any exceptions, if required.
Click Save to save the rule. The rule now appears in the list of rules for the selected rule book.
Note:
Click Enable Notification to notify users via email about the events relevant to this task. On the Add Notification page displayed, if you subscribe to the event ‘Rule in Rule Book Violation, then post-analysis e-mail that is sent to the specified user will contain the following hyperlinks depending on the settings configured in the SetNotifications.xml.
Exception Browser
Business Process Exception Report
Exception Browser and Business Process Exception
For more details, refer to Platform - Configuration Settings document.
Provide details for the new rule in the following panels:
Use this panel to provide the following general information about the rule:
Use this panel to:
Exclude objects from rules
Assign compensating controls
Define the users who should receive email notifications if this rule is violated.
You can perform the following actions from this panel:
Compensating controls are a list of instructions, procedures or agreements that support the existence of an exception. They are used to mitigate any potential risk as a result of objects excluded from a rule.
Exclusions are objects that may be authorized to perform certain actions that generate exceptions. Such objects need to be excluded from the rule so that they are not included in the list of exceptions.
All exclusions have an expiry date which specifies how long the exclusion is valid for the rule. The expiry date can be set from the Document Exclusions page and is modifiable. After the expiry date, the object will no longer be excluded from the rule.
Objects can be excluded from a rule directly, by associating parameters with a base rule or through a parameter list.
You can also send an email notification to specific users in case a rule is violated. This can be done by providing names of the users who will receive the notification or by using a parameter.
This panel enables you to:
The Conditions tab enables you to select rule objects and define rule conditions. To do this, click the Add/Edit Rule Conditions. A pop-up window opens, displaying the following tabs:
For details on building rule conditions for different rule formats, refer to the respective Sample Rules:
Note: By default, the maximum number of records that can be analyzed in a single or multiple rule conditions is one hundred million. The GenRuleEngineConfig.xml file enables you to configure this setting.
For details, refer to the respective Configuration Settings Guide.
When building a rule for Process Insight rule type, you have the option to test your rule against the extracted data in the database to ascertain whether:
The rule returns the expected results
Any data meets rule criteria
Note: If a rule is violated, an entry is made in the log file specified in the Violation Log File field on the Configuration page.