Business roles in GRC AC

Hello,
Is it possible in SAP GRC AC to create so-called business roles like in SAP IdM? These roles are not assigned to any backend system but derive backend system roles. The aim is to create a set of roles that consist of roles in different backend systems.
As I understand, role mapping can't fully implement this functionality, because the main role is assigned to a backend system.
Thanks,
Yakov
Edited by: Yakov Silin on Feb 24, 2010 7:00 AM

Hi Yakov,
I was wondering if this is your dilemma. We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
- We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words, if the role owner for the ABAP role approves the ABAP role, then both the ABAP and EP role will be provisioned by GRC, and if the role owner rejects/denies the role, then neither the ABAP nor the EP role will be provisioned by GRC.
Is this similar to the challenge you are facing?

Similar Messages

  • Business Roles Provisioning - Issue

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning.
    When I select "CHANGE ACCOUNT" request type and request for business roles through GRC, roles are being assigned to UserID and everything is working fine.
    Issue is with the notification mail user is getting after provisioning. My notification email has details as shown below.
    Hi Padmavathi Sai,
    The Request number : 453 , has been processed and the Request is Closed. The details are as follows:
    PREDDY User created in XXXXXXX
    XXXXXXXXX Business role assigned to PREDDY
    Kind regards,
    Access Control Administrator
    PREDDY UserID is already available in the target system and user selected change account request type, but notification email says that user is created.
    Has anyone come across this issue?
    Regards,
    Sai.

    Hi Colleen,
    I am using the standard notification template GRAC_AR_CLOSE.
    Hi %FIRST_NAME% %LAST_NAME% (%USER_ID%),
    The Request number : %REQNO% , has been processed and the Request is
    Closed. The details are as follows:
    %PROVISIONING%
    Kind regards,
    Access Control Administrator
    %PROVISIONING% variable shows mail notification as I have mentioned above
    Can you help me with this?
    Regards,
    Sai.

  • Mass recertification of business roles

    Hi community,
    I was wondering if there is a possibility to perform a mass recertification of business roles in GRC frontend. Via Role Maintenance, one can re-certify each role manually, but if you have 10.000 roles, this is obviously not a solution.
    I did not find any suitable way via Mass Update, or I kind of overlooked the attribute. Do you know any way to perform a mass role recertification in NWBC?
    Thanks in advance.
    Kind regards,
    EM

    Hi Eric,
    I guess there is no mass certification. Raise a message to SAP for confirmation and share the update.
    It would be helpful.
    Thanks,
    Mamoon

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    The GRC 5.3 request is able to close and be provisioned as it can see owners from the child roles.
    Now in GRC 10, we did the same. We created a business role, then mapped the child roles (technical roles). Unfortunately, when the manager approves, the workflow reroutes to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at the business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owners approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    You can use end user personalization to avoid a role owner approving roles for himself. Define a dedicated EUP for the role owner stage and restrict via "Approve/Reject Own Requests" as shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • IDM GRC Business Role managment

    Hi experts,
    We integrated SAP IDM with GRC,
    Now our requirement is creating a business in IDM/GRC, request for business role is raised for IDM and approved by role owner in GRC after risk analysis.
    But SAP said business roles and portal groups are not supported between the systems.
    Kindly suggest how to accomplish this.
    Regards,
    Jaya

    Hi Jaya,
    Yes, I remember this is possible. You can set up a customized attribute in GRC privileges and put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • GRC 10.1 Business role and HR Trigger

    Hello, masters and GURUs.
    I have recently deployed HR trigger in our system, and it works fine - creating requests for lock or unlock users.
    But I am wondering if it is possible to create access requests not only for the systems, but also for business roles using standard functionality.
    For example:
    We've a department where people must have the same authorization to do their job.
    When they hire a new employee, HR triggers this event (only for this department) and creates an access request with pre-defined business roles.
    I hope I explained my idea well enough.
    I will be very thankful for any thoughts or ideas.
    With best regards, Ivan.

    Hi Ivan,
    There is a functionality of default roles, that you could use to add roles to your request by implementing this logic in your BRF rule for HR triggers.
    The bad news is that assignment for the default roles based upon Department is not supported.
    There are only a certain fields which are supported for the Default Roles assignment, below:
    Business Process, Business Subprocess, Company, Role Critical Level, Functional Area, Landscape, Location, Project Release, Role sensitivity, and System.
    Let's suppose you can use Functional Area instead of Department. You will need to maintain Default Roles settings in SPRO, at REQUEST level (parameters 1302, 2009, 2010, 2011, 2012, 2013).
    In NWBC>Access Management>..>Default Roles, make sure that the entry maintained there (for attribute Functional Area) has SYSTEM set to "All Systems" or "All system in the role Landscape".
    This should work.
    Note 1964884 has a correction for this functionality, so if you go for it, make sure to have this Note applied.
    Now, if any of the fields available for Default Roles will be good for your scenario, then it will not be possible to use Role Defaults, thus I am not aware of any customization on this area.
    Hope this helps!
    Luciana.

  • GRC 10 BRM - Approve Single Role assignment in Business Roles

    Hello,
    I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
    The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
    Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
    Do you know any way to configure this?
    Thanks,
    Fernando

    Hi Claudio - thanks for breaking it down
    @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners.
    By using this role approval methodology your single role approvers are indirectly allowing any user who is approved the business role via an access request and that request is approved by business role owner (which is role owner).
    As mentioned - you are using two different workflow process ids:
    Role Build - using BRM to approve the single roles being part of the business role
    Access Assignment - approving the user to receive the business role which includes the single roles
    Regards
    Colleen

  • Use GRAC_USER_ACCES_WS to provision Business Role

    I have a situation where I need to provision several hundred users across 90 business roles. I have been experimenting with FM GRAC_IDM_USR_ACCS_REQ_SERVICES (underlying FM for enterprise service GRAC_USER_ACCES_WS) to automate mass provisioning using GRC access requests. I figured out how to use the FM to provision technical roles to users but cannot get it to work for GRC Business Roles.
    If the service cannot provision business roles, that would imply that an IdM would also not be able to do so. We are currently looking at IdM (non-SAP) solutions. Now I wonder if the value of business roles we are building will be diminished if an IdM is used.
    Is it possible to provision business roles using the service and/or FM? If so, any details on the input values required would be much appreciated.

    Hi Harinam,
    Thanks for the details. I have already raised an OSS message to SAP.
    I have implemented SAP note 1930923 in the GRC sandbox system and can see that the mail issue I am reporting was no longer appearing. But I have seen a new one this time.
    After note implementation: (Change Account Request Type with Business Role Assignment)
    Hi GRC User Demo 1 (Z_GRAC_USER1),
    The Request number : 592 , has been processed and the Request is Closed. The details are as follows:
    XX Business role assigned to Z_GRAC_USER1
    Kind regards,
    Access Control Administrator
    Before and After note implementation: (Change Account Request Type with Business Role removal)
    Hi GRC User Demo 1 (Z_GRAC_USER9),
    The Request number : 593 , has been processed and the Request is Closed. The details are as follows:
    YY Role removed from Z_GRAC_USER9 ( )
    Kind regards,
    Access Control Administrator
    Now the issue during role assignment is resolved, but during role removal mail notification says role has been removed from user and ends with empty brackets ().
    For single roles, in these brackets it usually fills the system name. Maybe for business roles, since there will not be any specific system, it is coming empty, but I think SAP should fix this.
    Let me know if you are also facing the same.
    Since you confirmed that you are using business roles, let me know any critical issues which you came across as part of SP13 as we are also on SP13 and could be helpful.
    Thanks once again for taking your time in replying for my issue.
    Regards,
    Sai.

  • Business Roles - Risk analysis

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning to end users.
    When the role owner is performing risk analysis for business roles, results are proper according to the defined ruleset only if the "SYSTEM" field is empty.
    If a system is selected, then the results show "NO VIOLATIONS".
    Is this the standard behaviour for risk analysis of business roles or am I missing anything?
    Looking for your advice on this.
    Regards,
    Sai.


  • SOD User Violation report by Business Role

    All,
    Is there a current method for generating a User violation report that shows all SODs via the technical role and which Business role the Technical role is associated to in GRC?
    Currently the reports that I am seeing do provide the transaction, authorization, and technical role level of any violation and what business process triggered it but does not show which business role(s) that these conflicting SOD's reside in.  (especially if a user is assigned to 2 or more business roles)
    Audit is pulling reports of users with SOD's and asking to re-mediate the SOD but currently we have to do dumps of all of the business roles a user is assigned to and then compare the role listed in the violation with the technical roles listed in the assigned business roles of the user.
    Is this available at all? Or maybe in 10.1?

    Dear Michael,
    Yes, exactly - the new feature comes with the note. It is also possible to implement this note in 10.0 (it's included in SP17 but can be implemented earlier).
    See the following screenshot for how it looks in a productive environment after implementing this note:
    [BR] stands for Business Role.
    Hope this answers the question.
    Best regards,
    Alesandro
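
The manual comparison described in the question above (matching the technical role named in each violation against the business roles the user holds), as an added example that is not part of the original thread and is not SAP code. The record layouts, user IDs, role names and risk IDs are constructed placeholders, and each risk is assumed to be listed with all of its conflicting technical roles.

```python
from collections import defaultdict

# Constructed sample data, not a GRC export format.
# Violation rows: (user, SoD risk id, technical role contributing to the risk).
VIOLATIONS = [
    ("USER_A", "RISK_01", "Z_TECH_AP_INVOICE"),
    ("USER_A", "RISK_01", "Z_TECH_AP_PAYMENT"),
    ("USER_B", "RISK_02", "Z_TECH_VENDOR_MAINT"),
    ("USER_C", "RISK_01", "Z_TECH_AP_INVOICE"),
    ("USER_C", "RISK_01", "Z_TECH_AP_PAYMENT"),
]
# Business role -> technical roles it contains (hypothetical names).
BUSINESS_ROLE_CONTENT = {
    "BR_AP_CLERK": {"Z_TECH_AP_INVOICE", "Z_TECH_DISPLAY"},
    "BR_AP_PAYMENTS": {"Z_TECH_AP_PAYMENT", "Z_TECH_DISPLAY"},
    "BR_AP_SUPERVISOR": {"Z_TECH_AP_INVOICE", "Z_TECH_AP_PAYMENT"},
}
# User -> business roles assigned to that user.
USER_BUSINESS_ROLES = {
    "USER_A": {"BR_AP_CLERK", "BR_AP_PAYMENTS"},
    "USER_B": {"BR_AP_CLERK"},
    "USER_C": {"BR_AP_CLERK", "BR_AP_SUPERVISOR"},
}


def annotate_violations(violations, role_content, user_roles):
    """For each violation row, list the user's business roles that contain
    the technical role. An empty list means no assigned business role
    explains it (for example a direct technical role assignment)."""
    annotated = []
    for user, risk, tech_role in violations:
        sources = sorted(
            br for br in user_roles.get(user, ())
            if tech_role in role_content.get(br, ())
        )
        annotated.append({"user": user, "risk": risk,
                          "technical_role": tech_role,
                          "business_roles": sources})
    return annotated


def classify_risks(annotated):
    """Group rows per (user, risk) and say where the conflict comes from:
    one business role carrying every conflicting technical role, a
    combination of business roles, or a role outside any business role."""
    grouped = defaultdict(list)
    for row in annotated:
        grouped[(row["user"], row["risk"])].append(row)
    result = {}
    for key, rows in grouped.items():
        common = set(rows[0]["business_roles"])
        for row in rows[1:]:
            common &= set(row["business_roles"])
        unmapped = sorted(r["technical_role"] for r in rows
                          if not r["business_roles"])
        if unmapped:
            origin = "direct assignment"
        elif common:
            origin = "inside one business role"
        else:
            origin = "combination of business roles"
        result[key] = {"origin": origin, "common": sorted(common),
                       "unmapped": unmapped}
    return result


if __name__ == "__main__":
    rows = annotate_violations(VIOLATIONS, BUSINESS_ROLE_CONTENT, USER_BUSINESS_ROLES)
    for key, info in classify_risks(rows).items():
        print(key, info)
```

A risk classified as "inside one business role" points at the role design itself, while "combination of business roles" points at the user's assignments.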

  • Business Roles configuration for ARM

    Hi Gurus,
    We have implemented the ARM piece of AC but now we have a requirement to map our security technical roles to business roles. Can we create and use business roles without using BRM?
    Example: Create/maintain single roles in backend (ECC/BW etc) and import in GRC then map single roles to Business roles for requestors to select.
    Regards,
    Salman

    Yes Salman,
    You can use BRM to create business roles to group roles as per your requirement. You need to confirm the check box for connection group as Business, as below:
    As you mentioned, I assume you have defined the Methodology Processes and Steps for role maintenance then under NWBC, you would be able to see role type as Business.
    Hope you completed the action for: Deactivate Role Types
    Let us know if you need more info on this or for any issues.
    Regards,
    Ameet

  • Mass Reprovisioning Business Roles

    Hello,
    I have a situation where we are updating 100+ existing business roles that are currently assigned to user for our next release of SAP. I am wondering, is there a way to update the business role via import template (add / remove roles) and then push the changes out to users on a mass level?
    We use the role methodology “provisioning” stage to push these changes under normal circumstance but with 100+ roles that would be quite cumbersome.
    I also know there is an option under Role Update > Authorization Data Sync, but that doesn’t appear to update the user assignment. Only authorization under the role.
    Any suggestion would be appreciated!

    Business Roles concept and usability in GRC AC10 - Governance, Risk and Compliance - SCN Wiki
    The link above says that the "update assignment" button will do the update and will be enabled when the business role has been provisioned at least once.
    I guess this is what you have already tried, but I can see your dilemma when you may have many business roles. I wish there was an option under the mass update functionality (unless I have not found it).
    Maybe it's time to go to #ideaplace.

  • Error while creating Business Role

    Dear Friends,
    I am working on webclient and am trying to set a Business Role of my own. But it says "You Cannot Assign one PFCG role to different business roles". As when I copy the standard business role to that role there is no PFCG role assigned. Here I tried copying IC web Manager and do.
    Can anyone guide me to solve this.
    Appreciate your Help and Thanks in Advance.
    Cheers
    Ram

    Guys,
    I got it resolved. Follow the Note: 1077251.
    Thanks
    Ram

  • Assigning Business Roles - No such task exists

    I am trying to create a user ID and assign a Business Role in the process.  The attribute that I am using is MXREF_MX_ROLE.  It is defined as a multivalue system attribute with a data type of entry reference and the reference type in MX_ROLE.
    From my workflow task, I can select the role from the selection window but when I click OK to save to the identity store, I get an error "You have tampered with the params".  From the Monitor UI, I see the message "Failed setting value for attribute Member of Role.  No such task exists"
    I have a Modify User task that uses the same attribute.  When I attempt to use it, I get the "Failed setting value for attribute Member of Role.  No such task exists".  But I do not get the "you have tampered with the params" message.
    I am only trying to set this in the identity store right now.  I am not yet ready to provision to my ABAP system.
    Any assistance is appreciated.

    Hi Lori,
    In case you have linked privileges to your role, SAP NW IdM searches for tasks in the related repository (as stated in the attribute MX_REPOSITORYNAME of your privileges). Type in the ID of some test tasks in the repository constants MX_DEPROVISIONTASK, MX_PROVISIONTASK and MX_MODIFYTASK and see if it works.
    Otherwise, there could be a missing relation the other way round from the role to the user. See if there is a MXMEMBER_MX_PERSON attribute in your role.
    Best regards,
    Nils

  • Individual Account Creation in IC_AGENT business role.

    Hi,
    After system got upgraded from 6.0 to EHP1, marketing attributes are not working as expected.
    When I create an Individual Account type in ZIC_AGENT business role, it gets created successfully but its marketing attributes are not getting set when I check in the Account overview.
    There is a BADI implementation of "BUPA_GENERAL_UPDATE". I debugged and found that in FM "CRM_MKTBP_READ_KSSK_AUSP", the system is trying to get the attributes from table "ausp":
          select * from ausp into table et_ausp
              where partner_guid = lv_guid
              and klart = 'BUP'.
    I think somewhere configurations are not done correctly. But I am aware where I check all these configurations for marketing attributes corresponding to BP. If you know then please let me know.
    Thanks
    Raman.

    Hi,
    You can check it in:
    MARKETINGPRO (business role) -> Marketing (work center) -> Attribute Sets
    Search for the specific attribute/attribute set. Go to the OV page. There will be a check box for person and organization.
    Regards
    Sandeep Kumar B
