Compliance Calibrator 5.2 and position based user role provisioning

Hi
We have Position based security in place... I was just wondering if CC 5.2 can do SOD analysis in Position based security also?

Hi Parveen,
To do HR risk analysis, perform the following steps (to execute this scenario, try to take the help of an HR consultant):
1. Go to the SAP system > execute transaction PPSC > create a Position.
2. Now execute transaction PO13 > select that position > assign a role (containing some risk violation) to that position.
3. Now in CC, go to Informer tab > Risk Analysis > HR Objects > execute the report with the following key parameters:
    i) System: any SAP system
    ii) Analysis Type: Object security only
    iii) Object Type: Position
    iv) Rule Set: *
Now you can perform risk analysis at position level.
Regards,
Jagat
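To make the position-level analysis in the steps above concrete, here is an added Python model of what such a run evaluates. It is not Compliance Calibrator code and not from anyone in this thread: a position in the org plan carries roles (indirect assignment), roles carry transaction codes (the actions checked via S_TCODE), and the rule set defines each risk as functions that must not be held together. "Object security only" is modelled as judging the position on its own roles, whoever holds it; a user-level view and a preventative simulation (what a new role would add) are included as well. All position ids, role names, user ids, functions and risks are constructed samples.

```python
# Added illustration (not Compliance Calibrator code): position-level SoD
# risk analysis. Positions carry roles, roles carry S_TCODE actions, and a
# rule set defines risks as sets of functions that must not be combined.
# Every id, role name, function and risk below is a constructed sample.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FUNCTIONS: Dict[str, Set[str]] = {  # function -> actions (transaction codes)
    "MAINTAIN_VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "MAINTAIN_BANK_MASTER": {"FI01", "FI02"},
    "POST_PAYMENT": {"F110", "FB05"},
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: Tuple[str, ...]  # holding all of these together is a violation
    level: str                  # High/Medium/Low: a reporting attribute only

RULE_SET: List[Risk] = [
    Risk("P001", "Maintain vendor master and post vendor invoices",
         ("MAINTAIN_VENDOR_MASTER", "POST_VENDOR_INVOICE"), "High"),
    Risk("P002", "Maintain bank master data and post a payment",
         ("MAINTAIN_BANK_MASTER", "POST_PAYMENT"), "Medium"),
]

# A violation is (risk id, {function: sorted actions that satisfied it}).
Violation = Tuple[str, Dict[str, List[str]]]

@dataclass
class OrgPlan:
    roles: Dict[str, Set[str]] = field(default_factory=dict)       # role -> actions
    positions: Dict[str, List[str]] = field(default_factory=dict)  # position -> roles
    holders: Dict[str, str] = field(default_factory=dict)          # user -> position
    direct_roles: Dict[str, List[str]] = field(default_factory=dict)  # SU01 roles

    def actions_of(self, roles: List[str]) -> Set[str]:
        return set().union(*(self.roles.get(r, set()) for r in roles))

def analyse_actions(actions: Set[str]) -> List[Violation]:
    """Report every risk whose functions are all reachable from `actions`."""
    hits: List[Violation] = []
    for risk in RULE_SET:
        matched: Dict[str, List[str]] = {}
        for fn in risk.functions:
            used = sorted(FUNCTIONS[fn] & actions)
            if not used:  # one function unreachable -> this risk does not apply
                break
            matched[fn] = used
        else:
            hits.append((risk.risk_id, matched))
    return hits

def analyse_position(plan: OrgPlan, position: str) -> List[Violation]:
    """Analysis type 'Object security only', object type Position: judge the
    position on its own roles, regardless of who currently holds it."""
    return analyse_actions(plan.actions_of(plan.positions.get(position, [])))

def analyse_user(plan: OrgPlan, user: str) -> List[Violation]:
    """User-level view: roles inherited via the position plus SU01 roles."""
    roles = list(plan.direct_roles.get(user, []))
    if user in plan.holders:
        roles += plan.positions.get(plan.holders[user], [])
    return analyse_actions(plan.actions_of(roles))

def simulate_assignment(plan: OrgPlan, position: str, role: str) -> List[Violation]:
    """Preventative check: the risks that assigning `role` would newly add."""
    before = {v[0] for v in analyse_position(plan, position)}
    after = analyse_actions(plan.actions_of(plan.positions.get(position, []) + [role]))
    return [v for v in after if v[0] not in before]

def sample_plan() -> OrgPlan:
    """Constructed org plan: two positions and one direct SU01 assignment."""
    plan = OrgPlan()
    plan.roles = {
        "Z_AP_CLERK": {"FB60", "MIRO", "FK03"},
        "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
        "Z_BANK_MASTER": {"FI01", "FI02", "FI03"},
        "Z_PAYMENT_RUN": {"F110", "FB05"},
        "Z_DISPLAY_ONLY": {"FK03", "XK03"},
    }
    plan.positions = {
        "50001234": ["Z_AP_CLERK", "Z_DISPLAY_ONLY"],    # AP clerk position
        "50005678": ["Z_BANK_MASTER", "Z_PAYMENT_RUN"],  # treasury position
    }
    plan.holders = {"JDOE": "50001234", "ASMITH": "50005678"}
    plan.direct_roles = {"JDOE": ["Z_VENDOR_MASTER"]}   # assigned in SU01
    return plan

if __name__ == "__main__":
    plan = sample_plan()
    for pos in plan.positions:
        print("position", pos, "->", analyse_position(plan, pos))
    for user in plan.holders:
        print("user", user, "->", analyse_user(plan, user))
    print("simulate ->", simulate_assignment(plan, "50001234", "Z_VENDOR_MASTER"))
```

The treasury position is flagged on its own (bank master plus payment run), which is what the HR Objects report with object type Position surfaces. JDOE's position is clean, but the user still carries risk P001 because of a role assigned directly in SU01, which only a user-level analysis sees; the simulation shows the same risk would appear on the position if that role were put on the position instead.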

Similar Messages

  • Employee/Supervisor and position based hierarchy combination

    Hi All,
    Can Employee/Supervisor and position based approval hierarchy be used in the same Business Group? If I have OU1 and OU2 belonging to BG1, can OU1 use employee/supervisor and OU2 use position based?
    Please throw some light on this setup and limitations.
    Regards,
    Praveen

    Setup-->Financial Options-->Human Resources tab-->Use Approval Hierarchies check box. If you check it, it uses approval hierarchies based on positions; if not, it uses the employee hierarchy (supervisor in employee).
    Thanks
    Nagamohan

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and to a user on another?
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So when in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Compliance Calibrator for SRM and SCM???

    Hello,
    Can we use the Compliance Calibrator for modules like SRM and SCM? Do we get any ruleset for these modules from SAP, or do we need to create it ourselves?
    Thanks in advance
    Eric

    Alexander,
    Thanks for your prompt response. But the note available from SAP does not include SCM?
    Note 1033326 - Compliance Calibrator 5.2 Rule Upload
    SOD Action and Permission level rules are provided for R/3, APO, ECCS, CRM and SRM. HR and Basis rules are included in the R/3 but also broken out separately.
    Could you tell me what all other modules are included in the standard ruleset?
    Thanks in advance
    Eric

  • GRC Compliance Calibrator 5.3 and the "action" field for S_TCODE.

    Dear GRC gurus,
    I have read the threads here on the search terms for the "action" field in the "function" definitions, but not found a clear answer... so forgive me for asking a possibly obvious question.
    When implementing the technical rules for the function, it seems that the "action" field is included in the check even if its value is not in the "permissions" of object S_TCODE. But there is no "look up" nor validation (how could there be from the Java system?) on what that value is.
    Apart from the fact that one might be tempted to enter some nonsense text in there, what is the logic behind the checks in the coding if it happens to fit a tcode name, and is this field truncated at any point?
    The reason for asking is that we have some critical functions in the system for which we do not care how the user gets to it (tcodes..., RFCs..., services... etc) but want to analyze whether the users can in fact use the function (as opposed to attempt to start it). This makes sense in many business functions, and for the "basis" stuff which is critical it should be clear.
    What we wanted to do was "name" the action by its well-known transaction code (in a symbolic sort of way, for the business users... to be able to recognize it, symbolically... although S_TCODE does not have an activity field...) but not have it checked in the rule set at the technical level. The standard delivered rules seemed to do the same thing... but we are still stuck on the S_TCODE check because we don't want it in some cases and have good reasons for this.
    - Can anyone confirm how this really works? For example wild-carding FB* as the action name?
    - Assuming our above analysis is correct, which tricks can you recommend (add a "dummy" action?; add a * action?; a possible naming convention?) to shed the harness of the tcode check (or having to document all of the buggers in the actions...) but still make it usable for the only slightly technically inclined folks who do understand that there are enough tcodes, or it is critical enough, that we should not rely on the "very general" protection provided by tcodes?
    Bad news, future insights and work-arounds are all welcome
    Cheers,
    Julius
    Edited by: Julius Bussche on Dec 10, 2008 11:30 PM

    Thank you Sam and also Kaushal for searching
    This describes exactly what we were looking for and the manual load / merge was also the intention using the file as the "master" to maintain and not make changes within the application.
    Thanks again. I will try it out.
    Cheers,
    Julius

  • Assigning Queries and workbooks to user roles

    Hi Guys,
    I was hoping that someone could explain, how the queries, workbooks and Web Templates can be assigned to roles.
    What are the steps involved in creating the roles and assigning the queries.
    How are these reports accessed by the users (by URLs or through SAP GUI) If I would want to use the URLs to access them, how do I open the workbooks?
    I seem to have a lot of questions, hope to find answers to a few of them.
    Thanks,
    Doniv

    Hi Doniv,
    Queries, workbooks and web templates can be assigned to roles at the time they are saved. The assignment can also take place in PFCG > role. These kinds of roles are usually basic placeholders that are assigned to different users as per requirements. This ensures that the users can see only those objects which are on the roles assigned to them.
    The workbooks are not accessed by a URL in the internet explorer, they are accessed in the BEx Analyser.
    Hope this helps...

  • Compliance Calibrator SOD Conflict (FI01 and FB05)

    I was hoping that someone could provide some insight as to why the "FI01 - Create Bank" and "FI02 - Change Bank" transactions would create a risk (in Compliance Calibrator) when coupled in the same security role with the "FB05 - Post with Clearing" transaction.  The risk description given by Compliance Calibrator is "Maintain bank account and post a payment from it".
    The FI01 and FI02 t-codes appear to only create/change routing numbers or addresses for banks.  There is no ability to create or change an actual bank account.  This alone doesn't seem to create a conflict when coupled with a posting transaction.  Is there possibly some functionality that I am missing?

    Hi Joshua,
    I strongly agree with you that there is no SOD conflict technically with FI01, FI02 and FB05, although the wording of the SOD conflict in a business sense, meaning Maintain Bank Accounts vs Posting Payments, sounds more like a conflict.
    I don't see in any way how you can maintain an actual bank account in either FI01 or FI02.
    FI01 and FI02 - Maintain bank info like bank address, bank key and so forth.
    FB05 - Make Payments to various accounts.
    Regards,
    Kiran Kandepalli.

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position, or would it automatically have the authorizations which are assigned to the users below the chief position?
    3. As a first step, do we need to create the users in SU01 / SU10, or can we create the entries in PA30? Which one comes first, or are both independent?
    4. If the user moves from one position to another position then there would need to be a grace period for the shift-over of roles. Where do we maintain the shift-over value in days? Do we need to maintain it in both?
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position, or would it automatically have the authorizations which are assigned to the users below the chief position?
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU10.
    3. As a first step, do we need to create the users in SU01 / SU10, or can we create the entries in PA30? Which one comes first, or are both independent?
    Create the user in SU01/SU10 first, before creating infotype 105 in PA30.
    4. If the user moves from one position to another position then there would need to be a grace period for the shift-over of roles. Where do we maintain the shift-over value in days? Do we need to maintain it in both?
    When a user's assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
    Also, the number of days an employee can have access to their previous data is controlled by a parameter called ADAYS (transaction OOAC). SAP currently defaults this to 15 days, and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Position Based Security

    Hi All,
    How do I find out whether the security implemented is position based or role based? And in position based security, is there any difference in dealing with authorisation changes compared to role based security?
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    The difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org structure.
    Roles are assigned to the position, and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and in PFCG (Users tab)), and if HR-Org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • Update on Management View in VIRSA Compliance Calibrator 5.2

    Hello,
    is there a way to delete the Data for the Management View in VIRSA Compliance Calibrator 5.2 and then make a full new data load.
    When I select Full Synchronisation and Management Reports in the Schedule Analysis, the system does not update the Management View correctly; the Management Report still shows roles which have already been deleted in the SAP system.
    Thanks

    Hi,
    You can do a Full Sync of Users and Roles first, which will overwrite, and then run the Batch Risk Analysis Management Reports.
    You can try this exercise first; if it does not work then go ahead with Alpesh's advice.
    Thanks
    Darshan

  • Compliance Calibrator Default Rules Upload Files

    I'm implementing Compliance Calibrator 5.1, and I'm at the point where I need to upload the default rule-set.  However, I cannot locate the flat files required for the initial rule-set upload (i.e. business process, function, and risk definitions).  I've read through the user guides, but they don't seem to reference exact file names or specify where the files would be located after install.  Thanks in advance for your help.

    Varun,
    you may get a quicker answer to your question in the GRC forum
    Governance, Risk and Compliance (SAP GRC)

  • Compliance Calibrator 5.1 Risk Categories

    Hello.
    Is there a difference in the way the systems reacts to a risk category i.e. if the risk is classified as High, does it stop a user from doing something? Is there any difference between medium and low or are the categories merely used in the risk analysis reports as a statistic?
    Thanks.

    It is still preventative in that you can perform a risk analysis simulation.  That is, you can test for risks before you grant the user access.  It is also preventative in that it is testing segregation of duties controls, which are a type of preventative control.
    Risk Terminator leverages from the Compliance Calibrator rule-sets and basically modifies the user maintenance and role maintenance tcodes to add a risk-analysis step in there.  So, for example, if you are maintaining a role, when you go to generate, it will perform a risk analysis and you will have to document the reasons for creating/changing a risky role.  Same when you assign roles to a user that combine to cause a risk.  So, yes, Risk Terminator is also preventative.  As is Access Enforcer.

  • Compliance Calibrator 5.2 Install Question

    I am at a customer site installing Compliance Calibrator.  We have followed the installation steps as outlined in the CC5_2_Install_700.pdf and everything has been going smoothly.  We have restarted our instance and now we are trying to verify that it has installed properly.  On page 44 of the guide, it says:
    The Virsa Compliance Calibrator banner appears. This verifies that your installation was successful. There is no content below the banner until you:
    - create JCo destinations.
    - assign a role, provisioned to perform all Virsa Compliance Calibrator transactions, to a back-end user account.
    However, when we go to the URL as described in the guide, we get the NetWeaver login screen, but when we try to log in, it doesn't show us the banner as described above.  Instead it appears that the login has been rejected, though no rejection error message is displayed.
    What step may we have missed?
    Thanks,
    Santosh Krishnan

    Also please check what Language you have set for the user you are logging in with.
    You must have created one user to access Virsa CC. Please check language option. If it is empty, kindly set to English
    This should solve your problem.
    Regards,
    Faisal

  • Compliance Calibrator 4.0 - importing Long Risk Detailed Description text

    We just installed Compliance Calibrator, in Production, and we need to import the Long Detailed Description text, for each risk, from client 000 to our production client (600).
    Our Basis staff do not want to unlock the system for client copy imports.  Is there another way of importing the Long Detail Description text for each risk, into Production, without unlocking the system for client copying?

    Hi, when you transport with Utilities -> Rule Transport, is the Long Risk Desc not transported?
    Claudio

  • Convert from Compliance Calibrator 4.0 to Risk Analysis and Remediation 5.2

    Hello Forum,
    I'm looking for other opinions on converting Compliance Calibrator (CC) 4.0 to Risk Analysis and Remediation (RAR) 5.2 (formerly CC)
    I have inherited responsibility for RAR and need to upgrade it to the 5.2 level; our current ECC level prevents us from going to 5.3
    I found a process that will unload the data from CC 4.0 and be imported into RAR 5.2
    I want to understand the definitions that comprise the RAR and was thinking about recreating the definitions in 5.2 based on what is already defined in the CC 4.0 system; I have time to do this since there is no definitive deadline that would make it impossible to meet
    Currently, I have the following definitions:
    Business Process 6 entries
    Functions 47 entries
    Risks 147 entries
    Mitigating Controls 40 entries
    Would others find this approach acceptable and reasonable even though I would be entering all the information? Basically, it would be like defining the data for the very first time if this was NEW software
    I would expect to come away with a good understanding of how everything ties together; at this point, I am only looking to create the necessary data that would allow for producing SOD reports that show all users with "risks" have been mitigated with acceptable controls
    Thanks for your responses in advance
    Jerry
    Ryerson, Inc
    630-758-2021

    Thanks for the reply
    I have the migration guide and have reviewed it; I have actually played around a bit with obtaining the file from CC 4.0; I found that the data records may need some adjustments to be compatible with RAR 5.2; one of the reasons that may be leading me to do everything from scratch
    The definitions currently defined were completed by an outside source and the mitigated controls were defined by the Internal Audit area
    I'm not sure if they were mixed with the defaults
    I'm not sure at this point what impact or changes I would experience if I use the "default" supplied rules set but I expect to find out
    Thanks again for your reply
    Jerry
