GRC 10 Role Management - Mass Role Derivation

Hi All - 
Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10? 
Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all its child derived roles; or alternatively, if accessing one child role, you can copy the auth data from the parent role. Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role.
If this is not possible, it seems to leave a gap in the process of creating derived roles in mass?
Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps. This will create my derived roles and populate the organizational values only in PFCG. You can also update the derived role's org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org values Update' feature.
However these features do not propagate the non-org authorizations from the parent roles.  Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles. 
I've noticed when propagating authorization on a one-by-one basis, GRC creates a background job "Auth Data Propagate".  I'm really just hoping there is a way to do this in mass and I am just missing the obvious.  I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
Thanks for the help!

Nick -
I actually just received a "final" response from SAP OSS support on this one.  Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue.  The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
"This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo. 
The best workaround to this is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles. That will give you actually complete & usable roles in a semi-automated fashion.
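
The gap discussed in this thread (derived roles that carry org values but none of the parent's non-org authorizations) can be checked for after a mass derivation run. The following is an added example, not part of the original posts and not SAP or GRC code; the role names, the tuple layout of the export and the set of org-level fields are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). Layout is an assumption:
# ROLE_PARENT maps each derived role to its parent role; AUTH_ROWS holds
# (role, auth_object, field, value) tuples taken from a role export.
ORG_FIELDS = {"BUKRS", "WERKS"}  # org-level fields, filled from the Org Map

ROLE_PARENT = {
    "Z_FI_AP_1000": "Z_FI_AP_MASTER",
    "Z_FI_AP_2000": "Z_FI_AP_MASTER",
}

AUTH_ROWS = [
    ("Z_FI_AP_MASTER", "F_BKPF_BUK", "ACTVT", "01"),
    ("Z_FI_AP_MASTER", "F_BKPF_BUK", "ACTVT", "03"),
    ("Z_FI_AP_MASTER", "F_BKPF_BUK", "BUKRS", "*"),
    ("Z_FI_AP_MASTER", "S_TCODE", "TCD", "FB60"),
    # Derived role whose authorizations were copied from the parent.
    ("Z_FI_AP_1000", "F_BKPF_BUK", "ACTVT", "01"),
    ("Z_FI_AP_1000", "F_BKPF_BUK", "ACTVT", "03"),
    ("Z_FI_AP_1000", "F_BKPF_BUK", "BUKRS", "1000"),
    ("Z_FI_AP_1000", "S_TCODE", "TCD", "FB60"),
    # Derived role as left by mass derivation: org value only.
    ("Z_FI_AP_2000", "F_BKPF_BUK", "BUKRS", "2000"),
]


def non_org_auths(rows):
    """Group the non-org (object, field, value) triples by role."""
    by_role = defaultdict(set)
    for role, obj, field, value in rows:
        if field not in ORG_FIELDS:
            by_role[role].add((obj, field, value))
    return by_role


def audit_derived_roles(role_parent, rows):
    """Return {derived_role: {"missing": [...], "extra": [...]}} for every
    derived role whose non-org authorizations differ from its parent's."""
    auths = non_org_auths(rows)
    findings = {}
    for child, parent in sorted(role_parent.items()):
        missing = sorted(auths[parent] - auths[child])  # never propagated
        extra = sorted(auths[child] - auths[parent])    # drift in the child
        if missing or extra:
            findings[child] = {"missing": missing, "extra": extra}
    return findings


if __name__ == "__main__":
    for role, f in audit_derived_roles(ROLE_PARENT, AUTH_ROWS).items():
        print(role, "missing:", len(f["missing"]), "extra:", len(f["extra"]))
```

Org-level fields are excluded from the comparison on purpose, since those are expected to differ between parent and derived roles.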

Similar Messages

  • FM to create role derived from other role

    Hi,
    I have to create roles derived from other roles. I need an FM which can create roles derived from other roles. Can anybody help me?
    Thanks in advance.

    Try BAPI_BUPA_ROLE_ADD_2
    Refer: http://abap.wikiprog.com/wiki/BAPI_BUPA_ROLE_ADD_2

  • My iPod and iPhone are not recognized in Windows 7 iTunes. I've reinstalled iTunes and restarted windows. Now iPod briefly displays, then device manager mass storage shows a yellow exclamation point. iPhone doesn't display in iTunes at all. Please ad

    My iPod and iPhone are not recognized in Windows 7 iTunes. I've reinstalled iTunes and restarted windows. Now iPod briefly displays, then device manager mass storage shows a yellow exclamation point. iPhone doesn't display in iTunes at all. Please advise

    Try Andrei Cerbu's post here, JF Fourie's post here, or see TS1538: iOS: Device not recognized in iTunes for Windows, in particular section 5, forcing a driver update. See also TS1363: iPod: Appears in Windows but not in iTunes.
    tt2

  • Repository manager mass lookup calls

    Does anyone know of any documentation on what is expected from the repository manager mass lookup calls? These have to be implemented for searching with TREX to work.
    I think the first method is fairly simple:
    public List lookup(
         List ridList,
         boolean contentToBeFetched,
         List propertyNamesToBeFetched)
         throws ResourceException,      OperationNotCompletedException
    For the given list of RIDs, it should return a single ArrayList containing:
    1) a handle for each rid
    2) an InputStream for each rid if contentToBeFetched == true
    3) an IProperty for each RID and each IPropertyName specified in propertyNamesToBeFetched
    This means that the return list will contain objects of three types: IResource, InputStream and IProperty.
    Frankly, I have no idea of what to return for the second method:
    public List lookup(
         List ridList,
         Map content,
         Map properties,
         String[] permissionNames)
         throws ResourceException, OperationNotCompletedException
    Is there any documentation for what these methods should return? What do the Maps content and properties contain? What do I do with permission names?
    Many thanks!
    -Alex

    Hi Alex,
    unfortunately the documentation of RM development is not yet finished, but I'd like to clarify some of your issues:
    1) The java.util.List objects returned by the lookup() methods should contain IResourceHandle objects from the RM's implementation.
    2) The java.util.Map objects in the public List lookup(List ridList, Map content, Map properties, String[] permissionNames) method can optionally be pre-filled with content references and properties. The map has to be filled with IResourceHandle objects as keys and a reference to its IContent object or IPropertyMap object as the value of the map.
    If the maps are not filled the RF will call the getContent() and getProperties() methods from the ContentManager and PropertyManager aspects.
    Regards,
    Thilo

  • GRC BRM: Update Org Levels of derived roles

    Dear GRC experts,
    we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
    I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
    If we add a transaction like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
    For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
    Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
    In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
    Does anybody know how to automate this task?
    Many thanks for your help!
    Regards,
    Markus

    Hi Markus Richter
    Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting role. So that at least has the org values in the derived roles, but not the correct values.
    Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first), mentioned in post
    Mass Child role Org value update in GRC 10
    Does this work for you as an approach?
    Regards
    Colleen

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object S_ARCHIVE, and there are no activities maintained.
    But in the mass role risk analysis and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activities maintained at all. We have created the MSMP workflow where all CUP requests with risks should go to the Security Stage. Now we have the situation that even though our roles are clean, they are forwarded to the Security stage. It is a huge problem, because our security stage has now even more to do than before using GRC! Because the deactivated objects are identified as risks.
    Please advise me how to solve the problem. Did I miss some config parameters or is it a well known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro

  • GRC - SOD Conflict Management (SAP Role Substitution)

    Hi,
    I am looking to see how others handle SAP Role Substitution and SOD conflicts.
    For example, a person is going to be out on vacation for a few days and assigns their roles to another employee to continue with daily tasks... SOD risks result because of the temporary assignment and role combinations... What are you guys doing to manage and monitor this sort of activity?
    Your help and comments greatly appreciated!

    Hi
    As already stated by Martin, one of the options for handling additional backup access for users could be through Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
    If GRC is not implemented with your client, then for any additional access which is resulting in SoD, there has to be proper documentation of temporary access assignment to users (for audit purposes). Mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
    Thanks.
    Anjan

  • IDM GRC Business Role managment

    Hi experts,
    We integrated SAP IDM with GRC,
    Now our requirement is creating a business in IDM/GRC, request for business role is raised for IDM and approved by role owner in GRC after risk analysis.
    But SAP said business roles and portal groups are not supported between the systems.
    Kindly suggest how to accomplish this.
    Regards,
    Jaya

    Hi Jaya,
    Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • GRC 10 Role based firefighter multiple users

    Hi All
    We are using GRC AC 10 SP12 and have Role based EAM implemented. We are looking at a way to prevent the same user from being assigned multiple firefighters, or a way for the approver to know that another Firefighter ID is already assigned to this user.
    Thanks in advance
    Regards
    Vijaya

    Hi Vijaya,
    You can train approvers to click on the existing assignment button (in Access Request) to know the roles already assigned.
    And if in your environment FF roles have a distinguished naming convention, then it can easily be identified by role owners.
    Thanks,
    mamoon

  • Master role-derive role concept and FICO role in dev system!!!

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain separate org values for each of the derived roles... and when adjusted from the master role, these maintained values should not vanish.
    How should I proceed???
    I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
    Should I go ahead and create a role and assign FICO block and assign SPRO... will that be sufficient??
    Thanks in Advance
    Regards,
    Souren

    Yes, it seems that you have broken the org level by directly making changes in the org level field inside PFCG.
    One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields).
    If you want only for PLOG, then delete this object and add again. Then go to the organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to the derived role. Now, go to the derived role and make the org level change the same way you did for the parent role.
    For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module associate. You can create a test role with SPRO in it and then do an authorization trace through ST01 to see what all objects are checked when they work.

  • SAP GRC - ERM - Role update issue - Business Process and Subprocess

    Hello Friends:
    We are NOT currently maintaining Business processes or sub processes in GRC 5.3 for all roles. We don't want to maintain them in GRC 10 when we upload the roles. These 2 fields are Mandatory in GRC 10.0 - Can we make them NOT mandatory and leave them blank?? Currently we are facing some issues in uploading the roles
    Please advise.
    Regards
    Ashish

    Dear Ameet:
    I just dislike the idea where SAP has made options for Business Process and Subprocess columns mandatory in uploading the roles as well from backend.
    I am NOT using BRM, but still need to upload the roles for SAP to recognize them to be assigned to the users in GRC 10.0
    I was facing the issues in uploading the roles initially, but now I have made it simple - just assign all the roles without the information of being FI or SD or MM - to IT00 business process and sub process. So, all the roles are now uploaded to the system. I was just curious to know if they can be made non-mandatory fields by any settings.
    But anyways, thanks for your input.
    Regards
    Ashish Desai

  • Authorization in APO: org level concept (parent role -- derived role) ?

    Hello experts,
    we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
    Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
    My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
    Regards
    Thomas

    I got the solution - the profile generation was missing !

  • Master role-derive role concept?

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain separate org values for each of the derived roles... and when adjusted from the master role, these maintained values should not vanish.
    How should I proceed???
    Thanks in advance
    Regards,
    Souren

    you should refer to the SECURITY forum at Security

  • Master role & Derived role concept

    Hi Friends ,
    We have the master and derived role concept in our project. ABC_XXXX (Master role), ABC_1000 (Derived role) (1000 = company code)
    Now we need to maintain some values in master roles, let's say display: 03. Should we regenerate the derived role as well?
    If we regenerate the derived role, does the inheritance relationship break? And do we need to maintain the company code = 1000 value again?
    Please suggest.
    regards

    Forgot to answer some more questions you had asked. Adding them here:
    Now we need to maintain some values in master roles, let's say display: 03. Should we regenerate the derived role as well?
    - Use the steps I mentioned in my earlier reply to re-generate derived roles from the Master role.
    If we regenerate the derived role, does the inheritance relationship break?
    - Please use the steps I suggested, the inheritance will not break. And this is an advantage of Master --> derived role. That's the meaning of having this concept in SAP.
    And do we need to maintain the company code = 1000 value again?
    - No, you don't need to. (You can check and see this manually.)
    Hope it helps...
    Soumya

  • GRC 10 Role Import error(Master role does not exist) in SP12

    Hi,
    We have completed connectors part and ran sync jobs successfully.
    We have given the required inputs in Define Criteria, Select Role Data in Role Import. When we submit this, only a few roles are successfully imported.
    It is giving an error like "Master role does not exist" (some roles) but it is successful for a few other roles.
    We have tried with the SKIP option in role authorization source as per a note but it is not successful for all the role imports and we are getting the above mentioned error.
    Please check and advise.
    Thanks & Regards,
    Koteswara Rao.

    Hi Koteswara
    Have you confirmed in SAP that your ZM* roles are definitely imparting roles only? When you tried to upload them on the second attempt, did you relaunch the role import screen to ensure any buffering was completely cleared?
    Another thing to try - import the master role and then exit NWBC and run the repository synch job. Go back to NWBC and attempt to import the derived roles to see if error is gone?
    If these don't work for you it may be time to contact SAP. I assume it was the following note you referred to: 1576321 - Import derived role without master role
    Also, this topic was raised in SCN last year (unfortunately the thread was not updated with the solution). Possibly reach to the thread owner and see if they will login to SCN and update it Role import failed with Master role  does not exist in SP13
    Regards
    Colleen
