GRC BRM: Update Org Levels of derived roles

Dear GRC experts,
we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
If we add a transaction like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
Does anybody know how to automate this task?
Many thanks for your help!
Regards,
Markus

Hi Markus Richter
Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values.
Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
Mass Child role Org value update in GRC 10
Does this work for you as an approach?
Regards
Colleen
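
As an added illustration (not part of the thread and not SAP or GRC code), a read-only check that lists which derived roles still carry the master role's value for an org level instead of the value from their Org Value Map. Role names, map names and the row layout modelled on an AGR_1252 extract are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows, not data from the thread. Assumed layout, modelled on
# an AGR_1252 extract: (role name, org level variable, low value, high value).
AGR_1252_ROWS = [
    ("Z_M_SALES",    "$BUKRS", "1000", ""),
    ("Z_M_SALES",    "$VKORG", "1000", ""),      # org level that arrived with VA01
    ("Z_D_SALES_DE", "$BUKRS", "2000", ""),      # set at initial derivation
    ("Z_D_SALES_DE", "$VKORG", "1000", ""),      # propagated: master's value
    ("Z_D_SALES_FR", "$BUKRS", "3000", ""),
    ("Z_D_SALES_FR", "$VKORG", "3000", ""),      # already corrected
    ("Z_D_SALES_US", "$BUKRS", "4000", "4099"),  # new org level never arrived
]

# Hypothetical assignment: derived role -> (master role, Org Value Map name).
DERIVED_ROLES = {
    "Z_D_SALES_DE": ("Z_M_SALES", "MAP_DE"),
    "Z_D_SALES_FR": ("Z_M_SALES", "MAP_FR"),
    "Z_D_SALES_US": ("Z_M_SALES", "MAP_US"),
}

# Hypothetical Org Value Maps: org level -> set of (low, high) ranges.
ORG_VALUE_MAPS = {
    "MAP_DE": {"$BUKRS": {("2000", "")}, "$VKORG": {("2000", "")}},
    "MAP_FR": {"$BUKRS": {("3000", "")}, "$VKORG": {("3000", "")}},
    "MAP_US": {"$BUKRS": {("4000", "4099")}, "$VKORG": {("4000", "")}},
}


def values_by_role(rows):
    """Group extract rows into role -> org level -> set of (low, high)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for role, level, low, high in rows:
        grouped[role][level].add((low, high))
    return grouped


def audit_derived_roles(rows, derived_roles, org_value_maps):
    """Return (role, org level, status) for every deviation from the map.

    MASTER_VALUE: the derived role holds exactly the master's values, the
                  symptom described after "Propagate to Derived roles".
    MISSING:      the map defines the org level but the role has no value.
    MISMATCH:     any other difference from the map.
    """
    actual = values_by_role(rows)
    findings = []
    for role, (master, map_name) in sorted(derived_roles.items()):
        for level, expected in sorted(org_value_maps[map_name].items()):
            have = actual[role].get(level, set())
            if have == expected:
                continue
            if not have:
                status = "MISSING"
            elif have == actual[master].get(level):
                status = "MASTER_VALUE"
            else:
                status = "MISMATCH"
            findings.append((role, level, status))
    return findings


if __name__ == "__main__":
    for finding in audit_derived_roles(AGR_1252_ROWS, DERIVED_ROLES, ORG_VALUE_MAPS):
        print(*finding)
```

The output is a worklist of role and org level pairs to correct; the check itself changes nothing.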

Similar Messages

  • Authorization in APO: org level concept (parent role -- derived role) ?

    Hello experts,
    we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
    Whenever I create a parent role (let's say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into "Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
    My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
    Regards
    Thomas

    I got the solution - the profile generation was missing !

  • Org data in Derived role differ from Parent role

    Hi there
    I need some help please, I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate and a derived role update, the values in the org data are not correctly pulled through to the derived roles.
    e.g.
    In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
    We are currently on
    SAP_ABA  701           0005    SAPKA70105
    SAP_BASIS  701        0005     SAPKB70105
    I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
    Your help / suggestions would really be appreciated as I need to create MANY roles.
    Regards
    Sonja

    Hi Sonja,
    obviously there is a misunderstanding of how the derivation works....
    > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
    -->no.
    Only the first time of derivation, if the field content in the derived roles are initial...
    help.sap.com:
    quote
    The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
    unquote
    The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
    otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
    b.rgds, Bernhard

  • Changing Organization level for derived roles

    Dear All,
    Below is my query:
    When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
    We have derived our roles, based on the units(company codes).
    Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
    Please suggest if there is any way of updating the organization level in mass for a specific derivation.
    Regards,
    Reshma Vijayan.

    Colleen Lee wrote:
    At least with this option you are using the PFCG functionality and not hitting the tables directly
    Hi Reshma, Colleen,
    Some additional warnings about manipulating the downloads:
    The downloadfile is a fixed record length text file, do not mess up the data positions.
    Be aware of case (upper/lower) when manipulating the file.
    Make sure you do a unicode download to preserve special characters in the menu texts.
    There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
    I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
    And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
    Jurjen

  • Question on org level values in derived roles

    I have a set of derived roles for a retail org.
    They have set the org level for the WERKS object to the store number i.e. 0012. in the M_MSEG_LGO, M_MSEG_WMB, and M_MSEG_WWE but set it to "" in the M_MRES_WWA and M_MSEG_WWA. Needless to say the "" is overriding the site restriction.
    My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
    If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
    Thanks

    If you are talking about  straight authorization object ( then your design cannot go with derived role concept )
    If your controls are only through the organizational object  only then derived role design will help
    If its a mix of both standard object + organizational level object derived role will not help you.
    Please note
    the WERKS is the organization level  in your case the plan value is 0012
    do not set the values in parent role and also do not populate this value where it's "$werks"
    what is TCODE you are using ?
    Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

  • ERM 5.3 (SP12) Derived Role Update Problem

    Hello Experts,
    I have a question.
    We have a master role/derived role set up in the back-end system. We are trying to update a master role and its derived roles in ERM via PFCG sync.
    Our problem:
    We can add a transaction to a master role no problem in ERM via PFCG sync (adding a transaction code in the back-end and sync to ERM) However, we are unable to update the transaction for derived roles (nothing happens for derived roles in ERM).
    If I am correct, we don't have to add a transaction to each derived role manually, and we should be able to update derived roles automatically once we update a transaction in a master role.
    Please just note that we successfully imported all the master/derived roles from our back-end system, and we are not try to create a derived role in ERM at this time. All we want right now is to update a master role and its derived roles in ERM via PFCG sync.
    If you can, please advise.
    HM

    Go to the TXT file, cut the last line from the AGR_1252 table and insert it at the top of the AGR_1252 lines, and reimport; it will work. I had the same problem in my previous implementation.
    try for one parent & child role
    This is a known problem with SAP they will rectify it in SP12/SP13 or so

  • ERM: Importing Derived Roles Problem

    Hello All,
    It appears that if I download and mass import 1 derived role at a time, the ERM mass import works perfectly. But, if I download the same successful derived roles and import them together, the ERM mass import does not import all the role details. Instead, it drops the role description and long description.
    This problem occurs if I upload 2 or more derived roles at a time.
    Any ideas?
    System Details: GRC AC SP12, VIRSANH 12, VIRSAHR 10.
    -Dylan

    Hi Dylan -
    We have found a work around for this, but before I list the steps let me not be presumptuous in my explanation as you must have both the parent roles uploaded in ERM in addition to updating the "Primary Org. Level File" with the appropriate data prior to loading the derived roles.
    Upon downloading the derived roles from the backend, 3 files are exported [Bulk File, Info File & Org File] and this is true for all roles that are exported. However, only when derived roles are exported will the Org File be populated with data (i.e. role name).  This makes sense because the only time this Org File is needed is when you import derived roles, all other roles only require the Bulk & Info File.
    Our guess was the way it was supposed to work is that the Org values were supposed to be exported into this file with the role names, however the Org Level & Value fields are blank.  We tried multiple combination of populating this file, but continued to get the same import error.  We eventually figured out a way to update this file to pull in all of the Org level data:
    *NOTE we found the most success with Mass Import files with the following extension: Bulk - .txt, Info - .xls, Org - .xls
    As stated before, the derived role Org file auto-populates the role names that were downloaded. In the 'Derived Org Level' & 'From Value' fields you need only populate the first value from the 'AGR_1252' table listed in the Bulk file.
    Example:
    In the Bulk file we have a role: ZD:HR_AT_ANALYST and the first value listed for line AGR_1252 is the client number+role name then the Derived Org Level and Value.  So we populated our Org file to look like this.
    Role Name                 --->>>  Derived Org Level  --->>>  From Value
    ZD:HR_AT_ANALYST          --->>>  KORSS              --->>>  NRPC
    ZD:HR_BN_PAYROLL_DSPLY    --->>>  PERSA              --->>>  *
    ZD:HR_PY_AT_ANALYST       --->>>  BURKS              --->>>  NRPC
    If the file is populated this way, somehow it magically picks up the remaining Org Level Data for role when loaded. So the file does not have to actually have all of the values for each role.  It can be tedious to sift through the bulk file for the values, but there are quick ways to do it in Excel.
    Hope this helps,

  • Org Level, fund center/cost center level restriction for tcodes????

    I am looking to see whether org level restriction and cost center/fund center level restriction is possible for certain set of transactions.
    I am using USOBX table for this analysis. This table has a check flag field ( same as in SU24) which says whether the Tcode (program) does the authority check for certain auth objects. Example- X (checked but not maintained in USOBT). This table pulls up several authorization objects under the 'X' category. However, when I do the System trace for the same tcode, all the objects (marked as X) are not captured. Instead only a few are captured.
    Can we rely on the USOBX data or should we do system Trace for every tcode. I am just pulling a report and not creating roles at this point. So trace is time consuming. But data reliability is equally important.
    My objective is to verify whether org level and cost center/fund center level restriction is possible or not for some tcodes.
    Do you have any suggestion to achieve this faster (through USOBX or any other means)?
    Thanks in advance
    Kee

    I would suggest you to check USOBX_C and USOBT_C instead of USOBX and USOBT as it will have your customization as well and not just the standard ones given by SAP.
    Also when check field is X ...it means the object is checked but not maintained for the t-code as you already said but I am not sure how much it will help you as they will not be pulled by PFCG when you are creating the role until you change the object to Check / maintain . When you do that the check field will be Y and not X. So basically it is the Y one which you need to see.
    Going for trace is time consuming for every t-code and I am not sure if it is really needed. When your roles are in testing phase and are tested by the functional team or the team which needs it and if they are missing some object, you can run a trace and find the missing object....
    I am not sure on what basis you want to change some field to Org level ...but typically it is done if you want to do segregation of roles based on these org level. There could be various other reasons and it is better to talk to your functional counterparts before changing a field to Org level.
    for ex : If you want to segregate on company code, you will create co. code as Org level and create roles for different company code.

  • Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

    Hello,
    I have a problem.
    I want to use the (Mass Role Import) Bulk Role Import element in the ERM (SAP GRC AC 5.3) for importing SAP roles (I only found that way to import roles from SAP).
    I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
    Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
    Can someone help me?
    Thank you in advance.
    Pablo Mortera.

    Hi Mike,
    what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
    your SOD)?
    In my example I have CO TA´s bundled in a role:
    Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
    with
    KO01 Create Internal Order ...
    KO02 Change Order ... 
    KO04 Order Manager ... 
    KOK2 Collective Proc. Internal Orders ... 
    KOK4 Aut. Collect. Proc. Internal Orders
    update this role with TA KO01 and KOKRS will be available for derivation.
    Done this manually without import in ERM.
    Reg,
    Ulrich

  • GRC BRM TCodes of Role cannot be updated

    Hi Expert,
    I am facing problem in creating role from BRM, while trying to Generate the role from Generate Stage of Role Methodology. I am getting the error when I click on Generate button under Generate Roles tab.
    When I click on Generate button it opens a new screen with stages, 1 Select system and roles 2 Schedule 3 Analyze Risk 4 Confirmation.
    In the Analyze Risk stage when I click on Submit button post risk analysis, I get the error "TCodes of Role Z:ECC_Test cannot be updated (System)".
    Please let me know if anybody is facing issue and have reached to some solution.
    Thanking you in advance.
    Thanks & Regards,
    Jatin.

    Hi, Jatin.
    I am in SP6 and facing the same issue. Did SAP tell you something?
    In my case the transactions added in PFCG are maintained in SU24.
    Also, I am facing an issue when copying authorization from a function in RAR: "Authorization data cannot be updated".
    Please, tell me if you have news.
    Regards,

  • GRC 10: How to upload Org Level Rules in GRC 10?

    Hello Friends,
    we have implemented GRC 10 recently but missed to move org level rules from GRC 5.3 to 10. I don't see an option to load org rules in SPRO. Can you please let me know how can i load org rules from 5.3 to 10 with out disturbing the existing risks / functions? or is there an option to update tables directly for org rules?

    Hi Colleen Lee,
    Thank you for your response. Yes i see Master Data > Exception Access Rules > Organizational Rules and i am able to create org rules but i am trying to find an option to upload all at a time as we have around 50 org rules and have 2600 lines in it. creating manually will take so long and looking for alternate.
    Thanks & Regards 
    Pradeepthi

  • Mass role Import in ERM "unable to determine matching org. level" Error

    I am trying to upload the Derived Roles into the ERM. I have already uploaded all the Parents Roles. The volumes of the Derived Roles is huge in my SAP Backend system.
    I am not able to understand what should be the content of Org File which we upload. Please correct if I am wrong
    1>Example a role Z_TEST_D is derived from Z_TEST on the org levels EKGRP,KOART,GSBER,WERKS.
    2>I have run Org Synchronization Job in the ERM
    3>Downloaded Z_TEST (Parent Role) and uploaded it into ERM(It was easy because there was no org file)
    4> Downloaded Z_TEST_D(Derived Role) through /VIRSA/RE_DNLDROLES Tcode in backend.
    5>Downloaded the AGR_1252 information for this role which contained the Org levels and values
    6>I put all those information into the Org File and then tried to upload it throws me the error Role Z_TEST_D : not imported; unable to determine matching org. level for WERKS in the system
    So I again tried with the another method by changing the input sheet for the Org File
    Z_TEST_D BUKRS 0* 9*
    Z_TEST_D EKGRP *
    Z_TEST_D KOART *
    Z_TEST_D GSBER *
    Z_TEST_D WERKS *
    and tried to upload it again gave me the same error. I have checked the ERM all these Org Levels are fetched into the ERM. I am not sure if I am missing any basic things.
    Current Support pack: SP10 Hot Fix 2.
    Please share your experience and best practice to upload the roles,

    Hello Rahul,
    I had that same problem with SP10 also. The way I resolved it, and this sounds crazy, was to move that WERKS line up one or two rows.
    The problem I noticed was not with all derived roles, but when there was a problem, it was always the last line of the Org file for the role that was causing the problem. And the problem was not always WERKS either.
    If the next time you run it, the error occurs on the "new" last line (e.g. GSBER), move that line up also. Eventually they all make it in. I have not seen this problem repeated in SP12. Don't delete the line, just shift the order within the number of rows the role has.
    P.S. I have several hundred derived roles, about 10 - 15% had this import problem.
    -Dylan

  • GRC AC ARA v10 SP13 - Org Rule Org Level Missing

    Hi Experts!
    Testing ARA Organization Rules soon and have noticed that one of my key Org Levels, $BUKRS, is missing. I have not yet used this functionality on this system. I am already doing the following:
    running the authorization sync job daily (we are in the middle of multiple project builds)
    checked the target systems USORG table for Org Level $BUKRS entry.
    active ruleset function has that Org Level $BUKRS entry and it appears on the Risk Analysis reports
    All other Org Levels are available to use except for this one. Any ideas!
    Thanks in advance.
    -john

    Alessandro,
    Ran both sync jobs again, but it is still not (see below). Checked the logs to be sure it completed.
    We do have two different ECC system connectors (One Production landscape, the other Project landscape), but both have the USORG table for Org Level $BUKRS entry.
    Any other ideas? Is there a GRC ARA GRAC* table I can update or check for this?
    Thanks,
    -john

  • Org Level Roles / Authorization Object Roles

    Hi board,
    I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
    The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
    My questions are:
    - Is it technically feasible (for a large-scale company)?
    - What is your experience?
    - Drawbacks?
    Kind regards and many thanks for your help,
    Richard

    Richard Hösl wrote:
    > Hi there,
    >
    > that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
    >
    > Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
    >
    > Kind regards,
    >
    > Richard
    Hi Richard,
    It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
    A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions.  That bucket invariably contains more authorisations than the transactions require.  Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks........
    If you have organisational complexity then you should look elsewhere to simplify. 
    By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
    Put the effort in the design stage and it will pay dividends later on down the line. 
    Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
    Cheers
    Alex

  • Derived Role generation in BRM

    Hi,
    In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
    Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
    In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
    Can someone please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
    Version - GRC 10.0 SP10
    Thanks,
    Sammukh

    Hello Andrzej
    Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
    Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
    1. Derived role is complete and in not generated state.
    2. Mass generated from GRC - still not generated.
    3. Manually generated in backend system - roles are now generated.
    4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
    Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
    Thanks
    Sammukh
