GRC EAM Authorizations: Few Anomalies in Standard Roles

Hi GRC/ Security Experts,
To brief you quickly, we have an SAP GRC AC 10 SP13 about to be deployed with ARA & EAM Modules as a first phase deployment.
All of the functionality is almost setup, just refining few things before going live.
About the GRC Authorizations, I observed few anomalies in the standard delivered SAP Roles for EAM.
I am aware that processes & compliance's, can vary from organization to organization. I am trying to redesign some of the EAM related authorizations, especially for Firefighter Owner/Controller.
In the standard delivered EAM roles, there are few things missing and few unnecessarily attached.
I am already aware of the provided information in the following resources:
- 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
- 1663949 - EAM: Authorization Fixes for Central Owners and Reason Codes and have referred to EAM Authorization
- EAM Authorization Concepts & Guide
- GRC AC Latest Security Guide.
I am wondering, many of GRC AC 10 implementations must have gone live by now, and how can be the following authorization hardening concerns be addressed.
I observed the following anomalies, and used ST01 tracing to refine and address few of them still some of them I cant seem to get hold of:
1) [SOLVED] EAM Owners should technically not be allowed to Create/Maintain Reason Codes, that should be EAM Administrator's task. This was addressed by adjusting the auth objects from Owner's Role and only Reason Codes Display was provisioned to the owner's, hence this is addressed.
2) [SOLVED] EAM Owners should not be allowed to Create/Maintain EAM Controllers. This is a grey controversy I believe, as in my organization EAM Controller is treated on even Higher Scale than Owner and thus EAM Controller maintenance should only be done by the EAM admin rather than EAM Owner. This also I have addressed by adjusting few auth objects, which leaves the EAM Owners with Display only access of EAM Controllers.
3) [UNSOLVED] EAM Owner is able to assign any Firefighter ID to End-User: This is anomaly as per me, and is also specified in notes 1730649 & 1663949, but I find it hard to figure out the real solution of that specific issue. The notes just point to EAM Authorization Guide, which explain the GRC Authorization concept in general, which I of course get it. The GRC SP13 is already higher than the one applicable for the issue.
Technically EAM Owner should only be able ASSIGN the FF IDs that are Owned by him, this I cant seem to figure out how exactly.
I have gone through the Authorization Guide, Security Guide, Played too much with System Trace ST01 trying to redesign the authorizations. How would you have done it? This wasn't there in Virsa earlier, it used to bug you back saying that FF ID is not owned by you.
4) [UNSOLVED] Similarly like above, EAM Owner is able to modify assignments/delete assignments of any FF ID. This is of course cascaded from the above issue. I believe it doesn't has to be like this, EAM Owner should only be able to access/modify/maintain the FF IDs owned. Maintenance of the FF IDs not owned by EAM Owner should be truly abstained.
5) EAM Owners should not be able to Add/Delete the Assignments of Owner with FF ID. This is the starting point of the Firefighter Structure and must be restricted to EAM Administrator. In the Standard EAM Owner role, an EAM Owner can created another OWner, assign a FF ID to another Owner, Delete a Owner-FF ID assignment. EAM Owner should have display only access as far as it is concerned about the EAM Owners access Area. This one I have yet to test, which I think would be possible. Can't get hold of points 3 & 4.
I have already studied/implemented the suggestions/recommendations/corrections from Authorization Guide.
But i still feel that these are few loopholes and must be closed before I conclude the implementation.
What do you think?
Would truly appreciate, if you can point out the objects and values that can help to address the open issues.
Apologies, for such a lengthy post, but the authorization goes deep here I guess and ST01 isn't helping me anymore to get over this.
Regards,
Akshay

Hi Colleen,
Thanks for your reply, I was sure I will be getting first response from you, as you are really proactive in GRC Space.
W.r.t. your suggestions:
1) I am not able to follow what you mean by "Are you able to try debugging "CALL METHOD cl_grac_auth_engine=>authority_check" ?? I am not much of a ABAPper/DEBUGGer, but if you can point what exactly is to be done/or to be get done I wouldn't mind getting my hands dirty at this too.
Correct me if I am wrong, do you imply that, even though the specified correction in note is available in system (SP13), still this inbuilt authority check is not happening and is being bypassed?
2) I checked the EAM Authorization Guide for Auth Object GRAC_USER.
With what you feel in the below message of yours=>
Starting to wonder if it is as the EAM Guide attached to the above notes mentions authorisation GRAC_USER which contains a field for user (quote from guide below).
User ID : This Field Specifies which firefighter users you can Display and Perform other activities based on the Activity Field .
That suggests you need different roles to restrict owners? I would have thought SAP would differentiate between authorisation to maintain FF as and Administrator versus Owner allow access to their Ids.
I would have thought Administrator would get the GRAC* authorisations whilst Owners would obtain access via owner setup (mapping for FF Id)
I went back to the EAM Guide and tried to put it all together to make sense.
With my below observations, I think too that there is no such thing as mapping of FF ID with the Owner, out of the Box in GRC AC 10 so that Owner is able to access only the FF IDs owned.
So, if that would be true, then to achieve this sort of wish, I would have to have separate roles from each EAM Owner specifying, the FF IDs that particular EAM Owner is able to access. And then there would be n number of Roles for n number of Owners, which is subject to change and has to be maintained again. Then also, the FF ID owned could also be added/removed etc, Whoa! That wouldn't make me far away from rationalizing the whole objective.
I just wonder, if this is actually Ok? If there is no approach to this, would it be OK to let any EAM Owner work with any FF ID subject to their own desire.
Anyways, check this out below , I will sideways open a message with SAP just to have my closure.
From EAM Authorizations Guide in the note=>
Now from the EAM Owner's Role=>
This no where mentions of Restricting the FF IDs in the Role, if at all this concept exists, it would be through some internal check like the one above i.e. CALL METHOD cl_grac_auth_engine=>authority_check or something.
Also, found these few specifications as well, which affirms the same I believe.
Much thanks for your effort and patience.
Regards,
Akshay

Similar Messages

Break sap standard role into two sub roles

hi,
i have one SAP standard role. now i want to break this role into two sub roles. how shall do it.
please suggest me.
regards
ramesh
Edited by: Ramesh Sammiti on Jul 31, 2008 11:00 AM

Hi Ramesh,
When you say that you want to split the SAP Standard role into two roles:
1.Do you mean to say that you want to split the transactions and authorization data of the SAP Standard role into two separate Z* or Y* roles?
2.Do you want to copy the SAP Standard role into two different Z* or Y* roles and then modify the authorization data according to your company's requirements?
In the above two scenarios you must copy the SAP Standard role into Z* or Y* roles in PFCG transaction with the appropriate naming convention and make necessary changes in both the transaction data and the authorization data.
Please be clear which SAP Standard role you are willing to split into roles and i can provide more details.
Hope this helps.
Regards,
Kiran Kandepalli

Standard roles, groups, profiles of a rfc-user

hi,
can anybody tell me please, which are the standard roles, groups and profiles of a rfc-user in our sap xi-system?
thanks.
regards
Stefan

Hi,
Check the links for authorizations.
http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
also check if your user have this roles in abap stack TECODE su01
SAP_XI_ADMINISTRATOR
SAP_XI_CONFIGURATOR
SAP_XI_CONTENT_ORGANIZER
SAP_XI_DEVELOPER
SAP_XI_DISPLAY_USER
SAP_XI_MONITOR
SAP_ALM_ADMINISTRATOR
SAP_J2EE_ADMIN
SAP_SLD_ADMINISTRATOR
SAP_SLD_CONFIGURATOR
SAP_SLD_DEVELOPER
SAP_XI_ADMINISTRATOR_ABAP
SAP_XI_ADMINISTRATOR_J2EE
SAP_XI_CONFIGURATOR_ABAP
SAP_XI_CONFIGURATOR_J2EE
SAP_XI_ID_SERV_USER
SAP_XI_IR_SERV_USER
SAP_XI_RWB_SERV_USER
SAP_ALM_CUSTOMIZER
SAP_BC_BASIS_ADMIN
SAP_BC_BASIS_MONITORING
ARG_XI_DEV
Thanks,
Vijaya.
Edited

Standard roles for fico/mm/sd

hi guru's
please tell me SAP Standard authorization roles related to FICO/SD/MM/PP
thanks
Ramesh

Look in PFCG for the standard roles delivered by SAP, they start with "SAP".
Also do a search in this forum for standard roles.

Customer role from sap standard role SAP_SM_SCHEDULER_DIS or SAP_SM_SCHEDUL

HIi,
according SAP Note Note 1054005 - FAQ: Job Scheduling Management with SAP Solution Manager we want to design a customer role with this roles as templates.
But:
There are a lot of open authorization objects.
We need proposal how to fill this role with adequate values.
Does anybody has designed customer roles from that standard roles ?
What values are advisable ?
Regards,
Roland Fischl

Dear Aviya Paul,
1. Who will responsible for Authorization Matrix?
Authorization Matrix that define "what position may have access to which authorization/ role" shall be developed by User (Management), with support from BASIS. User is the one who have the authority to decide, while BASIS should help User in understanding the technical knowledge of access authorization.
2 to 5. BASIS.

Deletion of SAP standard roles

I have been asked by the client if we could delete all of the SAP standard roles. I think there are many good reasons not to delete them, but does anyone know what SAP's official recommendation would be to that question and could you point me to the documentation or SAP Note where that recommendations is written?
So far all I have found is the following documentation(http://help.sap.com/saphelp_47x200/helpdata/en/52/67164b439b11d1896f0000e8322d00/frameset.htm) saying that:
Do not change the delivered standard roles (SAP_), but rather only the copies of these roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by newly delivered standard roles during a later upgrade or release change.
But it does not say that you should never delete them.
Br,
Jon

Christensen Jon Jagd wrote:>
> The client want's to "clean up" the authorizations concept by deleting all of the unused roles. And all the SAP_* roles are not assigned to any users (and not generated neither).
I've seen that before, the urge to clean up...... unused roles aren't the worst thing to happen on a system, as long as they're part of the concept.
Come to think of it. I'd delete them from my test and prod systems to avoid confusion and/or (mis)use, but not from dev. On dev the majority of roles is not assigned to users anyway........
> But I would like to know if for example "SAP recommends that you do NOT delete system delivered roles".
I don't think such advice exists. Try to convince the client they should be kept on dev for future reference. Delete them on the other systems to clean up. Everybody happy.
Jurjen
Edited by: Jurjen Heeck on Feb 12, 2008 10:16 AM

Issue on copying standard role

Dear Guru's,
We're implementing E-rec system and we have two users name as user1 & user2, standard role was assigned to both the users
User1 - SAP_RCF_EXTERNAL_CANDIDATE
User2 - SAP_RCT_UNREGISTERED_CANDIDATE
webdynpro application was working fine with the above roles.
Once we made a copy of the standard role z-role, we assigned the z-role to those users and removed the standard role. After assigning the z-roles for the above user, the webdynpro application was not funtioning properly. Only I can see the initial screen, the next screen is not responding.
Could anyone suggestion me on this.
regards,
Guna

Hi,
the most common reason for this error is a missing change in the customer version of role SAP_RCF_UNREGISTERED_CANDIDATE. The sap standard role contains the name of role SAP_RCF_EXTERNAL_CANDIDATE in the authorization object S_USER_AGR field ACT_GROUP. People often forget to change this to the name of the client role.
In spite of the e-rec mechanism that the service user assigns the authorization to the external candidates user by assigning a reference user, it still needs the authorization to assign the roles and profiles the reference user has as if it would assign the them directly. If you do not put the name of the customer copy of role SAP_RCF_EXTERNAL_CANDIDATE into your copy of SAP_RCF_UNREGISTERED_CANDIDATE the user creation can't be done properly and the appiication runs into an error when it tries to switch the session to the user.
Kind Regards
Roman

Creating standard roles transaction

Hello,
Please let me know transaction code of standard roles creation in SAP Business Workflow.
Regards,
Amey

Create Roles
The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu.
You can assign a role to an unlimited number of users.
Procedure
To create a single role:
1.     Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
2.     Specify a name for the role.
The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for your user roles.
SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.
3.     Choose Basic maintenance (in the Profile, Other objects menu).
4.     Choose Create.
5.     Enter a meaningful role description text. You can describe the activities in the role in detail.
You may use an existing role as a reference.
6.     Assign transactions, programs and/or web addresses to the role in the Menu tab. The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System. You can create the authorizations for the transactions in the role menu structure in the authorizations tab.
If you want to call the transactions in a role in another system, enter the RFC destination of the other system in the Target system field.
You should only use RFC destinations which were created using the Trusted System concept () to guarantee that the same user is used in the target system. This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.
If you use the Workplace Web Browser, you can use any destination containing a logical system with the same name.
If the Target system field is empty, the transactions are called in the system in which the user is logged on.
You can also specify a variable which refers to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.
To distribute the role into a particular target system, specify the target system (its Release must be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
You can create the user menu:
o     from the SAP menu
You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.
o     from a role
this function copies a defined role menu structure in the same system into the current role. You can also copy the menu structure of a role delivered by SAP. Click on the menu branches and copy them.
o     from an area menu
You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu from the list of menus and copy the transactions you want.
o     Import from file
See Upload/Download roles.
o     Transaction
You can put a transaction code in the user menu directly.
o     Program
This function puts programs, transaction variants or queries in the user menu. They need not be given a transaction code.
ABAP Report
Choose a report and a variant. You can skip the selection screen.
You can generate a transaction code automatically and copy the report description by setting checkboxes.
SAP Query
Enter a user group and query name. If the query has a variant, you can specify it. You can also specify a global query. See Query work areas.
Transactions with variants
The system administrator can create transaction variants in the SAP System Personalization. Transaction variants adjust complex SAP System transactions to customer business processes, by e.g. hiding superfluous information and adding other information such as pushbuttons, text or graphics. You can put a transaction variant call in a user menu by entering the transaction code and variant which you created in the transaction SHD0.
BW report
Include a Business Information Warehouse report. Enter the report ID.
ReportWriter, Search, Report
These function put other application-specific report types in the user menu.
o     Others
Enter other objects:
Web address or file
Enter internet/intranet links with a descriptive text and the web address. You can enter a file name if the browser can call an application.
Drag and relate component
Enter the component name.
Knowledge Warehouse link
Use the Document field possible entries help. Choose the information object type. You go to a selection screen in which you can search for the object in the Knowledge Warehouse.
There are other pushbuttons for editing the user menu. Choose a menu entry with the cursor before you call one of the following functions.
Function:     Meaning
Create folder
Group transactions, programs, etc. in a folder
Change node text
Change a menu entry text
Move down
Move a menu entry down one place
Move up
Move a menu entry up one place
Delete nodes
Delete a menu entry
Any subnodes are also deleted.
Delete all nodes
Delete the complete role menu
Translate node
Translate a menu entry
Documentation
Display the documentation of transactions, programs, etc.
Find doc.
Find programs
You can restructure the menu by Drag & Drop.
The Menu tab status is red if no menu nodes are assigned. If at least one menu node is assigned, the status is green.
You can assign Implementation Guide (IMG) projects or project views to a role under Utilities  Customizing auth. Do this to generate IMG activity authorization and assign users. The authorization to perform all activities in the assigned IMG projects/project views is generated in profile generation. You make the assignments in a dialog box. Choose Information to display more information on using this option.
7.     Save your entries.
You have created a role.

User Management - Standard role.

Hi All,
I have to assign standard roles for User's to their respective modules/Areas (e.g MM,SD,QM,PP,FI).
I have searched on sdn regarding this but not got the solution.
So, if anyone has idea related User Management pls share.
All the answers r gr8ly appriciated.
Regards,
San

Hi,
Pls chk this links;
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a07122ae-8216-2a10-c9a5-996717a0648b
SAP BW Authorization
Regards
CSM Reddy

Download all roles Individually and list all the SAP standard roles

Hi ,
I have two questions .
1. I want o download all the roles individually in SAP.
2. I want to list all the SAP standard roles whose profile is generated.
Can anyone help me . to achieve this

Dear,
I am no sure what kind of problem you have faced that requires revert back. Which took 2 days. If it's for mass role revert back then mass role download should work. If it few selective role then change history should help you out.
Anyway I might pull this out of the topic.
Even you download mass role in a single file then also if you want then can upload a single role only with 2-3 mins spending on replace function in notepad!!
Let say you have taken 1000 role in a single file and want to upload a specific role only. Open the file (copy of the file) in a notepad. Now replace(Ctrlh) LOADED_AGRS with nothing. Find(Ctrlf) the role you want to upload. In begining of that line paste LOADED_AGRS
Above file will upload the specific role only.
Regards,
Arpan Paik

SAP standard roles for Mii inside of objects?

Hi,
It is our practice to rename SAP standard roles we plan to use "as is" to our company's naming convention. I am being told by an Mii implementer that Mii uses the standard role names in objects and that by changing these names to our convention, I will create "complications" in their implementation process. I find this hard to believe, it would be a departure from what (little) I know about SAP and how they handle authorizations and roles. It also seems to be very limiting when it comes to customization in the future.
Is this true? Does Mii name standard roles inside of objects? (These "objects" were not clearly defined to me and I plan on calling a meeting so they may show me examples.)
Anyone else on Mii have this issue?

As far as I know, in Mii a user typically needs at least one of these roles:
SAP_XMII_User
SAP_XMII_Developer
SAP_XMII_Administrator
You can of course add additional roles with the authorization the different users require using your own naming convention.
I think this is what the Mii implementer is talking about.
Good luck!

Standard Role to Middleware (data exchange)

Hello
We have a SAP CRM Project where customer is very restrictive with authorizations management in productive systems .
We can’t assign a SAP_ALL to connection user (RFCUSER) for data exchange and we are trying to find a standard role pfcg with all necessary authorization in SAP CRM & SAP ECC to exchange master data & ERP customizing.
I’m worried about this because if I use a trace (ST01) to identify authorization objects I could create an incomplete role.
Does anybody have any information about this issue? Do you Know a standard role to fullfil this security requirement?
Thanks in advance,
Pilar.

I see to many variables here to solve this with the standard roles
You can analyze the users who have roles in both systems for the objects that will be integrated and assign those roles to the RFC users...I don't know, just an idea

A Few Anomalies

After waiting a long time I was finally able to upgrade my iMac and install Aperture. For the most part I am pleased with A3 except for getting used to certain anomalies and instability issues encountered in this early version.
I have used iPhoto for as long as it has been out, but wanted more power to handle my growing image collection. I started taking digital pictures with a Kodak DC 120 camera (anyone interested in an antique?) so some of my older pictures are pretty low resolution, and I still shoot with an older Canon PowerShot. I say this because I believe it contributes to one of the anomalies I have run into in A3.
Magnification - on most of my photos I am able to magnify the image as expected, but on my older lower resolution images A3's magnify behaves strangely. For some reason A3's magnify tool will not work. In iPhoto the same image magnifies correctly. I called Apple about this but they were unable to explain it or help. The only suggestion made was that low res images may not be able to be magnified, however I can find no documentation of this.
*Red Eye Tool* - I struggled with getting this tool to work, but after much experimentation I discovered that the size of the cursor is the crucial factor. If the cursor is to small the red-eye effect tool will not work at all. Increasing the size of the cursor solves the problem. Even after discovering this, photos with red eye are poorly corrected in A3, while in iPhoto the correction is excellent.
*Inconsistent application of tool effects* - when using the adjustment tools I find that the way they are applied to the image is not consistent. Most of the tools show the immediate effect of the tool, except for the Red-eye tool and the Crop tool. With these two tools you have to exit the tool or click on some other tool to see the effect applied. This took some getting use to, because at first it appeared that the tools did not work. In iPhoto, these tools use an apply button so you do not have to exit the tool to see it applied.
*Strange interface* - I use keywords extensively, and love the keyword generator feature of nested keywords. This is very helpful in organizing keywords. What is a little strange is the clunky way one has to apply them. The drag and drop method is cumbersome. the buttons which you can display at the bottom of the window is much better, but groupings are limited to 20 buttons, so you end up using the drag and drop method. The search window for keywords lists all of your keywords in one huge alphabetical list and all organization you did in the keyword generator is lost. This seems very strange. Why use nesting of keywords if you can't see the nesting when you need to do a search? It also seems strange that when a nested keyword is applied its related keywords are ignored. For example if I create a nest as follows People>Extended Family>Grandfather Arvid>Bud's family, and apply the keyword _Bud's family_ to a photo, all the higher categories are ignored and only the keyword _Bud's family_ is applied. If I want the other keywords to also apply I have to shift click on the group and drag it over, again the advantage of nesting is lost. Seems like this good idea was not fully developed in A3
*Unexpected crashes, and lock-ups* - I have experienced several crashes of A3 when using tools or editing things like keywords. When this happens the notify Apple box appears and I send it to Apple with my comment, relaunch the program and continue to work. I never seem to loose data so that is a plus. I have also had a couple of lock-ups when the spinning wheel of death appears on the screen. This happened when the program was trying to update thumbnails. I keep the activity monitor open so I can see what is going on. I have had to force quit the program and relaunch.
It appears that A3 is in serious need of an update, but that is not unexpected with this being the 3.0 version. On the whole the program works very well and I am pleased with it. The program is very fast in its 64bit mode, even if, as I have read in this discussion, the iMac boots into 32bit. I am anxiously awaiting an update from Apple.

No version of DW will manage links that are embedded in
javascript - is that
what you mean?
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com
- Template Triage!
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
==================
"Hendersonville" <[email protected]> wrote
in message
news:f0j0fp$nlp$[email protected]..
> There are a few anomalies with templates in Dreamweaver
Version 4 such as
> using DHTML addressing. Have these been fixed in Version
8?

Standard roles in BW (SU01) to use BPC 10.1?

Hi experts,
I'm currently working on BPC 10.1 and I'm trying to figure out which roles are necessary in tc SU01 to use BPC 10.1. The 10.0 security guide specified two standard roles needed for the users, /POA/BUI_FLEX_CLIENT and /POA/BUI_UM_USER. However the 10.1 security guide does not say anything about standard roles so I'm wondering if it's the same roles as in 10.0...
Please advise
Best regards,
Lars

Hi Shekar,
The solution provided by the Note 2068917 can resolve the issue.
It worked for me. Just create an ABAP program with the following code and execute it.
Please provide the appropriate 'username' and '_AppsetName' as per your requirement.
DELETE FROM RSBPC_WEB_UP　WHERE　user_id　=　'username'　AND　NAME　=　'colSeq'　AND　CATEGORY　=　'members_AppsetName'.
WRITE　SY-SUBRC　　.

Standard Role "SAP_QAP_BW_DASHBOARDS" Unavailable in ECC System

Hello Experts.
We are trying to Implement Embedded Analytics in our R3 system, from the SAP documentation I came to know that in order to execute the standard Reports/Dashboards as a pre-requisite we need to have the role "SAP_QAP_BW_DASHBOARDS" assigned to user. but we are unable to find the mentioned standard role in our system.
We have already raised an OSS message but it is also of not much help.
we are at SAP ECC 6.0 EHP 6.
Any help/comment would be appreciated.
Thanks & Regards
Neeraj.

We also got a reply from SAP saying
"The role SAP_QAP_BW_DASHBOARDS was never delivered (and it was not
planned to be delivered, too). This role was just meant for SAP
internal usage during dashboard development. Thus, the documentation
which states that you should assign this role to your users for
dashboard usage is incorrect."
and they suggested we shall create our roles on our own based on our business need, for example how the roles shall look like they have created a note "2001264" where its clearly mentioned how to create the role.
Hope this help to anyone else having the same problem.
Thanks & Regards
Neeraj.

GRC EAM Authorizations: Few Anomalies in Standard Roles

Similar Messages

Maybe you are looking for