GRC - SOD Conflict Management (SAP Role Substitution)

Hi,
I am looking to see how others handle SAP Role Substitution and SOD conflicts.
For example, a person is going to be out on vacation for a few days and assigns their roles to another employee to continue with daily tasks. SOD risks result because of the temporary assignment and role combinations. What are you guys doing to manage and monitor this sort of activity?
Your help and comments greatly appreciated!

Hi
As already stated by Martin, one of the options for handling additional backup access for users could be Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
If GRC is not implemented with your client, then for any additional access which results in an SoD conflict there has to be proper documentation of the temporary access assignment to users (for audit purposes). A mitigating control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
Thanks.
Anjan
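As an added illustration (not code from this thread, and not how SAP GRC is implemented), the following Python models the risk evaluation Anjan's reply relies on: transactions map to functions, conflicting function pairs form risks, and a proposed temporary assignment is compared with the substitute's existing access so that every risk the substitution introduces must carry a documented mitigating control before it is granted. It also models a simplified org-level (company code) comparison of the kind asked about in the cross-organization thread on this page; all function, risk, role and control IDs are constructed samples, not SAP's standard rule set.

```python
"""Constructed SOD rule set and substitution check (added example, not SAP
code). Function/risk IDs, role names and control IDs are sample data."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed rule set: function -> transactions, risk -> conflicting functions.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},   # maintain vendor master data
    "AP02": {"F-53", "FB60"},   # post vendor invoices / outgoing payments
    "BC01": {"SU01"},           # user administration
    "BC02": {"PFCG"},           # role / authorization maintenance
}
RISKS = {
    "P001": ("AP01", "AP02"),   # create a vendor and pay it
    "B001": ("BC01", "BC02"),   # create a user and grant it authorizations
}

@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset
    bukrs: Optional[str] = None  # company-code scope; None = unrestricted

@dataclass(frozen=True)
class Mitigation:
    risk_id: str
    control_id: str
    approver: str
    valid_to: str  # YYYY-MM-DD, so the temporary access has an end date

def functions_hit(roles):
    """Map each function to the (tcode, company code) pairs the roles reach."""
    hit = {}
    for role in roles:
        for fn, tcodes in FUNCTIONS.items():
            for t in role.tcodes & tcodes:
                hit.setdefault(fn, set()).add((t, role.bukrs))
    return hit

def find_risks(roles, org_level=False):
    """Return {risk_id: [(tcode_a, bukrs_a, tcode_b, bukrs_b), ...]}.
    With org_level=True a risk only fires when both sides are reachable in the
    same company code (an unrestricted side matches any code)."""
    hit = functions_hit(roles)
    found = {}
    for rid, (fa, fb) in RISKS.items():
        for (ta, oa), (tb, ob) in product(hit.get(fa, ()), hit.get(fb, ())):
            if org_level and oa and ob and oa != ob:
                continue  # conflicting functions sit in different company codes
            found.setdefault(rid, []).append((ta, oa, tb, ob))
    return {r: sorted(v, key=repr) for r, v in found.items()}

def check_substitution(current, borrowed, mitigations, org_level=False):
    """Risks of the combined access: which were already present, which the
    substitution introduces, and which new ones lack a documented control."""
    before = find_risks(current, org_level)
    after = find_risks(list(current) + list(borrowed), org_level)
    new = {r: v for r, v in after.items() if r not in before}
    covered = {m.risk_id for m in mitigations}
    return {"existing": before, "new": new,
            "unmitigated": sorted(r for r in new if r not in covered)}

# Constructed sample roles: the vacation scenario and a cross-company-code pair.
VENDOR_MASTER = Role("Z_AP_VENDOR_MAINT", frozenset({"FK01", "FK02"}))
PAYMENTS = Role("Z_AP_PAYMENTS", frozenset({"F-53", "FB60"}))
USER_ADMIN_1000 = Role("Z_BC_USERADMIN", frozenset({"SU01"}), bukrs="1000")
ROLE_ADMIN_2000 = Role("Z_BC_ROLEADMIN", frozenset({"PFCG"}), bukrs="2000")
```

Calling check_substitution([VENDOR_MASTER], [PAYMENTS], []) reports P001 as a new, unmitigated risk until a Mitigation for P001 is supplied; find_risks([USER_ADMIN_1000, ROLE_ADMIN_2000], org_level=True) reports nothing because the two sides are scoped to different company codes.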

Similar Messages

  • Cross Organization SOD Conflict in SAP GRC

    Hi,
    I have a quick question:
    Does SAP GRC allow you to capture cross-organization-level value conflicts? I just checked the Auth. Object for the org level Company Code with $BUKRS under transaction codes in Functions; this shows as disabled by default.
    Example: If I have access to SU01 in Company Code 1 and access to PFCG in Company Code 2, will this be a risk based on the SAP standard SOD rule set?
    Your quick response will be appreciated. Thanking you in advance.
    Thanks & Regards,
    Abhimanu Kumar Singh


  • Active Directory, GRC, and Identity Management

    I had originally posted this in the Security forum, but was directed here:
    A client I am working at would like to explore using Active Directory groups to assign SAP roles to users, both portal roles and ABAP roles. They are currently using Microsoft AD. However, they have a requirement to use GRC Access Controls (v5.2) to assist with role maintenance and assignment for SOX compliance. I have been told that the Identity Management product can assist with integrating GRC and AD in a way that still allows for SOD checking/SOX compliance while role assignments take place in AD.
    Does anybody have experience with using Identity Management either with or without GRC? Does it work with Microsoft AD or is it its own AD product? What was your experience with it?
    Are there any other products that can be recommended that will allow for integration between GRC Access Controls and Microsoft AD?
    Steve

    Hi Steve,
    We integrated SiteMinder (eTrust) from CA with the Portal and it is pretty good and stable.
    The one thing I like about SiteMinder is that it is pretty stable, and once it is configured the maintenance is very low; it is very stable too.
    Also, they provide integrations with the major web servers and application servers.
    Cheers, Nag

  • Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

    The FIM team is pleased to announce the availability of some additional Connectors for FIM 2010 R2.
    General Availability of PowerShell Connector
    The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems, but also to pre-/post-process data and files before they are handed over to the FIM Synchronization Service. We believe the community will help by providing scripts for this Connector for various systems, and we will open a place where scripts can be published for reuse.
    TechNet docs:
    http://go.microsoft.com/fwlink/?LinkID=393057
    Download:
    http://go.microsoft.com/fwlink/?LinkID=393056
    Release Candidate of Generic SQL Connector
    The Generic SQL Connector will allow you to connect to any database for which you have an ODBC driver available. It enables new features compared to the built-in MA, such as support for stored procedures, running SQL scripts, built-in delta import support, importing multiple object types, connecting to multiple tables, and much more. This Connector is built on ECMA2.3, which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download and is required for the Connector to work.
    Download:
    https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652
    Release Candidate of SAP Users and Roles/Groups
    The updated SAP templates for Users and Roles/Groups allow you to manage Users, Roles, and Groups in SAP. This also includes password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these with BHOLD. This template will require the previously published WebService Connector:
    http://go.microsoft.com/fwlink/?LinkID=235883
    Download:
    https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651
    If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before, then to get access to the preview programs on Connect either join the program "Identity and Access Management", "FIM Synchronization Service Connectors Pre-release" on
    http://connect.microsoft.com/directory or follow this link
    http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1
    We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see
    http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.
    On behalf of the FIM Sync team,
    /Andreas Kjellman

    On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
    We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on an IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the OpenLDAPXMA (64bit) on FIM 2010 R2.
    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on MF and/or on Windows), for example "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
    Additionally, we cannot get the delta import to work with the CA-LDAP; there's no capability for it, and we tried to use the time attribute in the query for recent changes, but it does not work. (I think we need it in a large integer format or unix time integer.)
    Would be great to have Microsoft's support in this :)

    In a case like this where your follow-up has nothing to do with the original post you should create a new thread.
    Having said that, neither of the MAs to which you refer are official Microsoft MAs, and as such there is no support from Microsoft available.
    Also, keep in mind that the ECMA1/XMA extensibility framework has been deprecated and replaced by ECMA 2.0. You should plan on replacing existing ECMA1 management agents with ECMA2.0 connectors.
    Paul Adare - FIM CM MVP
    "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
    a half a pack of cigarettes, it's dark, and we're wearing visors."
    "Hotsync." -- Paul Tomblin & Peter da Silva

  • How to synchronize Identity System Roles with SAP Roles?

    Hello, experts!
    Could you give me an advice?
    I'm trying to perform role synchronization between SAP R/3 and Identity Manager, but the default task definition (Resource Role Synchronizer) can't find an SAP resource (for example, the method getResourcesSupportingObjectTypes can't find a resource with attribute type activityGroups (SAP Roles)).
    Do you have any experience with synchronizing SAP and IDM roles?
    How is it possible?
    Thank you!

    Maybe somebody knows what objectType attributes things like Roles (activityGroups) or Profiles have?

  • Compliance Calibrator SOD Conflict (FI01 and FB05)

    I was hoping that someone could provide some insight as to why the "FI01 - Create Bank" and "FI02 - Change Bank" transactions would create a risk (in Compliance Calibrator) when coupled in the same security role with the "FB05 - Post with Clearing" transaction. The risk description given by Compliance Calibrator is "Maintain bank account and post a payment from it".
    The FI01 and FI02 t-codes appear to only create/change routing numbers or addresses for banks. There is no ability to create or change an actual bank account. This alone doesn't seem to create a conflict when coupled with a posting transaction. Is there possibly some functionality that I am missing?

    Hi Joshua,
    I strongly agree with you that there is technically no SOD conflict between FI01/FI02 and FB05, although the wording of the SOD conflict in a business sense, meaning Maintain Bank Accounts vs. Posting Payments, sounds more like a conflict.
    I don't see in any way how you can maintain an actual bank account in either FI01 or FI02.
    FI01 and FI02 - Maintain bank info like bank address, bank key and so forth.
    FB05 - Make payments to various accounts.
    Regards,
    Kiran Kandepalli.

  • BO authorization model with sap roles / access tot folders, functionalities

    Hi Specialists,
    As an authorization consultant in BI, I have little knowledge of the security setup in Business Objects.
    I have to set up an authorization model where the authorizations are assigned via SAP roles in the backend BI system. These roles are imported into BO, where they can serve as 'user groups' for access to folders and functionalities.
    Can anyone provide me an overview, guide, training document... on how the authorizations are managed in BO and best practice when they are linked to SAP backend roles?
    The goal will be to use the SAP BI backend roles to grant users in BO specific access to specific folders. E.g. User A can access folder 1 as "refresher only", User B is able to publish reports in folder 2, User C has only view access in folder 2...
    Any help would be great!
    Thanks very much in advance.
    Regards
    Kristof

    Hello,
    This is the best approach you mentioned here.
    I prefer to create roles that serve as functionalities in the backend. For example, you have a "View" role, a "Refresh" role and so on.
    On the other hand, I saw some setups where there is only one role in the backend with all the BO users. Then you have to create your functional groups in BO and assign the users to the groups there.
    Check the Admin Guide of BO XI 3.1 for more information.
    Regards
    -Seb.

  • What SAP roles can be imported?

    Hello all
    I installed the SAP integration kit; JCO 2.1.9 is installed. In CMC I'm able to go to management -> authorization -> SAP and enter the appropriate settings for our authorization system (SysID, client, application server, system number, user, password, ...). In the tab "role import" I see some roles... but not all the ones I would have expected.
    Can anyone tell me what makes an SAP role visible / selectable for import? Does an SAP role in the SAP system (transaction PFCG) need some special tweaking in order to make it available in CMC? Unfortunately I couldn't find any useful information on this.
    Thanks a lot
    Renaud

    Hi,
    Roles which do contain assigned users.
    Ingo

  • Basic manager/employee role with MSS/ESS content

    Hey,
    which role should I give my manager/employee in the R/3 system so they get the right permissions?
    Now I have to add SAP_ALL and SAP_NEW to their profiles or I get error messages saying they don't have the right permission.
    In the portal my manager has the role com.sap.pct.mss.manager
    and my employee has the role com.sap.pct.ess.employee_self_service
    thanks in advance

    Hi Lien,
    you can assign the SAP_EMPLOYEE_ERP role to the employee, which is a composite role.
    It contains the following roles:
    SAP_BC_EMPLOYEE
    SAP_BC_ENDUSER
    SAP_ESSUSER_ERP
    SAP_HR_EMPLOYEE_DE_ERP
    SAP_HR_EMPLOYEE_US_ERP
    SAP_HR_PA_XF_EXPERT
    Maintain the authorizations for all roles using tcode PFCG, generate the profiles and complete the user comparison.
    If you don't have the full authorization for PFCG, ask your Basis person to do this.
    (This is useful to run ESS from the portal.)
    Or if you used a custom role, then
    make sure your user has the authorization object (S_SERVICE);
    add this object in the role that you used (PFCG).
    If you have any query, revert back to me.
    regards,
    kaushal

  • Error when importing SAP roles into BO Edge XI 3.1

    Hello,
    I'm currently setting up the SAP Best Practices on a BO Edge XI 3.1 system (32 bit) and trying to link up with an SAP ECC 6 EHP 4 system (64-bit).
    When getting to the authorisation step I go to CMC > Authentication > SAP > Role Import.
    There I receive the following error:
    JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC' JCO.nativeInit(): Could not initialize dynamic link library sapjcorfc. Found version "2.1.9 (2010-01-28)" but required version "2.1.8 (2006-12-11)".
    After closing and re-entering the same tab I receive the following message: org.apache.jasper.JasperException
    I don't even have the option to enter the roles manually. The system doesn't allow me.
    There is no specific SNC security set up for my SAP system.
    I have been able to connect to the logical system of SAP because when I updated the tab "Entitlement Systems" it proposed the logical system name that I created in SAP.
    As I found on another SAP forum, version 2.1.9 should also be the correct version.
    Can someone help me out with this one (does anyone still have the older SAP Java Connector version 2.1.8)?
    thanks in advance
    Thierry

    Hello,
    That's what I did, but it didn't help.
    I finally managed to find the problem. I also had to install a file named librfc32.dll in the same directory. When installing the necessary files, apparently the version of this librfc32.dll file was not the correct one because it didn't match the version that is installed together with the SAP GUI (I presume). So by re-installing the former version of this librfc32.dll file it finally worked.
    thanks anyway

  • Issue in creating dev plan in talent management specialist role

    Hi ,
    I am facing an issue in creating a development plan through the talent management specialist role. Actually, in one system I have 2 locations: one is India and another one is USA. It's working for India, but when I search for an India employee it shows "no employee found". Can you please guide me?
    Tarun

    Hi Luke ,
    According to one of your articles, I ran HRALXSYNC in R/3; in that, all Indian employees are green but USA employees are in RED. I found the following error; can you please tell me what it means?
    The error occurred in program CL_HRRCF_INFOTYPE=============CM003 line 117
    Qualification 90007487 does not exist
    The incorrect HR object has the key 01NA90011026
    The incorrect infotype record is 40601NA900110265105    1  1900010199991231
    The error occurred in program CL_HRRCF_QUALIFICATION========CM001 line 69
    Serious error; see log
    The error occurred in program CL_HRRCF_CANDIDATE_INFOTYPE_BLCM00B line 99
    Serious error; see log
    The error occurred in program CL_HRRCF_INFOTYPE=============CM003 line 117
    Qualification 90007487 does not exist
    The incorrect HR object has the key 01NA90011026
    The incorrect infotype record is 40601NA900110265105    1  1900010199991231
    The error occurred in program CL_HRRCF_QUALIFICATION========CM001 line 69
    Serious error; see log
    The error occurred in program CL_HRRCF_CANDIDATE_INFOTYPE_BLCM00B line 99
    Thanks
    Tarun

  • Information about SAP Strategy Management (SAP SM)

    Hello,
    I want to know where I can find information about SAP Strategy Management (SAP SM). This is an application that was bought from PILOT.
    Is it easy to customize like the SEM-CPM-BSC?
    Is it an add-on in the BW or ECC?
    Is it all a browser-type application?
    Thank you in advance...
    Pablo Mortera.

    Greetings Pablo,
    Thanks for your interest in SAP Strategy Management (SSM). More information can be found on the BPX site for Corporate Performance Management.
    https://www.sdn.sap.com/irj/sdn/bpx-cpm
    On that page is a short demonstration of SSM. Two other sections on that page, "Key Topics" and "Best Practices", have links for more information about Strategy Management.
    On the SAP.com global site, there is also information about Strategy Management, including white papers.
    http://www.sap.com/solutions/performancemanagement/strategy/index.epx
    Please review all this information and let me know if you have additional questions about SAP Strategy Management.
    Regards,
    Bob

  • How to get web application to use Tuscany without conflicting with SAP SDO

    Hi,
    We are attempting to run a web application on SAP NetWeaver CE 7.1 SP1 which uses Tuscany SDO. As it now stands, we must use Tuscany because the web application will not run with the SAP SDO implementation provided by NetWeaver. To ensure that Tuscany is loaded with priority, we have packaged the Tuscany JAR files and their dependencies as a heavy resource, as described here:
    http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/60642a88-95fe-2b10-d387-a245d48fc257?overridelayout=true
    The final check showed that Tuscany was correctly deployed as a heavy resource and included the following JAR files:
    common-2.2.3.jar
    ecore-2.2.3.jar
    ecore-change-2.2.3.jar
    ecore-xmi-2.2.3.jar
    tuscany-sdo-impl-1.1.1.jar
    tuscany-sdo-lib-1.1.1.jar
    tuscany-sdo-tools-1.1.1.jar
    xsd-2.2.3.jar
    We also verified that the web application using Tuscany has a hard reference to the Tuscany heavy resource.
    However, when we try to run the web application, the following error is logged:  java.lang.LinkageError: Class commonj/sdo/DataGraph violates loader constraints
    The issue is definitely due to some kind of classloading conflict with the SAP SDO library, as the application runs normally when SAP SDO is manually removed from the classpath. Doing this on a production system is unfortunately not an option, though.
    So the question is: how to get web application to use Tuscany without conflicting with SAP SDO?

    I took a look at the "printerReady" example. Looks like I may be able to use the InetPing (...) function to ping through a range of IP addresses looking for a response.
    Any ideas on how to find the MAC address associated with the IP addresses that respond?
    We may have multiple units responding, and the MAC address will allow the operator to determine which unit to connect to.
    I'll try the InetPing to see how it works.
    Kirk

  • User does not appear in group created from SAP role

    Hello --
    I have a user that has logged into InfoView successfully with SAP authentication and is showing in the CMC under the "User List." When I view the list of users in the group that was created from the SAP role he was a part of, he is not there. When I go to the user account and view "Member of," the group IS shown in the list.
    Any idea? Any way I can "refresh" the group or anything like that?
    Thanks
    Casey

    Thanks for the replies.
    We are on XI 3.1 FP1.8 and we do have a CMS cluster. Server reboots this weekend seem to have resolved the problem. I am curious why this question was asked, though:
    "Did you reassign the user to another SAP role after the user has already logged at least once in the InfoView?"
    Is this something that could have caused the problem or is it a possible workaround if we run into the issue again? 
    Thanks again...
    Casey

  • Duet Enterprise 1.0 SP2 - SAP Role based authentication

    Hi All,
    We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we are trying to implement SAP role based authentication.
    But I don't know which role to assign for which authorisation. In my scenario I have created 2 users. For one user I want to have only read access to all lists (Contact, Employee, etc.) and for another user I want to have all access (read, write, modify, delete) on all lists available in SharePoint.
    Can someone help me and tell me what roles (templates) need to be assigned for what operation?
    Which roles do I assign to a user in SAP so that they restrict the user's access in SharePoint?
    Thanks & Regards
    Virender Solanki
    09818316550

    Hi Binson,
    I want to restrict the CRUD operations (create, update etc.) by giving roles in the backend system. I am able to apply the restriction at the SharePoint end, but I don't want that; I want SAP role based security.
    So I want that, according to the roles given in the backend system, the user is able to do operations in SharePoint.
    Thanks & Regards
    Virender Solanki
