IDM & GRC (including Firefighter) role in SAP Security

Please provide me information regarding IDM, GRC & FIREFIGHTER in SAP.

That is quite a difficult task, given the eloquent description in your question.
I suggest you have a look at the GRC area here in BPX, and browse through the GRC and Identity Management forums.
The solution web pages (like http://www.sap.com/solutions/grc/index.epx) should also provide you with a lot of information.
Feel free to come back here if you have detailed questions.

Similar Messages

  • Role of SAP security design consultant

    Hi All,
    What role does an SAP HR (SAP Security Design) Consultant play?
    How different is it from a regular SAP HR?
    Please let me know.
    regards,
    Pratik

    What I assume is you will have to understand the different roles of users in that company who will need access to the HR system, classify them under categories, set up roles and define authorisation profiles, and set up structural authorisations based on the client's requirements.
    As far as HR is concerned, you need to understand the different authorisation objects, roles and profiles available in the standard SAP system, set up new ones, and add some additional privileges etc. wherever required. Get yourself familiar with the various HR authorisation objects etc.
    Also a little bit of user management, reporting on Infotypes, tracking changes, modification to business critical transactions etc.

  • Role of a Security Consultant in an SAP implementation Project

    Hi All,
    What is the role of a Security Consultant in an SAP implementation Project and the stages in which he is involved?

    Hello Mohammed,
    The role of a Security consultant in any SAP product implementation (not just GRC) is wide enough and it's hard for anyone to sum up on a single forum post. Still I can give you some pointers.
    Security consultants come from different backgrounds, some from networking, database administration, infrastructure and even development like me. They contribute enormously to any product implementation from scratch (landscape design) to go-live (and continuous maintenance) so they are active on every phase of the implementation.
    Following are some of the activities they may perform (or participate in):
    - System Landscape Design (work closely with BASIS and DBAs)
    - Check infrastructure feasibility from a security perspective (for Portals exposed to the internet or extranet, work closely with network providers for firewall security, VPS etc.)
    - Propose security guidelines, access policies, disaster recovery plan, business continuity roadmap (work closely with information security consultants and internal auditors or risk management teams)
    - Implement SAP solution specific security measures (involves almost every SAP solution), for example: SAP R/3 security, GRC, BW/BI, HR, FI, Portal security etc.
    - Participate in application integration, for example: LDAP, IDM, SAP UME, shared directories etc. (User master records security is a high priority.)
    - Check for any possible backdoor access vulnerabilities (e.g. open RFCs, function modules like ping_rfc); this involves almost all SAP solutions and there are special procedures to analyze such vulnerabilities.
    There are many such activities that a security consultant performs on a day-to-day basis. Please do not interpret the above mentioned activities (entirely) as criteria for any security consultant profile. There are many, many possibilities for security consultants to work, from pen testing to SoD violation remediation. That's why I said it's not easy to sum up security.
    Always remember, Security and GRC are two sides of a coin; they work together. However, GRC is more of a combination of policy, regulation and events and involves management participation, whereas security is a purely technical practice.
    You may also be interested to know what it takes to become a forensic security specialist. Take a quick look at http://amudee.com/?p=378
    Best Regards,
    Amol Bharti

  • IDM GRC Business Role management

    Hi experts,
    We integrated SAP IDM with GRC.
    Now our requirement is creating a business in IDM/GRC; a request for a business role is raised for IDM and approved by the role owner in GRC after risk analysis.
    But SAP said business roles and portal groups are not supported between the systems.
    Kindly suggest how to accomplish this.
    Regards,
    Jaya

    Hi Jaya,
    Yes, I remember this is possible. You can set up a customized attribute in GRC privileges and put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • Any ideas on restricting userID Role Assignment within the SAP Security Team

    Hello,
    I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignments for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
    Thanks in advance for your help!
    John

    Hi John,
    There can be a manual control in place, and an individual should not assign role/s to himself / herself.
    Otherwise, security team members can be assigned to a specific group (let's say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security. There should be a dedicated power user to assign the role/s to the security team members, and this can be audited (SM20 log for manual super user / FireFighter log for FireFighter user).
    Thanks
    Prasanna
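An audit check for the control described in this answer, as an added example that is not part of the original thread: it scans a constructed export of role-assignment changes and flags self-assignments and changes to Security-group users made by anyone other than the dedicated power user. The CSV layout, user IDs, role names and the `FF_SEC_01` FireFighter ID are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample export (not real log output): one row per role assignment,
# recording who made the change (actor) and whose user master changed (target).
CHANGES_CSV = """timestamp,actor,target,role
2024-03-01T09:12:00,SECADM1,JSMITH,Z_FI_AP_CLERK
2024-03-01T10:40:00,secadm1,SECADM1,Z_BASIS_ADMIN
2024-03-02T08:05:00,SECADM2,SECADM1,Z_SEC_ROLE_ADMIN
2024-03-02T11:30:00,SEC_POWER,SECADM2,Z_SEC_ROLE_ADMIN
2024-03-03T14:00:00,FF_SEC_01,SECADM1,Z_SEC_DISPLAY
"""

# Hypothetical user-group membership and control parameters.
USER_GROUPS = {"SECADM1": "SECURITY", "SECADM2": "SECURITY",
               "SEC_POWER": "SUPER", "JSMITH": "FINANCE"}
PROTECTED_GROUP = "SECURITY"        # group holding the security team
ALLOWED_ASSIGNERS = {"SEC_POWER"}   # the dedicated power user
FIREFIGHTER_IDS = {"FF_SEC_01"}     # emergency IDs, reviewed via their own log


def classify(actor, target):
    """Return a finding code for one assignment, or None if it is compliant."""
    if actor == target:
        return "SELF_ASSIGNMENT"
    if USER_GROUPS.get(target) != PROTECTED_GROUP:
        return None                 # target is outside the protected group
    if actor in FIREFIGHTER_IDS:
        return "REVIEW_FF_LOG"      # allowed, but must match a FireFighter log entry
    if actor not in ALLOWED_ASSIGNERS:
        return "UNAUTHORIZED_ASSIGNER"
    return None


def audit(csv_text):
    """Return (timestamp, finding, actor, target, role) for every flagged row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # User IDs are compared case-insensitively.
        actor, target = row["actor"].upper(), row["target"].upper()
        finding = classify(actor, target)
        if finding:
            findings.append((row["timestamp"], finding, actor, target, row["role"]))
    return findings


if __name__ == "__main__":
    for finding in audit(CHANGES_CSV):
        print(*finding)
```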

  • GRC 10 EAM - Unable to assign Firefighter roles to owners

    Greetings SAP gurus,
    I am currently on a new GRC 10 installation and having issues with the Emergency Access Management (EAM) component previously known as FireFighter or SPM. Note: We are trying to implement the Firefighter "Role-Based" Approach.
    Issue: We are unable to assign EAM roles to owners within NWBC. Click on 'Assign owners to Firefighter ID's and provision Firefighter ID's to firefighters' via the Access Management tab within NWBC, option Superuser Assignment. Click on Assign. We are able to find the owners, but when I search for roles to assign, I get the error 'No records found for the search criteria entered'.
    We are on SP7.
    Items completed:
    1) All post installation tasks were completed correctly, i.e. BC sets activated, connector groups created and working.
    2) EAM roles created on target system and imported via BRM.
    3) EAM role properties edited for "Firefighting" usage in BRM, role owners defined, functional areas defined, business process and sub process areas defined.
    4) Access control owners (i.e. role owners and controllers) defined.
    5) The ID being used for configuration is currently assigned all GRC_NWBC roles available.
    6) The connector groups are working fine and we are using for the Access risk Analysis component which is working fine.
    7) The post EAM configuration steps have been completed.
    Has anyone else experienced a similar issue?  I look forward to your responses.
    Rgds,
    Prevlin Moodley

    Hello Prevlin,
    Are you using a FF role owner for the assignment? This might be helpful:
    Note 1289579 - Firefighter Owner additional authorization for Role based FF: https://service.sap.com/sap/support/notes/1289579
    Cheers,
    Diego.

  • Advice needed: what does your company log for SAP security role changes?

    My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
    I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

    > Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
    I have questions:
    a) Do you want to make things straight?
    b) Do you want to implement a versioning mechanism?
    c) You cannot implement anything technical, but you're asking about best "paper" practise?
    The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
    Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
    PFCG transaction usage will be curtailed to minimum if implemented fully.
    Do we really want to do things "outside" PFCG?
    @all:
    a) do you guys use custom approval workflows for roles?
    b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
    c) who is a friend of GRC here, raise your hand
    Cheers Otto
    p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

  • Role of Solution Manager in SAP Security.

    Hi
    Can anyone help me to understand the role of SAP Solution Manager in SAP Security? A link to any relevant document is appreciated.
    Thank you all.

    Hi,
    First understand and decide what each consultant is going to do in the system. Like Technical Consultant will take care of Installation, Setting Up Landscape, Setting up TMS etc.
    Project Manager will create projects, Handle roadmaps etc.
    Segregating this way will help you defining the Roles in the system. I would also suggest you to have authorization Matrix in a Spreadsheet.
    The authorization can also be categorized based on Operational processing.
    Check this link.
    http://help.sap.com/saphelp_sm40/helpdata/en/24/c7baad86044eacb7203cdd341211a9/content.htm
    For authorization in Servicedesk.
    Check page 35 in this link.
    https://websmp207.sap-ag.de/~sapidb/011000358700001197002005E/Addtional_Information.pdf
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
    Reward points if helpful
    Thanks
    Pankaj Kumar

  • Standard AC Roles in SAP GRC AC 5.3

    Hello,
    Can anyone list the STANDARD AC ROLES in SAP GRC AC 5.3 Suite for
    1- RAR,
    2- SPM,
    3- CUP,
    4- RT,
    5- ERM,
    6- GRC PC 2.5
    7- GTS,
    8- GRC Repository.
    I know that the Standard AC Roles that are delivered for CUP are
    1- AEADMIN,
    2- AESecurity &
    3-AEApprover.
    Each role comes with different actions in them.
    I need similar type of standard AC roles for the above listed modules.
    Thanks!!!

    Hello Varun,
    Below are answers to your statements.
    1- There are no portal roles for AC5.3 as such. There is portal role for RM which you have already found.
    ANSWER 1: There are portal roles for AC 5.3. Kindly see the link http://help.sap.com/saphelp_grcpc30/helpdata/en/27/c67fe32e684e4c85125645dc5918ee/frameset.htm.
    The role I found is from the above link.
    2- To access AC5.3 applications from portal you would have to create IViews etc.
    ANSWER 2: Since SAP provides the predelivered roles, as seen on HELP.SAP.COM in the above link, we need not create iViews. Custom iViews are required for custom roles, not the standard roles.
    Thanks!!!
    Edited by: abdul haleem on Jul 21, 2009 9:44 AM

  • SAP Security Report for single and composite roles

    Hi
    I have a requirement to create a customized report in SAP Security.
    I have to display composite roles, the corresponding single roles, the tcodes assigned to those single roles and the description of the tcodes. The selection screen has composite role, single role and tcode, which are optional. The user can enter a selection in any of the selection criteria. How should I go about this? If the user gives only a composite role on the selection, e.g. 'TEST', for this role I get, suppose, 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS. Now to get the tcodes I go to table AGR_1251 and I get the tcodes.
    But if user gives only a single role on the selection, e.g. 'TEST2', for this single role 'TEST2' there would be multiple composite roles, e.g. 'TEST' 'SAP1' 'SAP2' etc. Now if I go to get the tcodes for this single role in AGR_1251, I will certainly get the tcodes, e.g. MM01, FB01, etc. But then how would I know whether MM01 belongs to composite role 'TEST', 'SAP1' or 'SAP2' for the single role 'TEST2'?
    Please advise.
    Thanks
    Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
    Subject title improved

    I thought of separate selection options for singles and composites, but you also said:
    > But if user gives only a single role on the selection, e.g. 'TEST2', for this single role 'TEST2' there would be multiple composite roles.
    My suggestion would be to build better single roles, but that is just me...
    Cheers,
    Julius
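The report asked about in this thread, sketched as an added example that is not code from either poster: the tcodes hang off the single role, so joining AGR_1251 to AGR_AGRS yields one row per (composite, single role, tcode) and a single role that sits in several composites repeats its tcodes under each of them. The tables are rebuilt in SQLite with constructed rows; only the columns used are modelled, and it is assumed that each S_TCODE entry holds one plain value in LOW (no ranges or patterns).

```python
import sqlite3

# Constructed sample data (not from a real system).
AGR_AGRS = [("TEST", "TEST1"), ("TEST", "TEST2"), ("TEST", "TEST3"),
            ("SAP1", "TEST2"), ("SAP2", "TEST2")]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW)
    ("TEST1", "S_TCODE", "TCD", "SU01"),
    ("TEST2", "S_TCODE", "TCD", "MM01"),
    ("TEST2", "S_TCODE", "TCD", "FB01"),
    ("TEST2", "S_USER_GRP", "ACTVT", "03"),  # authorization value, not a tcode
    ("TEST3", "S_TCODE", "TCD", "PFCG"),
    ("SOLO", "S_TCODE", "TCD", "SM20"),      # single role in no composite
]
TSTCT = [("E", "SU01", "User Maintenance"), ("E", "MM01", "Create Material"),
         ("E", "FB01", "Post Document"), ("E", "PFCG", "Role Maintenance"),
         ("E", "SM20", "Security Audit Log")]  # constructed descriptions

# All three selection criteria are optional: a NULL parameter means "no filter".
REPORT_SQL = """
SELECT c.AGR_NAME, a.AGR_NAME, a.LOW, t.TTEXT
FROM AGR_1251 AS a
LEFT JOIN AGR_AGRS AS c ON c.CHILD_AGR = a.AGR_NAME
LEFT JOIN TSTCT AS t ON t.TCODE = a.LOW AND t.SPRSL = 'E'
WHERE a.OBJECT = 'S_TCODE' AND a.FIELD = 'TCD'
  AND (:composite IS NULL OR c.AGR_NAME = :composite)
  AND (:single IS NULL OR a.AGR_NAME = :single)
  AND (:tcode IS NULL OR a.LOW = :tcode)
ORDER BY c.AGR_NAME, a.AGR_NAME, a.LOW
"""


def build_db():
    """Create an in-memory copy of the three tables with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AGR_AGRS (AGR_NAME TEXT, CHILD_AGR TEXT)")
    conn.execute("CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, FIELD TEXT, LOW TEXT)")
    conn.execute("CREATE TABLE TSTCT (SPRSL TEXT, TCODE TEXT, TTEXT TEXT)")
    conn.executemany("INSERT INTO AGR_AGRS VALUES (?, ?)", AGR_AGRS)
    conn.executemany("INSERT INTO AGR_1251 VALUES (?, ?, ?, ?)", AGR_1251)
    conn.executemany("INSERT INTO TSTCT VALUES (?, ?, ?)", TSTCT)
    return conn


def role_report(conn, composite=None, single=None, tcode=None):
    """Return (composite, single role, tcode, description) rows for the selection.

    The composite column is None for a single role that is in no composite.
    """
    params = {"composite": composite, "single": single, "tcode": tcode}
    return conn.execute(REPORT_SQL, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in role_report(db, single="TEST2"):
        print(row)
```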

  • Part-time OR online PhD sap security GRC

    Please help
    I am from India and interested in a part-time online PhD (sap security GRC). I have recently done my M.Phil and MCA (both part-time) and have been working in the IT industry for 10 years and in SAP security for over 5+ years. Please guide me. I have done all my studies through distance education as I belong to a poor financial background, but I am studying as I have a very strong desire for education.
    Thanks in advance

    Hello
    I know that Central Michigan University has an online MBA with SAP emphasis:
    http://www.cel.cmich.edu/onlinemba/SAP/
    And they recently introduced two online Doctoral programs in Health Administration and Education (teaching), but not IT or business.
    Also look at the list of universities in India that are members.  Go to our Program Overview at University Alliances Overview
    And you will find a link on the right to "University Alliances around the World".  I know that Symbiosis offers some distance learning programs, but maybe not in SAP yet.
    It could be worth taking time to contact them about your request.
    Good Luck
    Bob LoBue

  • How does my role as a SAP SECURITY ADMIN differ from upgrade and implementati

    Hi Gurus,
    I am new to Security. I just want to know how my role as a security admin differs in an implementation project and in an upgrade project. Please answer this. And can I get any doc about the tables and the objects related to security? Any links or docs you can mail me at [email protected]
    thank you

    A few inputs from my end....
    Implementation --> starting from role naming conventions to role design, SoD conflicts, master child relations and documentation.
    Upgrade --> If from 4.0 versions to higher versions then it's something similar, where we convert profiles to Roles and then redesign them to SOD conflicts.
    But in case of higher upgrades, the Java component access and the segregation of duties for these components have to be considered as well.
    Hope it helps...
    Vbr,
    Sri
    Award points for helpful answers

  • GRC -IdM integration (HCM IdM GRC IdM)

    Hi IdM & GRC Gurus,
    We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I don't see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
    I have following questions
    1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
    2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
    3     If the answer to question 2 is yes, what are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?
    4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
    Regards,
    Anurag

    Hi Joel,
    within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
    Kind regards
    Frank

  • Frustrated. Need Advice on SAP Security Implementation!!!

    I'm very frustrated with my latest project and I would really appreciate your feedback.
    I recently joined a company that's implementing SAP. They are already in the realization phase and will soon enter the final preparation stage. I was brought in to implement SAP Security. I was provided with a  compiled list of roles and tcodes based on the blueprints from the teams and this was my starting point.
    I wanted to do a presentation with the teams so that we all know what my expectations/requirements are from them and vice versa. In preparation for this, I gathered their processes from their blueprints. I wanted them to break each process into detailed activities/tasks/functions. From there, they can identify the tcodes and then the roles. I also wanted to do this approach because the company is following SOX regulations. I showed this to my team lead and the PM, and the PM advised me not to go with this strategy because there would be too much work involved. I wanted this approach because I also wanted to do the SOD, but I was told not to do it because it would only confuse them. He just wanted to work on polishing the list of roles and tcodes.
    Some team leads are all experienced people while other teams are not because they are working with an employee from the company. Kinda like a partnership, 1 is a consultant while the other is a team lead from the company. Which I believe is normal practice so that there is knowledge transfer.
    So I had my presentation and I found out that most of the team leads have not seen this compilation of roles and tcodes. I also found out that even though they are already in the realization stage, majority of the teams have no idea what roles to give nor do they know who to give it to. I also asked for the org chart from the HR team but I was told that they still don't have it and cannot give it to me. They even asked me why I need it. They also informed me that HR structural authorizations are not going to be implemented and yet nobody can give me a damn good reason why. All they tell me is that because they don't need it.
    So as you can see, I'm not getting the cooperation/support I need to be able to do my job properly. How can I when every strategy I wanted to do is being turned down? What should I do? Really need your advice on how to proceed. Your inputs are highly appreciated.
    Thanks in advance!

    Julius, Auke and Alex,
    I'm sure everyone would agree that the advice you guys offer is more than valuable. Thank you for that.
    I myself have been encountering the same situation that Litz is facing, except that in my case the Management is very co-operative (and trust me, this helps a lot). My problem is that neither I nor my Management know what access needs to be given to Consultants or IT Staff after GoLive or even now. The Functional Consultants "don't have the time" to tell me what Tcodes they need access to, and they insist that they should have sap_all, and I have no idea what access they SHOULD have.
    I was going to post another thread for my questions but I guess there are already too many which address the same issue. These threads did give me a good insight on how SAP Security should be managed, and I was able to get some of it chalked out. I have a few questions though, which I wasn't too sure about even after reading through the countless threads.
    Most consultants in my company had sap_all in QA since no one knew what they should have, and often we had noticed that they would be playing with the Basis Tcodes. Now knowing what they have been doing in QA, I do not want to give them sap_all in Prod (although they insisted) at any cost. So, I made a role (z:sap_all), copied sap_all, disabled Basis Tcodes and assigned it to them. Then I kept adding Tcodes one by one on request basis.
    We haven't gone Live yet (they say that we are still in testing phase since the final cutover is due in the next few weeks) and I know that this cannot work after Go-Live since z:sap_all has Tcodes like SE38, AL11, SM50 etc. in Prod. They say that they need these to do processing and it is okay to give it to them since we haven't gone live. I would also like to mention that my company is trying to get SOX compliant and needs these things in place.
    I have been entrusted a BIG responsibility and am trying my best to live up to the expectations, and I am relying on you guys to help me out. All the Business Roles are in place, and it's just the IT roles that I'm worried about.
    So, my questions are
    1. Until how long is it okay for Functional Consultants to have this kind of access in Prod ?
    2. After we Go-Live, would a display only role for all functional Tcodes suffice for them? Or should they have Basis Tcodes too? If yes, which ones? (I'm asking this because I know that it should be minimal.)
    3. I have been told to create an "IT-Support role" by the Manager of the Implementation Partner for after GoLive. But he has no idea what T-codes it should have or what it does. Any ideas on this?
    4. I have read about the "firefighting role". I'm guessing that the IT Support Role is the same as this. But what exactly does the firefighting role have? And in what situations is it assigned?
    5. How important is the period before the final Cutover as far as SOX compliance goes?
    A little enlightenment on the common issues encountered after Go Live would also help me assess the situation a lot better.
    I hope I'm not asking too much of your time here. Thank you again guys !! Appreciate it !
    Kunal

  • GRC AC Request Role Creation

    Hello all,
    I noticed that by default GRC AC doesn't have a Request Type for Role Creation. Normally how is this done? I mean, if someone realizes that a new role is necessary, how can this person report the need for a new role creation? What are my options here?
    Regards,
    SAP Legend

    Hi SAP Legend,
    You can not request a new role to be created via an Access Request workflow. You still need a business governance strategy where someone has to raise a request outside of the GRC system for the new roles through the right channels deemed fit in your company to get the new role made. Maybe you have a support ticketing system in place or some SAP security department you can raise the formal requests to.
    The BRM Role creation/maintenance workflow runs separately from the Access Request workflow. Furthermore, the definition and creation process of roles via GRC should only involve and be used by Business Process Owners/Role Owners and the Authorisation security team, i.e. not general end users.
    A role build methodology will have to be set up and then the underlying approval workflows (based on MSMP technology also, like the AR workflow).
    Once the role has been built (either via back end PFCG or via GRC using the BRM methodology and approval flows), the role will be available to the end user to request via AR.
    Hope that helps.
