Standard AC Roles in SAP GRC AC 5.3

Hello,
Can anyone list the STANDARD AC ROLES in SAP GRC AC 5.3 Suite for
1- RAR,
2- SPM,
3- CUP,
4- RT,
5- ERM,
6- GRC PC 2.5
7- GTS,
8- GRC Repository.
I know that the Standard AC Roles that are delivered for CUP are
1- AEADMIN,
2- AESecurity &
3- AEApprover.
Each role comes with different actions in them.
I need similar type of standard AC roles for the above listed modules.
Thanks!!!

Hello Varun,
Below are answers to your statements.
1- There are no portal roles for AC5.3 as such. There is portal role for RM which you have already found.
ANSWER 1: There are portal roles for AC 5.3. Kindly see the link http://help.sap.com/saphelp_grcpc30/helpdata/en/27/c67fe32e684e4c85125645dc5918ee/frameset.htm.
The role I found in from the above link.
2- To access AC5.3 applications from portal you would have to create IViews etc.
ANSWER 2: Since SAP provides the predelivered roles, as seen in HELP.SAP.COM in above link, we need not create iViews. The custom IViews are required for custom roles, not the standard roles.
Thanks!!!
Edited by: abdul haleem on Jul 21, 2009 9:44 AM

Similar Messages

  • Tcodes & Roles for SAP GRC AC 5.3 SPM in R/3

    Hello,
    After installing part of the SAP GRC AC 5.3 SPM in the Tcode SAINT (R/3).
    I want to know what Tcodes do I need to use the Tcode /VIRSA/VFAT.
    Or what type of roles do I need. Is there some.
    I have read the PDF "SAP Governance, Risk & Compliance Access Control 5.3 - 02 Post-Installation - SPM.pdf", and I have seen some roles. Are these the standard roles for the SPM in R/3?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    In 5.3 we can use the SPM by two different ways.
    1. FFID based: In this you make a user as a FFID and then you use this FFID to perform all the actions.
    User based roles are for the above.
    2. Role based: In this you assign the roles (maintained in SPM) to the user.
    Role based roles are for above.
    The basic difference is in first one you use user (FFID) to perform the activities whereas in second you use role (which are maintained in SPM).
    You can get more details of this in user guide and configuration guide.
    Regards,
    Shweta

  • SAP GRC AC 5.3 Roles provisioning

    Dear all,
    Anyone knows if SAP BW, SAP XI, SAP WF and SAP SP are standard supported by SAP GRC AC for the roles provisioning?
    Thanks for your help!
    Kind regards,
    Sergio

    Hi Sergio,
    let's put the answer the other way round to make it easy.
    AC 5.3 CUP can provision ABAP roles and UME/Portal roles. Not more not less.
    This means if you have a solution which needs additional provisioning to be done (e.g. CRM business partner assignment) then CUP won't be able to do that.
    Best,
    Frank

  • Best practices / preferred usage of SAP standard (delivered) roles

    Dear Experts,
    When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?  I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.  A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
    In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
    Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
    Thanks for any insights!

    > When going about designing roles for a new system, what is the preferred usage on SAP standard/delivered roles?
    Those are provided by SAP as a reference so that you can consult with the Authorization Structure of a Standard Position / Task for which you are going to create your own role. For e.g. what are the TCodes, values of Objects should be given to users for their tasks.
    > I was thinking of using them as a "base", then tweaking auth objects here and there to make the roles work but the more I work with them, I find it may be better to create roles entirely from scratch.
    Absolutely! Please do not use SAP delivered roles for your use and also don't try to alter any values.
    > A lot of the time, I find a lot of inactivated auth objects or objects that seem to not really be needed when looking at the t-codes offered in the menu (S_TCODE).
    >
    > In that case, I figured it might be cleaner if I started creating roles and adding t-codes via the Menu and maintaining only the auth objects that are proposed in PFCG (and adding a few if necessary).
    >
    > Do people typically build their roles around these the standard SAP role set or is it preferred to create your own and only use the SAP standard roles as reference (i.e. the t-codes offered in the menu, etc.)?
    >
    Yes.. as reference.. as you say..
    Regards,
    Dipanjan

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • What BAPI's use the ERM of the SAP GRC AC 5.3 to create the roles in the R/

    Hello,
    Does somebody know what BAPI's use the ERM of the SAP GRC AC 5.3 to create the roles in the R/3?
    Thank you in advance.
    Pablo Mortera.

    Pablo,
       I don't have access to the system right now. Go to SE38 and search for 'Virsa' BAPIs...it will list all the ERM BAPIs under RE. The naming convention is pretty straightforward so you will be able to find a create role BAPI. If you open this BAPI, you will be able to find the SAP delivered BAPI which is being used in PFCG.
    Alpesh

  • Help with Role Attribute config in ERM in SAP GRC AC 5.3

    Hello, 
    I have a doubt.
    We are configuring the Role Attributes of the ERM in SAP GRC AC 5.3.
    Where can I get the Business Process & sub-process of a SAP ECC 5.0, in which Tcode?
    And in the part of "Project/Release" where can I get this element from SAP ECC 5.0?
    Thank you in advance.
    Best regards.
    Pablo Mortera.

    Pablo,
       You won't be able to get BP, SBP and Project/Release information from any Tcode. Whenever security admin creates a role, they assign the role to a Business process, functional area etc. This information comes from Business.
    Project/Release field is used to identify the project name for which this role is being created/maintained.
    These are role attributes which help in role documentation so business needs to decide about the association.
    Regards,
    Alpesh

  • SAP GRC - ERM - Role update issue - Business Process and Subprocess

    Hello Friends:
    We are NOT currently maintaining Business processes or sub processes in GRC 5.3 for all roles. We don't want to maintain them in GRC 10 when we upload the roles. These 2 fields are Mandatory in GRC 10.0 - Can we make them NOT mandatory and leave them blank?? Currently we are facing some issues in uploading the roles
    Please advise.
    Regards
    Ashish

    Dear Ameet:
    I just dislike the idea where SAP has made options for Business Process and Subprocess columns mandatory in uploading the roles as well from backend.
    I am NOT using BRM, but still need to upload the roles for SAP to recognize them to be assigned to the users in GRC 10.0
    I was facing the issues in uploading the roles initially, but now I have made it simple - just assign all the roles without the information of being FI or SD or MM - to IT00 business process and sub process. So, all the roles are now uploaded to the system. I was just curious to know if they can be made Non-mandatory field by any settings.
    But anyways, thanks for your input.
    Regards
    Ashish Desai

  • Disabled standard role com.sap.pct.pdk.JavaDeveloper

    Hi - I've logged an OSS but if anyone can help me quicker it would be most appreciated;
    the role com.sap.pct.pdk.JavaDeveloper can be found in the portal
    content location
    pcd:portal_content/com.sap.pct/platform_add_ons/com.sap.pct.pdk/Roles/com.sap.pct.pdk.JavaDeveloper
    when i double click on that role it shows only one Workset called
    Examples and within it a workset called OBN Examples
    I searched the SDN and found this post:
    /community [original link is broken]
    forumID=53&threadID=19464&messageID=162992
    which sounded exactly right. sure enough the role was assigned to the
    administrator.once i removed it, the role is now not working for any of
    my logons - test users or Administrator.
    in addition we do not have the object com.sap.pdk.JavaDeveloper in our
    system.
    help
    andy

    sorry, probably haven't explained it well enough.
    it used to have lots of entry points, yes. but none of them were visible in the portal catalogue, except one "Examples"
    the linked post describes exactly the same problems. when i followed the recommended steps "remove the role from the Administrator account" in that post, the role stopped working, apart from the "Examples" workset. Apparently we are not using NWDI and apparently this has some relevance, in that we can't create the system alias for the webDynpro as the post also recommends.
    to recap - the standard role, since unassigning it from the administrator account, now does not function for any user. only the workset "Examples" is visible in the role. this was the case before. trying to view the other objects in the role is the reason I was working on it, since we have a requirement to add the Portal Logviewer in to the content developer role, without giving them the whole of the PDK/PRT maintenance applications. it now transpires that they were not displaying and were hidden because they are not Iviews, but are components accessed directly.
    Does it need to be rebuilt? if so , how?
    thanks ,
    andy

  • SAP GRC 5.3 - Standard Text files for RAR - Are they complete

    Dear All,
    Whether the standard text file SoD rule set provided by SAP covers all the standard SAP transaction codes which are available in ECC6.0 and other systems as well.
    Because we found that there are some t-codes which are not form part of Standard SoD Rule set say eg., MIGO_TR - Transfer posting, ME11, ME58 - Create PO, CKME - Release planned prices etc.,. like this there are some standard t-codes which are not part of the functions in standard rule set
    We have a challenge from the client that Standard rule set provided by SAP might have covered all the standard t-codes for SoD rule set and it has to be only customized to the extent of Custom t-codes (Y & Z T-codes).
    Is this correct? How frequently the text files are updated. I remember the last release of text files is along with 5.3 version and there is no change from then onwards i.e. increasing t-codes in functions or increase in risks.
    Please advise.
    Thanks in Advance,
    Best Regards,
    Srihari.K

    Sri,
    From SAP: "The SAP ruleset will never be 100% complete as the definition of "complete" is unique for each company.  SAP goal is to ensure that the rules we provide are accurate and address the major segregation of duties concerns."
    A clear point that reflects that, it is that you will have to do the exercise to identify, analyze and include every Z (custom) transactions used by your customer within the standard SoD Matrix that SAP provides.
    SAP provides updates for the Rule Set every Quarter.
    To get the latest SoD Matrix and key information regarding this topic please refer to SAP Notes:
    986996
    1326497
    Hope it helps. Regards,
      Imanol

  • SAP Enterprise Portal 7.0 Error while customizing Standard  Admin roles.

    Hi All,
    I have a business requirement of Creating Transport role which should access only Transport Navigational Tab in Enterprise Portal 7.0.
    Because we can't give Standard Administrator roles to Users.
    For that, I have created a role and added Standard System admin role as role to role and I hide the Navigational tabs except Transport Tab (by changing Properties of ''Invisible in Navigational areas of System Admin role'')
    I have assigned this role to a user. and i have also given read/write permission to folders and in security zones. Export is working o.k and when i click on browse tab in import it is showing-->>
    "Unexpected error. Check the log files for details."
    I have checked logfiles and i didn't find any thing.
    Any ideas??
    Your early response would be highly appreciated.
    Thanks in advance,
    Khasim.

    Hello Khasim,
                        My name is Mohammed and I am talking from chicago. I am facing problem in EP 6.0 Authorization.
    First of explain me what is Security Zone. why it is used
       I have created one new role and added system admin role (inbuild role) into new role. Is that possible to restrict all portal content folder. I want to show only certain folder and other folder should be invisible or not able to see.
    Example
                  New Role
                              added system admin role
    When user login and he should be only see his folder in portal content not others folder. So if you have solution or detail explanation please send me info to mtajamulatgmail.com or call me 7735010306
    Thanks
    Mohammed

  • SAP GRC CUP password issue

    Hi,
    to get user password, i set email reminder, closing as send password in mail No and password display period : 0. It throws a password as sap default string. How can it be standard password, so user can reset by entering it. In SAP GRC 5.3 AC-CUP 5.3_05.0, I can't see password self service tab too. Is there any better way so user can get password in email as sap standard in 8 words (number , letters or any special characters as set like us).

    when i try to create request type for password self service. i have only these actions to select
      CREATE_USER        Create User
      CHANGE_USER        Change User
      DELETE_USER        Delete User
      LOCK_USER          Lock User
      UNLOCK_USER        Unlock User
      ASSIGN_ROLES       Assign Roles
      SUPER_USER_ACCESS  Super User Access
      USER_DEFAULTS      User Defaults
    i can't see any action for password self service in configuration->request type-> create option. please answer it.

  • SAP GRC PC 10.1 Policy Management

    Hi Gurus,
    I am performing a Policy Management Cycle in SAP GRC PC 10.1, and I find the following problem. The approver receives in the Workinbox the notification for perform the approval of the policy, and, if he decide Send to Rework, no one receives the rework, but if I activate a fallback user, he receives everything
    I configured the following business events in the SPRO Activity : "Maintain Custom Agent Determination Rules".
    Business Event |  | Role | Entity ID | Subtype | Business Event Name
    0FN_AHISSUE_DEFAULT_PRC | 1 | SAP_GRC_SPC_CRS_POLICY_OWNER | POLICY |  | Default processor for ad-hoc issue
    0FN_AHISSUE_DEFAULT_PRC | 1 | SAP_GRC_SPC_GLOBAL_ORG_OWNER | ORGUNIT |  | Default processor for ad-hoc issue
    0FN_POLICY_APPROVE | 1 | SAP_GRC_SPC_CRS_PLC_APPR | POLICY |  | Approve policy
    0FN_POLICY_DEFAULT_APPR | 1 | SAP_GRC_SPC_GLOBAL_ORG_OWNER | ORGUNIT |  | Default apporver for policy
    0FN_POLICY_DEFAULT_APPR | 2 | SAP_GRC_SPC_GLOBAL_ORG_ADMIN | ORGUNIT |  | Default apporver for policy
    0FN_POLICY_REVIEW | 1 | SAP_GRC_SPC_CRS_PLC_REVIEW | POLICY |  | Review policy
    0FN_ISSUE_NOTIFY | 1 | SAP_GRC_SPC_CRS_POLICY_OWNER | POLICY |  | Send notification to object owner
    I am working with a copy of the standard roles, so I configure the table with the copy of these roles.
    In the transaction SWIA an error appears which says in field Executed Action: "No Action". I am wondering if maybe it could happen because user WF_BATCH (user used for the workflow) doesn't have enough authorizations.
    I also test it in the sandbox and it works perfect (without fallback and with SAP_ALL in WF_BATCH user).
    Some help will be appreciated.
    Thanks!

    Hello Giridhar,
    What parameters are you referring to?
    You meant the parameters in General Configuration in AC?
    Best Regards,
    Fernando

  • Automatic Creation of Roles and Role Mappings in GRC

    Hi,
    we are planning to use SAP Identity Management and SAP GRC Access Management.
    In SAP IDM we have defined several business roles that contain privilieges in SAP systems. When a user is requesting a role, the request will first be sent to SAP GRC for approval and risk checking.
    In order to get this to work, we need to load the business roles of SAP IDM into SAP GRC and we also need to configure the role mapping between the business roles and the technical SAP privileges.
    From what I understood, this could be implemented by loading the required information via Excel files into SAP IDM. However, this is a quite cumbersome and error-prone approach and we would like to automate this.
    Is there a way to use e.g. web service calls to create/delete roles and role mappings in SAP GRC?
    BTW: is a documentation of all available GRC web service calls and their parameters available?
    Thanks for your help in advance!
    Best regards
    Tom

    Hi Tom,
    as stated before, the web service description is in the config guide.
    Unfortunately there is no web service to create roles or even mappings in CUP - this is one of many I would also like to see created
    I don't think in your context you will be able to directly send Business Roles to CUP. The role mapping only happens after you send the request, so I'm not sure if that's in time for risk analysis - you will need to try that.
    Are you a customer or a consultant - anyway, feel free to contact me if you need further help integrating CUP and IdM. This is an evolving interface with many possible scenarios, so it's not easy to give you good advice without seeing the full picture.
    Frank.

  • SAP GRC 10.0 Risk Management - Forecasting Horizon Scoring Analysis Mode

    Hi everyone,
    In SAP GRC 10.0 Risk Management Support Package 7, we need to assess a corporate risk by performing an automatic analysis aggregation based on a scoring analysis profile.
    The problem is that corporate risks must be created based on a forecasting horizon.
    So, can we create forecasting horizons with scoring analysis mode? How? Must be enabled through customizing or applying a SAP note?
    Best Regards,
    Chema Traveso

    Hi,
    I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if an Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
    It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.
