
Separating SoD results reports by org unit

Former Member

Hi GRC gurus,

I was looking into CC 5.2 to find a way to separate the access to SoD reports based on the org unit being analyzed.

This is a topic in itself, but my question is whether there is a way to control access to the output of the results based on org unit.

I found a VRAT object (from memory it was the Business Unit object ...0006) with this description and documentation, but it is not used anywhere in the coding...

Is this different in 5.3? Or have I missed something?

Our other option is to put another layer of security on top of the output, either by sending the results or downloading them to other storage media for access.

Cheers,

Julius

1 ACCEPTED SOLUTION

koehntopp
Product and Topic Expert

Hi Julius,

you can run risk analysis by Org Level, which will report only violations for a certain Org Unit.

Does that help?

Frank.

9 REPLIES

Former Member

> you can run risk analysis by Org Level, which will report only violations for a certain Org Unit.

That is a challenge in itself because of the dependency on org customizing (SPRO...).

In this case: Some processes (e.g. Treasury, just as an example) and some business orgs. (e.g. inter-company shells) would like to train their key users to be able to do this analysis themselves. They actually want this, which is great! For the rest an output report sent by someone else (including a batch process etc) and a follow-up is normally enough.

The problem is that if they want to do this themselves, then in the case of some processes they would like to exclude anyone else from analyzing roles which grant access to their special processes which are largely org independent but would like to see the transactional authority to certain orgs (more precisely accounts) in other orgs.

Certain other org units which are legal entities take SoD seriously and would like to analyze their internal processes (which often have * org values as they have central functions, or are in some cases decentral with only * org as it made no difference...) without other users running the same checks having access to their roles if they enter * in the selection.

I understand that this is anyway a mammoth task for various orgs and systems and the org setup and customizing in SPRO is largely ignored, so the best option is to control the reporting output (centrally) and send it to those who are authorized. This was my "gut feeling" and idea to set it up with selection rules (variants).

Why I asked this question is because some managers want their own folks to do the online analysis as well, and I found the Business Unit object (which promised half the solution) but was not used in the coding anywhere.

We will be upgrading our 5.2 GRC to 5.3 soon, but I was curious to know whether something like this already exists and works, or is in the pipeline?

Cheers,

Julius

ps: This is not a development request. In fact I would be insulted if SAP developed this before adding an AD configurable and LDAP capable method to FM SSFT_PPPI_SIGN for the SIGNING_METHOD parameter.

koehntopp
Product and Topic Expert

What 5.3 brings to the table is exporting reports to BI.

Using that, you could separate reports through BI authorizations.

Yes, not perfect, but maybe the best you can get right now.

Frank.

Former Member

Thanks Frank,

I will leave it open for a little while still. Perhaps others have different workable solutions to share, or a Ninja turns up and knows some cool trick.

Cheers,

Julius

Former Member

hi,

I have an additional question: where do you define/synchronize organizational units in CC? Because at the moment in Risk analysis, our organizational menu is empty.

Regards,

Julien

koehntopp
Product and Topic Expert

From the manual:

The Org. User Mapping menu item allows you to specify a system that contains organizational user data you want to add to or synchronize within Compliance Calibrator.

To add or update user information within Compliance Calibrator:

1 Choose Configuration > Org. User Mapping. From the System ID drop-down menu, choose the system that contains the user data you want updated within Compliance Calibrator.

2 In the User field and the to field, enter a user range to update. To update all user information, click Search and enter the first listed user in the User field and enter the last listed user in the to field.

3 To perform an ad hoc (one time) update, click Foreground. If the system contains a large volume of user data or if you want to synchronize Compliance Calibrator data periodically, click Background and schedule the intervals at which this update should occur.

Former Member

Hi,

In response to the original post around CC 5.2 - wouldn't a rule set defined for the relevant business unit go some way to solving the problem?

Then the business unit would only use the specific rule set when running the analysis.

From the Java side there isn't any standard method provided to restrict or manage user access at such a detailed level.

If the analysis is run from the ABAP side, then I suppose a custom exit would be the only option - but again the problem is how to link a business unit with a specific list of risks.

Or have I missed the boat completely?

I haven't played around with the BI reports for 5.3 yet, but I guess the challenge would be around the available info objects when trying to restrict the report output.

Regards

Former Member

> I have an additional question: where do you define/synchronize organizational units in CC? Because at the moment in Risk analysis, our organizational menu is empty.

We are not that far yet, but have some workshops lined up, so when I come across that as a possible solution, or additional question (to my question), then I will post it.

Perhaps if you create your own thread then it would no longer be dependent on mine only...

Cheers,

Julius

Former Member

Howzit S Morar! Nice to hear from you again.

Thanks for the suggestions! We have upgraded to 5.3 now and will be looking into these possibilities - you understood correctly.

I sort of have a sympathy with the GRC developers because it is tough for them to know (all) about how the roles are designed (singles, composites, derived...) and how the system is configured (like org setup in SPRO...), so to make all combinations configurable in rules (we plan to build from the bottom => see this thread) and then still logically control access to it is a tough call.

I still think that any tool which could provide an IF-THEN-ELSE operator for rules built from the bottom and which read the correct tables would be a "home run".

Back to topic: I am pretty sure that a reporting layer on top of the results is the most pragmatic way (and least complex way) to go. But we will test this in the next weeks and if something is worth reporting as progress I will update the thread.

Any other ideas anyone? (Moving to a different planet is currently not within the budget, but some folks who have to use this thing probably wouldn't mind it...)

Cheers,

Julius
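The "reporting layer on top of the results" approach discussed in this thread, as an added example that is not part of the thread and not Compliance Calibrator or SAP GRC code: run the risk analysis once centrally, then partition the exported violations by org unit so each legal entity only receives the findings that touch its own company codes. The CSV layout (USER, ROLE, RISK_ID, ORG_FIELD, ORG_VALUE), the org unit table and the sample rows are all constructed for illustration; a real CC export has a different layout, so the column names would need adapting. The point the example handles is the one raised above about central roles: an authorization value of `*` or a FROM-TO range is copied into every report it covers rather than dropped, and anything that matches no org unit lands in an UNASSIGNED bucket that the central team still has to review, so no violation silently disappears from all reports.

```python
"""Partition an SoD violation export into per-org-unit reports.

Added example, not code from Compliance Calibrator, SAP GRC or anyone in
this thread. Assumptions (all constructed for illustration):
  - the export is a CSV with columns USER, ROLE, RISK_ID, ORG_FIELD, ORG_VALUE;
    the real CC export layout differs, so adapt the column names
  - an org unit is identified by the company codes (BUKRS) it owns; the mapping
    is kept in our own table here, not read from SPRO
  - ORG_VALUE follows SAP authorization-value conventions: an exact value,
    '*' for everything, a trailing-'*' pattern, or a FROM-TO range written 'A-B'
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; not real data.
SAMPLE_EXPORT = """\
USER,ROLE,RISK_ID,ORG_FIELD,ORG_VALUE
JSMITH,Z_AP_CLERK_1000,P001,BUKRS,1000
JSMITH,Z_AP_PAY_1000,P001,BUKRS,1000
MJONES,Z_TR_CENTRAL,T003,BUKRS,*
ALEE,Z_GL_EMEA,F010,BUKRS,2000-2999
KWONG,Z_FI_DISPLAY,F010,BUKRS,10*
PFLOR,Z_CO_ASIA,C002,BUKRS,3000
"""

# Hypothetical org units and the company codes each one owns.
ORG_UNITS = {
    "DE_LegalEntity": {"1000", "1010"},
    "UK_LegalEntity": {"2000", "2100"},
    "Interco_Shell": {"9000"},
}

UNASSIGNED = "UNASSIGNED"


def value_matches(auth_value: str, company_code: str) -> bool:
    """Does an authorization field value cover this company code?

    Ranges compare as strings, which is how the SAP authorization check
    behaves for a fixed-width field such as BUKRS (4 characters).
    """
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return company_code.startswith(auth_value[:-1])
    if "-" in auth_value:
        low, high = auth_value.split("-", 1)
        return low <= company_code <= high
    return auth_value == company_code


def split_by_org_unit(export_text: str, org_units: dict) -> dict:
    """Map org unit -> list of violation rows that touch its company codes.

    A row whose value spans several org units is copied into every report it
    applies to: a central role with BUKRS='*' is a finding for each legal
    entity, not for none of them. Rows that match no org unit, or that use a
    field other than BUKRS, go to UNASSIGNED so nothing is silently dropped.
    """
    reports = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["ORG_FIELD"] != "BUKRS":
            reports[UNASSIGNED].append(row)
            continue
        matched = False
        for unit, codes in org_units.items():
            if any(value_matches(row["ORG_VALUE"], code) for code in codes):
                reports[unit].append(row)
                matched = True
        if not matched:
            reports[UNASSIGNED].append(row)
    return dict(reports)


def render_report(rows: list) -> str:
    """Serialise one org unit's rows back to CSV for distribution."""
    out = io.StringIO()
    writer = csv.DictWriter(
        out,
        fieldnames=["USER", "ROLE", "RISK_ID", "ORG_FIELD", "ORG_VALUE"],
        lineterminator="\n",
    )
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for unit, rows in split_by_org_unit(SAMPLE_EXPORT, ORG_UNITS).items():
        print(f"=== {unit} ({len(rows)} violations) ===")
        print(render_report(rows))
```

The per-unit CSV is what gets sent to (or stored for) each org unit's key users; the access control then lives in whatever distributes or stores those files rather than in CC itself, which is the trade-off the thread settles on. Note that the UNASSIGNED bucket is not a discard pile: a violation that reaches no org unit report is exactly the one nobody will follow up, so it needs an owner.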