06-03-2009 10:09 PM
Hello all,
When adding new component to the system (for example starting implementation of the CO module) and the role owners and IT users need to create a lot of roles with a lot of transaction/authorization objects u2013 what is the best way to create those masses of roles?
Thanks
Rothem
06-03-2009 10:11 PM
Rothem,
Is this related to any GRC product? Can you be more specific?
Regards,
Alpesh
06-03-2009 10:18 PM
Hi Alpesh
This question relates to ERM in AC.
Thanks for your answers
Rothem
06-04-2009 6:53 AM
Hi,
You have to check authorization matrix, based upon them, you need to create Business process, sub - process, and create Roles one by one.For initial role creation , better to turn workflow off for them, it will go to generation in one flow.
To turn off workflow, you need to create a methodology which contains only Definition, Authorization, Risk Analysis and Generation. Create one condition group which is associated with new BP and sub -BP say CO and CO-SP and apply new methodology to this condition group. You existing BP roles will follow existing workflow but this new one will get generated without workflow.
After creating all roles in ERM, you may opt for mass maintainance to generate them to backend instead of generating one by one.
Regards,
Sabita
06-04-2009 8:25 AM
Hello Rothem,
If you mean how would GRC Role Expert (ERM) help you with this, then I would say it can not help you with the same as only mass changes, generation and upload are allowed in the tool, not mass creation.
On the other hand if you need to know how in SAP you can create Mass Roles, then I would suggest you to use the transaction SCAT which can help you a lot with the Mass role creations.
Regards,
Hersh.
http://www.linkedin.com/in/hersh13
Edited by: HERSH GUPTA on Jun 4, 2009 12:55 PM
06-07-2009 7:08 AM
Hi All
Thanks for your answers, I would like to specify more:
What is your recommendation when needed to create a lot of roles at once:
· Use ERM for one role at a time creation? The downside is that it can take a lot of time but then the ERM is in sync with the ECC roles
· Use PFCG/SCAT and manually import roles by excel upload from ECC? The downside is that the user will need to make sure every time that all roles import into ERM
Thanks
Rothem
06-08-2009 5:47 AM
Hi Rothem,
If you are using Risk Terminator, then Role creation from ECC will also check for risks.
But better do it through ERM, in that way you are confirmed that there are no risks in Roles.
Regards,
Sabita
06-08-2009 6:51 AM
Hi
If you planning to implement a new module you should consider to hire a security expert. He/she will be able to draw out an authorization concept for you. With clean master roles it is possible to generate high volume of derived roles in PFCG. The roles should be finally tested along with rest of the module during the integration tests. After acceptance they can be uploaded to CUP (or ERM and then CUP).
Vit
Edited by: Vit Vesely on Jun 8, 2009 7:51 AM