
Tool for preventing role conflicts

Former Member
0 Kudos

Hi,

I was wondering if there is a way to define which roles should not go together and to notify an admin when he tries to assign two roles to one user, that there is a conflict.

Example:

Role 1: can enter goods receipts

Role 2: can accept differences between purchase order and goods receipts

In case the admin wants to assign both roles to one user, I like to notify him that this is not a good thing to do.

Thanks in advance for your help

Torsten

1 ACCEPTED SOLUTION

koehntopp
Product and Topic Expert
0 Kudos

Torsten,

first of all, you don't want to look at roles, you need to consider the critical combinations of authorization objects and transactions, no matter where they originate.

That quickly gets complex, which is why SAP promotes the BusinessObjects GRC Access Control solution, where Risk Analysis and Remediation (formerly "Compliance Calibrator") is the analysis engine.

The reports Julius mentioned are a bit like that, but they quickly get difficult to manage, and don't talk to the business users well. In the end, what you want is more than just prevent those combinations:

- document the criteria you chose to discover bad authorizations to explain to your external auditors

- a workflow that documents role requests, risks in there and how you dealt with them

- the ability to simulate alternative solutions (what if I take away a role the user already had?)

- document exceptions (we know it's bad, but the user just has to do that sometimes)

Finally, let me point you to the BPX pages on GRC where you can find white papers and more http://www.sdn.sap.com/irj/bpx/grc , and to the BPX GRC forums

Frank.
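
The kind of analysis described in this answer, as an added example that is not part of the original thread and not how GRC Access Control is implemented: conflicts are evaluated on the permissions a user ends up with, whichever role supplies them, with a what-if simulation and documented exceptions. All role names, permission labels, users and the rule are constructed placeholders, not real SAP roles, transactions or authorization objects.

```python
# Added example. ROLES, RISKS and EXCEPTIONS are constructed sample data.
from dataclasses import dataclass

# Role -> permissions it grants (placeholder labels, not SAP object names)
ROLES = {
    "Z_GR_CLERK": {"GOODS_RECEIPT_POST", "PO_DISPLAY"},
    "Z_GR_DIFF_APPROVER": {"GR_PO_DIFFERENCE_ACCEPT", "PO_DISPLAY"},
    "Z_WAREHOUSE_LEAD": {"GOODS_RECEIPT_POST", "STOCK_DISPLAY"},
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str      # documented criterion that can be shown to auditors
    side_a: frozenset     # any permission here ...
    side_b: frozenset     # ... combined with any permission here is a conflict

RISKS = [Risk("R001", "Enter goods receipts and accept PO/GR differences",
              frozenset({"GOODS_RECEIPT_POST"}),
              frozenset({"GR_PO_DIFFERENCE_ACCEPT"}))]

# Documented exceptions: (user, risk_id) -> mitigating control
EXCEPTIONS = {("USER_B", "R001"): "Monthly review of accepted differences"}

def effective_permissions(roles):
    """Map each permission to the set of roles that grant it."""
    perms = {}
    for role in roles:
        for perm in ROLES[role]:
            perms.setdefault(perm, set()).add(role)
    return perms

def analyze(user, roles):
    """Return one finding per risk whose two sides are both satisfied."""
    perms = effective_permissions(roles)
    findings = []
    for risk in RISKS:
        hit_a = perms.keys() & risk.side_a
        hit_b = perms.keys() & risk.side_b
        if hit_a and hit_b:
            sources = sorted(set().union(*(perms[p] for p in hit_a | hit_b)))
            findings.append({"risk": risk.risk_id, "roles": sources,
                             "mitigation": EXCEPTIONS.get((user, risk.risk_id))})
    return findings

def simulate(user, current, add=(), remove=()):
    """What-if: analyze the role set after a proposed change, before applying it."""
    return analyze(user, (set(current) | set(add)) - set(remove))
```

In this sample data, removing `Z_GR_CLERK` from a user who also holds `Z_WAREHOUSE_LEAD` does not clear the finding, because the goods receipt permission still arrives through the other role.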

5 REPLIES 5

Former Member
0 Kudos

Hi,

GRC is the tool that can be used to search which roles are conflicting. Not sure about the message you can generate or not. Using the GRC tool, you can find out whether roles are conflicting.

Former Member
0 Kudos

Hi Torsten,

The SAP tool built for checking such conflicts is Compliance Calibrator (Java - RAR). We followed a process wherein before assigning a role to any user ID we used to simulate it in CC and check for any conflicts. If there are any, then they should be either mitigated or approved as an exception.

You can also implement the below process by customizing SU01; take the help of a developer and tell him your requirements. You can set up the workflow. You should also be ready with the rules/SOD conflicts which will be flagged by this customized Tcode.

Former Member
0 Kudos

Also take a look at report RSUSR008_009_NEW and the documentation on it. Check the SAP notes on the search patterns to use as well.

Cheers,

Julius


Former Member
0 Kudos

GRC tools are very effective and the best. However, they also cost very much. You can also check the market for some cheaper solutions. Before considering implementation, please check with SAP for the price.

Regards,

Gowrinadh