cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Can SPM connect to more than one RAR instance?

Go to solution
Former Member

on ‎01-11-2010 4:29 PM

0 Kudos

Hi,

I have a DEV GRC instance and production GRC instance.

I am connecting my DEV GRC to my DEV & QAS SAP systems and am configuring superuser privilege manager on the DEV & QAS SAP systems.

I am connecting my PRD GRC RAR system to my DEV, QAS and PRD SAP systems. I am wondering can I configure SPM on my QAS SAP system so that it links to both my DEV GRC and PRD GRC systems?

Thanks,

Niamh

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎01-11-2010 7:38 PM
0 Kudos

Niamh,

SPM and RAR have one to one relationship so I don't know anyway you can connect SPM to more than one RAR instance. RAR, SPM, CUP and ERM are not separate products anymore. They are part of Access Control and they all go together as different components of Access Control.

Alpesh

Show replies
Show replies

Answers (4)

Answers (4)

Former Member
‎01-17-2010 7:48 PM
0 Kudos

thanks All,

that answers my question. I only need to connect one system anyway now.

Thanks,

Niamh

Show replies
Show replies
koehntopp
Product and Topic Expert
Product and Topic Expert
‎01-11-2010 10:58 PM
0 Kudos

Niamh,

first of all - why would you want to do that?

SPM uses RAR to display SoD violations in SPM sessions. What would be the benefit of doing that on two different systems, probably with differing rule sets...?

Frank.

Show replies
Show replies
former_member366047
Contributor
‎01-11-2010 11:02 PM
0 Kudos

Frank,

Before the fix, there were some reports from customers that it was possible to access a production system from FireFighter in a Quality system, which is a huge risk.

This is possible before the FFID password were encrypted.

Ankur

SAP GRC RIG

koehntopp
Product and Topic Expert
Product and Topic Expert
‎01-12-2010 7:49 AM
0 Kudos

Ah, ok.

But that refers to the authorizations of the FF Users - what exactly does that have to do with RAR at all, or even accessing two RAR instances simultaneously?

Sorry, I still don't get your original question - must be too early for me, let me get another coffee

Frank.

Former Member
‎01-12-2010 11:39 AM
0 Kudos

Frank,

I'm with you on that one!

Niamh,

The original question seems to be about referring to two separate RAR systems from one SPM implementation. Is that correct?

I am not sure what the end goal of this is as RAR is only the repository for risk and SoD data?

In any case, only one connector ID can be defined in the SPM config and therefore only one destination can be identified. (Unless you have configured your infrastructure with lots of virtual hosts etc.).

If the question is about being able to jump from one system to another using a FFID then that is indeed a different problem but I see no reference to that in the question, just the response!

Simon

former_member366047
Contributor
‎01-12-2010 6:25 PM
0 Kudos

I apologize, folks.

I think I had too much coffee yesterday!

Ankur

SAP GRC RIG

former_member366047
Contributor
‎01-11-2010 10:43 PM
0 Kudos

Niamh,

The password for the FFID is always automatically and dynamically generated in the production system where the user is starting a FFID session, when an user tries to logon by the use of that FFID.

Thus if someone tries to access to the production system from the development system via RFC connection by the use of that FFID, he/she (who is trying the access to the production system) don't have any way to generate and know the actual password, and the access to the production system is impossible.

I hope that answers your question.

Ankur

SAP GRC RIG

Show replies
Show replies
former_member366047
Contributor
‎01-11-2010 10:43 PM
0 Kudos

Niamh,

The password for the FFID is always automatically and dynamically generated in the production system where the user is starting a FFID session, when an user tries to logon by the use of that FFID.

Thus if someone tries to access to the production system from the development system via RFC connection by the use of that FFID, he/she (who is trying the access to the production system) don't have any way to generate and know the actual password, and the access to the production system is impossible.

I hope that answers your question.

Ankur

SAP GRC RIG

Show replies
Show replies
Ask a Question