on 02-09-2010 9:19 PM
Hello,
Is there a way, once roles are established, to assign people to roles in bulk and then provision to the SAP landscape without going through individual CUP requests? We want to preassign people to roles en mass before go-live.
Thanks,
Kurt
Kurt,
we often get that kind of request, but this is not what CUP was made for.
You usually have hundreds or thousands of users with different role combinations. Potentially each of those might have an SoD issue, which you would all want to approve in one step.
If it's about documentation of the initial roles, do that with a CATT and have someone sign off a piece of paper. Then start a risk analysis process to make sure all potential SoD issues are being adressed.
Anything else is just an attempt of documenting a proper compliant process that never happened.
Frank.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Frank,
You are right, we have thousands of users with different combinations. I also realize this is not what CUP is used for.
Our current methodology is to pre-assign roles to users during a workshop setting or some other working forum. The reason being, is we want the users to be active in SAP (ECC, SRM, Portal, MDM, etc.) when we go-live. Those users are in GRC and we use User Access Review and RAR to perform SOD analysis. At some point all users are ready to go in GRC but they are not provisioned to the SAP landscape. Currently we create a security file extract from a custom application that is used to configure users in SAP. I'd like to eliminate that custom application and do this using GRC.
I am wondering if this capability could be achieved through report or extracts from GRC.
Regards,
Kurt
Hi Kurt,
the question is - where would you want to define the users (master data, roles)?
Doing that in GRC one by one is possible today. What you want is a mass upload, but where does the data come from? Who creates the file that assigns roles to users??
If you have that, you could use the CUP request submission web service from an ABAP and put the requests into CUP like that.
You could then either approve them one by one (as you should), or chose a specific request type that goes through with no approval, but is recorded in CUP.
Basic question remains: where does the input come from?
Frank.
Hi again Frank,
Yes how the users are assigned to roles is part of the challenge and a separate topic. Currently we do that manually in a custom tool. Then we load that into GRC and SAP somehow. I would like to be able to do all that within GRC and not use the custom tool which is basically a DB with a spreadsheet style user interface.
As Ankur suggests, sounds like I can use the copy request feature with multi user option. This would work well for segmented populations of users. Actually if I defined these high level segments for all users I could then use GRC CUP to set the attributes for a segment, then upload the users for that segment and do that for all segments.
Thanks for your thoughts/questions,
Kurt
Hi Kurt,
sorry, I still fail to see why you would do that.
In my experience there are rarely enough identical users to make multi-user requests an option, and if you're not doing it with a proper approval workflow it has no value anyway.
What you might do is upload with an eCATT and then kick off a user review process in CUP - that would be a much better way.
Frank.
Hi Frank,
Thanks again for your ideas. Your getting closer to our current solution where we upload a "provisioning" file to SAP for bulk people to role assignment during cutover. Roles and people are loaded, then we run SOD checks and resolve issues.
The provisioning file is created in a custom role design solution that I want to eliminate. I'd like to be able to do the same using GRC alone.
Regards,
Kurt
Hi all,
Where can I get a spreadsheet template in order to upload the users that I want to assign the roles to?
Regards,
Thami
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Frank,
In order to do a mass upload you need to have a spreadsheet with the usernames, firstname, lastname and e-mail address of the people you want to give roles to. I needed the order of this template. Don't worry I found it. The order is usernames, firstname, lastname and e-mail address seperated by TAB delimited (saved as .txt)
Kurt,
You can use the copy request feature in CUP, then choose the Multi User option and you can upload your users via a spreadsheet. All of your users will all have the same roles and same attributes you checked off before the import screen.
Thanks!
Ankur
SAP GRC RIG
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.