Bulk provisioning from GRC to SAP landscape for go live?

Former Member
0 Kudos

Hello,

Is there a way, once roles are established, to assign people to roles in bulk and then provision to the SAP landscape without going through individual CUP requests? We want to preassign people to roles en masse before go-live.

Thanks,

Kurt

Accepted Solutions (1)


koehntopp
Product and Topic Expert
0 Kudos

Kurt,

we often get that kind of request, but this is not what CUP was made for.

You usually have hundreds or thousands of users with different role combinations. Potentially each of those might have an SoD issue, which you would all want to approve in one step.

If it's about documentation of the initial roles, do that with a CATT and have someone sign off a piece of paper. Then start a risk analysis process to make sure all potential SoD issues are being addressed.

Anything else is just an attempt at documenting a proper compliant process that never happened.

Frank.

Former Member
0 Kudos

Frank,

You are right, we have thousands of users with different combinations. I also realize this is not what CUP is used for.

Our current methodology is to pre-assign roles to users during a workshop setting or some other working forum. The reason is that we want the users to be active in SAP (ECC, SRM, Portal, MDM, etc.) when we go live. Those users are in GRC and we use User Access Review and RAR to perform SOD analysis. At some point all users are ready to go in GRC but they are not provisioned to the SAP landscape. Currently we create a security file extract from a custom application that is used to configure users in SAP. I'd like to eliminate that custom application and do this using GRC.

I am wondering if this capability could be achieved through report or extracts from GRC.

Regards,

Kurt

koehntopp
Product and Topic Expert
0 Kudos

Hi Kurt,

the question is - where would you want to define the users (master data, roles)?

Doing that in GRC one by one is possible today. What you want is a mass upload, but where does the data come from? Who creates the file that assigns roles to users??

If you have that, you could use the CUP request submission web service from an ABAP and put the requests into CUP like that.

You could then either approve them one by one (as you should), or choose a specific request type that goes through with no approval, but is recorded in CUP.

Basic question remains: where does the input come from?

Frank.

Former Member
0 Kudos

Hi again Frank,

Yes how the users are assigned to roles is part of the challenge and a separate topic. Currently we do that manually in a custom tool. Then we load that into GRC and SAP somehow. I would like to be able to do all that within GRC and not use the custom tool which is basically a DB with a spreadsheet style user interface.

As Ankur suggests, sounds like I can use the copy request feature with multi user option. This would work well for segmented populations of users. Actually if I defined these high level segments for all users I could then use GRC CUP to set the attributes for a segment, then upload the users for that segment and do that for all segments.

Thanks for your thoughts/questions,

Kurt

koehntopp
Product and Topic Expert
0 Kudos

Hi Kurt,

sorry, I still fail to see why you would do that.

In my experience there are rarely enough identical users to make multi-user requests an option, and if you're not doing it with a proper approval workflow it has no value anyway.

What you might do is upload with an eCATT and then kick off a user review process in CUP - that would be a much better way.

Frank.

Former Member
0 Kudos

Hi Frank,

Thanks again for your ideas. You're getting closer to our current solution where we upload a "provisioning" file to SAP for bulk people to role assignment during cutover. Roles and people are loaded, then we run SOD checks and resolve issues.

The provisioning file is created in a custom role design solution that I want to eliminate. I'd like to be able to do the same using GRC alone.

Regards,

Kurt

koehntopp
Product and Topic Expert
0 Kudos

Hi Kurt,

I understand what you're trying to do, but I'm afraid that's simply not part of the functionality right now...

Frank.

Former Member
0 Kudos

Frank,

I understand. Perhaps a good topic for the community to address as a best practice until addressed in future releases.

Regards,

Former Member
0 Kudos

Hello,

We're facing the same issue...any feedback or lessons learned that could be shared?

Thanks,

Glen

Answers (2)


Former Member
0 Kudos

Hi all,

Where can I get a spreadsheet template in order to upload the users that I want to assign the roles to?

Regards,

Thami

koehntopp
Product and Topic Expert
0 Kudos

Hi Thami,

what exactly would you want to "upload" to where...?

Frank.

Former Member
0 Kudos

Hi Frank,

In order to do a mass upload you need to have a spreadsheet with the usernames, firstname, lastname and e-mail address of the people you want to give roles to. I needed the order of this template. Don't worry, I found it. The order is usernames, firstname, lastname and e-mail address, TAB-delimited (saved as .txt).
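
A pre-upload check for the tab-delimited user file described in the post above, as an added example that is not part of the original thread and not SAP code. Because every listed user receives the same roles, malformed or duplicate rows are worth catching before the request is submitted. Assumptions: no header row, user IDs compared case-insensitively, and a 12-character user ID limit; the function name and sample rows are constructed for illustration.

```python
import csv
import io
import re

FIELDS = ("username", "firstname", "lastname", "email")  # order given in the post
MAX_USERNAME_LEN = 12  # assumption: length limit for ABAP user IDs
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check only


def validate_upload(text):
    """Return (rows, errors); errors are (line_number, message) tuples."""
    rows, errors, first_seen = [], [], {}
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for lineno, fields in enumerate(reader, start=1):
        if not any(f.strip() for f in fields):
            continue  # skip blank lines
        if len(fields) != len(FIELDS):
            errors.append((lineno, f"expected {len(FIELDS)} fields, got {len(fields)}"))
            continue
        user, first, last, email = (f.strip() for f in fields)
        problems = []
        if not (user and first and last and email):
            problems.append("empty field")
        if len(user) > MAX_USERNAME_LEN:
            problems.append(f"username longer than {MAX_USERNAME_LEN} characters")
        if email and not EMAIL_RE.match(email):
            problems.append("malformed e-mail address")
        key = user.upper()  # treat JDOE and jdoe as the same account
        if key in first_seen:
            problems.append(f"duplicate of line {first_seen[key]}")
        else:
            first_seen[key] = lineno
        if problems:
            errors.extend((lineno, p) for p in problems)
        else:
            rows.append(dict(zip(FIELDS, (key, first, last, email))))
    return rows, errors


# Constructed sample input, not taken from the thread.
SAMPLE = (
    "JDOE\tJane\tDoe\tjane.doe@example.com\n"
    "RROE\tRichard\tRoe\trichard.roe@example.com\n"
    "jdoe\tJohn\tDoe\tjohn.doe@example.com\n"            # same ID as line 1
    "MMAJOR\tMary\tMajor\n"                              # e-mail column missing
    "VERYLONGUSERNAME\tAl\tLong\tal.long@example.com\n"  # ID too long
    "BSMITH\tBob\tSmith\tbob.smith(at)example.com\n"     # malformed e-mail
)

if __name__ == "__main__":
    accepted, rejected = validate_upload(SAMPLE)
    print(len(accepted), "rows accepted;", rejected)
```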

former_member366047
Contributor
0 Kudos

Kurt,

You can use the copy request feature in CUP, then choose the Multi User option and you can upload your users via a spreadsheet. All of your users will have the same roles and same attributes you checked off before the import screen.

Thanks!

Ankur

SAP GRC RIG

Former Member
0 Kudos

Follow what Ankur mentioned. That is the only way to mass provision users in CUP.

Make sure to create a request for a sample user with all the necessary roles and then go to Copy request to copy roles.

Regards,

Alpesh