Creating conflict matrix with RSUSR008_009_NEW

Former Member
0 Kudos

Dear Experts,

I am keen to know if someone has made use of the report RSUSR008_009_NEW?

I am not sold on the idea of using other tools for checking user-level SoD issues and would like to invest time to understand the report and the available options in it.

This is what I want to do:

Spend time with the auditors to create a set of conflict groups. Identify the underlying objects of each conflict group and maintain them in the grouping of critical combinations.

This matrix can then be the base on which role authorizations can be assigned/rejected. It would also give the option of identifying users who have critical combinations in their authorizations (which could have been prior approved, and the paperwork workflow can be checked for this assignment), which makes the complete process ACCEPTED by the auditors.

Could you share your ideas/opinions on this?

  • I would appreciate answers/opinions relevant to this topic (No GRC, VIRSA....... answers, please)

  • I have read one or two posts on this topic and I didn't see any conclusive answers on this

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Shekar,

I have used it before a few times, but first of all I do have one question:

Are you a consultant or an internal resource?

If you are a consultant then you will, in my experience, cost your client more to implement this properly than it would to buy a product. There are some good products out there that are relatively inexpensive to buy and implement.

If you want to go ahead with it then that's cool and you are approaching it the right way.

From a technical perspective there are a good number of OSS notes that you need to apply, searching on the report name should bring them up.

The approach with audit is correct. Identify your main business functions and then identify which ones conflict. There are a few matrices on the internet (the most common one is a copy of one hidden in ASAP) which you can use as a base and add in stuff relevant to your business or client. You can then assign transactions and/or objects to those functions, which are represented by Groups, and maintain the conflicts via the IDs.

As long as you can get to grips with the (poor) usability of the tool, this will give you everything that you need.

A few years back I was going to create an uploader to populate the relevant tables, in retrospect it's a shame we didn't do it.

Good luck

24 REPLIES

0 Kudos

Hi Alex,

I read a lot of positives from your mail and it is quite encouraging.

> Are you a consultant or an internal resource?

Hmmm...... I am a consultant (hope it is not a bad qualification to have)

> If you are a consultant then you will, in my experience, cost your client more implement this properly than you would be to buy a product. There are some good products out there that are relatively inexpensive to buy and implement.

> If you want to go ahead with it then that's cool and you are approaching it the right way.

I don't understand; are you suggesting that there would be huge maintenance activities involved?

I have a base matrix proposed, accepted and approved by the internal compliance team, the internal audit team and the external auditors (one of the big four, unethical to mention the name).

I have a list of conflict groups and not-allowed combinations, and the transactions in each conflict group and the authorization objects with activities that are checked.

I have 3000+ roles in the system and one of the proposals (in fact it is 60% through with the development) is to have a new transaction created for user maintenance (ZSU01 replacing SU01). In this, in the roles tab, the idea is to change the way it looks and split the screen into 3 parts: one part shows the roles that are already assigned to the user, the other part is more of a search engine that allows you to search for all possible roles (domain-wise or country-wise, as may be the case) and assign the needed roles. When the search engine identifies a role with a particular transaction, it is then validated by checking Z-table entries on whether the role can be combined with what the user already has, and disallowed if it is not an accepted combination. Workflow approvals should follow for such cases.

Well, the problem here is, I am dead against this idea: having a table with 3000 roles and their probable combinations sounds like a nightmare; every inclusion of a transaction to a role could change the table entries. In short it becomes a "live" system on its own.

Whereas, if we configure the critical combinations based on the agreed rule set, this wouldn't change for a long time, and making use of the available reports would be better (it would mean a big effort for configuring the critical combinations, and also looking at a few modifications to the report). This is my idea; what do you think, does it sound OK?

koehntopp
Product and Topic Expert
0 Kudos

The report will give you similar analysis results as the tools do.

However, there is a reason why the tools do have a valid market (actually more than one...):

- Creating the conflicting TCodes/fields is hard. The default ERP rule set for SAP BO Access Control, for example, has some 45000 rules it will check. We can differ in opinion on whether these are all required, but you get my point.

- When creating is hard, maintaining is even harder. You need to cope with changes in processes and changes in customizing/development. This is one reason why you don't maintain the individual rules in Access Control, but go via risk - functions - tcodes/objects to get to them automatically.

- The result of the analysis is only as useful as its incorporation into ALL authorization-relevant processes (development, customizing, role management, user management, reporting etc.). Any process you miss creates tons of additional work in running after the issues.

- You might also want to assign a severity and one or more owners to conflicts in order to deduct the correct remediation, control or responsibility.

- You might need to manage exceptions, as a conflict you identify in one part of the company might be a required process in another. This needs to be managed/reported/documented.

- The report is detective, not preventive. I.e. you will only detect issues after a user has them already, then run after him to take authorizations away. How do you check for alternatives?

All in all: if all you need to do is find out about a few unwanted combinations, you should be fine. For serious SoD and/or critical authorization management, you might find that using one of the available tools makes life A LOT easier.

Frank.
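Frank's risk -> functions -> tcodes hierarchy and his detective-versus-preventive point, modelled as a small added Python example that is not from this thread or from SAP. All users, role names, tcode assignments, the three rules and the exception entry below are constructed sample data; the real rule set comes from your auditors.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    risk_id: str
    func_a: str       # the two business functions that must not be combined
    func_b: str
    severity: str     # drives remediation priority, as Frank suggests

# Business function -> transactions that let a user perform it.
# Illustrative tcodes only; the real mapping comes from your agreed rule set.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02"},
    "VENDOR_INVOICE": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
}
RULES = [
    Risk("R01", "VENDOR_MASTER", "VENDOR_INVOICE", "high"),
    Risk("R02", "VENDOR_MASTER", "PAYMENT_RUN", "high"),
    Risk("R03", "VENDOR_INVOICE", "PAYMENT_RUN", "medium"),
]
# Role -> transactions (constructed sample roles, not from any real system).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02", "XK03"},
    "Z_TREASURY": {"F110"},
    "Z_DISPLAY": {"XK03", "FB03"},
}
# Documented, approved exceptions: (user, risk_id) -> mitigating control.
EXCEPTIONS = {("jdoe", "R03"): "CTRL-17 monthly payment-run review"}

def role_tcodes(roles):
    """All transactions reachable through a list of roles."""
    return set().union(*(ROLES[r] for r in roles))

def conflicts(tcodes):
    """Detective check: which risks does this transaction set realise?"""
    def can(func):
        return bool(FUNCTIONS[func] & tcodes)
    return [r for r in RULES if can(r.func_a) and can(r.func_b)]

def check_assignment(user, current_roles, new_role):
    """Preventive check: run before the role is assigned and report only the
    conflicts the new role would introduce, split into blocked ones and
    ones already covered by an approved exception."""
    before = {r.risk_id for r in conflicts(role_tcodes(current_roles))}
    after = conflicts(role_tcodes(current_roles + [new_role]))
    new = [r for r in after if r.risk_id not in before]
    blocked = [r for r in new if (user, r.risk_id) not in EXCEPTIONS]
    covered = [r for r in new if (user, r.risk_id) in EXCEPTIONS]
    return {"allowed": not blocked, "blocked": blocked, "covered": covered}
```

A display-only role such as Z_DISPLAY never triggers a rule here because the functions are defined by the transactions that actually perform them, which is the same reason the thread later suggests not building rules on S_TCODE alone.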

0 Kudos

Hi Frank,

I knew you would respond; I have read your related posts. No offence meant, but somehow I feel that GRC is wrapped in cotton wool in your reply to Alex.

Anyway, my personal opinion is that tools are made available because no end user in any company wanted to understand how the technical set-up, the audit compliance, the compensating controls, risk mitigation and remediation all work together.......... and I personally feel it is NOT as complex as it SOUNDS. It is difficult, no doubt on that, but I think if you get the hang of it, it could be a worthwhile effort.

And for the preventive part you mention, I would like to customize the report so that I can check the user-level SoD before anything is added; I guess it makes sense that way.

koehntopp
Product and Topic Expert
0 Kudos

> Whereas, if we configure the critical combinations based on the agreed rule set, this wouldn't change for a long time, and making use of the available reports would be better (it would mean a big effort for configuring the critical combinations, and also looking at a few modifications to the report). This is my idea; what do you think, does it sound OK?

Of course you can do that, but I guess the requirements will continue from there. You have a very limited set of users covered right now, and a small set of use cases.

Building that system, maintaining it and keeping up with requirements will be a huge development effort, not even considering support and maintenance.

Of course you can do that and most likely it will work for your current scenario, the consideration is whether it's worth the effort of doing it vs. buying some standard package on the market.

Frank.

0 Kudos

> Of course you can do that and most likely it will work for your current scenario, the consideration is whether it's worth the effort of doing it vs. buying some standard package on the market.

Hi Shekar, with reference to your consultant/non-consultant question, this comment sums it up for me, to be honest.

The time to get RSUSR008_009_NEW up and running is not inconsiderable. I have spent weeks on some projects configuring it and just as long training people how to use it properly. I doubt I would even take on an engagement where this was required considering that there are better products out there for a range of different budgets.

From your description of the ZSU01 and big table, I agree with you that it's not a good idea as there is no content check.

0 Kudos

Frank,

In all fairness, the client I work for would love to know that there is a possibility. For the client, every penny saved is a penny earned, and they would love to entrust such a job to a consultant (so that it gives easy target practice); it is a matter of money over a young dispensable consultant's grey cells.

I don't really know if I will end up doing all the effort, but at least I know that it could be attempted.

Thanks for your inputs.

  • I would like to keep the thread open for some time to see some more opinions on the topic and ANY kind of encouragement on the task being attempted (I feel like I just started from Camp VII on a long climb)

0 Kudos

> From your description of the ZSU01 and big table, I agree with you that it's not a good idea as there is no content check.

I am glad that there is someone who agrees with me on this topic; I think I will print this post to show it to the "wizard" who penned the development request for ZSU01.

> there are better products out there for a range of different budgets.

I will try to look up a few, but do let me know if there is something you personally felt was good.

0 Kudos

Would appreciate a few more ideas/suggestions on this topic.

Just wanted to keep it on the first page for a day more; no responses today and I will close it tomorrow.

0 Kudos

My contribution:

> Just wanted to keep in the first page for a day more

Please don't do that. Imagine if everybody did...

Interested folks will find your thread anyway and may only read the forum once a week.

Cheers,

Julius

0 Kudos

I thought you would have more to add to the topic.

Considering that you had a discussion in another post on this topic earlier with Frank and you were suggesting that it would be a good idea to work on the report.

0 Kudos

> > Just wanted to keep in the first page for a day more

> Please don't do that. Imagine if everybody did...

Sorry for that, it was a real cheap trick.

0 Kudos

> it was a real cheap trick

That is exactly what RSUSR008_009_NEW is as well.

It is simple and it works, but is not state-of-the-art technology.

If you keep it simple and go for the important critical authorizations and show-stopper type of SoD conflicts (forget about S_TCODEs..) then you will cover a lot of your risks with 40% of the effort.

The main buggers are that it is "local" to each client, and when you apply support packs you don't get updates for your functions and actions like you do with GRC.

On the other hand, no brainstorming session in a land far away will introduce some theoretical fluffy-stuff into your system either, like some other tools do when you adopt their rulesets and click on "Go".

All-in-all, the industry norm seems to have settled into buying the best ruleset as a prepackage and mitigate from there to make the redlights go away. Given the options and the proximity to the original development, I would go for SAP GRC, particularly if you have the licenses already.

Another aspect to this is that no one has mentioned what to do with customer coding yet and a prepackaged ruleset cannot possibly deliver that for you. You can only do this yourself. Since SAP Note 978447 (https://service.sap.com/sap/support/notes/978447) you can now simply place a * into RSUSR008_009_NEW and click "Go"...

Cheers,

Julius

0 Kudos

Well............... I can only partially agree with what you say. If considerable time and some concrete effort is spent, I am sure one can make a wonderful rule-set, and I am also not completely convinced that the report is a throw-away.

GRC is the last and least preferred in the environment I work in and they have their valid reasons for it, so forget about it.

I don't know yet if I will still configure the report (quite a few approvals are pending) and build my own Z that would call the report and display things as I conceive, but if I do it, I hope I have your assurance that it will be a front pager on the forum.

0 Kudos

> If considerable time and some concrete effort is spent, I am sure one can make a wonderful rule-set, and I am also not completely convinced that the report is a throw-away.

Yes, this is definitely true and I don't see why only partial agreement is needed.

I have used it before and am currently using it for one landscape as well because the customer does not have a GRC license included in their agreement.

We developed our own emergency user solution and I threw in my collection of RSUSR008_009_NEW rules which I have built up over the years, with a few tweaks. It took one day and was finished.

But if you know what you are doing and have already paid the licenses, then you can get GRC-RAR, CUP, SPM and self-service installed and up&running within a week as well.

Of course the real work starts once you get the results of whichever "Go" button you click on. So.... "it depends" is the overall answer, excluding custom coding.

Cheers,

Julius

0 Kudos

Sometimes I hate giving up on a good thought; I look at this based on a few things:

1. The client has NO idea of procuring GRC

2. They tried building their own Z-program, which for me looks and feels filthy (read the above exchanges, you would understand why I say this)

3. The client & I are happy with the rule-set we have

4. I think it is a matter of a task being a very time-taking and difficult one, but not an "impossible one", or is it?

The reason I wanted to hear from you is, I read in the other post that you worked on this report and I wanted to know if it is an impossible effort or if it is not worth trying (like the modifying SSM2 suggestions I had).

I can plan, check, design, write the development request, but cannot code........ I cannot debug to death and understand how difficult or complex the code is, and that was the precise reason I wanted the experts' views.

0 Kudos

Then go for RSUSR008_009_NEW and keep an eye on OSS notes for it.

If you have questions, then feel free to ask.

Cheers,

Julius

0 Kudos

I am pleased; I am closing the thread. Will definitely post again if I find my way with it.

Cheers, and thanks to all

0 Kudos

Thanks a lot to everyone who contributed on this topic.

I configured RSUSR008_009_NEW and am pleased with what it shows. I haven't tried it in the Production environment in real time, but in the development system it works the way I wanted it to work (but with a slow response time).

You guys were great and your advice has been invaluable.

0 Kudos

Hi Chandrashekhar,

Congrats on finishing your task on RSUSR008_009_NEW.

How much time did it take? I am contemplating using this.

Looking forward to your valuable suggestions / approach / procedure followed.

Thanks

Yogesh

0 Kudos

Hi Alex,

I searched ASAP and the SAP Service Marketplace site but couldn't find the Standard SoD Matrix. Can you please help me by revealing its location?

Thanks

Yogesh

koehntopp
Product and Topic Expert
0 Kudos

Yogesh,

There really is no such thing as a "standard" matrix, other than what gets delivered with the GRC product, and that is its intellectual property.

Frank.

Frank_Buchholz
Advisor
0 Kudos

Has anybody ever tried to implement the basis checks of the Security Optimization Service (SOS) as critical authorizations within RSUSR008_009_NEW? (I know it's not about SoD in applications, but it's critical anyway...)

Here's the description of the checks of the SOS: https://service.sap.com/sos -> Media Library -> Media Library -> Security Optimization Service - ABAP Checks

Cheers,
Frank

0 Kudos

Please have a look at the new blog:

Export/Import Critical Authorizations for RSUSR008_009_NEW

Limitation: this new report covers "Critical Authorizations" and "Variants of Critical Authorizations" but not "Critical Combinations".

Kind regards

Frank