
GRC with Position based security in SAP HR

Former Member
0 Kudos

Hello,

We are in the process of implementing Auto provisioning using GRC CUP and at the same time we are also weighing the option of using position based security in SAPHR. We are planning to use SAP HR as the authoritative feed or single record source.

Has anybody implemented it in this fashion? If so, could you please shed some light on any pros & cons or challenges when we use GRC CUP with PBS (position based security) in SAP HR? What is your recommendation? I would really appreciate it if you could provide any information with respect to this.

Thanks

V.l.kumar

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Kumar,

You have touched a pain-point of CUP. CUP does not fully support direct position based security. If you go to the CUP end user request screen, there is no field to enter or retrieve the position of the user, but if you go to the approver view request screen there is a field available to enter the position. As per SAP, CUP supports indirect provisioning of HR positions. I would recommend to hold off position based security till the next version of CUP releases (sometime during early to mid next year), which will fully support structural authorizations.

Regards,

Alpesh

Former Member
0 Kudos

Thanks Alpesh. That helps.

Former Member
0 Kudos

Alpesh,

1. Are there any other impacts in RAR and ERM if we use Position based security in SAP HR? I understand in RAR reports, we can see the risks, based on the users or roles that have conflicts. If we use PBS, how does RAR work to display the conflicts?

2. I know we can assign mitigating controls to users who have conflicts so that we can filter them in RAR reports. How does this work in the PBS model?

Would appreciate if you could provide any information.

Thanks

Kumar

Former Member
0 Kudos

Hi Alpesh,

You said:

"I would recommend to hold off position based security till the next version of CUP releases...which will fully support structural authorizations."

Can you please clarify whether the pain-point of CUP is with position-based security or structural authorizations? Roles assigned to the position may be either HCM user roles and/or user roles for other SAP modules. The HCM user roles may not necessarily contain structural authorizations.

An additional question that I have is, if you do not designate roles by positions (i.e. position-based security), but require structural authorizations to be assigned to users to restrict access to HCM data, which is done in ECC via OOSB, can CUP handle that?

Regards,

Juliet

Former Member
0 Kudos

Hi Kumar,

Position Based security works fine with CUP 5.3 SP7 onwards; basically you should use the HR Triggers functionality to make full use of CUP to automate the position based security. You can map all the actions which you are performing in PA40 through HR Triggers in CUP. For example, a New Hire action will automatically create a request in CUP for a New User Account. So, I would suggest looking into HR Triggers, and indirect provisioning works fine if you give the position number in the request. But there is no support for creating a request for a position from the Request End User Screen; you have to log on with Approver Access and create the request from inside. The ONLY thing which is not possible is position level mitigation using CUP, though there is a workaround for that: you can manage position level mitigations in RAR directly and keep updating that information.

@Juliet: Yes, you can assign the Structural Profiles (OOSB) which you have created in the HR system. While creating the request in CUP there is a button called "Select PD Profiles" that will take you to the list of profiles maintained, and you can assign any of those.

I hope this will resolve most of the confusion and doubts about Position Based or Indirect Provisioning through CUP for both of you.

Cheers!!!

Tavi

SAP Security & GRC Consultant.

Former Member
0 Kudos

Tavi,

Thanks for your note. I appreciate it.

Could you please shed some light on the following questions? We are still debating whether to use Position based security or not.

1. How do the "Risk analysis" and "simulate" features work in CUP when Position based security (PBS) is used? Does CUP consider all the roles that are in the position (to which the user is assigned) for risk analysis and simulation?

2. Though we create solid positions in SAP HR, in the real world there will always be some need to add some roles to users. In that case, with PBS, when the approver finds a conflict during the approval process for an additional access request, can he remove the offending roles to remove an SOD or partial approval? If so, will CUP remove those roles from the position the user belongs to?

I would really appreciate if you could provide any information with respect to this.

Thanks

Former Member
0 Kudos

Hi all,

We are implementing SAP GRC ARA 10.0. How does ARA analyze structural/PD profiles if they are not based on the Authorization concept?

Thank you!