Question on number of distinct SAP instances that can be supported by GRC

Former Member
0 Kudos

Hi Gurus,

We are trying to explore the feasibility of using the capabilities of GRC Access Control (especially CUP and RAR) for user provisioning and ensuring compliance.

We currently have a number of distinct SAP instances with completely different user bases and following different user provisioning processes.

Is it possible that a single GRC installation can support multiple ECC instances? Do all users need to exist in a single ECC system for GRC to work?

I was looking at the installation guides in Service Marketplace and it mentioned that a total of 21 systems can be connected using Adaptive RFCs. Using JCo the number essentially becomes limitless as long as you can suitably size your GRC server.

Also in such a system where GRC handles the user provisioning needs for multiple systems, how does the pricing structure work out?

Regards,

Aninda

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hello Aninda -

It is definitely possible for a single GRC AC instance to be used for multiple ECC instances, and you are correct that you can connect more than the 21 adaptive RFC connections using JCos for the excess numbers.

Given that you have multiple distinct ECC instances, you will need to keep in mind that you need a 'Default' risk rule set in RAR, particularly since CUP will only analyze against the 'Default' rules. This means that you may need to find some common ground with which to define the risks / SODs across your different systems.

Also, your users do not necessarily need to be in a single data source, and it doesn't have to be one of the ECC systems. The UME can be mapped to an ABAP stack, used as a stand-alone DB, or mapped to one or more LDAP directories. The decision of which route to take should be made on whatever solution is the best fit for your organization. As for the user data in CUP, you can map to any number of ECC systems, and/or LDAP directories... again, for whatever is the best fit for your organization.

As far as pricing... that is generally something that you need to take up with your SAP rep as they would be the best source for that info.

Regards,

Robert Robeson

Former Member
0 Kudos

Hi Robert,

Thanks for your reply. You mentioned the necessity for a default rule set. I think as part of RAR configuration, you have the option of creating multiple rule-sets? Shouldn't this then allow me to have different rules for different R/3 instances?

Also, in your words: "Also, your users do not necessarily need to be in a single data source, and it doesn't have to be one of the ECC systems. The UME can be mapped to an ABAP stack, used as a stand-alone DB, or mapped to one or more LDAP directories."

I have never worked too closely with UME but I was under the impression that the UME ALWAYS had to be mapped to a single ABAP stack. If it can be mapped to one or more LDAP systems, it would go a long way in solving the problem of different user bases for different systems.

Finally, is it possible to use GRC only as a user provisioning tool for some of the ECC instances? In other words, we would not like to upload any rules for them.

Regards,

Aninda

Former Member
0 Kudos

Hi Aninda,

Allow me to reply. You are right about multiple rule sets. But that is the RAR component. When doing analysis for a provisioning request, it will always analyze it against the rule set marked as default in RAR.

UME doesn't need to have ABAP as a data source. It can also use a UME database, single or multiple LDAP, or LDAP(s) + UME database as a source.

We use LDAP as read-only + UME for those users that are not registered in the AD domain (e.g. external users). All user maintenance in UME is done through CUP.

Regards,

Vit

koehntopp
Product and Topic Expert
0 Kudos

Hi Aninda,

You can define your risks differently for each system if necessary. Most of the time you may find that rules/risks will be identical for most systems. There's also something called organisational rules which you can use to define different risks for different parts of the organisation.

User source for UME is not directly linked to RAR or CUP. For UME, you can use local DB, ABAP or LDAP, and for CUP you can use totally different systems again, if necessary - there is a lot of flexibility.

Your last question does not make sense to me - RAR (risk analysis) and CUP (provisioning) can both be used for different systems. The systems used for provisioning do not necessarily need risk analysis; you can also use provisioning without risk analysis. If you need risk analysis for some, one way is not to create rules for the other systems, so it will simply show "no risks".

Frank.

Former Member
0 Kudos

Thanks everyone for your inputs. Your comments have helped me to better understand the way forward.

Frank, I am unfamiliar with organisational rules as mentioned by you. I will surely try to investigate further as we even have situations where different companies in the same instance want different rule sets.

I am marking the question as answered.