07-21-2011 2:48 PM
Hi,
What is the ideal composition of an implementation team for implementing Access Controls (functional consultant, W/flow consultant, Basis guys), and what is the normal duration? Please assume that AC talks to SAP ECC only, no development is involved, and that we are not responsible for designing the functions, actions and permissions.
How is AC 10 different from AC 5.3 from the above perspective?
Thanks in advance.
Ramesh
07-21-2011 3:47 PM
Hi Ramesh,
The composition and team size depend on the size of your system, i.e., roles, users, no. of risks etc. No one can easily define the size of the team without knowing your current system design. But you may need to have at least a couple of Basis, Security consultants to implement/configure your GRC system.
Further the risks will be identified and further security design should be identified by the functional leads or the BPOs, and based on their inputs and the changes required, the span of the project will be fixed.
Normally it may take about 4-6 months as per my knowledge.
GRC 10 works on BO and has different features when compared to GRC 5.3. Implementation-wise there should not be many differences.
Regards,
Raghu
07-21-2011 4:34 PM
Hi,
Raghu makes some useful points to say that there is no firm answer without understanding your organisation.
I would take a skillset approach to defining the implementation team.
It also depends massively on the scope of the GRC functionality being delivered.
You will definitely require a mix of skills including the following but that does not necessarily mean a 1:1 ratio for skills and resources:
Business Engagement
Business Analysis
Project Management
Security & authorisations technical skills
GRC Administration / Configuration
Basis / Netweaver Support
GRC 10.0 represents a significant architectural shift which will require a slightly different skillset.
You may require additional support in the form of SAP Business Workflow (although not very much), ABAP Developer / Debuggers / Netweaver Business Client.
With regards to timelines, this can fluctuate massively depending on the scope and scale of the project.
I have worked on projects with a minimal scope and with minimal organisational complexity where the implementation was in the order of weeks.
Similarly, in complex organisations with a larger scale functional requirement, the implementation effort can be months. If remediation is also deemed part of the project then it moves more towards years depending on the organisation and security design.
I hope this helps.
Simon
07-21-2011 4:58 PM
Thanks Simon.
I just want the skill composition from the technical perspective - the skill sets that are required for requirement gathering, project management may be ignored.
For a vanilla implementation in a "not so big, not so complex" firm, what are the minimum skillsets that we need to have for implementing AC?
I do understand that without knowing the project intricacies it will be difficult to answer these questions. Albeit in the real world guesswork / certain assumptions are being made. Am trying to understand this.
Regards
Ramesh
07-21-2011 5:59 PM
Hi Ramesh,
The basic requirement is a security/GRC and a Basis consultant, without which you can't take up the implementation. Further, you may need at least 1 functional guy in each area (as mentioned, normally it is the business owners) who should decide on mitigations and remediations of the risks in the system. In fact they own the area and should decide how to go with the risks in their area.
Hope this helps!!
Regards,
Raghu