- SAP Community
- Products and Technology
- Additional Q&A
- GRC 10 Role Management - Mass Role Derivation
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
GRC 10 Role Management - Mass Role Derivation
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 08-23-2011 4:39 PM
Hi All -
Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10?
Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all it's children derived roles; or alternatively if accessing one child role you can copy the auth data from the parent role. Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role.
If this is not possible, it seems to leave a gap in the process of creating derived roles in mass?
Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps. This will crate my derived roles and populate the organizational values only in PFCG. You can also update the derived role's org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org values Update' feature.
However these features do not propagate the non-org authorizations from the parent roles. Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles.
I've noticed when propagating authorization on a one-by-one basis, GRC creates a background job "Auth Data Propagate". I'm really just hoping there is a way to do this in mass and I am just missing the obvious. I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
Thanks for the help!
Accepted Solutions (0)
Answers (3)
Answers (3)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Nathan,
there is a solution through CSI tools
This application allows 'many parents'-to-'many deriveds' mass propagation of role content.
It also supports the restriction of non-org values, where SAPGRC only includes org vals in the org map. It also supports the creation of and hierarchical org tree of organisations (max 10 levels deep). By doing so, (non-)org values for a deeper org node can be inherited by 'higher' nodes. Eg. if you add a plant code for 1 site, that plant code is also added in the display role at country level.
if you're interested to see it in action, mail me sam dot szafranski at axl-trax.com.
Grtz-sam
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Bumping this one too. Any solutions for this?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Nick -
I actually just received a "final" response from SAP OSS support on this one. Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue. The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
"This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo.
The best workaround to this, is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles. That will give you actually complete & usable roles in a semi-automated fashion.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Bumping this up again. Anyone using role management on GRC 10 yet?
We've identified several true bugs with the mass role maintenance features in GRC 10 I'll be opening up OSS support messages for here and I'll probably just open this item up as well. I technically wouldn't classify this as a bug though - more just a missing feature that really limits the usefulness of the new mass derivation features.
I was really hoping I was just overlooking some way you could acheive this via GRC
Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Advanced Returns Management for Supplier Returns in Spend Management Blogs by SAP
- Mastering Procurement Analytics: Essential Strategies and Safeguards for Success in Spend Management Blogs by SAP
- Enhance your SAP Datasphere Experience with API Access in Technology Blogs by SAP
- Supporting Multiple API Gateways with SAP API Management – using Azure API Management as example in Technology Blogs by SAP
- SAP Sustainability for Financial Services - Portfolio and Solutions in Financial Management Blogs by SAP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.