In my organisation business people own the roles, and some owners are very knowledgeable, but sadly a few are not.

We have a role database, that gives owner for access and changes, and then specific authorisers for access and changes in case of staff being out of the office.

We use these in various workflow application (all outside of SAP) to ensure role requests can be approved. Once a request is approved by a role owner, CUP style checks are done - mainly via Virsa Compliance Calibrator (remember that!) and risk free requests are then provisioned.

Downside is having to maintain the database of information, when people move on (upwards or out of the organisation) and ensuring everyone who has a role owner / approval responsibility actually takes the task seriously.

Would be better to try to have this in SAP, but with our external database, you can query this from the intranet, when requesting access.

> 
> BTW "everybody went for GRC" is a really strong claim. From my experience not everyone went to GRC.
> 

We do a lot of GRC work so our client base is well represented in that area, however I would be very surprised if there were >50% of UK companies using SAP that use a GRC tool.

Otto - a few clients have solutions similar to that Julius mentioned, although sometimes it's web-based. Others use spreadsheets or custom databases.

> Interesting point, Arpan. Auditors. Are auditors hapoy with Excel "owners"? I cannot imagine that.

Frequently yes. They will perform sample testing to ensure that the listed owners have approved any changes.

> Another way of asking my question is: why companies establish the role ownership. Why do they need it?

They need to ensure that those with responsibility for processes and data certify the users who are able to perform (parts of) those processes and access that data. Generally role owners or approvers with delegated authority approve one or both of the user and the roles which they use to access that functionality and data.

> You mentioned that role owner is involved in "approval workflow", when somebody request a role, right? Do companies really involve business users (the role owner) when a need to change the role arises for example? Do the owners do the testing of roles? Do companies ask the role owners to review the assignment to users?

Very briefly, mostly, sometimes, yes

Most companies involve the business or their nominated representatives when a change to a role occurs. The roles are the method by which users interact with their processes and data so it makes sense that they approve changes to how the interaction occurs, any controls in place etc. Of course, the real trick here is to ensure that the business understands what they are approving and the context in which they are approving this. Being able to communicate this is one of the hardest yet most important part of the job!

Owners will sometimes test the roles but usually it will be someone nominated on their behalf.

Where joiner, mover, leaver processes are not good then access creep will happen. Over time users move jobs and their access isn't revoked. Temporary accesses are left permanently etc. User access review / recertification is an important control to monitor this. In the worst case users access isn't removed but if the owner of the process and / or data accepts the risk then that's fine. A good JML process will reduce the likelyhood of this happening.

> I know, I know, too much philosophy, but I think I know how this is suppose to work, but don`t have enough numbers or evidence to learn how other companies do that. And there is a difference between "best practise" (ideas above) and "real life" (which is often different).
> Cheers Otto

Questions are always good, we should always ask why we are doing these things and challenge the "status quo".

Additionally it is very unfair on the poor basis guy to have to make business access decisions.

9 times out of 10 they get the better of you and you assign / build roles according to the principle of least resistance...

Role ownership is the IMO the first key step in the right direction.

Cheers,

Julius

Gold,

First of all, I'm glad for the feedback.

I´ve exposed an example with a critical transaction. I mean, the role owner could define critical actions that would like to be informed when some user perform such action.The module SPM of GRC covers some of this ideas. I didn´t mean to control every user movement, It's impossible to work without a sort of "trust" relationship.

Thank you very much indeed for your responses

Diego.

> best i've seen is my previous company where Functional Analyst teams (OTC, ATR, MTS, etC) each had a security lead, who owns all roles for the area. 

> I think role ownership is a bad idea.  Roles are just fragments of a bigger business process.

I'm not sure I understand the distinction. You still have "ownership" in both of your scenario's however the model of implementation is different.

For cross-area roles, it was an informal discussion and one FA was picked to represent and approve the change.

This is an interesting comment, as it requires data classification and ownership within the boundaries of single roles - to be able to build bigger and better ones which closely match the job function.

Does the role provide access to data which has a critical classification? If so, then (a) who owns those sets of data requiring approval to be included in the role and (b) who approves the assignments of the role knowing that they access the sets of data?

It is imaginable that for users from a certain job function or having a certain org-type attribute the process could be simplified and for others it should be a significant hurdle if they have nothing to do with the role. In an organization anything bigger than a restaurant I cannot imagine this being done properly without a tool and some degree automation and a rule set behind it.

I think role ownership is a bad idea. 

Did they plan spin-the-bottle to decide or what happened?

Cheers,

Julius

Hi Experts,

I just want to give my opinion regarding this topic. I´m far to be an expert. I just pick one nice definition from this article (http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80c094de-90aa-2910-02b8-e31a6f5ff0c2)

Business Process Owners (BPOs) - staff responsible for protecting the integrity the information and processes supported by an IT system. BPOs are in charge of

u2022 Identifying risk and/or approving controls for monitoring risks

u2022 Approving remediation to address user access issues in the IT system

u2022 Designing alternative controls to mitigate Segregation-of-Duties issues

u2022 Communicating access assignments or role changes

Recommended by this note: 1593056

The concept of role owner should be connected with the concept of BPOs.

The BPO of the corresponding area (MM,IT,TR, etc.) could be the role owner of all the roles inside his/her area.

Example scenario: a user u201CAu201D change the configuration of the client because he/she has the role u201CZ_CLIENT_ADMINu201D assigned. Due to this change a fraud or a system damage occurs. Who should take over this situation?. I think, the role owner could be, because he/she is responsible to the changes done with the transactions contained by the role (i.e SCC4) and he/she also participated in the assignment role assignment in some stage of the workflow.

Regards,

Diego.

The "data owner" of SCC4 should be "basis team" in client '000' as it is not a "Business Process".

Client '066' should be deleted ideally (as user Earlywatch has this there as well). You also dont need to restrict the cost center reporting if user SAP* does not exist somewhere... (also "basis owned" unless not taken care of).

Etc.. (black box)... etc...

Problem solved IMO.

Now what is with the cost center reports? That is where the noise starts IMO.

- Do you want to ask each cost center owner about their requirements? (remember that they will not want their own controllers to see where they put benzin in their car and when!)

- Do you want to talk to higher management to decide on a policy (and company culture...) about cost centers.

--> You need to find the real data owner and decision maker (relatively quick and efficient role built is possible) and not the hordes of people who will want to have something to say at the meetings (chances are good that you will never go live)

Cheers,

Julius

ps: However if you can use Analysis Authorizations in a clever extracted way and defer the folks from the meetings to the portal, then a consultant or developer probably owns the process...

> That means: if he is supposed to be responsible for every transaction in every role he "owns", he would have to spend all his working hours monitoring what people do with his roles... or not? It feels like he would not have time for real work, if you build this concept like this. Of course I exaggerate, I am known for it, but still, it feels that way.

I don't see that as being any different to all the other "everyday" activities which people perform. A manager can't monitoring all the phone calls of people in their department as it would be impossible to track. A phone call can cause havoc that an malicious PO or refund cannot if there are the right controls in place.

This is where security must be put in context. We have owners of business processes who identify the risks and the controls they feel mitigate them to an acceptable level (or they just accept them). The trick is to be able to successfully articulate what a role does in the context in which it is being used.

"Running FB01 for company code 1000" means much less than "post a manual journal entry for the head office". This is another argument for the "job role" approach - either physically represented by 1 role or as a virtual construct.

A manager will know what their staff jobs are and they should do what they need to do to gain assurance that their teams can do what they are supposed to do in the system which supports their business processes.

Cheers

Hi

Role ownership is a hinterland (is that the correct word?) where role owners rely on security to help guide them in their decisions (permissions/ account types yadayada). The roles (job/composite/etc) are dynamic and need constant review to keep them in check(IMO).

A spreadsheet/matrix of what users user groups should do is a nice to have in a clearly defined org with set business processes but, in reality, it's a bxxxh to follow quickly in admin when you get the 'but they also need to.. in their old job'

Cheers

David

Can't spell BXXXh

Edited by: David Berry on Nov 28, 2011 12:27 AM