
Understanding ERM and CUP integration in AC 10.0

Former Member
0 Kudos

I'm reaching out in hopes to get a better understanding of how AC 10.0 is meant to handle the ERM and CUP integration (I'm still stuck on the old names :). Any feedback would be greatly appreciated.

Currently, we have a requirement to set up the GRC Production box so it can provision user access in the Production ECC but create security roles in Development ECC. This is typically what we see since most clients want to follow their manual transport process to get the security roles from Dev --> QA --> Prod.

Something I noticed in CUP is when a user adds a role to the request form - the role is associated to a system (i.e. Production ECC or Development ECC). If we create a role using ERM and it only gets generated in Development ECC - will we be able to select this role in CUP for user assignment in Production ECC? (assuming it's been transported outside of GRC)

Note: At this point the new role will only be associated to Development ECC from a GRC perspective? So if we assign it in CUP - it will only be associated to Development ECC...?

Do we have to manually perform another "role import / sync" from the Production ECC to sync the roles so they're available in CUP?

This is based on the understanding that CUP looks for available roles for assignment from ERM rather than the Production ECC. Is that correct? Can we have CUP look in the backend rather than ERM?

My question is around the manual "role import / sync" that needs to get performed for CUP. Is this really mandatory based on the requirements? It would mean I need to perform a "role import / sync" every time a new role is created/deleted/changed... Maybe I'm missing something with the new 10.0 integration / functionality? Are other companies doing something different?

Please let me know what you think. Your insight is greatly appreciated!

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Madhu,

Hope you are well. If I have read your post correctly, in your case I would probably create the roles via PFCG in the actual back-end systems and carry on using the transport system described. You don't need to create and maintain the actual roles from BRM (ERM).

As you have pointed out, utilise BRM to import the roles, so they can be used for assignment via CUP. In your case, use the Mass Role Import utility within GRC 10 and import the roles from the Production system. This functionality will also allow you to define the role credentials (Role Owner, Functional Area etc).

Hope that helps.

Former Member
0 Kudos

Kaushal,

My client needs us to implement BRM at their company. Are you saying that with their requirements, BRM cannot be used?

Thanks,

Madhu

koehntopp
Product and Topic Expert
0 Kudos

I don't see him saying that.

You can perfectly use BRM to create roles in DEV, then transport to PRD manually. You just need to tell CUP that the roles are available in PRD, too, then you can request them there.

Each role has attributes that define in which systems it should be available for requests.

Former Member
0 Kudos

Frank,

Thanks for clarifying my post. I did not at all say that you can't use BRM. You need to use BRM to get the roles recognised within CUP.

Former Member
0 Kudos

Frank,

Thanks for clarifying.

Can you clarify what you mean when you say "you just need to tell CUP that the roles are available in PRD"? What does this mean?

This goes back to the original question - do we need to perform another import of the roles from ECC PRD to ERM? My understanding is that the ERM role repository is looking at my original import of roles and then each role I create using ERM after that. How will it know which roles are in PRD if I don't do a routine synch?

Also, you mentioned "each role has attributes that define in which systems it should be available for requests", where does this get defined? I believe you are referring to the "Role Status" which is set to Development, Production or Testing. I only see the ability to set this during the Role Import, but what about roles which have been created using ERM? I don't see it in the Role details screen - where is the setting?

koehntopp
Product and Topic Expert
0 Kudos

Roles need to be in "production" status in order to be available for workflow.

There is a "systems" attribute which defines where roles should be available. This does not mean they'll be generated there; you can also transport as usual.

Frank.

koehntopp
Product and Topic Expert
0 Kudos

Exactly.

Where 5.3 required you to export roles from ERM to CUP, in 10.0 BRM is the sole source for roles and will be automatically used by requests.

Frank.