
How to provide access to Critical Transactions in GRC AC 10.0

Former Member
0 Kudos

Hello Gurus,

We are in the phase of implementing GRC AC 10.0, and have a requirement where there are "Critical Transactions" identified by the Business, and if there is any end user who wants to access any specific "Critical Transaction", e.g. PA30 etc., then it must automatically go to a specific Owner of that transaction.

As far as I know, we can have a workflow for getting a role assigned, but I am not sure if it is possible to have a workflow where every "critical transaction" will have an owner and then on selection of the transaction it will trigger a workflow.

I would also like to know what is a standard, or rather best practice, in SAP GRC regarding providing access to "CRITICAL Transactions"??

We thought of creating a role containing multiple "Critical transactions" and then assigning it to the firefighter ID, for which we have an approval workflow!! But that does not help, as assigning the role will give the user access to some other "critical transactions" as well, which we would like to control.

Looking forward to knowing about the suggestion/solution for this issue.

Thanks in advance.

Regards,

Victor

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

> We thought of creating a role containing multiple "Critical transactions" and then assigning it to the firefighter ID, for which we have an approval workflow!! But that does not help, as assigning the role will give the user access to some other "critical transactions" as well, which we would like to control.

> Victor

I think that only one firefighter with all the critical transactions is not a good idea. I guess it's better to have different firefighter IDs assigned to different users. The point here is to decide if you really want to have a trace for all critical transaction executions.

An example:

Tx. SM37 is considered a critical transaction if the user also has the auth. object S_BTCH_ADM set to "yes". This allows deleting or copying other users' jobs. This is an authorization that a Basis person must have. Do you really want to trace this?

I think that forcing a Basis person to use a firefighter for this is nonsense, because this tx. is part of his/her job. So you should accept this sort of risk, otherwise you'll get to the point where you replace the normal users with FF users. This is not the idea of FF.

Of course, this is just a thought and all depends on your business requirements.

Cheers,

Diego.

Former Member
0 Kudos

Hello Diego,

Good morning!!

Thank you for your reply!!

So far the power users have identified critical transactions in FICO (10), HR (16) and a few in SD (9), which sum up to 35 critical transactions.

My query is: what is the standard best practice regarding assigning a single critical transaction to a user?

E.g. a user XYZ belongs to SD and, for some reason, he wants access to only one FI critical transaction (e.g. OB08).

Is there any way where we can have an owner for various critical transactions, and when any critical transaction is selected there should be a workflow triggered for it??

Or is it only possible by creating a common role for all critical transactions module-wise and then assigning it to an FF ID?

E.g. FF for FICO (with 16 critical transactions), FF for SD and so on.

The drawback of this approach is that the end user will have access to other critical transactions too, which we want to avoid.

Please guide me in this scenario.

Thank you.

Regards,

Victor

Former Member
0 Kudos

Hello Victor,

I want to take your example of OB08 to develop an idea.

OB08 is a customizing transaction; the best practice for this is to change the exchange rates in the customizing client and move the modifications to the production client using a transport request. Your transport procedure should be enough control for the changes. But this case is a very special case, and probably a lot of customers maintain the table directly in prd (example here: ). You can also activate the table logging () for this specific table if you want to trace the changes.

Anyway, I think role-based firefighter could be an option for your scenario:

Cheers,

Diego.

Former Member
0 Kudos

Hello Diego,

Thanks a lot for a very good answer!!

I appreciate your efforts to help me resolve my issue.

Regards,

Victor

Answers (0)