Missing Authorizations Scenario (SU53) in GRC AC 10

Former Member
0 Kudos

Hello Gurus,

Good evening!

I was wondering how the GRC AC 10 system can help when an end user has missing authorizations?

The general scenario is: if an end user hits a transaction and gets "Not Authorized", he will send an SU53 screenshot, and depending on that the Basis/Security person will assign a role or directly add a transaction to his "Base/Default" roles.

I am unable to visualize how we can handle this scenario of missing authorizations in CUP or BRM.

Please provide me your inputs on the same.

Thanks in advance.

Regards,

Victor

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Victor,

I know that if you don't have the right roles/authorisations assigned you are either:

1) Not shown that screen/functionality within NWBC

2) If you do try to perform a task for which you don't have the access assigned, an error message appears on the screen e.g.

"No authorization to change process SAP_GRAC_ACCESS_REQUEST." with a red error icon.

I tried to look at SU53 records for the user I got that error with, but it didn't seem to produce an error report.

Have you tried switching a trace on the user? Not tried it myself, but worth a shot.

Former Member
0 Kudos

Hello Kaushal,

I am not sure if you understood my issue.

My issue is, our GRC system is connected to various ERP systems.

Now if any ERP user has missing authorizations, then he would send an SU53 screenshot (prior to GRC).

So my question here is: how do we handle or cater to the "Missing Authorizations" scenario in the GRC system?

I hope this will help you understand my problem.

Thanks in advance.

Regards,

Victor

Former Member
0 Kudos

Hi Victor.

Am I correct in understanding that your concern is more about how the Security admin will determine which role/access to assign to the user given the SU53 report?

Personally, I would still use a report like SUIM within the local system to determine the correct role to assign to the user (if they should have it in the first place). Obviously ensure that the required roles are imported into the GRC system.

In summary, use your "As-is" process to identify what the authorization issue is, as well as the method for determining which role to provide to the user to resolve the issue, but the only thing that has changed is the "how to assign the access", i.e. you are not using SU01/PFCG, as it would be hoped that you are using the GRC Access Request functionality to submit the role request/s.

I hope that has cleared up the initial misunderstanding I had.

Former Member
0 Kudos

Hello Victor,

GRC won't help you with this point. If you have missing authorizations, you have either to correct a role or to assign the proper role to a user. At this point GRC comes onto the scene to answer the questions: If I assign role R to user A, will this generate new risks on user A? Or: if I change the role R, will this change generate new SoD conflicts in the role R itself or in the users who have the role R assigned? This is what GRC will answer for you, and having such an automatic tool is great.

For missing authorizations you'll need to work with SUIM, SU53, ST01, etc. You can evaluate the changes in a sandbox system for example, with a test user and a test role to make sure that the changes you're performing are correct.

Hope this answers your question.

Cheers,

Diego