07-02-2012 1:02 AM
Hi Gurus,
For RAR HR, mostly risks / controls are created based on the objects, whereas in ECC risks are created based on tcodes / functions. Is my understanding correct? Also let me know if there is a place to find a document on HR risks and steps to take care of while creating risks in RAR.
Thanks
07-02-2012 3:56 AM
Hi Arun,
Though there is no particular document for RAR HR, I have found some related information on this topic.
In SAP HR, customers have the ability to further restrict users as to what they can do using structural authorizations. This is on top of the standard HR security transactions and authorization objects.
There are two ways to implement structural authorization in SAP HR:
1. Context based - this is done using the delivered SAP authorization objects p_orgincon and p_orgxxcon.
2. Standard way using PD profiles which are assigned to users in the organizational structure, via infotype 1017. See the link below for more information on using PD profiles:
http://help.sap.com/saphelp_40b/helpdata/en/bb/bdb338575911d189240000e8323d3a/frameset.htm
If you are using context-based structural authorization, RAR can be used to analyze for conflicts.
Rules are created to include the p_orgincon and p_orgxxcon authorization objects as these provide the structural authorization.
See SAP note 1173980, as the p_orgincon authorization object was added to the delivered rules but in disabled status. This SAP note includes a Word document that explains this in more detail. If a customer uses the PD profiles to do structural authorization, this can NOT be analyzed by RAR.
In order for something like this to be evaluated, supplemental rules would have to be used. However, it cannot be used for structural authorizations because there is no single table that holds the linkage between user ID and pd profile. Without this single table, RAR is unable to perform analysis of pd profiles.
You may also refer to the following SAP notes:
986996 - GRC Access Control - Best Practice for Rules and Risk
1593056 Best Practices for Remediation of Segregation of Duties
1388333 Structural Authorizations - considered in risk analysis
For further details you may also refer to the GRC 5.3 Configuration Guide available in the Service Marketplace.
Regards,
Yukti
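The distinction Yukti draws above (context-based structural authorization is visible to the risk analysis because it lives in the user's authorization objects, while PD profiles hang off the org structure via infotype 1017 and have no single user-to-profile table) can be made concrete with a small model. The following is an added example, not code from the thread and not SAP's own RAR implementation: the rule layout, the user data, the field values and the org-structure tables are constructed for illustration; only the object names P_ORGINCON / P_ORGXXCON and infotype 1017 come from the thread, and the user-to-position-to-org-unit chain is a simplified stand-in for the HR relationships.

```python
from fnmatch import fnmatch

# Constructed sample data: the flat "user -> authorizations" view that a
# risk analyzer can consume. PROFL is the structural profile field carried
# by the context-based objects, so it is visible here.
USER_AUTHS = {
    "HRADMIN1": [
        {"obj": "S_TCODE", "TCD": "PA30"},
        {"obj": "P_ORGINCON", "INFTY": "0008", "AUTHC": "W", "PROFL": "ALL"},
        {"obj": "S_TCODE", "TCD": "PC00_M99_CIPE"},
    ],
    "HRCLERK2": [
        {"obj": "S_TCODE", "TCD": "PA30"},
        {"obj": "P_ORGINCON", "INFTY": "0008", "AUTHC": "R", "PROFL": "DEPT10"},
    ],
}

# Constructed risk: two conflicting functions, each a list of required
# authorization objects with field patterns (fnmatch wildcards). Including
# the context-based object in the function is what lets the structural
# restriction take part in the analysis.
RISK_HR01 = {
    "id": "HR01_CONSTRUCTED",
    "description": "Maintain basic pay (write IT0008 via PA30) and run payroll",
    "functions": {
        "MAINTAIN_PAY": [
            {"obj": "S_TCODE", "TCD": "PA30"},
            {"obj": "P_ORGINCON", "INFTY": "0008", "AUTHC": "W", "PROFL": "*"},
        ],
        "RUN_PAYROLL": [
            {"obj": "S_TCODE", "TCD": "PC00_M99_CIPE"},
        ],
    },
}


def auth_matches(required, held):
    """True if a held authorization satisfies one required object/field set."""
    if required["obj"] != held["obj"]:
        return False
    return all(fnmatch(held.get(f, ""), pat)
               for f, pat in required.items() if f != "obj")


def function_satisfied(required_auths, user_auths):
    """Every required object must be matched by at least one held authorization."""
    return all(any(auth_matches(req, h) for h in user_auths) for req in required_auths)


def analyze(risk, user_auths_table):
    """Return users who hold all functions of the risk (an SoD violation)."""
    return [user for user, auths in user_auths_table.items()
            if all(function_satisfied(reqs, auths) for reqs in risk["functions"].values())]


def context_profiles(user, user_auths_table=USER_AUTHS):
    """Structural profiles the analyzer can see: PROFL values on the context objects."""
    return sorted({a["PROFL"] for a in user_auths_table.get(user, [])
                   if a["obj"] in ("P_ORGINCON", "P_ORGXXCON") and "PROFL" in a})


# PD profiles (the second method) are not a field in the user's authorizations.
# Constructed tables standing in for the HR relationships: the profile sits on
# an org-structure object via infotype 1017, and the user reaches it only
# through position and org-unit links, so there is no single table to read.
IT1017 = {"O 50001000": "HR_DEPT10_PROFILE"}   # org object -> PD profile
POSITION_OF_USER = {"HRCLERK2": "S 50002000"}  # user -> position
ORG_OF_POSITION = {"S 50002000": "O 50001000"}  # position -> org unit


def pd_profile_for_user(user):
    """Resolve a PD profile by walking the org structure (a multi-table join)."""
    pos = POSITION_OF_USER.get(user)
    org = ORG_OF_POSITION.get(pos)
    return IT1017.get(org)


if __name__ == "__main__":
    print("violators:", analyze(RISK_HR01, USER_AUTHS))
    for u in USER_AUTHS:
        print(u, "context profiles:", context_profiles(u),
              "| PD profile (invisible to analyze):", pd_profile_for_user(u))
```

Running it flags HRADMIN1, who holds both functions with a context-based profile of ALL, while HRCLERK2 is clean in the analysis even though the org structure assigns that user a PD profile: `analyze` never consults `pd_profile_for_user`, which is exactly the gap the post describes.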
07-02-2012 3:57 AM
Hi Arun,
You may also refer to SAP note "1277627 - Additional Info for PD Profiles: Access Control v4.0/5.X".
Regards,
Yukti