09-05-2012 6:46 PM
Hello Experts,
In our GRC 10 system around 20 users showed up in risk analysis through profile not by role. When I checked their access in SAP I don't see the role associated with this profile but the profile is there in the master data. I tried SUIM report to find out how they got this profile but failed. If anyone knows a way to find out how they got this profile that would be great. Any suggestions or best practice to remove this risk would also help.
Thanks
Afsar
09-07-2012 4:01 AM
Hello Afsar,
Do you perform a daily user comparison? This is usually scheduled via PFUD or the report PFCG_TIME_DEPENDENCY. Can you check in table UST04 if the users have the profiles??
If a role assignment is due or if you remove roles directly from PFCG instead of SU01 for example, profiles are not adjusted automatically....
Cheers,
Diego.
09-10-2012 4:53 PM
No, we don't perform PFUD on a daily basis. I double checked the history and found out that these useres once use to have the role but it was been removed. However the profile didn't got removed. Can I just delete the profile from user master data?
09-11-2012 2:58 AM
Hi!,
If you have removed the profile form PFCG or the role is due the profile will be there assigned to the user until you perform a user master comparison. You have to perform it daily, user comparison is very important! . You can try first to perform a user comparison in PFCG for the role you mentioned, and the profile assignment should disappear.
Cheers,
Diego.
09-11-2012 10:16 AM
You really really need to catch up on Basis Security tasks... there is little use implementing GRC risk analysis if you're not following the basic profile maintenance procedures....
09-07-2012 9:42 AM