Guidance needed for User Access Review in AC 10

Former Member
0 Kudos

Hello,

We are in the process of migrating the SPM and RAR 5.3 functionalities to 10.0 with an implementation goal of April 2013. We are not migrating and not utilizing the functionalities of BRM and ARM at this time. We have not configured BRM and ARM in our migration process (with the exception of the common component settings that are required for the full functioning of EAM and ARA).

With that said, we are interested in looking into User Access Review functionality. We are interested in configuring UAR and implementing in Production for our SAP security audit.

We are looking at the AC 10 User Access Review Reference Guide at the moment and I find this document very helpful.

What I am looking for is guidance from the community on best practice to move forward with configuring UAR for AC 10 without full configuration/utilization of the BRM and ARM functionalities.

  • Is this common to do?
  • Is it feasible?
  • What are your experiences with UAR in AC 10?
  • Are there key configurations that need to be in place that are not referenced in the UAR Guide provided by SAP?
  • Most of our roles we want managers to review. However, role owners review other roles. What is the best practice for removing certain roles from the manager review and only allowing them to be reviewed by the role owner?

A couple more things:

  • In our testing environment, when I run the job GRAC_ROLEREP_ROLE_SYNC, nothing happens. No roles get "synced" to the "repository." I am not sure why. I am not fully certain what this job does. The GRAC_ROLEREP_USER_SYNC job works correctly for all connectors.
  • At first glance, the tricky part will be the Importing Roles piece. We will want to import roles from 5 connector systems. We store Role Owner in a customized field so I'm thinking we'll want to perform the import from a file and verify the role owners are mapped correctly, the detailed descriptions are all there, etc. Any thoughts on best practice around doing this?

Thank you for taking the time to read this. Any guidance or information would be greatly appreciated. Let me know if I need to clarify any of the above.

Jes

Accepted Solutions (1)

FilipGRC
Contributor
0 Kudos

Hi Jes,

Starting from the end:

Program GRAC_ROLEREP_ROLE_SYNC synchronizes role master data from the designated backend system. This is part of Repository object sync, and it can be run in incremental or full sync mode. The job should be run on a weekly basis. It depends on the language and connector selected.

After you have successfully run this job you should next import roles for each of your 5 systems, so go to:

Access Management > Role Mass Maintenance > Role Import. The Role Import screen appears.

After you run this job successfully, your role repository is ready to be updated with all important role information, e.g. role owner or manager. To do this you need to go to:

Access Management > Role Management > Role Maintenance.

Once you open it, you should be able to see the list of roles. This is the place where you can update all roles with important information like owner, business process, sub-process, etc. This functionality is a part of Business Role Management.


Coming back to the beginning of your question - I would not recommend going for UAR 0 without full configuration/utilization of the BRM and ARM functionalities. This is an integrated solution - I have already implemented 3 full cycles and we always went through the ARA, SRM, BRM and MSMP (ARM) path. Another order is possible, however you need to first understand the data dependency structure and constraints in the tool to pick up bits and pieces.

Hope this helps,

Filip Nowak


Former Member
0 Kudos

Thank you, Filip, for your information and guidance. It is very much appreciated. We are still investigating the feasibility of this and how we want to go forward with our UAR. We understand that dependency structure and constraints need to be a focus of ours if we decide to go forward.

Any other thoughts or information from forum members would be greatly appreciated also.

Thanks

Jes

Answers (1)

Former Member
0 Kudos

This message was moderated.