cancel
Showing results for 
Search instead for 
Did you mean: 

GRC10 - SAP Standard Single Profile (Import)

former_member274402
Participant
0 Kudos

Hi,

We are in the process creating business roles and our thought this process we are planning to provision our access over clients. We have some
clients where we want to provision SAP standard profiles to and have not found a place to import these profiles to GRC … I could be mistaken. Would you please advise if you have imported profiles into 10 to do provisioning to SAP clients?

Single profile wanted to import is: S_A.SYSTEM >

 

Regards, Melvin

Accepted Solutions (1)

Accepted Solutions (1)

Colleen
Advisor
Advisor
0 Kudos

Gretchen's right about this - use PRF for Role type (SAP Profile). Before importing, check you have the Role Type activated and have not enforced a naming convention for PRF in IMG.

In GRC, Profiles are a type of Role (it can be a bit confusing when referring to Role Repository for SAP Profiles). Make sure you don't import the generated profiles as GRC/plug in system won't allow you to provision them to users.

former_member274402
Participant
0 Kudos

Hi,

Thanks, it worked. I have the role uploaded into 10, but know I have the following issue :-), sorry dumping this in the pot.. We are creating business roles provisioning access over all tiers and clients:

Would you be able to advise why the following might occur: ->> All SYNC Jobs ran...

When activating the profile for provisioning I am able to see, request the profile and it provisions to the DEV clients fine from here.

 

When creating a business role the profile does not pull through?
Why do you think is?

Regards, Melvin

Colleen
Advisor
Advisor
0 Kudos

Hi Melvin

The Add Role for this section deliberately excludes role type = PRF for Profile. I suspect business roles only take the single, derived, composite roles (three types of SAP technical roles) and other business roles

If you want to enable SAP_ALL level access, you might need to build a single role with the SAP_ALL access and then map that to the business role. Each enhancement pack, etc you will need to check if new objects have been introduced.

former_member274402
Participant
0 Kudos

Hi,

  1. I hear and thanks for the feedback … I would not want to
    build a SAP_ALL role I want to import the profile. This will be additional work
    every time SP comes out making sure the profile is still insync with the roleAny other thoughts?

Cheers, Melvin

Colleen
Advisor
Advisor
0 Kudos

I guess the reality of the business role - it's meant to reflect a person's job/position in non-technical language

best practice SAP security is to not assign SAP_ALL or standard profiles to end users. If you need to assign the profile then you will need to create an PRF entry into the repository for it. Users will then have to request a PRF role instead of the business role.

By adding SAP_ALL in your repository you can then use the synch to update post SPs.

Former Member
0 Kudos

Hi colleen,

Need a help regarding TPL role import.

Can the Template type role be imported as when i am trying it says "Role Type TPL Invalid for PFCG Role Import".

Thanks in Advance, it would be a great help

Ankit sharma.

Colleen
Advisor
Advisor
0 Kudos

Hi Ankit

I'm not going to be much help here. I recall reading or being told that Template Role was not supported for Role Import. However, without being able to find notes, etc I can't confirm

For Role Type PFCG that will only allow SAP Single and Composite Roles

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Thanks for the reply, yes rightly said TPL cannot be uploaded .

here is one small query as well.

I was able to do the Mass role import for a connector group, i require help on provisioning side. as you see attached snapshot if we do the mass role import, the default value for "Provisining allowed" and "Allow Auto Provisioning" is YES, can this be changed to NO as default.

Thanks and regards

Ankit sharma

Colleen
Advisor
Advisor
0 Kudos

Have you tried performing mass update on the roles after you import them?

Answers (1)

Answers (1)

Former Member
0 Kudos

Melvin,

We have not imported SAP delivered profiles but profile is an available "role type" in the mass role import template, so I would expect that to work for your use case.

REF: Column C header

Role Type [SIN / DRD / COM / BUS / PRF / PDP / GRP / TPL] [Mandatory]

Have you tried using the mass role import template?

Regards,

Gretchen

former_member274402
Participant
0 Kudos

No luck ... on the import emplate, I could be doing it wrong though ...

Regards, Melvin