
GRC 10 - Options for making non-SAP Roles Selectable on Access Request

Former Member
0 Kudos

Hi All,

I was curious if others have experiences or ideas on the best approach for making non-SAP roles selectable on a GRC Access Request?  The non-SAP roles would trigger a manual provisioning step within the request workflow.

This was a simple process in GRC5.3 CUP via a role import from file into the GRC5.3 CUP tool.  With the 5.3 import, all the non-SAP roles were selectable for provisioning.   In GRC10, the non-SAP roles can be easily imported into BRM via template file upload, but are not selectable via an Access Request form.

  • We have our non-SAP systems setup as Logical Connectors via SM59.
  • We are able to import these roles in BRM using the “Role Import” feature using the role template files.
  • The non-SAP roles are successfully imported & exist in BRM with Production setting
  • They cannot be added to an Access Request.  We believe this is due to the flag on the BRM record under: Additional Details > Provisioning > Role Exists = NO

It does not appear that this field can be maintained via BRM.   Is there any way we can force this synchronization directly from BRM to ARM?

It is our understanding that this “Role Exists” flag is updated via the GRC Repository Synchronization jobs.  When the synchronization runs against the back-end connector and locates the role, it determines it exists (YES) and the role is selectable via an Access Request.  Ultimately this seems to link the BRM role ID found in the GRACROLE table (where our non-SAP roles exist) to the GRACRLCONN table via the AC_REF_ROLE_ID field for each connector.

What options may be out there for this synchronization for non-SAP systems?  Or is there some completely different alternative approach we should be considering?

We are starting to investigate using the Legacy System file server import feature that is out there for Risk Analysis.  Has anyone used Legacy System import to get non-SAP roles into ARM for a provisioning request?  Due to a large # of non-SAP logical connectors, I'd hope to avoid this option as that would require a load of all non-SAP roles into BRM + managing a legacy file(s) for each non-SAP connector.

I appreciate any thoughts or experiences!
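The GRACROLE / GRACRLCONN linkage described in the question, as an added example that is not part of the original post: a reconciliation query over constructed, simplified stand-ins for the two tables that lists BRM roles with no connector link, i.e. the ones that would show Role Exists = NO. Only AC_REF_ROLE_ID comes from the post; ROLE_ID, ROLE_NAME and CONNECTOR are assumed column names and may differ in a real GRC 10 system.

```sql
-- Constructed, simplified stand-ins for the two GRC repository tables named in
-- the question. Only AC_REF_ROLE_ID is taken from the post; ROLE_ID, ROLE_NAME
-- and CONNECTOR are assumed column names and may differ in a real GRC 10 system.
CREATE TABLE GRACROLE_SAMPLE (
    ROLE_ID   VARCHAR(32) PRIMARY KEY,
    ROLE_NAME VARCHAR(60) NOT NULL
);

CREATE TABLE GRACRLCONN_SAMPLE (
    CONNECTOR      VARCHAR(32) NOT NULL,
    AC_REF_ROLE_ID VARCHAR(32) NOT NULL REFERENCES GRACROLE_SAMPLE(ROLE_ID),
    PRIMARY KEY (CONNECTOR, AC_REF_ROLE_ID)
);

-- Constructed sample data: one ABAP role the repository sync has linked to its
-- RFC connector, and two non-SAP roles imported into BRM that the sync never
-- finds on a logical (SM59) connector.
INSERT INTO GRACROLE_SAMPLE VALUES ('R0001', 'Z_FI_AP_CLERK');
INSERT INTO GRACROLE_SAMPLE VALUES ('R0002', 'AD_GRP_FINANCE_RO');
INSERT INTO GRACROLE_SAMPLE VALUES ('R0003', 'AD_GRP_HR_ADMIN');

INSERT INTO GRACRLCONN_SAMPLE VALUES ('ECCCLNT100', 'R0001');

-- Roles present in BRM but with no connector link at all: these are the
-- records that show "Role Exists = NO" and cannot be picked on a request.
SELECT r.ROLE_ID, r.ROLE_NAME
FROM GRACROLE_SAMPLE r
LEFT JOIN GRACRLCONN_SAMPLE c ON c.AC_REF_ROLE_ID = r.ROLE_ID
WHERE c.AC_REF_ROLE_ID IS NULL
ORDER BY r.ROLE_NAME;

-- The same check scoped to a single connector, useful after a repository sync
-- to confirm which roles are now linked to that connector and which are not.
SELECT r.ROLE_NAME,
       CASE WHEN c.AC_REF_ROLE_ID IS NULL THEN 'NO' ELSE 'YES' END AS ROLE_EXISTS
FROM GRACROLE_SAMPLE r
LEFT JOIN GRACRLCONN_SAMPLE c
       ON c.AC_REF_ROLE_ID = r.ROLE_ID
      AND c.CONNECTOR = 'ECCCLNT100'
ORDER BY r.ROLE_NAME;
```

Run it against the real tables only after confirming the column names in SE11; the join condition on AC_REF_ROLE_ID is the part that reflects the question.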

Accepted Solutions (1)

0 Kudos

Hi Nathan,

As you rightly mentioned, apart from GRACROLE, roles need to exist in the GRACRLCONN table for them to be available for selection on Access Requests.

For Legacy file system type connectors, the only option to sync roles into the repository is by configuring logical file paths and names through tcode FILE and maintaining the logical file path against the connector in the AUTH scenario.

I have done this before for a demonstration at one of my customers. You would need to set up a periodic process for keeping the roles in the GRC repository (ARA) / (BRM) synced with the Legacy application.

Regards,

Amol

Answers (4)

Former Member
0 Kudos

We are having the same issue when trying to provision AD Groups. This was possible with 5.3. Has anyone been successful in provisioning AD groups?

Thanks

Anthony

GBP
Explorer
0 Kudos

The issue is resolved. Once the AD group is imported into BRM, you have to do the full sync for that particular connector and then it will show up in the access request creation.

Thanks,

Gautam.

Former Member
0 Kudos

Hi Nathan,

The scenario that you are requesting is not possible. You cannot select the Non-SAP role in the access request.

Hope this helps

Best Regards,

Nandita

Former Member
0 Kudos

Trevor & Amol - Thanks for the thoughts & responses.

Trevor - We also opened a message asking for a more efficient way to manage this process, but were essentially told no such solution exists beyond legacy file system sync.  Unfortunately for us creating the non-SAP roles directly in GRC as template role type or even business role type was not possible as all of our requests come into GRC via webservice submission via an IDM tool (rather than being submitted within GRC through its Access Request Form) - template role type & business role type are not supported via IDM/webservice provisioning.

We have ~60 non-SAP systems to provision for, so the prospect of managing 60 different legacy system files & structures just to sync roles that we've already loaded into BRM seemed a bit burdensome.  After brainstorming various options, what we came up with for our scenario was an 'easier' workaround:

We chose to actually create our non-SAP roles in an unused ABAP system as PFCG roles (just role name & description were maintained and loaded via eCATT).  We then changed our ~60 non-SAP connectors from SM59 Logical Connectors to RFC Connectors.  We pointed each of these non-SAP RFC connectors to the same back-end ABAP system where we had created our non-SAP roles.  We were then just able to leverage the standard ABAP system RFC repository sync programs to bring these roles into the GRC repository so that the GRACRLCONN table thinks they "exist" and are available to be requested.

trevor_wyatt
Discoverer
0 Kudos

We have the same issue and an open message with SAP to find a better way than to do a legacy file sync.  In 5.3 it was pretty simple, but in 10.0 it takes too much syncing to make your roles available.  Although my workaround is to just import the roles as a template role rather than a technical role and then they are available on the request.  The downside to that is they are not associated with a specific system.  Thanks