
Using RAR 5.3 to test SAP role changes against production users

Former Member

Our Security group manages the SAP roles. They want to be able to make a role change in one of our test SAP systems, and then run a Risk Analysis report in our test RAR system to see what effect this change would have against production users. Basically, if we make X change to a role, are we going to suddenly have 999,999 SODs show up when we move that role change into production. They currently are trying to do this by running a Simulation using the Role Level analysis report, and I'm not sure if they are doing this correctly. I'm not sure if it works the way they think it works. I know we can use RAR to test RULE changes, wasn't sure if we can also use it to test ROLE changes.

We are on GRC 5.3 SP18, and we are not using the ERM system.

Thanks.

Accepted Solutions (1)

kevin_tucholke1
Contributor

Bob:

In 5.3, you would need to find all the users with the particular role (either directly or indirectly assigned) and make the same authorization change simulation at the user level as you would when doing the role simulation.

This is a limitation of the AC5.3 system. SAP Access Control v10.0 has 'Impact Analysis' available when doing role authorization simulations, but that feature is not available in v5.3.

Also, to clarify your comment on 'rule changes'.  You are not able to simulate RULE changes only Authorization Changes.  You can simulate authorization changes on Users / Roles / Profiles.

Thanks,

Kevin Tucholke

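The workaround Kevin describes (find every user who holds the role directly or through a composite role, then simulate the authorization change against each of those users) can be modelled outside the tool. The Python below is an added example, not code from this thread and not part of SAP GRC or RAR. It assumes a simplified rule set in which a function is a set of transactions and a risk fires when a user can execute at least one transaction from each of the risk's functions; every role, user, function and risk name is constructed for illustration.

```python
"""Toy model of a user-level SoD simulation for a single-role change.

All data below is constructed for illustration; it is not an SAP rule set.
"""

# Constructed: single roles and the transactions (actions) each grants.
ROLES = {
    "Z_AP_INVOICE": {"FB60", "MIRO"},
    "Z_AP_PAY": {"F110"},
    "Z_VENDOR_DISPLAY": {"XK03"},
    "Z_BASIS_DISPLAY": {"SU01D"},
}

# Constructed: composite roles, i.e. indirect assignment of single roles.
COMPOSITES = {
    "ZC_AP_CLERK": ["Z_AP_INVOICE", "Z_VENDOR_DISPLAY"],
}

# Constructed: user -> assigned roles (single or composite).
USERS = {
    "AP_USER1": ["ZC_AP_CLERK"],
    "AP_USER2": ["Z_AP_INVOICE", "Z_AP_PAY"],
    "BASIS1": ["Z_BASIS_DISPLAY"],
}

# Constructed rule set: function -> transactions; risk -> conflicting functions.
FUNCTIONS = {
    "AP01": {"FB60", "MIRO"},   # enter vendor invoices
    "AP02": {"F110"},           # run the payment program
    "MM01": {"XK01", "XK02"},   # maintain vendor master data
}
RISKS = {
    "P001": ("AP01", "AP02"),   # invoice entry + payment run
    "P002": ("MM01", "AP02"),   # vendor maintenance + payment run
}


def expand_roles(assigned, composites):
    """Resolve composite roles to the single roles they contain."""
    singles = set()
    for role in assigned:
        if role in composites:
            singles.update(composites[role])
        else:
            singles.add(role)
    return singles


def users_with_role(role, users, composites):
    """Users holding `role` directly or via a composite (the first step Kevin names)."""
    return sorted(u for u, a in users.items() if role in expand_roles(a, composites))


def user_actions(user, users, roles, composites):
    """Union of all transactions the user's single roles grant."""
    actions = set()
    for role in expand_roles(users[user], composites):
        actions |= roles.get(role, set())
    return actions


def risks_for_actions(actions, functions, risks):
    """A risk fires when the user can run at least one action of each of its functions."""
    return {rid for rid, funcs in risks.items()
            if all(functions[f] & actions for f in funcs)}


def simulate_role_change(role, new_actions, users, roles, composites, functions, risks):
    """Apply the change only to a copy of the role and re-run the user-level analysis.

    Returns {user: (risks_before, risks_after)} for every user who holds `role`.
    """
    changed = dict(roles)
    changed[role] = set(new_actions)
    result = {}
    for user in users_with_role(role, users, composites):
        before = risks_for_actions(user_actions(user, users, roles, composites), functions, risks)
        after = risks_for_actions(user_actions(user, users, changed, composites), functions, risks)
        result[user] = (before, after)
    return result


def new_risks(simulation):
    """Only the risks a user would gain from the change (what the role move introduces)."""
    return {u: after - before for u, (before, after) in simulation.items() if after - before}


if __name__ == "__main__":
    # Proposed change: add the payment run F110 to the invoice-entry role.
    sim = simulate_role_change("Z_AP_INVOICE", {"FB60", "MIRO", "F110"},
                               USERS, ROLES, COMPOSITES, FUNCTIONS, RISKS)
    for user, (before, after) in sim.items():
        print(user, "before:", sorted(before), "after:", sorted(after))
    print("new risks introduced:", new_risks(sim))
```

On the constructed data, adding F110 to Z_AP_INVOICE introduces P001 only for AP_USER1, who holds the role through the composite ZC_AP_CLERK; AP_USER2 already had F110 from Z_AP_PAY and was violating P001 before the change, so the change adds nothing for that user. That per-user before/after view is what a role-level simulation alone does not give you in 5.3.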

Former Member

Currently, they are running a Role Level Risk Analysis simulation report. On the top part they are selecting the production SAP system and the Composite role that contains the role they are changing. On the Simulation part, they are selecting the test SAP system and the single role they are changing.

They say this way is supposed to pull the users/roles from the production system (because that is what is entered in the top part), and the role changes from the test system (because that is what is entered in the bottom/simulation part).

Will this work the way they think it will?

If not, what will it do?

Thanks.

Former Member

Dear Bob,

Running the simulation will help you identify the risks that the user will possess if you assign that role to that user. The security group is doing it the correct way. Running the simulation is the best way to identify the violations without actually assigning that role to the user.

Thanks & Regards

Japneet Singh

Former Member

OK, so if they are running it correctly then we have something wrong with our RAR system.

If they run the simulation with the same system in both the top and bottom sections (either test/test or prod/prod), they get 10 SODs for 2 risks.

(NOTE: The test system used here was copied from production on 05/10, so they should be very similar, if not exactly the same.)

If they mix the systems (either test/prod or prod/test), then they only get 6 SODs for 1 risk.

They are saying they didn't make any change that should affect SODs.  If that is true, then they should get the same number of SODs for any combination of systems.

Thanks.

Answers (0)