
Connector Group Setup (best practice)

0 Kudos

Hi GRC colleagues,

I have a question related to the connector group setup.

We are on GRC AC 10.0 (SP 8)

We currently support the following system landscapes with our SAP GRC Production system:

Solman (DEV/PRD)

ECC (DEV/PRD)

BW (DEV/PRD)

On the DEV systems we use role management and risk analysis.

On the PRD systems we use provisioning and risk analysis.

For each system landscape we created a connector group and assigned the DEV and PRD connectors to it.

Is this the right way to do so? We notice that when creating an access request (for Production) the GRC system also shows the DEV systems in the selectable systems, and in the role search both the roles on DEV and PRD are shown. This is not what we would like. We only want the PRD system and roles to be selectable.

How can we manage that? Do we need to create specific connector groups for PRD only? Or did we overlook something?

Thanks a lot for your help!!

Accepted Solutions (1)

Former Member
0 Kudos

Dear Dave,

Your landscape looks good. Try restricting the access of the user who is creating the request to the production system only (field GRAC_SYSID). Let me know if this is helpful.

Best Regards,

Mohammed

Answers (4)

0 Kudos

All,

Thanks a lot for your answers.

I will have a look in the authorization object to see if this will help us.

About the role search. I meant the role search in ARM (when selecting the roles to be added to the request). There I would expect only roles for PRD to appear, but I guess that is not possible.

Regards,

Dave.

Former Member
0 Kudos

Have you tried to accomplish your objective via the role name field in authorization object S_USER_AGR? Of course you need to set up a role naming convention differentiating development roles from production roles.

Former Member
0 Kudos

Hi Dave,

Nuno & Mohammed are correct. Within authorization object GRAC_SYS there are three important authorization fields: ACTVT, GRAC_ENVRM and GRAC_SYSID.

ACTVT: 03 (display), 02 (change)

GRAC_ENVRM: DEV, QAS, PRD

GRAC_SYSID: your connectors

First, how have the authorization field values of this object been set up in the assigned GRC roles? You can check this via table AGR_1251.

Second, if both role maintenance and role search are done from the same GRC environment, it is not that illogical for all the connectors to appear.

Good luck
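The AGR_1251 check suggested in the reply above can be scripted over a table extract. This is an added example, not part of the original posts: it reports roles whose GRAC_SYS authorization admits a DEV connector through the GRAC_SYSID field only. The role names, authorization names and connector IDs are constructed sample values.

```python
from collections import defaultdict

# Constructed sample rows, using AGR_1251 columns:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED)
ROWS = [
    ("Z_GRC_REQUESTER", "GRAC_SYS", "T-G100001", "ACTVT", "03", "", ""),
    ("Z_GRC_REQUESTER", "GRAC_SYS", "T-G100001", "GRAC_ENVRM", "PRD", "", ""),
    ("Z_GRC_REQUESTER", "GRAC_SYS", "T-G100001", "GRAC_SYSID", "ECCPRD100", "", ""),
    ("Z_GRC_REQUESTER", "GRAC_SYS", "T-G100001", "GRAC_SYSID", "BWPPRD100", "", ""),
    ("Z_GRC_ENDUSER", "GRAC_SYS", "T-G100002", "ACTVT", "03", "", ""),
    ("Z_GRC_ENDUSER", "GRAC_SYS", "T-G100002", "GRAC_ENVRM", "*", "", ""),
    ("Z_GRC_ENDUSER", "GRAC_SYS", "T-G100002", "GRAC_SYSID", "ECC*", "", ""),
    ("Z_GRC_OLD", "GRAC_SYS", "T-G100003", "GRAC_SYSID", "*", "", "X"),
]

# Constructed connector IDs for the DEV systems of the three landscapes.
DEV_CONNECTORS = {"ECCDEV100", "BWPDEV100", "SOLDEV100"}


def allows(low, high, value):
    """True if an authorization value (single, trailing-* pattern, or range) admits value."""
    if high:                      # LOW..HIGH interval
        return low <= value <= high
    if low.endswith("*"):         # generic value such as ECC* or *
        return value.startswith(low[:-1])
    return low == value


def dev_exposure(rows, dev_connectors):
    """Return {role: sorted DEV connectors admitted by its GRAC_SYS/GRAC_SYSID values}."""
    exposed = defaultdict(set)
    for role, obj, _auth, field, low, high, deleted in rows:
        # Skip other objects and fields, and entries flagged as deleted.
        if obj != "GRAC_SYS" or field != "GRAC_SYSID" or deleted == "X":
            continue
        for conn in dev_connectors:
            if allows(low, high, conn):
                exposed[role].add(conn)
    return {role: sorted(conns) for role, conns in exposed.items()}


if __name__ == "__main__":
    for role, conns in dev_exposure(ROWS, DEV_CONNECTORS).items():
        print(f"{role}: GRAC_SYSID admits DEV connectors {conns}")
```

Roles that list production connectors explicitly produce no finding; generic values such as `ECC*` or `*` are what pull DEV connectors into the selectable systems.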

Former Member
0 Kudos

Hi Dave,

Hope everything is going well with you.

Regarding your question, if you don't want to see the DEV connectors when searching for the systems in production for a specific scenario, the only way to exclude them is by restricting the authorizations.

Try restricting the authorization object GRAC_SYS in your roles for the relevant scenario.

http://scn.sap.com/thread/3328001

Good luck.

Kind regards,

NJ

0 Kudos

Hello Dave,

Connectors mapped to the connector group will always show while you do a role search. Hence the DEV system will always be visible in the role search.

But if you want to control which roles appear, you can do it in the Provisioning tab under the Additional Details tab in BRM as shown below.

You need to set the "provision Allowed parameter" to NO for the DEV system and YES for the PRD system.

By doing that, only roles mapped to PRD will appear in the Role search option in the access request.

Regards

Rajendra