
Role assignments in GRC 10

santosh_krishnan2
Participant

Hi folks,

I know you all have "struggled" with this before, and I wanted to ping you on this.

I've looked at the entire list of GRC roles and assigned them to test users according to the arguably obvious names of the roles.  However, users don't always get all the authorizations that they need.

Here's my specific role assignment quandary.

I want new users to be able to request roles and Firefighter IDs in the GRC central system.  These users are going to use Firefighter IDs for some of their jobs.

I have assigned the following roles (renamed into customer namespace, but the rest of the role names are the same as delivered):

ZGRAC_ACCESS_REQUESTER

ZGRAC_BASE

ZGRAC_END_USER

ZGRAC_NWBC

ZGRAC_SUPER_USER_MGMT_USER

These roles do not allow the user to actually list out the available Firefighter IDs, making it impossible to complete the access request.  To help identify the issue, I assigned role ZGRAC_ALL, which is the super admin GRC role, and this allowed the user to list out the available Firefighter IDs.  I then did some deductive reasoning and found the two objects below. 

GRFN_API

GRFN_CONN

Providing these objects in a test role allowed the test user to list out the Firefighter IDs, but the user wasn't able to look at the systems available to choose from.  Please refer to screenshots to see what I mean.

So now, I'm just trying to understand the minimum set of roles and objects required for the following types of users:

  • Generic user who's requesting a new role in the GRC system to be assigned to their user master
  • Generic user who will be a firefighter, requesting a firefighter ID in the GRC system
  • Access Request approver folks who need to approve these requests
  • Firefighter owners and controllers who will have to approve that assignment request, and then go in and review the logs and approve it
  • Any other defined user type that you know of which I should probably be asking over here

Thanks guys.  I really appreciate this.

Screenshot notes:  The one with the badly scrawled ME in it is what I see when I go in as an admin (note that there is a system name indicated in the dropdown and the associated firefighter ID).

The one with the badly scrawled "test user" doesn't have a system name indicated, but when I hit the go button, it shows the ID available.

The test user only has the roles mentioned above PLUS the two objects in a test role.

Santosh

Accepted Solutions (1)


Colleen
Advisor

Hi Santosh

I recommend you treat GRC security access no more special than you would if you had to build an ERP security role.

Start with your requirements - which you have and prototype. It's the best way to learn and understand how functionality is restricted. Create a test user and build a test role that you can keep topping up the authorisations as you encounter issues based on SU53/ST01. For NWBC screen layout, there are some KB articles on how to configure your own launchpad if you want to restrict as well.

Good luck with it.

Regards

Colleen

santosh_krishnan2
Participant

Thanks. I don't think the client has enough time to do this, which is what I'd recommended to begin with.

However, I'll engage in a short version of what you suggest.

Santosh

Colleen
Advisor

> I don't think the client has enough time to do this

Sadly, this is all too familiar and the client usually realises too late why we make the time for security (usually coincides with audit season).

Good luck in convincing your client security is worth the investment.

Regards

Colleen
