on 12-09-2013 1:37 AM
Hi,
I need some advice on restricting the target system access.
Currently my GRC 10 is connected to 3 different ERM systems. We have 3 different support group users and would like to restrict them to perform RAR for a particular system.
e.g. User A can only perform ARA & EAM in System A with Ruleset A, User B can only perform ARA & EAM in System B with Ruleset B, etc.
I've tried to restrict all the auth obj field GRAC_SYSID & GRAC_RSET for User A & User B.
However, the restriction is only reflected on the Access Dashboard. The users can still access all systems & all rulesets when they perform User Level RAR & User Level Simulation etc.
Please advise how I can do the restriction on system & ruleset access.
Thank You.
Hi Rachel,
Please check if the solution mentioned at http://scn.sap.com/thread/3277336 answers your question.
BR
Sebastian
Hi Sebastian,
Thanks for your kind help.
The solution given there is for restricting a user's access to a particular ruleset.
Do you have any idea how to restrict a user's access to a target system? In the screenshot that I captured above, the user can search and access all the systems (CNCCLNT205, PXECLNT100, Z9E). Is there any object with which I can restrict the user to only 1 target system (e.g. PXECLNT100) rather than all the systems?
I've restricted all the auth obj field GRAC_SYSID to connect to system PXECLNT100 only. However, the user can still access other systems (CNCCLNT205, Z9E etc.).
Thank you.
BR,
Rachel
Hi Rachel,
Did you restrict authorization object GRAC_SYS (field GRAC_SYSID)?
I have restricted this object. The result is that a user can run risk analysis only for restricted systems and also create access requests only for restricted systems. The restriction might also affect mitigation assignment and other system-specific tasks. I did not test every side effect so far.
We are on Support Pack 12. In case you have an older SP, you might need to implement notes like 1824694 - Connector authorization check missing in simulation.
Since authorizations add up, please also make sure that the authorization is not assigned via another role.
Best Regards
Sebastian
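The check suggested in the reply above (authorizations add up across roles), as an added example that is not part of the thread or of SAP's own tooling. It assumes role authorization values have been exported as (role, object, field, value) rows; the role and user names are hypothetical, the data is constructed, and values are treated as single values or `*` patterns (from/to ranges are not handled).

```python
from fnmatch import fnmatchcase

# Connector names as they appear in the thread.
CONNECTORS = ["CNCCLNT205", "PXECLNT100", "Z9E"]

# Constructed sample export: (role, auth object, field, value).
ROLE_AUTHS = [
    ("Z_GRC_ARA_PXE", "GRAC_SYS", "GRAC_SYSID", "PXECLNT100"),
    ("Z_GRC_DISPLAY_ALL", "GRAC_SYS", "GRAC_SYSID", "*"),
    ("Z_GRC_ARA_CNC", "GRAC_SYS", "GRAC_SYSID", "CNC*"),
]

# Constructed user-to-role assignments.
USER_ROLES = {
    "USER_A": ["Z_GRC_ARA_PXE", "Z_GRC_DISPLAY_ALL"],
    "USER_B": ["Z_GRC_ARA_PXE"],
    "USER_C": ["Z_GRC_ARA_PXE", "Z_GRC_ARA_CNC"],
}


def effective_systems(user):
    """Union of connectors granted by all of the user's roles, with the granting roles."""
    roles = set(USER_ROLES.get(user, ()))
    granted = {}
    for role, obj, field, value in ROLE_AUTHS:
        if role not in roles or (obj, field) != ("GRAC_SYS", "GRAC_SYSID"):
            continue
        for conn in CONNECTORS:
            # "*" and trailing-star values match like wildcards.
            if fnmatchcase(conn, value):
                granted.setdefault(conn, set()).add(role)
    return granted


def excess_access(user, intended):
    """Connectors the user reaches outside the intended set, and which roles grant them."""
    return {
        conn: sorted(roles)
        for conn, roles in effective_systems(user).items()
        if conn not in intended
    }


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, excess_access(user, {"PXECLNT100"}))
```

An empty result means every role assigned to the user stays within the intended connector; any other result names the role that has to be narrowed or unassigned.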