on 05-28-2014 6:13 PM
Hello Experts,
We have a requirement where we need to provision user in ECC DEV and QA system from GRC Prod.
At the role owner stage we have made risk analysis mandatory. But while provisioning in DEV and QA only, we want this mandatory risk analysis step to be exempted. It should work with PROD. Because in the DEV and QA environments, users will have wider access and risks will be high.
Any thoughts on how to accomplish this? Also, how recommended is it to provision users in DEV and QA through the GRC Prod system?
Thanks,
Mamoon Rashid
Hi Mamoon,
You will need a BRF+ initiator rule to achieve this, which will follow a path based on the initiator condition, which would be the system ID; so if a request is created for DEV and QA it will follow a separate path that has no mandatory risk analysis.
Or, if you want, you can create a routing rule too, to route the request to a different path if it is for a specific system.
BR,
Mangesh
Exposing the GRC production server to the ECC6 Development and Quality servers for provisioning is not recommended. The GRC landscape is not mentioned by you, but I hope it would be GRC-DV, GRC-QA and GRC-PD.
Although, as you mentioned, in the development and QA servers users have wider authorization, so there is little scope for provisioning through GRC and role owner approval.
In the Development and QA servers you may keep the GRC Administrator as role owner. So every request will come to the GRC administrator for approval, which he may approve. For production, the request will go to the actual role owner.
Regards
Sanjay
Sanjay:
I am surprised at your comment about not exposing PRD SAP Access Control to DEV and QAS target systems. In fact, I recommend this all the time (with an exception that I will explain below).
To be able to have a single system for end users to request access for the entire SAP footprint (and other platforms, if connected) is widely recommended. I have done this successfully many times and know of many companies using SAP Access Control that are using their SAP Access Control system in this fashion.
To go even a little beyond that, if you are using BRM functionality to its fullest, you MUST connect your DEV systems to PRD GRC in order to maintain your roles.
This is achieved, as stated above, by using a custom initiator. With that you can send individual line items down different paths (i.e. a Production Access path and a Non-Production Access path), where in one you can require risk analysis to be run, and in the other have it not be required. In fact, these paths don't even have to be the same.
Now for the exception. In SAP Access Control 10.0, when using Business Roles there is something that you must understand. When you create a Business Role you assign the technical role to the Business Role at the LANDSCAPE level. When that business role is then requested, the user is assigned the technical roles in ALL physical systems in the attached role landscape.
This issue has been corrected in version 10.1. In this version, SAP has added a column called ENVIRONMENT into the line item area of the request. This is used for Business Roles, and the user can then decide which environment they want the technical roles to be provisioned in. It uses the designation that you give for the system in the configuration setup of the connector, where you specify what environment the connector is. There are 3 choices for this: Production / Test / Development.
Thanks,
Kevin Tucholke
Principal Consultant
SAP America
Hello Experts,
Any solution for this?
Thanks,
Mamoon
Hi All,
For our new account workflow we have only one role owner stage, where risk analysis is mandatory. Can we route this to another path having a role owner stage where risk analysis is not mandatory (for QA and DEV)?
As there is only one stage, it will go to the normal role owner. Once he approves, only then should it go to the routed path. Is my understanding correct?
Thanks,
Mamoon
Hi Mamoon,
This can be achieved using BRF+: just add a condition in the BRF+ decision table, which is the connector, and you will achieve the path the way you want it to be.
Also, after the role owner stage, if you want to redirect to another stage, you need to create a routing rule and then, for QA and DEV, direct to a stage where risk analysis is not mandatory.
So it can be achieved in two ways.
Thanks and Regards
Ankit Sharma
Hi Mamoon
You can do this in a fairly straightforward way. Define mitigation controls for all the risks that are flagged by the system for the DEV and QA environments. What this means is that even though the system shows a lot of risks because of wide-open authorizations, these risks are treated as mitigated, which means that you can still go ahead and provision those users even though there are risks.
Going into PRD, you may not define any mitigation controls, as these are genuine risks, and hence the system would not provision the users if there are risks associated.
Hope this helps.
Snehal Pandya
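The two approaches in this thread (Kevin's custom initiator that sends line items down a Production or Non-Production path by connector environment, and Snehal's mitigation controls defined only for DEV/QA) are easy to confuse until you see them side by side. The following is an added example, not code from the thread or from SAP Access Control: a small Python model of a decision-table initiator plus a risk-analysis stage that honours mitigation controls. The connector names, roles, SoD rules, controls and path names are constructed for illustration. One deliberate detail a practitioner should check in the real BRF+ table: a connector with no environment (or an unknown connector) falls through to the strict production path rather than the lenient one, so a misconfigured connector can never silently skip risk analysis.

```python
"""Added example (not from the thread): BRF+-style routing by connector
environment plus a risk-analysis stage with mitigation controls.
All names and data below are constructed assumptions."""
from dataclasses import dataclass

# Assumed connector configuration: environment designation per connector
# (Production / Test / Development), as given when the connector is defined.
CONNECTORS = {"ECCDEV": "Development", "ECCQAS": "Test", "ECCPRD": "Production"}

# Decision table: environment -> workflow path.  Unknown connector or
# missing environment falls through to the strict path (fail closed).
PATH_BY_ENV = {
    "Development": "NON_PROD_ACCESS",
    "Test": "NON_PROD_ACCESS",
    "Production": "PROD_ACCESS",
}
DEFAULT_PATH = "PROD_ACCESS"

# Stage configuration per path: only the production path blocks on open risks.
RISK_ANALYSIS_MANDATORY = {"PROD_ACCESS": True, "NON_PROD_ACCESS": False}

# Constructed SoD rule set: risk id -> roles that together form the risk.
SOD_RULES = {
    "P001": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"},
    "F002": {"Z_GL_POST", "Z_GL_CLOSE"},
}


@dataclass(frozen=True)
class LineItem:
    role: str
    connector: str


def route_line_item(item):
    """Initiator rule: choose the path for one line item from its connector."""
    environment = CONNECTORS.get(item.connector)  # None if not configured
    return PATH_BY_ENV.get(environment, DEFAULT_PATH)


def split_request(items):
    """Custom initiator: group the line items of one request by path."""
    by_path = {}
    for item in items:
        by_path.setdefault(route_line_item(item), []).append(item)
    return by_path


def roles_by_connector(items):
    grouped = {}
    for item in items:
        grouped.setdefault(item.connector, set()).add(item.role)
    return grouped


def find_risks(roles, rules=SOD_RULES):
    """Ids of every rule whose full role combination is present."""
    return sorted(rid for rid, combo in rules.items() if combo <= roles)


def risk_stage(path, items, controls):
    """Role-owner stage with risk analysis.  `controls` holds the
    (risk_id, connector) pairs covered by a mitigation control.  Returns
    (approved, open_risks_by_connector): an unmitigated risk blocks only on
    a path where risk analysis is mandatory.  Simplification: only the
    requested roles are analysed, not the user's existing assignments."""
    open_risks = {}
    for connector, roles in roles_by_connector(items).items():
        unmitigated = [r for r in find_risks(roles) if (r, connector) not in controls]
        if unmitigated:
            open_risks[connector] = unmitigated
    if RISK_ANALYSIS_MANDATORY[path] and open_risks:
        return False, open_risks
    return True, open_risks


def process_request(items, controls):
    """Run each path of a request through its own risk stage."""
    return {path: risk_stage(path, path_items, controls)
            for path, path_items in split_request(items).items()}


# Constructed sample request: the same conflicting pair in DEV and PRD,
# plus one line item for a connector that was never configured.
SAMPLE_REQUEST = [
    LineItem("Z_AP_INVOICE_ENTRY", "ECCDEV"),
    LineItem("Z_AP_PAYMENT_RUN", "ECCDEV"),
    LineItem("Z_AP_INVOICE_ENTRY", "ECCPRD"),
    LineItem("Z_AP_PAYMENT_RUN", "ECCPRD"),
    LineItem("Z_GL_POST", "ECCSBX"),
]
# Mitigation controls defined only for the non-production systems.
NON_PROD_CONTROLS = {("P001", "ECCDEV"), ("P001", "ECCQAS")}

if __name__ == "__main__":
    for path, (ok, findings) in process_request(SAMPLE_REQUEST, NON_PROD_CONTROLS).items():
        print(path, "approved" if ok else "BLOCKED", findings)
```

Running it shows the DEV line items going down the non-production path and being approved (the P001 conflict is mitigated there), the PRD line items being blocked on the production path because the same conflict has no control, and the unconfigured ECCSBX connector landing on the production path rather than the lenient one.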