Provisioning in DEV and QA through GRC

mamoonr
Active Participant
0 Kudos

Hello Experts,

We have a requirement where we need to provision users in the ECC DEV and QA systems from GRC Prod.

At the role owner stage we have made risk analysis mandatory. But while provisioning in DEV and QA only, we want this mandatory risk analysis step to be exempted. It should work with PROD, because in the DEV and QA environments users will have wider access and risks will be high.

Any thoughts on how to accomplish this? Also, how recommended is it to provision users in DEV and QA through the GRC Prod system?

Thanks,

Mamoon Rashid

Accepted Solutions (1)

Former Member
0 Kudos

Hi Mamoon,

You will need a BRF+ initiator rule to achieve this, which will follow the path based on the initiator condition, which would be the system ID. So if a request is created for DEV and QA it will follow a separate path which has no mandatory risk analysis.

Or, if you want, you can create a routing rule too, to route the request to a different path if it is for a specific system.

BR,

Mangesh

mamoonr
Active Participant
0 Kudos

Hi Mangesh,

Could you please let me know how routing rule should be?

Will it be the same as the initiator, with a decision table?

Thanks,

Mamoon

Former Member
0 Kudos

Hi Mamoon,

Yes, it will be the same as the condition table, adding one more column for system.

BR,

Mangesh

former_member187795
Participant
0 Kudos

Hi Mamoon,

You can create a decision table similar to this

Regards,

Sai.

Answers (4)

sanjay_pawar3
Discoverer
0 Kudos

Exposing the GRC production server to the ECC6 Development and Quality servers for provisioning is not recommended. The GRC landscape is not mentioned by you, but I hope it would be GRC-DV, GRC-QA and GRC-PD.

Although, as you mentioned, in the development and QA servers users have wider authorization, so there is little scope for provisioning through GRC and role owner approval.

In the Development and QA servers you may keep the GRC Administrator as role owner. So every request will come to the GRC administrator for approval, which he may approve. For production, the request will go to the actual role owner.

Regards

Sanjay

kevin_tucholke1
Contributor
0 Kudos

Sanjay:

I am surprised at your comment about not exposing PRD SAP Access Control to DEV and QAS target systems. In fact, I recommend this all the time (with an exception that I will explain below).

To be able to have a single system for end users to request access for the entire SAP footprint (and other platforms if connected) is widely recommended. I have done this successfully many times and know of many companies using SAP Access Control that are using their SAP Access Control system in this fashion.

To go even a little beyond that, if you are using BRM functionality to its fullest, you MUST connect your DEV systems to PRD GRC in order to maintain your roles.

This is achieved, as stated above, by using a custom initiator. With that you can send individual line items down different paths (i.e. Production Access path, Non-Production Access path), where in one you can require risk analysis to be run, and in another have it not be required. In fact, these paths don't even have to be the same.

Now for the exception. In SAP Access Control 10.0, when using Business Roles there is something that you must understand. When you create a Business Role you assign the technical role to the Business Role at the LANDSCAPE level. When that business role is then requested, the user is assigned the technical roles in ALL physical systems in the attached role Landscape.

This issue has been corrected in version 10.1. In this version, SAP has added a column called ENVIRONMENT to the line item area of the request. This is used for Business Roles, and the user can then decide which environment they want the technical roles to be provisioned in. It uses the designation that you give for the system in the configuration setup of the connector, where you specify what environment the connector is. There are 3 choices for this: Production / Test / Development.

Thanks,

Kevin Tucholke

Principal Consultant

SAP America
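To illustrate the routing Kevin describes, the following is an added model written for this thread, not SAP code or anything from the posts above: a small Python simulation of a BRF+ initiator decision table that routes each line item by target environment, and that shows why a Business Role line item cannot be routed in 10.0 (the landscape spans every environment) but can in 10.1 once the ENVIRONMENT column narrows it. Connector names, the landscape, and the path names are constructed assumptions.

```python
"""Model of line-item routing by environment in an SAP Access Control
initiator rule.  Added illustration only; all names below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Environment designation per connector, as maintained in connector setup.
CONNECTOR_ENV = {"ECCDEV": "Development", "ECCQA": "Test", "ECCPRD": "Production"}
# A Business Role attaches technical roles at landscape level; this
# constructed landscape spans all three physical systems.
LANDSCAPES = {"ECC_LANDSCAPE": ["ECCDEV", "ECCQA", "ECCPRD"]}
# Decision table: set of environments a line item may target -> workflow path.
DECISION_TABLE = [
    ({"Production"}, "ROLE_OWNER_RA_MANDATORY"),
    ({"Development", "Test"}, "ROLE_OWNER_RA_OPTIONAL"),
]

@dataclass
class LineItem:
    role: str
    role_type: str                      # "TECHNICAL" or "BUSINESS"
    connector: Optional[str] = None     # technical roles carry one system
    landscape: Optional[str] = None     # business roles carry a landscape
    environment: Optional[str] = None   # 10.1 ENVIRONMENT column, if filled

class PathResolutionError(Exception):
    pass

def target_environments(item: LineItem, release: str) -> set:
    """Environments the line item would provision into."""
    if item.role_type == "TECHNICAL":
        return {CONNECTOR_ENV[item.connector]}
    envs = {CONNECTOR_ENV[s] for s in LANDSCAPES[item.landscape]}
    # 10.1: the ENVIRONMENT column restricts the landscape to one environment.
    if release == "10.1" and item.environment:
        return envs & {item.environment}
    return envs   # 10.0: every physical system in the landscape

def route(item: LineItem, release: str = "10.1") -> str:
    """Evaluate the decision table for one line item; exactly one row must fit."""
    envs = target_environments(item, release)
    matches = {path for cond, path in DECISION_TABLE if envs and envs <= cond}
    if len(matches) != 1:
        raise PathResolutionError(
            f"unable to resolve path for {item.role}: targets {sorted(envs)}")
    return matches.pop()
```

A technical role on a PRD connector lands on the risk-analysis-mandatory path, a DEV or QA connector on the optional one, and a Business Role only resolves once a single environment is chosen.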

Arif1
Active Participant
0 Kudos

Hi Kevin,

Thanks for your reply, but how in GRC v10.0 will the system be identified for business roles?

Regards,

Arif

mamoonr
Active Participant
0 Kudos

Hi Kevin,

Thanks for your valuable input. I would rephrase Arif's question: how would GRC 10.0 recognise a business role for a particular landscape?

Thanks,

Mamoon

mamoonr
Active Participant
0 Kudos

Hello Experts,

Any solution for this?

Thanks,

Mamoon

Former Member
0 Kudos

Hi Mamoon,

Did you run a test which shows failure?

BRF Plus line by line shall capture the business role if the Role connector is used instead of the connector (system).

Can you share audit log?

Arif1
Active Participant
0 Kudos

Hi Mamoon,

Business Roles are a combination of Technical roles, and Technical roles depend on the system.

You can create Single roles or Composite roles, which depend on the system.

Regards,

Arif

mamoonr
Active Participant
0 Kudos

Hi Nishant,

Yes, I tested it with a business role. The request could not be submitted as it was unable to resolve the path.

For a technical role the request gets submitted, as in the decision table I have maintained connection as one condition.

Thanks,

Mamoon

mamoonr
Active Participant
0 Kudos

Hi Arif,

I understand this, but we have the requirement that only business roles can be provisioned, not roles.

Thanks,

Mamoon

mamoonr
Active Participant
0 Kudos

Hi All,

For our new account WF we have only one stage of role owner where risk analysis is mandatory. Can we route this to another path having a role owner stage where risk analysis is not mandatory (for QA and DEV)?

As there is only one stage it will go to the normal role owner; once he approves, only then should it go to the routed path. Is my understanding correct?

Thanks,

Mamoon

Former Member
0 Kudos

Hi Mamoon,

This can be achieved using BRF+: just add a condition in the BRF+ decision table which is the connector, and you will achieve the path the way you want it to be.

Also, after the role owner stage, if you want to redirect to another stage, you need to create a routing rule, and then for QA and DEV you direct to a stage where risk analysis is not mandatory.

So it can be achieved in 2 ways.

Thanks and Regards

Ankit Sharma

mamoonr
Active Participant
0 Kudos

Hi Ankit,

It works fine for a technical role where the system is specified. But for a Business role there is no system.

How can we route to a different path via BRF?

Thanks,

Mamoon

Former Member
0 Kudos

Hi Mamoon

You can do this in a fairly straightforward way. Define mitigation controls for all the risks that are flagged by the system for the DEV and QA environments. What this means is that even though the system shows a lot of risks because of wide-open authorizations, these risks are treated as mitigated, which means that you can still go ahead and provision those users even though there are risks.

Going into PRD, you may not define any mitigation controls, as these are genuine risks, and hence the system would not provision the users if there are risks associated.

Hope this helps.

Snehal Pandya

mamoonr
Active Participant
0 Kudos

Hi Snehal,

How could this be achieved in 10.0?

Thanks,

Mamoon