on 08-14-2014 8:30 AM
Dear All
When i try to run Role level risk report & open the screen - I would like to know if there is a possibility of restricting the SAP standard roles from being displayed for selection.
Currently we are using 10.1 & i have setup the excluded values & running the batch risk analysis only on custom roles.
then also my risk report shows SAP standard roles, appreciate your advice
Raju
Dear Raju,
based on your attachment you don't have an exclusion for SAP* roles? Only an exclusion for user SAP* is defined.
Did you try also to exclude SAP* for roles?
Regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Alessandro
I presume the value which has already been filled in the exclude roles option like A* to X* should have taken care of my requirement to exclude the SAP standard roles?
hence i am intrigued to know is i need to explicitly specify each SAP standard role starting names into the exclude list.
Thanks
Raju
Hi Raju,
sorry - my mistake. The configuration is set correctly.
But please be aware that the excluded values are only for the batch risk analysis and not for the real-time analysis. See the difference here:
In case you run the real-time analysis you have to exclude the values in the selection screen analog your definition in spro.
Does this answer the question?
Regards,
Alessandro
Dear Alessandro
I would like to turn off the SAP standard roles being displayed for selection - so that external functional leads can just search of the custom end user roles we have created for them..
that is my objective for restricting the display of these standard roles.
if this is not a standard feature then i will have to train them on how to exclude the standard roles manually for each & every user.
Thanks
Raju
Hi Raju,
did you consider restricting the roles via authorization? With authorization object GRAC_ROLE you can ensure that a user cannot run the risk analysis for specific roles.
Let me give you an example:
Define your values in GRAC_ROLE object. In my scenario I only allow roles starting with C:*
The user is able to select the role from the selection list:
But the user isn't allowed to run the risk analysis, which is restricted with GRAC_ROLE object:
In SLG1 you see the error in more detail:
I am aware that this is not the preferred solution which you are looking for, but at least a possibilty to restrict roles you don't want to analyze.
Please let me know if that helps.
Best regards,
Alessandro
Sorry for the late reply, saw your posting only now:
Go to table GRACRLCONN. There the synched roles are stored.
Select your CONNECTOR and ROLE_NAME SAP_*
Select all roles and go to Table Entry - delete all.
The roles will not be shown in the selection screen, will not be included in the risk analysis.
Bad news: this has to be done after each Repository Synch.
Bad enough that while scheduling the Repository sync you cannot exclude entries.
Regards,
Dina
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.