cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP standard roles shown inside Role selection criteria

Go to solution
Former Member

on ‎08-14-2014 8:30 AM

0 Kudos


Dear All

When i try to run Role level risk report & open the screen - I would like to know if there is a possibility of restricting the SAP standard roles from being displayed for selection.

Currently we are using 10.1 & i have setup the excluded values & running the batch risk analysis only on custom roles.

then also my risk report shows SAP standard roles, appreciate your advice

Raju

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
‎08-14-2014 10:34 AM
0 Kudos

Dear Raju,

based on your attachment you don't have an exclusion for SAP* roles? Only an exclusion for user SAP* is defined.

Did you try also to exclude SAP* for roles?

Regards,
Alessandro

Show replies
Show replies
Former Member
‎08-14-2014 1:43 PM
0 Kudos

Hi Alessandro

I presume the value which has already been filled in the exclude roles option like A* to X* should have taken care of my requirement to exclude the SAP standard roles?

hence i am intrigued to know is i need to explicitly specify each SAP standard role starting names into the exclude list.

Thanks

Raju

alessandr0
Active Contributor
‎08-14-2014 2:05 PM
0 Kudos

Hi Raju,

sorry - my mistake. The configuration is set correctly.

But please be aware that the excluded values are only for the batch risk analysis and not for the real-time analysis. See the difference here:

In case you run the real-time analysis you have to exclude the values in the selection screen analog your definition in spro.

Does this answer the question?


Regards,

Alessandro

Former Member
‎08-14-2014 2:58 PM
0 Kudos

Dear Alessandro

As per your last statement - "Exclude the values in the selection screen analog your defintion in SPRO"

Could you elaborate on the path to set the exclusion values in SPRO?

Like SPRO-> ???

Thanks

Raju

alessandr0
Active Contributor
‎08-14-2014 3:11 PM
0 Kudos

SPRO > GRC > AC > Access Risk Analysis > Batch Risk Analysis > Maintain Exclude Objects for Batch Risk Analysis.

The selection screen must be defined in NWBC (you can save your selections as a variant for later usage).

Regards,

Alessandro

Former Member
‎08-14-2014 3:38 PM
0 Kudos

Dear Alessandro

I would like to turn off the SAP standard roles being displayed for selection - so that external functional leads can just search of the custom end user roles we have created for them..

that is my objective for restricting the display of these standard roles.

if this is not a standard feature then i will have to train them on how to exclude the standard roles manually for each & every user.

Thanks

Raju

alessandr0
Active Contributor
‎08-14-2014 3:58 PM
0 Kudos

Hi Raju,

did you consider restricting the roles via authorization? With authorization object GRAC_ROLE you can ensure that a user cannot run the risk analysis for specific roles.

Let me give you an example:

Define your values in GRAC_ROLE object. In my scenario I only allow roles starting with C:*

The user is able to select the role from the selection list:

But the user isn't allowed to run the risk analysis, which is restricted with GRAC_ROLE object:

In SLG1 you see the error in more detail:

I am aware that this is not the preferred solution which you are looking for, but at least a possibilty to restrict roles you don't want to analyze.

Please let me know if that helps.


Best regards,

Alessandro

Answers (1)

Answers (1)

Former Member
‎11-20-2014 11:37 AM
0 Kudos

Sorry for the late reply, saw your posting only now:

Go to table GRACRLCONN. There the synched roles are stored.

Select your CONNECTOR and ROLE_NAME SAP_*

Select all roles and go to Table Entry - delete all.

The roles will not be shown in the selection screen, will not be included in the risk analysis.

Bad news: this has to be done after each Repository Synch.

Bad enough that while scheduling the Repository sync you cannot exclude entries.

Regards,

Dina

Show replies
Show replies
Ask a Question