cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Role Methodology Access Restriction

Go to solution
Former Member

on ‎03-02-2015 7:01 AM

0 Kudos

Hi,

We are implementing BRM for a client. And the client wants to divide the role methodology authorizations among 3 set of admins. Meaning the

  • First set of admins can only Define Role, Maintain Authorizations and Derive Roles.
  • Second set of users can do Risk Analysis and assign Mitigation controls, Attach Test Cases and Initiate Approval and the
  • Third set of admins can do Role Generation.

How do we achieve this? Can we restrict the above set of users to see only those Tabs(see below screen) which suit their Job?

Regards,

Mohamed Fazil

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

madhusap
Active Contributor
‎03-02-2015 8:27 AM
0 Kudos

Hi Fazil,

We also have similar requirement where the team which creates roles through BRM are not aware of Risk analysis process and they don't want to perform risk analysis task. Below are steps we are following.

Role Management Team:

  • They receive a Service request for Creation of New Roles/Modification of existing roles from the Local Admin team with authorizations details.
  • Once received they will create role through BRM, and completes the steps Define Role and Maintain Authorization Data
  • Once they complete these steps will inform the GRC support team through Email to perform risk analysis for the roles which they created/modified.

GRC Support Team


  • GRC Support team will run Risk Analysis and Impact analysis for the role and if there are any risks will share the details with the Local Admin team (one who initiates role changes) who in turn will mitigate the risk or suggest to cancel the changes.
  • If mitigate the risk, then it goes for Mitigation Assignment Approver and once approved, Local admin team informs the GRC Support team
  • GRC Support team verifies and then informs the Role Management team to proceed with next steps.

Role Management Team:

  • After confirmation from GRC support team, Role management team initiates the approval and up on approval will generate the role.

Basically, we defined this for a client based on their requirement and they are following the same as part of their Post Go-Live Operations & Support (O&S) process. By this we are making clear that the concerned team is responsible for any discrepancies.

I am not sure whether you can restrict the steps in a methodology process based on authorizations or any other way. Let us check if the experts any advise for this even I am looking forward for that.

Regards,

Madhu.

Show replies
Show replies
alessandr0
Active Contributor
‎03-02-2015 10:11 PM
0 Kudos

Dear both,

did you check authorization object GRAC_ROLED? Never tested this, but you can restrict the activity as follows:

01Create
02Change
03Display
06Delete
08Change History
38Perform
61Export
64Generate
71Analyze
90Copy
91Maintain Approvers
B3Derive
FSSearch All Roles
V1Compare
V2Synchronize
V3Maintain Authorization
V4Maintain Test Results
V5Assign Default Roles
V6Certify
V7Reaffirm

For example if the role management team should not be allowed to generate the roles do not give authorization for the same.

Does that answer the question?

Regards,

Alessandro

Former Member
‎03-04-2015 7:27 AM
0 Kudos

Thanks Alessandro It works.

Answers (1)

Answers (1)

Former Member
‎03-03-2015 9:12 AM
0 Kudos

Hi Mohamed,

Administrators can take action , as per authorizations assigned to them. So, i think there is no substantial meaning of dividing role methodologies as per Admin.

Normally, methodology is divided as per type of roles(eg. single, composite) or System or Landscape, and not on Definition/Risk Analysis/Role generation because every role has to go through all the steps.i.e a role which is defined, will go through Risk Analysis and then generation.

Regards

Plaban

Show replies
Show replies
Colleen
Advisor
Advisor
‎03-03-2015 9:17 AM
0 Kudos

Hi Plaban

Large SAP sites with regional and country specific teams would have a requirement to split the different methodology steps between different members. Also, some might have the role definition and testing sit with Functional whilst the Authorisations sit with security. Some have role derivation and org value updates sit with one team whilst the rest sit with another.

This all comes back to business process for role management design. Splitting between role types is more common.

Regards

Colleen

Ask a Question