Access Request for Business Role Management

Former Member
0 Kudos

Dear Experts,

Has anyone implemented a solution for requesting modification of a role through an access request, or for requesting creation of a new role, through GRC? Currently, in the standard application, the role methodology is automated, but a request for role creation or update is not available. If you have any workaround, or have had a similar requirement from the business, please share.

Thanks and Regards 

Mujtaba Siddiqui

Accepted Solutions (1)

Former Member
0 Kudos

Dear Mujtaba,

Have you tried modifying the role methodology process steps to meet your requirement? Try putting Approval as the 2nd stage, soon after Define Role, so that before the admin adds any authorizations in PFCG, he can get an approval from the Role Owner.

But probably you may have to add an Approval stage after Derivation also, so that the added T codes and authorization objects are reviewed by the owner before the role generation happens.

I haven't tested this though, but let us know if this works.

Regards,

Mohamed Fazil

Former Member
0 Kudos

Dear Mohammed, 

Thanks for your quick reply!

Basically, my question is about what comes before the role design methodology starts, as the process of role design starts based on a request from the business to the role designer to modify a role or create a new one. My question is: is there any way to automate such a request in GRC?

As for your valuable suggestion, it is in the middle of the role design process and does not cover the initiation request, as the role designer starts the design only after a request from the business, and this request is not automated.

Thanks and Regards 

Mujtaba Siddiqui

Former Member
0 Kudos

Hi Mujtaba,

The key consideration here could be: who is the approver, the business or the security role-building team?

With BRM, you could have the business initiate the role definition in NWBC, and then apply an approval step which could go to the security team, who then actually add in the actions and permissions.

As pointed out by Mohammed in the earlier response, this is possible to meet your requirements.

You are right that by default there is no real direct trigger from the very beginning of a business requesting a brand new role to be built. However, many organisations have a Service-desk ticket system in place that sits outside of GRC and caters for all organisational requests. My opinion would be that such a service should be used by the business as the actual initiator for a role build request. Then once the ticket is accepted by the Security team, they can initiate the definition of the role build in BRM and then the business can approve the actual build in GRC before generation.

Hope some of the points and suggestions raised can be considered to help you define your end-to-end process.

Former Member
0 Kudos

Dear All, 

Thank you both for your valuable suggestions. In my opinion, giving the business access to define roles is somehow not advisable, as the business is not fully aware of how to apply the naming convention and landscape for a role, especially if it is a technical role. As well, controlling the business within the role design methodology will be difficult, as the object of security does not give control over each phase of the methodology.

Regarding the IT service desk you mentioned, it is a near solution, but as far as I know there is no integration between the service desk and GRC. If there is, please let me know.

Any thoughts on adding a ticket number during creation / modification of a role? In particular, the ticket numbers must be added as a list, to cater for a new ticket number for each change.

Thanks and Regards 

Mujtaba Siddiqui

Former Member
0 Kudos

Dear Mujtaba,

Of course, the business cannot understand technical stuff and hence cannot define the role.

As far as my understanding is concerned, Harinam was suggesting a service desk which is completely isolated from GRC, with a written approval over mail taken from the business and attached to the service request. After this, the technical admin can go ahead and define the role, and the role content owner (technically sound) can approve its contents (T codes, authorizations, org values, etc.).

And as far as your last query about linking the ticket number and the role is concerned, you may add the ticket number in the additional details field. Please see the screenshot below. As and when any changes are done to the role, the service request number and a little description of the change may be added in the area below.

Hope this helps you.

Regards,

Mohamed Fazil

alessandr0
Active Contributor
0 Kudos

Dear Mujtaba,

How about "misusing" the ARM functionality? Define a new request type without an action. With the help of templates you can specify what needs to be included in the request (e.g. the Description field can be pre-configured with: Transactions, Authorization data, org levels, etc., which must be filled in by the end user... a basic input template, very basic actually). Reroute this request type to a dedicated path and dedicated approvers.

Never set up such a scenario, but basically it would work (even though it is very very very basic).

Let us know.

Regards,

Alessandro

Former Member
0 Kudos

Dear Fazil, 

Well, that I missed. It's a good idea!!

Thanks and Regards 

Mujtaba Siddiqui

madhusap
Active Contributor
0 Kudos

Hi Mujtaba,

While creating a role using GRC BRM, you've got the possibility to enter a customer-specific Ticket ID after maintaining the authorizations, at the NWBC GRC front-end system.

Required Settings:

  1. SPRO --> SAP Customizing Implementation Guide --> Governance, Risk and Compliance --> Access Control --> Maintain Configuration Settings --> Set ParamID: 3008 = YES

  2. Launch NWBC --> Create a new Single Role --> Define Role --> Maintain Authorizations (at the Backend) --> Synch. With PFCG (at the NWBC) --> Enter Ticket ID at the pop-up-window.

Regards,

Madhu.

Former Member
0 Kudos

Dear Alessandro, 

Good suggestion. Initially I thought the same, but took a step back when I saw no action existing related to BRM; hence there would be no integration with the role creation methodology. Let me try and get back if possible.

Thanks and Regards 

Mujtaba Siddiqui

Answers (1)

Former Member
0 Kudos

Dear Experts,

I have submitted this issue on ideas.sap.com. I request that all of you log in and vote up the idea; this will be helpful for the development team to develop it in the next release of GRC.

Please go to the link below and vote up:

https://ideas.sap.com/ct/ct_list.bix?c=4F27C74D-5330-4569-8199-D69072C0D4AE

Thanks and Regards 

Mujtaba Siddiqui