Hello!

We have 3 different SAP ECC systems connected to our GRC system: NC1, NC2 and NCQ. I am trying to restrict the user's access so they are only able to see users and roles from their own organization (i.e. users from NC1 should not see users or roles from NC2 and NCQ)

I created a copy of the ACCESS_REQUESTER composite role so I could change authorization objects and assign only NC1 and created the following:

Z:ACCESS_REQUESTER_NC1

  Z:GRAC_ACCESS_REQUESTER_NC1

  Z:GRAC_BASE_NC1

  Z:GRAC_DISPLAY_ALL_NC1

  Z:GRAC_NWBC_RESTRICTED_NC1

I selected GRCNC1010 as connector ID for the following auth. objects in all roles and assigned the composite role to user REQUESTER_1

GRAC_USER

GRAC_SYSTM

GRAC_SYS

With this role, the user is only able to see NC1 system and roles, and only able to search for NC1 users, but still if I type in an user ID from another system and hit enter, the information is populated on user details tab. - I tried with an user from NC2 that does not exist in NC1, I can't search for it but I can view his information on user details tab. We are using HR as data source for user source search and user details tab.

In summary: even with system restriction to only search and view information from NC1, if I type in the user ID from another system and hit enter, the information on User Details tab is still populated.

Any ideas on how I could restrict this?