
Maintain Mapping for Actions and Connector Groups

Former Member
0 Kudos

Hello, Experts!

Could you help me to clarify one customization for GRC AC - "Governance, Risk and Compliance->Access Control->Maintain Mapping for Actions and Connector Groups"?

Only the BRM scenario is mentioned in the description: “In this Customizing activity, you can assign the actions to a connector group, and then select the default connector for each group.

In Business Role Management, there are four phases for which you need to assign a connector. The phases are associated with the following actions:…”

Also, this customization is mentioned only in the guide for BRM which I found on SCN.

Did I get it right that this customization isn’t taken into account, for example, in the Access Request scenario?

Regards,

Julia

Accepted Solutions (1)


Former Member
0 Kudos

Hi Julia,

The IMG Activity Documentation is confusing.  You are correct that this config is not just for BRM.  This activity controls which GRC functions are enabled for the different systems connected in your landscape.

  1. 0001 Role Generation - BRM
  2. 0002 Role Risk Analysis - ARA
  3. 0003 Authorization Maintenance - ARA & BRM
  4. 0004 Provisioning - ARM (Access Request)
  5. 0005 HR Triggers - ARM

Therefore, depending on what functionality of GRC you are implementing, you should choose the actions appropriately.

Example of this configuration:

  • If you have 2 systems that GRC is integrating with, and using all functionality: ECC and BW
    • Add each system connector within the Logical Groups; Add each action per connector.
      • You should have 5 entries per LG that the connector is associated with.  ex: "ECC Production" should have 5 entries, 1 for each action.
      • If "ECC Production" is assigned to SAP_BAS_LG and SAP_NHR_LG (examples) then you would have 10 total entries for this system - 5 entries per LG, which include all of the actions listed above.
      • The total entries for this scenario would be 20 total:
        • SAP_BAS_LG - ECC Production - Action 0001
        • SAP_BAS_LG - ECC Production - Action 0001
        • ...

The "Default" connector needs to be chosen per LG and per Action.  Therefore, in the above scenario, you would check-box "Default" as "ECC Production" for every LG-Action combination (10 total).

This is a confusing piece of configuration, so if it is not clear let me know what your difficulties are and I can try to better explain.

Regards,

Ken

Former Member
0 Kudos

Hi Ken!

Thank you so much for the detailed explanation and for your help!

Could you help me with the next scenario?

For example, the landscape for the ECC system includes 3 systems. We add all these systems for the PROV scenario to be able to assign roles in DEV, QAS and PROD systems. Does the customization "Governance, Risk and Compliance->Access Control->Maintain Mapping for Actions and Connector Groups" help us to assign roles only in the PROD system by default?

Regards,

Julia

Former Member
0 Kudos

For Provisioning, I would say you need to configure Actions 0002, 0003, and 0004 because you will likely be performing risk analysis within the access request for provisioning.  I would recommend configuring all actions for the non-prod systems and leaving out Role Generation from Prod so that you don't accidentally generate roles directly in production.  This will allow you to use the full capability of GRC in the future if your org decides to do so.

Regarding the "default", no, setting PRD to default for each scenario action will not limit provisioning to PRD alone.  When you select roles within an Access Request, the roles are specific to the different connectors.  Therefore, you will be able to search and choose roles from all systems, and you can even add roles from multiple systems - when approved the user's account will be provisioned in the systems that were included in the request (by virtue of having the systems roles included in the request).

Before being able to add roles in a request, you will need to "import" the roles via Access Management in NWBC.  Additionally, after importing roles into the GRC repository, you must perform a Repository Object Sync job in "FULL" mode, not "incremental".  Otherwise, the roles will not be found while searching within the request.

Hope this helps!

Ken
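An added example, not part of the replies above and not SAP code: a small Python audit of an exported action/connector-group mapping against the points Ken makes (each logical group and action has one default connector, the required actions are present per connector, and Role Generation is left off production). The tuple layout, the connector names `ECC_DEV` and `ECC_PRD`, and the sample rows are constructed assumptions.

```python
from collections import defaultdict

# Action codes as listed in the accepted answer.
ACTIONS = {"0001": "Role Generation", "0002": "Role Risk Analysis",
           "0003": "Authorization Maintenance", "0004": "Provisioning",
           "0005": "HR Triggers"}

def audit_mapping(rows, required, prod_connectors):
    """rows: (logical_group, connector, action, is_default) tuples.
    Returns a sorted list of findings; an empty list means consistent."""
    findings = set()
    mapped = defaultdict(set)      # (lg, connector) -> actions mapped
    defaults = defaultdict(list)   # (lg, action) -> connectors flagged default
    for lg, conn, action, is_default in rows:
        if action not in ACTIONS:
            findings.add(f"{lg}/{conn}: unknown action {action}")
            continue
        mapped[(lg, conn)].add(action)
        defaults[(lg, action)]     # register the combination even with no default
        if is_default:
            defaults[(lg, action)].append(conn)
        if action == "0001" and conn in prod_connectors:
            findings.add(f"{lg}/{conn}: 0001 Role Generation mapped on production")
    for (lg, conn), actions in mapped.items():
        for action in sorted(set(required) - actions):
            findings.add(f"{lg}/{conn}: missing action {action}")
    for (lg, action), conns in defaults.items():
        if len(conns) != 1:
            findings.add(f"{lg}/{action}: {len(conns)} default connectors, expected 1")
    return sorted(findings)

# Constructed sample export with three deliberate problems.
SAMPLE = [
    ("SAP_BAS_LG", "ECC_DEV", "0001", True),
    ("SAP_BAS_LG", "ECC_DEV", "0002", False),
    ("SAP_BAS_LG", "ECC_DEV", "0004", False),
    ("SAP_BAS_LG", "ECC_PRD", "0001", False),   # role generation on production
    ("SAP_BAS_LG", "ECC_PRD", "0002", True),
    ("SAP_BAS_LG", "ECC_PRD", "0003", True),
    ("SAP_BAS_LG", "ECC_PRD", "0004", False),   # no default chosen for 0004
]

if __name__ == "__main__":
    # Actions 0002-0004 are the ones named above for a provisioning setup.
    for finding in audit_mapping(SAMPLE, ["0002", "0003", "0004"], {"ECC_PRD"}):
        print(finding)
```
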

Former Member
0 Kudos

Hi Ken!

Thank you again!!!!

We use GRC 10.1. I've found one interesting parameter - 2048 "Default provisioning environment for business role"

Use this parameter to set the default provisioning environment for business roles. For example, if you set the parameter to TST then when a user submits a request for a business role the default provisioning environment is Test.

The possible values for this parameter are:

DEV - Development

PRD - Production

TST - Test

Have you used it? It might help to assign business roles in the production system by default. I forgot to write that we assign only business roles to end users.

Regards,

Julia

kevin_tucholke1
Contributor
0 Kudos

Julia:

That is exactly what that parameter is used for.  Due to the fact that roles attached to the Business Role are attached at a LANDSCAPE level, which usually includes all instances for a particular SAP environment (i.e. PRD, TST, DEV).  This will default the ENVIRONMENT field on an access request so that the roles to be assigned by the business role are provisioned to that environment.  If you need to have the business role provisioned to multiple environments then you just need to add an additional entry with the business role and a different environment.

Hope this clarifies.

Kevin Tucholke

Former Member
0 Kudos

Hello, Kevin!

Thank you for the clarification!

Regards,

Julia

Answers (1)


Former Member
0 Kudos

Could anyone help me?

Any information would be appreciated.

Thank you in advance!

Regards,

Julia