Skip to Content

Decentralized Org Unit maintenance in GRC Process Control 10.0/10.1

In GRC Process Control 10.0/10.1,  Organization maintenance is decentralized from the  user ability to:

  • Maintain role assignment for the Organization
  • Ability to assign subprocess to the Organization.

It is possible to customize roles and model authorization, such that :

1) User is only  authorized to maintain the role assignments on ORGUNIT.

2) User has the ability to maintain only GENERAL DATA (in General tab) of ORGUNIT.

3) User has the ability to only maintain sub-process assignment on ORGUNIT.

With the decentralized model, SAVE button is enabled on ORGUNIT OIF and we can have segregation of authorization to multiple responsible users assigned to customized roles. Off course, we can have a combination of authorizations from 1),2) and 3) above.


Let us try to understand and model a role ZORG_MAINTAIN using the authorization object GRFN_API.


CASE 1 :Subprocess assignment on ORGUNIT

ACTIVITY : CREATE, CHANGE,DISPLAY

DATAPART : SUBPROCESS

ENTITY: ORGUNIT

SUBENTITY : *

Now we need to define this role for Corporate or OrgUnit via Entity Role assignment.

In transaction SPRO, execute:

GRC->General Settings->Authorizations->Maintain Entity Role Assignment

Now assign the test user(SAINIAM1) in this case for a CORPORATE/ORGUNIT to custom role ZORG_MAINTAIN.

HR table HRP1852 holds the user and role assignment,verify to see that assignment is done.

Execute NWBC with test user SAINIAM1 and verify that the user has the ability to assign sub-process to ORGUNIT.

The user has no ability to maintain the Roles for the ORGUNIT .

The user is not able to maintain the ORGUNIT general attributes as well.

Click on'Assign Subprocess' button.

There is no popup to select any subprocess. Well, that happens because the user is not authorized to display Central objects i.e.

Central Process, Central Subprocess. So let us re-generate our custom role with these required authorizations.

Now the user has the ability to maintain subprocess to ORGUNIT.

Let us re-generate custom role to tweak the authorization, such that user only has the authorization to maintain GENERAL attributes of the ORGUNIT.

CASE 2: General tab attributes maintenance on ORGUNIT

ACTIVITY : CREATE, CHANGE,DISPLAY

DATAPART : DATA

ENTITY: ORGUNIT

SUBENTITY : *

Execute NWBC to verify that user is only authorized to maintain the general attributes of ORGUNIT and not authorized to maintain role assignment or subprocess assignment for the ORGUNIT.

Now we can tweak authorization and regenerate role to have the user ability to maintain only 'Role' assignment for the ORGUNIT. In this case, user is not responsible for 'GENERAL' data maintenance or 'Subprocess' assignment for the ORGUNIT.

CASE 3 General tab attributes maintenance on ORGUNIT

ACTIVITY : CREATE, CHANGE,DISPLAY

DATAPART : ROLE

ENTITY: ORGUNIT

SUBENTITY : *

As a summary, we can tweak authorization in GRC Process Control 10.0/10.1 to have different users responsible for DATA, SUBPROCESS and ROLE assignments in single ORGUNIT.

No comments