
7/25/2019 Role Import in BRM

http://slidepdf.com/reader/full/role-import-in-brm 1/16

Role Import in BRM

The purpose of this section is to explain the role import features in GRC 10 and to discuss all prerequisites for role import to avoid any issues. This document discusses the import of composite roles rather than single roles.

Role Import Prerequisites

• Roles can be imported directly from the backend SAP system or using a role authorization data file.

• Define Role Selection criteria (like Business Process, Sub process, Project, Functional Area etc.) and import data source.

• Roles have to exist in the backend system.

• Role sync job has to be performed. Very important step.

• Roles from the backend system can be downloaded by executing Tcode /N/GRCPI/AC_ROLE_DNLD or by executing the program /GRCPI/GRIA_DNLDROLES in SE38.

• Maintain parameters 3!" path, 33 value and download roles with .txt file (File location) and .xls (Role Info File).

• Maintain business process, sub process, Project, Role status, System Alphanumeric (4) etc. in the Role Info File downloaded from the backend system. Role status is a very important attribute. Only roles which are maintained with status "PRD" or "PRO" (depending on your GRC SP) in BRM will be available for selection for users during access request creation.

• To maintain production status, go to IMG -> Governance Risk and Compliance -> Access control -> Role Management -> Maintain Role Status

• Make sure to check the PRODUCTION STATUS checkbox for the status (recommended is PRD or PRO, depending on your GRC SP, but DEV and TST can be checked as production status based on the testing environment).

• Based on the PRODUCTION STATUS settings configured, make sure each role status is set accordingly.

• Make sure that the Provisioning Allowed flag and the Auto Provisioning flag are set to "Y" (YES) in the role info file.

• Make sure the PROV scenario has been maintained for the connector for which you are importing the roles. Best practice is to link all the integration scenarios AUTH, PROV, ROLMG, SUPMG to every connector to avoid any discrepancies.

• Maintain Mapping for Actions and Connector Groups - Ensure connection group in place for 000> Provisioning

• Once the Role Info File is maintained with all required attributes, save this file in Text Tab Delimited format.

• Now we will have two files which can be used for role import: the Role Authorization text file and the Role Info text tab delimited file.
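A pre-import check for the Role Info File prerequisites listed above (production status, provisioning flags, business attributes, tab-delimited format), as an added example that is not part of the original document or of SAP GRC. The column headers and sample rows are constructed assumptions, since the page does not show the file layout.

```python
import csv
import io

# Assumed column headers (not from the page): replace them with the headers
# of the Role Info File downloaded from your backend system.
ROLE, STATUS = "ROLE_NAME", "ROLE_STATUS"
FLAGS = ("PROVISIONING_ALLOWED", "AUTO_PROVISIONING")
ATTRS = ("BUSINESS_PROCESS", "SUB_PROCESS", "PROJECT")


def check_role_info(text, production_statuses=("PRD", "PRO")):
    """Return (role, problem) findings for a tab-delimited Role Info File."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    header = reader.fieldnames or []
    missing = [c for c in (ROLE, STATUS, *FLAGS, *ATTRS) if c not in header]
    if missing:
        # Usually means the file was not saved as tab-delimited text.
        return [("<file>", "missing columns: " + ", ".join(missing))]
    findings, seen = [], set()
    for line_no, row in enumerate(reader, start=2):
        def cell(col):
            return (row.get(col) or "").strip()
        role = cell(ROLE) or f"<line {line_no}>"
        if role in seen:
            findings.append((role, "duplicate role entry"))
        seen.add(role)
        # Only roles in a production status are selectable in access requests.
        if cell(STATUS) not in production_statuses:
            findings.append((role, f"status '{cell(STATUS)}' is not a production status"))
        for flag in FLAGS:
            if cell(flag).upper() not in ("Y", "YES"):
                findings.append((role, f"{flag} is '{cell(flag)}', expected 'Y'"))
        for attr in ATTRS:
            if not cell(attr):
                findings.append((role, f"{attr} is empty"))
    return findings


# Constructed sample file content (role names and values are made up).
SAMPLE = "\n".join("\t".join(r) for r in [
    (ROLE, STATUS, *FLAGS, *ATTRS),
    ("YP1_FI_AP_CLERK", "PRD", "Y", "Y", "FINANCE", "AP", "GRC_ROLLOUT"),
    ("YP2_FI_AR_CLERK", "DEV", "Y", "N", "FINANCE", "AR", "GRC_ROLLOUT"),
    ("YP1_FI_AP_CLERK", "PRD", "Y", "Y", "FINANCE", "AP", ""),
])

if __name__ == "__main__":
    for role, problem in check_role_info(SAMPLE):
        print(f"{role}: {problem}")
```

Pass `production_statuses` to match the statuses flagged as PRODUCTION STATUS in your own IMG configuration, for example when DEV or TST is checked in a test environment.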

Role Import in NWBC

• Log on to the GRC frontend application (either using Portal or NWBC)

• Go to the "Access Management" WorkCentre.

• Click on option "Role Import" under "Role Mass Maintenance". You will get below screen.

• In this document, we will discuss the role import feature by considering Import Source as "File on Desktop" for Role Attribute Source and "File on Desktop" for Role Authorization Source.

• Role Attribute Source (Note: Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and just want to use roles for provisioning purposes only.)

• Make sure that all the single roles associated to the composite roles are already imported into GRC box before you try to import the composite roles.

• Make sure that all the derived or imparting roles associated with the Master or Parent roles are already imported into GRC box before you try to import the Master/Parent roles.

• Also make sure that the Authorization Sync job is already run and successfully finished for the connector against which you are trying to import the single/composite roles. Otherwise it gives an error message "Composite Roles relation attribute and Authorization do not match."

• While importing, the role template looks like as shown below.

Composite Role    Associated single roles

 B$1HHHHHHHHHHHHH BHHHHHHHHHHHHHHHH

  B1HHHHHHHHHHHH

  B4HHHHHHHHHHHHHHHH

 B$4HHHHHHHHHHHHHH BHHHHHHHHHHHHHHH


  B>HHHHHHHHHHHHHH

  BJHHHHHHHHHHHHHHHH

• Provide application type, Landscape name, role name and other role details as per your requirement in the below screenshot and click on Next button.

Definition Criteria

• Application Type: It should be selected as SAP. If you are creating a Business Role, then it must be selected as Business Role.

• Landscape: This should be selected as the connector group name and in case of a Business Role, select it as "Role Management Business Groups".

• Overwriting Existing Roles: This option overwrites the roles already existing in the system if this is selected as "Yes". If you do not want to overwrite the Roles, select it as No.

Role Selection Criteria:

• Source System: Connector name from where the Role will be fetched.

• Role Updated After: Specify a date after which the Role was updated.

• All Roles except SAP Predefined Roles: Tick the check box if you want to import all the Roles into BRM except SAP Predefined Roles.

• Role From and Role To: Specify a range in between the Roles should be fetched.

• Methodology Status: This is important because this will decide whether the Role will be imported as "Complete" or "Initial". Role Methodology is the process followed for role creation and maintenance operation.

• In the below screen, select the Role Info file and Role authorization file which was earlier saved in desktop as shown below and click on Next button.

• Once you click on Next button, you will get the below screen and from here you can select "Preview all roles" button and can check if the roles are being shown before scheduling the Role Import job. If the roles are displayed and everything is fine, click on Next button.

• Once you click on Next button, you will get the below screen and from here you can execute role import job either in background or Foreground, depending on the volume of roles being imported.

• Once roles are imported you will get a screen as shown below which shows how many roles imported and how many roles not.

GRC Role Management Scenarios in BRM and PFCG

• In NWBC, you have Role Maintenance > Role Import link. Via this link you can bring roles existing in GRC plugins (for instance ECC, BW, and CRM) and synchronize them in the GRC Repository tables.

In GRC, we have these possible scenarios:

• R/3 roles are only synced by the role sync job, and never imported into BRM. We call them backend roles. In this case, the role exists only in table GRACRLCONN. And it can be deleted directly from PFCG, as the role sync will run and capture the deletion, and remove the role from GRACRLCONN table.

• R/3 roles are synced by the role sync job, and are IMPORTED into the BRM tool, via link "Role Import" in NWBC. In this case, the role exists in BRM. We call it BRM role. In this case, the role exists in both tables GRACROLE and GRACRLCONN. And it should only be deleted from BRM. When it is deleted from BRM, it will be removed from BRM and also a background job will automatically start to remove the role from PFCG and from GRACROLE and GRACRLCONN tables, and all other related tables, like GRACROLEAPPRVR (for approvers).

• If you delete a BRM role from PFCG directly, you break the whole chain. And it introduces inconsistencies to the application.

To improve this document further with different issues caused during role import, please share if you have any details so that it would be easy for the people who are searching for help on this topic.

Common Issues during Role Import

• Role import doesn't show all roles during "Preview Roles". Please implement below note in that scenario.

12MNMNJ - Role import does not show roles in the preview

Also check SCN discussion on the same: Role Import doesn't select all roles from source system

1JNO41 - Import derived role without master role

1JN0MN1 - Composite roles cannot be imported without single roles

Posted by Anil KC at 16:45

Mitigating Control Life Cycle

A high amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles for getting a better understanding of the processes and who is taking over the responsibility.

In this post I would like to clarify the lifecycle of Mitigating Controls. I have grouped them into four steps: Create, Change, Delete and Review. Please see for each step expected Tasks and who is involved.

On request from Colleen I have additionally added the RACI matrix to see who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this is very much depending on the point of view and can be different in your organization. My considerations are common sense and pretty much of thinking in smooth processes throughout a global enterprise.

Creation of Mitigating Controls

Tasks

Define the control including:

• Control description
• Control execution
• Control approver and control monitor
• Documentation of control execution
• Reports used to monitor the risk

Involved functions

• Control Owner
• Internal Control responsible
• SAP GRC responsible

Changing of Mitigating Controls

Tasks

Change the control for example:

• Control description
• Control execution
• Control approver and control monitor
• Documentation of control execution
• Reports used to monitor the risk

Involved functions

• Control owner
• Internal Control responsible
• SAP GRC responsible

Deletion of Mitigation Controls

Tasks

• Delete the mitigating control within SAP GRC AC
• Document the decision of deletion of the mitigating control

Involved functions

• Control Owner
• Internal Control responsible
• SAP GRC responsible

Reviewing of Mitigating Controls

Tasks

• Analyse if maintained controls within SAP GRC are still valid
• Analyse if the mitigating controls are covering the risk fully
• Test the effectiveness of the mitigating controls

Involved functions

• Control owner
• Internal Control responsible
• SAP GRC responsible

If you want to have further information or contribute in this blog post do not hesitate to contact me or reply to this post directly.

Posted by Anil KC at 16:*+

Mitigating Control Creation

1. Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions. Navigate to the IMG under Shared Master Data Settings and create a Root Org as shown below.

2. You will need to:

• Create User in SU01 master in GRC.
• Run the user sync jobs in GRC.
• NWBC - Access Management - Access Control Owners - Create an entry and select owner type as Mitigation Monitor or Mitigation Approver
• NWBC - Master Data > Organization - Assign user in Owner tab. After assigning the user to the organization then user can be maintained as Mitigation Approver/Monitor during Mitigation Control creation workflow.

3. Now create mitigation control from NWBC -> Setup -> Mitigation Controls -> Create

In SP13, when we are adding actions in the reports tab, an error message pops up as shown below. Without the report the mitigation saves without issue. I am also adding the Action value by clicking F4, searching and then adding it. To resolve this implement SAP Note: 1M0414M - Unable to save Mitigation control after adding AC Report

Mitigation Monitor: Mitigation monitor is the one who would be checking whether mitigation is being performed. This monitoring can be done either manually or alerts can be sent to the monitor. "Reports" which are maintained in reports tab of mitigating control will trigger an e-mail to the Mitigation approver if control monitor does not run that report within the frequency mentioned.

Alerts can be set through the program mentioned below by executing the Tcode GRAC_ALERT_GENERATE

Mitigation Approver: Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. In GRC 10.0 we have predefined workflow for this. We need to maintain the below configuration settings in SPRO.

Below mentioned standard workflows need to be enabled

Issues with Deletion of Mitigation Controls or MC assignments:

When deleting Mitigation Controls or Mitigation control assignments, we used to get a message task executed but deletion was not happening. After implementing the steps mentioned below issue was resolved.

1. Run transaction SM30
2. Display the view GRFNPARENT in change mode
3. Add new line
4. Entity = SUBPROCESS
5. Parent = ORGUNIT

Mitigation Control Assignment Workflow

In GRC we have standard SAP provided workflow for Mitigation control assignment. I have come across few queries w.r.t this workflow as the mitigation assignment approver is not able to view the details as the "VIEW DETAILS" button is greyed out as shown in below screen.

SAP has confirmed that this is the standard functionality and has released a note to inform all the users. Please check the below note for the same.

1M111>O - View Details is grey out in the Mitigation Control Assignment Approver screen

Mitigation Controls - Deleting Root org Issues

When few users tried to delete the root organizations which were created as part of creating mitigation controls through Tcode PPOM, they were getting some error message as shown below.

Assignment to subordinate objects (Organizational unit ABCD, for example), not possible

Resolution:

Execute the report RHRHDL00 and from here try to delete the root orgs and the issue will be fixed and they will be removed. But one thing to make sure is all the objects under the root org are deleted prior to this.

Transport Organizational Units / Mitigation Controls

There is no Transport Mechanism to move the Business Units/Organizational Units & Mitigation Controls from one Landscape to another Landscape in GRC Suite, because it is Master Data.

There is no Download & Upload functionality available for these Controls to move from one Landscape to another. Organizational Units & Mitigation Controls are tied together as these are shared among GRC Access Controls & Process Controls.

You need to recreate it in Destination Environment as Transport/Movement is not possible.

When you create the Organizational Unit with the Description in GRC, the System will generate a unique number for Organization Unit, which will be different for each system. That was the reason, we need to recreate Organizational Unit in each System.

But, Mitigating Control Assignments of User/Role/Profile/User Org/Role Org can be downloaded from one Landscape & can be uploaded to another Landscape.

Most convenient way to change existing mitigations is to use standard ABAP program for download and upload.

Go to SA38 and use the following programs:

GRACUPLOADMITASSIGNMENTS

GRACDOWNLOADMITASSIGNMENTS

Once you have downloaded the full list into an Excel file you can do your adjustments and upload it again. Hope this would be helpful.