I would like to invite thoughts on the "Authorization Synchronization" job's importance in Risk Analysis.
As the name itself says, this will pull all the details: Org. values, transactions and objects from the respective connector. As we know, this is pulled and kept locally in the GRC system.
One direct impact of this is that, when we create a new function, transaction codes are displayed for the respective logical group in which the back end system is defined. If we don't run this authorization synchronization job and try to add any tcode in a new function, it does NOT display the details of that tcode. Also, it will not list all the relevant authorization objects in the "Permission" tab.
What I am looking for is how these "pulled" authorizations from the back end system are important in performing risk analysis. Does it mean that after synchronizing the authorizations with the back end system, GRC makes use of them while performing risk analysis for roles and users?
I ask because I noticed some dependency of risk analysis on this. I first synchronized all users/roles with the back end systems. Then I ran risk analysis. It did not show any risks, though there were many risks in the roles.
Then I created a test function and added a tcode to it. It did not show me any description of that tcode, and searching for any tcode did not fetch any results. Without any doubt, no objects were listed for that tcode.
Then I ran the "Authorization Synchronization" job and ran risk analysis, and I started getting violations for roles! Then I again added a new tcode to the test function, and this time it showed all the tcodes pulled from the back end system, with objects.
Is it like this: while performing risk analysis, GRC uses Roles/Users from the back end system + Synchronized Authorization Objects from the back end system + Rule Set in the GRC system?
I need to clear this concept. Please share your valuable inputs.