Skip to Content
avatar image
Former Member

GRC Business Role question

Hi all.

I have some questions regarding Business Roles and user relationship.

Lets imagine:


  • I have a Business role BR1 containing two single roles A and B
  • Now, i assign to a new user through the R/3 SU01 transaction roles A and B.


Questions are:

  • Is GRC aware that this user has assigned the Business Role BR1?
  • Is it possible to let to GRC know what is the mapping?


I have these question due i have assigned singles roles to users and i would like the requestors would be able to create requests to remove only Business Roles. However as the initial roles load was done diretly into R/3, GRC does not contain the relationship between user-business role.


Any solution?


Kind regards and thank you,


Sara.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Former Member
    Jan 09, 2015 at 04:01 PM

    Hi Sara,

    I hope you are keeping well.


    In summary, GRC only knows that a Business Role has been assigned to a user If it has been assigned from the GRC front end (i.e.via a Access Request). If you try to assign the individual roles directly in SU01 (i.e. trying to mimic a manual assignment of a business role), GRC will have no knowledge of this and treat it as a direct manual technical role assignment.

    It may be a good idea to create an additional workflow request type and path with minimum/no approval stages to allow you to perform mass business role assignment updates for users via GRC. You can secure the access to this request by ensuring only system admins have the ability to execute and access the new request type.


    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Sara,

      I don't think there is a OSS note available to describe this behaviour "officially" I am only going by the experience I have had in using the Business roles concept over the last 2 years or so.

      After trying many different methods of using Business roles, either via BRM or by simply uploading the definitions via the import sheets, I have found that assignments of business roles is only recognised and managed by the GRC system itself. Unfortunately, it is not smart enough to tally up manually assigned roles in the back end as a Business Role composition.

      the following Notes and articles of interest could help you conclude your findings confidently to be presented back to the customer:

      Business Roles concept and usability in GRC AC10 - Governance, Risk and Compliance - SCN Wiki

      The following entry (plus SAP note to support article) may make you realise the certain restrictions in using Business Roles. This is where I started to get slightly frustrated with the functionality.

      Recommendations for using Business roles provisioning in access request

      http://service.sap.com/sap/support/notes/1981001


      I believe for Business roles to be fully utilised and fully operational, they have to be assembled and assigned from Day 1 to all initial users in the landscape.


      Or a retrofit exercise takes place where the business roles are assigned to existing users to replace their technical assigned roles (i.e. ones either done manually in back end or via ARM).