Skip to Content
avatar image
Former Member

Restricting Firefighter Access Request in GRC 10

Hi,

We are trying to implement SAP GRC 10 Firefighter Access Request.

Requirement: Finance users should see only Finance Firefighter ID's to select from the drop down box but not Security Firefighter ID's.

Please advise if this restrictions is possible at the Firefighter ID level. We were able to restrict Firefighter access at the system level with Connectors. We couldn't find any auth object to restrict the Firefighter ID at the ID level.

Thank you,

Krishna

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    avatar image
    Former Member
    Nov 03, 2015 at 01:23 AM

    Krishna,

    You may explore user groups (which in combinations with system level restrictions you already have can work pretty well)

    But rather than going through such an effort, using an easy to understand naming convention for your FF IDs may work better. In cases where a FFID request has to be made by someone other than end user (on end user's behalf i.e. is delegated), the business requirement you are working on may become too restrictive. So a naming conventions as simple as F_ECC_SEC01 may work better than altering the BRF+ rules.

    Regards

    Shivraj Singh

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Shivraj,

      Thank you for your quick response.

      I tried user groups but, it was not helpful to restrict at the FF ID level.

      We already have easy to understand naming convention for our FF ID's in place but we wanted to see if we can restrict the ID's with respect to the Department.

      Regards,

      Krishna

  • Nov 03, 2015 at 04:13 AM


    Hi Krishna,

    the standard SAP user role SAP_GRAC_END_USER, provides auth. object GRAC_USER. Could you check if User id/User group can be used to restrict FF id selection.

    Regards

    Plaban

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Plaban,

      Thank you for your advise!

      Auth object GRAC_USER from end user role did not allow me to restrict the FF ID's at the ID level. I was able to restrit at the system level but not at the FF ID level.

      Regards,

      Krishna

  • avatar image
    Former Member
    Oct 05, 2016 at 01:24 PM

    Hi Krishna,

    Could you please check below 2 authorization objects if it helps for restriction.

    GRAC_FFOWN

    GRAC_SYS

    Regards,

    Varun Jain

    Add comment
    10|10000 characters needed characters exceeded