Skip to Content

SAP GRC 10.0 Bus Role assignments

The organization I work for has used the concept of "Business Roles" for some time before the implementation of SAP GRC 10.0. We have a outside database that lists the Business Role and the associated technical roles that are assigned to all users. This has provided a great data source for populating the template and loading the business roles to SAP GRC 10.0. My issue, To allow our users to see what access that they have and other users have I need to map the end users to these business roles in GRC. This will allow specifically our trainers (who are responsible for submitting the provisioning request) the ability to see what business roles are assigned to specific users. The trainers and end users do not understand a technical role but do understand the business role model. My question:

How do I update GRC to show these mappings for users that already exist in SAP and no update is required on the back end system.

Add comment
10|10000 characters needed characters exceeded

1 Answer

  • Posted on Jun 17, 2019 at 05:55 AM

    Hi Michael,

    It is good that you have already created "Business Roles" in SAP GRC.

    As you already understood, Business roles are designed to make end user selection easy while submitting an access request but at the end of the day users get provisioned with technical roles which are inside the business role.

    Only GRC system will store the User to Business role assignment details as this helps if the biz role need to be de-provisioned from users or to push the updates of the business role to the users from GRC BRM.

    For your scenario you may need to reassign the roles to the users via GRC Business roles to achieve your objective. This could be a tedious exercise as you have to remove the existing roles and assign the same roles via GRC Business roles.

    Adding to it currently there is no mass business role assignment function available too.

    You can refer below SAP Notes.

    2511074 - Is there a program for Mass Business Role Update Assignment in GRC AC 10.0?

    2116829 - Mass load of Business role assignments to users

    Proposed Workaround

    Create a new MSMP workflow path with some new request type which can route the requests with that request type 'No Approval' path (i.e. requests get auto approved and roles are auto provisioned).

    Then create Multi-User access request to assign business role to your Users using the new request type which will get routed to No APPROVAL path.

    Note: Make sure that the role assignments does not cause any SoD/CA risk violations.

    Since this is a big and tedious exercise try to do it in batches with different groups or departments of users.



    Add comment
    10|10000 characters needed characters exceeded