Skip to Content
1

Regarding ARA Sync Jobs vs Ruleset

Mar 14, 2017 at 09:07 PM

150

avatar image

Hi Experts,

I have the following issues/questions while working on the ARA.

1. I know that PFCG_AUTHORIZATION_SYNC job will bring in the new Auth objects, values from SU24 to GRAC tables/Ruleset but wanted to know the below.

1. All new objects either brought in initially with actions or as part of changes for actions are at inactive status when loaded in to GRC and it is up to us to active the required critical objects? same with values/permission level? irrespective of check "YES" "NO" in SU24.

2. What if an object is removed or tcode is deleted? will it reflect the same in GRAC tables, i mean will it be removed from permissions under actions, actions will be automatically deleted from functions?

3. Also, if we update the GRC Ruleset (Action Permission, Actions) files (deactivating or changing couple of t-codes, permissions, values) will the PFCG_AUTHRIZATION_SYNC program will bring back the deactivated objects as active once the sync job is run. will any of the SYNC job overwrite the changes we make using GRAC_UPLOAD_RULES t-code. are they dependent? If not the sync jobs are to only update the Authorizations master data in to GRC?

Thanks,

Sri,

10 |10000 characters needed characters left characters exceeded

Good question and I also have these doubts.

There could be one article dedicated only to the details of all sync jobs in GRC.

0

There is a good article from Luciana Ullmann about it here:

https://wiki.scn.sap.com/wiki/display/GRC/The+Repository+-+GRC+Access+Control+10.0

Regards,

Marcelo

0
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Best Answer
Marcelo Monsores Mar 15, 2017 at 09:37 AM
0

Hi Sri.

The PFCG_AUTHORIZATION_SYNC only updates authorization master data in GRC AC. They will be used only when creating new functions or inserting actions or permissions in your existing ones. This synch job alone doesn't mess with your existing functions (and rules, consequently).

Regards,

Marcelo

Show 7 Share
10 |10000 characters needed characters left characters exceeded

Thank you very much Marcelo, this is excellent. Also, wanted to know about points 1 and 2 i mentioned. please let me know if you could provide some information on points 1 and 2.

Thanks,

Sri

0

Hi Sri.

PFCG_AUTHORIZATION_SYNC won't make changes to your existing ARA Functions. No actions or permissions will be automatically added/removed/changed to/from your already existing functions (and risk/rules, consequently) by PFCG_AUTHORIZATION_SYNC, even in a disabled state. If it finds something new or changed, it will have effect only on what you do from that point on. You would have to manually update your old Functions in this case.

Regards,

Marcelo

0

Ok Thanks Marcelo, then how the initial permissions are loaded in to the system is it by default values from SAP Global ruleset or PFCG_AUTHORIZATION_SYNC or someother program will bring those values from SU24 to GRACFUNCPRM table.

Thanks,

Sri

0

Hi Sri.

To load the initial permission sets from your systems, you need to use PFCG_AUTHORIZATION_SYNC against them.

To create your first ruleset, you can do it from scratch using this synch data or you can ignore it on a first instance and load SAP standard one by activating GRAC_RA_RULESET_* BC Sets in SCPR20. Then you can edit and update it with your synch data by deleting and reinserting actions.

Regards,

Marcelo

0
Marcelo Monsores

Ok,Thank you so much very helpful, also then when we run this program GRAC_PFCG_AUTHRIZATION_SYNC on a daily basis will this overwrite the changes we make to the GRACACTPRM file through upload rules or NWBC?

Thanks,

Sri.

0

Hi Sri.

Rules maintenance through NWBC or upload doesn't mess with GRACACT* tables. It only changes GRACBPROC, GRACRULESET, GRACFUNC* AND GRACSODRISK* tables.

GRACACTION, GRACAUTHPERM, GRACACTPERM and their sisters are only changed by GRAC_PFCG_AUTHRIZATION_SYNC, and old values are overwriten by new ones. These tables are used as reference when manually updating your rules.

Regards,

Marcelo

0
Marcelo Monsores

Thanks Marcelo for your help. sorry for the late response.

Thanks,

Sri

0