on 08-09-2009 12:16 PM
Hello,
We are in process of SAP GRC AC 5.3 implementation, and our SAP System is not updated to SU24 (Authorization objects), in which USOBT_C is populated.
In GRC AC 5.3 Pre-implementation checklist, it is mentioned about the above, being necessary.
If the SAP System is not updated to SU24, then what is the other way, to upload authorization objects in RAR Post-Install Steps, after we have already completed SAP GRC Tools ( all the SCA files) install and backend RTA installation?
Thanks!
Abdul,
I don't know of any other automated way as the program is written to extract information from SU24. You can manually create the tab limited file which will take you some time.
Regards,
Alpesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
In your ERP system, schedule the two jobs (daily/weekly) and write the files to the application server.
In GRC, you can also do the import as a scheduled background job, which then accesses the files created in the previous step (provided the file system is accessible from GRC).
That's it - no more worries
Frank.
Thanks Frank for this valuable information.
In your ERP system, schedule the two jobs (daily/weekly) and write the files to the application server.
Question 1: What parameters should I give to the two jobs to write to the files on application server?
Question 2: Can I use the filesystem as /usr/sap/trans/eps/in or any other filesystem?
In GRC, you can also do the import as a scheduled background job, which then accesses the files created in the previous step (provided the file system is accessible from GRC).
Question 3: Should I use RAR for importing the files from filesystem, created in above step, as a scheduled background job?
Thanks!
Hi all,
I did follow the suggested steps by Frank, scheduled jobs on ECC and uploaded the files in RAR. However, the permissions in GRC have not been updated with the values from ECC files, even though the status of the jobs are successfully completed. Any thoughts / suggestions?
Thanks,
Gustavo
Hello Frank,
ok, I just see there is the possibility to upload server files, too. Seems I was too blind last time I looked in there.
Question answered (by myself)
to automate the upload of the SU24 data extract, which upload interface in the configuration tab do I have to use?
As per now, I know the sequence of steps to do is:
1. Create file (automated via batch job) from SU24 (report /VIRSA/ZCC_DOWNLOAD_SAPOBJ)
2. convert to UTF-8 format (how can this be automated?)
3. upload periodically into RAR via background job (from AIX based file system !)
Maybe you or anyone else can help me here.
Thanks
Thomas
Edited by: Thomas Schaeflein on Sep 23, 2009 3:30 PM
Abdul,
SU24 is used by GRC CC to define the authorization objects it should analyse in order to determine whether a certain access is granted to a user.
The system considered that if you are maintaining SU24 then all auth objects set to check are in fact required by a transaction in order to execute the functionality within it. GRC uses su24 as your default mapping of auth objects and field values to tcodes.
If you dont maintain su24 regularly when modifying security then you can still upload the SU24 data, however, there is a higher likelihood you will have false positives in your results. The end result is that your implementation team will have to invest more time in adjusting the rule book to increase the accuracy of the analysis results.
I hope this helps.
hi
1. Create file (automated via batch job) from SU24 (report /VIRSA/ZCC_DOWNLOAD_SAPOBJ)
==> SA38 --> Background --> create a variant where you fill out the value for the server + filename (no extension needed for filename) --> schedule periodically
2. convert to UTF-8 format (how can this be automated?)
--> not necessary ; in my system it is UTF-8 by default
3. upload periodically into RAR via background job (from AIX based file system !)
--> configuration tab --> upload objects --> permission --> choose system --> leave local file blank and fill out server location (drive letter) --> click background and schedule the job daily. This is not a heavy job, therefore daily.
Sam Szafranski
Senior Consultant
axl & trax
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You can upload SU24 file of any system. Download SU24 from a system where you have USOBT_C table maintained.
and upload the same in CC .
Regards,
Surpreet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I agree with Alpesh there is no other way to upload of SU24 auth objects. If you are not running your analysis at permission level for now you can continue without it by running analysis at Action level. Later you can upload it and run analysis at permission level.
Thanks,
Darshan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.