Former Member

Query

Hi All,

I'm learning and implementing GRC in a manufacturing company.

I have a query about maintenance of enabler roles in ECC 6.0...

For creation of an enabler role, should we pick authorisation objects from all master roles or from the respective master roles? If from the respective master roles, then why? And what is the implication if I maintain them from all master roles?

Help me with this issue.


5 Answers

  • Former Member
    Sep 22, 2010 at 03:10 PM

    Per my understanding, your query is more security related.

    Please post in the security forum.

    Regards,

    Surpreet


  • Sep 23, 2010 at 04:51 PM

    This will depend entirely on what you wish to achieve.

    If you are creating enabler roles for a specific piece of functionality, you should refer to the individual master roles which relate to that functionality.

    There is no point in having enabler roles based on all master roles as you could then end up facilitating additional undesired access or creating unnecessary authorisations within each of these roles.

    Enabler roles rely on a very stringent security design and should not be undertaken lightly. It is very easy to end up with lots of unnecessary roles which cause huge issues for support and are difficult to then remediate.

    Simon


    • Former Member Simon Persin

      Hi Simon,

      Thanks for replying. I will post my query in the Security forum as suggested and will take a step after that, as redesigning 9000 enabler roles is going to be a big task.

      Let me know the security courses which you suggested. Are they online courses, and how can I approach for their reading material and all?

      Regards,

      Muskaan

  • Former Member
    Sep 23, 2010 at 10:54 PM

    > I'm learning and implementing GRC in a manufacturing company.

    > I have a query about maintenance of enabler roles in ECC 6.0...

    > For creation of an enabler role, should we pick authorisation objects from all master roles or from the respective master roles? If from the respective master roles, then why? And what is the implication if I maintain them from all master roles?

    I just couldn't understand the comment "All Master Roles" ?????

    If you are working in a Master-Derive role concept, then for each Derive role there should be only one Master role and not more than that. So it does mean that you have to have the derivation made from the respective Master Role.

    Please post this kind of query (out of GRC) in the Security forum. Also, allow me to be frank and suggest the SAP course ADM 940 for you.

    regards,

    Dipanjan


  • Former Member
    Sep 24, 2010 at 01:12 PM

    Hi Muskaan - definitely more of a security question, and you'd likely get a bit more response there, although the answer to your question would not change.

    I just wanted to jump in and second what Simon has warned about. You'd likely be best off taking a step back and considering your design approach, what goals you are trying to achieve with your security design, what limitations or security considerations exist in your environment, and how you can best get to your end goal.

    Since an enabler methodology is not your standard security design approach, it is very easy to implement it inappropriately and get yourself into a messy situation in short order. I would not recommend using an enabler design unless you have, or are working with those who have, implemented the design successfully in the past and can coach you on a structured implementation methodology. I have seen this methodology work great at many places (where it was done correctly), but have also seen it create a lot of headaches when it was implemented without the right experience.

    Edited by: TDCumm16 on Sep 24, 2010 8:13 AM


    • Former Member

      Hi there,

      Thanks for replying to the thread.

      I am working under the guidance of PWC and these guys are well proficient in this. I am stuck because of the situation I am facing for enabler roles. Well, I will post this in the security forum and will take a step after that.

      Regards,

      Muskaan

  • Former Member
    Sep 27, 2010 at 12:01 PM

    Hi Muskaan,

    Best of luck resolving your issue.

    I believe from a more strategic or overall design perspective you should work to ensure you are approaching your role design in the most efficient manner. The primary advantage of your approach is to alleviate the burden of managing complex and deep organizational security requirements. Given the role counts you have mentioned and the estimation for # of days to adjust your roles, it sounds as if you are not harnessing the most important advantage of the methodology.

    To specifically address your question on how to adjust your roles: please ensure that you are managing your enabler roles using a derivation approach. Create a parent/template master enabler role from which your individual enabler roles are derived. This will ensure any additional roles created or changes to your structure can be easily managed. For initial builds (or maybe a re-build in your case), utilizing eCATT scripts can be a big time saver to create or change a large number of roles in a more programmatic manner.


    • I completely agree that using derivation is a good idea.

      eCATT scripts are another example of a good tool when used properly, but be warned that unless you are experienced in using it, you can again mess up your system authorisations very quickly.

      Get the design sorted first and really work out what you are trying to do. Then work out how you are going to do it.

      Little steps eh?! 😉

      Simon