
Query

Former Member
0 Kudos

Hi All,

I am learning and implementing GRC in a manufacturing company.

I have a query on the maintenance of enabler roles in ECC 6.0...

For the creation of an enabler role, should we pick authorisation objects from all master roles or from the respective master roles? If from the respective master roles, then why? And what is the implication if I maintained them from all master roles?

Please help me with this issue.

10 REPLIES 10

Former Member
0 Kudos

Per my understanding, your query is more security related.

Please post in the security forum.

Regards,

Surpreet

simon_persin4
Contributor
0 Kudos

This will depend entirely on what you wish to achieve.

If you are creating enabler roles for a specific piece of functionality, you should refer to the individual master roles which relate to that functionality.

There is no point in having enabler roles based on all master roles as you could then end up facilitating additional undesired access or creating unnecessary authorisations within each of these roles.

Enabler roles rely on a very stringent security design and should not be undertaken lightly. It is very easy to end up with lots of unnecessary roles which cause huge issues for support and are difficult to then remediate.

Simon

0 Kudos

Hi Simon,

Thanks for replying to the thread...

As per the org structure of the company, for the purpose of GRC we have divided it into 27 functions, say Finance, DO, Planning etc.

Now, if I take the DO (Depot Officer) function, there are 14 master roles, say goods inwards, sales order mgmt, sales invoicing etc.

Now, for all these master roles we have some enabler roles, say Plant, Sales Org, Sales Areas etc.

For all these enabler roles I have picked authorisation objects from all master roles by mistake. Now the problem I am facing is the maintenance of unnecessary auth objects, as you mentioned. What would you suggest: should I maintain it in the right manner, or can I make some changes in this structure? Because rectifying this mistake will take around 15 days of data work, as I have created almost 9000 enabler roles.

Please suggest.

0 Kudos

Hi there,

From your last post, it seems like whichever path you take, you will have a fair amount of work to do. Correcting over 9000 enabler roles will not be fun.

I would be inclined to recommend that you revisit your security role design. As mentioned before, there is potential for using the enabler concept but it must be controlled to guard against such situations as you have experienced.

You may find it more appropriate to remove these roles and re-implement the design, perhaps using the Template and derived role concept or using a much more restrictive enabler concept if you truly want to administrate authorisations in this manner.

As mentioned in the other posts, perhaps the SAP Security courses ADM940, 950 would be of assistance if you have not already attended.

Simon

0 Kudos

Hi Simon,

Thanks for replying. I will post my query in the Security forum as suggested and will take a step after that, as redesigning 9000 enabler roles is going to be a big task.

Let me know about the security courses which you suggested. Are they online courses, and how can I get their reading material?

Regards,

Muskaan

sdipanjan
Active Contributor
0 Kudos

> I am learning and implementing GRC in a manufacturing company.

> I have a query on the maintenance of enabler roles in ECC 6.0...

> For the creation of an enabler role, should we pick authorisation objects from all master roles or from the respective master roles? If from the respective master roles, then why? And what is the implication if I maintained them from all master roles?

>

I just couldn't understand the comment "All Master Roles"?

If you are working in a Master-Derive role concept, then for each Derive role there should be only one Master role and not more than that. So it does mean that you have to have the derivation made from the respective Master Role.

Please post these kinds of queries (outside of GRC) in the Security forum. Also, allow me to be frank and suggest the SAP course ADM 940 to you.

regards,

Dipanjan

Former Member
0 Kudos

Hi Muskaan - definitely more of a security question, and you'd likely get a bit more response there, although the answer to your question would not change.

I just wanted to jump in and second what Simon has warned about. You'd likely be best off taking a step back and considering your design approach, what goals you are trying to achieve with your security design, what limitations or security considerations exist in your environment, and how you can best get to your end goal.

Since an enabler methodology is not your standard security design approach, it is very easy to implement it inappropriately and get yourself into a messy situation in short order. I would not recommend using an enabler design unless you have, or are working with those who have, implemented the design successfully in the past and can coach you on a structured implementation methodology. I have seen this methodology work great at many places (where it was done correctly), but have also seen it create a lot of headaches when it was implemented without the right experience.

Edited by: TDCumm16 on Sep 24, 2010 8:13 AM

0 Kudos

Hi there,

Thanks for replying to the thread.

I am working under the guidance of PWC and these guys are well proficient in this. I am stuck because of the situation I am facing with the enabler roles. Well, I will post this in the security forum and will take a step after that.

Regards,

Muskaan

Former Member
0 Kudos

Hi Muskaan,

Best of luck resolving your issue.

I believe from a more strategic or overall design perspective you should work to ensure you are approaching your role design in the most efficient manner. The primary advantage of your approach is to alleviate the burden of managing complex and deep organizational security requirements. Given the role counts you have mentioned and the estimation for # of days to adjust your roles, it sounds as if you are not harnessing the most important advantage of the methodology.

To specifically address your question on how to adjust your roles, please ensure that you are managing your enabler roles using a derivation approach. Create a parent/template master enabler role from which your individual enabler roles are derived. This will ensure any additional roles created or changes to your structure can be easily managed. For initial builds (or maybe a re-build in your case), utilizing eCATT scripts can be a big time saver to create or change a large number of roles in a more programmatic manner.

0 Kudos

I completely agree that using derivation is a good idea.

eCATT scripts are another example of a good tool when used properly, but be warned that unless you are experienced in using it, you can again mess up your system authorisations very quickly.

Get the design sorted first and really work out what you are trying to do. Then work out how you are going to do it.

Little steps eh?!

Simon