09-12-2011 11:53 PM
Hello,
I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignments for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
Thanks in advance for your help!
John
09-13-2011 8:29 AM
Hi,
Another way is to use an identity management solution. Any IdM is pretty flexible. SAP has its own solution called SAP NetWeaver Identity Solution. There is a section dedicated to IdM here on SDN.
Cheers
09-14-2011 11:34 AM
Hi John,
There can be a manual control in place, and an individual should not assign role/s to himself / herself.
Otherwise, security team members can be assigned to a specific group (let's say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security. There should be a dedicated power user to assign the role/s to the security team members, and this can be audited (SM20 log for manual super user / FireFighter log for FireFighter user).
Thanks
Prasanna
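Added example, not part of any post in this thread: a Python sketch that checks the control described in the last reply against exported data. It flags security-team members whose S_USER_GRP authorizations still cover ACTVT 22 for the team's own group (including through `*` wildcards), self-assignments, and assignments to team members made by anyone other than the dedicated power user. The user IDs, group names, role names and record layouts are constructed for illustration and are not SAP export formats.

```python
# Added illustration: user IDs, groups, roles and record layouts are constructed.
ASSIGN = "22"  # S_USER_GRP activity the post names for role assignment

def value_matches(granted, wanted):
    """Authorization value match: '*' alone or as a trailing wildcard ('SEC*')."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def can_assign(auths, group):
    """ACTVT and CLASS must both match inside the SAME authorization."""
    return any(
        any(value_matches(a, ASSIGN) for a in auth["ACTVT"])
        and any(value_matches(c, group) for c in auth["CLASS"])
        for auth in auths
    )

def audit(users, auths, changes, power_user, group="SECURITY"):
    findings = []
    for uid, ugroup in users.items():  # design check: who could assign to the team?
        if ugroup == group and uid != power_user and can_assign(auths.get(uid, []), group):
            findings.append(("AUTH", uid))
    for actor, target, role in changes:  # log check: who actually did?
        if actor == target:
            findings.append(("SELF", actor, role))
        elif users.get(target) == group and actor != power_user:
            findings.append(("NOT_POWER_USER", actor, target, role))
    return findings

# Constructed sample data: user -> user group, user -> S_USER_GRP authorizations,
# and (changed_by, target_user, role) assignment records.
USERS = {"SEC_ANNA": "SECURITY", "SEC_BOB": "SECURITY",
         "PWR_ADMIN": "SUPER", "FIN_CARL": "FINANCE"}
AUTHS = {
    "SEC_ANNA": [{"ACTVT": ["01", "02", "03"], "CLASS": ["*"]},
                 {"ACTVT": ["22"], "CLASS": ["FINANCE"]}],
    "SEC_BOB": [{"ACTVT": ["*"], "CLASS": ["SEC*"]}],
    "PWR_ADMIN": [{"ACTVT": ["22"], "CLASS": ["SECURITY"]}],
}
CHANGES = [("SEC_ANNA", "FIN_CARL", "Z_FI_DISPLAY"),
           ("SEC_BOB", "SEC_BOB", "Z_BASIS_ADMIN"),
           ("SEC_BOB", "SEC_ANNA", "Z_SEC_ADMIN"),
           ("PWR_ADMIN", "SEC_ANNA", "Z_SEC_ADMIN")]

if __name__ == "__main__":
    for finding in audit(USERS, AUTHS, CHANGES, power_user="PWR_ADMIN"):
        print(finding)
```

SEC_ANNA passes the design check because her ACTVT 22 and her CLASS `*` sit in different authorizations, while SEC_BOB fails it through wildcards alone.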