
Role ownership survey

Hello ladies and gentlemen,

I would like to know if you (as a customer) or your customers use role ownership (for PFCG ABAP roles).

There is a field in AGR_DATEU for that, which was created before everybody went for GRC, so I don't think that one is used anywhere in ECC, for example. But I still know many companies have established this "role ownership" and I would like to know how people do it out there in the wild.

Do you use Excel sheets for that? Do you have a custom table to store that information? Do you do role reviews, or role assignment reviews performed by the role owners? It is all connected and I have no idea if there is a mainstream solution that is widely spread, or if there are special tricks people use, so I thought I could ask you what you do.

Thanks,

cheers Otto


4 Answers

  • Best Answer
    Former Member
    Posted on Nov 13, 2011 at 03:28 PM

    I have one customer who maintains a list of "requestable roles" in a custom table, and an owner is included there. From their portal the users can see this catalogue of roles and request them (the request mails go to the owner).

    I am sure there are a few similar solutions out there as it is quite simple and GRC CUP is basically the same principle.

    So... is anyone doing it differently? 😉

    Cheers,

    Julius


    • Former Member

      In my organisation business people own the roles, and some owners are very knowledgeable, but sadly a few are not.

      We have a role database that gives the owner for access and changes, and then specific authorisers for access and changes in case of staff being out of the office.

      We use these in various workflow applications (all outside of SAP) to ensure role requests can be approved. Once a request is approved by a role owner, CUP-style checks are done, mainly via Virsa Compliance Calibrator (remember that!), and risk-free requests are then provisioned.

      The downside is having to maintain the database of information when people move on (upwards or out of the organisation), and ensuring everyone who has a role owner / approval responsibility actually takes the task seriously.

      It would be better to try to have this in SAP, but with our external database you can query this from the intranet when requesting access.
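A worked illustration of the custom-table approach Julius describes above and of the deputy-approver idea from the comment that follows it, added here as example code (it is not code from the thread, from any SAP product or from the companies discussed): a constructed dictionary plays the part of a Z-table holding role owners (or the owner field in AGR_DATEU), a few constructed rows stand in for AGR_USERS, and the script builds one review pack per owner for a role assignment review. An owner's own assignments are routed to the deputy, and roles with no owner on file, expired-but-still-present assignments and self-review cases with no deputy are returned as findings for the security team rather than being sent to anyone for rubber-stamping. Every role, user name and date is invented.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: role-to-owner mapping, the kind of data a custom
# Z-table (or the owner field in AGR_DATEU) would hold. Names are invented.
ROLE_OWNERS = {
    "Z_FI_AP_CLERK":  {"owner": "OWNER_FI", "deputy": "DEPUTY_FI"},
    "Z_MM_PURCHASER": {"owner": "OWNER_MM", "deputy": None},
    "Z_BASIS_ADMIN":  {"owner": "IT_SEC",   "deputy": None},
}

# Constructed sample modelled on AGR_USERS: (role, user, valid-from, valid-to).
ASSIGNMENTS = [
    ("Z_FI_AP_CLERK",  "JSMITH",   date(2011, 1, 1), date(9999, 12, 31)),
    ("Z_FI_AP_CLERK",  "OWNER_FI", date(2011, 1, 1), date(9999, 12, 31)),  # owner holds own role
    ("Z_MM_PURCHASER", "AKHAN",    date(2010, 5, 1), date(2011, 6, 30)),   # expired, row still present
    ("Z_MM_PURCHASER", "BLEE",     date(2011, 3, 1), date(9999, 12, 31)),
    ("Z_BASIS_ADMIN",  "IT_SEC",   date(2011, 1, 1), date(9999, 12, 31)),  # owner, no deputy
    ("Z_SD_LEGACY",    "CWONG",    date(2009, 1, 1), date(9999, 12, 31)),  # no owner on file
]

# Constructed review date for the sample run.
REVIEW_DATE = date(2011, 11, 13)


def build_review_packs(assignments, owners, today):
    """Group every active assignment under the person who must review it.

    Returns (packs, findings). packs maps reviewer -> sorted list of
    (role, user). findings is a sorted list of (code, role, user) that the
    security team handles itself instead of sending to a role owner.
    """
    packs = defaultdict(list)
    findings = []
    for role, user, valid_from, valid_to in assignments:
        if valid_to < today:
            # AGR_USERS keeps expired rows; they should be cleaned up, not reviewed.
            findings.append(("EXPIRED_STILL_PRESENT", role, user))
            continue
        if valid_from > today:
            continue  # not yet valid; it is reviewed once it becomes active
        entry = owners.get(role)
        if entry is None:
            findings.append(("NO_OWNER", role, user))
            continue
        if user == entry["owner"]:
            # Nobody reviews their own access: route to the deputy if one
            # exists, otherwise flag it for the security team.
            reviewer = entry["deputy"]
            if reviewer is None:
                findings.append(("OWNER_REVIEWS_SELF", role, user))
                continue
        else:
            reviewer = entry["owner"]
        packs[reviewer].append((role, user))
    return {k: sorted(v) for k, v in packs.items()}, sorted(findings)


def format_pack(reviewer, items, today):
    """Render one reviewer's pack as the plain text that would go into the request mail."""
    lines = [f"Role assignment review for {reviewer} as of {today.isoformat()}"]
    for role, user in items:
        lines.append(f"  {role:<16} {user:<10} [ ] keep  [ ] remove")
    return "\n".join(lines)


if __name__ == "__main__":
    packs, findings = build_review_packs(ASSIGNMENTS, ROLE_OWNERS, REVIEW_DATE)
    for reviewer, items in packs.items():
        print(format_pack(reviewer, items, REVIEW_DATE))
        print()
    print("Findings for the security team:")
    for code, role, user in findings:
        print(f"  {code:<22} {role:<16} {user}")
```

Running it prints one pack each for OWNER_FI, DEPUTY_FI and OWNER_MM, and three findings (the expired AKHAN row, the ownerless Z_SD_LEGACY role and IT_SEC's unreviewable self-assignment). The deputy column is what makes the out-of-office case from the comment work without the security team approving on the owner's behalf.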

  • Posted on Nov 13, 2011 at 10:30 PM

    Hi Otto,

    Every company has this role ownership established, but some of them don't know about it 😊 The worst case scenario (a common one) is that all roles are owned by IT. In this case you don't have to maintain ownership of the role. The best scenario is that almost all roles are owned by the business. As usual, there are many solutions, but IMO the best suitable solution for this is IdM (I don't have too much experience with CUP, but IdM seems to be more flexible). You even have the attribute MX_OWNER on the role entry to capture who owns this role. It's also pretty flexible: it can be a user, a group and so on. You get out-of-the-box provisioning audit, hence you can easily perform an audit of role assignments.

    BTW "everybody went for GRC" is a really strong claim. From my experience not everyone went to GRC.

    Cheers


    • Former Member

      Gold,

      First of all, I'm glad for the feedback.

      I've exposed an example with a critical transaction. I mean, the role owner could define critical actions that they would like to be informed about when some user performs such an action. The SPM module of GRC covers some of these ideas. I didn't mean to control every user movement; it's impossible to work without a sort of "trust" relationship.

      Thank you very much indeed for your responses 😊

      Diego.

  • Former Member
    Posted on Nov 15, 2011 at 06:26 PM

    This is a great thread.

    Here at this weird company where I am, they have a big Excel listing most roles with a role owner. It gets reviewed and updated yearly. It is a terrible process. The role owners usually don't know what they "own" and rubber-stamp every change requested, or they don't know the full effect on a business process of proposed changes. Some role owners are smart, but it's very rare. Especially in global regions where they have 1 or 2 role owners for everything, it's so stupid.

    The best I've seen is my previous company, where Functional Analyst teams (OTC, ATR, MTS, etc.) each had a security lead who owns all roles for the area. The role naming convention embedded these area names in the role name. This person gathered any consent from the business, and it was mandatory for them to attend change meetings to represent the change. For cross-area roles, it was an informal discussion and one FA was picked to represent and approve the change. These roles got special attention at change approval meetings.

    I think role ownership is a bad idea. Roles are just fragments of a bigger business process.


    • Former Member Alex Ayers

      Hi

      Role ownership is a hinterland (is that the correct word?) where role owners rely on security to help guide them in their decisions (permissions, account types, yada yada). The roles (job/composite/etc.) are dynamic and need constant review to keep them in check (IMO).

      A spreadsheet/matrix of what users or user groups should do is a nice-to-have in a clearly defined org with set business processes, but in reality it's a bxxxh to follow quickly in admin when you get the "but they also need to... in their old job".

      Cheers

      David

      Can't spell BXXXh

      Edited by: David Berry on Nov 28, 2011 12:27 AM

  • Former Member
    Posted on Nov 30, 2011 at 04:43 PM

    Here's a question -

    We keep getting IdM vendor sales folks in here who tout that their product will allow BPOs the ability to make changes to roles themselves, like adding a transaction or an authorization object. That has always sounded like a disaster waiting to happen to me. Has anyone implemented this? And did disaster ensue?
