<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Question Re: Role Methodology Access Restriction in Additional Q&amp;A</title>
    <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919679#M135076</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dear both,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;did you check authorization object GRAC_ROLED? Never tested this, but you can restrict the activity as follows:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;01&lt;/TD&gt;&lt;TD&gt;Create&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;02&lt;/TD&gt;&lt;TD&gt;Change&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;03&lt;/TD&gt;&lt;TD&gt;Display&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;06&lt;/TD&gt;&lt;TD&gt;Delete&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;08&lt;/TD&gt;&lt;TD&gt;Change History&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;38&lt;/TD&gt;&lt;TD&gt;Perform&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;61&lt;/TD&gt;&lt;TD&gt;Export&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;64&lt;/TD&gt;&lt;TD&gt;Generate&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;71&lt;/TD&gt;&lt;TD&gt;Analyze&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;90&lt;/TD&gt;&lt;TD&gt;Copy&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;91&lt;/TD&gt;&lt;TD&gt;Maintain Approvers&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;B3&lt;/TD&gt;&lt;TD&gt;Derive&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;FS&lt;/TD&gt;&lt;TD&gt;Search All Roles&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V1&lt;/TD&gt;&lt;TD&gt;Compare&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V2&lt;/TD&gt;&lt;TD&gt;Synchronize&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V3&lt;/TD&gt;&lt;TD&gt;Maintain Authorization&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V4&lt;/TD&gt;&lt;TD&gt;Maintain Test Results&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V5&lt;/TD&gt;&lt;TD&gt;Assign Default Roles&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V6&lt;/TD&gt;&lt;TD&gt;Certify&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V7&lt;/TD&gt;&lt;TD&gt;Reaffirm&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example if the role management team should not be allowed to generate the roles do not give authorization for the same.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does that answer the question?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Alessandro&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 02 Mar 2015 22:11:00 GMT</pubDate>
    <dc:creator>alessandr0</dc:creator>
    <dc:date>2015-03-02T22:11:00Z</dc:date>
    <item>
      <title>Role Methodology Access Restriction</title>
      <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaq-p/10919677</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We are implementing BRM for a client. And the client wants to divide the role methodology authorizations among 3 set of admins. Meaning the &lt;/P&gt;&lt;UL style="list-style-type: disc;"&gt;&lt;LI&gt;&lt;STRONG&gt;First set of admins&lt;/STRONG&gt; can only &lt;STRONG&gt;Define Role, Maintain Authorizations and Derive Roles&lt;/STRONG&gt;. &lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Second set of users&lt;/STRONG&gt; can do &lt;STRONG&gt;Risk Analysis and assign Mitigation controls, Attach Test Cases and Initiate Approval &lt;/STRONG&gt;and the &lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Third set of admins&lt;/STRONG&gt; can do &lt;STRONG&gt;Role Generation&lt;/STRONG&gt;.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;How do we achieve this? Can we restrict the above set of users to see only those Tabs(see below screen) which suit their Job?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/attachments/storage/7/jiveimages/655826" width="450" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Mohamed Fazil&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 02 Mar 2015 07:01:37 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaq-p/10919677</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2015-03-02T07:01:37Z</dc:date>
    </item>
    <item>
      <title>Re: Role Methodology Access Restriction</title>
      <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919678#M135075</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Fazil,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We also have similar requirement where the team which creates roles through BRM are not aware of Risk analysis process and they don't want to perform risk analysis task. Below are steps we are following.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG style="text-decoration: underline;"&gt;Role Management Team:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;They receive a Service request for Creation of New Roles/Modification of existing roles from the Local Admin team with authorizations details.&lt;/LI&gt;&lt;LI&gt;Once received they will create role through BRM, and completes the steps Define Role and Maintain Authorization Data&lt;/LI&gt;&lt;LI&gt;Once they complete these steps will inform the GRC support team through Email to perform risk analysis for the roles which they created/modified.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG style="text-decoration: underline;"&gt;GRC Support Team&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG style="text-decoration: underline;"&gt;&lt;BR /&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;GRC Support team will run Risk Analysis and Impact analysis for the role and if there are any risks will share the details with the Local Admin team (one who initiates role changes) who in turn will mitigate the risk or suggest to cancel the changes.&lt;/LI&gt;&lt;LI&gt;If mitigate the risk, then it goes for Mitigation Assignment Approver and once approved, Local admin team informs the GRC Support team&lt;/LI&gt;&lt;LI&gt;GRC Support team verifies and then informs the Role Management team to proceed with next steps.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG style="text-decoration: underline;"&gt;Role Management Team:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;After confirmation from GRC support team, Role management team initiates the approval and up on approval will generate the role.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Basically, we defined this for a client based on their requirement and they are following the same as part of their Post Go-Live Operations &amp;amp; Support (O&amp;amp;S) process. By this we are making clear that the concerned team is responsible for any discrepancies.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am not sure whether you can restrict the steps in a methodology process based on authorizations or any other way. Let us check if the experts any advise for this &lt;SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.sap.com/1200/images/emoticons/happy.gif"&gt;&lt;/SPAN&gt; even I am looking forward for that.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Madhu.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 02 Mar 2015 08:27:51 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919678#M135075</guid>
      <dc:creator>madhusap</dc:creator>
      <dc:date>2015-03-02T08:27:51Z</dc:date>
    </item>
    <item>
      <title>Re: Role Methodology Access Restriction</title>
      <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919679#M135076</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dear both,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;did you check authorization object GRAC_ROLED? Never tested this, but you can restrict the activity as follows:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;01&lt;/TD&gt;&lt;TD&gt;Create&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;02&lt;/TD&gt;&lt;TD&gt;Change&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;03&lt;/TD&gt;&lt;TD&gt;Display&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;06&lt;/TD&gt;&lt;TD&gt;Delete&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;08&lt;/TD&gt;&lt;TD&gt;Change History&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;38&lt;/TD&gt;&lt;TD&gt;Perform&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;61&lt;/TD&gt;&lt;TD&gt;Export&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;64&lt;/TD&gt;&lt;TD&gt;Generate&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;71&lt;/TD&gt;&lt;TD&gt;Analyze&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;90&lt;/TD&gt;&lt;TD&gt;Copy&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;91&lt;/TD&gt;&lt;TD&gt;Maintain Approvers&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;B3&lt;/TD&gt;&lt;TD&gt;Derive&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;FS&lt;/TD&gt;&lt;TD&gt;Search All Roles&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V1&lt;/TD&gt;&lt;TD&gt;Compare&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V2&lt;/TD&gt;&lt;TD&gt;Synchronize&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V3&lt;/TD&gt;&lt;TD&gt;Maintain Authorization&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V4&lt;/TD&gt;&lt;TD&gt;Maintain Test Results&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V5&lt;/TD&gt;&lt;TD&gt;Assign Default Roles&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V6&lt;/TD&gt;&lt;TD&gt;Certify&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;V7&lt;/TD&gt;&lt;TD&gt;Reaffirm&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example if the role management team should not be allowed to generate the roles do not give authorization for the same.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does that answer the question?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Alessandro&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 02 Mar 2015 22:11:00 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919679#M135076</guid>
      <dc:creator>alessandr0</dc:creator>
      <dc:date>2015-03-02T22:11:00Z</dc:date>
    </item>
    <item>
      <title>Re: Role Methodology Access Restriction</title>
      <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919680#M135077</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Mohamed,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Administrators can take action , as per authorizations assigned to them. So, i think there is no substantial meaning of dividing role methodologies as per Admin.&lt;/P&gt;&lt;P&gt;Normally, methodology is divided as per type of roles(eg. single, composite) or System or Landscape, and not on Definition/Risk Analysis/Role generation because every role has to go through all the steps.i.e a role which is defined, will go through Risk Analysis and then generation. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Plaban&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Mar 2015 09:12:31 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919680#M135077</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2015-03-03T09:12:31Z</dc:date>
    </item>
    <item>
      <title>Re: Role Methodology Access Restriction</title>
      <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919681#M135078</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Plaban&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Large SAP sites with regional and country specific teams would have a requirement to split the different methodology steps between different members. Also, some might have the role definition and testing sit with Functional whilst the Authorisations sit with security. Some have role derivation and org value updates sit with one team whilst the rest sit with another.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This all comes back to business process for role management design. Splitting between role types is more common.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Colleen&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Mar 2015 09:17:49 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919681#M135078</guid>
      <dc:creator>Colleen</dc:creator>
      <dc:date>2015-03-03T09:17:49Z</dc:date>
    </item>
    <item>
      <title>Re: Role Methodology Access Restriction</title>
      <link>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919682#M135079</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Alessandro &lt;SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.sap.com/1200/images/emoticons/happy.gif"&gt;&lt;/SPAN&gt; It works.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 04 Mar 2015 07:27:13 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/role-methodology-access-restriction/qaa-p/10919682#M135079</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2015-03-04T07:27:13Z</dc:date>
    </item>
  </channel>
</rss>

