topic UME security vs ABAP security object level in Application Development and Automation Discussions

UME security vs ABAP security object level

Former Member — Wed, 03 Oct 2007 15:10:32 GMT

We installed Virsa Compliance Calibrator & Access Enforcer and trying to configure security in UME to control user access so that besides action level security, we need further restriction on for example, Functional Area, cost center & department access. Does UME have lower level authorization restriction capabilities similar to that of ABAP authorization object level security? If not, how can we utilize ABAP Virsa security objects to control JAVA front end access?

Your advice is much appreciated.

Thanks,

Re: UME security vs ABAP security object level

Former Member — Wed, 03 Oct 2007 16:00:12 GMT

Jessica,

Why do you want to go so granular in AE and CC? Are you concerned of the reports that are generated from CC.

Since Virsa is not built like the ABAP backend, you can only manage the GRC roles at the UME level. You will have the different roles in the UME for administrator, reporter, viewer, approver, and such.

Re: UME security vs ABAP security object level

Former Member — Wed, 03 Oct 2007 16:24:25 GMT

Hi Gabriel,

Thanks for replying, we need to go so granular because we have many different business units and our roles are built and grouped per BU so that each business unit BPO can only make AE requests, do reporting risks & approve for roles that they own.

Thanks,

Jessica

Re: UME security vs ABAP security object level

Former Member — Wed, 03 Oct 2007 20:34:44 GMT

Jessica,

Based on your comment <i>"...each business unit BPO can only make AE requests, do reporting risks & approve for roles that they own."</i>, can you tell me how your organization goes about actually assigning security? Does the BPO make the request then Security Admins assign the role, or what is your process?

Thanks,

Sandy

Re: UME security vs ABAP security object level

Former Member — Wed, 03 Oct 2007 21:28:37 GMT

Hi Sandy,

Yes BPO submit user and role change requests for their own business units only. For example Finance department has a set of roles that only assigned to their group and Sales department has their own set of roles. Each business unit has a BPO and when creating request can only view and select their roles to change. Security Admin(third party) checks for SOD using an existing tool and processes the request if no SODs exists. Security requests also need to tie to cost centre for request cost distribution.

We are exploring using ABAP side of VIRSA authorization objects but not sure how to link AE front end to the ABAP authorization check.

We added a custom field 'Cost Centre' in AE configuration. Do you or anyone know where we can add user exits in VIRSA to populate custom fields?

Thanks

Re: UME security vs ABAP security object level

Former Member — Thu, 04 Oct 2007 04:18:34 GMT

CC 5.2 does not have the object level security restrictions possible in the ABAP version, and it is not possible to use ABAP objects to secure JAVA access. As SAP continues to develop the 5.x version of the product, I am sure they will continue to close the gaps between the ABAP and JAVA versions of the product in future releases.

I have heard that SAP GRC does not push existing 4.0 customers to 5.0, 5.1, or 5.2 because they are aware of these functionality gaps.

Re: UME security vs ABAP security object level

Former Member — Thu, 04 Oct 2007 04:25:50 GMT

AE 5.2 provides a field mapping capability that allows you to map AE fields (including custom fields) to SU01 fields. This is located at Configuration -> Provisioning -> Field Mapping.

Documentation is sparse on this functionality so be sure to perform adequate testing.

Re: UME security vs ABAP security object level

Former Member — Tue, 09 Oct 2007 18:25:02 GMT

I'm not aware of a way to limit requestor access (you can request anything visible); however, you can provide direction by populating an attribute field (i.e. company) with valid company values for each role. When a requestor searches for a role, if they filter by the appropriate company, they will only see valid roles for the request. I did, however, point the request authentification towards a 'fake LDAP'. This prevents individuals without specific UME credentials from submitting a request.

However, you can restrict approvers using a custom approver/determinator. In my case, I wanted to use a combination of "role" and "usergroup" to determine approver, rather than use one approver set for all requests. I have implemented and confirmed this works. The unfortunate side affect, is that you have to maintain a seperate file for this custom A/D (which you have to refer to /append for any request for role approver information).