‎2011 Mar 25 2:59 PM
Hi,
I've been studying GRC, but I'm not finding anything that talks about the possibility of managing RSSM and RSECADMIN, both in SAP BI7, with GRC. Is it possible to manage the authorization objects with GRC? Or is only PFCG possible?
Thanks,
André
‎2011 Mar 25 4:16 PM
Hi Andre,
Not sure what exactly you are looking for, but here are some points to be noted:
1. User/role administration is always done directly in SAP (ECC, BI, etc.)
2. RSECADMIN is used to create the analysis authorization role which can be directly assigned to the users or can be linked to PFCG role via auth. object S_RS_AUTH and then assigned to the users
3. RSSM is an obsolete tcode from BI 7.0 version
4. GRC (Governance, Risk and Compliance) is to report role/user level SOD conflicts/sensitive access, manage emergency, super user access, etc.
Hope this helps!
Regards,
Laxman
‎2011 Mar 25 6:06 PM
Hi Andre,
To follow up on what Laxman said, yes, you utilize PFCG to maintain your basic authorizations in a BI system, and S_RS_AUTH object is in fact critical to this.
I also used a combination of RSECADMIN, RSECPROT, and some functions of RSA1 (for infoobject names, etc) to administer analysis authorizations in my BI landscape.
‎2011 Mar 25 6:21 PM
Moved to the GRC forum....
You can define whatever you want as an "action". Behind the "action" you can define your RSECADMIN related auths and field values for the ABAP auth objects which control the assignment.
It depends on how consistently you use them or possibly even determine the AA auths from the ERP ABAP roles? (this works nicely if it is already in place...).
Cheers,
Julius
‎2011 Mar 26 8:41 AM
I have the suspicion the question was more about CUP than RAR, i.e. can you automatically invoke extra steps other than assigning a PFCG role.
- In 5.3 you can't. I usually add a dummy role via role mapping which reminds the extra role owner to perform some manual steps.
- AC10 will have BRFplus rules which might allow you to add function module based activities in a notification rule.
Frank.