Application Development and Automation Discussions

UME security vs ABAP security object level

Former Member
0 Likes
793

We installed Virsa Compliance Calibrator & Access Enforcer and are trying to configure security in UME to control user access so that, besides action level security, we need further restriction on, for example, Functional Area, cost center & department access. Does UME have lower level authorization restriction capabilities similar to that of ABAP authorization object level security? If not, how can we utilize ABAP Virsa security objects to control JAVA front end access?

Your advice is much appreciated.

Thanks,

1 ACCEPTED SOLUTION

Former Member
0 Likes
756

CC 5.2 does not have the object level security restrictions possible in the ABAP version, and it is not possible to use ABAP objects to secure JAVA access. As SAP continues to develop the 5.x version of the product, I am sure they will continue to close the gaps between the ABAP and JAVA versions of the product in future releases.

I have heard that SAP GRC does not push existing 4.0 customers to 5.0, 5.1, or 5.2 because they are aware of these functionality gaps.

7 REPLIES 7

Former Member
0 Likes
756

Jessica,

Why do you want to go so granular in AE and CC? Are you concerned about the reports that are generated from CC?

Since Virsa is not built like the ABAP backend, you can only manage the GRC roles at the UME level. You will have the different roles in the UME for administrator, reporter, viewer, approver, and such.


0 Likes
756

Hi Gabriel,

Thanks for replying, we need to go so granular because we have many different business units and our roles are built and grouped per BU so that each business unit BPO can only make AE requests, do reporting risks & approve for roles that they own.

Thanks,

Jessica


0 Likes
756

Jessica,

Based on your comment "...each business unit BPO can only make AE requests, do reporting risks & approve for roles that they own.", can you tell me how your organization goes about actually assigning security? Does the BPO make the request then Security Admins assign the role, or what is your process?

Thanks,

Sandy


0 Likes
756

Hi Sandy,

Yes, BPOs submit user and role change requests for their own business units only. For example, the Finance department has a set of roles that are only assigned to their group and the Sales department has their own set of roles. Each business unit has a BPO who, when creating a request, can only view and select their roles to change. Security Admin (third party) checks for SOD using an existing tool and processes the request if no SODs exist. Security requests also need to tie to cost centre for request cost distribution.

We are exploring using the ABAP side of VIRSA authorization objects but are not sure how to link the AE front end to the ABAP authorization check.

We added a custom field 'Cost Centre' in AE configuration. Do you or anyone know where we can add user exits in VIRSA to populate custom fields?

Thanks


0 Likes
756

AE 5.2 provides a field mapping capability that allows you to map AE fields (including custom fields) to SU01 fields. This is located at Configuration -> Provisioning -> Field Mapping.

Documentation is sparse on this functionality so be sure to perform adequate testing.


Former Member
0 Likes
756

I'm not aware of a way to limit requestor access (you can request anything visible); however, you can provide direction by populating an attribute field (i.e. company) with valid company values for each role. When a requestor searches for a role, if they filter by the appropriate company, they will only see valid roles for the request. I did, however, point the request authentication towards a 'fake LDAP'. This prevents individuals without specific UME credentials from submitting a request.

However, you can restrict approvers using a custom approver/determinator. In my case, I wanted to use a combination of "role" and "usergroup" to determine approver, rather than use one approver set for all requests. I have implemented and confirmed this works. The unfortunate side effect is that you have to maintain a separate file for this custom A/D (which you have to refer to /append for any request for role approver information).