Financial Management Blogs by Members
alessandr0

Dear all,


I am writing this document because users on SCN and by email have asked me several times for a best-practice approach to synchronisation jobs. In every GRC implementation project, synchronisation jobs need to be scheduled to ensure that the necessary data from the backend systems is present in the GRC system. In this document I would like to share my experience in setting up the order and the frequency of the synchronisation jobs required for SAP Access Control.

Please note that the frequency can vary in your projects based on the requirements you have. In my experience, the following list is a good starting point.

| Job | Description | Program | Full / Incremental | Frequency | System / Connectors |
|---|---|---|---|---|---|
| Authorization Data | This job synchronizes the PFCG master data (SU24 values) from the backend system. | GRAC_PFCG_AUTHORIZATION_SYNC | n/a | Weekly | Development and productive systems |
| Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Full | Weekly | All connected systems |
| Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Incremental | Hourly | All connected systems |
| Transaction Usage | This job retrieves the executed transactions and usage date from the backend system. | GRAC_ACTION_USAGE_SYNC | n/a | Daily | Productive systems |
| Role Usage | This job retrieves the role usage information from the backend system. | GRAC_ROLE_USAGE_SYNC | n/a | Daily | Productive systems |
| Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Full | Monthly | Depending on rule set definition |
| Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Incremental | Daily | Depending on rule set definition |
| EAM Master Data | This job synchronizes the master data on the backend system to the Access Control repository. | GRAC_SPM_SYNC | n/a | Hourly | All systems where FF is defined |
| EAM Logs | This job synchronizes the logs of firefighting activities from the backend system and stores them in the Access Control repository. | GRAC_SPM_LOG_SYNC_UPDATE | n/a | Hourly | All systems where FF is utilized |
| Email Reminders | This job is used to send email reminders to an approver for pending access requests. | GRFNMW_BATCH_EMAIL_REMINDER | n/a | Daily | For MSMP processes in use |


I recommend running the jobs in the order listed above. The repository object synchronisation job can also be run separately for users, roles and profiles. If run separately, also run them in sequence as follows: users, roles and profiles.

To enable User Access Review (UAR), the following four jobs need to be run in this order:

  1. Role synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_ROLE_SYNC).
  2. User synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_USER_SYNC).
  3. Action Usage synchronisation (program GRAC_ACTION_USAGE_SYNC).
  4. Role Usage synchronisation (program GRAC_ROLE_USAGE_SYNC).
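
The following sketch checks that the four UAR prerequisite jobs actually completed in this order. It is an added example, not SAP code or part of the original post; it assumes the role and user synchronisations are run as the individual programs named above and that the job overview has been exported to a semicolon-separated text of the form `program;start;end;status` (the layout, the status values and the sample rows are constructed).

```python
from datetime import datetime

# Order required before User Access Review, as listed in the post.
UAR_ORDER = ["GRAC_ROLEREP_ROLE_SYNC", "GRAC_ROLEREP_USER_SYNC",
             "GRAC_ACTION_USAGE_SYNC", "GRAC_ROLE_USAGE_SYNC"]
FMT = "%Y-%m-%d %H:%M"

# Constructed sample export (assumed layout: program;start;end;status).
GOOD_LOG = """\
GRAC_ROLEREP_ROLE_SYNC;2024-03-04 01:00;2024-03-04 01:20;finished
GRAC_ROLEREP_USER_SYNC;2024-03-04 01:30;2024-03-04 01:55;finished
GRAC_ACTION_USAGE_SYNC;2024-03-04 02:00;2024-03-04 02:40;finished
GRAC_ROLE_USAGE_SYNC;2024-03-04 03:00;2024-03-04 03:10;finished
"""
# Constructed: user sync canceled, action usage started before role sync ended.
BAD_LOG = """\
GRAC_ROLEREP_ROLE_SYNC;2024-03-04 01:00;2024-03-04 01:20;finished
GRAC_ROLEREP_USER_SYNC;2024-03-04 01:30;2024-03-04 01:35;canceled
GRAC_ACTION_USAGE_SYNC;2024-03-04 01:10;2024-03-04 02:40;finished
GRAC_ROLE_USAGE_SYNC;2024-03-04 03:00;2024-03-04 03:10;finished
"""

def parse_log(text):
    """Return a list of (program, start, end, status) tuples."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prog, start, end, status = (f.strip() for f in line.split(";"))
        runs.append((prog, datetime.strptime(start, FMT),
                     datetime.strptime(end, FMT), status.lower()))
    return runs

def check_uar_chain(runs):
    """Walk the chain backwards from the latest role usage run; return findings."""
    findings, deadline = [], None   # deadline = start of the following step
    for prog in reversed(UAR_ORDER):
        own = [r for r in runs if r[0] == prog]
        if own and max(own, key=lambda r: r[1])[3] != "finished":
            findings.append(f"{prog}: most recent run did not finish")
        # A run is usable if it finished before the following step started.
        ok = [r for r in own if r[3] == "finished"
              and (deadline is None or r[2] <= deadline)]
        if not ok:
            findings.append(f"{prog}: no usable finished run")
            continue   # earlier steps are still checked against this deadline
        deadline = max(ok, key=lambda r: r[2])[1]
    return findings
```

An empty result from `check_uar_chain(parse_log(...))` means each job finished before the next one in the list started; any finding means the UAR data may be based on a stale or incomplete repository.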

Detailed information on the repository jobs (authorization data, repository objects, transaction and role usage) is available on the SAP Wiki: The Repository - GRC Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

I look forward to your valuable feedback and to hearing about the experience you have gained in your projects. Other approaches can be incorporated into this document.


Best regards,

Alessandro
