Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Position based provisioning with GRC Business Roles

Go to solution
heco_mark
Explorer

on ‎2019 Jul 26 12:50 AM

0 Likes
2,929

Hello,

Has anyone implemented position based provisioning with GRC Business Roles? Contrasting from the standard HR trigger which provisions/deprovisions technical or composite roles only for ECC, we are interested in a similar trigger that will provisions/deprovision with GRC Business Roles and therefore update user accesses in all connected systems (ECC, BI, CRM, GRC, Fiori, etc).

Can this be achieved through standard SAP--perhaps BRF+ or MSMP or does this require custom development?

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (1)

Accepted Solutions (1)

RameshVithanala
Active Participant
‎2019 Jul 31 1:44 PM
0 Likes

Hi Mark,

If you have SuccessFactors with HCI or DELL BHOOMI. With SFSF, HCI, BRF+ and Rule to Role Mapping, yes you can provisioning/deprovisioning Business Roles based on changes to user position.

Rule to Role mapping will have the Rules which will reside in GRC

EX:AP Position + CC = AP Rule and Assign all the BR to that rule. When BRF+ rule call that AP Rule all the necessary BR's will be assigned.

I tested the provisioning based on the SFEC HR Trigger for position and its working as expected, but I had some small issues with deprovisioning based on the SFEC HR Trigger for position(SAP might have fixed it by now)

Thanks

Ramesh

Show replies
Show replies

Answers (2)

Answers (2)

RameshVithanala
Active Participant
‎2019 Jul 30 4:44 PM
0 Likes

Hi Mark,

Provisioning of Business Roles to Position(Org Request) is not possible and also Provisioning of Business Role to users via position using traditional HR Trigger is also not possible. But you can achieve the same using SFEC HR Trigger(SFEC HR Trigger Rule)

Traditional HR Trigger will assign the relationship B 007 on the table HRP1001 only for Technical Role & Composite Role not for Business Role(as its virtual container)

Thanks

Ramesh

Show replies
Show replies
heco_mark
Explorer
‎2019 Jul 31 3:34 AM
0 Likes

Hi Ramesh: we have SuccessFactors with HCI. With SFSF, HCI, BRF+ and Rule to Role Mapping, we can achieve provisioning/deprovisioning Business Roles based on changes to user position?

former_member444004
Explorer
‎2020 Apr 22 11:15 PM
0 Likes

"Business Role to users via position using traditional HR Trigger is also not possible".

It's possible provide business role by HR Position using "Default role" feature to select the Business Role by attribute "Location". The "AC Field Name": LOCATION should be mapped on HR connector on action 0004 (Provisioning) to System Field Name: POSITION and "Table Name": IS_ISHRDATA and must maintaing configuration settings parameters (1302: NO, 2009: YES, 2010: 023, 2011: REQUEST, 2013: LOCATION) to Location atribute can be used as trigger to "Default role'.

Note: the HR Connector should also be maintained on User Details Data Source as HR and included on Integration Scenario "PROV".

rubens_muller
Participant
‎2021 Apr 30 6:19 PM
0 Likes

Security Team

Hi,

Can you inform a Blog that can help me follow this recommendation?

Thank you very much, friend

madhusap
Active Contributor
‎2019 Jul 26 12:46 PM
0 Likes

Hi Mark,

You can try using Mapped Roles option without any additional enhancement.

Assign roles to positions in ECC or S4HANA and the for those roles maintain mapped roles in GRC. During HR Triggers both Position based and mapped roles will be provisioned to the users.

Your mapped roles could be roles from other target systems like CRM, BW, PORTAL etc.

Common roles required for the users can be assigned using default roles during HR Triggers.

Regards,

Madhu

Show replies
Show replies
heco_mark
Explorer
‎2019 Jul 31 2:50 AM
0 Likes

Hi Madhu: we did look at the mapped roles method but decided against it during our implementation project. If we updated the mapping, there was no automated way to propagate the change to the users.

Ask a Question