on 2017 Mar 14 9:07 PM
Hi Experts,
I have the following issues/questions while working on the ARA.
1. I know that PFCG_AUTHORIZATION_SYNC job will bring in the new Auth objects, values from SU24 to GRAC tables/Ruleset but wanted to know the below.
1. All new objects, either brought in initially with actions or as part of changes for actions, are at inactive status when loaded into GRC, and it is up to us to activate the required critical objects? Same with values/permission level, irrespective of check "YES"/"NO" in SU24?
2. What if an object is removed or a tcode is deleted? Will it reflect the same in GRAC tables? I mean, will it be removed from permissions under actions, and will actions be automatically deleted from functions?
3. Also, if we update the GRC Ruleset (Action Permission, Actions) files (deactivating or changing a couple of t-codes, permissions, values), will the PFCG_AUTHORIZATION_SYNC program bring back the deactivated objects as active once the sync job is run? Will any of the SYNC jobs overwrite the changes we make using the GRAC_UPLOAD_RULES t-code? Are they dependent? If not, are the sync jobs only to update the Authorizations master data into GRC?
Thanks,
Sri
Hi Sri.
The PFCG_AUTHORIZATION_SYNC only updates authorization master data in GRC AC. They will be used only when creating new functions or inserting actions or permissions in your existing ones. This synch job alone doesn't mess with your existing functions (and rules, consequently).
Regards,
Marcelo
Hi Sri.
PFCG_AUTHORIZATION_SYNC won't make changes to your existing ARA Functions. No actions or permissions will be automatically added/removed/changed to/from your already existing functions (and risk/rules, consequently) by PFCG_AUTHORIZATION_SYNC, even in a disabled state. If it finds something new or changed, it will have effect only on what you do from that point on. You would have to manually update your old Functions in this case.
Regards,
Marcelo
Hi Sri.
To load the initial permission sets from your systems, you need to use PFCG_AUTHORIZATION_SYNC against them.
To create your first ruleset, you can do it from scratch using this synch data or you can ignore it on a first instance and load SAP standard one by activating GRAC_RA_RULESET_* BC Sets in SCPR20. Then you can edit and update it with your synch data by deleting and reinserting actions.
Regards,
Marcelo
Hi Sri.
Rules maintenance through NWBC or upload doesn't mess with GRACACT* tables. It only changes GRACBPROC, GRACRULESET, GRACFUNC* and GRACSODRISK* tables.
GRACACTION, GRACAUTHPERM, GRACACTPERM and their sisters are only changed by GRAC_PFCG_AUTHORIZATION_SYNC, and old values are overwritten by new ones. These tables are used as reference when manually updating your rules.
Regards,
Marcelo