
SAP SOLMAN configuration validation vs SAP GRC Rulesets

Gregnol
Explorer

Wondering if anyone has compared the two tools for evaluating users with specific authorizations.

Solman Configuration validation allows for the creation of a configuration store where you can maintain specific authorization combinations that are determined high risk or something that you would like to monitor. You create this as a baseline and monitor your target systems to evaluate if any users are in violation of any authorization combos. A report can then be scheduled to run with results saved. Alerts can probably be configured or monitored via a dashboard.

Within GRC you can build the same authorization combinations as part of a ruleset and schedule the evaluation. Results can be reviewed and actions can be taken.

Is there a benefit or need to use both? Can anyone think of the advantages or disadvantages of either tool?

Thank you

Accepted Solutions (1)


Colleen
Product and Topic Expert

Hi Robert

Must admit I'm not across the SolMan piece (but am curious). Do you have a link to the doco or which part of SolMan you can do this in?

For SolMan, is it just critical actions that you can configure, or is it also a combination of actions to obtain segregation of duties?

Does SolMan support cross-system risk analysis (conflicting functions are in two different systems)?

In addition to the above 2 clarifications, SAP Access Control also provides pre-delivered global rule set content for a baseline; ability to assign mitigating controls; dashboard reporting, easily configurable workflows and alerts, etc.

Of course, SAP Access Control is an additional license and installation whilst Solution Manager would already be in the on-prem landscape.

Cheers

Colleen

Gregnol
Explorer

Hi Colleen,

Here are some links to the SAP note that describes how the configuration validation tool works.

https://launchpad.support.sap.com/#/notes/2253549
https://support.sap.com/en/alm/solution-manager/expert-portal/change-diagnostics/configuration-valid...
https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Security#ConfVal_Security-anchor

From my understanding you can monitor combinations of actions. I'm not sure if you can do cross-system as the configuration validation is meant to measure a baseline system against target systems.

Here is a screenshot of the baseline provided by SAP. It looks very similar to the functions defined in GRC.

Colleen
Product and Topic Expert

Hi Robert

Thanks for the note - I'm in that note all the time for the attached ZIP file but hadn't been looking at SolMan side of it much.

Ah, I suspect this is what the Security Optimisation Service, etc. is based on as well, and it looks like pre-SAP Access Control configuration of critical action reports via SUIM RSUSR008_NEW and RSUSR009_NEW.

SolMan appears to support the critical actions and less the segregation of duties (though it looks technically possible to come up with a rule).

For example, the GRC ruleset has an SoD risk for Security: SU01 Maintain User/Assign Role in conjunction with PFCG change permissions. The risk is the ability to create a fictitious user or elevate your own privileges, etc.

There are several ways users can do this (SU01, SU10, PFCG for assignments) whilst role maintenance can include (PFCG, SE38/SA38 programs, SUPC, etc).

In SAP Access Control, you would define two functions (one for maintain user and one for maintain roles) and add each transaction/action and permission combination. When generating the rule set, GRC figures out every permutation to meet the risk.

In Solution Manager, you would probably need to figure out every permutation yourself and define it as a critical combination (i.e. unique COMB_ID). E.g. PFCG_SU01 would be S_TCODE PFCG AND SU01 AND all the other S_USER authorizations.

Also, SAP Access Control does provide the rule set as starting content and provides lifecycle management integration for your role design and user provisioning. You can then simulate the risk before you make the changes via your 'what if' analysis and finally define and assign mitigating controls where you cannot remediate.

Finally, you may find a different audience of users. SAP Access Control lends itself more towards a business audience (with training), such as Internal Controls or Process Owners. SAP Solution Manager - for this specific functionality - would be more the Basis/Platform or Security team.

Regards

Colleen
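The difference Colleen describes between the two tools, rule-set generation from functions versus hand-maintained critical combinations, can be illustrated with a small script. This is an added example, not code from the thread or from SAP; it models the "maintain user" and "maintain roles" functions from the post, expands them into every permutation (the list a SolMan configuration store would need entered as individual COMB_IDs), and then checks constructed sample users against both the expanded list and the function-level rule. The transaction codes are the ones named in the post; the S_USER_GRP/S_USER_AGR values, the risk ID SEC01 and the user records are illustrative assumptions, not SAP's delivered rule-set content.

```python
from itertools import product

# Constructed sample data (added example, not from the thread or SAP content).
# Each action is the set of authorizations a user needs to perform it. The
# S_TCODE values are the transactions named in the post; the S_USER_* entries
# are illustrative stand-ins for "all the other S_USER authorizations".
FUNCTIONS = {
    "MAINTAIN_USER": {
        "SU01": {"S_TCODE=SU01", "S_USER_GRP=02"},
        "SU10": {"S_TCODE=SU10", "S_USER_GRP=02"},
        "PFCG_ASSIGN": {"S_TCODE=PFCG", "S_USER_AGR=22"},
    },
    "MAINTAIN_ROLE": {
        "PFCG": {"S_TCODE=PFCG", "S_USER_AGR=02"},
        "SE38": {"S_TCODE=SE38", "S_USER_AGR=02"},
        "SA38": {"S_TCODE=SA38", "S_USER_AGR=02"},
        "SUPC": {"S_TCODE=SUPC", "S_USER_AGR=02"},
    },
}

# A risk is a pair of conflicting functions (risk ID is an assumption).
RISKS = {"SEC01": ("MAINTAIN_USER", "MAINTAIN_ROLE")}


def generate_combinations(functions, risks):
    """Expand each risk into every action permutation, as rule-set generation
    does. Returns {COMB_ID: required authorizations}. Each entry is one
    explicit critical combination a SolMan config store would list by hand."""
    combos = {}
    for risk_id, (fn_a, fn_b) in risks.items():
        for (act_a, auth_a), (act_b, auth_b) in product(
                functions[fn_a].items(), functions[fn_b].items()):
            combos[f"{risk_id}_{act_a}_{act_b}"] = auth_a | auth_b
    return combos


def violations(user_auths, combos):
    """COMB_IDs whose required authorizations the user fully holds
    (the expanded, combination-by-combination check)."""
    return sorted(cid for cid, req in combos.items() if req <= user_auths)


def risk_hits(user_auths, functions, risks):
    """Function-level check: a risk fires when the user can perform at least
    one action from each function in the pair. Same result as the expanded
    check, without enumerating the permutations."""
    def can_do(fn):
        return [act for act, req in functions[fn].items() if req <= user_auths]
    hits = {}
    for risk_id, (fn_a, fn_b) in risks.items():
        a, b = can_do(fn_a), can_do(fn_b)
        if a and b:
            hits[risk_id] = (a, b)
    return hits


# Constructed users: one with both sides of the conflict, two with one side only.
USERS = {
    "BASIS01": {"S_TCODE=SU01", "S_USER_GRP=02", "S_TCODE=PFCG",
                "S_USER_AGR=02", "S_USER_AGR=22"},
    "HELPDESK": {"S_TCODE=SU01", "S_USER_GRP=02"},
    "DEV01": {"S_TCODE=SE38", "S_USER_AGR=02"},
}

if __name__ == "__main__":
    combos = generate_combinations(FUNCTIONS, RISKS)
    print(f"{len(combos)} critical combinations generated from {len(RISKS)} risk(s)")
    for user, auths in USERS.items():
        print(user, "expanded:", violations(auths, combos),
              "function-level:", risk_hits(auths, FUNCTIONS, RISKS))
```

With three actions on one side and four on the other, a single risk already expands to twelve combinations; adding one more action to either function regenerates the list automatically in the function-based model, whereas the hand-maintained list has to be extended by every new pair. The check is deliberately simplified (it treats each authorization as a flat string and ignores organisational levels and field ranges), so it shows the rule-set logic rather than replacing either tool's evaluation.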
