SAP GRC 10.0/10.1/12.0 – Role Import Functionality
The purpose of this document is to explain the role import features in GRC 10 and to discuss about all prerequisites for role import to avoid any issues. In this document import of composite roles was discussed rather than single roles.
Role Import Prerequisites
- Roles can be imported directly from the backend SAP system or using a role authorization data file.
- Define Role Selection criteria (like Business Process, Sub process, Project, Functional Area etc.) and import data source.
- Roles have to exist in the backend system.
- Role sync job has to be performed. [Very Important step]
- Roles from backend system can be downloaded by executing Tcode /N/GRCPI/AC_ROLE_DNLD or by executing the program /GRCPI/GRIA_DNLDROLES in SE38.
- Maintain parameters 3021 path, 3003 value and download roles with .txt file (File location) and .xls (Role Info File)
- Maintain business process, sub process, Project, Role status, System [Alphanumeric (32)] etc. in the Role Info File downloaded from backend system. Role status is very important attribute. Only roles which are maintained with status as “PRD or “PRO” (depending on your GRC SP) in BRM will be available for selection for users during access request creation.
- To maintain production status, Go to IMG => Governance Risk and Compliance => Access control => Role Management => Maintain Role Status
- Make sure to check the PRODUCTION STATUS checkbox for the status (Recommended is PRD or PRO (Depending on your GRC SP), but DEV and TST can be checked as production status based on the testing environment).
- Based on PRODUCTION STATUS settings configured, make sure each role status is set accordingly.
- Make sure that Provisioning Allowed flag and Auto Provisioning flag is be set to “Y (YES)” in the role info file.
- Make sure PROV scenario has been maintained for the connector for which you are importing the roles. [Best practice is to link all the integration scenarios AUTH,PROV,ROLMG,SUPMG to every connector to avoid any discrepancies]
- Maintain Mapping for Actions and Connector Groups – Ensure connection group in place for 0004 Provisioning
- Once Role Info File is maintained with all required attributes, save this file in Text Tab Delimited format.
- Now we will have two files which can be used for role import, Role Authorization text file and Role Info text tab delimited file.
Role Import in NWBC
- Logon to GRC frontend application (either using Portal or NWBC)
- Go to “Access Management” WorkCentre.
- Click on option ‘Role Import’ under ‘Role Mass Maintenance’. You will get below screen.
- In this document, we will discuss on role import feature by considering Import Source as “File on Desktop” for Role Attribute Source and “File on Desktop” for Role Authorization Source”.
- Role Attribute Source [Note: Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and just want to use roles for provisioning purposes only]
- Make sure that all the single roles associated to the composite roles are already imported into GRC box before your try to import the composite roles.
- Make sure that all the derived or imparting roles associated with the Master or Parent roles are already imported into GRC box before your try to import the Master/Parent roles.
- Also make sure that Authorization Sync job is already run and successfully finished for the connector against which you are trying to import the single/composite roles. Otherwise it gives an error message ‘’Composite Roles relation attribute and Authorization do not match.”
- While importing role template looks like as shown below.
Composite Role Associated single roles
- Provide application type, Landscape name, role name and other role details as per your requirement in the below screenshot and click on Next button.
- Application Type: It should be selected as SAP. If you are creating a Business Role, then it must be selected as Business Role.
- Landscape: This should be selected as the connector group name and in case of a Business Role, select it as ‘Role Management Business Groups’
- Overwriting Existing Roles: This option overwrites the roles already existing in the system if this selected as ‘Yes’. If you do not want to overwrite the Roles, select it as No.
Role Selection Criteria:
- Source System: Connector name from where the Role will be fetched.
- Role Updated After: Specify a date after which the Role was updated.
- All Roles except SAP Predefined Roles: Tick the check box if you want to import all the Roles into BRM except SAP Predefined Roles.
- Role From and Role To: Specify a range in between the Roles should be fetched.
- Methodology Status: This is important because this will decide whether the Role will be imported as ‘Complete’ or ‘Initial’. Role Methodology is the process followed for role creation and maintenance operation.
- In the below screen, select the Role Info file and Role authorization file which was earlier saved in desktop as shown below and click on Next button.
- Once you click on Next button, you will get the below screen and from here you can execute role import job either in background or Foreground, depending on the volume of roles being imported
- Once roles are imported you will get a screen as shown below which shows how many roles imported and how many roles not.
GRC Role Management Scenarios in BRM and PFCG
- In NWBC, you have Role Maintenance>Role Import link. Via this link you can bring roles existing in GRC plugins (for instance ECC, BW, and CRM) and synchronize them in the GRC Repository tables.
In GRC10, we have these possible scenarios:
- R/3 roles are only synced by the role sync job, and never imported into BRM. We call them backend roles. In this case, the role exists only in table GRACRLCONN. And it can be deleted directly from PFCG, as the role sync will run and capture the deletion, and remove the role
from GRACRLCONN table.
- R/3 roles are synced by the role sync job, and are IMPORTED into the BRM tool, via link “Role Import” in NWBC. In this case, the role exists in BRM. We call it BRM role. In this case, the role exists in both tables GRACROLE, and GRACRLCONN. And it should only be deleted from
BRM. When it is deleted from BRM, it will be removed from BRM and also a background job will automatically start to remove the role from PFCG and from GRACROLE and GRACRLCONN tables, and all other related tables, like GRACROLEAPPRVR (for approvers).
- If you delete a BRM role from PFCG directly, you break the whole chain. And it introduces inconsistencies to the application.
To improve this document further with different issues caused during role import, please share if you have any details so that it would be easy for the people who are searching for help on this topic
Common Issues during Role Import
- Role import doesn’t show all roles during “Preview Roles”. Please implement below note in that scenario.
Also check scn discussion on the same Role Import doesn’t select all roles from source system