SAP GRC 10.0/10.1/12.0 – Role Import Functionality
This document explains the role import features in GRC 10 and lists all prerequisites for a role import, so that the usual issues are avoided. The focus is on importing composite roles rather than single roles.
Role Import Prerequisites
- Roles can be imported directly from the backend SAP system or using a role authorization data file.
- Define the role selection criteria (Business Process, Sub Process, Project, Functional Area, etc.) and the import data source.
- Roles have to exist in the backend system.
- Role sync job has to be performed. [Very Important step]
- Roles can be downloaded from the backend system by executing transaction /N/GRCPI/AC_ROLE_DNLD or by running the program /GRCPI/GRIA_DNLDROLES in SE38.
- Maintain configuration parameters 3021 (path) and 3003 (value), then download the roles as a .txt file (File location) and an .xls file (Role Info File).
- Maintain Business Process, Sub Process, Project, Role Status, System [alphanumeric, 32 characters] etc. in the Role Info File downloaded from the backend system. Role Status is a very important attribute: only roles maintained in BRM with status “PRD” or “PRO” (depending on your GRC SP) are offered to users for selection during access request creation.
- To maintain production status, Go to IMG => Governance Risk and Compliance => Access control => Role Management => Maintain Role Status
- Make sure the PRODUCTION STATUS checkbox is ticked for the relevant status (PRD or PRO is recommended, depending on your GRC SP; DEV and TST can also be flagged as production status in a testing environment).
- Based on PRODUCTION STATUS settings configured, make sure each role status is set accordingly.
- Make sure that the Provisioning Allowed flag and the Auto Provisioning flag are set to “Y” (YES) in the Role Info File.
- Make sure the PROV integration scenario has been maintained for the connector for which you are importing the roles. [Best practice is to link all integration scenarios (AUTH, PROV, ROLMG, SUPMG) to every connector to avoid discrepancies.]
- Maintain Mapping for Actions and Connector Groups: ensure a connector group is in place for action 0004 (Provisioning).
- Once the Role Info File is maintained with all required attributes, save it in Text (Tab delimited) format.
- You now have the two files used for role import: the Role Authorization text file and the Role Info text (tab delimited) file.
Role Import in NWBC
- Logon to GRC frontend application (either using Portal or NWBC)
- Go to “Access Management” WorkCentre.
- Click on option ‘Role Import’ under ‘Role Mass Maintenance’. You will get below screen.
- In this document, the role import feature is described with Import Source set to “File on Desktop” for both the Role Attribute Source and the Role Authorization Source.
- Role Attribute Source [Note: the Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and only want to use the roles for provisioning.]
- Make sure that all single roles associated with the composite roles are already imported into the GRC box before you try to import the composite roles.
- Make sure that all derived (imparting) roles associated with the master or parent roles are already imported into the GRC box before you try to import the master/parent roles.
- Also make sure that the Authorization Sync job has already run and finished successfully for the connector against which you are importing the single/composite roles. Otherwise the import fails with the error message “Composite Roles relation attribute and Authorization do not match.”
- The role template used for the import looks like this (composite role in the left column, its associated single roles in the right column):

  Composite Role         Associated single roles
  YP1_XXXXXXXXXX_XXX     YJ_XXXXXXXX_XXXXXXXX
                         YJ1_XXXXXX_XXXXXX
                         YJ2_XXXXXXXXX_XXXXXXX
  YP2_XXXXXXXXX_XXXXX    YJ3_XXXXXXX_XXXXXXXX
                         YJ4_XXXXXXX_XXXXXXX
                         YJ5_XXXXXXXXXXX_XXXXX
- Provide the application type, landscape name, role name and other role details as required in the screen below, then click Next.
Definition Criteria
- Application Type: It should be selected as SAP. If you are creating a Business Role, then it must be selected as Business Role.
- Landscape: This should be selected as the connector group name and in case of a Business Role, select it as ‘Role Management Business Groups’
- Overwriting Existing Roles: if set to ‘Yes’, roles that already exist in the system are overwritten. If you do not want to overwrite existing roles, select ‘No’.
Role Selection Criteria:
- Source System: Connector name from where the Role will be fetched.
- Role Updated After: Specify a date after which the Role was updated.
- All Roles except SAP Predefined Roles: Tick the check box if you want to import all the Roles into BRM except SAP Predefined Roles.
- Role From and Role To: specify the range of role names to be fetched.
- Methodology Status: this is important because it decides whether the role is imported as ‘Complete’ or ‘Initial’. The role methodology is the process followed for role creation and maintenance.
- In the screen below, select the Role Info file and the Role Authorization file that were saved earlier on the desktop, then click Next.
- After clicking Next, you reach the screen from which the role import job can be executed either in background or in foreground, depending on the volume of roles being imported.
- Once the roles are imported, a result screen shows how many roles were imported and how many were not.
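Most import failures listed above (non-production status, provisioning flags not “Y”, missing mandatory attributes, composites uploaded before their single roles, derived roles uploaded before their master) can be caught before the job runs. The following pre-flight check is an added example, not part of the original document or of SAP's tooling: it parses a tab-delimited Role Info file, reports rows that would fail or would silently produce a role nobody can request, and returns the order in which the roles should be uploaded. The column names (ROLE_NAME, ROLE_TYPE, PROV_ALLOWED, SINGLE_ROLES, ...) and the sample rows are constructed for illustration; the real template downloaded with /GRCPI/GRIA_DNLDROLES defines its own headers, so map them before use.

```python
"""Pre-flight checks for a GRC Role Info file before running Role Import.

Added example; not part of the original document or SAP's tooling.
Column names are assumed for illustration: map the headers of the real
Role Info template (download via /GRCPI/GRIA_DNLDROLES) to these names.
"""
import csv
import io

# Statuses flagged PRODUCTION STATUS in IMG (PRD or PRO, depending on SP).
PRODUCTION_STATUSES = {"PRD", "PRO"}

# Constructed sample of a tab-delimited Role Info file (hypothetical columns).
SAMPLE_ROLE_INFO = "\t".join([
    "ROLE_NAME", "ROLE_TYPE", "SYSTEM", "BUS_PROCESS", "SUB_PROCESS",
    "ROLE_STATUS", "PROV_ALLOWED", "AUTO_PROV", "PARENT_ROLE", "SINGLE_ROLES",
]) + "\n" + "\n".join([
    "YP1_FIN_AP\tCOMPOSITE\tECC_CLNT100\tFIN\tAP\tPRD\tY\tY\t\tYJ_FIN_DISPLAY;YJ1_FIN_POST",
    "YJ_FIN_DISPLAY\tSINGLE\tECC_CLNT100\tFIN\tAP\tPRD\tY\tY\t\t",
    "YJ1_FIN_POST\tDERIVED\tECC_CLNT100\tFIN\tAP\tPRD\tY\tY\tYJ_FIN_POST_MASTER\t",
    "YJ_FIN_POST_MASTER\tMASTER\tECC_CLNT100\tFIN\tAP\tPRD\tN\tN\t\t",
    "YJ2_FIN_CLOSE\tSINGLE\tECC_CLNT100\tFIN\t\tTST\tY\tN\t\t",
    "YP2_FIN_GL\tCOMPOSITE\tECC_CLNT100\tFIN\tGL\tPRD\tY\tY\t\tYJ2_FIN_CLOSE;YJ9_MISSING",
]) + "\n"

# Upload phase per role type: singles and masters first, then derived roles,
# then composites (a composite fails if its single roles are not in BRM yet).
PHASE = {"SINGLE": 1, "MASTER": 1, "DERIVED": 2, "COMPOSITE": 3}


def parse_role_info(text):
    """Parse the tab-delimited Role Info file into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def check_role_info(text, already_in_brm=frozenset(),
                    prod_statuses=PRODUCTION_STATUSES):
    """Return (errors, upload_order) for a Role Info file.

    errors: 'ROLE: problem' strings for rows that would fail the import or
            produce a role that never appears in an access request.
    upload_order: role names sorted so every dependency precedes its dependant.
    already_in_brm: roles imported by an earlier run (dependencies may live there).
    """
    rows = parse_role_info(text)
    known = set(already_in_brm) | {r["ROLE_NAME"] for r in rows}
    errors = []
    for r in rows:
        name = r["ROLE_NAME"]
        # Mandatory attributes: the upload enforces them whether or not BRM is used.
        for col in ("BUS_PROCESS", "SUB_PROCESS", "SYSTEM"):
            if not r[col]:
                errors.append(f"{name}: {col} is mandatory but empty")
        if len(r["SYSTEM"]) > 32:
            errors.append(f"{name}: SYSTEM exceeds 32 characters")
        if r["ROLE_TYPE"] not in PHASE:
            errors.append(f"{name}: unknown ROLE_TYPE {r['ROLE_TYPE']!r}")
            continue
        # Only production-status roles are offered during access request creation.
        if r["ROLE_STATUS"] not in prod_statuses:
            errors.append(f"{name}: status {r['ROLE_STATUS']} is not a production status")
        # Master roles are normally never assigned directly, so their provisioning
        # flags may stay N; every other role must be provisionable.
        if r["ROLE_TYPE"] != "MASTER" and (r["PROV_ALLOWED"], r["AUTO_PROV"]) != ("Y", "Y"):
            errors.append(f"{name}: PROV_ALLOWED and AUTO_PROV must both be Y")
        if r["ROLE_TYPE"] == "DERIVED":
            if not r["PARENT_ROLE"]:
                errors.append(f"{name}: derived role has no PARENT_ROLE")
            elif r["PARENT_ROLE"] not in known:
                errors.append(f"{name}: master {r['PARENT_ROLE']} is neither in the file nor in BRM")
        if r["ROLE_TYPE"] == "COMPOSITE":
            singles = [s for s in r["SINGLE_ROLES"].split(";") if s]
            if not singles:
                errors.append(f"{name}: composite role lists no single roles")
            for s in singles:
                if s not in known:
                    errors.append(f"{name}: single role {s} is neither in the file nor in BRM")
    ordered = sorted((r for r in rows if r["ROLE_TYPE"] in PHASE),
                     key=lambda r: (PHASE[r["ROLE_TYPE"]], r["ROLE_NAME"]))
    return errors, [r["ROLE_NAME"] for r in ordered]


if __name__ == "__main__":
    errs, order = check_role_info(SAMPLE_ROLE_INFO)
    print("upload order:", order)
    for e in errs:
        print("ERROR", e)
```

On the sample above the check flags YJ2_FIN_CLOSE three times (empty Sub Process, status TST, Auto Provisioning not Y) and YP2_FIN_GL once (its single role YJ9_MISSING is in neither the file nor BRM), and places the master and single roles ahead of the derived role and both composites. Pass the set of roles already in BRM as `already_in_brm` when splitting the upload into several files, and widen `prod_statuses` if TST or DEV were flagged as production status in IMG.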
GRC Role Management Scenarios in BRM and PFCG
- In NWBC, you have the Role Maintenance > Role Import link. Via this link you can bring in roles that exist in the GRC plug-in systems (for instance ECC, BW and CRM) and synchronize them into the GRC repository tables.
In GRC10, we have these possible scenarios:
- R/3 roles are only synced by the role sync job and never imported into BRM. We call them backend roles. In this case the role exists only in table GRACRLCONN, and it can be deleted directly in PFCG: the next role sync captures the deletion and removes the role from GRACRLCONN.
- R/3 roles are synced by the role sync job and are IMPORTED into the BRM tool via the “Role Import” link in NWBC. In this case the role exists in BRM; we call it a BRM role. The role exists in both tables GRACROLE and GRACRLCONN, and it should only be deleted from BRM. When it is deleted from BRM, it is removed from BRM and a background job automatically starts to remove the role from PFCG, from GRACROLE and GRACRLCONN, and from all other related tables such as GRACROLEAPPRVR (for approvers).
- If you delete a BRM role from PFCG directly, you break the whole chain. And it introduces inconsistencies to the application.
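The three states above can be checked rather than trusted. The following script is an added example, not SAP code: it takes extracts of GRACROLE (BRM roles) and GRACRLCONN (roles captured by the role sync, per connector) and classifies every role as a backend role, a BRM role, or an orphan that is in GRACROLE but no longer synced from its connector, which is the signature of a BRM role deleted directly in PFCG. The column names ROLE_NAME and CONNECTOR and the sample rows are assumed for illustration; take the real field names from the table definitions in SE11, and run the role sync before comparing, otherwise a stale GRACRLCONN produces false orphans.

```python
"""Classify GRC role records to spot BRM roles deleted in PFCG behind BRM's back.

Added example; not SAP code. Works on extracts of GRACROLE (BRM roles) and
GRACRLCONN (roles synced from each connector). ROLE_NAME and CONNECTOR are
assumed column names; the sample rows below are constructed.
"""

# Constructed sample extract of GRACROLE: roles that exist in BRM.
GRACROLE_ROWS = [
    {"ROLE_NAME": "YP1_FIN_AP", "CONNECTOR": "ECC_CLNT100"},
    {"ROLE_NAME": "YJ_FIN_DISPLAY", "CONNECTOR": "ECC_CLNT100"},
    {"ROLE_NAME": "YJ_OLD_REPORT", "CONNECTOR": "ECC_CLNT100"},  # deleted in PFCG directly
]
# Constructed sample extract of GRACRLCONN: roles seen by the last role sync.
GRACRLCONN_ROWS = [
    {"ROLE_NAME": "YP1_FIN_AP", "CONNECTOR": "ECC_CLNT100"},
    {"ROLE_NAME": "YJ_FIN_DISPLAY", "CONNECTOR": "ECC_CLNT100"},
    {"ROLE_NAME": "YJ_HR_PAYROLL", "CONNECTOR": "ECC_CLNT100"},  # backend-only role
    {"ROLE_NAME": "YJ_FIN_DISPLAY", "CONNECTOR": "BW_CLNT200"},  # same name, other system
]

BACKEND_ONLY = "backend role: may be deleted in PFCG; role sync removes it from GRACRLCONN"
BRM_ROLE = "BRM role: delete only from BRM, which also removes it from PFCG and the GRAC* tables"
ORPHANED = "inconsistent: in GRACROLE but not synced from the backend (deleted in PFCG directly?)"


def classify_roles(gracrole_rows, gracrlconn_rows):
    """Return {(role_name, connector): classification} over both extracts.

    The key includes the connector because the same role name can exist in
    several backend systems and each is a separate record.
    """
    brm = {(r["ROLE_NAME"], r["CONNECTOR"]) for r in gracrole_rows}
    synced = {(r["ROLE_NAME"], r["CONNECTOR"]) for r in gracrlconn_rows}
    result = {}
    for key in brm | synced:
        if key in brm and key in synced:
            result[key] = BRM_ROLE
        elif key in synced:
            result[key] = BACKEND_ONLY
        else:
            result[key] = ORPHANED
    return result


def orphaned_brm_roles(gracrole_rows, gracrlconn_rows):
    """Roles that must be cleaned up from the BRM side, never by another PFCG change."""
    verdicts = classify_roles(gracrole_rows, gracrlconn_rows)
    return sorted(key for key, verdict in verdicts.items() if verdict == ORPHANED)


if __name__ == "__main__":
    for (role, connector), verdict in sorted(classify_roles(GRACROLE_ROWS, GRACRLCONN_ROWS).items()):
        print(f"{connector:12} {role:16} {verdict}")
```

On the sample data YJ_OLD_REPORT on ECC_CLNT100 is reported as the orphan, YJ_HR_PAYROLL (and YJ_FIN_DISPLAY on BW_CLNT200) as backend-only roles, and the two remaining ECC roles as BRM roles. An orphan should be removed through BRM (or re-created in PFCG and re-synced) rather than by touching PFCG again, which is the chain-breaking step described above.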
To improve this document further with the different issues encountered during role import, please share any details you have, so that it becomes easier for people searching for help on this topic.
Common Issues during Role Import
- Role import does not show all roles during “Preview Roles”. Apply the SAP Note below in that scenario.
1897975 – Role import does not show roles in the preview
Also check the SCN discussion on the same topic: Role Import doesn’t select all roles from source system
1576321 – Import derived role without master role
1570971 – Composite roles cannot be imported without single roles
What are the Prerequisite of role Import?
Hi Wasim,
This document has a clear heading under which prerequisites are clearly discussed. Please check it out.
Regards,
Madhu.
Madhu,
Very nice document. Just one observation: in our SP12 system we had to reconfigure to change PRD to PRO, then re-import to change the corresponding attribute for all the production roles in order to get roles to come into the request when using the Copy Request functionality. It was quite a bit of work to do in all three tiers, but that was the solution offered by AGS.
Another tip concerning role imports: if it errors on any role, sometimes you will get an explanation as to the cause of the error, and other times there is no explanation at all and you just have to figure out what you did wrong.
Regards,
Gretchen
Hi Madhu
Nice piece going through a topic that's had quite a few questions in SCN recently 🙂
Possibly you could add:
Tiny critique (sorry, but it's the pedantic in me)... try using a solid square to block out sensitive information instead of the red squiggles (if using MS Paint for your screenshots it's easier to do).
Regards
Colleen
Hi Gretchen and Colleen,
Thank you so much for your valuable inputs and suggestions. I have included the topics highlighted by you in the same document.
Regards,
Madhu.
thanks for fixing the screen shots up - much easier to read and look at them 🙂
Great to see you producing this material!
Hi Madhu/Colleen:
I am NOT using BRM to manage roles in my system. Do I still have to import both the files, the Role Authorization text file and the Role Info text tab delimited file? I believe importing the Role Info file is enough. Your input is very valuable. Please advise.
Regards
Ashish
Hi Ashish,
If you don't want to maintain your roles in BRM, no need to have Role authorization text file and you can skip it. Actually we are also not using BRM 🙂
Regards,
Madhu.
Thanks a BUNCH! Made my life a little easier. Assigning Business processes; subprocesses and approvers to each role is also a big task.
Once again I appreciate your quick reply,
Hi Ashish
if using CUP/ARQ - be careful that the agent for role owner won't work if you don't maintain it
Regards
Colleen
Is there a way we can make the Business Process and Sub Process NOT mandatory while importing the roles to GRC 10.0 - BRM?
Hi Ashish
If you were to manually create the role in BRM are you required to complete those fields?
Regards
Colleen
Yes Colleen. They are mandatory while creating a role in BRM. BUT, I am not using BRM at the moment. I am using PFCG to maintain roles in the backend. But, for AC to identify the roles in the target system, I need to upload them in ERM. (Of course you knew that.)
Regards
Ashish
The problem is that you are still storing them in the BRM repository, so SAP is going to make it mandatory. The upload would not know if you use BRM or not.
As great as integration is, this is an example of the downside.
Great work.
Regards,
Jay
A Big Thanks ...
Very good Explanation..
Excellent Job
Some Generic comments: Some roles are NOT maintained as ACTIVE roles in ERM - (GRC 5.3); and I just wanted to upload the only currently active ECC roles from ERM to GRC 10 - ECC landscape (BRM).
Interesting facts (advantages):
1. Roles - deleted in back-end systems and are active in 5.3 but NOT removed from 5.3 - cannot be uploaded to BRM (GRC10) if not found in back-end system
2. All the Parent roles which are NOT maintained in 5.3 as active roles, MUST be imported to BRM as they might have some child roles, that are ACTIVE. IF you need to upload child role - the PARENT must be uploaded FIRST.
3. Make sure you make 3 separate files when you upload the roles. a. Parent roles - NOT to be assigned to anyone (as per most of the companys' policy) - so provisioning should NOT be allowed b. Single roles (which are not derived and parent) - provisioning must be allowed c. Derive roles - provisioning must be allowed and master role must be mentioned - YOU NEED ONE MORE FILE - IF YOU ARE USING COMP ROLES.
Once again, good job Madhu.
Regards
Ashish
Thanks Ashish for adding in more details which would be very helpful for the people with same issue.
Regards,
Madhu.
Hello Colleen Ashish and Madhu.
I would need some help. I have imported a role with both the Role Attributes and Role Authorization options. The role import into GRC10 is successful. The purpose is just for ARQ and not for BRM. But I need to assign Role Owners since that is going to be the approver in the ARQ workflow. Somehow, I am unable to assign the Role Owner to a role when I go to Role Maintenance -> Owners/Approvers tab. I see that area is not greyed out, but it does not allow me to add an owner. The user is correctly tagged as "Role Owner" in the Role Owner option. Basically the 3 options Add, Remove and Default approvers are all greyed out.
Any help is appreciated.
Thanks
Snehal Pandya
Hi Snehal:
Sorry for the late reply. If you are not using BRM, you just need to import one file. Do you import the role as Complete and in PRD status? You can assign approvers in the import file itself. If you have already imported the role, you can search for that role, then open it and make modifications to the approver.
Regards
Ashish
Hi,
When ARA runs a risk analysis, does it ALWAYS communicate with the back-end systems to fetch the role contents ?
Meaning .. although you might have decided to go through with the import of the "Role authorization file", would the risk engine ignore the fact that the role content is sitting inside GRC .
My logic is .. not having to communicate with the back-end system would mean a serious time-saver for the risk engine to produce audit results;
thanks for the replies,
Hello Sam:
The users are not in the GRC system even if you have the roles with authorizations in the GRC system. So, whether the risk analysis is done user based or role based, it checks for the connector and runs it. If you have roles in the GRC system, you can use the GRC connector and execute the risk analysis. You are right, it would save time for AUDIT reports, but we would rather have a correct report than a fast report.
Hope this helps.
Regards
Ashish
Due to the low performance I was convinced GRC fetches constantly..
Now, I have confirmation. Thanks
Hi Madhu,
I am not using BRM. So, I have not uploaded the role auth. file. I am only using provisioning, so I have uploaded the composite and single roles. But when I open the composite role, the 'Roles' tab does not show its single roles. How do I show the single roles?
Regards
plaban
Hi Plaban
did you upload the single roles first before you uploaded the composite roles?
Regards
Colleen
Hi colleen,
I uploaded the single roles first, and then composite role
Regards
plaban
Nice document Madhu, thank you
Nice document. But I have a question.
If any modification is done in a composite role, like adding/removing single roles, then we must re-import the single/composite role into the GRC system to be in sync with the backend system. Do we have any program that can be run in background every week so that it automatically gets re-imported without manually re-importing it? Thanks.
Regards,
Surya
I have an issue while doing role import, can anyone help me out? We have implemented ARM and BRM is not implemented. I'm trying to do role import using an Excel file for ARM role purposes, and while doing so I'm getting an error "Correctly define the logical connection in CCITS". Does anyone have an idea?
Hello All,
We have an issue with Role Approvers/Role Owners. We have imported the roles along with approver and alternate approver through the template, and the role import is fine: if you search roles in role search through NWBC I am getting both the approvers. But during request provisioning (when an access request is submitted) it shows only one approver, and also when the approver is not there or not maintained, the request is failing. Can anyone help me or guide me on the same?
Thanks in Advance.
Hallo,
According to which principle are the business process and sub-process assigned?
The composite roles are named after departments. Are there any suggestions on how to choose the processes? Should I take the SAP standard processes or deposit new ones in the SPRO?
Thanks for your help.
Ilona
I am fairly new to GRC. We are wanting to continue to maintain our roles via PFCG but do user provisioning via GRC. There are several comments in this blog that mention that method but I am not clear on which configuration steps mentioned in this blog actually need to be performed to use our preferred method.
Statements in blog that mention my scenario:
'Role Attribute Source [Note: Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and just want to use roles for provisioning purposes only]'
and
'R/3 roles are only synced by the role sync job, and never imported into BRM. We call them backend roles. In this case, the role exists only in table GRACRLCONN. And it can be deleted directly from PFCG, as the role sync will run and capture the deletion, and remove the role from GRACRLCONN table.'
Thank you,
Myra Gill
I figured it out. There are two files, I only need to load the 'Role Attribute Source' and not the other file.
Sorry, the wording was confusing !!