The purpose of this document is to explain the role import feature in GRC 10 and to discuss all prerequisites for role import so that issues can be avoided. This document discusses the import of composite roles rather than single roles.


Role Import Prerequisites


  • Roles can be imported directly from the backend SAP system or from a role authorization data file.
  • Define the role selection criteria (Business Process, Sub Process, Project, Functional Area etc.) and the import data source.
  • Roles have to exist in the backend system.
  • The role sync job has to be performed. [Very important step]
  • Roles can be downloaded from the backend system by executing Tcode /N/GRCPI/AC_ROLE_DNLD or by executing the program /GRCPI/GRIA_DNLDROLES in SE38.
  • Maintain parameters 3021 (path) and 3003 (value) and download the roles as a .txt file (File location) and a .xls file (Role Info File).
  • Maintain Business Process, Sub Process, Project, Role Status, System [alphanumeric (32)] etc. in the Role Info File downloaded from the backend system. Role Status is a very important attribute: only roles maintained with status “PRD” or “PRO” (depending on your GRC SP) in BRM will be available for selection by users during access request creation.
  • To maintain the production status, go to IMG => Governance Risk and Compliance => Access Control => Role Management => Maintain Role Status.
  • Make sure the PRODUCTION STATUS checkbox is checked for the status (recommended is PRD or PRO, depending on your GRC SP, but DEV and TST can also be checked as production status depending on the testing environment).
  • Based on the PRODUCTION STATUS settings configured, make sure each role's status is set accordingly.
  • Make sure that the Provisioning Allowed flag and the Auto Provisioning flag are set to “Y” (YES) in the Role Info File.
  • Make sure the PROV integration scenario has been maintained for the connector for which you are importing the roles. [Best practice is to link all the integration scenarios AUTH, PROV, ROLMG and SUPMG to every connector to avoid any discrepancies.]
  • Maintain Mapping for Actions and Connector Groups: ensure a connector group is in place for action 0004 (Provisioning).
  • Once the Role Info File is maintained with all required attributes, save it in Text (Tab Delimited) format.
  • We now have two files that can be used for role import: the Role Authorization text file and the Role Info text (tab delimited) file.

Role Import in NWBC


  • Log on to the GRC frontend application (either via the Portal or NWBC).
  • Go to the “Access Management” work centre.
  • Click the ‘Role Import’ option under ‘Role Mass Maintenance’. You will get the screen shown below.
  • In this document, we discuss the role import feature with the Import Source set to “File on Desktop” for both the Role Attribute Source and the Role Authorization Source.
  • Role Attribute Source [Note: the Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and only want to use the roles for provisioning purposes.]
  • Make sure that all single roles associated with the composite roles are already imported into the GRC box before you try to import the composite roles.
  • Make sure that all derived or imparting roles associated with the master or parent roles are already imported into the GRC box before you try to import the master/parent roles.
  • Also make sure that the Authorization Sync job has already run and finished successfully for the connector against which you are importing the single/composite roles. Otherwise you get the error message “Composite Roles relation attribute and Authorization do not match.”
  • The import template for composite roles looks like the one shown below.

Composite Role           Associated single roles
YP1_XXXXXXXXXX_XXX       YJ_XXXXXXXX_XXXXXXXX
                         YJ1_XXXXXX_XXXXXX
                         YJ2_XXXXXXXXX_XXXXXXX
YP2_XXXXXXXXX_XXXXX      YJ3_XXXXXXX_XXXXXXXX
                         YJ4_XXXXXXX_XXXXXXX
                         YJ5_XXXXXXXXXXX_XXXXX
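As an added example (not part of the original document and not SAP's own tooling), the following Python script applies the prerequisites above to a constructed Role Info file: production status, both provisioning flags set to Y, and the rule that a composite's single roles and a derived role's master must already be in GRC before the composite or derived role is imported. The column names, the role-type codes SIN/DER/COM and the ';' separator are assumptions, not the real Role Info File layout.

```python
"""Pre-import checks for a GRC 10 Role Info file (added example, not SAP code).
The tab-delimited column names and role-type codes below are assumptions."""
import csv
import io

# Constructed sample in the assumed layout: RELATED_ROLES holds a composite's
# single roles separated by ';', or the master role of a derived role.
ROLE_INFO_TXT = (
    "ROLE_NAME\tROLE_TYPE\tSTATUS\tPROV_ALLOWED\tAUTO_PROV\tRELATED_ROLES\n"
    "YJ_SALES_DISPLAY\tSIN\tPRD\tY\tY\t\n"
    "YJ2_SALES_AUDIT\tSIN\tDEV\tY\tN\t\n"
    "YP1_SALES_COMP\tCOM\tPRD\tY\tY\tYJ_SALES_DISPLAY;YJ1_SALES_MAINT\n"
    "YJ_SALES_DER_1000\tDER\tPRD\tY\tY\tYJ_SALES_MASTER\n"
)
PRODUCTION_STATUSES = {"PRD", "PRO"}        # which one applies depends on the GRC SP
IMPORT_ORDER = {"SIN": 0, "DER": 1, "COM": 2}  # singles, then derived, then composites

def parse_role_info(text):
    """Read the tab-delimited file into one dict per role row."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def check_roles(rows, already_in_grc=frozenset()):
    """Return {role_name: [findings]}; an empty list means the row is ready."""
    report = {}
    for r in rows:
        findings = []
        if r["STATUS"] not in PRODUCTION_STATUSES:
            findings.append(f"status {r['STATUS']} is not a production status; "
                            "role will not be selectable in access requests")
        for flag in ("PROV_ALLOWED", "AUTO_PROV"):
            if r[flag] != "Y":
                findings.append(f"{flag} must be Y for provisioning")
        related = [x for x in r["RELATED_ROLES"].split(";") if x]
        missing = sorted(set(related) - set(already_in_grc))
        if r["ROLE_TYPE"] == "COM" and missing:
            findings.append("single roles not yet imported: " + ", ".join(missing))
        if r["ROLE_TYPE"] == "DER" and missing:
            findings.append("master role not yet imported: " + ", ".join(missing))
        report[r["ROLE_NAME"]] = findings
    return report

def import_batches(rows):
    """Role names in the order the prerequisites require: singles, derived, composites."""
    ordered = sorted(rows, key=lambda r: IMPORT_ORDER[r["ROLE_TYPE"]])
    return [r["ROLE_NAME"] for r in ordered]

if __name__ == "__main__":
    rows = parse_role_info(ROLE_INFO_TXT)
    for role, findings in check_roles(rows, {"YJ_SALES_DISPLAY"}).items():
        print(role, "OK" if not findings else findings)
    print("import order:", import_batches(rows))
```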

  • Provide the application type, landscape name, role name and other role details as per your requirement, as in the screenshot below, and click the Next button.

Definition Criteria

  • Application Type: Select SAP. If you are creating a Business Role, select Business Role.
  • Landscape: Select the connector group name; in the case of a Business Role, select ‘Role Management Business Groups’.
  • Overwrite Existing Roles: If set to ‘Yes’, this option overwrites roles that already exist in the system. If you do not want to overwrite the roles, set it to ‘No’.

Role Selection Criteria:

  • Source System: The connector from which the roles will be fetched.
  • Role Updated After: Specify a date after which the role was updated.
  • All Roles except SAP Predefined Roles: Tick the checkbox if you want to import all roles into BRM except the SAP predefined roles.
  • Role From and Role To: Specify the range of role names to be fetched.
  • Methodology Status: This is important because it decides whether the role is imported as ‘Complete’ or ‘Initial’. The role methodology is the process followed for role creation and maintenance.

  • In the screen below, select the Role Info file and the Role Authorization file saved earlier on the desktop, as shown, and click the Next button.

  • After clicking Next, you get the screen below, where you can click the “Preview all roles” button to check that the roles are shown before scheduling the role import job. If the roles are displayed and everything is fine, click Next.

  • After clicking Next, you get the screen below, from which you can execute the role import job either in the background or in the foreground, depending on the volume of roles being imported.

  • Once the roles are imported you get a screen as shown below, which shows how many roles were imported and how many were not.

GRC Role Management Scenarios in BRM and PFCG

  • In NWBC you have the Role Maintenance > Role Import link. Via this link you can bring in roles existing in the GRC plug-in systems (for instance ECC, BW and CRM) and synchronize them into the GRC repository tables.

In GRC10, we have these possible scenarios:

  • R/3 roles that are only synced by the role sync job and never imported into BRM. We call them backend roles. In this case the role exists only in table GRACRLCONN. It can be deleted directly from PFCG, as the role sync will run, capture the deletion and remove the role from the GRACRLCONN table.

  • R/3 roles that are synced by the role sync job and are IMPORTED into the BRM tool via the “Role Import” link in NWBC. In this case the role exists in BRM; we call it a BRM role. The role exists in both tables GRACROLE and GRACRLCONN, and it should only be deleted from BRM. When it is deleted from BRM, it is removed from BRM and a background job automatically starts to remove the role from PFCG, from the GRACROLE and GRACRLCONN tables, and from all other related tables, like GRACROLEAPPRVR (for approvers).

  • If you delete a BRM role from PFCG directly, you break the whole chain and introduce inconsistencies into the application.
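As an added example (not part of the original document or of SAP's code), the following Python function classifies role names into the three scenarios just described and flags the inconsistent case: a role present in GRACROLE (a BRM role) that is no longer in PFCG. The role names and the three sets are constructed; in a real system they would come from PFCG, GRACRLCONN and GRACROLE.

```python
"""Classify roles into the GRC 10 scenarios above (added example, not SAP code).
The three input sets are constructed stand-ins for PFCG, GRACRLCONN and GRACROLE."""

# Constructed sample data; role names are placeholders.
PFCG_ROLES = {"Z_FI_DISPLAY", "Z_MM_BUYER", "Z_HR_ADMIN"}                     # backend PFCG
GRACRLCONN_ROLES = {"Z_FI_DISPLAY", "Z_MM_BUYER", "Z_HR_ADMIN", "Z_SD_OLD"}   # after role sync
GRACROLE_ROLES = {"Z_MM_BUYER", "Z_SD_OLD"}                                    # imported into BRM

def classify_roles(pfcg, rlconn, grole):
    """Map every role name known anywhere to one of the page's scenarios."""
    result = {}
    for role in pfcg | rlconn | grole:
        in_brm = role in grole
        if in_brm and role not in pfcg:
            # Scenario 3: a BRM role that vanished from PFCG, i.e. the chain is broken.
            result[role] = "INCONSISTENT: BRM role (GRACROLE) no longer exists in PFCG"
        elif in_brm:
            # Scenario 2: delete only from BRM; the background job cleans up PFCG and GRAC* tables.
            result[role] = "BRM role: delete only from BRM"
        elif role in rlconn and role in pfcg:
            # Scenario 1: synced but never imported; PFCG deletion is picked up by role sync.
            result[role] = "backend role: may be deleted in PFCG, role sync removes GRACRLCONN row"
        elif role in pfcg:
            result[role] = "not yet synced: run the role sync job"
        else:
            result[role] = "stale GRACRLCONN row: next role sync should remove it"
    return result

if __name__ == "__main__":
    for role, verdict in sorted(classify_roles(PFCG_ROLES, GRACRLCONN_ROLES, GRACROLE_ROLES).items()):
        print(role, "->", verdict)
```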


If you have run into other issues during role import, please share the details so that this document can be improved for people searching for help on this topic.


Common Issues during Role Import


  • Role import doesn’t show all roles during “Preview Roles”. Implement the note below in that scenario.

1897975 – Role import does not show roles in the preview

Also check the SCN discussion on the same topic: Role Import doesn’t select all roles from source system.

1576321 – Import derived role without master role

1570971 – Composite roles cannot be imported without single roles


29 Comments


  1. Gretchen Lindquist

    Madhu,

    Very nice document. Just one observation: in our SP12 system we had to reconfigure to change PRD to PRO , then reimport to change the corresponding attribute for all the production roles in order to get roles to come into the request when using Copy Request functionality. It was quite a bit of work to do in all three tiers but that was the solution offered by AGS.

    Another tip concerning role imports: if it errors on any role, sometimes you will get an explanation as to the cause of the error, and other times there is no explanation at all and you just have figure out what you did wrong.

    Regards,

    Gretchen

  2. Colleen Hebbert

    Hi Madhu

    Nice piece going through a topic that’s had quite a few questions in SCN recently 🙂

    Possibly you could add:

    • Expand role import sequence (e.g. composite must have single roles first) to include derived roles must have imparting too
    • Define Criteria – add a bit of an explanation for the role methodology (what the impact to BRM workflow if you choose Complete, etc)
    • Integration Framework in place as a pre-req (I realise it’s obvious but business role didn’t appear in a drop down originally as it had to be configured)

    Tiny critique (sorry but it’s the pedantic in me)… try using a solid square to block out sensitive information instead of the red squiggles (if using MS Paint for your screenshots it’s easier to do)

    Regards

    Colleen

  3. Madhu Babu Sai Post author

    Hi Gretchen and Colleen,

    Thank you so much for your valuable inputs and suggestions. I have included the topics highlighted by you in the same document.

    Regards,

    Madhu.

      1. ashish desai

        Hi Madhu/Colleen:

        I am NOT using BRM to manage roles in my system. Do I still have to import both files, the Role Authorization text file and the Role Info text tab delimited file? I believe importing the Role Info file is enough. Your input is very valuable. Please advise.

        Regards

        Ashish

        1. Madhu Babu Sai Post author

          Hi Ashish,

          If you don’t want to maintain your roles in BRM, no need to have Role authorization text file and you can skip it. Actually we are also not using BRM 🙂

          Regards,

          Madhu.

          1. ashish desai

            Thanks a BUNCH! Made my life a little easier. Assigning Business processes; subprocesses and approvers to each role is also a big task.

            Once again I appreciate your quick reply,

                  1. ashish desai

                    Yes Colleen. They are mandatory while creating a role in BRM – BUT, I am not using BRM at the moment. I am using PFCG to maintain roles in the backend. But, for AC to identify the roles in the target system, I need to upload them in ERM. (Of course you knew that)

                    Regards

                    Ashish

                    1. Colleen Hebbert

                      The problem is that you are still storing them in the BRM repository, so SAP is going to make it mandatory. The upload would not know if you use BRM or not.

                      As great as integration is, this is an example of the downside.

  4. ashish desai

    Some generic comments: Some roles are NOT maintained as ACTIVE roles in ERM (GRC 5.3), and I just wanted to upload only the currently active ECC roles from ERM to the GRC 10 ECC landscape (BRM).

    Interesting facts (advantages):

    1. Roles – deleted in back-end systems and are active in 5.3 but NOT removed from 5.3 – cannot be uploaded to BRM (GRC10) if not found in back-end system

    2. All the Parent roles which are NOT maintained in 5.3 as active roles, MUST be imported to BRM as they might have some child roles, that are ACTIVE. IF you need to upload child role – the PARENT must be uploaded FIRST.

    3. Make sure you make 3 separate files when you upload the roles. a. Parent roles – NOT to be assigned to anyone (as per most companies’ policy) – so provisioning should NOT be allowed. b. Single roles (which are not derived and not parent) – provisioning must be allowed. c. Derived roles – provisioning must be allowed and the master role must be mentioned. YOU NEED ONE MORE FILE IF YOU ARE USING COMPOSITE ROLES.

    Once again, good job Madhu.

    Regards

    Ashish

  5. Sam Szafranski

    Hi,

    When ARA runs a risk analysis, does it ALWAYS communicate with the back-end systems to fetch the role contents ?

    Meaning .. although you might have decided to go through with the import of the “Role authorization file”, would the risk engine ignore the fact that the role content is sitting inside GRC .

    My logic is .. not having to communicate with the back-end system would mean a serious time-saver for the risk engine to produce audit results;

    thanks for the replies,

    1. ashish desai

      Hello Sam:

      The users are not in the GRC system even if you have the roles with authorizations in the GRC system. So, whether the risk analysis is user-based or role-based, it checks for the connector and runs against it. If you have the roles in the GRC system, you can use the GRC connector and execute the risk analysis. You are right, it would save time for AUDIT reports, but we would rather have a correct report than a fast report.

      Hope this helps.

      Regards

      Ashish

  6. Plaban Sahoo

    Hi Madhu,

    I am not using BRM. So, I have not uploaded the role auth. file. I am only using provisioning, so I have uploaded the composite and single roles. But when I open the composite role, the ‘Roles’ tab does not show its single roles. How do I show the single roles?

    Regards

    plaban

  7. Surya Appala

    Nice document. But I have a question.

    If any modification is done in a composite role, like adding/removing single roles, then we must re-import the single/composite role into the GRC system to be in sync with the backend system. Do we have any program that can be run in the background every week so that it automatically gets re-imported without manually re-importing it? Thanks.

    Regards,

    Surya

  8. Venkata Ramalinga raju Gottumukkala

    I have an issue while doing role import; can anyone help me out? We have implemented ARM and BRM is not implemented. I’m trying to do a role import using an Excel file for ARM roles, and while doing so I’m getting the error “Correctly define the logical connection in CCITS”. Does anyone have an idea?

