Enabling Business Role updates to existing assigned users
Summary
With the availability of defining Business roles within GRC AC 10.0, provisioning initial access to users across multiple landscapes with a single combined role is possible.
However, there have been questions raised by many in regards to how you update/synchronise actual technical role assignments embedded within the Business Role assigned to users via GRC.
For example; If a new R/3 role has been added to the Business role definition, how do you update the assignment to the 55 users already assigned to the Business role? It is impractical to raise a new change request via Access Request Management for all the assigned users for the same role again, as it would create unnecessary requests (and maybe agitate the approvers involved).
Thankfully, within GRC 10.0/1, it is possible to synchronise the technical role assignments via the Role Maintenance screen in NWBC, but it requires a few tweaks within the GRC system.
Part 1 Enable the hidden Methodology step “Provisioning”
Note – These steps needs to be done on both 10.0 and 10.1, as the SAP BC-set delivered Default Methodology is missing the required Step definition.
1. Go to SPRO and open the following node menu: Governance, Risk and Compliance > Access Control > Role Management > Define Methodology Processes and Steps
2. Click “Define Steps” and then “New Entries” – By default, the BC set delivered methodology steps is missing “Provisioning” from the defined list.
3. Select the action “Provisioning” and enter is as “Active” and enter the Phase text details “Provisioning”
4. Save any transport prompt
5. Under “Define Methodology”, select the methodology to update and then click “Methodology Process Step”
6. Ensure the final step “Provisioning” is added to the methodology
7. The new methodology step should be visible now within the “Role Maintenance” functionality of BRM (on NWBC side)
The button will be enabled when:
• The Business role has already been provisioned at least once
• The Business role has changed and technical roles have been added or removed
The button will be disabled when:
• The Business role has not been provisioned via request yet
• The Business role has already been provisioned at least once, but there are no users currently assigned (the Business role has been later removed from the users)
Part 2 Updating Cluster class
A runtime error has been observed within GRC AC 10.0 (not 10.1, as it seems the cluster class has been delivered correctly) when clicking the “Update Assignment” button. The error appears as follows: Parameter has invalid value: Parameter SYST_DATE/SYST_TIME has invalid value 00000000/000000.
The cause of the issue is that the correct configuration is missing in the view cluster: GRFNVC_PLUSG for the provisioning background job.
To fix this, implement the steps provided in SAP note 1837416 (described below)
1. Go to transaction code SE54
2. Click on the button “Edit view Cluster”, followed by “Test”
3. Enter the Table/view “GRFNVC_PLUSG” and click “Test”
4. Select the Node “Plan Activity for Access Management” under the Dialogue structure
5. Select Plan Usage GRAC_BRLP and double click on it.
6. Enter the correct ABAP class as “CL_GRAC_ERM_BROLE_BG”. (This value may have been set up/delivered incorrectly before, hence the error).
NOTE: If the entry “GRAC_BRLP” does not exist, you can create it as per SAP note 1837416
- Click on New Entries
- Enter the following fields and save:
Plan Usage: GRAC_BRLP
Activity Name: Access Control Business Role Provisioning Background Job
App-component: GRC-AC.
ABAP class: CL_GRAC_ERM_BROLE_BG (note SAP note 1837416 mentions CL_GRAC_BROLE_BG, but this does not work)
With this fix, you should now be able to successfully maintain and provision Business role updates to all users via the Role Maintenance screen.
SAP Notes in relation to this topic
1) http://service.sap.com/sap/support/notes/2130921
Business Role Methodology contains multiple steps including “Provisioning” and under “Provisioning” steps there is “Update Assignment” button. When customer clicks on “Update Assignment” button, notification is triggering to all the end users whom this business role is assigned and notifying the access changing. But there is no way to control this notification.
The SAP note provides correction instructions that introduces a new configuration parameter ID to control if emails are sent out to users during the “provisioning update” scenario (param ID 3029 – Send Notification to End User on Update Assignment)
2) http://service.sap.com/sap/support/notes/2095630
It seems there is a program issue in 10.1 whereby the updates are not working correctly when a new derived role is added or a existing role is removed from the business role definition. Seems to state the note is part of SP08 for 10.1. No clear indication of if this behavior is reported or fixed for 10.0.
3) http://service.sap.com/sap/support/notes/2116829
I presume that the fact there is no “Mass assignment” feature available for Business Roles from BRM means that there is no “Mass Update Assignment” feature available at all either (i.e. running a “Provision update assignment” job for many business roles in a single attempt. SAP suggest utilising the “Multiple User Request” option to control mass assignments of business roles.
Hi Harinam,
Great way to summarize the ideas.
Saw some discussions over the update on Business role with the issues on link "update assignment" is invisible, even I was not sure of what was missing out there, but by reading this blog, now I know what needs to be done. Must say.. Good Job 🙂
Cheers,
Ameet
The fact that an end-to-end explanation was not out there prompted me to gather my consolidated notes and make this blog entry. Hope it helps the users of Business Roles within the SCN community.
Hello Harinam,
Thanks a lot for this post....went through the discussions in the forum but this summarized all. Also, its more like a spoon feeding....The step by step document really helped me to understand why the update assignment and provisioning is missing....
Thanks a lot once again.
Regards,
Deepak M
Hi Harinam,
Very helpful document 🙂 Thanks a lot 🙂
Regards,
Madhu.
Hi all.
Thanks for this helpful documentation.
I have another questions regarding Business Roles and user relationship.
Lets imagine:
Questions are:
I have these question due i have assigned singles roles to users and i would like the requestors would be able to create requests to remove only Business Roles. However as the initial roles load was done diretly into R/3, GRC does not contain the relationship between user-business role.
Any solution?
Kind regards and thank you,
Hi Sara,
business roles are logical roles that are only known by the Access Control application. The backend systems (R/3, BW, etc.) don't know this particular construct. Hence if you assign the two single roles directly via SU01 the system doesn't know that this is similar than a business role. Also GRC doesn't know that mapping as it might be also possible to assign technical roles (e.g. single or composite roles) directly to a user.
Please also see parameter 4011 (Allow deletion of technical roles if part of business role) as this parameter can restrict you from removing technical roles when they are part of the business role.
Hope this helps.
Regards,
Alessandro
Hi Hariman,
great document - thanks a lot for sharing.
I have already set up the system as shown in your document. When updating the assignments an email is created and sent to all users that have the business role assigned saying that their assignments have been changed.
Do you know how this notification can be customized and even removed (as we don't want to have email notification to end users in this particular case). We are on 10.1 SP6.
Looking forward to your valuable feedback.
Thanks a lot.
Regards,
Alessandro
Hi Alessandro,
Thank you for the appreciation.
I will be honest and say I was not aware that in 10.1 a email get's sent out automatically after the background job has been performed to "update assignments" in the Users profiles with the newly added roles.
I have implemented this at a customer on 10.0, but not seen any emails sent out to users (SP 14). I am wondering if this behaviour is support pack specific or 10.1 specific. If I do find out, I will provide an update on this page. I have set this up on a 10.1 sandbox system, but it was on SP04.
In addition, one thing that bugs me is the fact that there is no "Mass update assignments" capability, i.e. imagine you updated over a 100 business roles and imported the updated definition into BRM via the import sheets. With the current functionality available, I would have to open up each individual Business role in "Role Management" and go to the "Provisioning" phase of the role and set up the "Update Assignment" job individually.
I believe, to make this tool much more efficient, a "mass update assignment" program/functionality should be provided. Having said that, it would also be good to switch off the emails you refer to if such a program exists! 🙂
Dear both,
I have submitted the mass update functionality in the idea place. Would be great to get your vote for it:
Mass Update Business Role Assignments : View Idea
Thanks and regards,
Alessandro
Hi Alessandro,
The notification template for the mails you mention is under "GRAC_BRM_PROV_UPDATE_NOTIFY"
I have not yet found a way to stop these mails myself 🙁 . Would post a reply if I get to stop it.
Thanks
Sammukh
Hi Sammukh,
I presume the notification is sent out directly via the execution of the program, like how the PSS emails are sent out to users once their passwords have been reset.
I am wondering if with some good ABAP skills maybe the program could be altered to stop sending out emails, or if there is a neat way to apply a filter in SOST so emails created by this program are not delivered.
I guess the change of ABAP/program code is not really a SAP supported idea.
Hi Hari,
Yes I guess so too. There are other notifications like, alerts etc which are also program tied and not configurable to be turned off / sent to a different recipient. So this seems to be another of that sorts.
Thanks
Sammukh
Dear both,
thanks a lot for your answer. I'll probably open an OSS message and ask SAP for help.
Please let me know if you have any idea 🙂 I will also keep you updated.
Thanks and regards,
Alessandro
Dear all,
SAP has released a new note to restrict the notification to the end user with parameter setting.
Please see note: http://service.sap.com/sap/support/notes/2130921
@Hari; would be great to include in your blog.
Best regards,
Alessandro
I have found a few interesting SAP OSS notes in relation to "Update Assignments" feature discussed in the article.
http://service.sap.com/sap/support/notes/2095630 - It seems there is a program issue in 10.1 whereby the updates are not working correctly when a new derived role is added or a existing role is removed from the business role definition. Seems to state the note is part of SP08 for 10.1. No clear indication of if this behavior is reported or fixed for 10.0.
http://service.sap.com/sap/support/notes/2116829 - I presume that the fact there is no "Mass assignment" feature available for Business Roles from BRM means that there is no "Mass Update Assignment" feature available at all either.