In line with my other documents ARA – For the new kid on the block, EAM – For the new kid on the block and ARM – For the new kid on the block, this is the final installment covering the four components that make up GRC Access Control. The objective of this post is to give people who are new to this neck of the woods (Access Control) an overview of my understanding of what BRM is all about and how it works.
As usual, feel free to skip it if you are well versed in this topic. If you do stick around, please feel free to enlighten me with your expertise if I have made any mistakes, or if you would like to correct or add anything on this topic.
|Business Role Management (BRM)|
This is the GRC equivalent of building a role with PFCG in the R/3 backend. BRM is a web-based application that automates the creation and management of roles. Unlike role building in the backend system, BRM enforces a defined methodology (naming conventions, mandatory approval steps, documentation and testing) so that role development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and a painless knowledge transfer.
BRM provides Role Owners and Security Administrators with the means to create and maintain role definitions and to identify potential audit and segregation of duties (SoD) issues before a role goes live. It also lets them document important role information (owner, business process, approvers, description) that is of great value for ongoing role management.
One key element of role design in BRM is the identification and mitigation of risks at an early stage, before the role is even generated in the backend. Risk analysis can be run against a single role, a composite role, a derived role or a role template. This is done with the help of ARA, which quantifies the risks associated with a role and points to possible remediation (removing the conflicting authorizations) or assigning a mitigating control where the conflict has to stay.
The Business Role concept is new in BRM compared with its predecessor ERM (5.3). Business roles are system independent, which means you can bundle a technical role from one system together with another from a different system. They are a bit like composite roles, but with the difference that they are not restricted to a single system. Although a business role gets assigned to an end user, the business role itself exists only in GRC and is never reflected in the backend system. All the user is actually provisioned with is the group of technical roles that are associated with the business role, each in its own backend.
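To make the two ideas above concrete (risk analysis before a role is provisioned, and a business role that fans out into technical roles on several backends), here is a small model of them in Python. This is an added example, not code from the original post and not SAP's own GRC logic; the role names, systems, actions and SoD rule set in it are all constructed for illustration.

```python
"""Toy model of BRM business roles and design-time risk analysis.

Added example; not SAP code. Everything below (role names, connector names,
actions and SoD rules) is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TechnicalRole:
    """A backend (PFCG-style) role: it lives in exactly one system."""
    name: str
    system: str            # hypothetical connector name, e.g. "ECC_PRD"
    actions: frozenset     # what the role lets a user do


@dataclass
class BusinessRole:
    """A GRC-only container; may hold technical roles from several systems."""
    name: str
    technical_roles: list


# Constructed SoD rule set: holding both actions of a pair is a risk.
SOD_RULES = {
    "P001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "P002": ("CREATE_USER", "ASSIGN_ROLE"),
}


def risks_in(actions):
    """Return the ids of SoD rules violated by one set of actions."""
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in actions and b in actions)


def is_valid_composite(technical_roles):
    """A composite role may only bundle roles from a single system."""
    return len({tr.system for tr in technical_roles}) <= 1


def analyse_business_role(br):
    """Design-time risk analysis.

    Reports conflicts contained inside a single technical role under that
    role's name, and conflicts that only appear when the roles are combined
    under the business role's name (as ARA would before provisioning)."""
    report = {}
    for tr in br.technical_roles:
        hits = risks_in(tr.actions)
        if hits:
            report[tr.name] = hits
    already = {r for hits in report.values() for r in hits}
    combined = frozenset().union(*(tr.actions for tr in br.technical_roles))
    cross = [r for r in risks_in(combined) if r not in already]
    if cross:
        report[br.name] = cross
    return report


def provision(br):
    """What each backend actually receives: only technical roles, grouped by
    system. The business role name itself never reaches a backend."""
    per_system = {}
    for tr in br.technical_roles:
        per_system.setdefault(tr.system, []).append(tr.name)
    return {system: sorted(names) for system, names in per_system.items()}


# Constructed sample roles (names and connectors are hypothetical).
Z_AP_CLERK = TechnicalRole("Z_AP_CLERK", "ECC_PRD",
                           frozenset({"CREATE_VENDOR", "DISPLAY_VENDOR"}))
Z_AP_PAYMENT = TechnicalRole("Z_AP_PAYMENT", "ECC_PRD", frozenset({"PAY_VENDOR"}))
Z_PORTAL_USER = TechnicalRole("Z_PORTAL_USER", "PORTAL", frozenset({"DISPLAY_DASHBOARD"}))
Z_BASIS_ADMIN = TechnicalRole("Z_BASIS_ADMIN", "ECC_PRD",
                              frozenset({"CREATE_USER", "ASSIGN_ROLE"}))

# Clean on its own, but P001 appears once the two AP roles are combined.
BR_AP_CLERK = BusinessRole("BR_AP_CLERK", [Z_AP_CLERK, Z_AP_PAYMENT, Z_PORTAL_USER])
# Conflict already inside the single technical role.
BR_BASIS = BusinessRole("BR_BASIS", [Z_BASIS_ADMIN])

if __name__ == "__main__":
    for br in (BR_AP_CLERK, BR_BASIS):
        print(br.name, "risks:", analyse_business_role(br))
        print(br.name, "provisions:", provision(br))
        print(br.name, "could be a composite role:",
              is_valid_composite(br.technical_roles))
```

Two things the output makes visible: BR_AP_CLERK spans ECC_PRD and PORTAL, so it could never be a composite role, and its P001 conflict is only found when the combined actions are analysed, which is exactly why the risk check belongs at design time rather than after the technical roles are already in the backend.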
This pretty much is the gist of BRM and should be enough to get you started. For a more comprehensive understanding, the configuration steps and other bits and pieces on this topic, please check out the links in the following document put together by Alessandro, which covers everything in detail; look under Business Role Management (BRM).