Is GRC 10.x better than GRC 5.3?
As a foreword I would like to use popular Rolling Stones’ song adopted to the topic of the article.
When I’m customizin’ my GRC
And that support comes in the message
It’s tellin’ me more and more
About some useless information
Supposed to fire my imagination
I can’t get no, oh no, no, no
Hey hey hey, that’s what I say
Here on SCN and on SAP promo materials everybody can read about the powerful tool – BRF+ and very flexible workflow of the new GRC. So, I will not be arguing with those promises, but I would like to share my experience. Now we are reimplementing GRC, we just try to make the same settings in GRC 10 that we have in GRC 5.3. During the reimplementation we have faced with the non-resolving issues and I hope that this article “fire your imagination”.
The first issue
Really we don’t have so many issue, but they stuck our project. The first thing is CUA setting. I don’t know for what purpose SAP made “Maintain CUA Settings” in SPRO. In fact, it doesn’t work. Why have I decided so?
I have CUA with 3 systems (SSDCLNT001 – CUA central system, SSDCLNT200 – CUA managed system, GRDCLNT200 – CUA managed system), it configured in (I call it) Mix mode. Mix means that we use many parameters (such as name, user type, format…) set as global, and the others (such as roles, profiles, user parameters…) set as local.
We were surprised when had known that this configuration is not supported by the new GRC.
Quote from the message
I had discussions with our architect and other technical experts on
this. Currently it is not possible to consider the mixed settings and
hence would request you to maintain them as globally in the SCUM
settings in order to resolve your issue.
Of course, during the correspondence, we tried to use “Maintain CUA Settings”, but I was advised to not use it at all. Even if use global or local settings. Here is the question for experts: what is the purpose of this setting?! More over if I set here CUA-manager system and CUA-managed system and not activate “CUA Global System”, I get the dump: OBJECTS_OBJREF_NOT_ASSIGNED_NO CX_SY_REF_IS_INITIAL CL_WDR_INTERNAL_WINDOW========CP
The second issue
BRF+ is really great thing and MSMP too! But… it is not flexible for logically standard scenario. When we started to implement new GRC I see that systems go as independent items in the request and should be approved as roles. Finally, systems go not just as an attribute of the request (like it was in 5.3), but they have owners. However, to customize simple workflow is not possible:
1st stage – Manager selects systems and roles.
2nd stage – Systems should be approved/rejected by the owners.
3rd stage – Roles should be approved/rejected by the owners, and the roles assigned to the rejected systems should be rejected automatically.
Doesn’t it seem logically simple?
In fact, it’s not possible using the standard tools to realize this scenario. You may say: Use ABAP. But for what we need ‘flexible’ BRF and MSMP then?
I should thank Madhu Babu for his helpful blog http://scn.sap.com/community/grc/blog/2014/03/24/grc-request-with-both-system-and-role-line-items
He does a great work, and I see that he is one the most active contributor on scn! Unfortunately, the above configuration doesn’t resolve the issue. Imagine that you are a role owner, you get a request with, say, 20 roles. You analyse them, wright some comment, in common, waste your time to process the roles. In parallel, some system owner doesn’t think that the user of the request must have the access to the system and reject system assignment. In the result, user will not get the access to the system and the roles (for which you and the other owners have wasted the time!).
I should also thank Marina Volynets, because she tried to help me find out that the issue cannot be resolved with the standard tools.
The third issue
BRF+ in its decision table must have approvers for each item in the request, otherwise we get “No agent found” on the workflow level. There no option in MSMP to send all line items without approvers to the next stage. Previously (in 5.3), all orphaned roles go to the next stage. Yes, it might be a breach in the security area, but why 10.x doesn’t have an option (check box, for example) to pass forward orphaned items?
From my point of view, we get a new GRC that is neither better nor worse than the previous. They are the same with slight differences.
I hope that my article will raise a wave of indignation and experts provide their view on the issues. Maybe someone points me that I’m wrong or points me on the idea place… If someone has issues to add to the article, you are welcome!