Dear all,

the motivation to write this document comes because I have been asked several times by users on SCN and by Email to provide best-practice approach with synchronisation jobs. In every GRC implementation project synchronisation jobs need to be scheduled to ensure that the necessary data from the backend systems are present in the GRC system. In this document I would like to share my experience in setting up the ordering and the frequency of synchronisation jobs required for SAP Access Control.

Please note that the frequency can vary in your projects based on the requirements you have. From my experience the following listing is a good approach to start with.

Job Description Program Full / Incremental Frequency System / Connectors
Authorization Data This job synchronizes the PFCG master data (SU24 values) from the backend system. GRAC_PFCG_AUTHORIZATION_SYNC n/a Weekly Development and productive systems
Repository Objects This job synchronizes users, roles and profile data to the repository in Access Control. GRAC_REPOSITORY_OBJECT_SYNC Full Weekly All connected systems
Repository Objects This job synchronizes users, roles and profile data to the repository in Access Control. GRAC_REPOSITORY_OBJECT_SYNC Incremental Hourly All connected systems
Transaction Usage This job retrieves the executed transactions and usage date from the backend system. GRAC_ACTION_USAGE_SYNC n/a Daily Productive systems
Role Usage This job retrieves the role usage information from the backend system. GRAC_ROLE_USAGE_SYNC n/a Daily Productive systems
Batch Risk Analysis This job updates the management reports used in NWBC. GRAC_BATCH_RISK_ANALYSIS Full Monthly Depending on rule set definition
Batch Risk Analysis This job updates the management reports used in NWBC. GRAC_BATCH_RISK_ANALYSIS Incremental Daily Depending on rule set definition
EAM Master Data This job synchronizes the master data on the backend system to the Access Control repository. GRAC_SPM_SYNC n/a Hourly All systems where FF is defined
EAM Logs This job synchronizes the logs of firefighting activities from the backend system and store in Access Control repository. GRAC_SPM_LOG_SYNC_UPDATE n/a Hourly All systems where FF is utilized
Email Reminders This job is used to send email reminders to an approver for pending access requests. GRFNMW_BATCH_EMAIL_REMINDER n/a Daily For MSMP processes in use

I recommend to run the jobs in the order as listed above. The repository object synchronisation job can also be run dedicated for users, roles and profiles. If run dedicately, also run in sequence as follows: users, roles and profiles.

In order to enable User Access Review (UAR) the following four jobs need to be run in its order:

  1. Role synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_ROLE_SYNC).
  2. User synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_USER_SYNC).
  3. Action Usage synchronisation (program GRAC_ACTION_USAGE_SYNC).
  4. Role Usage synchronisation (program GRAC_ROLE_USAGE_SYNC).

Please find detailed information regarding the repository jobs (authorization data, repository objects, transaction and role usage) on SAP Wiki: The Repository – GRC Access Control 10.0 – Governance, Risk and Compliance – SCN Wiki

Looking forward to your valuable feedback and your experience you have made in your projects. Other approaches can be implemented in this document.

Best regards,

Alessandro

To report this post you need to login first.

7 Comments

You must be Logged on to comment or reply to a post.

      1. Rakesh Ram

        Hello Banzer,

        Another great document from you.

        Thanks a lot….keep posting….Missing these stuff since many days.

        Regards,

        Deepak M

        (0) 
  1. Priyanka Mathur

    Hi Alessandro,

    It’s simple yet critical.

    I think every time I schedule these for different projects  I go back to SPRO to check the order or check my previous work to ascertain the right frequency.

    We act so lazy sometimes.. thanks again for putting this together.

    Thanks.

    Priyanka

    (0) 
    1. Alessandro Banzer Post author

      Dear Shreeni,

       

      I don’t know a SNOTE that is giving recommendations about the frequency. However, there are some blogs and wikis from SAP guys giving suggestions. My listing above is the result of multiple implementations (small to huge). Based on your requirements it might slightly change.

       

      Regards,

      Alessandro

      (0) 

Leave a Reply