SAP Access Control – Synchronisation Jobs Ordering and Frequency
The motivation for writing this document is that I have been asked several times by users on SCN and by email to provide a best-practice approach for synchronisation jobs. In every GRC implementation project, synchronisation jobs need to be scheduled to ensure that the necessary data from the backend systems is present in the GRC system. In this document I would like to share my experience in setting up the ordering and frequency of the synchronisation jobs required for SAP Access Control.
Please note that the frequency can vary in your projects based on the requirements you have. From my experience the following listing is a good approach to start with.
| Job | Description | Program | Full / Incremental | Frequency | System / Connectors |
|---|---|---|---|---|---|
| Authorization Data | This job synchronizes the PFCG master data (SU24 values) from the backend system. | GRAC_PFCG_AUTHORIZATION_SYNC | n/a | Weekly | Development and productive systems |
| Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Full | Weekly | All connected systems |
| Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Incremental | Hourly | All connected systems |
| Transaction Usage | This job retrieves the executed transactions and usage date from the backend system. | GRAC_ACTION_USAGE_SYNC | n/a | Daily | Productive systems |
| Role Usage | This job retrieves the role usage information from the backend system. | GRAC_ROLE_USAGE_SYNC | n/a | Daily | Productive systems |
| Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Full | Monthly | Depending on rule set definition |
| Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Incremental | Daily | Depending on rule set definition |
| EAM Master Data | This job synchronizes the master data on the backend system to the Access Control repository. | GRAC_SPM_SYNC | n/a | Hourly | All systems where FF is defined |
| EAM Logs | This job synchronizes the logs of firefighting activities from the backend system and stores them in the Access Control repository. | GRAC_SPM_LOG_SYNC_UPDATE | n/a | Hourly | All systems where FF is utilized |
| Email Reminders | This job is used to send email reminders to an approver for pending access requests. | GRFNMW_BATCH_EMAIL_REMINDER | n/a | Daily | For MSMP processes in use |
I recommend running the jobs in the order listed above. The repository object synchronisation job can also be run separately for users, roles and profiles. If run separately, run them in the following sequence: users, roles and profiles.
In order to enable User Access Review (UAR), the following four jobs need to be run in this order:
- Role synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_ROLE_SYNC).
- User synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_USER_SYNC).
- Action Usage synchronisation (program GRAC_ACTION_USAGE_SYNC).
- Role Usage synchronisation (program GRAC_ROLE_USAGE_SYNC).
Please find detailed information regarding the repository jobs (authorization data, repository objects, transaction and role usage) on SAP Wiki: The Repository – GRC Access Control 10.0 – Governance, Risk and Compliance – SCN Wiki
I look forward to your valuable feedback and to hearing about the experience you have gained in your projects. Other approaches can be incorporated into this document.
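The following is an added example, not part of the original document: a Python check that reads a job history and reports programs whose last successful run is older than the frequency in the table, plus UAR prerequisite jobs that finished out of the required order. The history format, the `SAMPLE` data, the function names and the choice of the incremental interval for programs with two schedules are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Longest acceptable age of the last successful run, from the frequency column
# above (assumption: for full + incremental programs, the incremental interval).
MAX_AGE = {
    "GRAC_PFCG_AUTHORIZATION_SYNC": timedelta(weeks=1),
    "GRAC_REPOSITORY_OBJECT_SYNC": timedelta(hours=1),
    "GRAC_ACTION_USAGE_SYNC": timedelta(days=1),
    "GRAC_ROLE_USAGE_SYNC": timedelta(days=1),
    "GRAC_BATCH_RISK_ANALYSIS": timedelta(days=1),
    "GRAC_SPM_SYNC": timedelta(hours=1),
    "GRAC_SPM_LOG_SYNC_UPDATE": timedelta(hours=1),
    "GRFNMW_BATCH_EMAIL_REMINDER": timedelta(days=1),
}
# Order required for User Access Review, using the individually runnable programs.
UAR_ORDER = ["GRAC_ROLEREP_ROLE_SYNC", "GRAC_ROLEREP_USER_SYNC",
             "GRAC_ACTION_USAGE_SYNC", "GRAC_ROLE_USAGE_SYNC"]
# Constructed history (program, status, finish time); not a real job log export.
SAMPLE = """\
GRAC_ROLEREP_ROLE_SYNC,finished,2024-03-04 01:00
GRAC_ROLEREP_USER_SYNC,finished,2024-03-04 01:20
GRAC_ROLE_USAGE_SYNC,finished,2024-03-04 01:30
GRAC_ACTION_USAGE_SYNC,finished,2024-03-04 01:45
GRAC_SPM_LOG_SYNC_UPDATE,finished,2024-03-04 05:00
GRAC_SPM_LOG_SYNC_UPDATE,canceled,2024-03-04 06:00
GRAC_SPM_SYNC,finished,2024-03-04 06:00
"""

def last_success(history):
    """Map each program to the finish time of its latest successful run."""
    latest = {}
    for program, status, finished in csv.reader(io.StringIO(history)):
        if status == "finished":  # only successful runs count as a sync
            ts = datetime.strptime(finished, "%Y-%m-%d %H:%M")
            latest[program] = max(ts, latest.get(program, ts))
    return latest

def stale_jobs(latest, now):
    """Programs seen in the history whose last success is older than MAX_AGE."""
    return sorted(p for p, ts in latest.items()
                  if p in MAX_AGE and now - ts > MAX_AGE[p])

def uar_order_violations(latest):
    """Adjacent UAR program pairs that are missing or finished out of order."""
    pairs = zip(UAR_ORDER, UAR_ORDER[1:])
    return [(a, b) for a, b in pairs
            if a not in latest or b not in latest or latest[a] >= latest[b]]
```

With the constructed sample and a check time of 06:30, the EAM log sync is reported as stale because its 06:00 run was cancelled, and the usage jobs are flagged because role usage finished before action usage.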
Here comes the other great initiative and good info from Alessandro.
Keep posting. 🙂
Thanks Katrice 🙂 difficult to find time to write documents... the night is too short 🙂
Another great document from you.
Thanks a lot... keep posting... I have been missing this stuff for many days.
It's simple yet critical.
I think every time I schedule these for different projects I go back to SPRO to check the order or check my previous work to ascertain the right frequency.
We act so lazy sometimes.. thanks again for putting this together.
If possible, can you please provide us with a SNOTE with the suggestions?
Thanks in advance
I don't know of a SNOTE that gives recommendations about the frequency. However, there are some blogs and wikis from SAP guys giving suggestions. My listing above is the result of multiple implementations (small to huge). Based on your requirements it might slightly change.
Hi Alessandro, very useful document.
What about GRAC_SPM_WORKFLOW_SYNC, which you did not mention?
For large instances it is better to run GRAC_ACTION_USAGE_SYNC hourly.