The motivation to write this document comes from having been asked several times by users on SCN and by email to provide a best-practice approach for synchronisation jobs. In every GRC implementation project, synchronisation jobs need to be scheduled to ensure that the necessary data from the backend systems are present in the GRC system. In this document I would like to share my experience in setting up the ordering and the frequency of synchronisation jobs required for SAP Access Control.
Please note that the frequency can vary in your projects based on the requirements you have. From my experience the following listing is a good approach to start with.
| Job | Description | Program | Full / Incremental | Frequency | System / Connectors |
|---|---|---|---|---|---|
| Authorization Data | This job synchronizes the PFCG master data (SU24 values) from the backend system. | GRAC_PFCG_AUTHORIZATION_SYNC | n/a | Weekly | Development and productive systems |
| Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Full | Weekly | All connected systems |
| Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Incremental | Hourly | All connected systems |
| Transaction Usage | This job retrieves the executed transactions and usage date from the backend system. | GRAC_ACTION_USAGE_SYNC | n/a | Daily | Productive systems |
| Role Usage | This job retrieves the role usage information from the backend system. | GRAC_ROLE_USAGE_SYNC | n/a | Daily | Productive systems |
| Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Full | Monthly | Depending on rule set definition |
| Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Incremental | Daily | Depending on rule set definition |
| EAM Master Data | This job synchronizes the master data on the backend system to the Access Control repository. | GRAC_SPM_SYNC | n/a | Hourly | All systems where FF is defined |
| EAM Logs | This job synchronizes the logs of firefighting activities from the backend system and stores them in the Access Control repository. | GRAC_SPM_LOG_SYNC_UPDATE | n/a | Hourly | All systems where FF is utilized |
| Email Reminders | This job is used to send email reminders to an approver for pending access requests. | GRFNMW_BATCH_EMAIL_REMINDER | n/a | Daily | For MSMP processes in use |
I recommend running the jobs in the order listed above. The repository object synchronisation job can also be run separately for users, roles and profiles. If run separately, run them in the following sequence: users, roles and profiles.
To enable User Access Review (UAR), the following four jobs need to be run in this order:
- Role synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_ROLE_SYNC).
- User synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_USER_SYNC).
- Action Usage synchronisation (program GRAC_ACTION_USAGE_SYNC).
- Role Usage synchronisation (program GRAC_ROLE_USAGE_SYNC).
Please find detailed information regarding the repository jobs (authorization data, repository objects, transaction and role usage) on SAP Wiki: The Repository – GRC Access Control 10.0 – Governance, Risk and Compliance – SCN Wiki
I look forward to your valuable feedback and to hearing about the experience you have gained in your projects. Other approaches can be incorporated into this document.