The challenges of GRC 10 Access Control “ownership”
I have sat on both sides of the table: I have been the consultant working with clients to implement SAP GRC Access Control components, and I have been a customer member of the project teams. In today’s tight budgetary climate, exploitation projects are sometimes the best way to get project funding: configuring and implementing some additional component of a solution already bought, installed, and licenses paid. Thus, on the one hand, such exploitation projects can be huge wins: the customer gets more value from a solution already live, for better ROI. So what’s not to like?
Here is the part that can be overlooked in those rosy, halcyon early days post go-live of the additional component. Chances are good that your project scope went to go-live, with the consultancy providing some limited time of “hypercare.” Hurrah, it works! They are using it! The process works as designed and documented. The project sponsors are happy. Bye bye, good luck, it’s been great, let us know when you are ready for the next step in the roadmap. And on down the road they go to their next engagement.
Now you have to support this thing, possibly with just a few tweaks to your previous support processes, but other times the new solution requires processes that are brand new, with new risks and opportunities.
That’s no biggie, there are bound to be lots of blogs, wikis, and presentations online covering leading practices for production support for all of the Access Control components. Mmm, noooo, not really. SCN has a treasure trove of resources for going from installation to the go-live, like those listed in this compendium,
and discussions with tips for dealing with all kinds of issues and the “undocumented features” of some support packs, but production support? Welcome to “ownership:” you are on your own.
To be honest, it is not so surprising; the majority of the people who post on SCN do not work in production support, maybe never have, or are only called in when something is broken. Yes, there are some SAP customers who post here, but we seem to be rather in the minority. And who among the customers is going to boldly proclaim that they can advise on leading practices? Perhaps some of us just need a bit of encouragement.
Presentations at TechEd? If only; something process oriented would be considered “not technical enough.” The SAPInsider GRC Conference? No, not there either. The SAP user groups? On ASUG.com I found some great presentations on new features and roadmaps, use cases and implementation case studies, and one excellent presentation on administering your GRC system, but even that one was focused on best practices for dealing with problems. It seems that production support processes are not glamorous or exciting enough for presentations.
I plan to post a few specific questions but this is my ask to followers of this space: anyone who has any great ideas for production support processes for the GRC Access Control components- the field is wide open! You are cordially invited to step right up and share your experiences, especially those who have been doing it for years. Once we get this new process sorted out, I will publish a post, but don’t wait for me. You don’t have to claim that you have all the answers, or that your processes are one size fits all. Just sharing what works for you might help the next poor sod who implements that component and then says to herself. OK, now what?