SAP IAG – Access Analysis
Access Analysis plays a crucial role in IAG to provide several functionalities to manage the potential occurrence of risks and their proper handling. Ruleset is foundation of all these functionalities of Access Analysis.
In this blog post, I have tried to provide answers to few questions regarding Access Analysis, which can be beneficial to those who are new to this subject.
How to get default standard ruleset?
Scenario 1- IAG Standard Edition
Create a case against the component GRC-IAG-AA to load the ruleset for connected target systems(Cloud, On-Premise systems)
Scenario 2- IAG Integrated Edition (Bridge scenario)
- Rulesets for On-Premise system should be synched from Access Control to IAG by executing Risk Definition Sync Job in IAG
- Case should be created against component GRC-IAG-AA to load the ruleset for cloud systems
Note – The standard rulesets are currently available for APO, BASIS, HR, R3, SRM, S4HANA On-premise, S4HANA Cloud, ARIBA, SuccessFactors, Fieldglass, IBP.
What is Business Function Group?
If you are familiar with the concept of Connector Groups in GRC AC, then Business Function Group will not be a new concept to you. The Business Function Groups are mandatory for setting up the rulesets as every single group represents a specific ruleset. It will be used to structure the various target systems which are connected to SAP Cloud Identity Access Governance and therefore will be used for the creation of functions.
Business Function Group can be either a single logical group representing a collection of same system types or it can be a cross-system group representing a collection of different systems.
How to get Business Function Group in IAG System?
The Business Function Groups are delivered out-of-the box (in combination with the default delivered ruleset), or you can build your own Business Function Groups.
In case of IAG Bridge Scenario, Connector Groups of On-Premise systems from GRC system get synched under Business Function Group by running Risk Definition Sync Job in IAG.
How to create Custom Ruleset in IAG?
You can follow below steps:
- Export the standard ruleset (e.g., SAP_ARIBA_LG) from Rules tile of IAG
- Make changes in the file of rulesets (e.g. add the custom rulesets in addition to the standard)
- Change the file folder name (e.g.-SAP_ARIBA_LG to CUST_ARIBA_LG) and then import that back.
- When you import back, IAG will create one more Business Function Group say CUST_ARIBA_LG, and the custom rulesets will be loaded under this.
- Add System details under new Business Function Group and run Access Analysis job in IAG.
Note –To avoid performance issues, 2 to max 3 functions per risk should be maintained in risk definitions.
How to transport ruleset from one IAG system to another (e.g. non-prod to production)?
There is no transport mechanism available for this. Ruleset needs to be manually exported from one system and imported to another.
I hope that the provided answers regarding Access Analysis will bring clarity and offer valuable guidance for individuals working with Access Analysis Services.
Note : Please share your feedback or thoughts in a comment below.
Nice document and well explained.
Thank you Ramesh.