Because Business roles can be defined within GRC AC 10.0, it is possible to provision initial access to users across multiple landscapes with a single combined role.
However, many have raised questions about how to update/synchronise the actual technical role assignments embedded within the Business Role assigned to users via GRC.
For example, if a new R/3 role has been added to the Business role definition, how do you update the assignment for the 55 users already assigned to the Business role? It is impractical to raise a new change request via Access Request Management for all the assigned users for the same role again, as it would create unnecessary requests (and maybe agitate the approvers involved).
Thankfully, within GRC 10.0/1, it is possible to synchronise the technical role assignments via the Role Maintenance screen in NWBC, but it requires a few tweaks within the GRC system.
Part 1 Enable the hidden Methodology step “Provisioning”
Note - These steps need to be done on both 10.0 and 10.1, as the Default Methodology delivered by the SAP BC set is missing the required Step definition.
1. Go to SPRO and open the following node menu: Governance, Risk and Compliance > Access Control > Role Management > Define Methodology Processes and Steps
2. Click “Define Steps” and then “New Entries” – By default, the list of methodology steps delivered by the BC set is missing “Provisioning”.
3. Select the action “Provisioning”, set it as “Active” and enter the Phase text details “Provisioning”
4. Save, completing any transport prompt that appears
5. Under “Define Methodology”, select the methodology to update and then click “Methodology Process Step”
6. Ensure the final step “Provisioning” is added to the methodology
7. The new methodology step should be visible now within the “Role Maintenance” functionality of BRM (on NWBC side)
The “Update Assignment” button within this step will be enabled when:
• The Business role has already been provisioned at least once
• The Business role has changed and technical roles have been added or removed
The button will be disabled when:
• The Business role has not been provisioned via request yet
• The Business role has already been provisioned at least once, but there are no users currently assigned (the Business role has been later removed from the users)
Part 2 Updating Cluster class
A runtime error has been observed within GRC AC 10.0 (not 10.1, as it seems the cluster class has been delivered correctly) when clicking the “Update Assignment” button. The error appears as follows: Parameter has invalid value: Parameter SYST_DATE/SYST_TIME has invalid value 00000000/000000.
The cause of the issue is that the correct configuration for the provisioning background job is missing in the view cluster GRFNVC_PLUSG.
To fix this, implement the steps provided in SAP note 1837416 (described below):
1. Go to transaction code SE54
2. Click on the button “Edit view Cluster”, followed by “Test”
3. Enter the Table/view “GRFNVC_PLUSG” and click "Test"
4. Select the Node “Plan Activity for Access Management” under the Dialogue structure
5. Select Plan Usage GRAC_BRLP and double click on it.
6. Enter the correct ABAP class as "CL_GRAC_ERM_BROLE_BG". (This value may have been set up/delivered incorrectly before, hence the error).
NOTE: If the entry “GRAC_BRLP” does not exist, you can create it as per SAP note 1837416
- Click on New Entries
- Enter the following fields and save:
Plan Usage: GRAC_BRLP
Activity Name: Access Control Business Role Provisioning Background Job
ABAP class: CL_GRAC_ERM_BROLE_BG (note: SAP note 1837416 mentions CL_GRAC_BROLE_BG, but this does not work)
With this fix, you should now be able to successfully maintain and provision Business role updates to all users via the Role Maintenance screen.
SAP Notes in relation to this topic
The Business Role Methodology contains multiple steps including “Provisioning”, and under the “Provisioning” step there is an “Update Assignment” button. When a customer clicks the “Update Assignment” button, a notification is triggered to all the end users to whom this business role is assigned, notifying them of the access change. But there is no way to control this notification.
The SAP note provides correction instructions that introduce a new configuration parameter ID to control whether emails are sent out to users during the "provisioning update" scenario (param ID 3029 - Send Notification to End User on Update Assignment).
It seems there is a program issue in 10.1 whereby the updates are not working correctly when a new derived role is added or an existing role is removed from the business role definition. The note seems to state that it is part of SP08 for 10.1. There is no clear indication of whether this behavior is reported or fixed for 10.0.
I presume that the fact there is no "Mass assignment" feature available for Business Roles from BRM means that there is no "Mass Update Assignment" feature available at all either (i.e. running a "Provision update assignment" job for many business roles in a single attempt). SAP suggests utilising the "Multiple User Request" option to control mass assignments of business roles.