I had a feeling that it would be you that answered.
We have a requirement that needs GRC to be able to see an "exceptions table".
The exceptions table has been created so that different people can report on different parts of the Org Structure rather than just the nodes that they are directly connected to, i.e. cross-node functionality. I have never come across this problem before (and I suggested building a role for each requirement) but the business has gone for an exceptions table instead.
I hope this helps
I am not sure what AFAIK is; can you explain this please?
This exceptions table was for RAR yes.
Can you explain why GRC will not see or report on this table? I would like to go back to the business with an explanation as to why they cannot use it rather than just say "no you cannot use this for GRC"; they will want me to explain exactly why.
AFAIK - As Far As I Know
As I understand, you want the table entries to be in GRC and based on these entries you want to identify them as risks. I still don't get what the risks are here and how they are identified from table entries.
In RAR, if you want to identify risks, rules have to be built, and supplementary rules can be used to identify false positives. Based on these rules, risks are identified; I don't see how you are going to utilize the table entries to define rules.
The tables will NOT be in GRC; they will be in the SAP ERP system, and yes, we want GRC to be able to see them and run risks on them to see if there are any risks highlighted, but as you say, I do not see how GRC can see this, never mind run RAR against them.
The outsourcing company have said that they will link the exceptions table via ABAP code, but I still do not see how this can work.
I totally agree with you, there are no rules so RAR cannot report on them, but apart from that, how on hell can GRC be linked to an exceptions table? I advised them that rather than EXCLUDE someone from seeing part of the Org Structure they should build roles so that the users can only see what they want them to see (INCLUDE).
Just a suggestion for your customer: I would recommend talking to Greenlight. They are able to build connectors to non-SAP systems without having to bring the data into ECC. What they do is build an interface that will bring the data from your non-SAP system, run the data through the interface so that it's in a format that GRC can read (this being cross-system rules to non-SAP systems), and then you have a web service connection from GRC that syncs your data into GRC so you can run a risk analysis with that. One drawback: the data may not be real time like SAP ECC, but it will get you close enough to meet their requirements.
I have worked with Greenlight before and they were able to build such an interface to a mainframe application and pull the data in so that RAR could analyse cross system risks.
Hope this helps.
They might be able to do that, by converting the entries in the table with an ABAP program and publishing them in a readable format for GRC. GRC may identify these published results and mark them as risks. But with standard functionality, it's not possible.
Definitely not recommended if you have alternative ways as you said.