BRM

The document outlines the Business Role Management (BRM) process, detailing the steps for role creation, approval, and visibility in the GRC system. It emphasizes the importance of role naming conventions, documentation, and risk analysis, while also describing the role import concept and methodologies for managing various role types. Additionally, it highlights the responsibilities of role owners and the distinction between assignment approvers and role content approvers.

Uploaded by

natarajdn24

BRM: Business Role Management

VIRSA 4.0 ---- > Role Expert

GRC AC 5.1, 5.2, 5.3 ----- > ERM (Enterprise Role Management)

GRC AC 10, 10.1, 12 ----- > BRM (Business Role Management)

1) CR - Documentation – Requirement – Tool
2) Approval Process – Group of people --- Finance team Approvals FI, GRC, MM – SME or Solution Architect
3) Technical Process – Security – PFCG
4) Testing – UT, SIT, UAT
5) Moving to PROD

SOLMAN: Solution Manager

SD – Service Desk – Ticketing Tool

ChARM – Change Access Request Management – Role Admin Process

Role Administration Concerns:

1) Role Naming Convention, e.g. ZS – Single, ZM – Master, ZD – Derived

2) Approval

3) Documentation - Who requested, Who modified, Who approved, T-codes

4) Risk Analysis

5) Role should be visible to user while submitting access request - ARM


What is the purpose of BRM?

1. Making the role visible (by defining attributes) to the user while filling in the access form in GRC – Role Import Concept (the role is created in ECC Dev, moved to ECC PROD and then imported into GRC PROD NWBC). Item 5 above is addressed.

2. Role Methodology in GRC – automating the role management/administration process by defining a workflow with stages such as Approvals, Documentation and Risk Analysis, and also making the role visible to the end user (role creation is done from GRC and then pushed into ECC). Items 1 to 5 above are addressed.

Role Import Concept:

Create the role in the Backend and then import the role into GRC, define
attributes (Define Role) and make it ready for assignment (Provisioning) in the
GRC system.

Basic purpose of BRM is to make the role visible for user while submitting access
form (ARM)

Single/Mass role Import:

NWBC ---- > Access Management ---- > Role Mass Maintenance ----- > Role Import

When the role imported/created through BRM is not visible in ARM while filling in the access form:

1. Below entry should be YES.

How to make this entry as YES? Through SYNC job…

2. Role Status: Production

Template is needed to load the data into GRC system for multiple roles
Click here to download attribute file template

Mandatory Columns to be filled for all role types: A to H, P to S, AC, AF, AG

Derived Role – T (additional mandatory column to be filled)

Comp Role - X (additional mandatory column to be filled)

Business Role -X, Y (additional mandatory columns to be filled)

Note: Associated Roles (column X) & Master Role (Column T) – should be imported already into BRM
before you import Comp role or Business Role and Derived Role.

Derived Role ---- > Master Role

Comp Role ---- > single Roles


Business Roles ----- > Single, Comp, Group

Single Role

Comp Role ---- > Single Roles

Derived Role --- > Master Role

Comp Role --- > DR1, SR1

1.Single Roles

2.Master Roles

3.Derived Roles

4.Comp Roles

5.Business Roles
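
The mandatory-column and import-order rules above can be checked before a mass import. The following is an added example, not part of the original notes or of SAP's tooling: the row layout (separate `name` and `type` keys), the role-type labels, the comma separator in column X and all role names are assumptions made for illustration.

```python
from string import ascii_uppercase

def cols(first, last):
    """Expand a single-letter spreadsheet column range, e.g. P..S."""
    return [c for c in ascii_uppercase if first <= c <= last]

# Mandatory columns exactly as listed in the notes above.
COMMON = cols("A", "H") + cols("P", "S") + ["AC", "AF", "AG"]
EXTRA = {"SINGLE": [], "MASTER": [], "DERIVED": ["T"],
         "COMP": ["X"], "BUSINESS": ["X", "Y"]}
# Import sequence from the notes: single, master, derived, composite, business.
ORDER = ["SINGLE", "MASTER", "DERIVED", "COMP", "BUSINESS"]

def plan_import(rows, already_in_brm=()):
    """Return (roles safe to import, in order) and a list of problems found."""
    known, plan, problems = set(already_in_brm), [], []
    for r in sorted(rows, key=lambda r: ORDER.index(r["type"])):
        name, cells = r["name"], r["cells"]
        missing = [c for c in COMMON + EXTRA[r["type"]]
                   if not cells.get(c, "").strip()]
        if missing:
            problems.append(f"{name}: empty mandatory column(s) {', '.join(missing)}")
        # Column T names the master role; column X lists the associated roles
        # (comma-separated here, which is an assumption of this example).
        refs = []
        if r["type"] == "DERIVED":
            refs = [cells.get("T", "")]
        elif r["type"] in ("COMP", "BUSINESS"):
            refs = cells.get("X", "").split(",")
        unresolved = [x.strip() for x in refs if x.strip() and x.strip() not in known]
        if unresolved:
            problems.append(f"{name}: import first: {', '.join(unresolved)}")
        if not missing and not unresolved:
            known.add(name)
            plan.append(name)
    return plan, problems

def make_row(name, role_type, **extra):
    """Build a constructed template row with every common column filled."""
    return {"name": name, "type": role_type,
            "cells": {**{c: "x" for c in COMMON}, **extra}}

# Constructed sample rows (role names are placeholders, not real roles).
SAMPLE = [make_row("CR1", "COMP", X="DR1, SR1"), make_row("DR1", "DERIVED", T="MR1"),
          make_row("SR1", "SINGLE"), make_row("MR1", "MASTER"),
          make_row("DR2", "DERIVED"), make_row("CR2", "COMP", X="SR9")]

if __name__ == "__main__":
    plan, problems = plan_import(SAMPLE)
    print("import order:", plan)
    print("\n".join(problems))
```
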
Connector Group ----- > Landscape

BNZ_GROUP

ECC - R1

BW – R1

CRM – R1

BMW_GROUP

ECC - R1

BW - R1

CRM - R1

ECC_GROUP

ECC

BW_GROUP

BW

Default Role Methodology:

SPRO ----- > GRC ------- > Access Control --------> Role Management --- > Define Methodology Processes and Steps

1. Initiate Role Creation in GRC PROD (NWBC) ---- > Role is pushed into ECC Dev ---- > ECC QUA ---- > ECC PROD

2. Role Creation in GRC PROD
   Role is pushed from GRC PROD into ECC Dev – Unit Test
   Role is pushed from GRC PROD into ECC Quality – Integration Test, UAT
   Role is pushed from GRC PROD into ECC Prod

3. Role Creation in GRC PROD ---- > Role is pushed into ECC Prod Copy ---- > ECC DEV ---- > ECC QUA ---- > ECC PROD

Role Types

• Business Role ---- > Group of Technical Roles (Single, Comp, Group)
• Composite Role
• CUA Composite Role
• Derived Role
• Group ---- > Enterprise Portal Group
• PD Profile ---- > HR system used in Structural Auth Concept
• Profile
• Single Role
• Template ---- > Master Role

Role Naming Convention:


Single Role ---- > ZS*MODULE*SUBMODULE*PROJECT_NAME

Composite Role ---- > Y*MODULE*PROJECT_NAME

e.g. ZS:BS:CLIENT_ADMIN:BP

ZS: BASIS: SYSTEM_ADMIN:BP

BASIS – BS

HR – HR

Sales and Distribution – SD

MM – MM

Role name layout by character position:

Position 1: Z* indicates a custom role
Position 2: S/M/D indicates the role type
Position 3: ":"
Positions 4-5: Module Name
Position 6: ":"
Positions 7-17: Sub Module
Position 18: ":"
Positions 19-20: Project Name

Project Releases:
WBS - Work Break down Structure

Role Creation:

Approval
Naming convention

Proper Requirement

Testing

BRF Plus:

Application where we can design rules

If “Role Type” is SIN ---- > SINGLE

If “Role Type” is COM ---- > COMP

If “Role Type” is BUS ---- > BUSINESS

Condition groups:

SINGLE ---- > CG1

COMP ----- > CG2

BUSINESS --- > CG3

Mapping Condition groups with Role Methodology:

CG1 ---- > Single role Methodology

CG2 ---- > Comp Role Methodology

CG3 ----- > Business Role Methodology

Role Owner:
Role owners are responsible for approving either role content or user-role assignment or both

1) Create the USER ID in GRC system
2) Declare him as Role Owner in Access Control Owners Table
3) Define Role Owner for the respective roles

What is the difference between Assignment Approver and Role Content Approver?

Ans:

• Assignment Approver – Person who approves the assignment of a role in ARM
• Role Content Approver – Person who approves role maintenance, which includes role creation, modification and deletion in BRM

Business Role:

• It is a collection of Technical Roles (Single/Comp/Derived/Master/Java UME Group/Profile/Business Role) belonging to different Systems/Landscapes
• A Business Role exists only in the GRC system (NWBC), not in PFCG
• A Composite role is a collection of Single roles belonging to the same system
• In the earlier version GRC AC 5.3, this was like the ROLE MAPPING concept.

e.g. Finance Accountant user needs the following access

ECC – R1, R2, R5

BW – R3

FIN – R4

EP – G1

GRC – Requestor Role

Security Consultant

ECC – Sec Role

BW- Sec Role

HR – Sec Role

or

Finance Accountant

System    Role
ECC       R1
ECC       R2
BW        R3
FI        R4
EP        G1

Finance Team:
Clerk – T1, T2, T3

Supervisor – T5

Accountant – T6

Manager – T1, T2, T3, T4, T5, T6

Important Tables: (GRACROLE*/GRACRL*)

GRACRLCONN ---- > Backend System Role details
GRACUSERCONN ---- > Backend User Details
GRACROLE ---- > BRM Role Records
GRACUSERROLE ---- > User Role Assignments of Multiple systems connected to GRC
GRACROLERELAT ---- > Role Relationships (Comp – Single, BS – Roles)

Default Role:
A generic or common role that must be assigned to every user. We can make this the default role, so whenever a user fills in the access form, this role is added to the access form automatically and assigned to the user when the user is created.

1) Parameter Group: ACCESS REQUEST DEFAULT ROLES

Parameter 2009: Consider Default roles – YES/NO

2) Path: NWBC ---- > ACCESS MANAGEMENT ------ > Role Management --- > Default Roles

Role Mining:

Role 1 ---- > 10 T-codes ---- Assigned to several users.

Audit team ---- > Action usage Logs --- > 8 T-codes

Remove the t-codes from Role.
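
The comparison described above (T-codes granted by a role versus T-codes that appear in the usage logs) can be sketched as follows. This is an added example, not part of the original notes: the role, user and T-code names, the log tuple format and the review window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

def unused_tcodes(role_tcodes, user_roles, usage, since):
    """Per role, list T-codes that no holder of the role executed on or after `since`.

    role_tcodes: {role: [tcode, ...]}, user_roles: {user: [role, ...]},
    usage: iterable of (user, tcode, date) log entries (assumed format).
    """
    holders = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            holders[role].add(user)

    used = defaultdict(set)  # role -> T-codes executed by its holders
    for user, tcode, day in usage:
        if day < since:
            continue  # outside the review window
        for role in user_roles.get(user, ()):
            if tcode in role_tcodes.get(role, ()):
                used[role].add(tcode)

    result = {}
    for role, tcodes in role_tcodes.items():
        # A role nobody holds has no usage evidence either way, so report
        # None instead of proposing that every T-code be removed.
        result[role] = sorted(set(tcodes) - used[role]) if holders[role] else None
    return result

# Constructed sample: ROLE_1 grants 10 T-codes, 8 of them show up in the logs.
ROLE_TCODES = {"ROLE_1": [f"T{i:02d}" for i in range(1, 11)], "ROLE_2": ["T01"]}
USER_ROLES = {"U1": ["ROLE_1"], "U2": ["ROLE_1"], "U3": []}
USAGE = ([("U1", f"T{i:02d}", date(2024, 3, 1)) for i in range(1, 6)]
         + [("U2", f"T{i:02d}", date(2024, 4, 1)) for i in range(6, 9)]
         + [("U2", "T09", date(2023, 1, 1)),    # too old to count
            ("U3", "T10", date(2024, 4, 1))])   # U3 does not hold ROLE_1

if __name__ == "__main__":
    print(unused_tcodes(ROLE_TCODES, USER_ROLES, USAGE, since=date(2024, 1, 1)))
```
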

Roles Reaffirmation/Role Certification:
