May 29, 2016



Q) Is it possible to assign two roles with different validity period to a user in one shot through GRC ? If yes, how

If you are talking about GRC Access enforcer tool then there is option of validity period for role while creating access enforcer request. When you go to button "Select roles" and when you search and add role in Role Tab you can see column Validity period which you can change. And you can add multiple roles to one user by just performing "Add" role activity. I hope this is what you are asking for.

Q) How to get the E-Mail address for 100 users at a time ?

SECATT script / to get email address of the no. of users go to SE16  ADR6  give the person number or Address number.
To get the Address number or Person number go to the tableUSR21 extracts the data of the users.

Q) While Creating BW roles what are the Authorization Objects we will use ?

 s_rs_auth, s_rs_icube, s_rs_odso, s_rs_mpro, s_rs_ipro, s_rs_admwb (for BI consultants & admins) and s_rs_rsec (for BI Security consultant)

Q) When we changed the password for more users(for example:100 users) 

a) At the time of implementation we create users & PWD
b) Depend on business user’s requests
c) If locked users needed to unlock and make them use then we generate new PWDs.
d) Monthly or quarterly basis we send a message to end-users to change their PWDs.
e) Users got locked due to incorrect log on.
f) Users locked with the expiration of their user ids.

Q) (A) Where the password will be stored 
        (B) from where you can Re-Collect the password and 
        (C) how will you communicate the password to all users at a time.

A) PWD information will be stored in table USR02.
B) There is NO re-collect password process in SAP again user needs to send request to security team to re-issue new PWD
C) We can do it through SECATT script.

Q) What is Virsa ? Once you entered in to the screen what it will perform ? 

Before GRC comes into picture there were other tools which are running in the market in order to do analysis. Those are VIRSA and APPROVA. Both are an INDIAN Companies and VIRSA developed Tools like Firefighter, Compliance Calibrator, Access Enforcer and Role expert to do risk analysis but In the Year 2006 VIRSA took over by SAP and it changed names as Superuser Privilege Management (SPM), Risk Analysis and Remediation (RAR), Compliant User Provisioning CUP) and Enterprise Role Management (ERM) respectively.
Virsa FireFighter for SAP: enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access & tracks and logs every activity the super-user performs using that temporary ID.

Q) What is the use of SU24 & SM24 ? 

There is no SM24 t-code in SAP. Coming to SU24, here we can maintain the assignment of Authorization Objects by entering into particular t-code and we can check the relation between the t-code and concern authorization objects and we can make changes according to business needs. It means maintain Authorizations and its fields and field values.

Q) What is Dialog users, Batch users and Communicate users. What is the use with Communicate user ? 

Dialog user is used by an individual to do all kinds of log on. Batch user is used for Background processing and communication within the system. Communicate user is used for external RFC calls. (Across the systems we can connect)

Q) Can we add one Composite role in to another Composite role at any urgent user requests or in normal user requests ? 

We cannot add a composite role into another composite role but we can add multiple derived roles into one composite role.

Q)    In Transport what type of Request we will use. Why don't we use workbench request in transport ?

Most of the time we do transport workbench and customized requests. 95% we do customized transport as we do settings, configurations, creation etc at DEV system and transport them to QUA or PRD systems.
Settings, configurations etc are done by BASIS, Security and Functional consultants then those will be treated as Customized and if ABAPers do programs and packages etc and transport them then those will be treated as workbench.

Q)    When we added Authorization Object in Template role, at the same time what will be happen in Derived role ? 

Template Roles will be provided by default by SAP while we do implementation (install SAP).when we want to have template role we should not use that role directly, instead of that we can go for COPY option and we can copy it and do customize according to our business needs.

Q) How to Check Profile parameter. And how to find whether any transport has ended with error and where we can check ?

T-code RZ10 to check Profile Parameter & T-code STMS we can check the Transport error logs. Click on Import Overview (Truck icon) in STMS screen and in next screen we have options like: Import Monitor, Import Tracking and Import History.... these will show the transport issues.

No comments:

Post a Comment