This document explains the idea of using Business roles as containers: an efficient way of managing roles in an organization by mapping them to job functions, which in turn makes provisioning an efficient task.
The biggest challenge for organizations is staying in compliance in an environment of constant access changes. With GRC Access Control 10.0 Business Role Management (BRM), Business roles can be used to determine the access necessary for the function or process a user is involved in, helping organizations manage changes to access. Once Business roles have been mapped to the appropriate job tasks, organizations control compliance and business risk by running their risk-analysis rules against each request.
Each Business role represents a job role or function that the business can easily understand, and is associated with one or more related Technical roles.
Example of Business roles
An example of a Business role is “AP Clerk”, which has all the authorizations that an Accounts Payable Clerk needs to perform their activities.
Business roles are system independent
Business roles are system independent. For example, a customer creates a Business role with two Technical roles assigned, one for system A and one for system B. When this Business role is assigned to a user, it is not necessary to select a system for the Business role itself: the request automatically takes the systems of both Technical roles.
Searching for Business roles
A Business role search should not rely on the “System” search criterion, because a Business role usually consists of more than one Technical role, and each Technical role may be tied to a different system.
It is therefore recommended not to combine System and Business role in the search criteria. Search for Business roles only and leave the System ID field blank.
Creating and provisioning Business roles
In BRM, business process owners can define which permissions make up a Technical role, document role status, follow a specific methodology for role creation, run risk analysis for compliance purposes before role generation, keep change histories, and achieve clean access controls by avoiding SoD violations. Once the Technical roles are defined and created, Business roles are created and mapped to these Technical roles.
When an end user requests a Business role, the requestor does not need to know which Technical roles it consists of; the Business role is what is requested.
Customers will not find the Business role itself in the R/3 system; it is only a BRM concept. When a Business role is provisioned, what is actually provisioned is the group of Technical roles it contains.
Updating existing Business roles
When an existing Business role is updated, is the change reflected for all users already assigned to this Business role? Yes, but only after the customer pushes the updated assignment to those users.
How to do it: in BRM, open the Business role; in the “Provisioning” step of the role methodology there is a button called "Initiate update to users". It performs all the deletions and insertions for every user who currently has that Business role.
The button will be enabled when:
• The Business role has already been provisioned at least once
• The Business role has changed and technical roles have been added or removed
The button will be disabled when:
• The Business role has not been provisioned via request yet
• The Business role has already been provisioned at least once, but there are no users currently assigned (the Business role has been later removed from the users)
SPRO Parameters group related to Business roles
Under transaction SPRO>SAP Reference IMG>Governance, Risk & Compliance>Access Control>Maintain Configuration Settings, there is a parameter group called “Access Request Business role”, which comprises the following parameter:
Parameter 4011: Delete the technical roles if it is part of the Business roles
When this parameter is set to “Yes”, Technical roles that are shared with other Business roles are removed as well when a Business role is removed via Access Request. Before enabling it, check whether affected users still need those Technical roles through another Business role they keep, since the removal hits the backend regardless of that other assignment.
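The following Python model is an added illustration for this article, not SAP code. It puts the points above into one runnable scenario: a Business role has no system of its own and provisioning it grants its Technical roles in each member's backend system; changing the role content does not touch users until "Initiate update to users" is pushed, with the button's enable/disable rules; and removing the Business role via request keeps or deletes shared Technical roles depending on parameter 4011. All class, method, role and user names are invented, and one modelling assumption is stated in the docstring: the update push revokes removed Technical roles under the same shared-role rule as a removal via request.

```python
"""Toy model of BRM Business roles as containers of Technical roles. Added
illustration for this article, not SAP code: names are invented, behaviour
follows the text. Assumption: the update push revokes removed Technical
roles under the same shared-role rule (parameter 4011) as removal via request."""
from collections import namedtuple

TechnicalRole = namedtuple("TechnicalRole", "name system")  # system: backend, e.g. ECC_PRD


class BusinessRole:  # BRM-only container: no system of its own, only members
    def __init__(self, name, technical_roles):
        self.name = name
        self.technical_roles = set(technical_roles)
        self.provisioned_content = None  # members at last push; None = never


class Brm:
    def __init__(self, roles, param_4011_delete_shared=False):
        self.roles = {r.name: r for r in roles}
        self.param_4011 = param_4011_delete_shared
        self.assignments = {}  # user -> set of Business role names
        self.backend = {}      # user -> {system: set of Technical role names}

    def _grant(self, user, tech_roles):
        for tr in tech_roles:
            self.backend.setdefault(user, {}).setdefault(tr.system, set()).add(tr.name)

    def _revoke(self, user, tech_roles):
        # A Technical role still delivered by another assigned Business role is
        # "shared": it is retained unless parameter 4011 is set to Yes.
        still_needed = set()
        for other in self.assignments.get(user, ()):
            still_needed |= self.roles[other].technical_roles
        for tr in tech_roles:
            if tr in still_needed and not self.param_4011:
                continue
            self.backend[user][tr.system].discard(tr.name)

    def request(self, user, br_name):
        """Access Request: provisioning a Business role provisions its members."""
        br = self.roles[br_name]
        self.assignments.setdefault(user, set()).add(br_name)
        self._grant(user, br.technical_roles)
        br.provisioned_content = set(br.technical_roles)

    def remove(self, user, br_name):
        self.assignments[user].discard(br_name)
        self._revoke(user, self.roles[br_name].technical_roles)

    def change_content(self, br_name, add=(), drop=()):
        """Role maintenance: changes content only, assigned users are untouched."""
        br = self.roles[br_name]
        br.technical_roles = (br.technical_roles | set(add)) - set(drop)

    def users_of(self, br_name):
        return {u for u, brs in self.assignments.items() if br_name in brs}

    def can_initiate_update(self, br_name):
        """Enable/disable rules of the 'Initiate update to users' button."""
        br = self.roles[br_name]
        provisioned_once = br.provisioned_content is not None
        changed = provisioned_once and br.technical_roles != br.provisioned_content
        return provisioned_once and changed and bool(self.users_of(br_name))

    def initiate_update_to_users(self, br_name):
        br = self.roles[br_name]
        added = br.technical_roles - br.provisioned_content
        removed = br.provisioned_content - br.technical_roles
        for user in self.users_of(br_name):
            self._grant(user, added)
            self._revoke(user, removed)
        br.provisioned_content = set(br.technical_roles)
        return added, removed


def snapshot(brm, user):  # backend view of one user: {system: sorted role names}
    return {s: sorted(n) for s, n in brm.backend.get(user, {}).items() if n}


def scenario(param_4011_delete_shared):
    """Walks through the article's cases with constructed roles and a user."""
    ap_display = TechnicalRole("Z_AP_DISPLAY", "ECC_PRD")
    ap_post = TechnicalRole("Z_AP_POST", "ECC_PRD")
    bw_report = TechnicalRole("Z_BW_AP_REPORT", "BW_PRD")
    brm = Brm([BusinessRole("AP Clerk", {ap_display, ap_post, bw_report}),
               BusinessRole("AP Analyst", {ap_display, bw_report})],
              param_4011_delete_shared)
    out = {}
    brm.request("jdoe", "AP Clerk")    # one request, two backend systems
    brm.request("jdoe", "AP Analyst")  # shares two Technical roles with AP Clerk
    out["after_requests"] = snapshot(brm, "jdoe")
    brm.change_content("AP Clerk", add={TechnicalRole("Z_AP_PARK", "ECC_PRD")}, drop={ap_post})
    out["button_enabled"] = brm.can_initiate_update("AP Clerk")
    brm.initiate_update_to_users("AP Clerk")
    out["after_update"] = snapshot(brm, "jdoe")
    brm.remove("jdoe", "AP Clerk")     # with 4011=Yes the shared roles go too
    out["after_remove"] = snapshot(brm, "jdoe")
    brm.change_content("AP Clerk", add={ap_post})  # changed again, but no users left
    out["button_enabled_no_users"] = brm.can_initiate_update("AP Clerk")
    return out
```

Running `scenario(False)` and `scenario(True)` side by side shows the practical difference of parameter 4011: with “No” the user who still holds “AP Analyst” keeps Z_AP_DISPLAY and Z_BW_AP_REPORT in the backends; with “Yes” the same removal leaves the user with no Technical roles at all, even though BRM still shows “AP Analyst” assigned.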
Role certification
Role certification is a concept similar to “User Access Review”: it allows the Business role owner to review and certify the role content on a periodic basis.
The role certification attributes are defined in the role properties, and the certification period is defined in days. Once that period has elapsed, an email reminder is sent to the role owner stating that the role needs to be certified. The next certification date is calculated from the period and the last certification date. The reminder template can be customized in the IMG.
Importing Business roles
When importing or defining a Business role, the Application Type is set to “BUSINESS ROLES” and the Landscape to “ROLE MANAGEMENT BUSINESS GROUPS”.
When importing a Business role, there is no need to maintain the column "System [ Alphanumeric(32) ]" in the import file. On import, the application creates the Business role container in BRM only (it is not created in any backend system) and assigns to it each of the Technical roles maintained in the file. The columns “Associated Roles [ Alphanumeric(100) ] [Only for Composite / Business Roles]” and “Associated Role Landscape [ Alphanumeric(10) ][ Only for Business Roles ]” are attributes of those Technical roles.
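As an added example (not SAP's importer and not part of the original article), the following Python lint checks a role import file before it is uploaded: Business role rows must carry the “BUSINESS ROLES” application type and the “ROLE MANAGEMENT BUSINESS GROUPS” landscape, must leave System blank, and must name associated Technical roles that are either in the same file or already known to BRM. The file layout is assumed, not taken from the page: tab-separated with a header row, only the columns used here, illustrative names for the role-name, application-type and landscape headers, and several associated roles listed ';'-separated in one row. The sample file is constructed.

```python
"""Pre-import lint for a BRM role import file. Added example for this
article, not SAP's importer. Assumptions not stated on the page: the file
is tab-separated with a header row, only the columns used here are present,
the role-name / application-type / landscape header names are illustrative,
and several associated roles are listed ';'-separated in one row."""
import csv
import io

BUSINESS_APP_TYPE = "BUSINESS ROLES"
BUSINESS_LANDSCAPE = "ROLE MANAGEMENT BUSINESS GROUPS"

# Constructed sample: two Technical roles in two systems, one well-formed
# Business role containing both, and one Business role with two mistakes
# (System filled in, member not defined anywhere in the file).
SAMPLE_FILE = (
    "Role Name\tApplication Type\tLandscape\tSystem [ Alphanumeric(32) ]\t"
    "Associated Roles [ Alphanumeric(100) ] [Only for Composite / Business Roles]\t"
    "Associated Role Landscape [ Alphanumeric(10) ][ Only for Business Roles ]\n"
    "Z_AP_DISPLAY\tSINGLE\tECC_LAND\tECC_PRD\t\t\n"
    "Z_BW_AP_REPORT\tSINGLE\tBW_LAND\tBW_PRD\t\t\n"
    "AP CLERK\tBUSINESS ROLES\tROLE MANAGEMENT BUSINESS GROUPS\t\t"
    "Z_AP_DISPLAY;Z_BW_AP_REPORT\tECC_LAND;BW_LAND\n"
    "AP MANAGER\tBUSINESS ROLES\tROLE MANAGEMENT BUSINESS GROUPS\tECC_PRD\t"
    "Z_AP_APPROVE\tECC_LAND\n"
)


def parse_import_file(text):
    """Rows as dicts keyed by the header text before its ' [ type ]' suffix."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [{k.split(" [")[0].strip(): (v or "").strip() for k, v in row.items()}
            for row in reader]


def lint_business_roles(rows):
    """Returns ({business role: {associated role: landscape}}, [findings])."""
    in_file = {r["Role Name"] for r in rows if r["Application Type"] != BUSINESS_APP_TYPE}
    containers, findings = {}, []
    for r in rows:
        name = r["Role Name"]
        if r["Application Type"] != BUSINESS_APP_TYPE:
            if not r["System"]:
                findings.append(f"{name}: a Technical role needs a System")
            continue
        if r["Landscape"] != BUSINESS_LANDSCAPE:
            findings.append(f"{name}: Landscape must be {BUSINESS_LANDSCAPE!r}")
        if r["System"]:
            findings.append(f"{name}: System is not used for Business roles, leave it blank")
        members = [m for m in r["Associated Roles"].split(";") if m]
        landscapes = [l for l in r["Associated Role Landscape"].split(";") if l]
        if not members:
            findings.append(f"{name}: container has no Associated Roles")
        if len(landscapes) != len(members):
            findings.append(f"{name}: expected one Associated Role Landscape per member")
        for m in members:
            if m not in in_file:
                findings.append(f"{name}: member {m} is not in this file; it must already exist in BRM")
        containers[name] = dict(zip(members, landscapes))
    return containers, findings
```

The member check is deliberately a warning rather than an error: a Technical role that is not in the file may legitimately exist in BRM already, but a typo there silently produces a container that grants less than intended, which is worth catching before the upload.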
Related SAP Notes
SAP Note 1696320: Business roles are not getting search in Role level report
SAP Note 696647: Business Role not getting searched with blank system failed
SAP Note 1736960: Shared Technical Roles not retained when Business Role is removed via Access Request
SAP Note 1692561: UAM: Business Role as default role is working