Enterprise Role Management (ERM) is a capability of the GRC Access Control application. The other Access Control capabilities interact with ERM.
Enterprise Role Management automates the definition and management of roles, allowing you to manage enterprise roles with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated.
This capability enforces preferred practices so that role definition, development, testing, and maintenance are performed consistently across the entire enterprise.
ERM provides SAP security administrators, role designers, and role owners with a simplified means of documenting and maintaining important role information for better role management.
The features include:
Tracking progress during role implementation.
Monitoring the overall quality of the implementation.
Performing risk analysis at role design time.
Setting up a workflow for role approval.
Providing an audit trail for all role modifications.
Maintaining roles after they are generated to keep role information current.
Implementation considerations for this capability include:
Designing a logical role naming convention.
Creating a well thought out integration of enterprise role management into ongoing role development, testing, and change management processes.
Identifying the users involved in using and customizing roles, such as role owners, security administrators, and user administrators.
Defining goals, such as role optimization or consolidation, user access optimization, and risk and change request reduction.
Identifying custom reports.
This capability provides role owners and security administrators with the means to:
Create and maintain role definitions.
Automate tasks such as generating roles and comparing role definitions in the SAP back end.
Identify potential audit and SoD issues.
Automate all SoD-related activities, such as defining and monitoring SoD conflicts, preventing conflicts proactively at design time, and applying mitigation controls where a conflict must remain.
For more information, see: Segregation of Duties.
Roles and Role Assignment
This capability integrates with the Compliant User Provisioning capability to support provisioning for ERP systems in which user access is role-based. A role is a predefined set of access permissions. In this model, access is not granted to individual users, but rather to roles.
Example
To provision access to a financial application for a user, you must assign to that user a role that has access to the application. If the user is assigned to the requisite role, the user automatically has access to the application.
Different users need to access the same module or application, yet require different levels of access. Typically, for any given application, multiple roles exist that include some form of access. Therefore, the roles assigned in this capability define both the application to which the user has access, and the level of access the user is granted.
Risk Analysis and Mitigation
A key element of provisioning in this capability is the identification and mitigation of risk. In ERM, a risk is a conflict between the accesses contained within a single role; the analysis runs at role design time, before the role is approved and generated.
Example
In most organizations the roles Receiving, Inventory, and Accounts Payable are mutually exclusive. To prevent the risk of fraud, a person responsible for recording incoming deliveries (Receiving) must not also have:
the ability to maintain inventory records (Inventory)
the authority to approve payment for a delivery (Accounts Payable).
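The role model from Roles and Role Assignment and the role-level risk analysis from the example above, as an added example in Python. This is not code from SAP GRC Access Control or from this documentation: the business function names, the transaction codes used as actions, the rule and mitigation-control IDs, and the matching rule "a function is granted if any one of its actions is in the role" are constructed assumptions for illustration. It detects conflicts inside a single role, gates approval on an assigned mitigation control, and splits a conflicting role into conflict-free groups as a starting point for role optimization.

```python
"""Role-level SoD risk analysis at role design time (added example, not SAP code).

A role is a set of back-end actions. Business functions are matched against
those actions, and a risk fires when two conflicting functions are granted by
the same role. Names, codes and IDs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed SoD rule set: risk ID -> pair of functions that must never be
# held by the same person (the Receiving / Inventory / Accounts Payable case).
SOD_RULES = {
    "P001": ("RECEIVE_GOODS", "MAINTAIN_INVENTORY"),
    "P002": ("RECEIVE_GOODS", "APPROVE_PAYMENT"),
    "P003": ("MAINTAIN_INVENTORY", "APPROVE_PAYMENT"),
}

# Constructed mapping from business function to the back-end actions that
# implement it. Assumption: a function counts as granted if the role contains
# at least one of its actions.
FUNCTION_ACTIONS = {
    "RECEIVE_GOODS": {"MIGO"},
    "MAINTAIN_INVENTORY": {"MM02", "MB1A"},
    "APPROVE_PAYMENT": {"F110", "FB60"},
    "DISPLAY_PO": {"ME23N"},
}


@dataclass
class Role:
    name: str
    actions: set[str]
    # risk ID -> mitigation control ID assigned by the role owner (hypothetical IDs)
    mitigations: dict[str, str] = field(default_factory=dict)


def granted_functions(actions: set[str]) -> set[str]:
    """Functions implied by a set of actions under the any-action matching rule."""
    return {f for f, acts in FUNCTION_ACTIONS.items() if acts & actions}


def analyze_role(role: Role) -> list[dict]:
    """Return one finding per SoD rule whose two functions are both in the role."""
    funcs = granted_functions(role.actions)
    findings = []
    for risk_id, (a, b) in SOD_RULES.items():
        if a in funcs and b in funcs:
            findings.append({
                "risk": risk_id,
                "functions": (a, b),
                # the concrete actions in this role that cause the conflict
                "actions": sorted((FUNCTION_ACTIONS[a] | FUNCTION_ACTIONS[b]) & role.actions),
                "mitigated_by": role.mitigations.get(risk_id),
            })
    return findings


def is_approvable(role: Role) -> bool:
    """Approval-workflow gate: every detected risk must carry a mitigation control."""
    return all(f["mitigated_by"] for f in analyze_role(role))


def split_conflict_free(role: Role) -> list[set[str]]:
    """Greedily partition the role's functions into groups with no SoD conflict.

    Each group is a candidate for a smaller, conflict-free role; the greedy
    order is deterministic (sorted function names) but not necessarily minimal.
    """
    conflicts: dict[str, set[str]] = {}
    for a, b in SOD_RULES.values():
        conflicts.setdefault(a, set()).add(b)
        conflicts.setdefault(b, set()).add(a)
    groups: list[set[str]] = []
    for func in sorted(granted_functions(role.actions)):
        for group in groups:
            if not conflicts.get(func, set()) & group:
                group.add(func)
                break
        else:
            groups.append({func})
    return groups


# Constructed sample roles (names and contents are illustrative only).
WAREHOUSE_CLERK = Role("Z_WAREHOUSE_CLERK", {"MIGO", "MB1A", "ME23N"})
AP_CLERK_MITIGATED = Role("Z_AP_CLERK", {"MIGO", "F110"}, {"P002": "MC-014"})

if __name__ == "__main__":
    for role in (WAREHOUSE_CLERK, AP_CLERK_MITIGATED):
        print(role.name, analyze_role(role), "approvable:", is_approvable(role))
        print("  conflict-free split:", split_conflict_free(role))
```

A finding that is left unmitigated blocks approval, which is the behaviour the role-approval workflow needs; the split helper shows why the warehouse role fails (receiving and inventory maintenance sit in one role) and what a consolidated, conflict-free pair of roles would look like.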
The application includes a rich set of reports that:
facilitate overall role quality management
provide valuable information for creating precise role definitions
minimize ongoing role maintenance