Enterprise Role Management

Enterprise Role Management (ERM) is a capability of the GRC Access Control application. The other Access Control capabilities interact with ERM.

Enterprise Role Management automates the definition and management of roles, allowing you to manage enterprise roles with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated.

This capability supports preferred practices that keep role definition, development, testing, and maintenance consistent across the entire enterprise.

ERM provides SAP security administrators, role designers, and role owners with a simplified means of documenting and maintaining important role information for better role management.

The features include:

  • Tracking progress during role implementation.

  • Monitoring the overall quality of the implementation.

  • Performing risk analysis at role design time.

  • Setting up a workflow for role approval.

  • Providing an audit trail for all role modifications.

  • Maintaining roles after they are generated to keep role information current.

Implementation Considerations

Implementation considerations for this capability include:

  • Designing a logical role naming convention.

  • Creating a well-thought-out integration of enterprise role management into ongoing role development, testing, and change management processes.

  • Identifying the users involved in using and customizing roles, such as role owners, security administrators, and user administrators.

  • Defining goals, such as role optimization or consolidation, user access optimization, and risk and change request reduction.

  • Identifying custom reports.

Features

This capability provides role owners and security administrators with the means to:

  • Create and maintain role definitions.

  • Automate tasks such as generating roles and comparing role definitions in the SAP back end.

  • Identify potential audit and SoD issues.

  • Automate all SoD-related activities, such as defining and monitoring SoD conflicts, proactively preventing SoD conflicts, and applying mitigation controls.

    For more information, see Segregation of Duties.

Roles and Role Assignment

This capability integrates with the Compliant User Provisioning capability to support provisioning for ERP systems in which user access is role-based. A role is a predefined set of access permissions. In this model, access is not granted to individual users, but rather to roles.

Example

To provision access to a financial application for a user, you must assign to that user a role that has access to the application. If the user is assigned to the requisite role, the user automatically has access to the application.


Different users need to access the same module or application, yet require different levels of access. Typically, for any given application, multiple roles exist that include some form of access. Therefore, the roles assigned in this capability define both the application to which the user has access, and the level of access the user is granted.

Risk Analysis and Mitigation

One key element of provisioning in this capability is the identification and mitigation of risk. Here, a risk is identified as a conflict within a single role.

Example

In most organizations the roles Receiving, Inventory, and Accounts Payable are mutually exclusive. To prevent the risk of fraud, a person responsible for cataloguing deliveries cannot have:

  • the ability to catalogue inventory

  • authority to authorize payment for a delivery.

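The design-time risk analysis described above, as an added example that is not part of this documentation or of the GRC Access Control product: a small Python checker that takes constructed role definitions and a constructed SoD ruleset modelled on the Receiving / Inventory / Accounts Payable case and flags any role that contains a conflict by itself. It goes slightly beyond the section by also checking the combined functions of a user's assigned roles, which is where provisioning-time conflicts appear; all role names, function names and rule names are assumptions.

```python
from itertools import combinations

# Constructed SoD ruleset (assumption): pairs of business functions that must
# not be held together, mirroring the Receiving / Inventory / Accounts Payable case.
SOD_RULES = {
    ("RECEIVE_GOODS", "CATALOGUE_INVENTORY"): "Receiving vs. Inventory",
    ("RECEIVE_GOODS", "APPROVE_PAYMENT"): "Receiving vs. Accounts Payable",
    ("CATALOGUE_INVENTORY", "APPROVE_PAYMENT"): "Inventory vs. Accounts Payable",
}

# Constructed role definitions (assumption): role name -> business functions granted.
ROLES = {
    "Z_WAREHOUSE_CLERK": {"RECEIVE_GOODS", "VIEW_DELIVERIES"},
    "Z_INVENTORY_MGR": {"CATALOGUE_INVENTORY", "VIEW_DELIVERIES"},
    "Z_AP_APPROVER": {"APPROVE_PAYMENT"},
    # A badly designed role that combines Receiving with Accounts Payable.
    "Z_LOGISTICS_ALL": {"RECEIVE_GOODS", "APPROVE_PAYMENT", "VIEW_DELIVERIES"},
}


def conflicts_in(functions):
    """Return the names of SoD rules violated by one set of functions."""
    found = []
    for a, b in combinations(sorted(functions), 2):
        # Rules are unordered pairs, so look up both orientations.
        rule = SOD_RULES.get((a, b)) or SOD_RULES.get((b, a))
        if rule:
            found.append(rule)
    return sorted(found)


def analyze_roles(roles):
    """Design-time check: every role that carries a conflict on its own."""
    report = {}
    for name, funcs in roles.items():
        found = conflicts_in(funcs)
        if found:
            report[name] = found
    return report


def analyze_user(assigned_roles, roles):
    """Provisioning-time check: conflicts across all of a user's roles combined."""
    combined = set().union(*(roles[r] for r in assigned_roles))
    return conflicts_in(combined)


if __name__ == "__main__":
    print("roles with built-in conflicts:", analyze_roles(ROLES))
    print("clerk + inventory manager:", analyze_user(["Z_WAREHOUSE_CLERK", "Z_INVENTORY_MGR"], ROLES))
```

A role flagged by analyze_roles should be redesigned before it is generated; a user-level hit is the case for a mitigation control or a changed assignment.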

The application includes a rich set of reports that:

  • facilitate overall role quality management

  • provide valuable information for creating precise role definitions

  • minimize ongoing role maintenance