
Tuesday, January 11, 2011

Performance Optimization of SAP GRC Access Control 5.3 - Optimize Compliant User Provisioning

The performance of Compliant User Provisioning on application level can be improved by the following measures:

· Reduce Log Level

· Avoid Risk Analysis for Critical Roles and Profiles

Reduce Log Level

Writing detailed logs is a resource-intensive operation. In Compliant User Provisioning, under Configuration -> Miscellaneous, you can select from the following four log levels: DEBUG, INFO, WARN, ERROR. We recommend reducing the trace level down to ERROR.

Avoid Risk Analysis for Critical Roles & Profiles

In Compliant User Provisioning, request approvers can perform a risk analysis on the request approval screen before they approve the request. It is also possible to force approvers to run a risk analysis before they approve a request by a customizing setting in the stage definition. This is a very useful feature for most requests. However, if the request contains profiles like SAP_ALL or very powerful roles designed for super-user or emergency access, an online risk analysis during request approval would take a very long time and have little benefit. Two alternative approaches help to avoid falling into this trap:

· Separate approvers for critical roles / profiles: Tag roles or profiles as critical by assigning them a particular attribute. This attribute can later be used to route requests to specific approvers who are responsible for and trained in approving critical roles and profiles. They wouldn’t start a risk analysis for such requests.

· If you run Superuser Privilege Management in the affected SAP backend systems, then the preferred approach would be to exclude critical roles and profiles from the role catalogue in Compliant User Provisioning and allow access to such roles and profiles only via a Firefighter ID in Superuser Privilege Management. End users can then request access to such a Firefighter ID in a particular SAP backend system via Compliant User Provisioning. As of Access Control 5.3, the new request type ‘Super User Access’ is available and allows for requesting and provisioning access to Firefighter IDs in Superuser Privilege Management.

For more information on this new feature, refer to the SAP GRC Access Control Configuration Guide.

