Tuesday 2 September 2014

GRC Access Control Repository 10.1 /10


Purpose

This document explains the background jobs available in the context of the GRC Access Control 10.0 Repository, as well as the importance of those jobs in relation to other areas of the application. In addition, it discusses best practices for scheduling the jobs and tips for performance.

Overview

In GRC Access Control 10.0, data from various client systems is stored in the Access Control Repository to improve performance. This repository is a collection of tables within the GRC foundation server.

The Access Control Repository

There are various kinds of data that need to be synchronized from plugin systems into the GRC foundation system, using various transactions. The synch job reports can be run from IMG by navigating to Governance, Risk & Compliance > Access Control > Synchronization Jobs:
  • Authorization Synch: synchronizes PFCG Authorization data
  • Repository Object Synch: synchronizes Profiles, Roles, and Users master data
  • Action Usage Synch: synchronizes action usage data
  • Role Usage Synch: synchronizes role usage data
These reports can also be maintained as scheduled background jobs.
The order in which these synchronization reports are completed is important. The jobs should be executed in the above order.

Authorization Synch

The report GRAC_PFCG_AUTHORIZATION_SYNC synchronizes the PFCG master data from the backend system(s) specified in the connector input parameter. It is also possible to execute this report by running the transaction GRAC_AUTH_SYNC.
The objects are pulled from backend transaction SU24. This transaction holds the relationships between transactions and their respective authorization objects. This is relevant for role creation in Business Role Management (BRM). Upon adding a transaction to a role, BRM will bring in all the synchronized authorization objects maintained for that transaction.
There are a few input parameters that need to be provided:
  • Connector field: enter the connector ID defined in transaction SM59. More than one connector can be entered.
  • Language: enter the language for which the roles are created in the system. More than one language can be entered.
  • Legacy systems: if the synchronization is for a legacy system, check the "Legacy System" box and provide the connector ID for the legacy system, also in transaction SM59 (under connection type "L").

 

Repository Object Synch

The Repository Object Synch synchronizes User, Role, and Profile objects to Access Control Repository. The main report is called GRAC_REP_OBJ_SYNC and can be run directly from transaction SE38 to update User, Role, and Profile objects all at the same time.
For each of the objects to be synchronized, a specific report is called within GRAC_REP_OBJ_SYNC. As a best practice recommendation, the synchronization of the objects should be run in a specified order for the program to function properly: Profiles first, then Roles, then Users. The Repository Sync job does this automatically for you, so it is recommended to run the Repository Object Synch from IMG instead of running each report separately. This explains why the report screen does not allow users to check only Users and Roles, for instance. In this case the Profiles checkbox is automatically selected.
To synchronize User master data, the report is called GRAC_ROLEREP_USER_SYNC.
To synchronize Role master data, the report is called GRAC_ROLEREP_ROLE_SYNC.
To synchronize Profile data, the report is called GRAC_ROLEREP_PROFILE_SYNC.
There are a few input parameters that need to be provided:
  • Connector field: enter the connector ID defined in transaction SM59. More than one connector can be entered.
  • Language: enter the language for which the roles are created in the system. More than one language can be entered.
  • Legacy systems: if the synchronization is for a legacy system, check the "Legacy System" box and provide the connector ID for the legacy system, also in transaction SM59 (under connection type "L").
  • Synchronization mode, explained as follows.

This report can be executed in two modes:
  • Incremental Sync Mode - updates the PFCG authorization master data that has been maintained since the last execution
  • Full Sync Mode - synchronizes data using a beginning date of 01/01/1970. The end date is always the current GRC server system date.
   
As a best practice approach, schedule periodic runs of the Repository object synchronization in Full mode once a week, and in Incremental mode every hour. 
   
IMPORTANT: After every Role Import, a run in Full Sync mode is required for the newly imported roles to be captured by the report.
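
The ordering and scheduling rules above can be checked against a job history. The following is an added example, not part of the original post or of SAP's tooling: it audits a constructed list of finished runs for the report order given in the overview, the weekly Full and hourly Incremental schedule, and a Full sync after every role import. The row layout, the connector IDs, the ROLE_IMPORT marker and the 10-minute slack are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Order recommended on this page: Authorization, Repository Object, Action Usage, Role Usage.
ORDER = ["GRAC_PFCG_AUTHORIZATION_SYNC", "GRAC_REP_OBJ_SYNC",
         "GRAC_ACTION_USAGE", "GRAC_ROLE_USAGE_SYNC"]
REPO = "GRAC_REP_OBJ_SYNC"
FULL_MAX_AGE = timedelta(days=7)   # page: Full mode once a week
INCR_MAX_GAP = timedelta(hours=1)  # page: Incremental mode every hour

def audit(rows, now, slack=timedelta(minutes=10)):
    """rows: (finish_time, event, connector, mode, ok) tuples; returns a list of findings."""
    findings, done, by_conn = [], set(), {}
    for ts, event, conn, mode, ok in sorted(rows):
        by_conn.setdefault(conn, []).append((ts, event, mode, ok))
        if event in ORDER and ok:
            idx = ORDER.index(event)
            if idx and (conn, ORDER[idx - 1]) not in done:
                findings.append(f"{conn}: {event} ran before {ORDER[idx - 1]} succeeded")
            done.add((conn, event))
    for conn, events in by_conn.items():
        repo = [(ts, mode) for ts, ev, mode, ok in events if ev == REPO and ok]
        full = [ts for ts, mode in repo if mode == "FULL"]
        if not full or now - full[-1] > FULL_MAX_AGE:
            findings.append(f"{conn}: no Full repository sync in the last 7 days")
        for ts, ev, _, _ in events:
            if ev == "ROLE_IMPORT" and not any(f > ts for f in full):
                findings.append(f"{conn}: role import at {ts:%Y-%m-%d %H:%M} not followed by a Full sync")
        times = [ts for ts, _ in repo] + [now]
        for a, b in zip(times, times[1:]):
            if b - a > INCR_MAX_GAP + slack:
                findings.append(f"{conn}: repository sync gap {a:%H:%M} to {b:%H:%M}")
    return findings

def sample_rows():
    # Constructed job history; connector IDs and the ROLE_IMPORT marker are hypothetical.
    t = lambda h, m=0: datetime(2014, 9, 2, h, m)
    return [
        (t(1), "GRAC_PFCG_AUTHORIZATION_SYNC", "ECCCLNT100", "", True),
        (t(2), REPO, "ECCCLNT100", "FULL", True),
        (t(3), REPO, "ECCCLNT100", "INCR", True),
        (t(3, 30), "ROLE_IMPORT", "ECCCLNT100", "", True),
        (t(4), REPO, "ECCCLNT100", "INCR", True),
        (t(4, 30), "GRAC_ACTION_USAGE", "ECCCLNT100", "", True),
        (t(1), REPO, "CRMCLNT200", "FULL", True),
    ]

if __name__ == "__main__":
    for line in audit(sample_rows(), now=datetime(2014, 9, 2, 5)):
        print(line)
```

On the constructed history this reports three findings: a repository sync that ran on a connector before any authorization sync, a role import with no later Full sync, and a repository sync gap longer than one hour.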

Action Usage Synch

The Action Usage Synchronization job retrieves the transactions executed in specified plugin systems. Within this report, the execution count of the action usage and the Alerts information are also updated.
The report is called GRAC_ACTION_USAGE and can be run directly from transaction SE38. For the specified connector, the report will loop through the list of application servers available and will read the action usage information from STAD.
There are a few input parameters that need to be provided:
  • Connector field: enter the connector ID defined in transaction SM59. More than one connector can be entered.
  • User field: enter the User ID for which to capture the action usage information. More than one user can be entered.
For more information on the Action Usage Synchronization job, please visit the WIKI:
The Action Usage Sync job in technical details - GRC Access Control 10.0 

Role Usage Synch

The Role Usage Synchronization job retrieves the role usage information into the GRC repository. This job is an important prerequisite for customers who want to use the User Access Review (UAR) workflow feature available in GRC V10 Access Request Management (ARQ).
The report is called GRAC_ROLE_USAGE_SYNC and can be run directly from transaction SE38.
There are a few input parameters that need to be provided:
  • Connector field: enter the connector ID defined in transaction SM59. More than one connector can be entered.
  • Legacy systems: if the synchronization is for a legacy system, check the "Legacy System" box and provide the connector ID for the legacy system, also in transaction SM59 (under connection type "L").
