SAP GRC Access Control 10.x: How to Set Up & Use Approver Delegation

How To Set Approver Delegation

  1. In the My Home tab, choose Approver Delegation. The Approver Delegation screen appears.
  2. Choose the Delegate button.
  3. In the Approver ID field, for the user to whom you wish to delegate your approver duty, enter the following:
    • Last Name
    • First Name
    • E-Mail address
  4. In the Valid From and Valid To fields, choose the Calendar icon to specify the date range during which the delegated approver has approval authority.
  5. Choose “Active” for Status.
  6. Choose Save.
  7. The Approver Delegation screen appears with a success message at the top, and with the name of the approver in the delegations table.
  8. Make sure that the Status icon is activated for the current delegated approver.

How To Use Approver Delegation

Once the data is saved and a user (the Delegate) is authorized to perform tasks on behalf of another user (the Delegator), the Delegate is authorized to see the Delegator’s inbox for that particular period.

  1. The Delegate can click ‘Change Delegation’ on the GRC home page in NWBC/Portal and select the check box ‘All sessions closed’.
  2. The Delegate can now choose the Delegator on whose behalf he is going to perform the work.
  3. Once the Delegate saves the information after choosing the right Delegator, the Work Inbox is replaced with the Delegator’s tasks. If the Delegate now opens his own Work Inbox, he gets the list of the Delegator’s tasks only.

*Before this delegation happened, the Delegate was able to see only his own tasks.

*If the Delegate needs to see his own tasks in the Work Inbox, he needs to change the delegation back to ‘Own Behalf’ in the Change Delegation window.

SAP Application Security: Derived vs. Enabler Role Concept Design

What is a derived role?

  • SAP Standard to allow for organizational data restriction and reduce role administration tasks
  • Parent (Master Role) and Child (Derived Role(s)) concept where the child role will have identical attributes to the parent role
  • Parent role will have wide-open access to all organizational level entities
  • Child Role will have limited access to a specific organizational unit (e.g. Company Code 1000)
  • Simplified maintenance at derived role level as only organizational levels need to be maintained
  • Minimizes human error during authorization maintenance using automation and reduced testing efforts

Pros:
  • No Updates Needed Post-Upgrade
  • Eliminates Human Error
  • Simplification of Role Administration Tasks
  • Program to mass update values in org level window
  • Decreases level of effort required for testing

Cons:
  • Increased number of technical security roles

What is an enabler role?

  • Non-standard approach to allow for organizational restriction and reduce number of technical roles
  • Single, manually created, Authorization Object-only technical role (without t-codes) that provides access to a restricted organizational level unit (e.g. Company Code 1000)
  • Authorization objects in Functional Roles need to be “disabled”
  • A single common authorization object may be responsible for a particular organizational security check in hundreds of transaction codes. This can be contained in one enabler role.

Pros:
  • Reduced number of technical security roles
  • Flexibility in complex / low level data restriction designs/build

Cons:
  • All Enabler Roles Updated Post-Upgrade
  • No automation to maintain authorization objects within enabler roles
  • Frequency of human error increases
  • More complex org structure = more complex enabler role design
  • Non-standard SAP approach