Hi Colleen,
Yeah, your analysis is spot on.
In ECC, the client's roles follow different approaches.
1. For a few finance modules (AP, P2P, Treasury Management, Capital Project) they have a derived role concept.
2. For Cashiering, Invoicing, Collection Management they have a Position and Control role concept.
Basically, both security role designs were done by different vendors, and I am not sure why it was done by different vendors.
For the first point mentioned above, GRC 5.3 was already implemented and end users are using it. Now a different vendor has done the GRC 10 upgrade for that.
We are working on the GRC implementation for the modules mentioned in point 2.
There was a lot of confusion on the approach, as the vendor who is doing the upgrade from GRC 5.3 to GRC 10.0 has completed it and it went LIVE. Users are requesting derived roles through GRC, and the ruleset defined for 5.3 is being used in 10.0 in the same way, just including connector groups. Now we want to implement GRC 10.0 without disturbing the existing approach.
Tasks from our side
1. Should use the same security design approach and implement GRC without affecting the existing approach.
2. The ruleset needs to be built considering existing functions, and that exercise is yet to start.
3. Basically, in ECC we have 2 security designs as mentioned. But there are a few users who will request roles from both designs. This is making things complicated.
Actually, I already proposed a security role re-design, but the client is not interested in doing it.
I will try to contact SAP about our approach and see if, should SAP suggest a security re-design, the client shows interest.
Thanks for sharing your viewpoints.
Regards,
Sai.