Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)

Unable to find parameters in Access Request


Hi,

We have a scenario that whenever a user requests a role via GRC, a corresponding SU01 parameter also needs to be assigned.

Example: the user is requesting role PPMDT; this tcode requires a scenario to be set in a parameter.

The problem is that when we go into the parameters tab in the access request and try to search, nothing comes up. We tried searching with various values (e.g. system, parameter name, etc.) but still got no output.

Can you please guide us on how to pull this information? It seems like a bug in the product. Any relevant notes on this?

 

Best Regards,

Ravi


SSL Authentication in SAP GRC AC 5.3


Hi

How is SSL authentication configuration to be done in SAP GRC AC 5.3?

Thanks

ARQ: What is the use of "ADD" and "REMOVE" buttons in Mitigation Screen?


Hi All,

 

I noticed that we have "ADD" and "REMOVE" buttons on Mitigation screen in ARQ. I am unable to understand the purpose of these buttons.

 

I played with "REMOVE" button and it simply deleted the selected row from the Mitigation Screen. I have played with "ADD" button and noticed that user id can be added. But not sure why we have this.

 

I would like to understand the business logic or importance of these 2 buttons in mitigation screen.

 

Can anybody please help me?

 

Regards,

Faisal

GRC Compatible with other SAP Systems



Hi experts,

I’m trying to understand the compatibility of GRC (BRM, EAM, etc.) with other SAP systems.  The question came after looking at some of the configuration from SRM since I see the GRC Plug-In component installed in the system but then I don’t see the actual plug-in on SPRO.  I was looking for similar information on the GRC installation guide and Config. Guide but so far no luck.  Can someone point me in the right direction? Even better if there is an official document.  Thanks

Tablespace grows too quickly


Hi together,

 

We have a productive SAP GRC 10.1 AC System SP04

 

Our tablespace grows very quickly.

By checking the running jobs I found the job "GRAC_REPOSITORY_SYNC", which runs weekly in full sync mode and daily in incremental mode.

In my understanding it's enough when the job runs only incrementally.

So that I can delete the full sync job.

Does anybody have information on whether we would run into critical issues?

In the documents I found, this point was not described in detail.

Kind regards,

Harald

PS: a curiosity: in our system we changed the runtime of our "GRAC_PFCG_AUTHORIZATION_SYNC" job from daily to weekly, which reduced the tablespace - are there any known dependencies between both jobs?

If I had it to do all over: looking back on GRC 10 projects


If you attended Alan Jackson's performance at the 2013 ASUG/ SAPPHIRE Now Celebration Night, or if you are a fan of his, you might be familiar with his hit ballad "I'd love you all over again."

https://www.youtube.com/watch?v=D0tbfh-Arb8

Now that we have gone live with our Governance, Risk and Compliance (GRC) 10 system, I thought I might look back over several years of such projects to ask myself, if I had it to do all over, which choices would I love all over again.

 

Pilot or big bang?


One choice, to do an Access Control pilot, was the option selected by one of my previous GRC 10 projects. It allowed us to get the system configured, build the Business Roles, and do a pilot of the custom request workflows, in a few short months. The downside to that choice is that everyone else stayed on the 5.3 system, so both systems had to be maintained, and presumably audited, until all the business units were brought onboard the 10.0. It was a trade-off, but they were willing to make that choice.

 

On the other hand, my recent project took the "big bang" approach, bringing all the systems connected to our 5.3 GRC over and going live with everyone at once. The upside was that we were able to shut down our 5.3 system soon after the go-live, reducing the dual maintenance period. The downside was that testing identified many issues, particularly with provisioning to the SAP Portal; many corrections were implemented; one connection never did work and had to be taken out of scope; and it all took much longer than planned. Now, just a few weeks after go-live, we are already living on borrowed time: the APO system was upgraded to a NetWeaver release requiring a plug-in higher than our SP level. Everything is working for now, but sooner or later, another connected system upgrade will force us to upgrade, too.

 

Business roles or technical roles?

 

The GRC 10 project I was on back in early 2012 included implementation of Business Role Management (BRM), and I blogged about that here. BRM was, unfortunately, still pretty buggy back then. I think it was a good choice given their technical role design and their access request process, but waiting for a later support pack might have made it easier.

 

In that client's process, anyone could submit an access request; in contrast, the process at my current organization has access requests submitted by key users  trained on SAP security reporting and other tools. In theory, these folks are knowledgeable enough of the business processes at their location for the users they support, and with the tools and training, can make informed role choices. While Business Roles would probably add value to our process, we chose to continue with requesting technical roles for now, with some role mapping to ease the process, and consider implementing BRM later.

 

Another option is to do a security re-write: concurrently, before, or after the GRC project? If you decide to do it concurrently, be sure you have enough resources for the multiple work streams. My first GRC 10 project went that path; in my view, having a small army of experienced internal and external resources was one of the good decisions, along with ensuring good executive support.

 

If your rule set is in good shape, maybe you want to do your security rewrite ahead of the migration to GRC 10, either with a pilot or big bang. If you lean towards a pilot, be certain that your pilot group is onboard with the project approach; trust me, you don't want to be in the position of having the business unit for the pilot getting cold feet midway through the project, leaving you in a tough spot.

 


 

Change management decisions

 

How much of a change is GRC 10? It all depends. If you are implementing Access Request Management, does your current access request process have a lot of manual hand-offs and detours to be automated in the new process? It may delight your users, but they still have to be trained on the new user interface and get used to the automation. On the other hand, if you are just going live with Access Risk Analysis, you probably have a smaller user community to train.

 

The big project I mentioned above included a team of experienced change management consultants, and I think that was a smart choice for such a huge undertaking. My much smaller recent project had excellent internal support for communications and our web page, but we were pretty much on our own for developing and delivering training. We offered live training, step-by-step video recordings, and Quick Reference Cards that were jointly produced. All were well received; however, by business decision the training was not mandatory, so you can probably guess the outcome: the users who took the training are doing pretty well and are happy with the new system, especially the new request templates and more efficient workflows, and those who opted out of training.... Enough said.

 

Now we are working on resolving non-showstopper issues, problems identified during testing that were not urgent enough to risk breaking something else with a possibly buggy correction before go-live. It never really ends, does it?

And what about you? If you are already live on GRC 10, what would you do all over again and what might you do differently? I invite you to share your perspectives.

Role Mapping - GRC 10 - Query


Hi All,

 

I have a few ECC roles mapped with BW roles.

When the user selects an ECC role, BW roles are automatically added to the request and the user submits the request.

But is it possible that the user will not see the mapped roles, and only approvers can see the mapped roles in the request after request submission?

Is this possible? Is there any configuration for this available in GRC 10, or do we need to go for an enhancement with the help of an ABAPer?

 

Please suggest.

 

Regards,

Madhu.

GRC 10.0 - Warning Message - Issue - MSMP Workflows


Hi All,

 

 

I have a query on the warning message below. I need advice from the experts here.

In our scenario, at a few stages of the workflow, the approver enters comments and then clicks the SUBMIT button. The request gets approved. There is a CLOSE button once the request is approved. The approver clicks the CLOSE button and is shown a warning message as shown below.

 

 

"This application contains unsaved data which may be lost.

Do you want to continue without saving the changes"

 

 

Now, during our UAT, a concern was raised by the client team: they don't want to see this message, as the request is already approved and this message looks irrelevant.

 

 

Please suggest if there is a way to avoid showing this message.

 

 

Thanks in Advance.

 

 

Regards,

Sai.


PSS query - GRC 10


Hi Experts,

 

 

I have a query regarding PSS in GRC 10.0.

 

 

1. Is it possible to restrict the number of questions a user can register in PSS?

2. Is it possible to allow a user to register for PSS using only Admin Defined questions and not user defined questions? Currently I can see both options available. The requirement is to hide the "USER DEFINED QUESTIONS" option.

 

 

Regards,

Sai.

NWBC screen layout options for GRC


The purpose of this document is to summarise the technical options for custom-building your NWBC screens should you decide the SAP pre-delivered screens do not meet your requirements. This document focuses on GRC 10.x Access Controls; however, some options apply to NWBC in general. It mentions quite a few technical concepts (PFCG role menu for NWBC access, webdynpro, launchpads, etc.). If you are not familiar with these concepts, I recommend you review the available documentation in SCN and SAP Help. Technical implementation steps have not been included; however, links to other SCN blogs and Wiki pages have been provided where possible.

 

 

A Quick overview of the GRC SAP standard


In GRC 10.x Access Controls, SAP provides Work Center roles that give users their NWBC layouts (each role provides a different tab). These roles are built on the PFCG role menu using the ABAP webdynpro GRFN_SERVICE_MAP with the specific application configuration mapped. Each folder name in the PFCG role provides the Level 1 tab (such as Master Data, Access Request) and the webdynpro provides the layout for that tab. The individual links/icons are displayed based on the configuration of a launchpad and the authorisation object GRFN_REP (if the user does not have the authorisation for a specific item, they will not see its link on their NWBC screen). An example of such a role is SAP_GRC_NWBC, shown in the screen shot below, with access to the My Home, Rule Setup, Access Management and Reports and Analytics work centers.


          Screen Shot: example of SAP standard role that grants NWBC Work Center access for GRC

 

 

The GRFN_REP object allows you to reuse a launchpad to provide different links to different users (or, if you are not using all of the functionality, to hide some of it from the users). However, withholding the authorisation only hides the link; it does not guarantee the user has been prevented from accessing the functionality. A user who knows the SICF service name can enter the URL directly, assuming SICF has not been restricted with the S_ICF authorisation.

 

  The launchpads can be customised to add/remove the SAP standard proposed links. Launchpad functionality does allow you to compare your changes to the SAP standard version. For information on GRC example, refer to the following document by Trinadh Bokka



I did not like the SAP standard work centers outside of prototyping/demonstration for the following reasons:

  1. Having to assign the user multiple work centers to get their full access;
  2. User having to jump across multiple tabs (Org Structure on one, Access Control Owners on another, risk and mitigation split up, etc);
  3. Wanting to set up custom work center layouts as per the process steps (much more user friendly); and
  4. ‘Old school’ avoidance of maintaining SAP standard (although possible, I am not a fan of maintaining the SAP launchpads as I like to have the original reference and not have a headache at support packs/enhancement packs). Happy for someone to come along and convince me otherwise (an SAP Basis expert managed to convince me to stop building Custom ZSAP* work center roles for Solution Manager).

 

Hence, time to provide options on how you can build your own layout for users:


Option 1 – Standard NWBC Build


In this option you build your PFCG role menu without using the GRC Work Center concept. Refer to SAP help documentation for how to achieve this. Each link (webdynpro) must be added to the PFCG role menu as a link and configured to appear in NWBC. This option does allow you to add different levels of folders and group the links together. It provides you the greatest control in choosing what you want to display in the SAPGUI menu and/or NWBC menu. It does not leverage the GRC launchpads or GRFN_SERVICE_MAP.

 

One benefit of this option is that by adding the webdynpro to the role menu you can leverage the SU24 mapping proposals. At the same time, you will need to go through and figure out the defaults for each webdynpro as SAP did not deliver any standard SU24 proposals (it takes time but is worth it when it comes to security build and testing).

 

You will, however, need to build a PFCG role menu for each access scenario instead of re-using the work center roles and launchpads. This may not be a drawback if your PFCG role also includes the underlying authorisations to execute the functionality.


    Screen Shot: Building custom PFCG menu for NWBC layout

 

 

Option 2 – Use the Launchpad Webdynpro

 

Instead of using GRFN_SERVICE_MAP you can create the NWBC layout by adding the webdynpro APB_LAUNCHPAD_NWBC to the PFCG role menu. As part of the configuration parameters, you must specify the launchpad instance and role name.

 


     Screen Shot: Launchpad added to PFCG via APB_LAUNCHPAD_NWBC

 

 

This approach does not use the SAP-delivered GRFN_SERVICE_MAP (and therefore does not hide links in NWBC via the authorisation object GRFN_REP). It also does not include each webdynpro link in the role menu to import the SU24 proposals (again assuming they exist). I had this as a solution on my options after looking at this webdynpro for an ECC build. However, I did not like that it provided the user with the option in NWBC to “change launchpad”, as the user would be presented with the full list of launchpads from which to choose another.


      Screen Shot: Change Launchpad button for APB_LAUNCHPAD_NWBC

 

 

Option 3 – Build your own configuration for GRFN_SERVICE_MAP

 

In this option, you follow the SAP GRC work center approach by using GRFN_SERVICE_MAP to build your own launchpads and use them instead. Unlike the APB_LAUNCHPAD_NWBC, the PFCG item definition does not reference the role and instance. This is configured in the webdynpro configuration via SE80.

 

The diagram below provides the mappings of the webdynpro configuration and applications for GRFN_SERVICE_MAP. You will need to have a developer key to do this - or you may need to ask a developer, depending on your company's policy. You will not need to register an SAP object in the Marketplace. If you are prompted for an object repair key, you have attempted to modify the standard object instead of your own copy.


     Diagram: Mapping of Webdynpro Configuration for GRFN_SERVICE_MAP

 

 

 

You will need to access SE80 for the GRFN_SERVICE_MAP and launch the Webdynpro Application Configurator (a link appears). To create your own, you need to copy the GRAC_FPM* items listed in the example and map them to each other. You are not modifying SAP standard. The “UIBB” item contains the link to the launchpad instance and role. The “AC” item is added to the PFCG menu for the GRFN_SERVICE_MAP.

 

My tip for copying these items: stick to a naming convention such as ZGRAC_FPM* to denote custom, use the AC/CC/UIBB (marked in red) and have the last character (example above ACCESS_MGMT) reflect the launchpad name. It becomes a lot easier to trace your configuration if you have a build error.

 


     Screen Shot: UIBB Configuration showing mapping to launchpad

 

 

This option allows you to leverage the GRC NWBC design and continue to use launchpad. It also means you do not need to maintain the SAP standard launchpad and can build your own.

 

 

Refer to the following Wiki article for the SE80 webdynpro configuration.

 

 

Option 3 Extended to leverage SU24 proposals

 

Each webdynpro referenced in the launchpad can also be added to the PFCG role menu but kept invisible. In doing this, SU24 proposals can then be defaulted into PFCG. This option will require dual maintenance of the launchpad and the PFCG menu.

 

 

Interested in Option 3… and more?

If the SAP standard roles are not appropriate for you, I recommend you have a look at the Option 3 mappings. Have a look at the PFCG role menu to see differences in making links invisible and changing the icons that you see in NWBC. You can also have a look in the SE80 configuration to change the Launchpad headings from hyperlink to plain bold text; see if you can find the default empty launchpad that has been mapped to all work centers; and work out why you are limited to two columns in your launchpad.

I welcome your constructive feedback in the comments below :)

 

 

Regards

Colleen

Calculated Field to get Total Number of Records does not work


Hi,

 

 

For some reason, calculated fields aren't working in my business rule.

 

What I did:

 

In deficiency criteria, I added the calculated field "Total Val".


In conditions and calculations I chose "Grouping/Aggregation".

For Select Group Fields, I chose "Plant and Material Number".

 

For Aggregation Method, I chose "Count".


Result when "Apply Rule" is used:

 

The filtered records are still shown. The "Field Names" (names within the table such as MATNR instead of material number) are shown instead of the field labels.

 

 

I'm trying to determine the cause of this issue and how to resolve it. Does anyone have a suggestion of what it is and what can be done?

Ruleset Comparison in GRC10


Hi,

 

Does anyone also know the Ruleset comparison program name in GRC10?

I tried running the Ruleset comparison option from NWBC -> Setup -> Access Ruleset Maintenance -> Rulesetup -> Ruleset Comparison. There is an option to select Risks, Actions, Permission; however, on running the comparison tool, no risks/actions/permissions are populated in the output report. Is this a bug? Has anyone else faced this issue?


Cheers,
Sabitha

work flow for composite roles


Hello experts,

 

We are currently working on configuring MSMP workflows for access request creation.

The requirement is that whenever a composite role is selected in the access request form for assignment, all the single role owners under the respective composite role should be notified for approval.

Is there any way we can achieve this?

 

Any suggestions are greatly appreciated.

Access Control 10.1 Configuration Guide

Regarding GRCPIERP GRCPINW plugins


Hi ,

 

I have installed both GRC plugins, GRCPIERP and GRCPINW, in my ECC system.

Now I don't have to use the GRCPIERP plugin. Would it cause any effect?

Could you please also explain more about the use of both plugins?

 

 

Thanks and Regards

Amit


Send an E-mail notification Every Time a Control is Run in a Job



Hi,

 

What we need:

 

We need the system to send e-mails every time a control is used in a job.

 

 

Example:

 

The job with the control is scheduled to run every morning and evening. When it's run in the morning, an e-mail should be sent to the control owners. When it's run in the evening, another e-mail should be sent to the control owners.

 

 

The current status:

 

Control owners are only getting an e-mail once per day. The messaging for the two jobs for a single control is being sent as one e-mail.

 

 

Additional Details:

 

Depending on the control, the user will get an e-mail notification either once per day, or every time the job for the control is run. And some of these have to be run twice a day, or when the control owner requires it.

 

It seems the two executions are being treated as a single work item, since they share the same control.

 

 

Does someone have any information on what we can do? Or has someone done this before and can assist us?

 

 

 

Best Regards,

 

Raphael

MSMP version


Hello experts,

 

I have a test GRC system where all my colleagues come and make configurations...

Now, after 1 year, many configurations are there and they cause errors while I'm trying to generate a new version of the MSMP workflow.

So is there any way for me to reset/clean the version of the MSMP workflow (Access request), or can we reactivate the BC Set to overwrite all the configurations?

 

Thanks in advance and best regards.

GRC Fraud management


Hi,

 

I have recently been trying to set up the Fraud management Web UI. However, after using FRA_UI to go to the Web UI, there is nothing on the front end page. Does anyone know what happened? It is supposed to have alert, detection, etc.

 

Thanks,

 


Migration from VIRSA 4.0 to GRC 10.0 (ARA)


Hi Guys,

 

We've just migrated from VIRSA 4.0 to GRC 10.0. We have only two connectors configured: ECC and Finance System.

Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully (I've checked in the NWBC that the permissions appear after the risk generation, and I've also checked some tables like GRACSYSRULE and GRACACTRULE, and risks appear there).

When running a risk analysis report at user level in both systems, VIRSA 4.0 and GRC 10.0, the number of conflicts matches whereas the number of mitigations does not match. Due to this mismatch we are not in a position to go 100% LIVE with GRC and decommission VIRSA. We use the concept of mitigated roles and not users. We raised the concern with SAP 2 weeks back too, and no luck yet.

Has anyone faced a similar issue? Can you give me some light in order to solve the issue?

 

Many Thanks!

 

Ratan Roy

LDAP Group Assignment from GRC10


Hi Experts,

 

We are planning to implement the LDAP group assignment from GRC10.

For this we have performed the end-to-end configuration:

Created the connector and performed the LDAP server configuration (for the LDAP system user we have given pseudo access)

Done the mapping for the connector etc.

Performed all the synchronizations and everything is working fine.

I have imported the groups as single roles using role import and scheduled the synchronization job (full sync), but the role exists says 'No'.

Even the roles are present in the tables GRACRLCONN & GRACROLE.

Current SP level is 13.


Kindly suggest.

 

Thanks,

Sriram
