G'Day All,

I've raised a question in the following blog but it got to a stage where it is not related to the original post anymore. So I would like to draw upon your collective knowledge and appreciate it if you all can jump in and help me out here.

http://scn.sap.com/thread/3555700

So this is where I'm at this point:

Why use two kinds of Approvals in BRM Role Generation?

1. Role Content Approval - Through BRF+ Condition
2. MSMP Approval - Role Owner etc

It seems redundant to have two approvals for pretty much the same thing. I believe in both cases (I am guessing) the Approver would be the same person, approving precisely the same thing. So why not have just one?

Is there a way I can tie up the BRF+ Approver Rule I created, with an 'Agent Rule' in MSMP so I can use the conditions defined to dictate who the request should go to.

For Example:

1. Condition1: Then Request should go to Approver1
2. Condition2: Then Request should go to Approver 2

* These Conditions are defined in BRF+ Approver Rule and linked in IMG and 'Role Owners' in NWBC.

Alternatively, I tried creating an Initiator Rule from scratch for SAP_GRAC_ROLE_APPR Process ID, using BRF+ with the exact same conditions and everything seems to be OK except the Configuration ID part in Stages. Screen shots of my MSMP WF is as follows:

Step 1: Process ID

Step 2: Maintain Rules

Step 3: Mantain Agents

Step 5: Maintain Paths

Step 6: Route Mapping

I have encountered errors while generating the WF, which are as follows:

• I tried defining my own configuration ID for Stage 1:

• So I tried changing the name of the config ID thinking maybe there is a particular naming convention I have to follow:

• Next I tried using the default configuration ID and link my Agent ID to it:

So I would appreciate it if any of you could tell me what on earth is happening as I never had this problem with my other Initiator Rules. Is there a particular 'Naming Convention' for stage config IDs or can I give anything as long as they start with a Z/Y/X?

Regards,

Leo..

Hi GRC space members

Participating in GRC with an attitude of continually giving to occasionally receive benefits us all. By voluntarily contributing to our space we all benefit in receiving technical document, strategies and ideas on how to architect, implement and support our systems. If you have been around this space for a while you might have noticed a slight increase in the volume and variety of documents and blogs being produced. What is fantastic about this is the number of authors involved. It is great to see the diversity of people contributing to our space. We want to see our space continue to grow and improve quality at the same time!

You may have noticed us starting to collaborate on articles or providing public feedback. Over time we have exchanged ideas and a vision on how we would like to see this space evolve. We also acknowledge we have different strengths and experiences and by teaming up we could improve our own quality and knowledge. The best improvement we felt was to encourage others to start producing material that was beyond the technical "How To" since these types of documents really belong in the Wiki (fingers crossed one day SAP/GRC Wiki will let some of us contribute there).

The idea - this idea - is a community collaborative effort to suggest topic ideas and for others to volunteer to write them. You might be out there wanting to contribute but cannot think of a topic (how many times has an article been published to which you realise you could have written something similar?) Perhaps you have searched looking for material for a specific question but could not locate it in help.sap, Marketplace, Wiki or SCN. Or maybe you have an idea for a topic but do not have the knowledge or experience to write it. All of these scenarios are what we want to target here.

Any SCN member can participate in this project:  GRC Document Collaboration Topics

You have an Idea for a Blog or Document:

• Search to see if it already exist - look in help.sap, Wiki. Remember we do not want duplicated material on SCN
• Edit the document GRC Document Collaboration Topics and add a row to the top of the table with a title and summary of your idea
• We encourage you to use your real name in your account to keep this professional
• Save and publish the document to make it available to the rest of the community

You want to volunteer to write the Blog or Document

• Ask yourself honestly if you are qualified/knowledgeable to attempt this (we want quality after all)
• We encourage you to use your real name in your account to keep this professional
• Edit the document GRC Document Collaboration Topics
• Write the document or blog as you intended to. Refer to the following SCN pieces for guidance:
  • The SCN Rules of Engagement - Moderators will reject content that is against the copyright and any other rules
  • Create a Blog Post
  • Create a Document
  • The Difference between a Discussion, Blog Post, Document and Wiki
  • You must acknowledge the person who suggested the topic and any collaboration you received
• Publish it
  • Please mention the person who provided the topic idea
• Update the document to show you have completed it GRC Document Collaboration Topics

As part of offering to be the author, you can ask for assistance. We felt this is a way for those new to blogging and writing documents to start. You might ask for help to review your document or provide input and feedback. You may be completely fine and require no assistance so good luck to you!

Note: if you promise to deliver by a certain date but do not complete you activity, we will attempt to follow up with you. If we cannot contact you with new deadline then we will remove your name for someone else to attempt the topic. Please consider your commitments before volunteering to attempt a topic. If you are aware you cannot meet the deadline but are still committed to writing it, please edit the document with an updated deadline.

Moderator and Coordinator Override

• If we are aware this topic is duplicate (i.e. covered already or exists in Wiki) then we will edit the document to "reject" it. We will add a reference to it
• If the promised deadline passes for a document or blog we will remove the author for let someone else have an opportunity
• Moderators are welcome to override any content they feel necessary
• Attempts will be made to privately contact the authors, etc to communicate reasoning and prevent wasting time and effort

You 'just' want to consume

Producing this type of content may not be your strength or interest and that is fine - there is no point writing something if we have no readers. Your contribution is import to this project by reading the material; liking the article (if you do); rating the article (if valid, poor ratings are encouraged but please add constructive feedback); and adding comments with your feedback. Rating and comments are an integral feedback mechanism to the author to help them improve their skills, and to the rest of the community to benefit from the article. At the same time if you change your mind or see a topic that you could attempt then by all means jump in and have a go!

So without further delay let's get blogging and writing! If you have any suggestions or clarifications please add comments to this blog below. We can update the guidelines based on feedback. Refer to the instructions below our sign-off for rules on participating.

Your SCN GRC self-proclaimed coordinators of this project (a mixture of SAP Mentors, Moderators and GRC enthusiasts):

Colleen Lee, Alessandro Banzer, Fernando Bassuino

Gretchen Lindquist and Frank Koehntopp

Instructions for updating the table in the document:

These are the instructions to update the document: GRC Document Collaboration Topics. If you would like to suggest improvements to the process or have any concerns, please add comments to this document. Based on community feedback, we can amend the rules if necessary.

Note: you are welcome to be both the Requester and the Author if you want to advertise that you are working on a topic

Step 1: Requester to Complete

1. Enter Date you added your entry
2. Add your name (remember copy URL or your profile and SCN will convert to your name)
3. Specify if it is a document or a blog
4. Idea - summarise what your idea is. Please advise if you would like overview, details, technical, etc. The author will take this as a consideration
5. Option - if the author follows you in SCN, recommend you follow them back so you can both communicate privately via SCN

Step 2: Author to Complete

1. Add your SCN profile to the document (remember copy URL of your profile and SCN will covert to your name)
2. Enter Date Due for when you intend to complete the document or blog. This is a self-imposed deadline. Refer to document link for rules to explain consequence if you cannot deliver in time. If deadline is close to approaching and you need time, please edit and extend deadline (within reason) to communicate you have prioritised it
3. Assistance - please advise if you would like someone to help you in writing your blog or document. Help can include contributing content and business examples or assistance with formatting and language. It may be your first time writing a professional document and you would like constructive feedback before publishing (it can be a bit scary posting your first document or blog).
4. Optional - recommend you follow the Requester in SCN to seek any further clarification and ideas (they will need to follow you back)

Step 3: Collaborator to complete (if assistance requested)

1. Add your SCN profile to the document (remember copy URL or your profile and SCN will convert to your name)
2. Follow the author on SCN so you can direct message each other

Step 4: Author to Publish

1. Add the link to the document or blog once completed
2. Ensure you document and blog acknowledges the person who suggested the idea and any collaboration you received.

Moderator and Coordinator Override

Moderators and those involved in SAP Wiki cleanup project may intervene and reject the topic idea. They must add their name and high level reason. They should reach out to the author to discuss reason for rejecting the suggestion. This moderator override has been included to reduce wasted effort or risk of rejected content via Alert Moderator functionality.

The coordinators of this project will intervene if the author does not meet their deadline commitments. They will add a comment if they have removed the author, etc. As most coordinators are not moderators (in the GRC space), they will perform more administrative functions of this project.

Happy brainstorming!

Hi All

If you are wondering what this document is all about then please refer to: Community Collaboration for GRC Blogs and Documents - you will find an overview of what this community collaboration is about and the rules on how you can contribute. You are still encouraged to write your own blogs and documents without participating in this process (it would be nice if you could update this document to let the community know you are working on something).

You are also welcome to be both the person who suggests the topic and the author. This can advertise you are working on the topic and hold yourself accountable to a deadline that the community is aware of.

Remember: Add a row below the 3rd row of the table to included your suggestion. Please do not change the first three heading rows as these rows indicate the title and a short summary of the content below. When including your name, please include your SCN profile as a hyperlink (easiest way to open your Profile in a new browser tab and copy the URL)

This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Processes, Lifecycles and Responsibilities

General opinion and thought-leadership

Are you ready to implement GRC 10?

A lot of help from my friends

If I had it to do all over: looking back on GRC 10 projects

Lessons learned from SAP GRC projects

Remediating Access Control SoD Risks

Internal Controls - a step towards strong controls

Defining Mitigating Controls / Compensating Controls

IT Control Testing - SOX Compliance

A #GRC tool is just part of the solution

GRC General

NWBC screen layout options for GRC

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Configure LaunchPad for Menus

Customizing Access request and approval screens in GRC Access Control

Issues, Bugs in GRC SP13 - Related Fixes

HR Triggers

Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool

GRC Access Control - Compliant User Provisioning: HR Triggers

MSMP Workflows

AC 10.0 - Customizing Workflows for Access Management

MSMP - Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility

LDAP

Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control

LDAP Group parameter mapping.. what does it mean?

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

Access Risk Analysis (ARA)

Rule set - Rules & Rule Types

Business Risks / Rule Set

How to set up a Configurable Business Rule

Online vs. Offline Risk Analysis

Creation of Mitigation Controls in GRC 10.0

Organizational Rules in GRC Access Control

Mass change of Mitigation Assignments

SAP GRC AC 10.0 Alerting

Risk Terminator - GRC 10

Access Request Management (ARM)

AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

Approve/Reject Own Requests

How to Change Subject Line in SAP GRC Email notification

Recommendations for using Business roles provisioning in access request

Configure Manager Look-Up in ARM for GRC 10

Role Search Screen Enhancement – GRC 10

Terminate Account - Request Process - GRC 10

Creating Access Request: Template Based Requests and Configuring End User Personalization forms for use with Access Requ…

GRC Request with both System and Role Line Items

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Access Control: - Create Access Request Using Web Service in GRC10

Business Role Management (BRM)

Maintain Default Roles in BRM GRC AC 10.1

Role Import - GRC 10

Import Role from ECC to GRC system

Emergency Access Management (EAM)

EAM - Provisioning Strategies

ID-Based Firefighting vs. Role-Based Firefighting

AC 10.0 - Centralized Emergency Access

Configure Emergency Access (EAM) in GRC 10

De-centralized EAM GRC 10.0

EAM - Approve through Wrokflow

Emergency Access Management Reporting

Legend

	SAP SCN Documents
	SAP SCN Blogs
	SAP Wiki

Please help in updating the collection so that new users can get a well structured overview for their information.

Best regards,

Alessandro

G'Day All,

I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.

ID-Based Firefighting vs. Role-Based Firefighting

So this is where I am at this point:

From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:

- Id Based: Logs in using own U.ID and through GRAC_SPM accesess FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)

• Only one user at a time can use a FFID.
• Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
• Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
• Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
• Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
• Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.

      ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you

      ID Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> You can see  the FFIDs assigned to you

- Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID. 

• Multiple users can use the FFROLE at once.
• Firefighter has to exist in every system assigned to them - so multiple logons.
• Hard to differentiate between FF tasks and normal tasks as no login required  So easy to slip up
• Time consuming to track FF tasks - No Specific log reports. No Reason Codes

     R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs

     R.Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> Not applicable so wont work

So based on this there are pros and cons in both however according to SAP only one can be used. To me personally,  it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?

    . Really critical tasks -> FFID

    . Normal EAM tasks -> FFRole

Alessandaro from the original post pointed this out:

"Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."

Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.

However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.

• So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
• What is stopping us from using it when ID based is the default?

If I were to do the following does it mean I can use both ?

    . Config Parameter: 4000 = 1 (GRC System) -> ID Based

    . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based

Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:

   . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based

However for ID based, it is a Central Logon, so the following is a must:

    . Config Parameter: 4000 = 1 (GRC System) -> ID Based

Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it you experts and I hope you will shed some light on it.

Cheers

Leo..

Hi,

I am wondering if anybody has experience of changing the authorisation objects for the standard /VIRSA/Z_VFAT_ID_OWNER role. The standard role does not allow the owner to update the firefighters table and view the log. SAP recommended that I add an authorisation object

Object- S_TABU_DIS

Field- DICBERCLS

Values: &NC*, ZV&X, ZV&Y

The FF owner can now edit the Firefighters and controllers table, which is good.

But they cannot view the log file and can view the security and config tables which I don't want.

If anybody has any other tips I would be grateful.

Hello all!

1 - We are implementing GRC AC for a client and this is our first project. Basically the client needs the default workflow to add new roles for a user (Change Account) with only one extra need, add a "Manager Approval". In this case, to concede a role for a user he need 3 approvals, firstly the Manager Approval, if he approves the request, then the "Role Content Approver"  and "Assignment Approver" are requested. In my thoughts, probably we should add a new step for the "Manager Approval" in the workflow.

I´m a little lost. Someone can clarify for me if I can do this trough MSMP, BRF+. Am I thinking right? Any suggestion is really appreciated.

Thanks in advance,

SAP Legend

Hello Colleagues,

Wonder whether you can provide some guidance on something I am struggling with. I simply want to add an additional stage to GRAC_USER_ACCESS_REVIEW workflow to pass the request back to the Security Team once it is approved by the role owner. This is just to make sure roles marked for removal by role owners during the UAR are appropriate. Can I do this with the standard workflow I am using in GRC, or do I need to create a new rule, agents etc.?

I looked at creating a new stage under GRAC_DEFAULT_PATH.  All I see is GRAC_UAR_REVIEWER agent under available agents. Appreciate your help or if you can point me to any available documentation on adding an additional stage to UAR Workflow. I did search in SAP Marketplace, but could not find anything useful.

Kind regard,

Sonny

Hi Team,

I am doing the GRC 10 configuration, for the first time would be asking simple questions, please bear.

Our requirement is :

1. X1( GRC system) is connected to all SAP productions systems, should have role approver workflow in place.

2. X1 will also br connected to all DEV and QA systems, should not have role approver workflow in place.

How can I achieve this? I understand detour should be helpful but since i have less time to achieve this, seeking straight help here.

Thanks.

Once I go to OTHER ACTIONS and click on additional information and request more information to the controller and submit the request I am not getting the log notification to my email.How to get the log notification?

Hi All,

While testing notification emails for Firefighter Log Review Report scenario i came across an issue as below.

1. Firefighter controller will have only below actions for the review.

a. SUBMIT

b. Additional Information

C. Forward

For SUBMIT - I am using Notification event (Approved) and sending notification to requester.

when Controller wish to forward the request, this uses Forward REQUEST scenario and I am using Notification event (Forward) and sending notification to forward reviewer.

when controller selects Additional Information, request is going to the user and user should be informed about this. This scenario also uses notification event "FORWARD WITH RETURN".

Basically when the request is forwarded to another controller for review, notification mail content says few details about the report and informs the other controller to review

In the same scenario when the request is sent back to user for additional information, notification mail content should inform the user that controller asked for additional details and he needs to provide them in the notes and send back to controller.

But since FORWARD and ADDITIONAL INFORMATION uses the same notification event (FORWARD) I am not able to segregate the notification mails.

Please suggest if there is any work around for this scenario as i assume lot of consultants might have faced the same.

Thanks,

Sai.

Hi,

I am working in a VIRSA CC 4.0.

Is there a table where I can find (download) results of risk analysis?

Something similar to VIRSA_CC_PRMVL table of GRC 5.3...

Thanks.

Andrea

Hi experts!

I'm trying to accomplish the timing with GRC a legacy system following the SAP note 1594963, but got no success, the files were exported directly from SAP and I reviewed them, play in various environments and the error is the same "Repositiry Object sync job failed with errors, please check SLG1 for further details"

I checked SLG1 and show anything.

Look at the attachments, to see the steps and errors

Thanks

Hug

Melkin

Hi,

Below configuration settings have been maintained in our system.

In Access Management > Role Management > Default Roles, I maintained the default role based on below settings:

Attribute: System

Attribute Value: ECDCLNT100

System: ECD

Role Name: ZTEST

After processing the New User Account request, it does not assign the default role.

Is there any configuration that I am missing?

Thanks,

Jay

On analysing the Autho Objects enabled in GRC for Organisation mgmt module of HR I notice that :

1. A key OM Authorisation Object 'PLOG' is disabled and instead P_ORGIN is Active. for e.g - Tcodes like PO14 & PO01, included in HR05

2. In some instances the values of field 'Otype' for PLOG are inadequate for e.g. A.) for Tcodes- PPOC, PPOCE only values C & P have been included which are inadequate. B) Tcode PP01 - only C & P are enabled. 

My Concern :

P_ORGIN controls PA modules in HR  & also maybe getting called due to integration between PA & OM. However, without PLOG object , OM tcodes cannot be executed. On testing I find that without P_ORGIN I can still make changes on the OM side, but PLOG is mandatory (these changes maynot get reflected in PA side due to missing P_ORGIN). Hence I am trying to understand why PLOG is disabled in standard ruleset for certain OM tcodes.

I have tried numerous searches on SCN/ net to find any relevant notes / updates on these objects & treatment in GRC , but barring a few notes wherein new tcodes have been included in some function ids, I donot get any reference.( for e.g in Note 1083611, PPOC is updated with Autho object P_ORGIN, but not PLOG! )

Since I am neither a developer/programmer or functional consultant working actively on any project right now, I donot have any means to raise an incident in SAP market place.

Hence requesting the experts to please provide insight

Hi,

I would like know if there is any way to reset the number range. Currently, the sequence number in 2 digits and due to some business reason this is to be reset.

I would also like to know:

1. What would be the impact on the application?

2. What would be the impact on existing requester numbers?

Can  anybody please let me know how I can reset the request numbers?

Regards,

Faisal

Hi Gurus,

I have a requirement where the Fileds 'Functional Area' & 'Business Process' in Access Request Page should be shown as Text fields instead

of Drop Down.

Please Suggest if this is possible & If yes, how can this be achieved.

Regards,

Pavan Muthyala

Hi folks, I've been unable to find any document that addresses this so I thought I'd ask.

I've configured GRC 10.1 so that the GRC system is looking at the ECC system and all the scenarios are configured and things are working well.  We have a separate LDAP issue, and until that's resolved, the user data sources have been set to the ECC system.

Specifically for Firefighter, we want to create Firefighters in the GRC system and assign them IDs that are configured in the ECC system so that they can get in for Firefighter related access and get their work done.  Many of these people are not in the ECC system.

I realized that I have not set up the GRC system as a connector within the GRC connectors configuration.  I also did not find any reference to this in any of the documentation that's available out there.

So I wanted to know how do you get the GRC system to become available as a user data source so that in the event a user is not available in the ECC system, and as in our case, LDAP isn't working, the user will still pull up because they exist in the GRC system?

Can I use a connection type of LOCAL in the "Change View "Connection type definition": Overview" Screen?

Please advice.

Thanks,

Santosh

Hi Guys,

Is there any risk or chances of loosing data if the below listed table is cleaned up?

GRACSODREPDATA

Hi,

We are on GRAC SP09.  I run a Full Repository Sync Weekly on Monday at 00:30:00 in background batch mode.  It states it is successful.   A few users(they are always the same users) do not show each week on Monday after the sync runs when I check these same users in access review.

If I then run incremental in background mode at 8 am then these users will show up.  I run the incremental daily but not until later in the day.

Shouldn't the full sync pull these users?  They are active users and not users that have had roles changed, deletions or expired roles.

Thanks,

Mary