Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)

Unable to import role from Role Mass Maintenance


Hello All,

 

We are trying to import role from NWBC -> Role Mass Maintenance -> Role Import.

 

Even though the role exists in the backend system, it's not getting imported. Unfortunately it's not even throwing any error message, just the status "zero roles imported".

 

We have successfully imported many roles earlier, but suddenly it's not working now, and we even tried to re-import an existing role by setting the Overwrite option to Yes, but still no luck.

 

Any suggestions please?

 

Thanks in advance.


Mandatory storage location for "non-stock" materials on goods receipt via GRC


Dear all,

 

Every time we need to perform a physical goods receipt using the SAP GRC inbound automation, we are required to enter the "storage location" on the purchase order (ME21N) or on the Inbound Delivery (VL32N), even for "non-stock" materials (example: NLAG).

 

I understand that this requirement comes from the Inbound Delivery (VL32N) in SAP ECC and not from SAP GRC.

 

Is there any configuration at the SAP ECC level to remove this mandatory use of the storage location on the Inbound Delivery?

 

Erro depósito.JPG

 

Awaiting your reply.

 

Best regards,

 

--

Marcos Lima

CUP Risk Analysis Failed / Read timed out


Hello there,

 

 

 

When I run the risk analysis via CUP, for some requests it fails with "Read Timed Out".

 

 

I have applied SAP Note 1564243 and SAP Note 1121978, but that still does not work.

 

 

Can you help me? Do you have any suggestions?

 

 

Thank you in advance

Need Assistance in Creating BRF+ for EAM


Hello SAP Experts,

 

We are currently using Access Request for our EAM functionality with a 1-stage workflow, with approvers coming from the SPM Owners table.

There are currently 4 systems connected in our GRC landscape. The current requirement is to have a 2-stage approval workflow for 2 of the systems, while the other 2 will remain on the 1-stage path. Could you kindly advise what approach can be taken for this? I'm planning to use the Request type (006) and Functional Area as my conditions for the rule.

 

Thank you in advance for your help!

 

Best regards,

Joel

New Z tcode which calls BAPI - add this to GRC RuleSet


Hi,

 

There is a development currently underway in house where a Z transaction has been created which calls the BAPI:

 

BAPI_ACC_GL_POSTING_POST

 

I have been asked to add this transaction to the GRC RuleSet, but I don't think there's any point in doing this yet, as I don't feel the Z transaction is calling an authority check in the right way.

 

When I trace the test user, or check the transaction in RSABAPSC, I cannot see any posting activity taking place, i.e. I cannot see ACTIVITY 01 being called anywhere.

 

The developer added the FM Z_AUTH_BUKRS_FROM_BUKRS at my request, but I think he should go further and add a check with ACTIVITY 01. Only then will GRC be able to properly analyse this tcode for SOD violations because, as-is, it's not calling enough.

 

I hope I have explained this in enough detail.

 

Has anyone come across an issue like this in the past? Any advice greatly appreciated.

 

Regards,

 

Colin

Mass Reprovisioning Business Roles


Hello,

 

I have a situation where we are updating 100+ existing business roles that are currently assigned to users for our next release of SAP. I am wondering, is there a way to update the business role via import template (add / remove roles) and then push the changes out to users on a mass level?

 

We use the role methodology "provisioning" stage to push these changes under normal circumstances, but with 100+ roles that would be quite cumbersome.

 

I also know there is an option under Role Update > Authorization Data Sync, but that doesn't appear to update the user assignment, only the authorizations under the role.

 

Any suggestion would be appreciated!

Access Request Creation - Role or System Required at Creation


Hi - We are installing GRC 10.1 SP6. When I create a request it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirement to add either a system or a role at the time you create a request?

 

This is not a huge deal to me as I created templates that include the systems we provision to by default.  However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.

 

Thanks,

Rich

Unable to retrieve data from workflow


Hello Experts,

 

I need to show data from the workflow in a notification email of Process Control. I am pulling the data from the workflow container, but it's not showing in the email. I can see the data in the workflow container but not in the email.

 

Kindly throw some ideas on it.

 

Thanks.


GRC 10.0 - Auto Approve default roles


Hello All,

 

Could you please help me out with the scenarios below.

 

1) We have maintained default roles in NWBC -> Access Management -> Default roles.

Also set parameter 2038 to Yes (Auto approve roles without approver).

 

In MSMP we have maintained Escape path if approver is not found at the role level.

 

As default roles have no approver maintained, the request is taking the Escape Path, which should not happen.

We just want to auto-approve the default roles, and for roles other than default roles the request should take the escape path if no approver is found.

 

2) The other action is quite the same as the above one.

When we are using provisioning type REMOVE for role removal, the request also takes the Escape path as default roles have no approver.

Once the Manager at the first stage has approved, the request should close for the removal type access.

 

Please advise. Thanks in advance.

SAP IS-Media SoD Rule Set


Hi Everyone

 

I would like to know if anyone has a rule set for the IS-Media SAP solution, especially for the M/SD and M/PS modules.

PD Profile / Structural Authorization in Access Request - 10.1


Hi - We are upgrading from 5.3 to 10.1 SP6. We are not migrating. In 5.3 we provisioned PD profiles directly to a user in OOSB.

 

I'm having issues with our PD Profile showing up in my access request search.  Here's what I have done.

 

Business Role Management

- I created a "PD Profile" against my ECC "Landscape". The "Project Release" is Production. The Additional Details --> Provisioning has my ECC system and allows for provisioning. The "Current Phase" is Complete.

 

When I search for the PD profile using "Role Type" PD Profile in Access Management --> Role Management --> Role Search, my PD profile appears.

 

When I go to create an access request and I go to Add --> Role, the "Select Roles" search screen appears. I search by Role Type = PD Profile and nothing shows up. I try to search by the actual PD Profile Name with no other selections and nothing shows up. All my composite and single roles show up in my searches.

 

When I go into table "GRACPDPROFILES", I see the PD Profile I created.  Field AC_REF_ROLE_ID contains a long string.  It has an updated date of when I created it.

 

Any idea on what other setting I may be missing to make the PD profile available to select in an access request?

 

We'll continue to do direct assignment within OOSB and not indirectly via the position.

 

Thanks,

Rich

Migration from VIRSA 4.0 to GRC 10.0 (ARA)


Hi Guys,

 

We've just migrated from VIRSA 4.0 to GRC 10.0. We have only two connectors configured: ECC and the Finance System.

Rules have been generated and we're using the standard "global" ruleset. The rules seem to be generated successfully (I've checked in the NWBC that the permissions appear after the risk generation, and I've also checked some tables like GRACSYSRULE and GRACACTRULE and the risks appear there).

When running a risk analysis report at user level in both systems, VIRSA 4.0 and GRC 10.0, the number of conflicts matches, whereas the number of mitigations does not match. Due to this mismatch we are not in a position to go 100% LIVE with GRC and decommission VIRSA. We use the concept of mitigated roles and not users. We raised the concern with SAP too, 2 weeks back, and no luck yet.

Has anyone faced a similar issue? Can you shed some light on how to solve it?

 

Many Thanks!

 

Ratan Roy

ARA - For the new kid on the block


G’Day All,

 

Considering that so many people out here have so selflessly shared their expertise through blogs, answers etc., it's only fair that I do my bit to balance the scales. Whether what I contribute is worth it or not is a different story, and I shall leave it to the moderators to judge for themselves.

 

The topic I would like to present to you is ARA. Just a heads up that whatever is presented here is only an overview of my understanding of what ARA is (from what I have read here and in the SAP documentation) and how it works. I'll leave it to the experts here to make corrections/suggestions if need be, for the benefit of everyone reading this document, myself included.


A lot of the key terminology has been explained rather brilliantly by Alessandro in the following two documents, so there is no point in me trying to reinvent the wheel.

 

http://scn.sap.com/docs/DOC-54434

http://scn.sap.com/docs/DOC-54530

 

So here we go.

 

Access Risk Analysis - ARA

Analyzing Risks associated with Access

Risk: when an Employee in a Company is assigned a Task or Tasks that could provide him/her with an opportunity to commit fraud.

Employee -> Company -> Task/Tasks -> Opportunity -> Fraud

Tasks are assigned to the employee in the form of Roles, which are made up of Actions/Tcodes, which in turn are made up of Permissions/Authorizations.

Workshops with BP Owners and other relevant personnel have to be conducted to gather information about the Risks associated with the following:

 

Roles -> Actions/Transaction Codes -> Permissions/Authorizations

 

Role     Actions             Permissions
Role1    Action1, Action2    Permission1, Permission2
Role2    Action3, Action4    Permission3, Permission4

Based on the information gathered we need to define the Risks:

 

Role1 + Role2 = SOD Risk
Action1 = Critical Action
Action3 = Critical Action
Permission1 = Critical Permission

Function1 = Action1 + Action3
Function2 = Permission1

Risk1 = Function1
Risk2 = Function2

Rule is a condition: If Function1 is given to a user, then it is a Risk.

Therefore Rule1 is generated against Function1 and Risk1.

 

*Example: Action1 = XK99: Vendor Mass Maintenance. Action3 = ME2L: Maintain Purchase Order - Purchasing

Risk = Create a fictitious vendor and initiate purchases to that vendor


Run a Risk Analysis against all the Risks defined.

Based on the Analysis, Remediate the Risks by executing a cleanup process, i.e. by re-designing/re-defining the roles.

This can be done through Simulation, to check whether the defined Risks will be eliminated if the cleanup is executed.

In certain unavoidable circumstances Remediation isn't an option, so the solution is to Mitigate the Risk.

 

Mitigation

Prevention             Detection
SOD                    Audits
Super User Access      Alerts
Mitigation Control

So when you create a Mitigation Control:

You specify the Risk IDs and the BU they are associated with -> the Risk IDs look up the Functions they are associated with -> the Functions look up the Actions (T-codes) they are associated with. Assign an Owner and a Controller to the MC, and tie all of this to an end user/role/profile that is assigned a role or roles which could pose a threat.


To ensure all the hard work done so far does not go to waste, run SOD review, Audit Trails and Risk Analysis on a periodic basis.

This entire process is termed the 'SOD Management Process'.
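The Role -> Action -> Function -> Risk -> Rule chain described above, worked as a small model (added example, not part of the original document and not SAP GRC code): roles carry actions, a function is "held" when the user can execute any of its actions, a risk fires when all of its functions are held, a simulation shows which risks a role change would remediate, and a mitigation control assigned to a user/risk pair marks the finding as mitigated. All role, function and risk names are constructed sample data in the layout of the table above.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample master data: role -> actions (t-codes) it grants.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "Role1": {"XK99", "FB03"},     # vendor mass maintenance + a display tcode
    "Role2": {"ME2L", "ME21N"},    # purchase order maintenance
    "Role3": {"MM03"},             # display only, no risk
}
# Function = group of actions enabling one business task; held if ANY action is executable.
FUNCTIONS: Dict[str, Set[str]] = {
    "Function1": {"XK99", "XK01"},     # vendor master maintenance
    "Function2": {"ME21N", "ME2L"},    # purchase order maintenance
    "Function3": {"FB03"},
}
# Risk = SoD combination of functions, or a single critical function.
RISKS: Dict[str, Tuple[str, ...]] = {
    "Risk1": ("Function1", "Function2"),   # fictitious vendor + purchases to it
    "Risk2": ("Function1",),               # critical action on its own
}

def actions_for(roles) -> Set[str]:
    """Union of all actions granted by the given roles."""
    return set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))

def functions_for(actions: Set[str]) -> Set[str]:
    """Functions the user holds: any of the function's actions is executable."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def analyze(user: str, roles, mitigations=None) -> List[dict]:
    """User-level risk analysis: one finding per violated risk (the 'rule' firing),
    listing the roles that contribute to it and whether a mitigation control covers it."""
    mitigations = mitigations or {}          # (user, risk_id) -> mitigation control id
    held = functions_for(actions_for(roles))
    findings = []
    for risk_id, funcs in RISKS.items():
        if not all(f in held for f in funcs):
            continue
        needed = set().union(*(FUNCTIONS[f] for f in funcs))
        culprits = sorted(r for r in roles if ROLE_ACTIONS.get(r, set()) & needed)
        status = "mitigated" if (user, risk_id) in mitigations else "open"
        findings.append({"user": user, "risk": risk_id, "roles": culprits, "status": status})
    return findings

def simulate(user: str, roles, remove=(), add=()) -> dict:
    """Remediation simulation: which risks a role change eliminates, introduces or leaves."""
    new_roles = (set(roles) - set(remove)) | set(add)
    before = {f["risk"] for f in analyze(user, roles)}
    after = {f["risk"] for f in analyze(user, new_roles)}
    return {"eliminated": sorted(before - after),
            "introduced": sorted(after - before),
            "remaining": sorted(after)}

if __name__ == "__main__":
    print(analyze("U1", ["Role1", "Role2"]))                     # Risk1 and Risk2 open
    print(simulate("U1", ["Role1", "Role2"], remove=["Role2"]))  # Risk1 eliminated, Risk2 remains
    print(analyze("U1", ["Role1"], {("U1", "Risk2"): "MC01"}))  # Risk2 now mitigated
```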


Segregation of Duties (SoD) is an internal control within a Company, implemented to prevent or reduce the risk of errors or regulatory irregularities and to ensure corrective action is taken. Ideally, no single individual should have the authority for all of:

Creation . Modification . Reviewing . Deletion

SoD ensures no single user has access to separate phases of these business transactions. This is done by dividing, distributing and allocating key tasks amongst various individuals, thereby eliminating or at least reducing the possibility of errors and fraud.

 

All of this is carried out in three separate phases:

Phase 1
  - Risk Recognition
  - Rule Building & Validation

Phase 2
  - Risk Analysis
  - Remediation
  - Mitigation

Phase 3
  - Continuous Compliance

 

*Credit for the following SOD Management Process flow goes to: Alessandro & Colleen

 

Steps and descriptions:

Step 1 - Risk Recognition

Gather a list of applicable SOD conflicts that allow fraud or generate significant errors. The outcome of this step is that your business has determined what is an unacceptable risk that they want to report on and manage via remediation or mitigation.

Helpful documents:
- Risk Lifecycle

Step 2 - Rule Building & Validation

Build the rule set based on the recognized risks from step 1. The outcome of this step is the technical rule set to analyze the user and/or role assignments.

Helpful documents:
- Business Risks / Rule Set
- Rule set - Rules & Rule Types

Step 3 - Risk Analysis

Analyze the SoD output. This can be performed with the help of SAP GRC Access Control. In case of manual analysis, for each user, analyze if he/she has the access to perform any of the conflicting functions defined in step 1. The outcome is basically to provide the business insight into alternatives for correcting or eliminating discovered risks.

Helpful documents:
- Online vs. Offline Risk Analysis

Step 4 - Remediation

In this step, evaluate if the conflicting tasks can be performed by an alternate person. If so, role changes and/or user reassignments can be performed to segregate duties properly. The outcome must be a very low number of remaining risks that need mitigation.

Helpful documents:
- Remediating Access Control SoD Risks

Step 5 - Mitigation

If it is not possible to remediate the existing conflicts, consider formulating an appropriate control to mitigate the risk. This would typically entail working with the business to set up additional monitoring procedures that compensate for the risk. The outcome must be no remaining risks.

Helpful documents:
- Internal Controls - a step towards strong controls
- Defining Mitigating Controls / Compensating Controls
- Creation of Mitigation Controls in GRC 10.0
- Mitigating Control Lifecycle

Step 6 - Continuous Compliance

Finally, establish a new continuous process wherein every access request is reviewed against the SoD conflict matrix prior to provisioning on the system. Also make sure that all role changes are analyzed and remediated before implementing. The outcome, and also the final result: your system remains clean.

Helpful documents:
- Approve/Reject Own Requests
- Risk Terminator - GRC 10

 

Now that we've covered the what and the why, we have to get our hands dirty and physically create them. If you have access to a Server, after following the SAP documentation for 'From Post-Installation to First Risk Analysis' and 'Enhanced Access Risk Analysis', try executing the following tasks:

  1. Create test users using SU01
  2. Create test roles with Critical/Conflicting Actions using PFCG
  3. Assign role/roles to test users, including roles for Risk Owner and Mitigation Controller
  4. Create Access Control Owners in NWBC
  5. Check Configuration Parameters of Risk Analysis: SPRO -> IMG -> GRC -> Access Control -> Maintain Configuration Settings
  6. Create/Check Business Process and Sub Process: SPRO -> IMG -> GRC -> Access Control -> Maintain Business Process and Sub processes
    • This will come in handy when creating Functions and Risks
  7. Create Organizations: SPRO -> IMG -> GRC -> Shared Master Data -> create a Root Organization Hierarchy
    • You cannot create a Mitigation Control without this
  8. Add Owners to the created Organization in NWBC: Setup -> Organizations
  9. Run following Sync Jobs:  SPRO -> IMG -> GRC -> Access Control -> Synchronization Jobs
    • Authorization Sync
    • Repository Object Sync
  10. Create the following in NWBC
    • Functions
    • Access Risks
    • Mitigation Control
  11. Run a Risk Analysis against the Risks
  12. Remediate using Simulation and see if it works
  13. Mitigate Risks against User/Role/Profile
  14. Create Alerts: SPRO -> IMG -> GRC -> Access Control -> ARA -> Generate Alerts
  15. Setup Batch Risk Analysis on a periodic basis:  SPRO -> IMG -> GRC -> Access Control -> ARA -> Batch Risk Analysis


I sincerely hope this document will help you in your pursuit to get a grasp on what ARA is all about.

Please feel free to correct me if I made any mistakes or if you would like to add more on this matter. It would be nice to know what is done in regards to ARA once we cross the bridge (into the real world).


Regards,

Leo..

Issue with provisioning of business roles


Hi there,

I am on AC10, where I started getting one issue lately, and I'm not sure if my issue has been dealt with here before, so apologies if this is being repeated.

 

ISSUE:

My business role consists of several composite roles which I need to have provisioned with Access Request Management, which is not happening. I did check the SLG1 logs, which simply state that the log is unavailable, and the request gets closed.

Surprisingly, when I raise the request for the nested composite role independently, it happens and so gets provisioned.

To tell you what, the status of the business role is confirmed with production.

 

Can you help me with this please?

 

 

Marcus

VIRSA CC 4.0 - table of risk analysis results


Hi,

I am working on a VIRSA CC 4.0.

 

Is there a table where I can find (download) results of risk analysis?

Something similar to VIRSA_CC_PRMVL table of GRC 5.3...

 

Thanks.

 

Andrea


GRC AC 10 BRF+ INITIATOR RULE


Hi SAP gurus,

I am new to BRF+ concepts.

While creating a BRF+ initiator rule, I created an application and I created a decision table. In the decision table I added 2 columns for context data objects, that is Request Type and Business Process, and I added two columns for result data objects, that is LINE_ITEM_KEY and RULE_RESULT.

I have a doubt about the LINE_ITEM_KEY column.

1. Is it a mandatory column for the result data object?

2. If it is mandatory, what value do we have to provide in this column?

3. I found in most of the documents that the LINE_ITEM_KEY does not have any value.

Can you please explain to me the concept of LINE_ITEM_KEY?

And can you please suggest the best document for beginners to create BRF+ rules for INITIATOR, ROUTING, AGENT and NOTIFICATION variable RULES?

Thanks in advance; the correct answer will be rewarded with points.


GRC 10 Fire Fighter ID type as Dialog user


Hi,

We have an issue in EAM when users are using a Firefighter ID with some of the Z Tcodes. After they jump into the FF ID from their regular ID, if they execute some of the Z Tcodes, it opens an authentication page and asks for an ID and password for that Z Tcode execution. If we change the FF ID user type from Service to Dialog, it does not ask for any authentication (it's only for a few Z Tcodes). We are on SP11.

Please check and suggest if we can change all our FF IDs from Service user type to Dialog. If we change to Dialog, do we need to add any additional authorizations to users? And please advise whether this is the correct process to follow or not.

Thanks & Regards,

Koteswara Rao.

GRC 10.1 Password self service system default


Hi,

 

We have implemented the Password self service for one of our systems (where we got a lot of password requests). Some of the other systems use Single sign-on.

 

Is there a way of defaulting the system in password self service, such that the user is not expected to search for the system for which they want a password?
Currently, after the user has submitted their challenge response answers, they are expected to search for the system where they want a new password. It only returns one system anyway in our scenario, but we would like to save the user the trouble of having to search for the system when there's only one in any case.

 

Thanks,

Pumza

BRM Approval Process and MSMP Stage Configuration Problems!


G'Day All,

 

I've raised a question in the following thread, but it got to a stage where it is not related to the original post anymore. So I would like to draw upon your collective knowledge, and would appreciate it if you all could jump in and help me out here.

 

http://scn.sap.com/thread/3555700

 

So this is where I'm at this point:

 

Why use two kinds of Approvals in BRM Role Generation?

  1. Role Content Approval - Through BRF+ Condition
  2. MSMP Approval - Role Owner etc

 

It seems redundant to have two approvals for pretty much the same thing. I believe in both cases (I am guessing) the Approver would be the same person, approving precisely the same thing. So why not have just one?

 

Is there a way I can tie up the BRF+ Approver Rule I created with an 'Agent Rule' in MSMP, so I can use the conditions defined to dictate who the request should go to?

 

For Example:

  1. Condition1: Then Request should go to Approver1
  2. Condition2: Then Request should go to Approver 2

* These Conditions are defined in BRF+ Approver Rule and linked in IMG and 'Role Owners' in NWBC.

 

Alternatively, I tried creating an Initiator Rule from scratch for the SAP_GRAC_ROLE_APPR Process ID, using BRF+ with the exact same conditions, and everything seems to be OK except the Configuration ID part in Stages. Screenshots of my MSMP WF are as follows:

 

Step 1: Process ID

PID.png

Step 2: Maintain Rules

RID.png

Step 3: Maintain Agents

MAG.png

Step 5: Maintain Paths

Paths.png

Step 6: Route Mapping

RR.png

 

I have encountered errors while generating the WF, which are as follows:

 

  • I tried defining my own configuration ID for Stage 1:

Stage Config ID error.png

 

  • So I tried changing the name of the config ID thinking maybe there is a particular naming convention I have to follow:

Stage Config BAdi Error.png

 

  • Next I tried using the default configuration ID and linking my Agent ID to it:

Stage Approver Error.png

 

So I would appreciate it if any of you could tell me what on earth is happening as I never had this problem with my other Initiator Rules. Is there a particular 'Naming Convention' for stage config IDs or can I give anything as long as they start with a Z/Y/X?

 

Regards,

Leo..

Problems with Automated Monitoring SAP GRC PC 10.0


We are using the Automated Monitoring in GRC Process Control 10.0 to configure a job for an SAP standard control and have a problem with the job scheduler. We perform the search for control selection in step 3 (Select Control) and this displays the warning message "There is no data matching the selection criteria, please refer to help".

The scenario created is as follows:

Business rule (Configurable Type) was created with a valid date of 01.01.2013 to 31.12.999

Process 1.PNG

In the Activities and Processes section, the process and subprocess were created. Later the corresponding control was created. This control has a regulation, risk and control objective assigned.

 

process 2.PNG

Thanks.
