Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)

How to check if BC sets for rulesets are activated correctly?


Dear Experts,

 

I would just like to know how to check if BC sets for rulesets are activated correctly.

 

When I click on Activation log I get an error: there are no activation logs available for this selection.

 

Regards,

Abhishek


GRC 5.3 CUP automated generated password not working


Hello Experts,

We have GRC 5.3 and are currently facing the following issues:
1) The password generated by CUP for the child system does not work.
2) The CUA-generated password is pushed to the child system and therefore the CUP-generated password does not work.
3) The user gets an automatically generated password when a new account is created, but the password does not work.

As a workaround we have started creating the user in the child system (CUA), so that the user doesn't get
any automated email from CUP, and we send the password after a manual reset.

We have tried setting the CUP email notification to "NO", but in that case it sends a mail with a link which takes the
user again to the password, which does not work.


Could you please provide some input and a solution: when the email config is set to "NO", why is it sending another email with
the link to the password? We want no password email to go to the user when a new account is created, and not even the mail with
the link.

Secondly, the reason why the CUP-generated password is not working for the child system.

 

The problem will be solved if password sent by CUP start working or if we can stop the password email notification(including the link one)  from the CUP.

 

P.S. CUA is implemented; it is GRC's backend system and all other production systems are provisioned through it.
The IDs are first created manually in PSC and then the CUP ticket is provisioned.
We don't want to change the settings of CUA due to some other constraints.
There is no password self service enabled.

Unable to import role from Role Mass Maintenance


Hello All,

 

We are trying to import a role from NWBC -> Role Mass Maintenance -> Role Import.

 

Even though the role exists in the backend system, it is not getting imported. Unfortunately it is not even throwing any error message, just the status "zero roles imported".

 

We have successfully imported many roles earlier, but suddenly it is not working now, and we even tried to re-import an existing role by setting the Overwrite option to Yes, but still no luck.

 

Any suggestions please?

 

Thanks in advance.

Unable to retrieve data from workflow


Hello Experts,

 

I need to show data from the workflow in the notification email of Process Control. I am pulling the data from the workflow container, but it is not showing in the email. I can see the data in the workflow container but not in the email.

 

Kindly throw some ideas on it.

 

Thanks.

GRC PC 10.0 - Mail personalization


Hi all,

 

I can't find a way to modify the automated mail.

 

I would like to write a more comprehensive text with the list of controls and the organization name. Is it possible?

 

Can somebody explain to me how to do it?

 

 

Many thanks

SAP GRC BRF+ OBJECTS FOR INITIATOR, ROUTING AND AGENT RULES


Hi SAP GURUS,

Can anyone explain the BRF+ structures?

I am a beginner with the BRF+ application. When I try to create a table for an initiator rule or agent rule,

I am getting 2 options to select:

1. Access Request Line Item

2. Request Header

 

and both have the same objects. Can you tell me whether I need to select the objects from 1. Access Request Line Item or 2. Request Header?

 

And can you also explain the following 4 structures:

1. Access Request Line Item

2. Request Header

3. Result Routing Rule

4. Role Function Area

 

Thanks in advance. the correct answer will be rewarded with points.

NFE 10.0 incoming B2B NFE


Hi All,

 

We have implemented NFE 10.0. Now we are testing the inbound B2B NFE. When the NFE XML is received at the GRC system, it is processed successfully and the NFE is available in the NFE table /XNFE/INNFEHD. However, we are unable to find the inbound NFE in the incoming NFE monitoring GUI.

 

Could you please share your thoughts on this? Are we missing any configuration?

 

Regards,

Sami.

GRAC Repository Sync SP09


Hi,

We are on GRAC SP09. I run a Full Repository Sync weekly on Monday at 00:30:00 in background batch mode. It states it is successful. A few users (they are always the same users) do not show up each week on Monday after the sync runs, when I check these same users in access review.

 

If I then run incremental in background mode at 8 am then these users will show up.  I run the incremental daily but not until later in the day.

Shouldn't the full sync pull these users?  They are active users and not users that have had roles changed, deletions or expired roles.

 

Thanks,

Mary


ARA - For the new kid on the block


G’Day All,

 

Considering the fact that so many people out here have so selflessly shared their expertise through blogs, answers etc., it's only fair that I do my bit to balance the scales. Now whether what I contribute is worth it or not, that's a different story, and I shall leave it to the moderators to judge for themselves.

 

The topic I would like to present to you is ARA. Just a heads up that whatever is presented here is just an overview of my understanding of what ARA is (from what I read here and SAP documentation) and how it works. I'll leave it to the experts here to make corrections/suggestions if need be, for the benefit of everyone reading this document, myself included.


A lot of the key terminology has been explained rather brilliantly by Alessandro in the following two documents, so there is no point in me trying to reinvent the wheel.

 

http://scn.sap.com/docs/DOC-54434

http://scn.sap.com/docs/DOC-54530

 

So here we go.

 

Access Risk Analysis - ARA

Analyzing Risks associated with Access

Risk: when an Employee in a Company is assigned a Task or Tasks that could provide him/her with an opportunity to commit fraud.

Employee -> Company -> Task/Tasks -> Opportunity -> Fraud

 

Tasks are assigned to the employee in the form of Roles, which are made up of Actions/Tcodes, which in turn are made up of Permissions/Authorizations.

Workshops with BP Owners and other relevant personnel would have to be conducted to gather information about the Risks associated with the following:

 

Roles -> Actions/Transaction Codes -> Permissions/Authorizations

 

Role1    Action1, Action2    Permission1, Permission2
Role2    Action3, Action4    Permission3, Permission4

Based on the information gathered we need to define the Risks:

 

Role1 + Role2 = SOD Risk
Action1 = Critical Action
Action3 = Critical Action
Permission1 = Critical Permission

Function1 = Action1 + Action3
Function2 = Permission1

Risk1 = Function1
Risk2 = Function2

A Rule is a condition: if Function1 is given to a user, then it is a Risk.

Therefore Rule1 is generated against Function1 and Risk1.

 

*Example: Action1 = XK99: Vendor Mass Maintenance
Action3 = ME2L: Maintain Purchase Order - Purchasing

Risk= Create a fictitious vendor and initiate purchases to that vendor


Run a Risk Analysis against all the Risks defined



Based on the Analysis, Remediate the Risks by executing a cleanup process, i.e. re-designing/re-defining the roles.

This can be done through Simulation to check if the defined Risks will be eliminated if  the cleanup is executed.


In certain unavoidable circumstances Remediation isn't an option, so the solution is to Mitigate the Risk.

Mitigation

Prevention              Detection
SOD                     Super User Access
Mitigation Control      Audits
                        Alerts

So when you create a Mitigation Control:

You specify the Risk IDs and the OU they are associated with -> the Risk IDs look up the Functions they are associated with -> the Functions look up the Actions (T-codes) they are associated with. Assign an Owner and a Controller to the MC and tie all of this to an end user/role/profile that is assigned a role or roles which could pose a threat.


To ensure all the hard work done so far does not go to waste, run
SOD review, Audit Trails and Risk Analysis on a periodic basis.



This entire process is termed as 'SOD Management Process'.


Segregation of Duties (SoD) is an internal control within a Company, implemented to prevent or decrease the risk of errors or regulatory irregularities and to ensure corrective action is taken. Ideally, no one individual should have the authority for all of:

Creation, Modification, Reviewing, Deletion

 

SoD ensures no single user has access to separate phases of these business transactions. This is done by Dividing, Distributing and Allocating key tasks amongst various individuals thereby eliminating or at least reducing the possibility of errors and fraud.

 

All of this is carried out in three separate phases:

 

Phase 1

Risk Recognition

Rule Building & Validation

 

Phase 2

Risk Analysis

Remediation

Mitigation

 

Phase 3

Continuous Compliance

 

*Credit for the following SOD Management Process flow goes to: Alessandro & Colleen

 

Steps and descriptions:

Step 1

Gather a list of applicable SOD conflicts that allow fraud or generate significant errors. The outcome of this step is that your business has determined what is an unacceptable risk that they want to report on and manage via remediation or mitigation.

 

Helpful documents:

Risk Lifecycle

Step 2

Build the rule set based on the recognized risks from step 1. The outcome of this step is the technical rule set to analyze the user and/or role assignments.

 

Helpful documents:

Business Risks / Rule Set

Rule set - Rules & Rule Types

Step 3

Analyze the SoD output. This can be performed with the help of SAP GRC Access Control. In case of manual analysis, for each user, analyze if he/she has the access to perform any of the conflicting functions defined in step 1. The outcome is basically to provide the business insight to alternatives for correcting or eliminating discovered risks.

 

Helpful documents:

Online vs. Offline Risk Analysis

Step 4

In this step, evaluate if the conflicting tasks can be performed by an alternate person. If so, role changes and/or user reassignments can be performed to segregate duties properly. The outcome must be a very low number of remaining risks that need mitigation.

 

Helpful documents:

Remediating Access Control SoD Risks

Step 5

If it is not possible to remediate the existing conflicts, consider formulating an appropriate control to mitigate the risk. This would typically entail working with the business to set up additional monitoring procedures that compensate for the risk. The outcome must be no remaining risks.

 

Helpful documents:

Internal Controls - a step towards strong controls

Defining Mitigating Controls / Compensating Controls

Creation of Mitigation Controls in GRC 10.0

Mitigating Control Lifecycle

Step 6

Finally, establish a new continuous process wherein every access request is reviewed against the SoD conflict matrix prior to provisioning on the system. Also make sure that all role changes are analyzed and remediated before implementation. The outcome, and final result, is that your system remains clean.


Helpful documents:

Approve/Reject Own Requests

Risk Terminator on SAP Wiki

 

Now that we’ve covered the what and the why part we have to get our hands dirty and physically create them. If you have access to a Server, after following SAP documentation for 'From Post-Installation to First Risk Analysis' and 'Enhanced Access Risk Analysis', try executing the following tasks:

  1. Create test users using SU01
  2. Create test roles with Critical/Conflicting Actions using PFCG
  3. Assign a role or roles to the test users, including roles for Risk Owner and Mitigation Controller
  4. Create Access Control Owners in NWBC
  5. Check Configuration Parameters of Risk Analysis: SPRO -> IMG -> GRC -> Access Control -> Maintain Configuration Settings
  6. Create/Check Business Process and Sub Process: SPRO -> IMG -> GRC -> Access Control -> Maintain Business Process and Sub processes
    • This will come in handy when creating Functions and Risks
  7. Create Organizations: SPRO -> IMG -> GRC -> Shared Master Data -> create a Root Organization Hierarchy
    • You cannot create a Mitigation Control without this
  8. Add Owners to the created Organization in NWBC: Setup -> Organizations
  9. Run the following Sync Jobs: SPRO -> IMG -> GRC -> Access Control -> Synchronization Jobs
    • Authorization Sync
    • Repository Object Sync
  10. Create the following in NWBC
    • Functions
    • Access Risks
    • Mitigation Control
  11. Run a Risk Analysis against the Risks
  12. Remediate using Simulation and see if it works
  13. Mitigate Risks against User/Role/Profile
  14. Create Alerts: SPRO -> IMG -> GRC -> Access Control -> ARA -> Generate Alerts
  15. Setup Batch Risk Analysis on a periodic basis:  SPRO -> IMG -> GRC -> Access Control -> ARA -> Batch Risk Analysis


I sincerely hope this document will help you in your pursuit to get a grasp on what ARA is all about.


Please feel free to correct me if I made any mistakes or if you would like to add more on this matter. It would be nice to know what is done in regards to ARA once we cross the bridge (the real world).


Regards,

Leo..
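As an added illustration (my own example, not part of Leo's document or of SAP GRC), the following Python models the Role -> Action -> Function -> Risk chain from the document as a small offline risk analysis, including the simulation step used for remediation. It generalizes the two cases in the text: a risk with one function is a critical-action risk, a risk with several functions is an SoD risk. All user, role, function and risk names are constructed; only XK99 and ME2L come from the example above.

```python
"""Toy Access Risk Analysis over Role -> Action (T-code) -> Function -> Risk,
with remediation simulation. All data is constructed, not a real ruleset."""

# Roles and the actions (transaction codes) they contain.
ROLE_ACTIONS = {
    "Z_VENDOR_MAINT": {"XK99", "XK01"},   # XK99 = vendor mass maintenance
    "Z_PURCHASING":   {"ME2L", "ME21N"},  # ME2L = purchase orders, purchasing
    "Z_DISPLAY":      {"ME23N"},
}
# Role assignments of the test users (the SU01/PFCG steps in the text).
USER_ROLES = {
    "TESTUSER1": ["Z_VENDOR_MAINT", "Z_PURCHASING"],
    "TESTUSER2": ["Z_PURCHASING", "Z_DISPLAY"],
    "TESTUSER3": ["Z_VENDOR_MAINT"],
}
# A function groups the actions that let someone perform one business task.
FUNCTIONS = {
    "F_VENDOR_MASTER":  {"XK99", "XK01"},
    "F_PURCHASE_ORDER": {"ME2L", "ME21N"},
}
# A risk lists one function (critical action) or several (SoD conflict).
RISKS = {
    "P001": ["F_VENDOR_MASTER", "F_PURCHASE_ORDER"],  # fictitious vendor + purchases
    "C001": ["F_VENDOR_MASTER"],                      # critical vendor-master access
}


def user_actions(user, user_roles=USER_ROLES):
    """Map every action the user can execute to the roles granting it."""
    granted = {}
    for role in user_roles.get(user, []):
        for action in ROLE_ACTIONS.get(role, ()):
            granted.setdefault(action, set()).add(role)
    return granted


def analyze_user(user, user_roles=USER_ROLES):
    """Return {risk_id: {function: {action: [roles]}}} for each risk the user
    fully enables: a function is enabled when the user holds any of its
    actions, and a risk fires only when all of its functions are enabled."""
    granted = user_actions(user, user_roles)
    violations = {}
    for risk_id, funcs in RISKS.items():
        hits = {f: FUNCTIONS[f].intersection(granted) for f in funcs}
        if all(hits.values()):
            violations[risk_id] = {f: {a: sorted(granted[a]) for a in sorted(acts)}
                                   for f, acts in hits.items()}
    return violations


def simulate(user, remove_roles=(), add_roles=()):
    """Remediation simulation: re-run the analysis for a hypothetical role
    change without touching the stored assignments."""
    roles = [r for r in USER_ROLES.get(user, []) if r not in remove_roles]
    roles += [r for r in add_roles if r not in roles]
    return analyze_user(user, user_roles={user: roles})


def batch_risk_analysis(users=USER_ROLES):
    """Batch run over all users; only users with at least one violation appear."""
    return {u: v for u in users if (v := analyze_user(u))}
```

The violation detail names the role that grants each conflicting action, which is what a remediation decision (which role to split or remove) needs.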

ARQ: How to reset the Number Range of Access Request???


Hi,

 

I would like to know if there is any way to reset the number range. Currently the sequence number is in 2 digits, and due to some business reason it is to be reset.

 

I would also like to know:

 

1. What would be the impact on the application?

2. What would be the impact on existing requester numbers?

 

Can anybody please let me know how I can reset the request numbers?

 

Regards,

Faisal

Blank entry in adhoc query


Hi All,

 

I have created a data source with table joins T001W and T134M.

Field MANDT has been maintained when the join condition was established at Data source level.

The adhoc query in the business rule identifies the deficiency, but some fields in the result have a blank entry.

Attached is the screenshot for your reference.

Can you please let me know how to fix the blank entry issue?

 

Thanks

Ashok S

GRC_10 Risk Analysis Report


Hi,

 

I need to extend the risk analysis report with more details from different tables, which hold special role details.

I haven't found a way to do this.

 

Could I extend the standard report for risk analysis with more columns?

Is there something like user exits or enhancement points?

 

 

thank you very much indeed

 

best regards

Alex

GRC AC Access Request


Hello all!

 

1 - We are implementing GRC AC for a client and this is our first project. Basically the client needs the default workflow to add new roles for a user (Change Account) with only one extra need: add a "Manager Approval". In this case, to grant a role to a user he needs 3 approvals: first the Manager Approval, and if the manager approves the request, then the "Role Content Approver" and "Assignment Approver" are requested. In my thoughts, we should probably add a new step for the "Manager Approval" in the workflow.

 

 

I'm a little lost. Can someone clarify for me whether I can do this through MSMP and BRF+? Am I thinking right? Any suggestion is really appreciated.

 

Thanks in advance,

SAP Legend

SAP GRC How does Mitigation Monitoring work ?


Hello All,

 

I am trying to learn the processes related to mitigation control monitoring. I understand a control requires an approver and a monitor. So what functions does the mitigation monitor perform?

 

I'm interested in any reports that need to be working that would be employed by the monitor. Is there an enforcement mechanism, logging or reporting, when the monitor runs related reports on mitigating controls? Also, is there available documentation on this process?

 

All information on this topic is welcome.

 

Thanks !

Jamie

PSS Error: Cannot unbind LDAP system


Hi,

 

I am trying to configure PSS in GRC system.

 

I have followed the SAP LDAP configuration document attached to SAP Note 1584110.

 

I am successfully able to log on to the LDAP server from tcode LDAP. Everything seems to be working fine. However, when a user tries to access the PSS service using the End User Logon Page by entering his user ID, it gives the errors below:

 

Cannot unbind LDAP system

Cannot perform read operation on LDAP system


I am unable to recognize this error and I don't know why or where it is coming from (SAP problem or ADS problem).


Please suggest how I can address this issue.


Regards,

Faisal


SAP GRC Certification


Hello Gurus,

 

I do not have experience with Basis, but I am working in a company which makes products similar to SAP GRC. I would like to know from you guys if I can learn SAP GRC as well.

What could the technical challenges be for me in order to learn SAP GRC?

 

Please provide input on this.

 

Also, is there any documentation on that?

GRC Report for SAP_ALL


Hi Experts,

 

There are several requirements from our client on reports. Please suggest the possibility in GRC 10.0 for the points mentioned below.

 

1. A quarterly report of users with SAP_ALL / SAP_NEW access. Is there any way to send this report via workflow on a quarterly basis?

 

2. If our assignment is outside of GRC, then an immediate alert to Risk Owners for all high risk SoD assignments.


3. An exception report for assignments made outside GRC (e.g. not automated via ARM).

 

4. A weekly report for any changes to access for users with SAP_ALL / SAP_NEW access, sent via workflow.

 

 

Please suggest asap.

 

Thanks,

Sriram

How to find list of users based on expired date in GRC 10


Hi all,

Do we have a report in GRC 10 to find the list of users based on expired date?

 

Thanks

LAK

Reg_Access Request Submission Notification to GRAC_REQUESTER


Hi All,

 

I have an issue in SAP GRC 10.0 with respect to notifications and variables. Currently, in the process SAP_GRAC_ACCESS_REQUEST, I have by default the global notification settings mentioned below.

 

    Notification Event        Template ID        Recipient ID

1. END_OF_REQUEST            GRAC_AR_CLOSE      GRAC_USER

2. REQUEST_SUBMISSION        GRAC_AR_SUBMIT     GRAC_REQUESTER

 

Now when I try to create a change access request, which is by adding roles to the user in the connector system, the request gets submitted. So because of the Request Submission Notification event, a notification is sent to the requester, and the notification has the text which is mentioned in the document object associated to the message class <0AC_AR_SUBMIT>. Now I have created a custom Document object <Z_GRAC_AR_SUBMIT_BODY> and assigned that to <0AC_AR_SUBMIT> by maintaining the table GRFNVNOTIFYMSG, and I have also changed the subject in that.

 

But now when the requester receives the notification, the subject is <Access Request Submission Notification>, whereas it is mentioned differently, as shown below.

 

[Screenshots: Message class.JPG, Text.JPG]

Whereas when the requester gets the submission notification, as shown below, it looks different; I mean even the first name and last name are not coming correctly.

 

[Screenshot: Capture1.JPG]

 

whereas the user name maintained in the requester's user master record is

 

[Screenshot: Capture2.JPG]

Could you please help with why there are discrepancies, and also how I can find where the sender is maintained, i.e. the mail ID which sends the notifications to the users?

 

Thanks and Regards,

Naga.

SAP GRC connectivity with wsdl


Hi,

 

We are trying to communicate with SAP GRC via the web service WSDL (DOC_3I_GRAC_USER_ACCES_WS.wsdl), but that WSDL does not contain the XXXservice.java, XXXport.java or XXXlocator.java files, so how do we write the client programs for this WSDL?

 

 

Any sample code will be very helpful.

 

 

thanks,

pranali.
