Quantcast
Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)
Viewing all 5097 articles
Browse latest View live

GRC 10 - UAR workflow not generating requests

September 24, 2014, 8:47 pm
$
0
0

GRC 10 - UAR workflow not generating any requests

I have configured as per SAP recommendation with no Admin review

 

(1) Prerequisite Jobs need to be executed, in sequence, as follows:

  • Repository Object Synch /GRAC_ROLEREP_ROLE_SYNC
  • Repository Object Synch /GRAC_ROLEREP_USER_SYNC
  • Action Usage Synch  /GRAC_ACTION_USAGE_SYNC
  • Role Usage Synch / GRAC_ROLE_USAGE_SYNC

(2) Role Methodology verification:

  • Verify that all the roles have been assigned to a methodology in 'Business Role Management'.

(3) Reviewer Verification:

  • Verify that the role owners have been assigned to roles or role users have a manager assigned from the data source system.

(4) Verify Mandatory Configurations:

  • Verify that the following configuration parameters have been maintained in the IMG.

         Run transaction SPRO, then go to IMG > SAP Reference IMG > Governance, Risk and Compliance-->Access Control-->Maintain Configuration Settings

    1. parameter id = 2004 (Request Type for UAR)
    2. parameter id = 2005 (Default Priority)
    3. parameter id = 2006  (Who are the reviewers?)

MSMP workflow has been configured so that all requests going to Role Owner .  When I scheduled the batch job , it is styaing in active status for long time and I manually cancelled it .

 

I have checked all the posts , but no lcuk. Any ideas / advice much appreciated

Search

SAP GRC 10 - PSS Access from SAP ECC System

September 24, 2014, 8:57 pm
$
0
0

I have configured Password Self Service in GRC System and is working perfectly fine for all password resets if access provided to NWBC from  GRC System.

 

We have requirement to provide end users to reset password using SAP ECC System only. I have tried to access NWBC using SAP ECC System but is giving me error that Menu not configured or roles not assigned.

 

Currently Maintain Data Sources is configured as below

 

User Search Data Sources , User Detail Data Sources  & User Authentication Data Sources set to ECC Connector and End User Vertification Set to yes.We are not using LDAP / Active Directory for the User Search Database and instead ECC Only

 

Can anyone provide the roles to be assigned in SAP ECC System to access NWBC - Password Reset .

Roles not visible for selection

September 23, 2014, 11:20 pm
$
0
0

Although GRACROLE table shows roles, the same are not appearing , when doing Role search(from NWBC-Access Management)

GRAC10 Access Request not taking any workflow path/stage

September 24, 2014, 10:16 am
$
0
0

Hi Experts,

 

Since yesterday, In the GRC AC system,(GRC AC 10.0 SP14) the access requested is getting submitted successfully, however the request is not getting anywhere and is not picking any workflow path. I checked in the SWI1 and SWI5, it is showing all the request until yesterday. Therefore my request created today does not have any track. Upon checking the audit log it is just giving the message that Role added to the request for action assigned with validity date.

 

Any suggestion or comment will be of great help.

 

Thanks,

Kjoshi

Role retain action results in provisioning failure

September 24, 2014, 11:45 pm
$
0
0

Hi All,

 

We are on GRC 10.0 SP 10. Following is the steps and the issue, any help would be really appreciated. Thanks!!

 

1. A change account request is created.

2. Existing user is selected and from existing assignments a composite role is selected.

3. The provisioning action is "Retain" for the role.

4. The role validity dates are changed / extended.

5. Request is submitted and approved by relevant approvers.

6. On closure following things happen:

     6.1 The role's validity dates in the backend system is changed as requested

     6.2 The audit log for the request however shows - "Role is not retained for user xxxx for system xxxxx" and "Post-request activities reported problems; check logs for details"

     6.3 Due to this the auto provisioning in GRC's side fails and the notification is sent out as provisioning failed even though the backend system was changed as requested.

 

There are no errors / warnings in SLG1 of GRC and ECC. We have done a trace and there are no authorization issues with the requester, WF-BATCH or the approvers.

 

Kindly suggest for a solution.

 

Thanks

Sammukh Gupta

HR trigger to GRC system - System modifiable issue

September 25, 2014, 4:48 am
$
0
0

Hi All

 

I have been trying to add my Dev system as the HR trigger for my GRC Dev system.

 

I am planning to Prototype the HR trigger functionality

 

When i try (ECC Dev system) IMG->Governance, Risk and Compliance (Plug-In->Access Control->Maintain Plug-In Configuration Settings.

message is displayed as Client XXX : is not modifiable

 

But when i go to SE06 in backend system - i see the setting set to modifiable.

 

Hence i am unable to add the Entries for 1000,1001 & 1003

 

Let me know what corrective actions to be taken on the same.

 

Raju

Access Form Fields Not Updated

September 25, 2014, 9:08 am
$
0
0

Hi Everyone,

 

 

In SPRO through end user personalization i have maintained access form fields visible,mandatory,editable for default EUP ID.

 

But,when I open the access form in NWBC those changes were not updated.

 

Please suggest any more steps that needs to be performed.

Disable roles which no longer needed GRC 10.1

September 23, 2014, 11:29 am
$
0
0

Hi All ,

 

I would like to get advice on how to disable single roles so that these role would not be assigned or won’t reflected in the users selection via GRC   10.1.

 

The goal is to ensure only composite roles should be assigned to user.

 

Based on my reading prior the roles available we need to add these new roles to CUP for user provisioning and the wiki information indicates “ Single

 

Roles contained in the Composite Roles are Imported before the Composite Roles.”

http://wiki.scn.sap.com/wiki/display/GRC/AC+10.0+Role+Import

 

Question is there any option in the role upload file where we can disable this single roles so that either it would not visible or would not allow for provisioning .


I am very new to GRC  10.1 thus any help much appreciated .

 

Regards

Search

Not able to perform offline Self Assessment

September 25, 2014, 5:02 am
$
0
0

Hello Everyone,

 

We are currently configuring Self Assessment in GRC 10.1 and have performed below steps for enabling Offline Adobe forms ..

 

  • Configured E-mail Inbound Process with exit name "CL_GRFN_OWP_DELIVER"
  • Scheduled a hourly job to deliver PDF through E-mail
  • We are using standard handlers hence have made no update in "Configure OWP Business Scenario"

 

We are already using Adobe forms for Risk Management hence ADS connection is working properly.

 

While we are triggering Self assessment using Planner, all of the assessments are moving to work Inbox instead of getting delivered via Offline Adobe attachment.

 

Please let me know if there is any configuration which creates offline assessment.

 

Regards,

Rohit Shetty

Create an organization in Process Control 10.0

September 25, 2014, 10:31 am
$
0
0

Hi all,

 

I have a problem when creating an organization in Process Control 10.0. I created the organization from "Create Root Organization Hierarchy" IMG, and I can it see from the Expert Mode but I can't see it from the NWBC --> Master Data --> Organizations. Can someone please help me?

 

Thanks in advance.

Role Owner Defination

September 25, 2014, 8:16 pm
$
0
0

Hi All ,

 

We are currently implementing GRC 10 and since I only have brief exposure would like to some advice on the role owner definition in GRC .

 

In our organization we have two approve for each of the business domain. After checking in SDN I believe this is possible with defining the approver during the role upload via NWBC .

 

 


Approver [ Alphanumeric(12) ]

Alternate Approver [ Alphanumeric(12) ]

 

If this is true would the notification would be going to both approver or only to the Primary Approver. 

 

 

Regards

Amir . 

Integration of GRC10.1 with ADFS

September 25, 2014, 11:02 pm
$
0
0

We are in the process of implementing GRC Access Controls 10.1.

Business has requested details about usage of SAML for SSO within their

Landscape.

 

Currently, we will have GRC AC interface with ECC, CRM, EWM, etc.

Additionally, business has a 3rd party IDM solution that they are in

the process of implementing. Currently ADS is being used as the User

Store, but for implementing SAML, the understanding is that ADFS

(Active Directory Federation Services) will have to be used.

 

In order to implement SSO using SAML in the above scenario, where in

GRC will need to connect with ADFS and 3rd party IDM, we would like to

request information regarding the following:

 

1. Can we integrate GRC AC 10.1 with ADFS (instead of ADS / LDAP)?

2. Will the procedure for connecting GRC with ADFS be the same as one

for GRC with LDAP / ADS?

3. GRC will be used for provisioning users into SAP systems such as

ECC / CRM / EWM etc. In this case, we were looking for documentation

for setting up SSO using SAML.

 

Thanks In advance

No Approver Found. Request Change is not possible.(Process Control)

September 26, 2014, 12:57 am
$
0
0

Hello All,

 

We deployed GRC10.1(Process Control) in our environment. We did post installation step & activated  BC sets. Initial Work Configuration has been completed.

step 1: SPRO --->Shared Master Data Settings -->Activate Workflow for Master Data Changes

 

 

Step 2: SPRO --> General Setting ---> Workflow--> Maintain Custom Agent Determination Rules

Assigned Business Event --> 0FN_MDCHG_APPR

 

 

 

 

 

 

 

Step 3: While click on Request Change ..below message receiving workflow not triggering

'No Approver Found. Request Change is not possible."


Step 4: I already assign  User name & role (Cross Regulation Organization Admin).



Please suggest me how to  assign approver.

 

Thanks in Advance.

 

Regards,

Nani

ARQ: MSMP Workflow version Activation and Existing Requests' Fate???

September 25, 2014, 9:23 am
$
0
0

Hi,

 

Our current Workflow solution is working fine to cater the current business requirements. Now an addition is made to the MSMP workflow to address the "Default" roles. In this regard, routing rule is enabled at Manager level. This is successfully moved to Quality System and I generated the MSMP workflow version in Quality System. After that I tested the scenario and it worked as expected.

 

Now it is moved to Production system. Currently, there are multiple requests with "Pending" status in Production system. If I activate (generate) the MSMP workflow version, all the existing requests would become "Invalid" and cannot be processed because of MSMP version change!

 

May I have your valuable inputs to address this issue? I believe, I need to generate the MSMP workflow version to bring "Default" roles functionality in effect. What should be the reasonable solution to:

 

1. get current requests approved seamlessly?

2. get "Default" roles functionality introduced?

 

Please advise.

 

Regards,

Faisal

GRC AC 10.0 Role Owner can Approve owned role

March 13, 2012, 7:13 am
$
0
0

SAP Gurus,

Could you please help me in the below scenario (GRC Access Control V10.0):

I want to configure such a way that ROLEOWNER should not be able to approve the role that he owns for himself.

Eg: Role1 approver is ROLEOWNER1.

 

If someone/Roleowner1 raises a request to assign the ROLE1 to ROLEOWNER1 then the roleowner1 should not be able to approve as the request is raised for himself. There should be an error message.  Currently, we have the EUP setting set to "NO' for the Approve/Reject Own Requests setting. The result is we receive two messages:

1.)“You are not allowed to approve your own request” – Correct system response

2.) “Access Request XX is approved”- The request should not be approved in this situation, but does progress through workflow.

I would like to avoid using a custom agent rule, because role approvers at for my client change frequently.  It works correctly for our Manager stage. If a user sets themselves as the manager, they are unable to approve at that stage.

Please advise. I will appreciate your help.

 

Thanks,

Ryan

Search

GRC AC - HCM as user search data source

September 22, 2014, 7:02 am
$
0
0

Hello all,

 

I´ve configured GRC AC to user HCM as user search data source and also user details data source. During my user change tests through the "Access Request" function, I noticed that only existent users at SU01 and HCM (checked through PA30) appear in the access request User Selection. Existent users at HCM but not at SU01 doesn´t appear.

 

Someone can tell me why? I mean, if I configured the user search to use HCM as data source, shoudn´t it bring all HCM users regardless of his existence at SU01?

 

Thanks in advance,

Pedro

GRC - Restricting owners and controllers from approving own requests

September 26, 2014, 10:34 am
$
0
0

Hi Everyone,

 

We are implementing GRC 10.1. I have the SAP_GRAC_ACCESS_REQUEST and SAP_GRAC_FIREFIGHT_LOG_REPORT workflows working as expected except for one issue.

 

I am unable to restrict users from approving their own requests and FF id activity.

 

I wanted to create a condition in the workflow to  cancel whenever approver = user but couldnt figure out how to add the user value to the condition.

I have an option to add the workflow initiator but if i do that this will fail when we have someone else requesting a ff id for the user who is also the approver for a ff id.

 

Any ideas?

 

Please advise.

 

Sushni

Risk Analysis shows "HIGH" risk as "MEDIUM" risk

September 26, 2014, 3:35 am
$
0
0

Hi All,

 

I have defined SOD risks with Risk Level "HIGH" and generated the rules


Access Rule summary also shows that rules are generated with risk level "HIGH"

 

But when I execute the risk analysis for these risks which are defined with risk level as "HIGH", in the risk analysis result they are being shown with risk level "MEDIUM"

 

I have run all the synch jobs. My logical group also contain only one connector. To cross check I have generated rules again from front end.

 

Someone please help if I am doing something wrong.

 

Regards,
Madan.

ARQ: BRF+ Rule for User Defaults???

September 26, 2014, 9:59 am
$
0
0

Hi All,

 

This is very basic and common requirement and I am trying to map the same at my end. In pursuing so, I was following note#1615552 - Hot to Set User Default.

 

In this note, I came across with an action (in Step#2) to maintain User Default BRF+ Selection Rule. Below is the excerpt from note (Only step#2):

 

-----------------Start---------------

Step 2: Maintain the User Default BRF+ selection rule.

 

 

In transaction SPRO Open node Governance, Risk ad Compliance>Access Control>Maintain AC Applications and BRFplus Function Mapping and copy the BRF Function Id mentioned against 'User Defaults'

 

 

Now open transaction brfplus and choose menu Workbench>Open object and enter the id that you selected above (80E0ED08B0561DDFA5ADCADA787E1EDA).

 

 

Once the object is open, go to the Signature section an see that the 'Result Data Object' is USER_DEFAULT_ID.

 

 

Write your BRF+ rule so that a unique Id is returned in USER_DEFAULT_ID output structure that you mentioned already defined in step 1.

 

 

BRF+ rule will be based on the input structure supplied to the function which should be the base of determining what user id should be resulted out.

 

-----------------End---------------

 

 

I opened object#80E0ED08B0561DDFA5ADCADA787E1EDA in BRF+ application and I found the USER_DEFAULT_ID as indicated in the note.

 

It asks to write own BRF+ rule for this user default. This has raised below 2 questions for me:

 

1. Should I create a new BRF+ application as I created for "Initiator Rule"?

  If yes, then how should I create BRF+ application for User Defaults? I mean, like "Initiator Rule", do we have for "User Default" also?

 

2. Should I modify 80E0ED08B0561DDFA5ADCADA787E1EDA (standard) object?

 

  If yes, then may I know how should I modify to reflect my user default parameters?

 

Please advise.

 

Regards,

Faisal

Need Help to Face the Issue

September 27, 2014, 12:45 am
$
0
0

Hi Experts,

I am New to GRC. I dont know wich questions are askable and wich not.

But here i am facing the issue like No Cross system-ids maintained..

what is this means..???

Viewing all 5097 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>