Hello Team,

We are installing the latest SAP Assurance and Compliance Software 1.1

SP05 . using the SUM tool version 12.

But we are facing the following error in the pre processing phase as

shown

below

The sub phase is

Checks after phase MAIN_SHDIMP/SUBMOD_SHDIMP/SHADOW_IMPORT_INC were

negative

The HANA DB is running on REV 85

The Netweaver version installed in Netweaver 7.4 SR2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SHADOW IMPORT ERRORS and RETURN CODE in SAPK-11002INSAPFRA.GFD

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4 ETW000 keypart: 'X' 'X'

4 ETW000 len : 001 001 (bytes)

4 ETW000 offset : 026 028 (bytes)

4 ETW000 format : 'B' 'B'

4 ETW000 ... ignoring such differences.

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *S ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *S ).

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *R ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *R ).

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *P ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *P ).

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *N ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *N ).

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *J ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *J ).

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *F ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *F ).

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 9 entries for GRCAUD_C_SCHML_T inserted (___DEFAULT *E).

4 ETW000 client 000: 3

4 ETW000 client 001: 3

toggled. It's better not to delete anything.

3WETW000 fails to obtain a temporary lock on table GRCAUD_C_SCHML_T =>

parallel import is running without deadlock protection

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *S ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *S ).

4 ETW690 COMMIT "146" "895835902"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

3WETW000 fails to obtain a temporary lock on table GRCAUD_C_SCHML_T =>

parallel import is running without deadlock protection

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *R ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *R ).

4 ETW690 COMMIT "0" "895835902"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

3WETW000 fails to obtain a temporary lock on table GRCAUD_C_SCHML_T =>

parallel import is running without deadlock protection

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *P ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *P ).

4 ETW690 COMMIT "0" "895835902"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

3WETW000 fails to obtain a temporary lock on table GRCAUD_C_SCHML_T =>

parallel import is running without deadlock protection

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *N ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *N ).

4 ETW690 COMMIT "0" "895835902"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

3WETW000 fails to obtain a temporary lock on table GRCAUD_C_SCHML_T =>

parallel import is running without deadlock protection

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *J ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *J ).

4 ETW690 COMMIT "0" "895835902"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

3WETW000 fails to obtain a temporary lock on table GRCAUD_C_SCHML_T =>

parallel import is running without deadlock protection

4 ETW000 0 entries for GRCAUD_C_SCHML_T imported (000DEFAULT *F ).

4 ETW000 3 entries for GRCAUD_C_SCHML_T rejected - language not installed

(000DEFAULT *F ).

4 ETW690 COMMIT "0" "895835902"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 9 entries for GRCAUD_C_SCHML_T updated (___DEFAULT *E).

4 ETW000 client 000: 3

4 ETW000 client 001: 3

4 ETW000 client 100: 3

4 ETW690 COMMIT "990" "895836892"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

4 ETW000 9 entries for GRCAUD_C_SCHML_T updated (___DEFAULT *D).

4 ETW000 client 000: 3

4 ETW000 client 001: 3

4 ETW000 client 100: 3

4 ETW690 COMMIT "990" "895837882"

2EETW201 table "GRCAUD_C_SCHML_T": key fields "LVL" and "LANGU" are

toggled. It's better not to delete anything.

1 ETP111 exit code : "8"

Do let me know if any one has faced similar issue during the install.

Sandip Jain

Hello All ,

We have designed workflows ( New User creation / change user / removal of access )  in GRC for EP system.

I have followed all the steps which are necessary for Portal Integration ( EP ) with GRC.

I am facing error while selecting a EP system for raising a request for New User creation in GRC.

As soon as I click on ' OK ' , I get the error ( 2nd screenshot ) . I am not able to proceed to the 4th step ( Review & Submit ).

Please suggest .

Best Regards,

Rahul Muni

Hello all,

Someone know if there is an option to inform users (e-mail notification) with pending itens (work inbox) for more than 3 days for example? And after, another notification to itens with 10 days?

Regards,

Pedro

Dear Mohana,

We are facing the same issue on our side.

Could you please let us know if you have solved this problem ?

Thanks and best regards,

Jamal HALAQ

This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Processes, Lifecycles and Responsibilities

General opinion and thought-leadership

Are you ready to implement GRC 10?

A lot of help from my friends

If I had it to do all over: looking back on GRC 10 projects

Lessons learned from SAP GRC projects

Remediating Access Control SoD Risks

Internal Controls - a step towards strong controls

Defining Mitigating Controls / Compensating Controls

IT Control Testing - SOX Compliance

A #GRC tool is just part of the solution

GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

NWBC screen layout options for GRC

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Configure LaunchPad for Menus

Customizing Access request and approval screens in GRC Access Control

Issues, Bugs in GRC SP13 - Related Fixes

General tips to help in troubleshooting scenarios

Access Control Debugging tips

SAP GRC AC 10.1 - Enhancements

HR Triggers

Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool

GRC Access Control - Compliant User Provisioning: HR Triggers

Debugging HR Trigger - GRAC_HR_TRIGGER_EVENT_RECIEVER

Debugging HR Trigger - Simulation

Debugging HR Trigger - PA40 changes to infotypes

MSMP Workflows

AC 10.0 - Customizing Workflows for Access Management

MSMP - Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility

LDAP

Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control

LDAP Group parameter mapping.. what does it mean?

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

Access Control with Identity Management (IdM)

SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management

SAP Access Control 10.0 Interface for Identity Management

Access Risk Analysis (ARA)

ARA - For the new kid on the block

Rule set - Rules & Rule Types

Business Risks / Rule Set

Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

How to set up a Configurable Business Rule

Online vs. Offline Risk Analysis

Creation of Mitigation Controls in GRC 10.0

Organizational Rules in GRC Access Control

Mass change of Mitigation Assignments

SAP GRC AC 10.0 Alerting

The Action Usage Sync job in technical details - GRC Access Control 10.0

The Repository - GRC Access Control 10.0 

Access Request Management (ARM)

ARM - For the new kid on the block

AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

Approve/Reject Own Requests

How to Change Subject Line in SAP GRC Email notification

Recommendations for using Business roles provisioning in access request

Configure Manager Look-Up in ARM for GRC 10

Role Search Screen Enhancement – GRC 10

Terminate Account - Request Process - GRC 10

Creating Access Request: Template Based Requests and Configuring End User Personalization forms for use with Access Requ…

GRC Request with both System and Role Line Items

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Access Control: - Create Access Request Using Web Service in GRC10

Design Considerations to reduce Password Self Service (PSS) Intruder Risk

User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

Business Role Management (BRM)

BRM - For the new kid on the block

Maintain Default Roles in BRM GRC AC 10.1

Role Import - GRC 10

Import Role from ECC to GRC system

Business Roles concept and usability in GRC AC10 

BRM Default Approvers via Condition Groups

Emergency Access Management (EAM)

EAM - For the new kid on the block

Usage of EAM

EAM - Provisioning Strategies

ID-Based Firefighting vs. Role-Based Firefighting

AC 10.0 - Centralized Emergency Access

Configure Emergency Access (EAM) in GRC 10

De-centralized EAM GRC 10.0

EAM - Approve through Wrokflow

Emergency Access Management Reporting

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

See also

SAP GRC Process Control - Useful Documents, Blogs, Resources, etc.

SAP GRC Risk Management - Useful Documents, Blogs, Resources, etc.

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.

Legend

	SAP SCN Documents
	SAP SCN Blogs
	SAP Wiki

Please help in updating the collection so that new users can get a well structured overview for their information.

Best regards,

Alessandro

Hello "Support",

We are trying to configure User Search and User Details Data Source like this:

User Search:

1 - LDAP 1 = Looks for users at OU Users1 (OU=Users1,DC=xxx,DC=xxx)

2 - LDAP 2 = Looks for users at OU Users2 (OU=Users2,DC=xxx,DC=xxx)

3 - HCM = Look for users at HCM

User Details:

1 - LDAP 1 = Looks for user details at OU Users1 (OU=Users1,DC=xxx,DC=xxx)

2 - LDAP 2 = Looks for user details at OU Users2 (OU=Users2,DC=xxx,DC=xxx)

3 - HCM = Look for user details at HCM

Parameter 2050 is configured with "NO" due to the multiple LDAP´s connections.

I have two major issues here:

1 - At transaction LDAP I can consult both LDAP connections and see the respective users.

1.1 - When I run the program GRAC_ROLEREP_USER_SYNC to synchronize the Users LDAP 2 doesn´t sync anything (it is working at tx LDAP). This LDAP has a lot of users, much more than LDAP1 wich runs at the same AD, just two differente OU´s.

So, at this point the problem is why users are not synchronized for LDAP2.

2 - When I open an Access Request I can find users for LDAP1. But User Details are not filled automatically.

Someone can please help me with this?

Thanks in advance,

Pedro

Hi Everyone,

In GRC 10.1, when the approver gets an email to approve or reject a request, everything looks fine, but there isn't a button to either reject or deny the request. I have attached a PDF below of the task settings in the workflow, and the access approval page (I realize the approval is out of date, but it was active at the time of the screen capture).

Thanks

Hi All,

I have few queries regarding business roles. I have joined a project where they are using business roles for provisioning and this project went live recently.

I have joined as part of support team and found few issues regarding business roles.

Anyone out here who already came across my queries please help me to understand. Currently they haven't given me the access as it takes at least 2 weeks to complete initial KT.

I have went through the below note as well

1981001 - Recommendations : Using business role provisioning in access request

1. Users here select business roles for provisioning. But during role removal request is being raised with single roles as role removal happens because of termination and there is a job which creates access request for role removals and this job uses single roles while raising access request as there is a IDM webservice used for this purpose and Business roles are not supported with that webservice.

If provisioning is happening via business roles and de-provisioning happening via single roles, what kind of implications arise?

2. Business roles are being modified regularly. Today there will be 10 roles and assume that they have added in 2 more new roles then the process they defined here is the users who already requested this business role should individually request for those 2 new single roles. Some how implementation team has convinced the client to accept this process.

I assume that this scenario will create lot of issues as Business role definition changes for User-ROLE assignment stored in GRC tables.

My query is: If the user who initially requested business role with 10 roles and then later requested 2 roles individually, if he raises an access request for the same business role removal, Will it remove 10 roles or 10 + 2 new single roles = 12 roles ?

3. I understand that there is a parameter 4019 provided by SAP specially for Business roles. Can someone explain me how this parameter works to maintain consistency in repository?

4. Also here they have Portal Sync job running regularly but SAP suggests don't run portal sync if you have portal roles as part of Business roles as the validity dates maintained in GRC repository wipes off.

Can someone explain me what kind of implications this can cause?

~ Madan

Hi, We will be getting a request for risk analysis with a user id, single and/or multiple roles from a non-SAP system into GRC. To generate the risk analysis we are planning to use GRAC_RISK_ANALYSIS_WOUT_NO_WS service and activated it. In our testing in GRC system,  the Endpoint function module GRAC_IDM_RISK_WOUT_NO_SERVICES for this service is not returning any data even though we are giving all the mandatory parameters as needed as per the documentation of the service. We tried executing it with OBJECT_TYPE = ‘USR’, OBJECT_ID = user id and the valid connector ID. It is not returning any values. We also tried executing it for Role, by giving OBJECT_TYPE = ‘ROL’, single and/or multiple valid roles in OBJECT_ID, with ROLE_TYPE = 1, 2 or 3 and a valid connector. Still it is not returning any values. It doesn’t give any error messages too. We also activated GRAC_RISK_ANALYSIS_WITH_NO_WS in GRC and created an access request in GRC system with the above values. The endpoint function module GRAC_IDM_RIS_WITH_NO_SERVICES returns the risk analysis correctly. We don’t want to create access request in the GRC system for the incoming request for the risk analysis from the non-SAP system. Hence decided to use GRAC_RISK_ANALYSIS_WOUT_NO_WS service. We want to use this service to get the risk analysis by user and role(s). Has anyone used this service? Any advice on what needs to be checked and how the input parameters to be passed to get the desired risk analysis data? Appreciate any help or direction. Thanks, Ram

Hi All,

we got one assignment from our customer to integrate SAP Business objects to SAP GRC 10.0, could you please let me know how can we integrate GRC with SAP Bo. requirement is for Risk analysis and user provisioning.

Hello  Experts,

I am working on GRC 10 EAM configuration at SP07.

The EAM Firefighting scenario is working on ie.Firefighter can login to backend R3 system and performed

FF activities but when i update the FF Logs GRC system doesnt show any logs in the system.

The logs are present in R3 system in STAD, CDPOS, SM20 etc.

The TIme Zones are same in both GRC and R3 system.

But Except Table GRACFFLOG.

NO other Log related table is getting updated after running log update Sync job successfully.

Please let me know if anybody has faced this issue or any advise on what is need to be checked.

Any help is much appreciated.

Regards,

Yatin Phad

Hi All,

We have an issue with escalation at Role Owner Stage.

I have enabled escalation to Alternate Role Owner after 5 days, if the role owner hasn't approved.

Now that my request has 4 roles, out of which 3 roles are approved and 1 role is pending approval.

Once escalation criteria is met, only the role which is pending approval should escalate to alternate role owner.

Instead all the roles (which are already approved) are being escalated to alternate role owner.

We have already implemented the below SAP notes. We are on GRC SP13.

2008881 - Approved request items are also escalated alongwith unapproved items

2000779 - UAM: Esclation on roleowner stage not working properply

Experts please help me in getting this issue fixed?

~ Madan

Dear Experts:

One question: Access Request Creation: As per current MSMP settings we have; escalation after 4 days for the role owners. Our roles have no alternate approvers - so, I am sending the escalation requests to the same role owners again. (GRAC_MSMP_ROLEOWNER_AGENT) - If I use GRAC_AR_ROLE_ALT_APPR agent - it takes escape route. (Message: Approver not found; Applied Escape route)

Issue: NOW, if a request is created for 3 roles and 2 of them has approved before escalation and one is still pending, - after escalation, the request goes to all 3 of them again - instead of PENDING approver only. So, all the role owners have to approve the same request again - which is double work for them.

What agent should I use in MSMP? Any idea? OR - what should I be doing to send the escalations to the remaining approvers only??

Please advise.

Regards

Ashish

Hi Experts,

I have a small problem when selecting any role through transaction NWBC by the GRC-AC.

By clicking on the options, role access, the screen simply loading and does not generate any response, ending with the 500 error.

The browser has the standard size (100%) and the tests were done in 3 browsers.

Thanks for help

Hi all,

The Task setting at stage level(there is only 1 stage) is 'System and Role' is shown below. There are 2 roles in my request. one has role owner, and the other does not. but the request goes to Escape path. what can be the reason. I have tried with level = role. but request still follows escape path

Hi,

we have a problem with the "User Analysis" Access Dashboards. When I select  a System which represents one SAP System everything is working fine. But we have also some connector groups. If I select a connector group the Dashboard shows always "No Violations". But there are definitely violations.

I can see no error in the log of Report GRAC_BATCH_RISK_ANALYSIS.

Does some know this problem?

Best Regards

Markus Spann

Hi Experts,

I was trying to find out how many users/owners have invalid logs in search request, but I can't find any tool or table that can give me this kind of information.  I'm running GRC 10, SP14 and only AC is running.  When I go to search request  and look for decision pending logs I received 700 decision pending logs, but I don't know how many are there invalid logs and unless I ask all owners to open up their logs and find out which ones are invalid ones. The error option didn't give me anything, so that means invalid logs are not error ones.

Please let me know if there is any way we can find out that among 700 logs which ones are invalid logs and who are the owners of these logs.

Thanks in advance

Regards,

Faisal

Hello all,

we are still using the GRC 5.3 in paralell with the GRC 10 ( Migration Phase )

I have installed the patchelevel for the SP 18 and its Level 24

after the installation we got the Error Message

Error processing your request, Request no: ******** in stage : S_BUSINESS seems that the approvament

doesn't work anymore

does someone knows this Erros MEssage ?

is this because of the Patch level 24 ?

Best regards

Vito

We have a two test system, one is GRC System (Source), second one is target system (ECC) . On both the system GRC Component GRCFND_A  and GRCPINW (SAP GRC Plug in) is installed.

I am facing issue while doing the post installation activities and establishing the connector . Please suggest.

Hi everyone,

Setting up the BRM, Mass Role Derivation i came accross the following problem.

The generated derived role contains no org-level values, which have been defined as follows:

The values are defined here:

Thanks for you support in advance.

Regards

Pourang