I'm trying to create a schedule for rule set but I'm getting a performance issue(CPU usage to 100%).
1) Rule Sets -> Legacy Automated Monitoring - > Monitoring Scheduler
2) Choose SOX on the Regulations field
3) Click Create Schedule
4) fill up the fields
5) On the Select Controls part -> Click Add button and it's just hanging and consuming the whole CPU usage
Do you know what notes to implement?
Thank you.
Regards,
Jenilyn
Dear all.
I want to implement a Initiator BRF+ where one of the entries values into the Decision table is the field Request For which appears into the Access Request form . Please see image below:
I have been searching inside some structures like de GRC*REQUEST*HEADER but i cannot see this field.
Thank you.
Sara.
Hello Gurus,
I am using Function Approval Workflow in RAR to initiate approval process after making changes to Functions. Everything works fine and whoever is set up with Function Approver role can go in and approve/reject the change. Since GRAC_FUNCTION_APPROVER agent is of PFCG Roles type, whoever is granted with the Function Approver role can approve it.
How can I route the request to approvers by Business Process?
If one approver is identified for all the functions, it works fine since he/she gets the role and would be able to approve. What if I have one approver for each Business Area like BASIS, CRM, FI etc?
Thanks,
Bhanu
Hello All,
We have requirement for increasing the character limit in name description for Mitigating Controls ID's in GRC access control 10.1
Default character limit is 40 characters.
But customer wants more chaaracter limit to update name description for their mitigation controls ids in GRC 10.1 system.
Can we increase the character limit in any table or parameter.
Regards,
Karunakar
Hello Team,
We are implementing the GRC Access Control 10.1.
We have a requirement for resubmitting the rejected Fire Fighter
request
again with same request number.
Ex:
Reguester (Firefighter) has raised a request for FireFighter access,
but
FF approver has rejected the request based on some missing data (after
rejection, work flow ends), after
that requester (firefighter) has to resubmit (rejected FF request) the
same
request with same request number.
Kindly let us know, this functionality is avaiable in GRC access
control
10.1. or not.
Thanks in advance.
Regards,
Karunakar
In GRC Access control as part of Workflow approvals and reviews Managers, Role Owners, FF ID Owners and Controllers, Function/Risk/Mitigation Approvers, Monitors, Users, Requestors etc. receive various Email notifications. Based on the client’s requirements these Email notifications are enhanced and maintained. This blog is to discuss about various customizing options available for GRC notifications as well as notification variables and their limitations and scope 
For beginners below document gives details on how to customize email notifications templates in GRC
AC 10.0 - How to Customize Notification Templates for AC Workflow
Email Notification Templates - HTML Tags
1. HREF (For Email ID and URLs)
Below are the few notification variables which gets converted to URLs in the notification emails. Basically when the URL is not maintained as HREF using HTML tags, in most of the cases Emails get routed to JUNK folder in mailbox because of various special characters in the URL.
LINK_APPROVE_REJECT Link to Approve/Reject by Email
LINK_GET_APPROVERS Link to get Approvers
LINK_GET_REQ_STATUS Link to get Request Status
Eg: To make URL a HTML link use, "Click <A href="%LINK_GET_REQ_STATUS%">here</A> to view request status"
For Email ID to appear as HTML Link use, <A href="mailto:Test@test.com">Test@test.com</A>
2. BOLD and UNDERLINE
Eg: <STRONG><span style="text-decoration: underline;">GRC Notifications</span></STRONG>
3. ITALICIZE
Eg: <span style="font-style: italic;"> TEXT</span>
How to insert Company Logo in Email Notification Templates
First you need to store the Logo which you want to use in Email notifications in GRC MIME repository
Go to SE80 Tcode and click on MIME REPOSITORY. Import the Logo which you wanted to use into MIME objects repository as shown below:
Once the above activities are completed, the next step is to use the LOGO in Email notification Templates.
Note: URL for logo is no transportable and need to be individually changed in each system when notification template is transported.
Use the image source tag as shown below:
<img src = "http://my_server.my_domain/sap/public/bc/ur/MyLogo.png">
How to create New Message Class for Notification Templates
How to create new Message Class for any workflow in GRC ?
Very common requirement is customers request to have specific Email notifications at each stage individually and for such scenarios it might require creation of Custom message classes to be used at various stages in workflow and you can follow below process for creating new message classes
Example: For EAM Log Review Workflow there are no FORWARD and RETURN Message Class available.
Execute Tcode SM30
Open table GRFNVNOTIFYMSG and click on Maintain button and then click on "NEW ENTRIES" and maintain as below and once done click on SAVE button
Execute Tcode SM30
Open table GRFNVNOTIFYMSGC and click on Maintain button and then click on "NEW ENTRIES" and maintain as below and once done click on SAVE button
Once the above mentioned activities are completed, now the newly created Message Class can be added to your MSMP Variables & Templates Notification Templates section as shown below
Notification Variables in GRC
Each workflow process comes with a number of notification variables that are available to all notification templates that belong to it. They are displayed on the bottom of the screen in step 4, ”Variables & Templates”, in the customizing activity Maintain MSMP Workflows.
Few queries regarding Notification Variables customization especially %PROVISIONING% and %PROVISIONING_WITHOUT_PASSWORD%
For ARQ provisioning there are 2 variables which are sent along with END OF REQUEST notification( with Roles and Password details) PROVISIONING and PROVISIONING_WITHOUT_PASSWORD
These variables are standard variables which are calculated run-time.. if you are not happy with the formatting, please raise a CSS message and let SAP developer fix that for you.. there is no customizing available for it..
Other option can be to have your own custom variable created, but again that require development
2012041 - Is it possible to suppress the role details in the variable %PROVISIONING%
1854408 - Potential information disclosure relating to user password
How to create custom notification variables in GRC
In the MSMP configuration, Select the process ID and goto Step 4 Variables & Templates kindly add a Z variable.
Now in the backend GRC system goto transaction SE37 and enter the function module GRAC_NOTIF_VAR_RULE_AR. and copy this function module and
create a custom Z Function Module and add the logic for the Z variable in the function module.
Once done activate the Function Module
Open the MSMP configuration and goto Step 2. Maintain Rules. Add this newly create Z function module as a Notification Variables Rule. Also maintain this Z Function Module in the Notification Rule under Global Rules in Step 2.
Save and Activate the MSMP workflow configuration.
Now you can use the custom Z variable in the document objects.
How to modify URL shown in GRC notification variables to enable SSO
First setup Single Sing On (SSO) between Enterprise Portal and GRC system.
Once done, create a Portal iView in Content Adminstration -> Portal Content Management using standard GRC Access Control iView Template.
In the template, Application Name, Configuration Name, System, Location etc fields are maintained and once the template is maintained then PERMISSIONS need to be maintained for iView.
Once the above steps for creation of portal iview are completed, modify the URL used in the notification variables by creating a Custom Notification Variable Function module and replace the URL with Portal iView which you can work with ABAPer and Portal guys to get the details.
Once all above steps are done even the approvers can access all Approval Links in Email notifications via SSO without entering UserID and Password
Note:Deactivate password for all users in GRC System including approvers UserIDs
Looking forward for all your inputs in improving this blog with all other additional details
Thanks for reading.
Best Regards,
Madhu Babu Sai
Hi Experts
I need to Configure a Delete Access workflow in GRC AC where i have 3 requirements.
1) Lock the user and change the validity date of the user.
2) Remove the roles of the user
3) Update the user group of the user.
First two requirements are done but the 3rd one is pending.
I have updated the decision table for User defaults in BRF+ as below and also assigned the action User default to Request type DELETE ACCOUNT.
Request type(003)-> System id->Default_id(As per SPRO)
But the assignment of user group is not happening.I have read some notes that i need to create a Loop Expression for this.Can anyone explain me what is this and what is the use of this as i have already created a decison table
Thanks
Nitesh
Hello
I wanted to know if there was notification variable that contained a user's password so a notfication text could be maintained with this variable.
Our requirement is to not display all the roles that are in the %PROVISIONING% variable which is the one that contains the password for a new request notification, hence we need to use another variable to be able to display the password for the user.
Regards
Maria Alejandra Piedra
Hell All,
I am attempting to configure a new Org Rule in GRC Production, but there is no selectable Org Level value for BUKRS (Company Code). This is especially strange because my GRC Dev and QA systems do, in fact, have this value. The below screenshot is from GRC Prod.
The Org Level value of BUKRS is also not present within ARA Report criteria, while all other Org Levels are selectable. Screenshot below from GRC Prod.
I have confirmed that the BUKRS entry is in ECC in table USORG.
I have activated $BUKRS permission checks in my ruleset for the appropriate functions/tcodes. I have successfully generated the ruleset.
My GRC sync jobs run frequently and have no issues. I have re-run GRAC_PFCG_AUTHORIZATION_SYNC, as recommended in thread http://scn.sap.com/thread/3666212, but to no avail.
We are in the process of implementing note 1970172, but I am not optimistic. Again, I do not have this issue in GRC Dev or QA.
I have also reviewed the logs for the SP upgrades on all GRC systems, and all logs are consistent and show no issues.
If anyone has solved this issue, please share the correctional instructions.
Regards,
Ken
Hi experts!
Im working in GRC AC 10.1 SP07. I have configured END USER LOGIN services; the idea is that end user from ECC system could submit request without having user in GRC box, this is working fine but i´m experimenting next problem.
When i go to search request, those request submited by end user appears like created by Z_END_USER, this is the user in GRC that i have configured in services GRAC_UIBB_END_USER_LOGIN and GRAC_OIF_REQUEST_SUBMISSION_EU.
¿Is possible to configure that request appears "Created By" the requester and not the service´s user? I don´t think so, but if not, ¿is there any way to add the column User ID in Result screen? because it is avaible in parameters search but im not being able to add this in result screen (it´s not like hidden neither).
Parameters "Created by user ID" would be service´s user and "User ID" would be the requester.
Thanks!
Emiliano
Hello guys,
I created a new MSMP workflow for OVM(Org Val Map) approval.
I am stuck in the part that I need to create a new process type for my workflow.
it is possible to create a new process type for a MSMP workflow? If yes from where?
Thank you,
Ovidiu
Greetings experts,
What ratio or percentage of your company's or client's access requests are getting rejected?
Thanks!
Hello Experts,
I have maintained multiple languages in my GRC system in the 'Maintain Supported Languages' setting. But, these act as additional language in case the logon language is not available.
Is there any way to have multiple languages working simultaneously on the same GRC client.
Thanks in advance.
Best Regards,
Himanshu
Hi All,
This is very basic and common requirement and I am trying to map the same at my end. In pursuing so, I was following note#1615552 - Hot to Set User Default.
In this note, I came across with an action (in Step#2) to maintain User Default BRF+ Selection Rule. Below is the excerpt from note (Only step#2):
-----------------Start---------------
Step 2: Maintain the User Default BRF+ selection rule.
In transaction SPRO Open node Governance, Risk ad Compliance>Access Control>Maintain AC Applications and BRFplus Function Mapping and copy the BRF Function Id mentioned against 'User Defaults'
Now open transaction brfplus and choose menu Workbench>Open object and enter the id that you selected above (80E0ED08B0561DDFA5ADCADA787E1EDA).
Once the object is open, go to the Signature section an see that the 'Result Data Object' is USER_DEFAULT_ID.
Write your BRF+ rule so that a unique Id is returned in USER_DEFAULT_ID output structure that you mentioned already defined in step 1.
BRF+ rule will be based on the input structure supplied to the function which should be the base of determining what user id should be resulted out.
-----------------End---------------
I opened object#80E0ED08B0561DDFA5ADCADA787E1EDA in BRF+ application and I found the USER_DEFAULT_ID as indicated in the note.
It asks to write own BRF+ rule for this user default. This has raised below 2 questions for me:
1. Should I create a new BRF+ application as I created for "Initiator Rule"?
If yes, then how should I create BRF+ application for User Defaults? I mean, like "Initiator Rule", do we have for "User Default" also?
2. Should I modify 80E0ED08B0561DDFA5ADCADA787E1EDA (standard) object?
If yes, then may I know how should I modify to reflect my user default parameters?
Please advise.
Regards,
Faisal
Good day experts and fellow consultants
I am currently faced with an issue whereby I am trying to assign a subprocess to an organisation in the "Year 2015" timeframe and once submitted the subprocess' "Valid From" date is always defaulting to today's date instead of the timeframe's which should be 01.01.2015.
This is quite a problem as it removes the possibility of having consistent Master Data especially with trying to assign Business Rules to Controls and the client won't be happy with the reports.
Please see screenshots below:
Hi Experts,
With the help of audit log functionality,i see that one request is pending for approval with one of the controller.
But, the same request is not visible in his inbox for approval. Approver is getting e-mail reminders,but no request to approve.
We are in 10.1,SP6.
Is it fine to follow directions as per note :
Please guide.
Thanks,
Mukul
I am receiving calls from access request creator saying they are getting error message when they copy and paste text from MS Word to role comment box. If they use the notepad they don't have any issues at all.
Error: "The ASSERT condition was violated"
Helly guys, again,
I have created a new custom workflow.
When I am trying to test the new workflow i have some errors: Incorect path and stage entry for process XXX.
Can you help me?
Thank you,
Ovidiu
Hi All,
We have a workflow set up for HR Trigger. Recently for HR Separation, we are getting the error saying The alias <alias_name> already exists in <RFC_Connection>. When I checked in the plugin system, that alias is assigned to some other user id ( not to the user id for which this request is raised ). But interesting thing is that No Alias is assigned to the user id to which the request is raised. In fact I do not understand why is the alias coming into picture here.
Any help/advice is greatly appreciated.
Thanks and Regards,
Fazil
Hello,
We are configured the system GRC AC 10.1 according the configuration guides.
After configure the Access Risk Analysis for User Level/Role Level/Profile Level... no output data will be displayed. We use a user test with roles and rules created for test this situation and no results are displayed. The same happens for the rest of real users.
We try to execute the risk analysis both in on line or offline mode but with the same result.
What could be missing? I found a lot of SAP notes for this particular problem specially for GRC 10.0 nut none for GRC 10.1.
Follow I send some information points:
Components
SAP GRC AC 10.1
SP v007
GRCFND_A V1100 SAPK-V1107INGRCFNDA
GRCPINW V1100_731 SAPK-11507INGRCPINW
Configuration steps
This tables contain entries:
GRACUSERCONN
GRACRLCONN
GRACACTRULE
This tables does not contain entries:
GRACUSERACTVL
GRACUSERPRMVL
Jobs executed:
GRAC_PFCG_AUTHORIZATION_SYNC
GRAC_REPOSITORY_OBJECT_SYNC
GRAC_ACTION_USAGE_SYNC
GRAC_ROLE_USAGE_SYNC
Best Regards for all.
PC