Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)

ARQ: BRF+ Rule for User Defaults???


Hi All,

 

This is a very basic and common requirement and I am trying to map the same at my end. In pursuing this, I was following note#1615552 - How to Set User Default.

 

In this note, I came across an action (in Step#2) to maintain the User Default BRF+ Selection Rule. Below is the excerpt from the note (only step#2):

 

-----------------Start---------------

Step 2: Maintain the User Default BRF+ selection rule.

 

 

In transaction SPRO open node Governance, Risk and Compliance > Access Control > Maintain AC Applications and BRFplus Function Mapping and copy the BRF Function Id mentioned against 'User Defaults'.

 

 

Now open transaction brfplus and choose menu Workbench>Open object and enter the id that you selected above (80E0ED08B0561DDFA5ADCADA787E1EDA).

 

 

Once the object is open, go to the Signature section and see that the 'Result Data Object' is USER_DEFAULT_ID.

 

 

Write your BRF+ rule so that a unique Id is returned in USER_DEFAULT_ID output structure that you mentioned already defined in step 1.

 

 

BRF+ rule will be based on the input structure supplied to the function which should be the base of determining what user id should be resulted out.

 

-----------------End---------------

 

 

I opened object#80E0ED08B0561DDFA5ADCADA787E1EDA in BRF+ application and I found the USER_DEFAULT_ID as indicated in the note.

 

It asks to write own BRF+ rule for this user default. This has raised below 2 questions for me:

 

1. Should I create a new BRF+ application as I created for "Initiator Rule"?

  If yes, then how should I create BRF+ application for User Defaults? I mean, like "Initiator Rule", do we have for "User Default" also?

 

2. Should I modify 80E0ED08B0561DDFA5ADCADA787E1EDA (standard) object?

 

  If yes, then may I know how should I modify to reflect my user default parameters?

 

Please advise.

 

Regards,

Faisal


What can be done to decrease the ad hoc report run time?


We are processing a weekly ad hoc report in background to show the unmitigated users within our production systems.  Currently the report for our HCM production system runs for at least 3 days.  We have about 116,000 users in the HCM system.  We are running GRC AC 10.0 SP16.  Our Basis resource performed a trace on the job and saw that the background process performs a full scan on the GRACMITUSER table and suggested that an index be placed on this table and that the query be updated to work with an index.  Is this a normal resolution? 

 

Any insight you can give into this issue is appreciated.

 

Thanks --

Sara B.

Ad hoc Risk Analysis report is returning incorrect Risk Level for some Risks



We are running GRC AC 10.0 with SP 16.  After application of Support Pack 16, some of our ad hoc risk analysis reports are returning incorrect risk levels.  For example:  Risk F024 Open closed periods and inappropriately post currency or tax entries is set as High.  When the Ad hoc report is run, the risk F024 will show on a user with a level of Medium.  We have generated our ruleset and have followed the normal procedures used to implement the support pack.  Any ideas what is causing this issue?  I have exhausted my knowledge and search attempts.

 

Any help is appreciated.

 

Sara B.

BRFplus rule to assign role to position where position has no roles assigned


Hi GRC gurus

 

I have a requirement where, if a valid position does not have roles assigned, GRC should assign default ESS roles to the position. Please advise if this is possible and how I would do this in BRFplus. Would it be possible to build this in the HR trigger application provided by SAP? This should work in cases where users are promoted, change positions, etc. Your guidance in this will be appreciated.

How to delete backend system data from GRC, GRC 10 AC


Hello experts,

 

We have connected multiple ECC systems to GRC by creating connectors with respect to each system, and we are currently using them. Now, due to some reasons, the customer has requested to delete the complete data of one of the ECC systems from GRC.

We are using only Access Control with all components.

Please suggest how to delete all relevant data from the GRC system.

 

Thanks

GRC Admin

SAP GRC Risk Management 10.0 certification code


Hi

I am planning to do certification in SAP GRC Risk Management 10.0. Please let me know the code.

 

Regards,

Varun

"Sequence number already exists in table" maintaining Data Sources


Hi fellows, I am setting up a new connector in GRC 10.0, but when configuring the connector for the User detailed Data sources I get the same error: "Sequence number already exists in table".

 

I have tried with over 200 numbers which I know for sure are available and still get the same error. Where can I find the table with this information?

Can the information be removed to clean up table space?

 

Thanks for your help!!!

GRC 10 Custom Agent Rule not working


Does anyone know what we are missing?

 

Created BRF-Plus Agent Rule for our role approvers, in BRF-Plus we are able to simulate our Rule and get the correct UserID approvers but when we add this Agent Rule into the workflow, when the request enters this stage the request just stops.  Without errors.    There is no error, (not even an error for No Approver found)  the request just stops without any error listed in the Audit Log.  The request cannot be opened even in Administrative mode.  

 

Since the Agent Rule simulation is working, we think there is an issue with adding this Agent Rule into the workflow.    When our Agent Rule was failing simulation we did get an Approver Not Found error message on the workflow.  Now there is no Approver Not Found message but no approver can enter this request when it enters this stage.

 

Here is our Agent Rule

  • Business Process from Request, Functional Area from Request, System and Role from line
  • We have our role approver listed as UserID and Recipient

 

Any idea what we might have missed? 

 

2: Maintain Rules

We added the Rule ID (long number of Function), Rule Description, Rule Type as BRFPlus Flat Rule (line by line), Agent Rule

 

3: Maintain Agent

We added this with an Agent ID, Agent Name, Agent Type: GRC API Rules, Agent Purpose: Approval, Agent Rule (that long number of Function)

 

5: Maintain Path

This agent rule is in the second stage for a path.  (The request enters the path and passes through first stage Manager fine so Initiator  and Routing Rules are fine.)

The Agent ID is showing up in the Agent ID column.  Every column that the first stage has filled out, has something on this stage.  Therefore we assume nothing is missing from the stage set up.

 


Issue with GRAC_UPLOAD_MIT_ASSIGNMENTS


Hello!

 

I'm having problems while trying to upload mitigation roles using the GRAC_UPLOAD_MIT_ASSIGNMENTS program. These were downloaded from our development system using GRAC_DOWNLOAD_MIT_ASSIGNMENTS; however, when we try to upload them in our quality system the following error is shown:

 

"I:GRAC_SOD_MESSAGE:628"

"Invalid Role: XX_XXX_XXXX at line number XX"

 

 

There are some mitigated roles which were updated via NWBC in our quality system, and when we do a download and upload these are imported successfully; however, if we use the file that we have from our development system it will not take them.

We already ran a full sync in all our connectors as per note 2011870 but the problem still persists.

 

I compared both .txt files and the format looks the same, additionally if we put any additional roles in the file that we download from quality it will import the roles, but when it gets to the new records which were inserted it will throw the error message.

 

 

The format is the following:

System  Risk ID  Rule ID  Control ID  Valid From  Valid To    Monitor  Status  Role
*       X03Y*    *        XMR0000130  11/08/2013  11/08/2015  USERID   X       XX_XX_XXX_XXXX

 

We are currently using GRC 10.1 SP-Level 6

 

 

Thanks in advance for your help and suggestions

Logs of FireFighter user dont sync


Hi experts,

 

I need to obtain the logs of emergency users from the backend system. For this reason, I execute the program GRAC_SPM_LOG_SYNC in SE38.

 

The program runs with error: "LOAD_PROGRAM_NOT FOUND"

 

 

 

 

 

 

 

Thanks and regards.

 

Claudio

BRF+ For User Defaults


Hi everyone,

 

I followed the guide on setting up user defaults but I'm having some trouble with it. Basically, I followed this guide.

 

User Defaults - GRC 10.0

 

Now in that guide, it shows that a loop must be created as well as a ruleset, but it doesn't show what should go into the ruleset. 

 

When I create the loop,  here's what happens.

 

2015-04-23_15-25-17.png

 

Do you have more information on getting this application for user defaults setup?

 

Thanks,

Santosh

User Access Review - Custom User Agent using BRF+


Business Scenario


In one of the GRC projects I have worked for, the client's requirement is to send the User Access Review Workflow to User for review at First Stage and then to Manager for review. Since there is no standard User agent provided by SAP, we developed a custom user agent by making use of BRF+ functionality.

 

BRF+ Agent Design

 

As per the User Access Review process, first the UAR request generation job is scheduled, which will generate the requests, and then the UAR Workflow update job is scheduled, which will push all UAR requests into workflow, and then they go to the corresponding workflow path and stages.

Since "User Agent" is requested by the client, now "User" also becomes one of the GRC Approvers and hence "User" should exist in the Target system and the GRC System as well.

Once the requests are generated by the "UAR Request Generation" job, these requests will be stored in GRC table "GRACREVITEM - Review Request Related Items".

 

In our UAR User Agent design we used DBLOOKUP functionality to the table GRACREVITEM to get the result as UserID based on the UAR Request ID.

 

BRF+ Agent Configuration


You have to generate the BRF Rule via Transaction SPRO in GRC system. Follow the below steps in your GRC system.

Run the transaction SPRO, Go to IMG => Governance, Risk and Compliance =>Access Control =>Workflow for Access Control  => Define Workflow related MSMP rules.

Or

Directly execute Tcode GRFNMW_DEV_RULES


  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)


 

Click Execute or Press F8. This now generates a successful message for BRFPlus Rule with name and ID. You can run BRF+ Tcode and can check the newly created BRF+ application there.

 

 

Functions Signature Update


In BRF+ function, change the mode to “Event Mode” and activate the function as shown below.

  • Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
  • In “Signature” tab of BRF Function, change the result data object to GRFN_MW_T_AGENT_ID

 

Create Ruleset in BRF+ Application


Create Ruleset in your BRF+ application by clicking on “Create Ruleset” button under “ASSIGNED RULESETS” tab of function. Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework.


Create Rule within Ruleset - Create Expression of Type “Loop”


  1. Click on “Insert Rule” button to create new rule
  2. From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
  3. Create expression of type “Loop” and provide suitable name and description.
  4. Loop gets created as shown below. Processing Mode and Loop Mode maintain as mentioned below.

 

Create Rules within Loop Expression


First Rule


a. Request ID field which we use in this particular agent rule is sent with prefix as "ACCREQ/REQ_ID". Before doing DBLOOKUP the prefix has to be removed and only "REQ_ID" should be sent to DBLOOKUP. To achieve this, I used "FORMULA" expression with SUBSTRING function.


 

b. Once the Request ID field is trimmed, this Request ID field is used in DBLOOKUP and gets the UserID. The second rule is to create DBLOOKUP for table GRACREVITEM.


 

 

c. Each LineItem in BRF+ needs to be assigned to context parameter ITEMNUM as we didn't initialize the LineItem key.


 

Second Rule


Second rule is used to assign value to context as shown below. This rule will be included in your loop for inserting the values into Agent ID table after processing each LineItem.


 

Finally Loop expression will have all required rules as shown below.

 

 

Once above rules creation is done, activate your expressions REMOVE STRING, DBLOOKUP, LOOP, FUNCTION and then check by simulating your function by adding Line Items rows and enter any Request_ID from table GRACREVITEM and check if your agent is returning correct results.



 

After verification this BRF+ agent can be used in the MSMP UAR workflow and your UAR requests can be routed to Users for Approval/Notifications.



Looking forward to all your feedback.

 

Thanks for reading.

 

Best Regards,

Madhu Babu Sai

Agent Rule in UAR


Hi Experts,

 

I am looking to create an Agent Rule (BRF+/ BRF+ Flat) for the UAR MSMP Process. The purpose is that, the users will be notified via email when any role is removed from their IDs. Appreciate your help in creating the BRF rule to identify 'Users' as the Agent.

 

Thanks,

Sajib.

Performance issue in planner and planner monitor, GRC10 PC


Hi,

 

It is taking more time to open the planner and planner monitor in NWBC. How to improve the performance of planner and planner monitor?

 

Any suggestions to improve the performance.



Thanks

GRC Admin

GRC - Error in generating BRF Agent Rule


Hello Gurus,

 

I am trying to generate a BRF Agent Rule but am unable to activate MSMP workflow corresponding to that:

 

Error in MSMP Workflow while activation:

 

1)    MSMP process SAP_GRAC_ACCESS_REQUEST_HR version IMG Configuration Tables contains errors

 

2)    Abap dictionary data object binding is out of synchronization

 

Below are the screen shots of my BRF Rule configuration. I have created a procedure call which is tied to function module..


GRC PC: Unable to set connector and status in system which receives Business rules


Hi Experts,

 

I have prepared and transported an ABAP Report type data source and business rule from system1 to system2. Now, in the system2 I am trying to set up the status and connector for this business rule but always encounter the error "cannot set status to active; Data Source status is not active" even though the task of this configuration is to set it to active.

 

Can anyone please provide any inputs on how to resolve this issue?

 

Thanks in Advance.

 

Best regards,

Himanshu

Doubt on User default


Hi All,

I have tried to understand and replicate the screenshots at User Defaults - GRC 10.0 , but could not understand Loop and Ruleset.

 

- Function USER_DEFAULT_FUNCTION is calling Ruleset, and Ruleset has the operation "Change USER_DEFAULT_ID after processing expression LOOP_CONNECTOR_ITEMS".

So, could you say to which value USER_DEFAULT_ID will be changed, and what is meant by "after processing expression LOOP_CONNECTOR_ITEMS"?

 

- I could not understand the logic of the loop.

 

as.png

 

- Also, George's screenshots are not in sequence. He first adds condition 'then'. Why not 'if'?

 

Could you please suggest, as I have to review a User default setting.

 

regards

Plaban

No Rules were selected


Hi,

 

We are on GRC 10. SP13.

When performing risk analysis we are getting no violations (the user selected has SAP_ALL access in the plug-in system).

Then we ran batch risk analysis and are now getting "No Rules were selected".

Following step by step from the Post installation to 1st risk analysis document:

Configuration is done, connectors are linked with Auth scenario.

I downloaded and uploaded the SOD rules, and uploaded them to both logical and actual connectors.

Generated the SOD rules both in SPRO and NWBC; still the issue is not resolved.

I have searched this forum and found similar issues for other users but have not seen a solution for their problems.

I would appreciate it if you can let me know what steps I am missing, or whether this is a program error and there is a SAP note to correct the issue. Thanks.

 

 

Regards,

Vijay

Access Control End User Verification Logon Fails


Hello experts,

I configured LDAP as the authentication source and set end user verification to YES. But when I try to log on to the end user page with an LDAP user and password, I get the error "Invalid user credentials". When I set end user verification to NO, I can log in without a password and reach my profile page. My customer wants to use this system to use pss, and it is urgent for them.

Can you advise me what to do, please?

Best regards,

Begüm

Does GRC 10/10.1, pull the users, without sync, from LDAP/AD


Hi All,

 

All new users in my org. get added to LDAP/AD first. Thereafter I create new users in plug-in systems. So, in the access request, while creating a new ID, I will search for the user ID. Could you suggest whether a sync from LDAP/AD is required to find this user ID in search?

If so, I think it would be through the Rep. Sync job, with Connector as the RFC name defined for LDAP/AD.

 

Regards

Plaban
