Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)
Viewing all 5097 articles

UAR- Role Removal Comments Mandatory


Hi Group,

 

I only want to set comments mandatory for role removals in User Access Review. Currently the comments are mandatory for both removals and approving roles.

 

Current System Information

 

GRC Version 10.1

SP-07

 

I had to set the Approval Type as Complete Request since earlier we had a few reports coming up empty and SAP recommends setting this as Complete Request. Is there any way only the comments become mandatory for rejections, or is there any way we can make the column "Reason" mandatory for role removals in screenshot 2?

 

Currently the approver hits the comment button on the top and can comment for the entire request. This approves the request.  Need to set it at line item level for role removals.

 

Regards

Sharma


"Copy request" doesn't copy line items


Hello colleagues,

I got a new 'old' problem many times discussed on the forum. However, I hope that you will not blame me for the well-known issue.

While copying a request, line items (roles or systems) are not being transferred to it.

What I've done trying to resolve the issue:

1) Search notes. Found 2018976 note, but the note is quite old for my SP level:

COMPONENT                  RELEASE EXTRELEASE
GRCFND_A                   V1000  0020
PI_BASIS                   702    0017
SAP_ABA                    702    0017
SAP_BASIS                  702    0017
SAP_BW                     702    0017
ST-A/PI                    01Q_7000000000002
ST-PI                      2008_1_700 0012

And it contains reference to other notes that are also not applicable for me

2) Find logs. No issues were found in the logs.

3) Google. Found many references to the forum (for example), but the solutions also contain old notes (for previous releases). Trying to resolve the problem at least with roles, I reconfigured the system for role status (PRD changed to PRO) and updated the test role in accordance with the following recommendations; unfortunately, it was in vain too.


Does anybody have any ideas where the problem can be?


Regards,

Artem

Enterprise Portal Integration with SAP GRC 10.0


Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM, SAP  Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered Web services installed on the SAP Enterprise Portal for integration.

 

A step-by-step guide demonstrates the required configuration to integrate SAP Enterprise Portal with GRC 10.0.


Step 1:-Deploy the AC 10.0 web service; you will then find the following in WS Navigator.

Pic1.jpg

 

Step 2:-Create a G type SM59 connector. This will connect to the above web service for AUTH extraction and password generation.

pic2.jpg

 

 

Step 3:-Create a G type SM59 connector. This will connect to EP’s SPML interface for PROV.

 


Pic3.jpg

Step 4:-Maintain the Logical port for WS connector in tx LPCONFIG.

 

Pic4.jpg

Pic5.jpg


Step 5:-Maintain Connector and Connection Types.

Pic6.jpg

The WS connector is attached to the LPCONFIG endpoint. The SPML1 logical port is the same as the Target Connector.


Step 6:-Define the EP Group (this will be used in field mapping). See SAP Note 0001981001.

Pic7.jpg


Step 7:-Attach both the connectors (WS and SPML) to AUTH scenario.


pic9.jpg

Make sure that the following classes are attached to the scenario.


Step 8:-Do same for PROV scenario.

Pic10.jpg

Step 9:- And for ROLMG scenario.

Pic11.jpg

Step 10:-Set as Production system.

Pic12.jpg

Step 11:-Create the group field mapping.

Pic13.jpg

Default connector is the one which will make a runtime call to get the F4 for system field names in figure below.

 

Pic14.jpg

Define the field mapping for the group applicable to all the system in that group (F4 from default connector)

 

Pic15.jpg

Define the technical parameter mapping .


Step 12:-Synchronize EP SPML Schema.

Pic16.jpg


Connector is the one for SPML we earlier created


Step 13:-Now sync user, roles, auths from EP.

Once you start provisioning, continuing to run this sync causes inconsistencies. You should switch to the 'GRAC_ROLEREP_ROLE_SYNC' program.

 

The following important points need to be considered:

 

1. You don't need to sync Profiles with NetWeaver Java, as they don't exist on Java stacks.

2. If you continue to sync Users after your initial sync, i.e. after you start provisioning from GRC, your GRC data will become inconsistent. These inconsistencies arise because GRC maintains validity dates for User, Role, and the relationships between these, whereas NetWeaver Java does not hold this detail, so a future User sync will overwrite the validity information in GRC with blank entries.

 

pic17.jpg

This is from WS connector.


Step 14:-Deploy GRC Portal Content: the add-on portal business package GRC_POR, which contains the GRC Portal UI elements used to access the GRC suite.


Step 15:-Deploy the GRC Portal Plugin (GRCPIEP) (mandatory for GRC AC).


Step 16:-Set the system alias for the GRC system in SAP NetWeaver Enterprise Portal as follows:

                  SAP-GRC

                  SAP-GRC-AC

                  SAP_GRC (in case of issue, faced by me in SP8)

                  SAP_GRC_AC (in case of issue, faced by me in SP8)


*If GRC PC is activated, the system aliases must be SAP-GRC & SAP-GRC-PC; for GRC RM, SAP-GRC & SAP-GRC-RM.


Step 17:-Create the same user in both GRC and EP and assign the following Portal Roles to the user.

                a. GRC Access Control

                b. ERP Common

 

       Assign the required GRC roles to the user in the GRC system.

 

*If GRC PC or RM is activated, assign the GRC SUITE & ERP COMMON Portal Roles to the user, and additionally GRC Internal Audit Management if the user requires it.

 

 

 

Procedure for creating a user in the Portal for accessing GRC roles.

 

1. Log on as portal user administrator and access the User Administration function.

2. If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3. After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers. [Only if GRC AC is activated.]


Hope this  was useful. Please use the comments section to share your feedback and questions.

GRC ARA: Issue with Access rule detail report


Hello Experts,

 

There is an issue with the Access rule detail report.

 

When I try to see Report & Analytics  ---> Access Rule Detail Report, I am getting the following options


1) System : Here, I am selecting our ERP system

 

2) Rule Set : I select "GLOBAL"

 

and execute it. The output is nil/blank.

 

 

But when I try to run the same with the following inputs

 

1) System : *


2) Rule Set : I select "GLOBAL"

 

I am getting the result.

 

 

Any help is highly appreciated in this regard.

 

Thanks in advance.

deepak

MANAGER = ROLE OWNER - Multiple Line Items - GRC 10.0


Hi All,

 

We have a scenario where if MANAGER and ROLE OWNER are same then request should go to PATH A

 

If MANAGER and ROLE OWNER are different then request should go to PATH B

 

I have implemented DBLOOKUP and it is working fine.

 

Assume that User requested 5 roles and each role has different role owner and one of the role owner is same as User Manager.

 

Now only that role should not go to ROLE OWNER stage and should go to GRC ADMIN stage and remaining four roles should go normal path ROLE OWNER -> GRC ADMIN

 

I have created an Initiator rule using DBLOOKUP where if MANAGER = ROLE OWNER it goes to PATH A, else it goes to PATH B

 

PATH A - MANAGER -> GRC ADMIN

PATH B - MANAGER -> ROLE OWNER -> GRC ADMIN

 

So my scenario is failing as MANAGER = ROLE OWNER even for one LineItem my request goes to PATH A.

 

Has anyone come across a similar scenario? Please provide your valuable suggestions.

 

Regards,

Madhu.

FF Login notification shows FF User id instead of FF Owner id against FF Owner in Decentralized FF


FF Login notification shows FF User id instead of FF Owner id against FF Owner in Decentralized FF:


I believe the document ID being used is "/GRCPI/GRIA_SPM_NOTIFICATION" in the target system (ECC). The standard content in the document ID is as below in (1), but the mail notification sent to the controller results as in screenshot (2). Please update on issue note fix if any.

 

We are on GRC 10 SP16.


(1)


Dear %RECIPIENT%,

 

The login notification details for the Firefighter ID %FFOBJECT%  in system %CONNECTOR%  using Reason code  '%REASON_CODE%'  is as follows :

 

Firefighter:              %FF_USER%

Owner:                   %OWNER%

Date & Time: %LOG_TIME%

Reason code: %REASON_CODE_DESCN%

Activity:              %ACTIVITY%

 

 

Kind Regards,

Access Control Administrator


(2)


Dear XXXXXXX,

The login notification details for the Firefighter ID XXX_FF_ABAP in
system X20CLNTX00 using Reason code 'Critical XXXX issues' is as follows :

Firefighter: Shasxxxx
Owner: Shasxxxx
Date & Time: 11.09.2015 16:47:40
Reason code: test
Activity: test


Kind Regards,
Access Control Administrator


Regards,

Arun

Part 2:How to create Policy in Process Controls-GRCV10.0


Continuing from Part 1: How to create Policy in Process Controls-GRCV10.0

 

Select Policy group and click on Create Policy

 

 

The policy category can be selected from the drop-down; the available categories are maintained in SPRO:

SPRO>GRC>Common component settings>Policy Management>Maintain Policy Categories

And select the organization from F4 list


 

Tab:Policy Document

Go to Policy Document and attach the policy document (the file should be small in size)

 

 

Tab:Policy Scope


Go to Policy Scope

Apart from the responsible organization in General tab, we can assign selected organizations, processes and People from list in Policy Scope.


 

 

Now select anyone of the organization from assigned list, then click on Processes

It now shows all processes that are relevant to the organization; select the required processes


 

Error:

 

Now go to Organizations, select the organization, open it and set Shared Service Provider to YES



Now search for Processes to Organizations


 

Now Select the Process or Sub processes, click on Activities to assign


 

Reason: No activity has been created for process/sub process

Go to Activities


 

Create Activity by Selecting organization name and Activity Category

 

Tab:Risks

 

Now go to Risks tab

 

 

Reason: No risks are defined/created for responsible organization

Risks can be created in Risk and Opportunities

Now the created risk is available in search

 

 

Tab:Controls

 

Go to Controls Tab

 

 

Regulations information will be fetched from Regulation tab of the organization

Regulation information can be pulled from sub processes assignment, which are maintained in Business Processes under Activities and Processes

 

Tab:Policy Sources


Go to Policy Sources tab

The policy sources are maintained in SPRO:

SPRO>GRC>General Settings>Policy Management>Maintain Policy Source Categories

 

Tab:Roles

 

Go to Roles Tab

The roles must first be added to the entity in SPRO:

SPRO>GRC>General Settings>Authorizations>Maintain Entity role assignments

 

These roles then appear in the Roles tab of the policy, where the owner can be assigned

 

 

Please note that in the back end, business events must be mapped to the respective roles that are assigned to users for review and approval

Path: SPRO>GRC>General settings>Workflows>Maintain Custom agent rules.

 

Tab:Review and Approval


Go to tab Review and Approval

This tab shows information about the approvers and reviewers.

 

 

Send for review and then submit for approval.


Regards

Baithi

Part1:How to create Policy in Process Controls-GRCV10.0


Dear all,

 

This document gives you basic details about how to create policies in GRC Process Control.


Regulations and Policies provide visibility into your compliance framework and access to end-to-end policy management.


 

To create a policy, we first need to create a Policy group

 

Step1:Create Policy group

 

 

 

Provide Name, Description and Select Approval survey from drop down

Approval surveys are available from the Survey Library, which is under the Assessments work center

 

 

Select the category as Policy Approval and provide other details

Note: The survey must use Policy Approval as its category; only then will it be available for a policy

 

 

Click Add to select the questions, which are defined in the question library

 

 

Select the category as Policy Approval and provide other details, Save.

 

 

 

Now we can see this survey under Approval survey drop down of Policy group

 

 

Now created policy group is available to create Policy

 

 

Select Policy group and click on Create Policy

 

Step2:Create Policy

 

 

For the complete process, see Part 2: How to create Policy in Process Controls-GRCV10.0


Regards

Baithi


No Approver found in the Access request for Risk owners?


Hi Team,

 

We have defined an ABAP class-based Agent Rule ZCL_GRAC_WFA_RISK_OWNER, and the Risk owners are also maintained in the AC table in Set-up, but after submitting the access request there are SOD violations. Detour condition GRAC_MSMP_DETOUR_SODVIOL is satisfied, so the request is routed to ROLEAPP_SOD_PATH and in parallel routed to SODVIOL_DETOUR_PATH6.

Once the role owner approves the request, the escape route is applied at SODVIOL_DETOUR_PATH6 as No approver found.

But the Risk owners are defined in the AC Owner table.

 

Can anybody help with this, as to why the escape path is applied even after maintaining Risk owners?

 

Regards,

Sindhu

Configure Agent workflow for different entity


Hi all,

 

We are planning to modify the workflow in our system and I need some help on the correct approach to achieve this.

 

In our current system the workflow is set as follows.

New or change workflow submitted-->Manager approves-->Role owner approves-->If any unmitigated risk is found-->Routed to local SOX team (only 1 at this point). If local SOX is unable to determine-->It gets sent to corporate SOX for mitigation of risk-->Gets back to role owner-->Security for closure.

 

We currently have only 1 entity. But from next month onwards we are adding 2 more entities to GRC AC, and hence the workflow is expected to work as follows:

New or change workflow submitted-->Manager approves-->Role owner approves-->If any unmitigated risk is found on a role/user that belongs to Entity1-->Routed to local SOX team of Entity 1, and similarly if the role/user belongs to Entity2 it should get routed to Entity2 etc.-->If local SOX of any entity is unable to determine-->It gets sent to corporate SOX for mitigation of risk and then-->Gets back to Role owner stage for approval-->Then security stage for final completion.

 

 

My requirement is to modify our current workflow to enable requests to get routed to the appropriate local SOX.

1. We are in the process of redoing all of the security roles built in the past and are rebuilding them with correct naming conventions. Each entity-specific role is now assigned to the respective Entity name in the "Project release" attribute of the role. Also we have users assigned to user groups based on the entity. These are the only 2 objects that can be used to distinguish between users and roles.

 

So I thought of creating a Custom Agent rule. But unfortunately the Project release (attribute of the role) is not available to me as an option for selection in the decision table. So I took the user group as the selection object. If user group is USG1 then route to User 1 (local SOX team). If user group is USG2 then route to User 2.

 

I am unsure if this is the correct way to do it, as I am not happy hard-coding the user IDs in the decision table.

We are currently on V10/SP15.

 

Please help with some idea on how to approach this.

 

Thanks

Lakshmi

Setting up "AND" and "OR" conditions of Attributes in 10.1


Dear Team,

 

We are migrating from GRC 5.3 to GRC 10.1 (SAP -> Non-SAP) with an Oracle back end using the Green Light Adapter.

After migration, we are able to see the Initiators, paths and stages of 5.3 in 10.1, but we are unable to see the AND and OR conditions of the Attributes from 5.3 in 10.1. We have a file of about 10,854 records of Attributes (with conditions AND, OR and NOT) downloaded from 5.3. Please let us know the best possible way to set this up in 10.1: where and how quickly. Any suggestions would be of great help.

Access Request: User Type restriction


Dear all.

 

I am trying to restrict the user types that are available in an Access Request.

 

UserTypes.JPG

 

However, I am not able to find an authorization object which restricts this information.

 

Kind regards and thanks,

 

Sara.

GRC 5.3 End date issue in CUP


Hi Experts,

 

I have a strange issue in GRC 5.3; I don't think it is a familiar issue.

 

Issue is :-  A user is trying to raise a CUP request; in the main screen the end date field is showing filled with 10001 by default, while according to the SAP standards it is supposed to be 9999.

I am wondering, as when the user logs in with the French language this date is coming as 10001. Other languages are perfectly all right with 9999.

 

Are any configuration changes required? Or is it a bug?

 

Please help me out to resolve this. 

Thanks In advance.

 

Regards

Shan

GRC 10.0 User Search Discrepancy between using NWBC & End-user Login Link


We are on GRC 10.0 Access Management.  Some users are not able to pull up a complete list of users when searching for user from Access Request Creation via NWBC.  However, a complete list of users will display for these users when they search for user from Access Request Creation via End-user login link.  There are some other users who get the same complete list of users regardless of which path they use to search for user from the Access Request Creation.  I compared the security roles among these users but can't locate or identify a specific authorization object that could be the reason.  Any suggestion on what may be causing the user search discrepancy?  

GRC 10 Custom Agent Rule not working


Does anyone know what we are missing?

 

Created BRF-Plus Agent Rule for our role approvers, in BRF-Plus we are able to simulate our Rule and get the correct UserID approvers but when we add this Agent Rule into the workflow, when the request enters this stage the request just stops.  Without errors.    There is no error, (not even an error for No Approver found)  the request just stops without any error listed in the Audit Log.  The request cannot be opened even in Administrative mode.  

 

Since the Agent Rule simulation is working, we think there is an issue with adding this Agent Rule into the workflow.    When our Agent Rule was failing simulation we did get an Approver Not Found error message on the workflow.  Now there is no Approver Not Found message but no approver can enter this request when it enters this stage.

 

Here is our Agent Rule

- Business Process from Request, Functional Area from Request, System and Role from line

- We have our role approver listed as UserID and Recipient

 

Any idea what we might have missed? 

 

2: Maintain Rules

We added the Rule ID (long number of Function), Rule Description, Rule Type as BRFPlus Flat Rule (line by line), Agent Rule

 

3: Maintain Agent

We added this with an Agent ID, Agent Name, Agent Type: GRC API Rules, Agent Purpose: Approval, Agent Rule (that long number of Function)

 

5: Maintain Path

This agent rule is in the second stage for a path.  (The request enters the path and passes through first stage Manager fine so Initiator  and Routing Rules are fine.)

The Agent ID is showing up in the Agent ID column.  Every column that the first stage has filled out, has something on this stage.  Therefore we assume nothing is missing from the stage set up.

 


LDAP Synchronization


Hi Guys,

 

Any idea how to address this Issue with LDAP Synchronization?

 

SA38

Program: RSLDAPSYNC_USER

 

Errors:

Operation failed

LDAP_SEARCH failed

The system could not create the directory objects pool

 

Regards.

Functions not getting created in BRFplus in AC 10.1


Hello All,

 

I have created some Applications ( Functions / Decision tables ) in BRFplus in GRC development for my client.

 

I have configured workflows such as New User , Change User , User termination, Lock User , Unlock User  and all are working perfectly fine.

 

BRFplus for the respective agents is configured and is working as expected in GRC development.

 

I have now moved all the respective TRs to GRC quality for UAT. But the Applications of BRFplus will have to be created by me again in GRC quality.

 

I am facing some problems in creating the same and not able to proceed.

Image-2.JPG

Image-1.jpg

Image-3.jpg

Please suggest.

 

Regards,

Rahul Muni

End User Login "Correctly define the logical connection in CCITS"


Hello,

 

When we try to login using end user login with LAN User account, we are getting "Correctly define the logical connection in CCITS".

 

Background information of our system:

 

There are three connectors configured, two connectors are with the back-end system as Oracle ERP. We configured one connector as LDAP and maintained the User detailed data source as LDAP.

 

All the configuration and connector settings are verified, but we are not able to resolve the issue.

 

Kindly need your valued inputs.

 

Regards,

John

GRC 10.1 EAM Multiple path and approvers for Firefighter ID


Hi Experts,

 

We need to configure GRC AC 10.1 EAM, but there are different approver stages for different FF IDs.

 

E.g.: We have an SAP ALL Firefighter ID that needs to route to 2 approvals, and all the other Firefighter IDs should route to only one level of approval.

 

Please suggest how we can achieve this configuration and provide the best solution for the same.

 

Thanks in advance!

Agent for Monitors of SAP_GRAC_CONTROL_MAINT Workflow


Hi All,


Is there any SAP standard agent for Monitors of the Mitigation Control Maintenance Workflow?


I found for Approvers but not for Monitors.


Please advise.
