Channel: SCN : All Content - Governance, Risk and Compliance (SAP GRC)

Access Request Provisioning Failure


Good Day Experts.

 

Hope someone will be able to assist me

We are busy implementing Access Request in GRC 10.1.

I have 6 plug in systems linked to GRC 10.1

 

Auto provisioning is working 100% for 5 of these systems, but the last system, BW System, it doesn't want to work at all.

I keep on getting an error message under the provisioning logs saying that the user does not exists in target system. The Access Request gets closed as Approved.

In SLG1 I get the message from plugin system, saying that the user does not exists in the target system

 

All the plug in systems share the same config from GRC in terms of Access Request and Provisioning.

 

When I assign roles to an existing user in the BW System, it works fine, just when I want to create a new user, I get the error.

 

I have looked everywhere for answers and can't seem to get the correct one.

 

It is strange that for 5 systems it works and for just 1, I am having problems with.

 

Any information would be great

 

Regards

Gerrit


EAM - Position based owners/controllers


Hi all

 

I'm currently implementing AC 10.1 SP12 at my current site. I've been asked to set up EAM to have owners and controllers identified by position, rather than being directly assigned in the EAM master data. They are concerned that when assigned owners/controllers are away that requests and logs won't be processed in a timely manner as the assignments may not be updated.

 

I have a few ideas about how to implement this, but I'm wondering if anyone else has set EAM up like this? I'm also looking for any thoughts that you might have about how this could be achieved. My current way of thinking is to have BRF functions to identify the appropriate agent for the request/log based on a table mapping the FFID to owner/controller position numbers.

 

Thoughts/Ideas?

 

Thanks very much in advance

Daniel

Cannot perform read operation on the LDAP System???


Dears,

 

I am facing the above issue in the GRC system while syncing user data from the LDAP connector. LDAP configuration is completed and seems to be working fine because of the details below:

 

  1. Users are fetched successfully from LDAP system while searching in LDAP Tcode
  2. Users are authenticated successfully while accessing End User Logon Page.

 

I have tried syncing using user id having SAP_ALL profile but still could not get the proper result.

 

Please advise.

 

Regards,

Faisal

SAP GRC 10.1 communicates with the Java environments?


Hi!

 

It's a simple question: does SAP GRC 10.1 communicate with the Java environments? For example CLM, PO, Portal...

GRC AC 10 - PSS: Password reset failed: no valid Email-id maintained for user id


Hello SAP-Experts,

 

I have some issues with the Password Self-Service (PSS).

I'm on GRC 10.0 SP12.

I have 2 plugin/backend systems: the GRC box itself and another ERP 6.0, where GRCPINW SP12 is installed.

 

My issue:

I have registered the Security Questions.

In step 1 I answer the questions ->  in step 2 I select a backend system.

When I submit the PSS action, the error " Password reset failed: no valid Email-id maintained for user id" appears and nothing happens.

 

 

Thanks in advance for your help

firefighter log review


Hello. My team is responsible for monitoring firefighter ID usage on SAP GRC 5.3_21.7. It currently updates a master log documenting each time a user logs in with a firefighter ID, regardless of whether they execute a transaction code. Is there any risk (from an audit perspective) associated with logging in but not executing a transaction code? I'm fairly new on the job and I want to remove governance processes that may be redundant. We pull detail reports for t-codes that are executed on production for a specified period on a weekly basis. I'm just not sure whether requiring management to log firefighter logins when no t-code has been executed is necessary. Open for suggestions.

Firefighter Log Approval Workflow


Hi Everyone,

 

I've got an interesting one I think and would appreciate any help or advice.

 

In my GRC 10 SP12 system, we've configured Decentralised Firefighter and it's all working well.

 

I have used standard SAP Workflow but have customised the notification templates and these also work fine.

 

The problem I have is that the Approval email from the Firefighter Log Review is going to the wrong person.  I'll list the steps below:

 

GRC Administrator - so your SAP Security/GRC Resource, called GRCADMIN

 

Firefighter ID - the FF that is used, let's call it FF_SUPER

 

The End user in ECC - ENDUSER

 

FF Controller in GRC - CONTROLLER

 

OK, here's the scenario.

 

ENDUSER logs in to ECC and calls FF (GRCPI/GRIA_EAM)

As FF_SUPER carries out tasks and logs off.

 

Login Notification email is sent to the CONTROLLER

 

New Work Item email is sent to the CONTROLLER after the background job finishes.

 

The forward and return workitem emails are working fine between the CONTROLLER and the ENDUSER

 

Once the CONTROLLER approves (hits Submit) the Log Review report, the final approval email goes to GRCADMIN

 

MSMP has the notification set to GRC_REQUESTOR so I have no idea why it's being routed to a user id not even involved in the FF process.

 

All email addresses etc have been set up correctly as well on all the accounts in both ECC and GRC.

 

Any thoughts of where to check and what to look for would be great.


Thanks in advance!

Sonia

GRC 10 : How to limit requestor authorization to specific template request?


Hello,

My problem is in access request based on a template form.

I would like users to be able to see just some template requests, not all of them. I have customized a new EUP, so I wanted users to have access only to template requests with this specific EUP. I can't find how to limit this access. Is there any authorization object that can limit on GRACEUPCRIT-EUP_ID? Am I wrong in my way of trying to limit access to requests? (Knowing that in fact all the other template requests are not really available because roles are filtered by business process and functional area, but I would prefer them not to appear in the available list of templates.)

Thanks in advance for your help.


Request is getting approved at SOD_OWNER Stage despite of risks


Hi Experts,

 

My access requests are getting approved even if risks are not mitigated in the access request.

 

parameter 1062 set to No

               1072 Yes

 

 

In SPRO maintain application mapping -> request mitigation policy is set to default.

 

working on GRC 10.1 SP12

 

 

Please can someone help me here?

 

Regards,

Ram

ARA Risk Function with Multiple Tcodes


Hi Friends,

I would like to enquire the behaviour on below query. Appreciate your response.

 

We have created a Critical Action Risk with Function F1. Function F1 comprises as below

 

Function ID    Action
F1             Tcode 1
F1             Tcode 2

Function ID    Permission Group    Field    Value    Condition
F1             Tcode 2             ACTVT    01       AND
F1             Tcode 2             BUKRS    1000     AND

 

My objective is to reflect the critical action risk when a user has both tcodes tcode1 and tcode 2. However, I noticed that based on above definition when risk analysis is performed, the user with only tcode 1 is reflected in the results.

 

My understanding is that when multiple actions are added, they are considered as AND operation. Here it seems to behave as OR operation between them.

 

Appreciate your advice.

 

Thanks

Ravi

Create request simplified - link


Hi expert,

 

I've a strange issue on GRC 10.1 SP12.

 

I'm able to see "Create request simplified" link , but when I click on it a new page is opened, but it's empty (see attach).

 

Please help

Cattura1.PNG

 

Cattura2.png

Regards,

 

Claudio

Issue in "Copy Request" of a "New Request" in GRC 10.1


Hi,

 

I am facing an issue regarding access request – “New Account”, user is creating request containing Roles and Systems. Ideally, they should select only Roles.

  Once the system found System in the request, it goes to ESCAPE path.

1.jpg

But we search the request and open the Audit log, it is only showing systems. No Roles are showing which was selected.

 

2.jpg

 

But when we “open” the request, it is showing all roles and systems.

3.jpg

When I am trying to create a new request by “Copy request”, it is showing the message below and could not copy all the roles and systems; it only copies the systems.

4.jpg

5.jpg

 

Please help me on this issue.

 

Thanks,

Samrat

GRC IDM Integration


Hello Experts,

 

We are doing GRC 10 and IDM 7.2 integration, and want to start with creating a request in GRC and then sending it to IDM for provisioning (Access control driven user provisioning). Standard documents just mention that this can be done but do not give any more technical details. Can somebody shed light on how this can be achieved technically?

 

BR

Mohammed

Fire fighter Validity Date Extension Issue


Hello All,

Good Morning,

We have an issue with the Firefighter ID validity date.

We have restricted the validity date for 5 days to Firefighter id in Configuration parameter ID 4001 to 4 days, but while requesting the firefighter access, the firefighter user can change the validity date (validity from to validity to in Access request) by as many days as he wants.

Kindly let us know whether there are any configuration settings to restrict it strictly to 5 days validity.

As part of the SAP GRC 10.1 implementation, we have configured the Emergency Access Management (EAM) module such that the default validity period for all EAM access requests is set to 5 days (Default Firefighter Validity Period (Days), Parameter ID 4001 in SPRO). However, we have seen a scenario where one of the end users requested EAM access for 8 days by changing the validity date as part of the submission process. Is there a way to restrict that from happening? End users should not be able to modify the validity date. Is there a standard mechanism/configuration to implement this?

 

Regards

Karunakar


Simplified access Request Service


Hello,

 

We are trying to configure the simplified access request in GRC 10.1 SP12.

But we are unable to find the service GRC_ACCESSREQUEST_APPROVE_SRV in SICF.

Please advise.

 

 

Thanks & Regards,

Lakshmi

Agent 'GRAC_SPM_OWNER' returned empty User ID


Hi GRC Experts,

 

I am trying to configure EAM workflow to provision firefighter ID for a firefighter in GRC 10.1 SP11. We are implementing de-centralised firefighter concept here.

 

Access request of superuser access request type is raised and submitted successfully. Next stage is to route request to firefighter ID owner for approval. Agent ID 'GRAC_SPM_OWNER' is used. But, no notification is routed to the respective FFID owner.

 

When checked in MSMP debug log, this is the debug message recorded:

 

APPL_DEBUG:184:GRFNMW:MSMP agent rule GRAC_MSMP_SPM_OWNER_AGENT returned 1 approvers

APPL_DEBUG:225:GRFNMW:Agent 'GRAC_SPM_OWNER' returned empty User ID (for Line Item '0001')

 

The access request form contains the approver name on line item 001. The approver name and ID exist in both the GRC and target systems. The approver ID has been assigned the roles SAP_GRAC_SUPER_USER_MGMT_OWNER and SAP_GRAC_ACCESS_APPROVER in the GRC system.

 

Any idea what could be the problem here?

 

Regards,

Debbie

orgDatas LDAPMapping


Hello again,

 

Now I have two short questions regarding LDAP field mapping.

1. I would like to fill the orgData fields in the request, e.g. Business-Area. I defined the field in LDAPMAPPING and also the connector activities, but the fields will not be filled in the request.

2. I would like to get the Department/User group assignment from SAP in the request fields. Is a special configuration necessary for this kind of data?

 

Unbenannt.JPG

 

thanks in advance

chris

Critical Profile/Role Assignment Alerts


Good Day

 

Is there a way that GRC can send an Alert (Maybe an Email notification of some sort) when a Critical Profile or Role (Defined under Setup > Critical Access Rules > Critical Profiles or Critical Roles) is assigned to a user in the plug in system manually?

 

I do understand that Risk Terminator has something to do with this, but if there is any other easier way, please let me know.

 

Thanks and Regards

Gerrit

User Level Risk Violation Reports at Company Code level


Dear Experts,

 

Want to check if the below is a possibility: I want to execute the user level risk report, which should provide results on company code level. We have activated the authorization F_BKPF_BUK but still we don't get the output in the desired format. Can this be done without using organizational level rules?

 

Please advise

 

Thanks

Rahul
