ARQ: Default Role Provisioning Problem in Access Request???

Hi,
It is a very common business scenario to have default role(s) assigned to a user in the back-end system, and I have the same requirement. To achieve this, I followed the thread below:
MSMP Issue - GRC 10
I have also followed note #1616092 for configuring the Default Roles.
I have performed below activities:
1. Param#2009 = YES
2. Param#2010 = 001
3. Param#2011 = REQUEST
4. Param#2013 = SYSTEM
5. Param#2038 = YES
6. Imported a test role and NO ROLE OWNER is maintained.
7. In NWBC->-AM->RM, I maintained a test role as a default.
Now when I raise a request, the application successfully adds the default role to the request. However, the problem I am facing is that once the Manager approves the request, it fails.
The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
May I know what I am missing here? Why I am getting error and how can I resolve it?
Please advise.
Regards,
Faisal

Hi Faisal,
Sorry for the late response, I was away traveling.
default roles are being added by default to access request
Yes, these roles are added to the access request.
FN: OK
and this roles are following your normal paths which I guess assumes manager and role owner.
How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
FN: OK. If you enable routing it will go to the routing path. I understood your post as questioning the behavior of default roles, and my point was that they act exactly the same as regular roles.
- request is going to detour path
Does it answer my question?
FN: My point was that default roles, like all others, will go to the detour path (assuming you set it up globally).
Default roles can have a separate path (in my case) where only the supervisor is approving it.
Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
FN: correct
It was designed in a way that the initiator rule, based on role criticality, sends this rule to a separate path without role owner.
Again, I believe you have enabled your custom rule here to achieve your business requirement instead of the standard rule ID.
correct
If you do not have separate path - this role like any other will follow standard path you have.
Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for the "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID and it is working fine as of now.
FN: good
My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
If the role does not have a role owner, it will not allow you to even get to the Role Owner stage - the request will be detoured.
My point from the beginning was - instead of using the routing rule - in our case we used a separate path for default roles without role owner :) consisting only of the manager stage. Again, your approach is different but will also work.
Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
Are you asking for default roles?
Please advise.
Regards,
Faisal

Similar Messages

  • GRC AC 10 - Change default value for field in access request

    Hi everybody
    In the access request, is it possible to change the default value in the field "request for"?
    thanks
    Aurélien

    Hi Aurélien,
    Yes, we can make it default. Please go to EUP, where there is a field Request for. Please check the snapshot.
    Thanks and Regards
    Ankit sharma

  • Composite role not showing in Access request screen. (BRM not used)

    Dear All
    I have created a composite role in backend system with 2 single roles.
    a. I have imported the single roles using the NWBC screen.
    b. Ran the auth sync job.
    c. Imported the composite role as a technical role using the NWBC import screen.
    The import procedure was successfully completed.
    But when I try to search for the role in the Access request screen for a user, I can only see the single roles and not the composite roles.
    Pls advise
    Raju

    Hi Raju,
    In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
    The final stage of the composite role has to be in complete status.
    Regards,
    Ameet

  • ARQ: User details fields mappings problem in Access Request

    Dear All,
    My "User Search Data Sources" are: HR system and LDAP (in this order) and
    "User Details Data Sources" are: HR system, LDAP, GRC Production system and ERP Development system (in this order)
    I could search for the users in HR and LDAP systems correctly. However, the problems I am facing are:
    1. For some users, First Name, Last Name and Email id fields are not getting mapped, though they are correctly shown in the search screen of ARQ. This behavior is sporadic and I am not sure why these are not mapped for some of the users only. But for other users, they are getting mapped correctly!
    2. For some other users selected from the search result, First Name, Last Name and Email id fields are correctly mapped. However, the "Manager" field is empty and not mapped, though it is correctly maintained in the HR system.
    Any idea why this is behaving like this and how to solve this?
    Please advise.
    Regards,
    Faisal

    Hi,
    I could figure out something.
    I have below hierarchy in Active Directory:
    1. OU=Unit1,OU=ABC,DC=123,DC=COM
    2. OU=Unit2, OU=XYZ,DC123,DC=COM
    Unit1 and Unit2 are peers, fall under DC "123" and contain different sub-nodes and users. What is happening is that, if a user and his manager are from same OU (Unit1 for example), it is pulled appropriately.
    In case if a user is in Unit1 and manager is in Unit2, then in this case, manager first and last name is pulled and Manager id field is not filled.
    I could only maintain one of the above entries in the LDAP tcode. I don't know how I can maintain peer OUs in LDAP!
    When I maintained it like this:
    OU=Unit1,OU=ABC,DC=123,DC=COM;OU=Unit2, OU=XYZ,DC123,DC=COM
    It gives me the error: "Entry does not exist".
    It is looking for only one node at a time but cannot traverse multiple peer nodes.
    Can anyone advise me on this?
    Regards,
    Faisal

  • GRC 10.0 - Auto Approve default roles

    Hello All,
    Could you please help out me in the below scenarios.
         1) We have maintained default roles in NWBC - Access Management - Default roles.
         Also set the parameter 2038 to Yes - Auto approve roles without approver.
    In MSMP we have maintained an Escape path if an approver is not found at the role level.
    As default roles have no approver maintained, the request is taking the Escape Path, which should not happen.
    We just want to auto approve the default roles, and for roles other than default roles the request should take the escape path if no approver is found.
         2) The other action is quite the same as the above one.
         When we are using provisioning type REMOVE for role removal, the request also takes the Escape path as default roles have no approver.
    Once the Manager at the first stage has approved, the request should close for the removal type access.
    Please advise. Thanks in advance.

    In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
    The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
    In your case, if you want "default roles" auto approved, the easiest thing to do is create an empty path (i.e. no stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), it goes to the path with no stages.
    BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki
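
The per-line-item routing described in this thread, as a simplified Python model (an added example, not SAP code and not part of the original posts). Path IDs, role names and the connector are constructed, and the owner check stands in for the "no approver found" escape. `unsafe_rows` is an added check that every row leading to a path with no stages names an exact request type, connector and role.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed path IDs; real MSMP path IDs are site-specific.
PATH_STANDARD = "Z_STANDARD"
PATH_MANAGER_ONLY = "Z_MANAGER_ONLY"
PATH_NO_STAGE = "Z_NO_STAGE"
PATH_ESCAPE = "Z_ESCAPE"

STAGES = {
    PATH_STANDARD: ["MANAGER", "ROLE_OWNER"],
    PATH_MANAGER_ONLY: ["MANAGER"],
    PATH_NO_STAGE: [],            # empty path: nothing to approve
    PATH_ESCAPE: ["SECURITY_ADMIN"],
}


@dataclass(frozen=True)
class LineItem:
    request_type: str
    connector: str
    role_name: str
    role_owner: Optional[str] = None


# Initiator decision table, evaluated top-down, first match wins.
# Columns: request type, connector, role name, result path. None = any.
DECISION_TABLE = [
    ("NEW", "ECCPRD", "Z_DEFAULT_BASIC", PATH_NO_STAGE),
    ("REMOVE", None, None, PATH_MANAGER_ONLY),
    (None, None, None, PATH_STANDARD),
]


def initiator_path(item, table=DECISION_TABLE):
    """Return the path chosen by the first matching decision-table row."""
    for req_type, connector, role, path in table:
        if (req_type in (None, item.request_type)
                and connector in (None, item.connector)
                and role in (None, item.role_name)):
            return path
    return PATH_ESCAPE  # no row matched


def route(item, table=DECISION_TABLE):
    """Apply the initiator, then escape if the path needs a missing owner."""
    path = initiator_path(item, table)
    if "ROLE_OWNER" in STAGES[path] and item.role_owner is None:
        return PATH_ESCAPE
    return path


def route_request(items, table=DECISION_TABLE):
    """Route every line item of one request independently."""
    return {item.role_name: route(item, table) for item in items}


def unsafe_rows(table=DECISION_TABLE):
    """Rows that reach a stage-less path through a wildcard condition."""
    return [row for row in table if not STAGES[row[3]] and None in row[:3]]


# Constructed sample request: one default role plus two regular roles.
SAMPLE_REQUEST = [
    LineItem("NEW", "ECCPRD", "Z_DEFAULT_BASIC"),
    LineItem("NEW", "ECCPRD", "Z_FI_AP_CLERK", role_owner="JSMITH"),
    LineItem("NEW", "ECCPRD", "Z_MM_BUYER"),
]

if __name__ == "__main__":
    for role, path in route_request(SAMPLE_REQUEST).items():
        print(f"{role:16} -> {path} {STAGES[path]}")
    print("wildcard rows into empty path:", unsafe_rows())
```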

  • No Approvers visible on Access Requests

    Hi Everyone
    I am currently experiencing a problem with Access Request Management: on all my request types, no Approvers are visible after submission of a request. Checking the request under Instance Status, it shows no Approvers. The Approvers have been assigned on the Roles for Assignment approval and Content approval and have also been created on the NWBC front-end as Role Owners. In MSMP, the GRAC_ROLEOWNER Agent has been assigned to the ROLEOWNER stage and the stage task settings maintained. On the GRC system, the Role Owners/Approvers have also been created and given the proper access, including the SAP_GRAC_ACCESS_APPROVER role.
    I am not sure where I am going wrong in the Workflow. I have also checked and verified the settings under SPRO - Maintain Configuration Settings and Perform Task-Specific Customizing.
    Your assistance in this is highly appreciated
    Regards
    George

    Hi Lentobo,
    As Dilip suggested, please ensure that the role owner is set up in NWBC. Define the role owner in the Access Control Owner hyperlink, under the Set up tab of NWBC.
    Also make sure that you have checked the checkbox "Assignment approver" under the Owner tab of that role.
    Thanks,
    Mamoon

  • Default role Issue

    Can anyone help us in configuring the default role in GRC 10?
    We are on SP15.
    Default role attribute is Company. Default role gets added to the request but the role needs an approver. If there is no approver, the request goes to the escape route.
    Regards,
    Vinayalaxmi

    Hi Vijaylaxmi,
    As stated by other people, you need to configure MSMP workflow path for approvals. You can configure agent to read the approver from a BRF+ table or a function module also. It depends on your business environment. If approvers don't change often, you can use BRF+ decision table also else you can put your logic inside the function module to find the approver.
    Regards,
    Ravi

  • ARQ: "No Provisioning log available" message in Access Request

    Hi,
    I am facing a problem wherein, a request is duly provisioned and closed. However, in email notification, I get below message:
    Hi XXX,
    The Request number : 123 , has been processed by XYZ and the Request is Closed. The details are as follows:
    No Provisioning log available
    I checked and noticed that the request is duly closed and the user is either created/modified in the target system properly. I maintained variable %PROVISIONING% in the email body but still I am not getting the provisioning details.
    The document is active and working absolutely fine in Development system. But here I am not sure why this is not working.
    Can anybody help me determine what I am missing?
    Regards,
    Faisal

    Hi Claudio,
    Thanks for your reply.
    I am on SP#14 and it seems to be applicable and I can try this. Just before doing so, I would like to inform you that this is working in Development system (same settings) but not in QA. To the best of my knowledge, the configuration is same and no modifications have been done in QA alone.
    Still I am facing this problem. Do you think if I implement this in Development system, the existing configurations will not be corrupted?
    Also, please see the screen below that I got from the GRFNMW_DBMONITOR_WD tcode.
    From this I can see that the value in variable "PROVISIONING" is the same as I am receiving in the email notification, but I am not sure why this is not getting updated, whereas in development I could see values for this variable properly.
    Any suggestion?
    Regards,
    Faisal

  • Access Request Creation - Role or System Required at Creation

    Hi - We are installing GRC 10.1 SP6. When I create a request it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirement to add either a system or a role at the time you create a request?
    This is not a huge deal to me as I created templates that include the systems we provision to by default.  However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.
    Thanks,
    Rich

    Hi Richard,
    In addition to what Colleen has already mentioned, you can set up the provisioning configuration in such a way that you don't have to select a system in the access request. So basically a request requires either a system or a role. Most of the time (best practice) users select a role without a system. Personally I also recommend that way, as the system comes with the role automatically.
    In the global provisioning configuration (SPRO > AC > User Provisioning > Maintain Provisioning Settings) you have to define that the user gets created when the role gets assigned.
    Alternatively, as you would like to remove both, you can check if it is workable via the request type settings. I don't have a system to test, but you might be lucky. Remove the "Assign object" action from the request type and check if it is still mandatory to add at least one assignment.
    SPRO > GRC > AC > User Provisioning > Define Request Type
    Please let me know if this helps.
    Regards,
    Alessandro

  • Provisioning log is not available on Access request type Change Account

    Hi,
    So I have an issue when I try to submit a request to add a role to a user, and I'm trying to understand what could be the reason for it. Basically I have a workflow that works perfectly for a "Change Request". I can see that all the steps are executed, and then at the end of the request, when it is supposed to do the actual role assignment, I see the message "Provisioning log is not available". Then the approval path is finished and the request is closed, but when I take a look at the user in the back end the role is not assigned. In terms of access I have tried giving SAP_ALL to WF-Batch, nothing shows in Yellow or Red in SLG1, and in SPRO->AC-> User Provisioning -> Define request Type I see "Change Account" with SAP_GRAC_ACCESS_REQUEST. What else can I do to troubleshoot this error?
    Note: I went back to the AC 10.0 Pre-Implementation From Post-Installation to First Access Request and everything looks right in terms of the AC Configuration settings.

    Hi Jonathan,
    In my question I was referring to SPRO - GRC/access control/user provisioning / maintain provisioning settings. Those need to be set up (min. global provisioning settings) in order to have the role assigned to the user at the end of the path.
    The Change account option you can see under request type refers to changing user master data (e.g. password / account validity / details).
    Is this system maintained by CUA? If so, settings have to be different (see CUA settings in SPRO).
    I would recommend moving to SP14, as in SP13 there were many bugs. By the way, I believe the worst SP ever since the beginning of AC is SP13 (maybe due to the number), as it destroys much working functionality.
    Filip

  • GRC 10.0 SP 14 access request form displays unassigned roles

    Dear experts, when I open the Access Request form and I select a user, and then I click on existing assignments, I am shown a list of roles and systems assigned to this user. However, when I go to those corresponding backend systems to see if the roles are actually assigned, it turns out that they are not. I have rerun all the sync jobs and they all completed successfully. Auto provisioning works on all these systems and there are no issues in terms of the RFC. However, as indicated by the attachments, it continues to show rules that were unassigned from this user some time ago. Where might these assignments be coming from?

    Hi Santosh,
    did you run the repository object sync job in full mode for this connector? This has mostly to do with outdated sync information as you can also see in the following note:
    http://service.sap.com/sap/support/notes/1667112
    Please check again.
    Regards,
    Alessandro

  • No Roles In Access Request - GRC 10 SP06

    Hello Experts,
    With GRC 10 SP 06, I am facing a strange issue. In Access request, when I search for roles to be assigned, I am not getting any results.
    I have performed all post installation system and same working with SP 05 in other landscape.
    Important steps like running background jobs for user.role.profile synch role import all is done.
    Thanks & Regards
    Ashish

    Hi,
    You have hit a similar problem I faced after moving to SP06.
    What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
    Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
    Hope that helps.

  • Access Request "Model User" - Role Type "Role" disabled in "Select Model Access" screen.

    Hi All,
    I am implementing GRC AC 10.0 - ARM  for provisioning in SAP R/3 and Enterprise Portal systems.
    While using "Model User" access request, I find that UME portal groups are coming as disabled and are not available for selection in tab 'Select Model Access'.
    Also only Type "Single Roles" appear for assignment or selection in the "Model User" form. Type "Role" appears disabled.
    Request help, thanks.
    Regards,
    Piyush.

    Thanks all for the suggestions but issue persists.
    I ran repository object sync in full sync mode for the portal system.
    I re-imported the portal groups.
    Still as earlier while using "Model User" request, I can see the groups with the reference user but it is grayed out and not available for selection.
    The other three scenarios (Access request, Copy Request & Template) work fine. In those request I can select the portal groups as well.

  • ARQ: How to Specify specific system in "System" Field in "Risk Violations" Tab in Access Request???

    Hi,
    I would like to restrict users from selecting systems from the drop down in the "Risk Violations" tab. In order to achieve this, I opened the "GRAC_OIF_RQUEST_SUBMISSION" application in Admin mode and disabled it. As a result, this field is disabled, but it is blank. I am unable to maintain any value in it. I tried selecting a value from the drop down and then disabling the field. I saved with the selected value. But later, when the Access Request application was accessed, it again showed blank.
    However, when a user performs risk analysis, the application still performs it for all the connectors!
    The user is authorized to perform risk analysis for a specific connector (controlled using the GRAC_SYS object). But I am not sure where the application is picking up different connectors from.
    Secondly, I also noticed that this "System" drop down has multiple entries in it along with "ALL". I don't have any clue where these values are coming from!
    Can anybody help me in understanding and addressing this?
    Also, may I know how others are tackling this? I mean, is the "System" drop down disabled with a specific value as default, or enabled with ONLY a specific value?
    Please advise.
    Regards,
    Faisal

    Hi Faishal,
    I went through the challenge you have described. On top of the mentioned issues - do you know that if a user selects a system (has requested a role for it) but you have no SoD rule book defined for it, GRC will identify no SoD risks for the request and will mark all roles (even those for other systems for which a rulebook is defined) as 'green' on the access approver screen? The expected behavior would be that only the selected role would be marked as green and others would still be red. We have also tried with option 'ALL'; however, results provided in our case were not accurate (we did recons to single systems).
    This strange system behavior (SP14) was reported to SAP. In this case, if you have a path defined for SoD detour, the system will not go on detour as there is no risk defined.
    What we did was set up a fixed value in this field (our production system with rulebook), put this system as a parameter in TVARV (system dependent), and using the value of this parameter we fixed the system against which the analysis is executed.
    Filip

  • Approving the access request gives error in Sharepoint Foundation 2013 / Email notification codepage problem

    Hello
    On our SharePoint Foundation 2013 server approving Access Requests fails with "request approval failed" after pressing the approve button. The user is site administrator, site collection administrator and site owner.
    In the ulsviewer we see the following error:
    System.NotSupportedException: No data is available for encoding 1033.     at System.Text.Encoding.GetEncodingRare(Int32 codepage)     at System.Text.Encoding.GetEncoding(Int32 codepage)     at Microsoft.SharePoint.Email.SPMailMessageHelper.GetSocialNotificationMailMessage(SPWeb
    web, String senderAddress, String senderName, Boolean useSenderAddressAsFromAddress, String recipientAddress, CultureInfo recipientCulture, String subject, String sidebarHtml, String descriptionHtml, String customMessageHtml, List`1 embeddedAttachments)    
    at Microsoft.SharePoint.SPSharingEmailHelper.SendAccessRequestsEmail(SPCachedItemEventProperties eventProperties, SPUser sender, String message, SPUser recipient, String recipientEmailAddress, String strSubject, String body)     at Microsoft.SharePoint.SPSharingEmailHelper.SendRequestorNotification(SPCachedItemEventProperties
    eventProperties, String objRequestedTitle, SPUser reqByUser, SPUser reqForUser, String message, Boolean isMessageUpdate, Int32 status)     at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleStatusChangingToApprove(SPCachedItemEventProperties
    properties, Int32 reqByUserId, Int32 reqForUserId, Int32 newStatus, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleRequestStatusChanging(SPCachedItemEventProperties
    properties, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequestsOperationHandler.ItemUpdating(SPCachedItemEventProperties properties, SPUserCollection users, SPGroupCollection
    groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequests.UpdateItem(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 permissionLevel, Boolean extendInvitation, String anonLinkType, SPList accReqList,
    SPListItem item, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatusCore(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 newPermissionLevel,
    Boolean extendInvitation, String anonLinkType, SPList accReqList, SPListItem request)     at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, SPUser reqForUser, String convStr, String permType, Int32
    permissionLevel, Boolean extendInvitation, String anonLinkType, SPWeb web)     at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, String convStr, String permType, Int32 permissionLevel)    
    at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.ChangeRequestStatus_MethodProxy(XmlNodeList xmlargs, ProxyContext proxyContext)     at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.InvokeStaticMethod(String methodName,
    XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid)     at Microsoft.SharePoint.Client.ServerStub.InvokeStaticMethodWithMonitoredScope(String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid)    
    at Microsoft.SharePoint.Client.ClientMethodsProcessor.InvokeStaticMethod(String typeId, String methodName, XmlNodeList xmlargs, Boolean& isVoid)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStaticMethod(XmlElement
    xe)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessOne(XmlElement xe)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStatements(XmlNode xe)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.Process() 449c7b9c-6cec-f09a-9792-3d76c4d7e351
    The server is running on an English Windows 2012 Server and also the English version of SharePoint Foundation 2013 with the June 2013 CU.
    We see exactly the same error when add users to a group with the option "Send an email invitation" enabled.
    Any ideas what could cause this problems?
    Regards,
    Reinhard

    Hi Reinhard,
    According to your error message, it says that no data is available after encoding the social notification mail message. It should be caused by the E-Mail encoding setting.
    For troubleshooting your issue, please check the character set of your E-Mail Settings:
    Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
    On the Central Administration Home page, click System Settings.
    On the System Settings page, in the E-Mail and Text Messages (SMS) section, click Configure outgoing e-mail settings.
    On the Outgoing E-Mail Settings page, make sure the Character set setting is 65001 (Unicode UTF-8).
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support
