Automatically reject access requests in GRC 10.0

Hello friends,
In PMU WF has set three escalations, when no one approves the request after a while, can automatically reject these access requests?

You can use the Stale Request functionality to CANCEL requests that have not been worked on after x amount of days.
Schedule ABAP GRFNMW_BATCH_STALE_REQUEST to run daily.  This is done by individual MSMP Process IDs.
Thanks.
Kevin Tucholke

Similar Messages

  • User details are missing in Access request in GRC 10.0

    Hello All,
    When we are trying to create Access request in GRC 10.0 for an user it results as user  details not found.
    Under SPRO - Maintain data source configuration we have configured 2 HR systems HR1 and HR2.
    But the User details exits in HR1 system and lies in validity also. We have tried to run the Repository Object Sync also still unable to search the details.
    But we observed even after the Sync job User details are not created in table GRACUSER and GRACUSERCONN. Is this could be the problem. Why its not updating even after the Sync job many times almost 10 times.
    We have also configured parameter 5023 to YES.Please advise.
    Thanks in advance.

    Did the sequence for HR1 set to 1 or 2, I hope you are following the suggestions given by Luciana in other thread.
    Please post your data source config screenshots otherwise.
    BR,
    Mangesh

  • Error while trying to submit Access request to GRC from IDM

    Hello
    We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
    We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
    Is there anything wrong with the script which put RoleData details since its getting aborted ?
    I tried providing Role name directly in Role data attribute inside the action task and got following error:
    Error
    putNextEntry failed
    storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code
    82 - (GRC User Access Request:82:Script execution failed)]; remaining name
    'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
    I checked VDS Logs and there was one error :
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
    From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
    Regards
    Deepak Gupta

    Thanks Christopher
    I got my issue fixed, There was issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
    Regards
    Deepak Gupta

  • Split of an Access Request in GRC

    Hello GRC Experts,
    I have a following issue in my MSMP workflow:
    I have created a MSMP workflow using detour Rule GRAC_MSMP_DETOUR_SODVIOL ar first stage. If an Access request contains SOD violations the request should be routed to Security stage. If works fine so far, but with one exception. We have requests which contain three roles, two of them have SODs and one is clean. I expect that only two roles which contain SOD should be routed to SOD path, and the role which is clean should go the normal path (No SOD path). However I am facing the situation that the whole request is routed to the SOD path and Security stage.
    Do you have any idea how to solve this issue?
    thank you in advance
    best regards
    Sabrina
    Here are the screenshots from the MSMP workflow

    Hi Sabrina,
    we had exactly the same challenge - this is how we solve it:
    - check parameter: 1073 Enable sod violations detour on risks from existing roles (recommended YES)
    - routing level - make sure the stage settings (where your routing rule is executed) are set to "line item level" under MSMP Workflow configuration / Maintain paths/ maintain stage settings
    Hope this helps,
    Filip

  • Is it possible (and if so, how) to automatically approve Access Requests

    SharePoint 2013 (we are using SP 2013 On-Prem.) provides the ability for users to "request" access to a site, or for Site Members to "share" content with users outside of the current site users.  In both cases, however, the request
    for access/sharing is added to the hidden list Access Requests, and a notification sent to the Site Collection Owner/Administrator, who must then "approve" the request before access is actually granted to the outside user.
    We have a use case where we would like to have any access requests (specifically those initiated by Member users to share content with non-site users) automatically approved.  We still want the Access Request list to track all the requests, but we want
    to somehow set all requests to Approved as soon as they come in, so that the Site Owners/Admins do not become a bottleneck where it takes time for access to be granted.
    Is there any way to accomplish this without the need for custom code? 
    I tried leveraging a SPD-based workflow, but there are not properties on Access Request that seem to represent the Approved/Declined selections available in the Request user interface, so there does not appear to be a way (at least via workflows) to set
    a request  to approved.
    Any ideas/thoughts on how to maybe accomplish this? 

    Don't think there is a way to do this OOB.
    --Cheers

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
    In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
    My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
    Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
    Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • CUP Automatic reject request

    Hello,
    inspired by the great blog from Frank Bannert (/people/frank.bannert/blog/2009/06/19/configure-bobj-ac-53-cup-that-workflows-only-appear-if-violations-detected) to have a workflow (triggered from IdM) that only appears if SoD-violation is detected, I want to go further:
    Can anyone tell me how to create a workflow step in CUP that automatically rejects the request?
    The idea is to have a request from IdM for a person to get a role. This request now comes to CUP. With the basic construction mentioned in the blog above, there is a obligatory SoD check. If there is no violation, the request is granted in CUP automatically and sent back to IdM. If there is a violation, I now want the request to be rejected in CUP automatically (instead of a manual step with user interaction).
    Is this possible - and how?
    Thanks in advance
    Matthias Arlt

    Hi Matthias,
    maybe I need to correct this - it is technically possible, but you need to make the distinction whether a request had SoD risks on IdM. The risk analysis service will tell you if there were risks, you can have  a "no stage" path to come back without user intervention.
    What is it that you want to mass upload - initial user/role assignments, or ongoing requests?
    You can also do a simulation in RAR before the upload, or a risk analysis immediately after that. If it's a one time thing, it probably doesn't qualify for a special implementation.
    Can you tell us in a bit more detail what it is you want to do? There surely is a solution, it's just not easy to find from the information so far.
    Frank.

  • HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

    hi sap gurus,
    i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
    SAP_GRAC_ACCESS_APPROVER
    SAP_GRAC_ACCESS_REQUEST_ADMIN
    SAP_GRC_FN_BASE
    SAP_GRC_FN_NUSINESS_USER
    and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
    but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
    the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
    can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
    I will be very much thankful if you guide me successfully.

    Hi Colleen,
    thanks a lot for your time.
    PIC1: I created one user: GR_AR_APP001
    and assigned all the GRC ROLES.
    PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
    PIC3: I created one EUP 980 (copied from default EUP)
    PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
    PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
    PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
    PIC7: I saved agent id
    PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
    PIC9: I saved
    PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
    PIC11: Maintain Route Mapping, I clicked on next
    PIC12 and PIC13: I saved and activated.
    After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
    now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
    please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
    thanks for your support Colleen.

  • ERM Role con't be deleted Automatically after rejecting the request in CUP

    Hi Experts,
    I am involving the GRC implimentation project and ERM component is succefully configured with post-installation activites and also configure the workflow(1-stage) in CUP for role approval.
    After initiating request, the request was sent to appropriate approver for approval process and approved/ Rejected by the approver.For first case(Request approved) everything is looks fine.
    but whenever the request is rejected (second case) by the approver, the role is still present in ERM and ABAP backend as well as.
    please suggest me, if the role is deleted in ABAP/ERM system after rejecting the request by Role Approver in CUP. or still present the role in systems.
    Regards,
    Arjuna.

    Hi Jes,
    We so have a feature called Password Self Service which is used by users to reset their password using CUP. Also if the password is locked by multiple failed attempt, CUP even activate this user.
    However in your case administrator will be locking the user or deactivating the password, so CUP will not allow users to unlock their users as it has been locked by administrator.
    So CUP can only unlock those users which were locked due to failed attempts etc.
    Regards,
    Shweta

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
    Scenario 1: If we put the user name in “User” field and press intro, the user details are updated:
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaning the parameter 2050 as YES and check once.
    Kindly, also make refer to  the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242- UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • GRC 10.0 Access request Management Audit

    Hello All,
    Can Anyone let me know what  Auditors Check When they Audit GRC 10.0 Access request Management (excluding Configuration).
    Thanks
    Mohammed Wasim

    Hi,
    ARM supports key ITGC controls for user access management, so probably audit would also cover:
    - review of updated processes & controls
    - check (based on sample) if all requests were properly approved
    - review of correctness of approvers assignment
    - verification if what was requested was provisioned
    - timely removal of terminated access
    - review of SoD controls embedded in process
    - periodic review of user access
    and maybe some more controls. In most cases it will be sample based testing so auditors may ask for a sample of requests to trace them to back-end systems and opposite sample of changes in users privileges to verify if proper requests were prepared for those changes...
    Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
    Best regards, Andrzej

  • No Roles In Access Request - GRC 10 SP06

    Hello Experts ,
    With GRC 10 SP 06 ,I am facing strange issue .In Access request when I search for roles to be assigned I am not getting any result .
    I have performed all post installation system and same working with SP 05 in other landscape .
    Important steps  like running back ground jobs for user.role.profile  synch role import all is done .
    Thanks & Regards
    Ashish

    Hi,
    You have hit a similar problem I faced after moving to SP06.
    What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
    Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
    Hope that helps.

  • GRC 10.1 Simplified Access Request and Remediation View Issues

    Hi Everyone,
         We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and am having the following issues--has anyone else also experienced?
    In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
    In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks the same request:
    I’ve checked the following things:
    I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
    I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
    It looks like we are on the latest support packs:
    Any help on this would be greatly appreciated!
    Thanks,
    Brett

    Hi Brett,
    For Remediation issue you can check the below thread.
    http://scn.sap.com/thread/3574790
    Regards,
    Neeraj

  • Email content in GRC access request

    Dear Experts,
    Can any one let me know from where GRC access request email content is picked up which creating creating throught access request.?
    I.e when ever the requestor creating request, the manager will get an email( and in my scenario the email document is maintained in document maintenance(se61 tcode) ). Now i need to prefix user full name in email content(which the manager receives) with Mr./Ms.
    Thanks
    Katrice

    Hi,
    My issue is resolved my enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End                                                                          A
    *$*$-Start: (1)---------------------------------------------------------------------------------$*$*
    ENHANCEMENT 1  ZGRC_EMAIL_TITLE.    "active version
    DATA: lw_fullname  TYPE string,
           lw_variables TYPE grfn_s_msg_variable,
           lw_logsys    TYPE logsys,
           lw_system_id_temp  TYPE string,
           lw_user            TYPE grac_user,
           lw_return TYPE int4,
           lW_user_details    TYPE grac_s_user_detail.
           SELECT SINGLE logsys  INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
           IF sy-subrc = 0.
            lw_system_id_temp = lw_logsys.
           ENDIF.
    READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
       IF sy-subrc EQ 0.
        lw_user = lw_variables-value.
          TRY.
                  CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
                    EXPORTING
                      iv_system_id    = lw_system_id_temp
                      iv_user         = lw_user
                    IMPORTING
                      ev_return_code  = lw_return
                      es_user_details = lw_user_details.
               CATCH cx_grfn_exception .                   "#EC NO_HANDLER
              ENDTRY.  
    ENDIF.
       READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
       IF sy-subrc EQ 0.
         CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
         MODIFY et_variables FROM lw_variables index sy-tabix.
       ENDIF.
    ENDENHANCEMENT.
    *$*$-End:   (1)---------------------------------------------------------------------------------$*$*
    Thanks
    KH

  • Add Fields in CUP Request - SAP GRC Access Control 5.3

    Dear Friends,
    I am wondering on how to add fields value in CUP (Compliant User Provisioning) SAP GRC AC 5.3.
    Currently i'm leading 9 SAP Security Coordinators in Indonesia and i want to create Performance Metrics on how long the CUP Requests is processed. It needs to enhance the CUP by adding value Delegation of Authority and the record no. of the DOA requests.
    Really appreciate your inputs on how to add fields value in CUP.
    Thank you so much
    -Mesti-
    Edited by: AnnisaPramesti on Jan 2, 2012 5:37 PM

    Hi.
    Check under http://service.sap.com/instguides
    SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3
    Cheers,
    Diego.

Maybe you are looking for