GRC AC- Workflow in CUP

Dear All,
We encountered an issue with one of our customers regarding the definition of WF's path.
The customer has a WF : START -> risk manager -> business manager 1 -> business manager 2  (**) -> auth. Manager -> FINISH
(**) – The second approval of business manager is needed only in the case where the Functional area of the role is not the same as the one of the Request.
We thought about defining CAD approvers for every combination of Role Functional Area & Request Functional Area (for the cases they are not the same).
The problem is that in the case where both are the same, this stage is not needed at all. So we thought about using an escape route – but then it will be relevant for all WFs, and this is not what we want.
Do you have any idea how to deal with this situation ?
Thanks

Hi Yudit,
Unfortunately CUP does not have the sort of functional logic you require in your workflow.
You will have to try another angle to fulfill the business requirement.
Hope this helps.
Rgds,
Prevo.

Similar Messages

  • Configuring ERM workflow in CUP issue (GRC AC 5.3)

    Hi once again fellow SAP Security Folk,
    Using GRC AC CUP 5.3 SP 13 I am trying to configure ERM workflow for the following scenario :
    Every role change made via ERM requires approval from relevant Business Process (BP) area.  If the role change contains an SOD conflict of Medium or higher then approval is required from a 2nd central approver (basically regardless of the business process area). 
    I have not been able to configure ERM workflow within CUP to be able to do this – I have only been able to configure it for dual approval, i.e. every change must have approval from both BP approver and Central approver before request can progress.  I did this by assigning the Central approver to all Business Processes as an additional approver. This means that the conditions for the scenario above are met but the drawback is that all other requests also require approval from Central approver even though they don't need to, generating additional workload.
    Can anyone advise if this is possible and how to do it ?
    Further info:-
    I have setup in CUP an ERM Initiator, an ERM Custom Approver Determinator (CAD), an ERM Stage.
    I have setup in ERM I have defined Business Process Approval Criteria for each Business Process approver.
    I tried creating a 2nd ERM stage using a separate 2nd ERM CAD but this meant all changes required 2nd approval before request can continue.
    I tried modifying the 1st Stage to Approval type All Approvers but this meant all changes required approval from all possible BP Approvers (instead of any one) before request can continue.
    I tried creating a Detour/Fork but could only see within the Workflow Type selection criteria non ERM workflow types.
    Thanks
    Steve

    You can either type in the configuration, like what option you selected for approver (CAD or role or...etc), or the other way is to capture the change log, which shows what the configuration was for that stage....
    (Configuration -> Change Log -> Search Change log)
    Cheers !!
    Zaheer

  • GRC HR triggers in CUP

    Hi all,
    I am working on GRC HR triggers in CUP. We developed the workflow in SAP GRC. The input is coming from the SAP HR system. I need to put some ABAP coding or settings in the SAP HR system to trigger the workflow in the GRC system. I don't know what to do in the SAP HR systems. Any pointers on this?
    Thanks in advance
    Regards,
    A.Rathinaprakash

    Hi,
    checkout https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/b050c6bf-f8f4-2b10-67aa-95573e611ee4 and also the HR Triggers section in The Configuration Guide - see InstGuides.
    All How-To guides available in https://wiki.sdn.sap.com/wiki/display/BPX/Governance%2c%2bRisk%2c%2band%2bCompliance%2b(GRC)%2bHow-To%2bGuides
    cheers,
    Julie

  • SAP GRC AC 5.3 (CUP) connecting to module of R/3 (HR)

    Hello,
    I have a problem.
    I want to monitor from the SAP GRC AC 5.3 (CUP) some event or activation or trigger when someone creates or makes some modification to an employee from the module HR. Maybe from the Tcode PA20, AP30 or PA40.
    Is there a "how to" or a manual to configure this from the SAP GRC AC 5.3?
    Thank you in advance
    Best Regards...
    Pablo Mortera.

    Pablo,
       I am not clear on what exactly you want but as far as I know there is no monitoring capability in CUP. If you want to monitor something, you will have to write your own Java code (for CUP front-end) or ABAP code (SAP back-end) to access particular database tables.
    Regards,
    Alpesh

  • GRC AC v5.3 CUP - Initial Data Files

    Hi All,
    re: GRC AC v5.3 CUP - Initial Data Files
    Our GRC-AC v5.3 CUP Dev system has too many roles and we want it to match our GRC-AC v5.3 CUP QA system. We do not want to go through one role at a time and delete them. Would it be the correct procedure to export the CUP QA system "Initial Data" files for "Roles" and import into CUP DEV using the setting "Clean and Insert".
    Both systems are on the same CUP Version / SP / Build.
    Any help on this would be greatly appreciated.
    Thanks,
    John

    >
    John Stephens wrote:
    > Hi All,
    >
    > Yes, you are correct. An attempt gives the following error message:
    >
    > "x Please select Insert or Append option, to avoid Data Integrity errors, Clean and Insert option is not available."
    >
    > We came up with some additional options that we will pursue to resolve this.
    >
    > Thanks for your help on this.
    >
    > -john
    Hi John,
    Can you elaborate on what options you pursued to do mass role removal in CUP?
    Thanks!
    Jes

  • GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?

    Hi Experts,
    re: GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?
    After reading the guides and forum it is still not clear to me if ERM is absolutely required in order to use CUP "User Access Reviews". The guide mentions in ERM the Role Usage Synch job has to be run, and then that data is to be loaded into CUP. Is this step absolutely required or can we skip it.

    Gary,
      ERM is a necessity if you want to fully use UAR in CUP. I don't know why SAP did it this way but it is how it is.
    Regards,
    Alpesh

  • Trigger mitigation workflow within CUP

    Hi,
    I have configured the necessary workflow types, Mitigation controls and Mitigation objects. I am able to trigger workflow when I create a control in RAR. How do I go about triggering workflow within CUP?
    Currently, when I create a request, in one of the stages a risk analysis is mandatory. I am able to create or assign an existing mitigation control before the workflow process can continue. This works well. However, I would like a workflow to be triggered when somebody clicks on the 'create' mitigation control button as well as when somebody assigns an existing mitigation control.
    Any input would be highly appreciated.
    Thanks
    Mo

    Hello Muhammad,
      What you are saying is that you wish to trigger workflow from within CUP itself when you are assigning/creating mitigation control from within CUP, right? If I got that right then I would say that it is not possible. For mitigation control creation/assignment the trigger is only the RAR application and it can be done through that only, since for such workflows the request types would be type MITCTRL and MITOBJ and not CUP.
    A nice feature though if it would have been there. In case I got anything wrong, then kindly elaborate so that I could get clarity.
    Regards, Varun

  • GRC AC 5.3 CUP to create users in AD?

    Hello Experts,
    Could anyone answer to the following questions?
    Can I script in CUP to update HR master  record email address (infotype: 0105) while request workflow in progress?
    What are the functionalities in CUP can be customized and scripted?
    Thanks in advance!
    Himadama

    Hi,
       As Zaheer mentioned, SAP doesn't allow custom coding or scripting in GRC AC 5.3. I also doubt that you will be able to provision user email address in HR record. Mostly, the provisioning happens in user master record (SU01). It would be better if you check it out with SAP.
    Alpesh

  • Parallel workflows in CUP

    Hello Experts,
    Our environment has SAP HR, GRC CUP (5.3) and Active Directory (connected to IBM Tivoli Manager).
    I have a requirement where I need to provision user IDs to SAP systems through GRC CUP after the Hire event is completed in SAP HR.  To provision in SAP, we need to first create an Active Directory ID (network ID) before we can use this ID as the SAP user ID. We are planning to use position based security in SAP HR.
    Question: After the Hiring event is completed, can I initiate 2 paths in the GRC CUP workflow where one path creates the Active Directory ID and then provides that Active Directory ID to the second path, which will then use this to provision in SAP systems?
    The Active Directory is connected to IBM Tivoli Identity Manager, so we have to create the Active Directory account through IBM Tivoli Manager.
    Can you share your thoughts on this? Can we build a workflow like that? If not, any other alternative thoughts?
    Thanks

    My 2 cents on SAP IdM and GRC integration scenario (draft):
    1.     HR will create an employee record in HCM
    2.     IdM monitors changes and create a network (AD) id and email id (Assumption : Network id and SAP UserIds same)
    3.     IdM updates the email address back to the HCM systems
    4.     Hiring manager enters the required roles. 1* (one more option, manager may add the business role and the business roles are mapped to the technical roles in IdM)
    5.     IdM sends the SAP systems requests to GRC 5.3 RAR
    6.     If there are no violations, the request returns to the IdM and IdM completes the provisioning process and roles need to be approved.
    7.     If there are violations in the request(CUP approval), after the role owners approval, request returns to the IdM and then IdM completes the provisioning process.
    8.     Manager (Only) gets the notification of user creation and logon credentials will be given to the new employee If non-SAP (AD) provisioning process not happened prior to SAP provisioning process. (not clear yet)
    Questions:
    1.     1* Does IdM complete creation of network id? If it does, then manager could enter the new employee's email id. (Not sure whether manager only able to add roles or adding roles and email id)
    2.     Not sure whether IdM completes the non-SAP systems (like AD, etc) prior to SAP systems in the same request.
    Reference:
    Page 11/14:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a634?quicklink=index&overridelayout=true
    Page 8/48:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8c55?quicklink=index&overridelayout=true
    Thanks
    Himadama

  • GRC AC 10.0 - CUP User Authentication

    Hi All
    We have installed GRC AC 10.0 as a part of ramp up implementation. We will soon start with the configuration steps. For user interfacing we have 2 options (1) NWBC (2) Portal. Architecture of GRC AC 10.0 is based on webdynpro ABAP.
    Now we had a question wherein if we choose NWBC as a front end, then how do we integrate the LDAP for CUP user authentication.
    If we need to integrate LDAP as a authentication source for users in CUP, do we have the only option of going with Portal as a user interface.
    Please advise.
    Thank you.
    Anjan pandey

    > That feature in AC 10.0 is called End User Login and will have its own URL to access via browser.
    Thanks Frank for your response. I did go through the RKT documents and it seems that there is a link through which the end users will create requests. We have also planned to set up LDAP connectivity for user authentication.
    Thanks.
    Anjan Pandey

  • Approver not found error while configuring workflow in CUP

    While I am configuring SAP CUP workflow,
    Once I create a request and sent it to approve, I am getting the message stating Approver doesn't exist.
    Any help will be appreciated in this regard.
    Regards

    Looking at your posts here so far (8 unresolved out of 10) I'm getting the impression that you're trying to learn how to configure a full Access Control solution without a) having read the documentation or b) having had any kind of training.
    May I suggest you take a start with a) or/and b) instead?
    Frank.

  • GRC AC 5.3 CUP error

    Hi
    We have installed GRC AC 5.3 and did the configurations for CUP. Now when I try to submit my request in CUP I am getting the below listed error while trying to go to the request submission screen. This error is received only after application of SP14 for CUP. However when I try to create a request on behalf of someone, I am able to move to the next screen to provide request details.
    Also with the application of the latest support pack, I am no longer able to see the sign out/my name etc. on the GRC screen. Earlier I used to see the same after I logged in.
    Below are more details from the configuration side.
    Authentication Source: LDAP
    User Details Source: LDAP
    Search Data source: UME
    500   Internal Server Error
      SAP J2EE Engine/7.01 
      Application error occurred during request processing.
      Details:   java.lang.NullPointerException: null
    Exception id: [001F29E657BC00620000004600004AD400049AD377D5A94E]
    Below are listed the system logs
    2011-01-27 18:25:46,132 [SAPEngine_Application_Thread[impl:3]_36] ERROR java.lang.NullPointerException
    java.lang.NullPointerException
         at com.virsa.ae.accessrequests.actions.RequestDetailsHelper.copyUserPropertiesToRequest(RequestDetailsHelper.java:1032)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.loadHandler(EUCreateRequestAction.java:344)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:72)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Please help.
    Thanks.
    Anjan Pandey

    Hi Anjan/Chinmaya,
    We are facing the same error in our landscape here for the self service password reset functionality. We have GRC AC 5.3 SP15.
    We are considering reimporting the initial data files in CUP but have a few concerns.
    Will the reimport erase or affect existing CUP/SPM functionalities? With an audit around the corner, we don't want any existing request details/logs to be erased or the system to be affected.
    Can you please help out with the steps on how to proceed with this upload? Is it necessary to click on Upgrade once the reimport is complete?
    Thanks,
    Mahesh Pai

  • GRC AC 10 (RAR/CUP/ERM) configuration for EP system

    Hello Gurus,
    We are aware of configuring RAR/CUP/ERM in GRC AC 10 for ERP system(back-end)
    Are there any documents /links to provide information on configuring the above components for EP system ??
    Or rather specific which of the following configuration is possible for EP system ?? CUP /RAR/ ERM ??
    Also going further , is there any way in which we can configure the same for BO system ??
    I am not quite sure if there is any PLUG-In as such which is available for BO system or not .
    But in my opinion there is no need to perform configuration for BOBJ system as the roles in them are imported from Backend system (ERP/BI etc), hence if these roles are already taken care of during ERP system cleanup and SOD analysis, there should be no need to configure RAR/ERM/CUP separately.
    Please provide your comments.
    Regards,
    Victor

    Hello Prasad,
    Thank You for your quick response .. the info was quite helpful.
    Will you please put some light on aspects of integrating AC 10 with BO ??
    Is there any connecter available for it?? Which scenarios are possible ??
    Humbly Requesting your help.
    Thanks in advance.
    Regards,
    Victor

  • GRC AC 5.3 - CUP automatically pick up Risk Owners?

    Hi GRC Experts,
    Just wanted to know, is there any way CUP can pick up Risk Approvers without configuring them in CAD? Role approvers automatically get picked up when choosing the "Role" as the approver determinator within a CUP "stage"; Is there any such option for a CUP stage to pick up the Risk Approvers in the same manner?
    Thanks and Best regards,
    Sandeep

    Hi Chinmaya,
    Firstly, thanks for your help and support.
    According to the post, I mean when the user manager or approver, receives the request to assign one role to a user, the approver has to decide the needs of the user to use that role.
    Then the approver can check (clicking on the Risk Analysis button) the number of conflicts or critical risks that the user could violate. The issue is when the approver launches the analysis and it shows the same conflict risks that have been mitigated in the previous assignment. It may show the possible risks between the new role and the others, isn't it? Or instead of that, the oldest risks are shown. Must those risks be shown as mitigated?
    Thanks, regards.

  • GRC AC 5.3 | CUP Request Type = Information

    Hello All,
    We have recently deployed GRC 5.3 and have seen in many demos by different partners that GRC CUP has request Type: "Information" which is used to search and view information about request types.
    During our implementation of CUP we didn't realize that some users would have difficulty in choosing Request types such as New/Change/Unlock etc, so we didn't bother configuring anything. But there are users who, for some reason, are unable to select the right request type.
    I would like to know how do I configure Information request type where users can search information about request types? I was able to create the request type but not sure what action to assign to it or do I even need to?
    Any documentation or help would be greatly appreciated.
    Thanks!

    Thanks Raghu but I did try the wiki page section:
    "Configuring Requestor Landing Page for Compliant User Provisioning (PDF 220 KB)"
    The purpose of this article is to provide the procedure required to customize the requestor landing page i.e. the request types on the request access screen in compliant user provisioning in SAP GRC Access Control.
    but I get the error message that:
    "Sorry, the page or document you've requested can't be found on our site (404 error). It may have been moved or removed, or (yikes!) the site may be down."
