Role of Administration in GRC

Hi GRC Experts
Can anybody please share his experience/knowledge on the role of NetWeaver Administrators in GRC Process Control & Access Control?
Thanks in Advance
Varun

Thanks Claude, I really appreciate you taking the time to reply
We too have opened a message with SAP now. I will check the patch level, maybe that's where the problem lies. Since it's amounting to re-work, we have stopped using RE for now. Also, 5.2 RE is not adding any major value for us, I still like the PFCG way better! Maybe we can consider 5.3 RE later on. I will keep you updated if we apply the hot fix and we test RE again.
Thanks again
Abhishek

Similar Messages

  • Difference between ID and Role based Administration - Firefighter 5.3

    In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
    1. Firefighter Role based Administration
    2. Firefighter ID based Administration
    Can someone explain what is the difference between the two?
    I have read the documentation, but it does not have a clear description of the
    differences between the two.
    Please help.
    Thanks

    HI Prakash,
    Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitoring, these differ based on the following:
    1. Firefighter Role based Administration
    You identify a particular role as a firefighter role and give it to the user.
    2. Firefighter ID based Administration
    You create a separate user altogether and give the normal dialog user access to this user's authorizations.
    For the implications that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to for getting a more detailed idea on this topic. Ultimately, it depends on the organization which methodology they follow, as per what suits them according to the features which both have. But generally what is preferred is number 2.
    Regards,
    Hersh.

  • CSM Role Based Administration

    Does the integrated role-based administration of Cisco Security Manager 4.x and Cisco Secure Access Control Server 5.x have fine-grained control for devices? E.g.,
    * User-a can only manage policy-a for device-a
    * User-b can only manage policy-b for device-b

    ACS 4.2 should allow role-based access, but until the final build of CSM 4.0 is released this cannot be confirmed.
    I am not aware of plans to add the support within ACS 5.x, but you can always engage your Cisco account team to submit a product enhancement request on your behalf.
    Scott

  • True Role-Based Administration?

    I'm sure this has been asked and answered many times, but are there any plans to make the ZCC more iManager-y in terms of Role-Based Administration? I'm trying to create a Report Viewer Role for the Help Desk, and I simply don't want them to be able to click through the rest of the Admin interface. Easy in iManager, why not in ZCC?
    Thanks,
    Holly

    Hnewman,
    we've had quite a few enhancement requests for this -
    http://support.novell.com/enhancement you might want to add your
    "voice"...
    Shaun Pond

  • GP difference between Portal Role GP Administrator and Process Role Admin

    Please explain the difference between the Portal Role "GP Administrator" and the Process Role  "Administrator"
    In the CAF-GP Security guide, it says that the Process Role "Administrator" can "Maintain process instances using the GP administration tools".  What does this mean?
    If a user has the Portal Role "GP Administration" and he DOES NOT have the Process Role "Administrator" for ANY process, he can still maintain ALL of the process instances from the Administration workset.  He doesn't need to have the Process Role "Administrator" assigned to him.

    All three have the same Admin rights.
    They are the default users created when you are creating a domain.
    If not used or edited they are a major security risk!
    If you just use, say, weblogic or portaladmin and do not take care of changing the password or security privilege of yahooadmin (changing the group from Admin, or deleting this user if not required), then anyone knowing the admin URL can log in with this default username and its default password.
    I would personally prefer creating custom users and removing the default users.
    Regards,
    Rommel Sharma

  • Request Administration in GRC 10.

    Dear GRC Experts,
    Currently I have two issues in my GRC AC 10 (SP 10) system, for which I couldn't find an answer here. Help me if you have encountered the same and solved it.
    1. When we search the request, we are not able to see the approver with whom the request is pending.
        - We have created a BRF+ initiator and agents. We rechecked again to make sure that we have not skipped any step.
        - Even the version generation was without any error.
        - Also made sure that the approver of the request has the correct GRC R/3 role assigned.
    2. When we go to Access Request Administration, we can't find where the request is pending, and we are not able to approve any request with admin rights. In the other actions there is no dropdown available, and no approve or submit. It has only "Other Actions" as the option, and that has only 'return', which prompts to return at any stage.
        - I have assigned all the admin / super user roles to the administrator, but still he is not able to perform any activity apart from cancel instance.
    3. We have selected the functional area during the request, however we are not able to see it after submission of the request. The administrator is not able to see the functional area selected. I have also checked in the user detail tab but could not find it.
    Please advise.
    Looking forward to hearing from you.
    Regards,
    Sahil.

    Hi Sahil,
    I migrated to GRC V10 2 months ago and have also been struggling with issues with requests with no approver found that could not be redirected in Administration.
    I have reviewed all my Decision Tables - Table Settings - and marked "Return initial value if no match is found". With this flag, I could define an Escape Route for Approver Not Found and set up a PATH with one stage for which a BRF+ rule finds the proper GRC Support Team to be the approver.
    In my case I have some people designated by company pattern [NA_*] for North America, [SA_*] for South America and so on...
    With that, I am now receiving the requests with no approver and use Administration to fix information in the request and then Return to the proper path. I can also use manual forwards with return to involve the proper managers.
    Hope this can help you.
    Vaner

  • Branch office Exchange 2010 Role base administration control for branch site administrator

    Dear sir,
         Customer has an Exchange 2010 main and branch office environment:
    - Main office Exchange 2010 CAS x2 + HTS & Mailbox x2 (Server1,2 & Server 3,4)
      (Main office administrator: domain1\administrator) - DAG1
    - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8)
      (Branch administrator: domain1\badmin) - DAG2
         Customer would like to know which role/permission should be granted / delegated to the ID badmin in order to manage Exchange servers 5,6,7,8 (with management of user accounts and of DAG2 failover & the branch Exchange servers).
    Regards,
    Joe Tam

    Dear Brian,
       I have tried in my lab to scale down to 2 x Server in 1 AD, single domain and single forest. It still has many unexpected behaviours, can you please suggest whether it is by design or a bug of Exchange 2010 SP1?
    Procedure:
    ============================================================================
    Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
    Environment:
    Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
    AD Server: AD1
    Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
    Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
    In AD,
    Login as domain administrator: Testdomain1\administrator
    1. Create an Organization Unit OU1.
    2. Create User User1 under OU1
    3. Delegate User1 to allow create user in OU1
    Select all items in "Delegate the following common tasks:"
    In Exchange 2010 Server,
    Login as domain administrator: Testdomain1\administrator
    1. Rename existing database name to HKDB1
    2. Create a new database AUDB1 in EX2010 Server:
    AUDB1 Create Done.
    Add testdomain1\User1 to the Exchange 2010 server's local Administrators group.
    Logoff Testdomain1\administrator and Login Testdomain1\User1
    Open Exchange EMC: (Failed, because no user management roles are granted).
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange 2010 PowerShell:
    Delegate User1 to allow performing recipient management in HKDB1 only:
    ====================================================================
    New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter { Name -Eq 'HKDB*' }
    $RoleGroup = Get-RoleGroup "Recipient Management"
    New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
    Add-RoleGroupMember "HKDBRecipientManagement" -Member User1
    ====================================================================
    Result:
    In Exchange 2010 Server, logon as domain user: Testdomain1\User1
    Open Exchange Management Console: (User1 able to open EMC now)
    Perform Create User User2 in OU1 with Mailbox located in HKDB1
    Mailbox Creation Failed because it cannot match the Database name = HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    In Exchange Management Shell, enter:
    Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Open Exchange Management Shell and create User2 again.
    Create user successfully.
    Perform create User User3 in OU1 with Mailbox located in AUDB1
    User3 creation failed because it does not meet the database restriction of User1 - Like HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange Management Console, create User3 in AUDB1
    Create User3 in Users Container, by administrator ID.
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Perform mailbox remove of User2
    User2 mailbox remove successfully.
    Perform deletion of User3
    Mailbox User3 Remove Successfully.
    Why is User1 allowed to delete the mailbox of User3, which is located in AUDB1, using the delegation given to User1?
    Moreover, it was found that User3's properties can also be changed by using User1. Why?
    Does it mean the delegation cannot handle the delete operation?
    In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
    In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.
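    As an added example (not part of the original post), here is the delegation above rebuilt so that User1 is bounded on the recipient side as well as the database side. An Exchange RBAC database restriction filter is only consulted for database-related parameters (such as the target database of New-Mailbox), which is why the -Like fix stopped User1 creating mailboxes in AUDB1; a role group whose only custom scope is a config/database scope still carries the default recipient write scope (the whole organization), so its members can modify or remove any existing recipient, which matches the User3 result reported above. A custom recipient write scope is what limits which recipient objects User1 can touch. The OU path (testdomain1.net/OU1), scope names, role group name and the recipient filter are assumed for illustration.

```powershell
# Added example, not from the original post. The OU, scope names, role-group name
# and recipient filter are assumed. Run in the Exchange Management Shell as a
# member of Organization Management.

$ou = 'testdomain1.net/OU1'    # assumed: the OU User1 is allowed to administer

# Config write scope: which databases User1 may target as a parameter
# (-Like, not -Eq, because HKDB* is a wildcard, as found in the thread above).
New-ManagementScope -Name 'HKDBSCOPE' -DatabaseRestrictionFilter { Name -Like 'HKDB*' }

# Recipient write scope: which recipient objects User1 may modify or remove.
# Without this the role group keeps the default recipient write scope
# (Organization), so members can remove a mailbox in AUDB1 too.
New-ManagementScope -Name 'OU1RecipientScope' -RecipientRoot $ou `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# Clone the roles of the built-in Recipient Management group into a custom
# group that carries both custom write scopes.
$roles = (Get-RoleGroup 'Recipient Management').Roles
New-RoleGroup -Name 'HKDBRecipientManagement' -Roles $roles `
    -CustomConfigWriteScope 'HKDBSCOPE' `
    -CustomRecipientWriteScope 'OU1RecipientScope'
Add-RoleGroupMember -Identity 'HKDBRecipientManagement' -Member 'User1'

# Check 1: every role assignment of the group should show both custom scopes.
Get-ManagementRoleAssignment -RoleAssignee 'HKDBRecipientManagement' |
    Format-Table Role, CustomRecipientWriteScope, CustomConfigWriteScope -AutoSize

# Check 2: the set of mailboxes the recipient scope actually covers.
Get-Mailbox -OrganizationalUnit $ou | Format-Table Name, Database -AutoSize
```

    Two points worth keeping in mind when reading the results. First, this only governs what User1 can do through Exchange cmdlets and the EMC; the deletions seen in Active Directory Users and Computers come from the AD delegation granted on OU1 in the first step ("all common tasks"), which RBAC does not see, so the OU delegation has to be narrowed separately if User1 should not delete user objects directly. Second, User3 was created in the Users container rather than OU1, so with the recipient root above User1 would be outside that scope; move the test user into OU1 if the intent is to let User1 manage its properties but not its mailbox placement.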

  • Role Based FireFighter with GRC 10.0 (CEA)

    Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
    The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • Illegal Tcodes error while role generation in BRM GRC 10.0

    Hi Experts,
    I am working on SP11 GRC 10.0.
    In BRM, after following all necessary steps for role creation, when I enter the last stage "Role Generation" and try to generate it, I am getting the error "Illegal Tcodes (system name)" as shown in the screenshot below.
    I am adding SAP standard t-codes only (e.g. SU53) which are existing in the backend system but still it throws error.
    Your suggestion is highly appreciated.

    Hi Swati,
    Thanks for your reply.
    I had already applied note: 1066687 but it didn't resolve my issue.
    Note: 1441463 is valid till release 720 and I am on release 731 and SP11.
    Thanks
    Jayesh

  • Reg:Auto Approve Roles without Approvers for GRC 10.0

    Hello,
    Is anyone using this option on GRC 10.0? According to my understanding, if someone selects a role and it has no approver then the role has to be assigned to the user automatically, but it is not happening in my system. The request is going to decision pending and it is still looking for a role approver.
    Can someone provide their expertise on this issue .
    Thanks
    Uday

    Hi Uday,
    I have not used that functionality myself, as I find it too risky if an SOD or critical risk would be introduced by assigning that role.
    I would have thought that setting the correct values in SPRO would have enabled this functionality. It might be worth checking the settings again and resaving them.
    However, if you are purposely leaving the approver value blank for non-risky roles, as an alternative the document below is worth considering for implementing via BRF+ in GRC 10. (I know the document is more GRC 5.3 related, but the concept is valid).
    Link: [http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/203d2716-ef84-2d10-3f81-a6f6643e308d?QuickLink=index&overridelayout=true]

  • How does role inheritance work in GRC

    Hi All,
    We are implementing GRC PC 10.0 where we have activated role inheritance for organizations in the Maintain Authorization Customization node in SPRO.
    What I understood is that by activating role inheritance for organizations, you can specify that authorizations are to be passed on to lower levels of the organization. However I need to know if inheritance also helps in picking up the recipients while doing planning activity. I have two queries in this regard:
    For example:
    1) If we have a Control Tester role maintained at both subprocess and control level, and a user is assigned to the subprocess for the Control Tester role, then in that case the user will also be mapped to all the controls beneath the subprocess for the Control Tester role due to the inheritance concept, correct? And while planning for that particular control, will the user maintained at subprocess level be picked as a recipient?
    2) A control tester gets mapped at the subprocess level. This means that all controls under that subprocess would show this tester as inherited from the subprocess. However, if we do not want the inherited tester to perform the test, and instead map a tester at the control level, the inherited tester still appears. In this case, will only the tester mapped at the control level receive the work inbox item for the control test (as this overrides the inherited tester), or will the inherited tester also receive it?
    Regards,
    Shikha

    quote:
    The interface only needs loaded if one of its members is accessed (although this is probably implemented differently on different JVMs).

    No. The interface is loaded. It is not initialized. There is a difference. See section 12 of the JLS.

    quote:
    Assuming the above is true, it appears the following is happening:
    1. C is loaded because w is accessed from DD's main. This loading causes 'w' to be echoed and then 'x' to be echoed since loading the interface initializes the members which in turn call the echo method (I am assuming that this only happens when the members are not 'constants').
    2. The main method then echoes the w variable (which is 'w').
    Having said this, I would think this code would behave differently on different JVMs so I am not sure how it could even be a 'good' theoretical question (unless this is documented in the JLS).

    It is in the JLS.

    quote:
    Also, loading the interface may not really be what is happening; the initialization code may be in-lined in the class (this could be tested by printing w twice in main - really strange behaviour).

    No. It can't inline the initialization of one class in another class.

  • No Roles In Access Request - GRC 10 SP06

    Hello Experts ,
    With GRC 10 SP 06, I am facing a strange issue. In Access Request, when I search for roles to be assigned I am not getting any result.
    I have performed all post-installation steps, and the same is working with SP 05 in another landscape.
    Important steps like running the background jobs for user/role/profile sync and role import are all done.
    Thanks & Regards
    Ashish

    Hi,
    You have hit a similar problem I faced after moving to SP06.
    What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
    Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
    Hope that helps.

  • Where are role and administrator settings saved?

    We have had issues in the past that have caused us to have to
    re-setup our site, including all administrative settings and all
    roles and users. Surely all of this is saved somewhere. If we just
    knew where, we could backup the info for an easier restore if
    further problems ensue.
    Anyone know how to backup site settings?

    I got the following reply on a separate forum:
    quote:
    For a website that has been administered by Contribute
    (Publishing server is not enabled), you would find an _mm folder in
    the website root on the remote server. This is a Contribute
    specific folder and it contains the administrative settings, role
    information and users.
    For CPS managed sites, the _mm folder still holds the
    information about the administrative settings and role information.
    The user information of the sites are stored in the Database folder
    of CPS. The Database folder can be found in the following location,
    <CPS Install Path>\Database.

  • Removing Role expert from the GRC Pad

    Hi Guys
    We are using three products of GRC, i.e. RAR, SUP and Compliant User Provisioning, but NOT Role Expert. Is there any way that I can show only these three tools in the GRC pad and remove Role Expert? At the moment it is greyed out but still there.
    Parveen

    Hi Praveen,
    All capabilities are integrated into Launch Pad which are part of VIRACLP****.ear file. And there is no way we can take it out for the current release.
    Best Regards,
    Sirish Gullapalli.

  • Assigned wrong role to administrator account.

    Hi all,
    To be able to create a user account on the portal, I wanted to add the role SAP_BC_JSF_Communication to the account SAPJSF, but added it to j2ee_admin and restarted the system by accident. What I have now is that I cannot use j2ee_admin to log on to the portal.
    Here come the questions:
    1. When I used j2ee_admin to log on to the system, there was no error message at all. It must store the message somewhere for error handling. Where is it and how am I going to reach it?
    2. I checked the setting using the J2EE Engine Visual Administrator. Under server \ service \ security provider, I did not see this role attached to j2ee_admin on the user management tab. If that's the case, why can't I log on to the portal?
    PS) My NetWeaver version is 2004s SPS10.
    Any advice would be appreciated.

    Hi Mike:
      Thanks for your reply. Currently I can't log on even to NWA. After tracing defaultTrace.trc through Log Viewer, I found some error messages.
    1.
    Date : 04/26/2007
    Time : 10:37:47:265
    Message : Preventing access to user mapping data for user "J2EE_ADMIN, " (unique ID: "USER.R3_DATASOURCE.J2EE_ADMIN") and the SAP reference system ("PCCXI2") because the mapping has been saved when the system had not been set as SAP reference system.
    Solution: Save the user mapping data again. (<-- How to do that?)
    Severity : Error
    Category : /System/Security/Usermanagement
    Location : com.sap.security.core.umap.imp.UserMappingDataImp.handleKeyedHashField(Object, int)
    Application : sap.com/com.sap.security.core.admin
    Thread : SAPEngine_Application_Thread[impl:3]_11
    Datasource : 1177574464015:F:\usr\sap\XI2\DVEBMGS11\j2ee\cluster\server0\log\defaultTrace.trc
    Message ID : 0015F2F00CD100790000000E0000020C00042EFAE77D8FF8
    Source Name : com.sap.security.core.umap.imp.UserMappingDataImp
    Argument Objs :
    Arguments :
    Dsr Component : pcc01_XI2_117653650
    Dsr Transaction : 1e5ad320f39f11db88280015f2f00cd1
    Dsr User : Guest
    Indent : 0
    Level : 0
    Message Code :
    Message Type : 0
    Relatives : /System/Security/Usermanagement
    Resource Bundlename :
    Session : 0
    Source : com.sap.security.core.umap.imp.UserMappingDataImp
    ThreadObject : SAPEngine_Application_Thread[impl:3]_11
    Transaction :
    User : J2EE_GUEST
    2.
    Date : 04/26/2007
    Time : 10:37:47:265
    Message : Reading user mapping data for principal "J2EE_ADMIN, " (unique ID: "USER.R3_DATASOURCE.J2EE_ADMIN") and system "PCCXI2" failed.
    Severity : Error
    Category : /System/Security/Usermanagement
    Location : com.sap.security.core.umap.imp.UserMappingDataImp.getLogonDataForSystem()
    Application : sap.com/com.sap.security.core.admin
    Thread : SAPEngine_Application_Thread[impl:3]_11
    Datasource : 1177574464015:F:\usr\sap\XI2\DVEBMGS11\j2ee\cluster\server0\log\defaultTrace.trc
    Message ID : 0015F2F00CD10079000000100000020C00042EFAE77D9304
    Source Name : com.sap.security.core.umap.imp.UserMappingDataImp
    Argument Objs : "J2EE_ADMIN, " (unique ID: "USER.R3_DATASOURCE.J2EE_ADMIN"),"PCCXI2",
    Arguments : "J2EE_ADMIN, " (unique ID: "USER.R3_DATASOURCE.J2EE_ADMIN"),"PCCXI2",
    Dsr Component : pcc01_XI2_117653650
    Dsr Transaction : 1e5ad320f39f11db88280015f2f00cd1
    Dsr User : Guest
    Indent : 0
    Level : 0
    Message Code :
    Message Type : 1
    Relatives : /System/Security/Usermanagement
    Resource Bundlename :
    Session : 0
    Source : com.sap.security.core.umap.imp.UserMappingDataImp
    ThreadObject : SAPEngine_Application_Thread[impl:3]_11
    Transaction :
    User : J2EE_GUEST
    It seems I set an inappropriate user mapping system for the j2ee_admin account. Can I cancel this setting through any tool other than the portal's User Management web page?
    Any advice would be very appreciated.
