SAP GRC 5.3 CUP Archiving Requests

All,
I have a question about archiving and re reviewing requests after they are closed (approved/rejected).
Let's say I create a request, my manager performs a risk analysis and SOD violations occur, but my manager approves the request. If at some point (say a year down the line) I want to review the request to see what the conflicts were would the request: a. still be in CUP to review and b. would it show the conflicts that were identified at the time.
How would archiving play into this scenario as well.
Unfortunately, I cannot test this in CUP as it is time sensitive, but I'm hoping someone has come across this before.
Thanks,
Kunal

Hello Kunal,
You can test this in a development by re-creating the scenario and archiving the completed request. The length of time archived is not an issue.
In answer, yes you can pull up the archived request information (provided that you did not delete the archive) and you can see what were the recorded SOD risks at the time. However, the request itself will not tell you the individual transactions that caused the conflicts and may no longer be accurate if the risks and business functions have changed in their content since the time of the request.
This said, GRC AC seems to be changing in "leaps and bounds" with recent support packs... Who knows if the archiving process will change in the future.
Best Regards, Dylan

Similar Messages

  • SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"

    Hi,
    when configuring a stage, a standard approver determinator called "Super Access Owner" could be selected.My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
    "If you select Superuser Access Owner as the approver determinator, the system
    fetches the configured owner from the SAP system where the Superuser Privilege
    Management is installed and assigns the request to that particular approver." 
    I do not really unterstand where to specifiy. Is it the former FireFighter in the backend.
    Did anybody user this Approver Determinator already?
    Thank you in advance.
    Marco

    Hi Marco,
    Yes this approver is defined in the backend Firefighter which is now Super User Privelege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for  Integration of Compliant User Provisioning and Super User Privelege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
    In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
    Hope this helps.
    Harleen

  • CUP Archived requests

    Hi experts,
    How is it possible to have a look into archived requests?
    With the function "Search requests" and "Informer" it is only possible to see the lists of the archived requests, but if I want to have a look inside a request, a error-message appears: "Request Approval Screen is not displayed because Request Status has changed". It is necessary to look into the requests because of internal audits, otherwise the archive function isn't usable for us.
    Does anybody knows why this error-message appears and how it is possible to have a look into the archived requests?
    Thanks a lot.
    Alexa

    Hi Alexa,
    same issue here in our SP10 system - it's a known/reported bug that will be fixed in a later SP ( planned for SP12).
    Cheers,
    Dominic
    Edited by: Dominic Yow-Sin-Cheung on Feb 18, 2010 12:34 PM

  • SAP GRC 5.3 CUP: Initial Password not displayed

    Hi,
    when a user account is created in the backend system CUP sents automatically the user ID and a link such as
    http://<Server>:50100/AE/showPassword.do?userId=NEWUSER30&ReqNo=1061&System=ERD
    to the user's email adresse. When opening the link no password is displayed.
    Could anybody help?
    Marco

    Hi Marco,
    Have you checked the Send Password in Mail option is  to Yes at Configuration>Workflow>Email reminder-->Closing Tab.
    This option is coming only in 5.3 version not in 5.2.
    Regards,
    Jagat

  • Cutover Plan SAP GRC AC

    Hi all,
    I´m interested in getting some templates for planning and describe a detailed Cutover Plan for SAP GRC Access Control, which includes all activities for performing in each one of the modules for SAP GRC (RAR, ERM, CUP and SPM).
    Anybody has some template or related information for prepare cutover plan for SAP GRC AC?
    Thanks in advance,
    Santiago

    Hi Santiago,
    here you could find a AC5.3 Project Plan:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/b00a372f-ddb7-2b10-88aa-d6eaae69a756
    And this is the Pre-Installation Checklist:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/50692df1-67da-2b10-2995-84a0d0c82193
    Best,
    Frank

  • Add Fields in CUP Request - SAP GRC Access Control 5.3

    Dear Friends,
    I am wondering on how to add fields value in CUP (Compliant User Provisioning) SAP GRC AC 5.3.
    Currently i'm leading 9 SAP Security Coordinators in Indonesia and i want to create Performance Metrics on how long the CUP Requests is processed. It needs to enhance the CUP by adding value Delegation of Authority and the record no. of the DOA requests.
    Really appreciate your inputs on how to add fields value in CUP.
    Thank you so much
    -Mesti-
    Edited by: AnnisaPramesti on Jan 2, 2012 5:37 PM

    Hi.
    Check under http://service.sap.com/instguides
    SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3
    Cheers,
    Diego.

  • SPM in CUP in a SAP GRC AC 5.3 -- "Approver not found" & "Path not found"

    hello,
    I have a problem when I try to do a request.
    I have configured the SPM in the CUP in a SAP GRC AC 5.3
    I gives me an error about "Error creating request. Approver not found ". When I took out the Manager in the Stage it gave me this error in the request "Error creating request. Path not found".
    Best regards.
    Pablo Mortera.

    You can either type in the configuration, like the what option you selected for approver (CAD or role or...etc), or other way is to capture the change log which shows what was the configuration for that stage....
    (Configuration -< Change Log -> Search Change log)
    Cheers !!
    Zaheer

  • SAP GRC CUP password issue

    Hi,
    to get user password, i set email reminder, closing as send password in mail No and password display period : 0.It throws a password as sap default string .How can it be standard password,so user can reset by entering it.In SAP GRC 5.3 AC-CUP 5.3_05.0, I can't see password self service tab too.Is there any better way so user can get password in email as sap standard in 8 words (number , letters or any special characters as set like us).

    when i try to create request type for password self service. i have only these actions to select
    CREATE_USER  Create User 
      CHANGE_USER  Change User 
      DELETE_USER  Delete User 
      LOCK_USER  Lock User 
      UNLOCK_USER  Unlock User 
      ASSIGN_ROLES  Assign Roles 
      SUPER_USER_ACCESS  Super User Access 
      USER_DEFAULTS  User Defaults 
    i can't see any action for password self service in configuration->request type-> create  option.please answer it.

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • Create user in SAP GRC AC 5.3 for each module (RAR, CUP, SPM, ERM).

    Hello,
    I have a doubt.
    The users of the modules of the SAP GRC AC 5.3 have to created in the UME of the EP Core, is that right?? And thet add the roles of each user for each module (RAR, CUP, SPM, ERM), is that right?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    To access GRC AC 5.3 you can create one UME user and assign different roles related to four GRC component.
    Or you can create different GRC user and assign respective components roles.
    The example of GRC Admin role are.
    AEADMIN
    READMIN
    VIRSA_CC_ADMINISTRATOR
    regards,
    Sudip,

  • Load approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3)

    Hello,
    I want to know if there is a way to load the approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3) massively.
    Best Regards.
    Pablo Mortera.

    Most of the configuration screens in CUP have an export button and an associated excel/text upload template. Use this template to mass create/update configuration data.
    Regards,
    Alpesh

  • SAP GRC AC 5.3 (CUP) connecting to module of R/3 (HR)

    Hello,
    I have a problem.
    I want to monitor from the SAP GRC AC 5.3 (CUP) some event or activation or trigger when someone create or does some modificaction to an employee from the module HR. Maybe from the Tcode PA20, AP30 or PA40.
    IS there a "how to" or a manual to configure this from the SAP GRC AC 5.3?
    Thank you in advance
    Best Regards...
    Pablo Mortera.

    Pablo,
       I am not clear on what exactly you want but as far as I know there is no monitoring capability in CUP. If you want to monitor something, you will have to write your own Java code (for CUP front-end) or ABAP code (SAP back-end) to access particular database tables.
    Regards,
    Alpesh

  • GRC 5.3 CUP SP16 - User info not loading from LDAP into CUP

    Hello,
    We have multiple LDAPS that we needed to connect to our CUP system to authenticate the userids before a request can be created for them. And also to bring in Manager ID and manager email from LDAP as the first level approver for requests.
    My client hasn't maintained the actual LDAP userids, Manager and manager email fields correctly, so we utlized three other custom fields in LDAP and then did field mapping in CUP for those fields. But even when the connection to all the LDAPs is successful, there's no user information being pulled in from LDAP into CUP.  I noticed that when I use our backend SAP QA system as 'User Data Source' while using multiple LDAPS for 'User Detail Source Data' , it only reads data from SAP QA system SU01 area and even when I'm trying to create requests, no Manager info is being pulled from LDAPS for that user id. 
    SAP does not allow the use of multiple LDAPS for the configuration-->User Data Source , top option.  So, if a client has userids in multiple systems, it can only read from one data source.  But even when I temporarily assigned one active directory LDAP to the 'user data source' option, it stated, no records found. So, something is up that no data is being pulled from LDAPs even when the connection to those systems is successful. I just asked our AD guy to temporarily assign domain admin rights to that LDAP connection ID to see if it's access issue, and still I am not getting any LDAP data to read into GRC CUP.
    Anyone else has had this issue? Is there especial access that the LDAP connection id needs access in LDAP to be able to retreive data into GRC? Is there any jobs that need to be run to read LDAP data. I thought it should be live as the system is connected to LDAPs. I don't understand if the connection is successful, why the user info is not being pulled from there and even after the LDAP custom field mapping is done, those field values are not showing up on requests.
    We need the following to happen:
    1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
    2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of  what to request as the User owner approvers per user group are.  So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
    I will greatly appreciate anyone's help on how they got the LDAP field values to be read into GRC CUP for request processing and what type of encripted access can a LDAP connection id have without assigning it complete domain admin rights on an open port 389 for LDAP and GRC CUP connection.
    Thanks and Regards,
    Alley

    Hi Alley,
    1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
    This is not possible. You can have only 1 LDAP. Why you want to authenticate the user in different sources?? CUP looks at only one user source, not many. The below wiki explains you the configuration part:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
    2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User owner approvers per user group are. So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
    Based on user group is not possible. However, if you wish to maintain the Manager's Field, ensure that the CUP mapping is done correctly from the Configuration, Field Mapping, LDAP Mapping.
    While defining the workflow, take the approver determinator as Manager. This will route the request to the users manager. Also, ensure that LDAP is the source in all the confiuration areas in CUP.
    Check note 1228996 for more information.
    Hope this helps!!
    Regards,
    Raghu

  • SAP GRC AC 5.3 integrated with BW

    Hi all,
    Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
    Thanks in advance. Regards,
       Imanol

    Imanol,
    There is documentation available for the integration.  You can find that here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
    Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
    Pre-delivered queries:
    For RAR:
    Alert Detail Listing
    Alert Header Listing
    Critical Action Violations by User
    Critical Role Viols Analysis with Long Portal IDs
    Current User Permission Risk-Perm Violation Analysis Breakdowns
    Current User Permission Risk Violation Analysis Breakdowns
    Management Summary Total Listing
    Mitigated Users Analysis
    Risk Long Descriptions
    Risk-Rule Set Relationship Listing
    Role Permission Risk Violation Analysis
    Role (Portals) Permission Risk Violation Analysis
    Supplementary Rule Detail Listing
    Supplementary Rule Header Listing
    User Permission Risk Violation with Functions
    User Permission Risk Violation with Remediation by User
    User Permission Risk Violation with Remediation by User (Top 10)
    User Permission Violation with Remediation by Risk
    User Permission Violation with Remediation by Risk (Top 10)
    For CUP:
    Access Requests
    Risk Violations
    Role Provisioning
    Service Levels
    SOD Review
    User Access Review
    User Provisioning
    Thanks!
    Ankur
    SAP GRC RIG

  • SAP GRC - SAP IDM integration

    Hello,
    may I ask you how SAP GRC Access Control can be integrated with Identity Management?
    I would like a description of the model and to understand if CUP, ERM, RAR are all mandatory components to do the integration (it's not clear to me if only CUP should be use to integrate IDM).
    Thank you to all
    Daniela

    Hi Daniela,
    there are two basic options of integrating Netweaver Identity Management and SAP BusinessOBjects Access Control:
    - CUP can call IdM to provision roles to non-SAP systems through IdM
    - IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
    As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
    The best kind of integration for your scenario is something that depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
    Kind regards,
    Frank.

Maybe you are looking for

  • How do i install business catalyst and typekit with creative cloud if they don't show up?

    I just recently signed up for creative cloud and learned about muse.  I would like to take advantage of the business catalyst and typekit, but when i open my application manager, neither are available for download.  Am I missing something here?  are

  • Getting started with Apex

    hi .. I tried to download Apex twice and it downloads a zip(apex_3.2.zip) file everytime that looks like contains documentation... I was expecting some kind of GUI installation (install.exe or setup.exe). As what I need is ..client-db application..I

  • DQ tolerance key

    I have maintained the DQ tolerance key in CUSTOMIZING in the foll path : Materials management ----> Logistics Invoice verification -----> Invoice Block ------> Set Tolerance limits. For DQ, I have set 30 INR as the upper limit ( absolute value ) Docu

  • Tool panel

    lost tool panel

  • CUP Request Stuck in Approver's Queue (approval show in logs)

    We are seeing an odd error in our CUP system (5.3 SP13). A request will come to a user, they will approve it, and then the request will never actually leave their queue. I can look at the request's Audit Information and see they have approved. It has