SAP GRC 5.3 CUP Archiving Requests
All,
I have a question about archiving and re-reviewing requests after they are closed (approved/rejected).
Let's say I create a request, my manager performs a risk analysis and SOD violations occur, but my manager approves the request. If at some point (say a year down the line) I want to review the request to see what the conflicts were, would the request: a. still be in CUP to review and b. would it show the conflicts that were identified at the time?
How would archiving play into this scenario as well?
Unfortunately, I cannot test this in CUP as it is time sensitive, but I'm hoping someone has come across this before.
Thanks,
Kunal
Hello Kunal,
You can test this in a development by re-creating the scenario and archiving the completed request. The length of time archived is not an issue.
In answer, yes you can pull up the archived request information (provided that you did not delete the archive) and you can see what were the recorded SOD risks at the time. However, the request itself will not tell you the individual transactions that caused the conflicts and may no longer be accurate if the risks and business functions have changed in their content since the time of the request.
This said, GRC AC seems to be changing in "leaps and bounds" with recent support packs... Who knows if the archiving process will change in the future.
Best Regards, Dylan
Similar Messages
-
SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"
Hi,
when configuring a stage, a standard approver determinator called "Super Access Owner" could be selected. My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
"If you select Superuser Access Owner as the approver determinator, the system
fetches the configured owner from the SAP system where the Superuser Privilege
Management is installed and assigns the request to that particular approver."
I do not really understand where to specify. Is it the former FireFighter in the backend?
Did anybody use this Approver Determinator already?
Thank you in advance.
Marco
Hi Marco,
Yes this approver is defined in the backend Firefighter which is now Super User Privilege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for Integration of Compliant User Provisioning and Super User Privilege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
Hope this helps.
Harleen
-
Hi experts,
How is it possible to have a look into archived requests?
With the function "Search requests" and "Informer" it is only possible to see the lists of the archived requests, but if I want to have a look inside a request, an error message appears: "Request Approval Screen is not displayed because Request Status has changed". It is necessary to look into the requests because of internal audits, otherwise the archive function isn't usable for us.
Does anybody know why this error message appears and how it is possible to have a look into the archived requests?
Thanks a lot.
Alexa
Hi Alexa,
same issue here in our SP10 system - it's a known/reported bug that will be fixed in a later SP (planned for SP12).
Cheers,
Dominic
Edited by: Dominic Yow-Sin-Cheung on Feb 18, 2010 12:34 PM
-
SAP GRC 5.3 CUP: Initial Password not displayed
Hi,
when a user account is created in the backend system CUP automatically sends the user ID and a link such as
http://<Server>:50100/AE/showPassword.do?userId=NEWUSER30&ReqNo=1061&System=ERD
to the user's email address. When opening the link no password is displayed.
Could anybody help?
Marco
Hi Marco,
Have you checked that the Send Password in Mail option is set to Yes at Configuration > Workflow > Email reminder > Closing tab?
This option is coming only in 5.3 version not in 5.2.
Regards,
Jagat
-
Hi all,
I'm interested in getting some templates for planning and describing a detailed Cutover Plan for SAP GRC Access Control, which includes all activities to be performed in each one of the modules for SAP GRC (RAR, ERM, CUP and SPM).
Does anybody have a template or related information for preparing a cutover plan for SAP GRC AC?
Thanks in advance,
Santiago
Hi Santiago,
here you can find an AC5.3 Project Plan:
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/b00a372f-ddb7-2b10-88aa-d6eaae69a756
And this is the Pre-Installation Checklist:
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/50692df1-67da-2b10-2995-84a0d0c82193
Best,
Frank
-
Add Fields in CUP Request - SAP GRC Access Control 5.3
Dear Friends,
I am wondering how to add field values in CUP (Compliant User Provisioning) SAP GRC AC 5.3.
Currently I'm leading 9 SAP Security Coordinators in Indonesia and I want to create Performance Metrics on how long the CUP Requests are processed. It needs to enhance the CUP by adding the value Delegation of Authority and the record no. of the DOA requests.
Really appreciate your inputs on how to add field values in CUP.
Thank you so much
-Mesti-
Edited by: AnnisaPramesti on Jan 2, 2012 5:37 PM
Hi.
Check under http://service.sap.com/instguides
SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3
Cheers,
Diego.
-
SPM in CUP in a SAP GRC AC 5.3 -- "Approver not found" & "Path not found"
Hello,
I have a problem when I try to do a request.
I have configured the SPM in the CUP in a SAP GRC AC 5.3.
It gives me an error about "Error creating request. Approver not found". When I took out the Manager in the Stage it gave me this error in the request "Error creating request. Path not found".
Best regards.
Pablo Mortera.
You can either type in the configuration, like what option you selected for approver (CAD or role or... etc.), or the other way is to capture the change log which shows what the configuration was for that stage...
(Configuration -> Change Log -> Search Change log)
Cheers !!
Zaheer
-
Hi,
to get the user password, I set email reminder, closing as send password in mail No and password display period: 0. It throws a password as SAP default string. How can it be a standard password, so the user can reset by entering it? In SAP GRC 5.3 AC-CUP 5.3_05.0, I can't see the password self service tab either. Is there any better way so the user can get the password in email as SAP standard in 8 words (number, letters or any special characters as set like us)? When I try to create a request type for password self service, I have only these actions to select:
CREATE_USER Create User
CHANGE_USER Change User
DELETE_USER Delete User
LOCK_USER Lock User
UNLOCK_USER Unlock User
ASSIGN_ROLES Assign Roles
SUPER_USER_ACCESS Super User Access
USER_DEFAULTS User Defaults
I can't see any action for password self service in Configuration -> Request Type -> Create option. Please answer it.
-
Role Upload template for SAP GRC CUP 5.3
Good Morning / Afternoon / Evening SAP Security Gurus,
I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3. I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
Best Regards
Steve
Thanks Ashish,
Someone else recommended this option as well via another forum. Have tried it out and working fine.
Thanks for the reply
Steve
-
Hello,
I have a doubt.
The users of the modules of the SAP GRC AC 5.3 have to be created in the UME of the EP Core, is that right?? And then add the roles of each user for each module (RAR, CUP, SPM, ERM), is that right?
Best Regards.
Pablo Mortera.
Hi Pablo,
To access GRC AC 5.3 you can create one UME user and assign different roles related to the four GRC components.
Or you can create different GRC users and assign the respective component roles.
Examples of GRC Admin roles are:
AEADMIN
READMIN
VIRSA_CC_ADMINISTRATOR
regards,
Sudip,
-
Load approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3)
Hello,
I want to know if there is a way to load the approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3) massively.
Best Regards.
Pablo Mortera.
Most of the configuration screens in CUP have an export button and an associated excel/text upload template. Use this template to mass create/update configuration data.
Regards,
Alpesh
-
SAP GRC AC 5.3 (CUP) connecting to module of R/3 (HR)
Hello,
I have a problem.
I want to monitor from the SAP GRC AC 5.3 (CUP) some event or activation or trigger when someone creates or makes some modification to an employee from the module HR. Maybe from the Tcode PA20, AP30 or PA40.
Is there a "how to" or a manual to configure this from the SAP GRC AC 5.3?
Thank you in advance
Best Regards...
Pablo Mortera.
Pablo,
I am not clear on what exactly you want but as far as I know there is no monitoring capability in CUP. If you want to monitor something, you will have to write your own Java code (for CUP front-end) or ABAP code (SAP back-end) to access particular database tables.
Regards,
Alpesh
-
GRC 5.3 CUP SP16 - User info not loading from LDAP into CUP
Hello,
We have multiple LDAPS that we needed to connect to our CUP system to authenticate the userids before a request can be created for them. And also to bring in Manager ID and manager email from LDAP as the first level approver for requests.
My client hasn't maintained the actual LDAP userids, Manager and manager email fields correctly, so we utilized three other custom fields in LDAP and then did field mapping in CUP for those fields. But even when the connection to all the LDAPs is successful, there's no user information being pulled in from LDAP into CUP. I noticed that when I use our backend SAP QA system as 'User Data Source' while using multiple LDAPS for 'User Detail Source Data', it only reads data from SAP QA system SU01 area and even when I'm trying to create requests, no Manager info is being pulled from LDAPS for that user id.
SAP does not allow the use of multiple LDAPS for the configuration-->User Data Source , top option. So, if a client has userids in multiple systems, it can only read from one data source. But even when I temporarily assigned one active directory LDAP to the 'user data source' option, it stated, no records found. So, something is up that no data is being pulled from LDAPs even when the connection to those systems is successful. I just asked our AD guy to temporarily assign domain admin rights to that LDAP connection ID to see if it's access issue, and still I am not getting any LDAP data to read into GRC CUP.
Has anyone else had this issue? Is there special access that the LDAP connection id needs in LDAP to be able to retrieve data into GRC? Are there any jobs that need to be run to read LDAP data? I thought it should be live as the system is connected to LDAPs. I don't understand, if the connection is successful, why the user info is not being pulled from there and even after the LDAP custom field mapping is done, those field values are not showing up on requests.
We need the following to happen:
1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User owner approvers per user group are. So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
I will greatly appreciate anyone's help on how they got the LDAP field values to be read into GRC CUP for request processing and what type of encrypted access an LDAP connection id can have without assigning it complete domain admin rights on an open port 389 for LDAP and GRC CUP connection.
Thanks and Regards,
Alley
Hi Alley,
1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
This is not possible. You can have only 1 LDAP. Why you want to authenticate the user in different sources?? CUP looks at only one user source, not many. The below wiki explains you the configuration part:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User owner approvers per user group are. So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
Based on user group is not possible. However, if you wish to maintain the Manager's Field, ensure that the CUP mapping is done correctly from the Configuration, Field Mapping, LDAP Mapping.
While defining the workflow, take the approver determinator as Manager. This will route the request to the user's manager. Also, ensure that LDAP is the source in all the configuration areas in CUP.
Check note 1228996 for more information.
Hope this helps!!
Regards,
Raghu
-
SAP GRC AC 5.3 integrated with BW
Hi all,
Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and developed custom reports?
Thanks in advance. Regards,
Imanol
Imanol,
There is documentation available for the integration. You can find that here:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
Also, there are numerous pre-delivered queries already developed. However, if you wish to develop your own reports, then you will need a BW resource to do so.
Pre-delivered queries:
For RAR:
Alert Detail Listing
Alert Header Listing
Critical Action Violations by User
Critical Role Viols Analysis with Long Portal IDs
Current User Permission Risk-Perm Violation Analysis Breakdowns
Current User Permission Risk Violation Analysis Breakdowns
Management Summary Total Listing
Mitigated Users Analysis
Risk Long Descriptions
Risk-Rule Set Relationship Listing
Role Permission Risk Violation Analysis
Role (Portals) Permission Risk Violation Analysis
Supplementary Rule Detail Listing
Supplementary Rule Header Listing
User Permission Risk Violation with Functions
User Permission Risk Violation with Remediation by User
User Permission Risk Violation with Remediation by User (Top 10)
User Permission Violation with Remediation by Risk
User Permission Violation with Remediation by Risk (Top 10)
For CUP:
Access Requests
Risk Violations
Role Provisioning
Service Levels
SOD Review
User Access Review
User Provisioning
Thanks!
Ankur
SAP GRC RIG
-
Hello,
may I ask you how SAP GRC Access Control can be integrated with Identity Management?
I would like a description of the model and to understand if CUP, ERM, RAR are all mandatory components to do the integration (it's not clear to me if only CUP should be used to integrate IDM).
Thank you to all
Daniela
Hi Daniela,
there are two basic options of integrating Netweaver Identity Management and SAP BusinessObjects Access Control:
- CUP can call IdM to provision roles to non-SAP systems through IdM
- IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
The best kind of integration for your scenario is something that depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
Kind regards,
Frank.