User Access Review Workflow - GRC 10

Hi Team,
UAR request contains items which are not directly assigned to users/roles,
Example: child roles of composite roles
We are on GRC SP13.
1807552 - UAM: UAR request shows indirect roles and wrong usage count
1821101 - UAM: User Id missing from provisioning log for UAR requests
1865864 - UAM: Wrong data in UAR Request & adding Expired Roles filter
1829331 - UAM: Issues with UAR requests
I have gone through the above four SAP notes and all are part of SP13.
I just want to know if anyone has faced the same issue and whether the below note is applicable for our GRC system SP13 or not.
1970118 - UAM : Expired and locked Users and indirect role assignment are also display in UAR request
Please suggest
Regards,
Madhu.

Hi Shweta,
We have already raised an OSS message for the same 336348 / 2014.
Regards,
Madhu.

Similar Messages

  • GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?

    Hi Experts,
    re: GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?
    After reading the guides and forum it is still not clear to me if ERM is absolutely required in order to use CUP "User Access Reviews". The guide mentions in ERM the Role Usage Synch job has to be run, and then that data is to be loaded into CUP. Is this step absolutely required or can we skip it?

    Gary,
      ERM is a necessity if you want to fully use UAR in CUP. I don't know why SAP did it this way but it is how it is.
    Regards,
    Alpesh

  • Configuration of  User Access Review process

    Hi,
    I'm new to the forum.
    I'm looking at the User Access Review process in CUP.
    I would like to implement the User Access Review request. So, my questions are:
    1. Where does GRC take the data from to make the analysis? I need to know the exact place where the data are collected (which table, transaction code or statistical data).
    In case GRC uses the backend tables, I should be aware of the time that the tables are operational in the system, correct?
    2. Otherwise, how does this analysis affect the performance of the backend system?
    3. I have read that it is possible to obtain reports with the use of Action Usage. The report that I mention is: RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
    Where does it get its information from? Could the data be in the same place that the User Access Review process uses?
    4. Is it possible to introduce other actors as Reviewers (in the Configuration tab, User Review > Options > User Review pane)? Now, the reviewers configured are Manager or Role Owner.
    5. To set up User Access Reviews, do I need something additional technically, or is it an automatic procedure?
    If there are any requirements that I should take into account, please let me know.
    Thanks in advance
    Marta

    Hi,
    I have found this document that answers all my questions:   www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/b05010a3-ed45-2c10-79b2-96df60a6bf2b
    So, now I have another question:
    In the GRC Access Control that I have, ERM is not configured and there is no communication with it (only RAR and CUP are configured). So, I would like to know if it's possible to configure User Access Review apart from ERM.
    To realize the Role Usage Synchronization job in ERM, the transaction usage information from RAR alert data is needed. The job also obtains role to user assignments and role content information from the back-end systems. Access Control then translates the transaction usage information into role usage.
    If this information could be extracted from the backend tables, I am looking for an alternative way to load data into the system, regardless of ERM. Is it possible?
    Thanks in advance
    Marta

  • User Access Management(UAM) in SAP

    What are the various options to perform UAM for SAP solutions from an external application? For example can we create Users, groups, assign roles etc within SAP?
    1) Is webservice an option? If so, is it RESTful or SOAP based?
    2) Is an RFC call available?
    3) Can we use any other mechanism such as a BAPI wrapped with our own custom module exposed as an RFC?

    I have looked at your screenshots, and am not too concerned with the MSMP settings yet as we are trying to first fix your Generation job.
    I would enable the admin review in your setting to just see if all the necessary data is being generated, i.e. in case there are blank role owners for some roles, this could be causing an issue.
    As for your criteria selection, ensure no blank fields were left in the selection made.
    I would have a read of the following WIKI and see if any of the points mentioned are applicable. The first mistake made by many is to not perform the sync jobs in the correct order.
    Troubleshooting UAR Request Generation - Governance, Risk and Compliance - SCN Wiki
    From my memory, I know for SOD reviews "offline risk analysis" had to be enabled, but unsure if this is also necessary for UAR.
    Also refer to the following general wiki User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

  • User details are missing in Access request in GRC 10.0

    Hello All,
    When we are trying to create an Access request in GRC 10.0 for a user, it results in user details not found.
    Under SPRO - Maintain data source configuration we have configured 2 HR systems, HR1 and HR2.
    But the user details exist in the HR1 system and are within validity as well. We have tried to run the Repository Object Sync also, and are still unable to search the details.
    But we observed that even after the Sync job, user details are not created in tables GRACUSER and GRACUSERCONN. Could this be the problem? Why is it not updating even after running the Sync job many times, almost 10 times?
    We have also configured parameter 5023 to YES. Please advise.
    Thanks in advance.

    Is the sequence for HR1 set to 1 or 2? I hope you are following the suggestions given by Luciana in the other thread.
    Please post your data source config screenshots otherwise.
    BR,
    Mangesh

  • Set Single user with reviewer access to multiple conference room calendars

    I want to add a single user with reviewer access to multiple conference room calendars. I used the command below but it gave the error below. For a single calendar I am able to add the user, but adding a single user to multiple conference room calendars is not happening.
    Import-csv C:\smtp1.csv | foreach-object {Add-MailboxFolderPermission -identity $_mail":\Calendar" -User "Mike" -AccessRights "Reviewer"}
    Smtp1.csv
    mail
    [email protected]
    [email protected]
    Error:--
    [PS] C:\>Import-csv "C:\smtp1.csv" | foreach-object {Add-MailboxFolderPermission -identity "$_mail:\Calendar" -User "Mike" -AccessRights "Reviewer"}
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

    i tried with that as well but getting the below
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    Cannot process argument transformation on parameter 'Identity'. Cannot convert value "" to type "Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter". Error: "Valu
    e cannot be null.
    Parameter name: mailboxFolderId"
        + CategoryInfo          : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxFolderPermission
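
Added example, not part of the original posts: the first error above comes from how the mailbox address is spliced into the folder identity. Inside double quotes PowerShell reads `$_mail:` as a variable reference rather than the `mail` property of `$_`, so it expands to nothing and the identity becomes `\Calendar`. The sketch assumes an Exchange Management Shell session and the same one-column CSV as in the post; the `$delegate`, `$rights` and `$results` names are illustrative.

```powershell
# Added example: grant one delegate Reviewer rights on many room calendars
# and keep a record of what was changed. Assumes the CSV has a 'mail' column.
$delegate = 'Mike'        # delegate named in the post
$rights   = 'Reviewer'

$results = Import-Csv -Path 'C:\smtp1.csv' | ForEach-Object {
    # Read the property explicitly; "$($_.mail)" is the in-string equivalent.
    $address = "$($_.mail)".Trim()
    if (-not $address) {
        Write-Warning 'Skipping a row with an empty mail column'
        return   # inside ForEach-Object this moves on to the next row
    }

    # Braces end the variable name before the colon, so the ':' is kept
    # as literal text instead of being parsed as part of the variable.
    $folder = "${address}:\Calendar"

    # Look for an existing entry first so the run can be repeated safely
    # and so any pre-existing grant is surfaced for review, not overwritten.
    $existing = Get-MailboxFolderPermission -Identity $folder -User $delegate `
                    -ErrorAction SilentlyContinue

    if ($existing) {
        $status = 'AlreadyPresent'
        $detail = ($existing.AccessRights -join ',')
    }
    else {
        try {
            Add-MailboxFolderPermission -Identity $folder -User $delegate `
                -AccessRights $rights -ErrorAction Stop | Out-Null
            $status = 'Granted'
            $detail = $rights
        }
        catch {
            # Record the failure per mailbox instead of stopping the batch.
            $status = 'Failed'
            $detail = $_.Exception.Message
        }
    }

    New-Object PSObject -Property @{
        Folder = $folder
        User   = $delegate
        Status = $status
        Detail = $detail
    }
}

# Summary of grants, pre-existing entries and failures for the change record.
$results | Format-Table Folder, User, Status, Detail -AutoSize
```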

  • GRC 10.0 Access Request workflow error

    Hi,
    While creating a change request in AC10 to assign roles I get task errors (see example in attachment) and the request does not appear in the approver's (manager stage) work Inbox.
    Can anyone help and advise what can be missing and what should be checked additionally?
    I've checked all configuration settings as described in the Post-Installation and Pre-Implementation docs but still get the same error and the request does not appear in the work Inbox.
    WF-BATCH user has assigned in GRC system roles as below:
    SAP_BC_BMT_WFM_SERV_USER
    SAP_GRC_FN_ALL
    SAP_GRC_FN_BASE
    Thanks a lot for advice!
    Aga

    Hi
    Yes, it helped. Now there are no errors at this stage and the request appeared in the manager's work inbox. I've only assigned the recommended roles at first. It looks like I need to look for additional roles for both users or authorization objects which are missing for SAP standard roles to avoid assignment of SAP_ALL.
    Thanks a lot!!!
    Regards,
    Aga

  • Mitigation assignment approval in Access Request Workflow

    Hi Guys,
    I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
    Below is the Scenario,
    1) User Submits the request
    2) Manager Approves
    3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
    Clarification:
    Once the role owner approves, depending on the mitigation controls assigned, can this request be routed to the mitigation control owner for approval in the next stage? Is this configurable without custom BRF+ rules? I know there is a separate workflow (SAP_GRAC_CONTROL_ASGN) for approval of assignment, which I suppose is outside of the Access request workflow.
    Please suggest.

    Pavan,
    more or less - as the control assignment workflow is independent, the access request doesn't wait. So if the role owner sets a mitigation, the control workflow starts. If you allow the role owner to approve the access request with risks, meaning if the risk isn't mitigated, then the role owner can proceed.
    To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
    Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
    Does this answer your question?
    Regards,
    Alessandro

  • Error while trying to submit Access request to GRC from IDM

    Hello
    We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
    We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
    Is there anything wrong with the script which put RoleData details since its getting aborted ?
    I tried providing Role name directly in Role data attribute inside the action task and got following error:
    Error
    putNextEntry failed
    storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code
    82 - (GRC User Access Request:82:Script execution failed)]; remaining name
    'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
    I checked VDS Logs and there was one error :
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
    From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
    Regards
    Deepak Gupta

    Thanks Christopher
    I got my issue fixed, There was issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
    Regards
    Deepak Gupta

  • Problems in creation of a new user in the workflow

    Hello everybody,
    I created a task "create new user" in the workflow. When I chose the "password" attribute, the entry couldn't be created. Without that attribute, I am able to create a user and see him in the monitoring, but can't log into the workflow because of a password error. Could anybody tell me what went wrong here? Did I forget a setting?
    Thank you in advance...

    Hi All,
    We suddenly started getting this error:
    Access denied.
    You may not have access to perform this task on the chosen person
    or your session has timed out. (Try to log into the system again.)
    As told above we already have extension=php_mcrypt.dll enabled in php.ini file like this.
    ; Local Variables:
    ; tab-width: 4
    ; End:
    [PHP_LDAP]
    extension=php_ldap.dll
    [PHP_MCRYPT]
    extension=php_mcrypt.dll
    [PHP_MSSQL]
    extension=php_mssql.dll
    [PHP_XSL]
    extension=php_xsl.dll
    We are also having file libmcrypt.dll in the php.ini folder.
    This error is only coming for one queue when we try to open a transaction and not for any other queue. We have the same access to all the queues. This has only been happening since today; until yesterday we never had this issue.

  • User change attribute workflow with approval  problem

    Hello,
    I have a requirement to add account numbers to a user entry through a workflow with an approval process, and the same user can have multiple account numbers. When the approver approves the user request, the account number will be added to the user entity in LDAP.
    So, I have created a Change Attribute workflow for that account number with these steps: initiate, Approval, Commit, Error_report.
    I am able to invoke this workflow through an IdentityXML call, and from the OIM interfaces approvers are able to approve, and that account number is persisted under the User entity.
    The problem is: the above request is a staging system. When the user requests, it is in the initiate step; only when the approver approves the request is the info committed. So, there are 2 stages here.
    When I make two consecutive account number requests, both requests are in the initial stage. Then the approver approves the 1st request and it is persisted into the User entity. After that the approver approves the 2nd request, and this account number overwrites the previous one. So, here is the problem I am finding: the workflow is not adding the new account number; instead it is replacing the last value in the list of account numbers for a User entity.
    I hope the above problem is understandable.
    It would really be very helpful to find a solution to this.
    Thanks in advance,
    Srini.

    Thanks for the help. Having reinstalled OID/OAM a bunch of times to properly add our custom user object, nothing seems absurd. I tried running through your steps, but I'm still not getting the workflow button. I've customized create and delete workflows properly, but the change attribute is a mystery.
    I did the following:
    1) Selected a custom attribute in Attribute Access Control
    2) Changed its read access to Anyone
    3) Saved
    4) Changed its modify access to Anyone
    5) Saved
    6) Added a new Change Attribute workflow for the custom attribute
    7) Action #1: Request, added Anyone as participant and saved
    8) Action #2: External Action, selected attribute is the custom one
    9) Action #3: Commit
    10) Saved and enabled the workflow
    11) Restarted the Identity server
    12) Picked a user
    13) Opened his user profile
    14) Clicked Modify
    The custom attribute is still editable and has no Request a Change button.

  • Multiple users accessing single application in HTML DB 2.1 with XE

    Hi,
    I am struggling to setup an application in HTMLDB 2.1 on XE.
    I would like multiple users to be able to access the same application. I have created the application and the users but now I need to give the new users access to the application.
    Can some highlight how to do this? Is it with authorisation schemes?
    Thanks
    Joel.

    Joel,
    Have you reviewed the XE documentation on Managing End Users?
    http://download-west.oracle.com/docs/cd/B25329_01/doc/appdev.102/b25309/wrkspc.htm#CHDDFDCH
    Sergio

  • GRAC10.0 FF Log Review Workflow

    Hello Experts,
    we configured the Firefighter Log review workflow in GRC10.0. The firefighter controller can review and submit the FF Log Workflow item in the Work Inbox.
    There is a question, however: is it possible to let the FF controller review the status of his or her own FF workflow after the submission of the workflow?
    P.S. with Access Request Administration --> Search Request, we can review the status of all the FF log workflows, but the workflows can not be selected or displayed according to Controller/ Approver. 
    Thanks a lot!
    Best regards
    Ying

    Hi Antti,
    thank you for your advice. I submitted this idea under
    https://cw.sdn.sap.com/cw/ideas/8162?back=false

  • Audit log of the User access and permissions

    Hi All,
    We need to have the Audit trail of the user access and permission. Meaning Changes to user access rights will be logged.
    This should include:
    Current Access Rights (including Date the access was given),
    Group membership (including Date the access was given),
    Previous Access Rights (including Date the access was given and revoked).
    Can we reuse any out-of-the-box functionality of CQ? Does anybody have any pointers to this?
    Thanks,
    Debasis

    Hi PChamoun,
    At the outset thanks a lot for the clue. I am very new to CQ. Could you please guide me like, what are the API required to track the rep:policy node changes. Even if workflow will be started after any change to rep:policy but how I will be able to get the information of what change happened.
    Thanks,
    Debasis

  • MobileMe Gallery - allowing multiple users access

    Hi,
    I have a simple question - can I allow more than one user access to a hidden MobileMe Gallery?
    I seem to be able to choose only one name from a drop-down list. I'd like to allow two people access to my gallery. Is this possible?
    Thanks,
    :-Joe

    Joe:
    Give the same name and password to both viewers.
    TIP: For insurance against the iPhoto database corruption that many users have experienced I recommend making a backup copy of the Library6.iPhoto (iPhoto.Library for iPhoto 5 and earlier) database file and keep it current. If problems crop up where iPhoto suddenly can't see any photos or thinks there are no photos in the library, replacing the working Library6.iPhoto file with the backup will often get the library back. By keeping it current I mean backup after each import and/or any serious editing or work on books, slideshows, calendars, cards, etc. That insures that if a problem pops up and you do need to replace the database file, you'll retain all those efforts. It doesn't take long to make the backup and it's good insurance.
    I've created an Automator workflow application (requires Tiger or later), iPhoto dB File Backup, that will copy the selected Library6.iPhoto file from your iPhoto Library folder to the Pictures folder, replacing any previous version of it. It's compatible with iPhoto 6 and 7 libraries and Tiger and Leopard. Just put the application in the Dock and click on it whenever you want to backup the dB file. iPhoto does not have to be closed to run the application, just idle. You can download it at Toad's Cellar. Be sure to read the Read Me pdf file.
    Note: There's now an Automator backup application for iPhoto 5 that will work with Tiger or Leopard.
