Access Enforcer Role Import - Reaffirm period

Hello
What do the following terms mean:
last reaffirm
reaffirmperiod
We currently upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
Thanks

Hi Prakas,
Reaffirm period (in months) is the duration after which you would like the Approver of the Role (Role Owner / Role Approver) to get notified of which users in SAP have access to that Role, and whether he wants to continue giving that role to them or wants to remove that Role from all of them or any one of them.
He would get the details on which Role requires Reaffirm at the following location:
In AE 5.2: log in with the Role approver ID (e.g. ABC) into AE.
In tab Access Enforcer > Reaffirm.
A list of all the roles of which ABC is approver and which require reaffirm would display here.
ABC can now take appropriate action by selecting the role name.
*Last reaffirm* is the date when the Role was last reaffirmed/revisited/reassigned.
In your scenario you have given Reaffirm period = 60, which means your Role Owner would get the Role in his Reaffirm inbox after 5 years.
This is not best practice. For security reasons, SAP advises to keep the Reaffirm period to a maximum of 2 months.
I hope this answers your query .
Thanks
Jasmine
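
The reaffirm arithmetic described in the answer above, worked through as an added example (not part of the original thread and not SAP code): each role's next reaffirm date is computed as last reaffirm plus the reaffirm period in months, and rows an access reviewer would question are flagged. The column names, role names and sample rows are constructed for illustration, and `max_period` defaults to the 2-month ceiling the answer cites.

```python
import calendar
import csv
import io
from datetime import date, datetime

# Constructed sample in the shape of a role-import sheet. The column names are
# assumptions for this example, not Access Enforcer's actual import template.
SAMPLE_CSV = """\
RoleName,System,RoleApprover,ReaffirmPeriod,LastReaffirm
Z_AP_CLERK,ECD,ABC,60,03/15/2005
Z_AR_CLERK,ECD,ABC,2,12/31/2008
Z_BASIS_ADMIN,ECP,ABC,0,12/31/9999
Z_HR_DISPLAY,ECP,ABC,12,12/31/9999
"""


def add_months(d, months):
    """Shift d by a number of months, clamping the day to the month's length.

    Returns None when the result falls outside the supported calendar range
    (for example when a placeholder date in year 9999 is pushed forward).
    """
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    if not (date.min.year <= year <= date.max.year):
        return None
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review(csv_text, today, max_period=2):
    """Return {role: (next_due_date_or_None, [flags])} for every row."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        period = int(row["ReaffirmPeriod"])  # months
        last = datetime.strptime(row["LastReaffirm"], "%m/%d/%Y").date()
        due = add_months(last, period) if period > 0 else None
        flags = []
        if period <= 0:
            flags.append("NO_PERIOD")  # no due date can be derived
        elif period > max_period:
            flags.append("PERIOD_TOO_LONG")
        if last > today:
            flags.append("LAST_REAFFIRM_IN_FUTURE")  # placeholder date
        if due is not None and due <= today:
            flags.append("OVERDUE")
        results[row["RoleName"]] = (due, flags)
    return results


if __name__ == "__main__":
    for role, (due, flags) in review(SAMPLE_CSV, date(2009, 6, 1)).items():
        print(f"{role:15} next reaffirm: {due}  flags: {', '.join(flags) or '-'}")
```

The first sample row reproduces the situation in the question: a 60-month period on a role last reaffirmed in 2005 yields a due date in 2010.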

Similar Messages

  • Access Enforcer - Role Reaffirmation

    Hi,
    Access Enforcer offers a role <-> user assignment reaffirmation after a defined period.
    My question is, what happens when using the Remove or Hold button in the Role Reaffirm menu entry?
    I tried removing the access, but all that happens is the user entry is marked as "Remove".
    Should an automatic Request for the role removal be triggered or what's the purpose of these two options?
    Thanks,
    Daniela

    I answered the question myself.
    Hold will keep the role in the queue to reaffirm.
    Remove will automatically remove the role from the user once all user-role assignments have either been affirmed or removed.

  • Access Enforcer and Import Roles

    Hi All,
    I am having issues importing roles that have the exact same name across different systems. This makes it almost impossible to implement Access enforcer across Dev/QA and Production environments at once. I would have thought that AE uses the (System ID, role name) as the key for that particular table used.
    Has anyone managed to find a workaround for this?
    Cheers,
    Cuneyt

    Never mind, I have solved the problem.

  • Access Enforcer(error in approving the request) and import roles

    Dear all,
    Error in approving the request at the security stage (last).
    Manager and role owner approved successfully.
    Also, importing roles into Access Enforcer was not successful.
    Import status : 0 roles imported of 28 records found.
    Please find the system log:
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:02:28,234 [Thread-47] DEBUG

    In Addition to my previous response:
    I meant to include the following:
    Some of the fields that need to be properly defined with attributes are:
           System: must have the known SAP system defined here
           Role Approver (I am presently using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
           Functional Area: need to have all the areas defined that roles will be assigned to
           Company: I only have one company so that's an easy one
    Some areas I presently do not use but found they must be coded and coded properly:
           ResponsibilityID:   N/A  (coded as is)
           CommentsMandatory: NO (coded as is)
           Parent Role Owner:   NO
           Business Process: NA  (I believe I originally coded N/A and it did not like that)
           Sub Process: NA  (again N/A I believe error on me)
           Reaffirm Period: presently I am using 0 (zero)
           LastReaffirm: presently using 12/31/9999
    Hope this helps a bit
    I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
    Jerry Synoga
    Ryerson Inc.
    630-758-2021

  • Access Enforcer Import Role Automation

    We would like to automatically import roles from SAP.
    We do know that you can use Role Expert which in itself can be used to automate the import. However, we still have to manually import into AE - even if RE is used as the role source.
    Is there a way to periodically automate the import from either SAP or RE? It does not make sense to have to manually import roles every time a new role is created in SAP.
    Thanks

    Actually, it does make sense.
    One of the prime features of Access Enforcer is that you don't import all the roles, but just the ones you want users to be able to request.
    For each of the roles, it's useful to put them into some kind of category (functional area, business process, sub-process), which makes handling for users a lot easier, and you have to assign approvers.
    One way to do that is to use an Excel spreadsheet and manage the data there. Easy to use and update, and quick to upload into AE.
    Kind regards,
    Frank.

  • Upload of role in Access Enforcer 5.2.

    Hi All,
    I need to upload roles in Access Enforcer from SAP ECC system. Actually I have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
    Now i need some way, first to clean entire uploaded roles & then upload selected roles.
    Please suggest.
    Thanks & Regards,
    Pravin

    Hi Pravin,
       Here are the steps:
    1) Download all the roles into an excel spreadsheet:
    Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
    2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
    3) Delete not needed roles from spreadsheet and upload it into CUP:
    Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
    Regards,
    Alpesh
    SAP GRC Manager (PwC)

  • Access Enforcer/ CUP   - Export/ Import?

    Hi, I wanted to know if there is an export functionality in the Access Enforcer/CUP (GRC v 5.2)? I wanted to export the workflows and other items I have created outside the current environment and import them to a different environment. Is this actually possible?
    Thanks,
    Ken

    Hi,
      You can go to configuration -> initial system data and select the checkboxes in front of the data you want to export. Click on export button and save the file. Now, you can import this data by going to same place in the other CUP system and import the file with 'clean and insert' option.
    Regards,
    Alpesh

  • Access Enforcer - REMOVE roles/existing roles inoperant

    Hello
    After some time using the capability to ADD and REMOVE roles when creating a request on Access Enforcer (using the option 'Existing Roles' to REMOVE), Access Enforcer now always goes back to the ADD screen when we try to access 'Existing Roles'.
    So, the function to REMOVE roles is inoperative.
    Any ideas what it could be?

    Hi,
    When you open a changing access request it's possible to add new roles and remove existing roles from the user, right?
    However, the option to remove roles (which is accessed through the 'existing roles' button) is no longer working.
    When that option is accessed, the current user's access is no longer shown: the screen returns to the add roles option.
    I haven't found any setting for the feature to remove roles and still don't know why that option, previously used in other requests, is not working for anyone else.
    Regards
    Heverton Kesseler

  • Error in Mass role import in Role Expert

    Hi,
    While configuring Role Expert, in mass role import, I am able to import the bulk download file, but its import fails with the error "File is in invalid format".
    If I alter the downloaded file, another error is generated saying "Cannot write to Upload Directory ursula\sap_temp\ROLEIMPORT or Directory does not exist."
    Please help me out!
    Regards,
    Anubha

    Hi Michael,
    I am not able to import the SAP roles properly.
    I downloaded the roles from the backend properly. But while importing them I am getting a list of backend roles and against each of them the following message: "Error in processing role infomation. Role not imported".
    What could be the possible mistake? I have set Upload Directory = ursula\sap_temp.
    One more problem: while creating a new role I am able to reach the risk analysis phase successfully. After that, as soon as I click on approval, I am getting the message "Error in creating request".
    I suppose the control should go to Access Enforcer from here. I have already set AC Workflow URL for role approval in Configuration -> miscellaneous.
    Thanks in advance!
    Anubha

  • Problem with Role import in GRC 10.0

    Dear GRC Gurus,
    I want to import roles from the backend to a GRC 10.0 system. For this I am using NWBC.
    In NWBC --> Access Management --> Mass Role Maintenance --> Role Import --> on this page the options below are selected:
    Role Selection --> Technical Role
    Import Source: Role Attribute Source: User Input, Role Authorization Source: Backend System
    Definition Criteria:Application Type: SAP, Landscape: nothing is shown in the dropdown, Source System: nothing is shown in the dropdown
    Without Defining Landscape and Source system I cannot proceed further
    Please advise why the system is not showing up the values in the dropdown.
    I have maintained role status as production in SPRO.
    I appreciate your help.
    Thanks,
    Swathi

    Hi,
    Sabita is correct.
    Here is the link to the documentation
    SAP Access Control 10.0
    Simon

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    We are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 systems in the landscape, one of them an HR system. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question of whether we should at the same time also have a CUA introduced, or whether it is better to directly provision the users and roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, a AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk'  role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • Error on role import for SAP integration with BO in CMC (3.1)

    Hello,
    We are trying to integrate existing BO environment in our company with existing BW installation.
    BO Environment - 3.1
    BW/ECC Environment - (BW - BI 7.0 SP20, ECC 6.0)
    So got the pre-requisites completed and the transports imported into both BW and ECC environments. Upon these steps we went ahead and installed the integration kit for 3.1 system.
    There were no error messages, after we completed the installation went into infoview and in the authentication drop down checked to see if I can get "SAP" in there....which it did. So, I am assuming there were no issues till this point which we might have missed out.
    Upon this, when I went into SAP authentication in CMC and double clicked on SAP and in the next screen clicked on "NEW" and added in the application server, system number, id and password and updated it...this automatically updated the logical system.
    But when I go into the role import, it gives me the following error message....
    Exception in JSP: /jsp/auth/sapsec_import_role.jsp:22:19:20: <%21:string context::secSAPR3ImportRoleBean.getContextPath():22: secSAPR3ImportRoleBean.init(request):23:response.setHeader("Expires","0"):24: 5> Stacktrace:
    The only thing is we have not assigned the CRYSTAL_ENTITLEMENT role to it as we are at this point only trying to see if we can log into webi...
    So, is it required to assign this role to an existing user id role in order for me to import the roles into BO CMC screen in order to be assigned to a group.
    Can you please help me out on this.
    Thanks
    Dharma.

    Hello Ingo,
    Thanks a lot for looking into the question.
    Yes, we are talking about the SAP Authentication part where I am trying to import roles in SAP into BO after I provide the login information in the Entitlement systems tab.
    I confirmed that all parts of Java Connector configuration were taken care of as mentioned in the installation manual and from your blog.
    The only piece left off is the CRYSTAL_ENTITLEMENT role assignment to the id which is used within the entitlement systems tab in CMC. I will get this configured and try it one more time.
    Just to confirm,
    1. The new user id to be created (should it be a RFC user or dialog user)
    2. Is the only role to be assigned to the new user is CRYSTAL_ENTITLEMENT with the authorization mentioned in the installation manual
    3. What are the roles to be imported into BO within CMC (are these the roles which we want for data access)
    4. When a user tries to login with any other user id other than the one listed in Entitlement systems tab, does it use the roles assigned to that person in SAP to retrieve the data or would it be dependent on the roles imported into BO within CMC in earlier step.
    Please let me know.
    Thanks
    Dharma.

  • Can access enforcer be implemented with going through the SOD check.

    Hi All,
    I have couple of questions regarding Access enforcer:
    1. Can Access enforcer be implemented with going through the SOD check?
    2. Can we provision roles for the project team using Access Enforcer (without having a million SOD conflicts which need to be cleared)?
    I would really appreciate any insight on these questions.
    Thanks

    https://websmp103.sap-ag.de/~form/sapnet?_FRAME=OBJECT&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000206624&_HIER_KEY=601100035870000212731&_HIER_KEY=601100035870000210510&_HIER_KEY=701100035871000519581&_SCENARIO=01100035870000000202&#HOME

  • CUA vs. Access Enforcer

    Can anyone explain the need for implementing both CUA and Access Enforcer?
    We are currently upgrading to ECC 6.0 and implementing the GRC tools (5.2) and CUA. With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA.

    Hi Patrick
    1) In this scenario the only benefit with CUA I can see is
         a) Password reset
         b) locking and unlocking the user.
    2) If you use GRC AC in the landscape, it is not at all recommended to assign roles and profiles using CUA. This can lead to high-level compliance/regulatory issues.
    3) If you are implementing a new CUA, then I would recommend going for the NW Identity Management Solution. Advantages are
        1) User provisioning for SAP and non-SAP system
        2) can be integrated with GRC for Risk analysis and remediation.
        3) Password Management also possible.
            https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    regards
    Anand.M
