Access Request Creation - Role or System Required at Creation

Hi - We are installing GRC 10.1 SP6. When I create a request it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirement to add either a system or a role at the time you create a request?
This is not a huge deal to me as I created templates that include the systems we provision to by default.  However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.
Thanks,
Rich

Hi Richard,
In addition to what Colleen has already mentioned, you can set up the provisioning configuration in such a way that you don't have to select a system in the access request. So basically a request requires either a system or a role. Most of the time (best practice) users select a role without a system. Personally I also recommend that way as the system comes with the role automatically.
In the global provisioning configuration (SPRO > AC > User Provisioning > Maintain Provisioning Settings) you have to define that the user gets created when the role gets assigned.
Alternatively, as you would like to remove both, you can check if it is workable via the request type settings. I don't have a system to test, but you might be lucky. Remove the "Assign object" action from the request type and check if it is still mandatory to add at least one assignment.
SPRO > GRC > AC > User Provisioning > Define Request Type
Please let me know if this helps.
Regards,
Alessandro

Similar Messages

  • Access request creation - select roles screen - field boxes were not aligned

    I'm not sure if this is really the screen of SAP GRC 10.1 access request creation. The field boxes were not aligned. Is there a note to fix this issue? Thank you.
    Regards,
    Jenilyn

    Hi Mohamed,
    Even I used Google Chrome, it's the same. Still facing the same issue. Is there any other way to solve this issue?
    Thank you.
    Regards,
    Jenilyn

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    While creation of any kind of Access Request in GRC through NWBC > Access Management Tab > Access Request > Access Request Creation.
    In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
    My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
    Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
    Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION, PERSONNEL AREA etc? SU01 does not provide this information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    Scenario 1: If we put the user name in “User” field and press intro, the user details are updated.
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaining the parameter 2050 as YES and check once.
    Kindly also refer to the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242 - UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • GRC 10 Not able to search roles in Access Request Creation

    Hello Experts,
    I am unable to search for roles while creating access request by giving system name.
    I am able to search with any other search criteria except system.
    When I look for valid entries for System I get the following connector group values:
    ECC - (Custom Connector Group)
    SAP_BAS_LG
    SAP_ECC_LG
    SAP_HR_LG
    SAP_R3_LG
    All the above connector groups are pointing to the same system XXXCLNT100. I want to get only ECC as the result when I search for the system (Probably then it might work right).
    Others that start with SAP are linked to the XXXCLNT100 for generating rules after activating BC Sets.
    Any ideas how to get this work !!
    Thanks and Regards,
    Ajesh Raju.

    Found Note:
    Note 1654033 - Role search by System is giving same result
    Regards,
    Ajesh.

  • [Prime Access Registrar 6.0] Minimum System Requirements

    Dear, CSC:
    In the installation requirements it says the following:
    Table 1     Minimum Hardware and Software Requirements for Cisco Prime AR Server

    | Component        | Solaris                  | Linux                        |
    |------------------|--------------------------|------------------------------|
    | Operating System | Solaris                  | Linux                        |
    | OS version       | Solaris 10               | RHEL 5.3/5.4/5.5/6.0/6.1/6.2 |
    | Model            | SPARC Enterprise T5220   | X86                          |
    | CPU type         | UltraSPARC-T2 (SPARC V9) | Intel Xeon CPU 3.40 GHz      |
    | CPU Number       | 8 cores (8 threads each) | 4                            |
    | CPU speed        | 1165 MHz                 | 3.40 GHz                     |
    | Memory (RAM)     | 8 GB                     | 8 GB                         |
    | Swap space       | 10 GB                    | 10 GB                        |
    | Disk space       | 50 GB                    | 50 GB                        |

    For linux, the CPU number refers to 4 CPUs or 4 cores?
    Also, is a server of these characteristics capable of, basically, handling any number of TPS? or is there a table that matches TPS versus Server characteristics?
    Regards,
    c.

    Hi,
    Please refer to the following links. They may help you.
    help.sap.com/.../helpdata/en/43/44c532d36157c0e10000000a155369/chap%2040%20is-u%20sap%20utilities.pdf
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5bd723c2-0d01-0010-97a5-cb14fe7f2810
    Regards,
    karthik.
    If the above information helps you, please reward me points.

  • Mitigation assignment approval in Access Request Workflow

    Hi Guys,
    I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
    Below is the Scenario,
    1) User Submits the request
    2) Manager Approves
    3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
    Clarification:
    Once the role owner approves, depending on the mitigation controls assigned, can this request be routed to the mitigation control owner for approval in the next stage? Is this configurable without custom BRF+ rules? I know there is a separate workflow (SAP_GRAC_CONTROL_ASGN) for approval of assignment which I suppose is outside of the Access request workflow.
    Please suggest.

    Pavan,
    more or less - as the control assignment workflow is independent the access request doesn't wait. So if the role owner sets a mitigation the control workflow starts. If you allow the role owner to approve the access request with risks, meaning if the risk isn't mitigated, then the role owner can proceed.
    To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
    Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
    Does this answer your question?
    Regards,
    Alessandro

  • ARQ: Default Role Provisioning Problem in Access Request???

    Hi,
    This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
    MSMP Issue - GRC 10
    I have also followed the note#1616092  for configuring the Default Roles.
    I have performed below activities:
    1. Param#2009 = YES
    2. Param#2010 = 001
    3. Param#2011 = REQUEST
    4. Param#2013 = SYSTEM
    5. Param#2038 = YES
    6. Imported a test role and NO ROLE OWNER is maintained.
    7. In NWBC->-AM->RM, I maintained a test role as a default.
    Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
    The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
    May I know what I am missing here? Why I am getting error and how can I resolve it?
    Please advise.
    Regards,
    Faisal

    Hi Faisal,
    sorry for the late response, I was away traveling.
    default roles are being added by default to access request
    Yes, these roles are added to the access request.
    FN: OK
    and this roles are following your normal paths which I guess assumes manager and role owner.
    How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
    FN: OK. If you enable routing it will go to the routing path. I understood your post as questioning the behavior of default roles, and my point was - they act exactly the same as regular roles.
    - request is going to detour path
    Does it answer my question?
    FN: My point was default roles, like all others, will go to the detour path (assuming you set it up globally).
    Default roles can have a separate path (in my case) where only the supervisor is approving it.
    Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER"  I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
    FN; correct
    It was designed in a way that the initiator rule based on role criticality is sending this rule to a separate path without role owner.
    Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
    correct
    If you do not have separate path - this role like any other will follow standard path you have.
    Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
    FN: good
    My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
    FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
    If the role does not have a role owner it will not allow you to even get to the Role Owner stage - the request will be detoured.
    My point from the beginning was - instead of using the routing rule - in our case we used a separate path for default roles without role owner :) consisting only of the manager stage. Again, your approach is different but will also work.
    Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
    Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
    Are you asking for default roles?
    Please advise.
    Regards,
    Faisal

  • GRC 10.0 SP 14 access request form displays unassigned roles

    Dear experts, when I open the Access Request form and I select a user, and then I click on existing assignments, I am shown a list of roles and systems assigned to this user. However, when I go to those corresponding backend systems to see if the roles are actually assigned, it turns out that they are not. I have rerun all the sync jobs and they all completed successfully. Auto provisioning works on all these systems and there are no issues in terms of the RFC. However, as indicated by the attachments, it continues to show rules that were unassigned from this user some time ago. Where might these assignments be coming from?

    Hi Santosh,
    did you run the repository object sync job in full mode for this connector? This has mostly to do with outdated sync information as you can also see in the following note:
    http://service.sap.com/sap/support/notes/1667112
    Please check again.
    Regards,
    Alessandro

  • No Roles In Access Request - GRC 10 SP06

    Hello Experts,
    With GRC 10 SP 06, I am facing a strange issue. In Access request, when I search for roles to be assigned, I am not getting any result.
    I have performed all post installation steps and the same is working with SP 05 in another landscape.
    Important steps like running background jobs for user/role/profile sync and role import are all done.
    Thanks & Regards
    Ashish

    Hi,
    You have hit a similar problem I faced after moving to SP06.
    What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
    Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
    Hope that helps.

  • Access Request "Model User" - Role Type "Role" disabled in "Select Model Access" screen.

    Hi All,
    I am implementing GRC AC 10.0 - ARM  for provisioning in SAP R/3 and Enterprise Portal systems.
    While using "Model User" access request, I find that UME portal groups are coming as disabled and are not available for selection in tab 'Select Model Access'.
    Also only Type "Single Roles" appear for assignment or selection in the "Model User" form. Type "Role" appears disabled.
    Request help, thanks.
    Regards,
    Piyush.

    Thanks all for the suggestions but issue persists.
    I ran repository object sync in full sync mode for the portal system.
    I re-imported the portal groups.
    Still as earlier while using "Model User" request, I can see the groups with the reference user but it is grayed out and not available for selection.
    The other three scenarios (Access request, Copy Request & Template) work fine. In those request I can select the portal groups as well.

  • ARQ: How to Specify specific system in "System" Field in "Risk Violations" Tab in Access Request???

    Hi,
    I would like to restrict users from selecting systems from the drop down in the "Risk Violations" Tab. In order to achieve this, I opened the "GRAC_OIF_RQUEST_SUBMISSION" application in Admin mode and disabled the field. As a result, this field is disabled. But it is blank. I am unable to maintain any value in it. I tried selecting a value from the drop down and then disabling the field. I saved with the selected value. But later, when the Access Request application was accessed, it again showed blank.
    However, when a user performs risk analysis, the application still performs it for all the connectors!
    The user is authorized to perform risk analysis for a specific connector (controlled using the GRAC_SYS object). But I am not sure where the application is picking up different connectors from.
    Secondly, I also noticed that this "System" drop down has multiple entries in it along with "ALL". I don't have any clue where these values are coming from!
    Can anybody help me in understanding and addressing this?
    Also, may I know how other are tackling this? I mean, is "System" drop down disabled with specific value as default or enabled with ONLY specific value?
    Please advise.
    Regards,
    Faisal

    Hi Faishal,
    I went through the challenge you have described. On top of the mentioned issues - do you know that if a user selects a system (has requested a role for it) but you have no SoD rule book defined for it - GRC will identify no SoD risks for the request and will mark all roles (even those for other systems for which a rulebook is defined) as 'green' on the access approver screen. The expected behavior would be that only the selected role would be marked as green and the others would still be red. We also tried the option 'ALL', however the results provided in our case were not accurate (we did recons to single systems).
    This strange system behavior (SP14) was reported to SAP. In this case, if you have a path defined for SoD detour - the system will not go on detour as there is no risk defined.
    What we did was set up a fixed value in this field (our production system with rulebook) and put this system as parameter TVARV (system dependent), and using the value of this parameter we fixed the system against which the analyses are executed.
    Filip

  • Composite role not showing in Access request screen. (BRM not used)

    Dear All,
    I have created a composite role in the backend system with 2 single roles.
    a. I have imported the single roles using the NWBC screen.
    b. Ran the auth sync job.
    c. Imported the composite role as a technical role using the NWBC import screen.
    The import procedure was successfully completed.
    But when I try to search for the role in the Access request screen for a user - I can only see the single roles and not the composite roles?
    Please advise.
    Raju

    Hi Raju,
    In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
    The final stage of the composite role has to be in complete status.
    Regards,
    Ameet

  • GRC 10 Access request with 'System entry only' goes to escape route

    Hello All Experts,
    I am facing the same issue but the scenario is different, and I found it is not possible with the above solution. If I am submitting a request with ONLY a system, then the request will go to AUTO approve and end.
    1) In the change authorizations option, the end user submits a request filling in only the SYSTEM option.
    2) The request goes to 1st Stage people, who will add roles into the system.
    The existing MSMP no-role-owner rule is used as the routing condition here; if the role approver is not FOUND, the request takes the ESCAPE ROUTE and goes to the Escape Stage with the system option and role (if no role owner is defined for it).
    3) If the role has an owner, it goes to the Role Owner.
    Can we remove the SYSTEM option from the request and send it to the NO PATH stage instead of the ESCAPE route
    OR
    Is there any better way to handle this? The client does not want to APPROVE requests with SYSTEM entries but is ready to handle requests with no role owner.
    Please help..  **Urgent**

    1. Look at the following link and ensure you have a similar Initiator created and applied in MSMP.
    GRC Request with both System and Role Line Items
    2. Ensure in MSMP you have "no stages" in the path for "system only" requests. Paths with no stages will work on roughly SP10 onwards (from experience).

  • I don't have the up to date system requirements to run iCloud on my mac but would still like to access my email on my mac.  I think I need to update my settings, but am not sure what to do.  Can anyone help.  thanks

    I don't have the up to date system requirements to run iCloud on my mac but would still like to access my email on my mac.  I think I need to update my settings, but am not sure what to do.  Can anyone help.  thanks

    Welcome to the Apple Community.
    If you haven't done so already you need to migrate your mail account to iCloud first and do so IMMEDIATELY at the website Move
    Then
    Delete your mail account from Mail preferences and set it up again using the Mail Server Information.
    Some users have apparently encountered issues using this information in pre-Lion set ups (I haven't), Roger Wilmut has kindly provided instructions for those who find themselves with this problem.
    Entering iCloud email settings manually in Snow Leopard or Leopard
    Entering iCloud email settings manually in Tiger
