Configuration access control

Similar Messages

• Configuring Access Control with OIM 11gR2

  Hi,
  I have to configure Access Control resource with OIM 11gR2. Kindly share relevant pointers.
  Best Regards,
  Varun

  I think this link will be Helpful
  22.5.1 Configuring Oracle Application Access Controls Governor
  http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/segduties.htm#OMDEV3394

• Configure Access Control Owner screen

  Hi All,
  I am working on SAP GRC project and it's very new to me. I have one user and that user has Access control owners screen.
  This role displaying all the Central Owner in the table. When I click one role than Open button gets activated. When i click open button it's navigating to Owner assignment screen in Central Owner Administration. In here i am having two doubts,
  1. Is this possible to create duplicate screen of Owner assignment screen
  2. If possible how to configure that in Access Control Owners screen.
  Your valuable answers will be appreciated.
  Thanks in advance.
  Regards,
  Kathiresan R

  Hi Kathiresan,
  its not possible for creating duplicate entries for one user with similar owner administration in Access Control Owners tab.
  and it is possible, for one user we can able to assign multiple responsibilities.
  Once we are in to Access control Owners screen
  -> select the user id which you want assign additional responsibility like Risk Owner, MC owner and FF role owner etc.
  -->Click on open button and select multiple responsibilities and save the data.
  And make sure that user should have the required roles before assigning the responsibilities in access control owners.
  Thanks,
  Siva

• ADF Authorization for ADF Mobile:Configuring Access Control URL for ADF App

  Can someone explain, how to expose weblogic user roles as a Rest Json Api? Basically I want to set up Access Control URL to authorize users on adf mobile.

  Hi Frank,
  This is what I did. Could you please let me know if I am doing it right.
  1. Created an adf application with a simple page and applied security basic http authentication.
  2. Added a rest service implementation in the same application, changed the adf application web.xml as below
  <servlet-mapping> 
     <servlet-name>jersey</servlet-name> 
     <url-pattern>/jersey/*</url-pattern> 
    </servlet-mapping>
  3. When I test the rest service in browser, it asks to log in and returns the user roles. Below is my rest implementation
  @POST
  @Produces(MediaType.APPLICATION_JSON)
  public User getMessag3() throws Exception {
  return new User();}
  the rest service returns the logged in user roles in below json format.
  {"userid":"susant","roles":["SSBAccessGroup","authenticated-role","SSBAccessApp","anonymous-role"],"priviledges":[]}
  Do I need to implement anything on the ADF mobile side or I can just add the rest service url to the authorization tab. Will adf mobile automatically handle sending the http request.
  Actually I just added the rest service url to adfm-applications connections authorization tab and I am getting ACS failed error after log in.
  Thanks

• Access control for different user groups in APEX 4.0

  Hi guys,
  in Apex 4.0, is there any way to use the access control page to configure access control for different user groups?
  The access control page currently only has an access control list by users with 3 privileges namely, Administrator, Edit & View where Administrator has the highest access level & View the lowest. Therefore 1 user cannot have more than 1 different privilege, however if the user belongs to 2 or more different groups then we can control what access he can have in a more fine grained manner. We also want to have more than the 3 privileges given.
  Can we assign different groups to different users and let them have different privileges to be configured by page, region, process or item level?
  Now Apex will create 2 tables, Apex_Access_Control & Apex_Access_Setup to store the application access control mode & access control list. It will also create 3 authorization schemes "access control - administrator", "access control - edit" & "access control - view" based on the 2 tables.
  Does this mean we have to change the table structures & edit the authorization schemes to suit our usage? We are reluctant to do this because if we upgrade to a newer version of Apex then we would have to merge our pl/sql coding with Apex's updated code.
  How can we auto-configure more than the 3 authorization schemes in the access control page? Is there any way to achieve a finer grain of access control based on the current access control administration page given by Apex without writing it ourselves?
  We are afraid that we may have missed something on Apex access control & do not want to reinvent the wheel.

  Hi Errol,
  to build your own application authorization scheme around the security model supplied by Apex for administration of the Apex environment would be a bad idea.
  This was never intended for authorization scheme management in custom built Apex applications, it was solely intended to control access in the Apex environment overall. The API for it is not published, and making changes to it, such as adding more roles, would run the risk of breaking the overall Apex security model. It would not be supported by Oracle and Oracle would not guarantee the upwards compatibility of any changes you make in future versions of Apex.
  In short, you should follow Tyson's advice and build your own structure. As he indicated, there are plenty of examples around and provided your requirements are not too complicated, it will be relatively simple.
  Regards
  Andre

• Access Control up grade from 5.2 to 5.3

  Hi,
  One of my client have
  1. Earlier Access control 5.2 was installed but only FF are configured and is in use.
  2. After some time Access Control GRC 5.2 server (front end) have some problem so they have
  installed 5.3 to front end level
    --no back end patch was updated
  --no connector are created.
  Now the situation is as follows
  Front end -access control 5.3 -
  Back end -RTA is access control 5.2(they are only using FF)
  No connector are created
  From this situation how can we take it forward to access control 5.3.
  I have following question
  1. can  we update back end to 5.3 and start configuration --what is the impact?
  2. Do we need to take back up of table FF as client is using only FF.
  Thanks,
  Digambar

  Hi
  5.2 RTA will not be compatible with with GRC 5.3 RTA .
  So best would ne to upgrade your backend RTA to 5.3 and SP level shoul;d be in Synch with level of SP of front end i.e SA P GRC 5.3 .
  Thanks & Regards
  Asheesh

• Issue while enabling Access Control for a Coherence server node

  Hi
  Im trying to enable access control for a Coherence server node, using the default Keystore login method shipped with Coherence. When i start the server i get the error "java.security.AccessControlException: Unsufficient rights to perform the operation". Please see below for the sequence of steps I've followed to enable access control. I just need to be enable Authentication (not authorization) at this stage
  1. I have added the following entry in the Coherence Operational override file
  <security-config>
            <enabled system-property="tangosol.coherence.security">true</enabled>
            <login-module-name>Coherence</login-module-name>
            <access-controller>
                 <class-name>com.tangosol.net.security.DefaultController</class-name>
                 <init-params>
                      <init-param id="1">
                           <param-type>java.io.File</param-type>
                           <param-value>keystore.jks</param-value>
                      </init-param>
                      <init-param id="2">
                           <param-type>java.io.File</param-type>
                           <param-value>permissions.xml</param-value>
                      </init-param>
                 </init-params>
            </access-controller>
            <callback-handler>
                 <class-name>com.sun.security.auth.callback.TextCallbackHandler</class-name>
            </callback-handler>
       </security-config>
  2. The following is the entry in the Permissions.xml
  <?xml version='1.0'?>
  <permissions>
  <grant>
  <principal>
  <class>javax.security.auth.x500.X500Principal</class>
  <name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
  </principal>
  <permission>
  <target>*</target>
  <action>all</action>
  </permission>
  </grant>
  </permissions>
  3. The following is the content of the Login configuration file "Coherence_Login.conf"
  Coherence {
  com.tangosol.security.KeystoreLogin required
  keyStorePath="keystore.jks";
  4. The following is the command line tag for starting the server
  java -server -showversion -Djava.security.auth.login.config=Coherence_Login.conf -Xms%memory% -Xmx%memory% -Dtangosol.coherence.cacheconfig=PROXY-cache-config.xml -Dtangosol.coherence.override=FOL-coherence-override.xml -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.authenticate=false -Dtangosol.coherence.security=true -cp "%coherence_home%\lib\coherence.jar" com.tangosol.net.DefaultCacheServer %1
  Following is the output on the Console when running the command. It asks for a username and password for the JKS store (If i provide the wrong password, it gives a different error, which shows that it is able to authenticate aganst the Keystore). After i put in the password, it throws the error as shown below "java.security.AccessControlException: Unsufficient rights to perform the operation"
  D:\Coherence\FOL_CacheServer>fol-cache-server
  java version "1.6.0_20"
  Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
  Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
  Username:admin
  Password:
  Exception in thread "main" java.security.AccessControlException: Unsufficient ri
  ghts to perform the operation
  at com.tangosol.net.security.DefaultController.checkPermission(DefaultCo
  ntroller.java:153)
  at com.tangosol.coherence.component.net.security.Standard.checkPermissio
  n(Standard.CDB:32)
  at com.tangosol.coherence.component.net.Security.checkPermission(Securit
  y.CDB:11)
  at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeC
  luster.CDB:6)
  at com.tangosol.coherence.component.net.management.Connector.startServic
  e(Connector.CDB:20)
  at com.tangosol.coherence.component.net.management.gateway.Remote.regist
  erLocalModel(Remote.CDB:10)
  at com.tangosol.coherence.component.net.management.gateway.Local.registe
  rLocalModel(Local.CDB:10)
  at com.tangosol.coherence.component.net.management.Gateway.register(Gate
  way.CDB:6)
  at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluste
  r(SafeCluster.CDB:46)
  at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.C
  DB:2)
  at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:998)
  at com.tangosol.net.DefaultConfigurableCacheFactory.ensureServiceInterna
  l(DefaultConfigurableCacheFactory.java:923)
  at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(Defaul
  tConfigurableCacheFactory.java:892)
  at com.tangosol.net.DefaultCacheServer.startServices(DefaultCacheServer.
  java:81)
  at com.tangosol.net.DefaultCacheServer.intialStartServices(DefaultCacheS
  erver.java:250)
  at com.tangosol.net.DefaultCacheServer.startAndMonitor(DefaultCacheServe
  r.java:55)
  at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:197)

  Did you create the weblogic domain with the Oracle Webcenter Spaces option selected? This should install the relevant libraries into the domain that you will need to deploy your application. My experience is based off WC 11.1.1.0. If you haven't, you can extend your domain by re-running the Domain Config Wizard again (WLS_HOME/common/bin/config.sh)
  Cappa

• Dump on screen when configuring Process controlled workflow

  Hi Experts,
  I am facing 1 problem in SAP SRM 7 ehp1.  I am configuring Process controlled workflow. Previous workflow settings was Application controlled workflow as its been upgraded from SRM 5. If i run a RFX (BUS2200) cycle in application controlled workflow environment, it works flawlessly.
  But when i change my workflow framework to process controlled workflow for all Business Objects. I face a dump when I am creating an RFX. The dump on the portal is:
  http://dl3803.ltisap.com:8040/sap/bc/webdynpro/sapsrm/wda_l_fpm_oif
  DATREF_NOT_ASSIGNED
  No access possible via the 'NULL' data reference
  Method: PARTICIPATING_IN_ACTIVE_WF of program /SAPSRM/CL_PDO_DYN_MDA_WF_ADJ=CP
  Method: EDIT_DURING_WORKFLOW of program /SAPSRM/CL_PDO_DYN_MDA_WF_ADJ=CP
  Method: /SAPSRM/IF_PDO_META_CONF_BO~GET_BO_HDR_ACTION_METADATA of program /SAPSRM/CL_PDO_META_CONF_PROV=CP
  Method: /SAPSRM/IF_PDO_META_CONSUMER~GET_ACTION_METADATA of program /SAPSRM/CL_PDO_META_BO_RFQ====CP
  Method: /SAPSRM/IF_PDO_META_CONSUMER~GET_ACTION_METADATA of program /SAPSRM/CL_PDO_META_BO_RFQ_ADVCP
  Method: /SAPSRM/IF_PDO_META_CONSUMER~GET_ACTION_METADATA of program /SAPSRM/CL_PDO_META_HANDLER===CP
  Method: UPDATE_ACTIONS of program /SAPSRM/CL_CH_WD_MAP_IDENT====CP
  Method: /SAPSRM/IF_CLL_MAPPER~REFRESH of program /SAPSRM/CL_CH_WD_MAP_IDENT====CP
  Method: /SAPSRM/IF_CLL_MAPPER~REFRESH of program /SAPSRM/CL_CH_WD_IDEN_MAP_RFQ=CP
  Method: OVERRIDE_LEAVE_INIT_SCREEN of program /SAPSRM/CL_FPM_OVRIDE_OIF=====CP
  & when i check in st22. I get the dump as:
  Category               ABAP Programming Error
  Runtime Errors         DATREF_NOT_ASSIGNED
  ABAP Program           /SAPSRM/CL_PDO_DYN_MDA_WF_ADJ=CP
  Application Component  SRM-EBP-PD
  Date and Time          17.12.2011 15:46:56
  and get dump at:
    1 method PARTICIPATING_IN_ACTIVE_WF.
    2   " this method returns ABAP_TRUE if the logon user has an active work item,
    3   " i.e. he participates in an active approval workflow process.
    4
    5   DATA lv_curr_workitem_id    TYPE /sapsrm/wf_workitem_id.
    6   DATA lr_process_info        TYPE ref to /SAPSRM/S_PDO_WF_PROCESS_INFO.
    7
    8   " the default:
    9   rv_participates_in_active_wf = abap_false.
  10
  11   " The scenario is not valid for application-controlled workflow:
  12   " Any agents who may edit the document (approver and requester)
  13   " enter "Edit" mode right-away. No special handling possible.
  14   lr_process_info = io_apf_md_context->get_process_info_ref( ).
  >>>   IF lr_process_info->wf_version NE /sapsrm/if_wf_process_c=>GC_APF_VERSION_0200.
  16     return.
  17   endif.
  18
  19   " check if a valid workitem exists
  20   lv_curr_workitem_id = io_apf_md_context->get_workitem_id( ).
  21   IF lv_curr_workitem_id IS INITIAL.
  22     RETURN.
  23   ENDIF.
  the only configuration I change in the system is I changed the workflow framework to process controlled workflow.
  Kindly help.
  Thanks
  Anand

  Hello Anand,
  As per standard SAP recommendations the application-controlled workflow framework is only intended to be used if you are upgrading from SAP SRM 5.0 or earlier and you need to continue using your existing work-flows.
  The default workflow framework setting is the process-controlled workflow from SRM 6.0 on-wards and the user will be provided a option to switch to the application-controlled workflow framework.  The option to switch to process-controlled workflows is available only after you have once switched to application-controlled work flows but there will be a big caution that " If you switch from the application-controlled workflow framework to the process-controlled workflow framework; once a process-controlled workflow has been run, it is not supported that you switch back to application-controlled work-flows".
  As per the details given i got a feel that we have tried executing the scenario by switching between application and process controlled workflow and hence the system have become inconsistent and its dumping.
  I suggest you to raise a OSS ticket to SAP to resolve the issue.
  Best Regards,
  Rahul

• Problems using access control in sender agreement for SOAP adapter 7.1

  I am trying to use Access Control Lists to restrict user access to web services/interfaces which are exposed via PI. This can be configured via the Integration Builder Directory using the u201CAssigned Usersu201D tab of both Communication Components (Business System) and Sender Agreements.
  The configuration is via the above mentioned components. However, I understand that itu2019s the adapters which at runtime are responsible for actually applying these checks.
  I have been having problems getting the access control to work using a setup involving a SOAP adapter of type SAP BASIS 7.10.
  The symptom of the problem is that although the access control works as expected at the Business System level, any settings at the Sender Agreement level appear to have absolutely no effect whatsoever.
  I have confirmed that I have no problems if I use an adapter of type SAP BASIS 7.00. However, I really need to get this working on 7.1.
  I have looked on the SAP support portal but can not find any notes that relate to this.
  Has anyone else had a similar problem? And have you found a fix for it?
  Any suggestions would be welcome.
  Edited by: Malcolm Dingle on Jun 17, 2009 1:08 PM

  Hi Shai,
  Please have a look at the following link and see if it helps you .
  It deals with SOAP adapter installation and activation 
  Re: SOAP adapter installation and activation
  Best Regards
  Edited by: Prakash Bhatia on May 8, 2009 11:51 AM

• Access controll Logs and DNS entries

  Hello there,
  We have upgraded from Border Manager 3.5 to Border Manager 3.8 SP4 on
  new hardware. Everything runs fine except a little niggle. When we
  view the Access Control logs now all we see is IP addresses there are
  no host names. In real time monitoring we can click on DNS Host Name
  and get some of the names but most come back Unknown. Under the logs
  themselves the DNS host Name option is grayed out. Have I messed up
  the configuration in some manner?
  Dan

  Thanks Craig, We are indeed runing the transparent proxy. Is this a
  change between 3.5 and 3.8? When we ran the transparent Proxy under
  3.5 we were able to see the URL's.
  On Tue, 17 Jul 2007 21:36:53 GMT, Craig Johnson
  <[email protected]> wrote:
  >In article <[email protected]>, Dan Larson
  >wrote:
  >> When we
  >> view the Access Control logs now all we see is IP addresses there are
  >> no host names. In real time monitoring we can click on DNS Host Name
  >> and get some of the names but most come back Unknown. Under the logs
  >> themselves the DNS host Name option is grayed out. Have I messed up
  >> the configuration in some manner?
  >>
  >If you have transparent proxy working, you will get IP addresses of
  >hosts instead of URL's.
  >
  >If you are not using proxy authentication, you will get IP addresses of
  >user PC's instead of user names.
  >
  >Craig Johnson
  >Novell Support Connection SysOp
  >*** For a current patch list, tips, handy files and books on
  >BorderManager, go to http://www.craigjconsulting.com ***
  >

• ADF UIX Role Based Access Control Implementation

  Hi,
  Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
  The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
  Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
  Thanks a lot.
  Sathya

  Brenden,
  I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
  If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
  1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
  The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
  2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
  The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
  1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
  Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
  Two links that you might be interested in to read are:
  http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
  http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
  Frank

• After install Crystal Report Server 2011, can not access control tools

  Afte install Crystal Report Server 2011, can not access control tools from web or from application.
  My server OS is Windows 2008 R2 SP1. I follow the default setting. How to fix it?
  Error message is above.

  Is Tomcat started?  On your Start menu you should have an option to get to "Tomcat  Configuration" or, under the CRS menu you can run the "Central Configuration Manager" to start Tomcat.
  What URL are you using to connect to the web app?  By default Tomcat runs on port 8080 so your URL should look something like this:  "http://<servername>:8080/BOE/CMC" or "http://<servername>:8080/BOE/BI".
  If Tomcat is running and you're trying to access it from another computer, check to see if the Windows Firewall is turned on for the server - if it is, turn it off for "Domain" access.
  If Tomcat won't start, go to the folder where Tomcat is installed and then look in the "logs" folder.  There should be a file called "stderr.log" which you can open in Notepad to see what types of errors might be occurring (you can ignore any errors having to do with "persisted sessions".)  If there are other errors, post in the BI Platform space to get assistance.
  -Dell

• EP 6.0 SP2 KM Access control and version problems

  Hi,
  We have installed EP 6.0 SP2 and have configured KM. We have created a File system repository pointing to a shared folder in the local drive. Now, we are facing the following 2 problems:
  1. Access Control for Resources (folders and files) are not working..i.e, even though, we have given 'Read' access to a particular folder for a given portal user, he is still able to delete, rename, etc. How do we tackle this? Is there any property to be set for ACL to work.
  ACL Manager Cache : ca_rsrc_acl
  Security Manager  : AclSecurityManager
  are used for this particular file system repository.
  2. For the very same file system repository, we are not able to get the option 'versioning' for any of the folders. while for other folders in Content Management (CM) repository, 'versioning' property appears. Why is this so? Is there any setting to be done for the property 'versioning' to appear for a file system repository?
  Any help in this regard is highly appreciated.
  Thanks in advance,
  Pavithra

  Hi,
  Thanks so much for the quick response. It was quite helpful. The problem is that while trying to set up W2Ksecurity manager, the system component monitor shows the following error:
  Startup Error:  Exception during start up of sub-manager: The W2kSecurityManager can only be run under Windows 2000 operating systems.
  Portal server is installed on Microsoft Windows 2003 server. But the file system repository is mapped to a shared drive whose host machine runs Microsoft windows 2000 professional.
  My Questions:
  1. Do I have to have Microsoft Windows 2000 ONLY for portal installation.
  2. Can I not have a shared folder mapped to another local machine's directory
  3. Also, Any ideas on whats the max length of file path for KM..Because, its likely that the file path length may extend to more than 200 characters..
  Please help me in this regard.
  Thanks in advance.
  Pavithra

• Change in Access Control components on the Service Marketplace

  Hello GRC community:
  We would like to inform you that as of yesterday (5/30) the Access Control components for support messages/SAP Notes have been changed (they have actually been replaced so all messages/notes logged under the old component will be moved/replaced to the new).
  The main 4 components are now:
  New: GRC-SAC-ARA     Access Risk Management
  Old: GRC-SAC-SCC          Risk Analysis & Remediation (formerly Compliance Calibrator) 
  New: GRC-SAC-ARQ     Access Request
  Old: GRC-SAC-SAE          Compliant User Provisoning (formerly  Virsa Access Enforcer) 
  New: GRC-SAC-EAM     Emergency Access Management
  Old: GRC-SAC-SFF          Superuser Privilege Management (formerly Virsa Firefighter) 
  New: GRC-SAC-BRM     Business Role Management
  Old: GRC-SAC-SRE          Enterprise Role Management (formerly Virsa Role Expert)
  There are also NEW components specific to areas of functionality. If you are not sure of what component to log your message under, please use the main components above.
  GRC-SAC-ADS          Directory Services
  GRC-SAC-BI             Access Control BW
  GRC-SAC-CONF       Configuration
  GRC-SAC-DAS          Dashboard
  GRC-SAC-REP          Repository
  GRC-SAC-RPT          Reporting
  GRC-SAC-UAR          User Access Review
  GRC-SAC-UPG          Installation & Upgrade
  GRC-SAC-WF           Workflow
  Ramelyn Paredes
  AGS Primary Support

  Hello COmmunity,
  To Summarise in Short: New features introduced to V10.0 : GRC 10.0 is ABAP based, so extraction of data from users is fast & analysis as well.
  As usual, the names for the Access control tool has been changed
  A. Access Risk Analysis (RAR)
  1. USOBT & object information will be automatically updated with GRC rather than manual upload (earlier version)
  2. Mass Users can be imported from .CSV file for risk analysis, Role analysis etc.,
  3. Variant creation / reuse for any report analysis
  4. Option of having multiple rule sets & simulating users across multiple rule sets at same time
  5. Risk analysis for CUA, Composite roles
  6. Mitigation by system, risk id, mass mitigation for users, audit trail etc.,
  7. Risk analysis for HR objects
  B. Emergency Access Management (SPM)
  1. Mass reporting for all FF users, Ids, Executions
  2. Centrally maintained for all systems rather than individual ERPs.
  C. User Access Management (CUP)
  1. Customizable Access request forms
  2. HR based role assignment for position, org unit
  3. IDM integration using GRC Web services
  D. Business Role Management (ERM)
  1. Concept of Business role mapping for Technical roles.
  2. Audit Trails & PFCG Change history.
  Finally, the look, reporting format has been changed to provide additional information for analysis.
  More important - GRC V5.3 support is till 2015 & SAP has planned to push the customers to upgrade to 10.0. Eventually SAP is also planning to release GRC 11.0 by mid next year. So we have to wait & watch the show

• "Assign Access Control" returns error for essbase apps in shared services

  Hello,
  I installed and configured Oracle EPM 11.1.2 (Foundation, Essbase, Planning, Reporting&Analysis):
  OS: Windows Server 2008 Sp2 (32bit)
  Default Installation with default ports,
  Installation of all components on the same server,
  no clustering
  EPM System Diagnostic says that everything is OK.
  Now I want to assign filter access for an essbase database in the Shared Services.
  Starting the menu item "Assign Access Control" in Shared Services returns the following error:
  Error 404--Not Found
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  +10.4.5 404 Not Found+
  The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
  +....+
  Can anybody help ???
  best regards,
  Nicole

  Hello,
  here's what I found out so far:
  I get the error if I start the shared services console via the URL "http://servername:port/interop/index.jsp" and then select the "assign access control" for an essbase database.
  If I start the shared services console via the workspace everything works fine.
  Does anybody know what to do so that it also works if I start the shared services console via URL?
  best regards,
  Nicole