Configuration of User Access Review process

Hi,
I'm new to the forum.
I'm looking at the User Access Review process in CUP.
I would like to implement the User Access Review request. So, my questions are:
1. Where does GRC take the data for the analysis from? I need to know the exact place where the data is collected (which table, transaction code or statistical data).
In case GRC uses the backend tables, I should be aware of the time that the tables are operational in the system, correct?
2. Otherwise, how does this analysis affect the performance of the backend system?
3. I have read that it is possible to obtain reports with the use of Action Usage. The report that I mean is: RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
Where does it get its information from? Could the data be in the same place that the User Access Review process uses?
4. Is it possible to introduce other actors as Reviewers (in the Configuration tab, User Review > Options > User Review pane)? Currently, the reviewers configured are Manager or Role Owner.
5. To set up User Access Reviews, do I need some additional technical steps, or is it an automatic procedure?
If there are any requirements that I should take into account, please let me know.
Thanks in advance
Marta

Hi,
I have found this document that answers all my questions: www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/b05010a3-ed45-2c10-79b2-96df60a6bf2b
So, now I have another question:
In the GRC Access Control that I have, ERM is not configured and there is no communication with it (only RAR and CUP are configured). So, I would like to know if it's possible to configure User Access Review apart from ERM.
To realize the Role Usage Synchronization job in ERM, the transaction usage information from RAR alert data is needed. The job also obtains role to user assignments and role content information from the back-end systems. Access Control then translates the transaction usage information into role usage.
If this information could be extracted from the backend tables, I am looking for an alternative way to load the data into the system, regardless of ERM. Is it possible?
Thanks in advance
Marta

Similar Messages

  • GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?

    Hi Experts,
    re: GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?
    After reading the guides and forum it is still not clear to me if ERM is absolutely required in order to use CUP "User Access Reviews". The guide mentions that in ERM the Role Usage Synch job has to be run, and then that data is to be loaded into CUP. Is this step absolutely required or can we skip it?

    Gary,
      ERM is a necessity if you want to fully use UAR in CUP. I don't know why SAP did it this way but it is how it is.
    Regards,
    Alpesh

  • User Access Review Workflow - GRC 10

    Hi Team,
    UAR request contains items which are not directly assigned to users/roles,
    Example: child roles of composite roles
    We are on GRC SP13.
    1807552 - UAM: UAR request shows indirect roles and wrong usage count
    1821101 - UAM: User Id missing from provisioning log for UAR requests
    1865864 - UAM: Wrong data in UAR Request & adding Expired Roles filter
    1829331 - UAM: Issues with UAR requests
    I have gone through the above four SAP notes and all are part of SP13.
    I just want to know if anyone has faced the same issue and whether the below note is applicable for our GRC system SP13 or not.
    1970118 - UAM : Expired and locked Users and indirect role assignment are also display in UAR request
    Please suggest
    Regards,
    Madhu.

    Hi Shweta,
    We have already raised an OSS message for the same: 336348 / 2014.
    Regards,
    Madhu.

  • User Access Management(UAM) in SAP

    What are the various options to perform UAM for SAP solutions from an external application? For example can we create Users, groups, assign roles etc within SAP?
    1) Is webservice an option? If so, is it RESTful or SOAP based?
    2) Is an RFC call available?
    3) Can we use any other mechanism such as a BAPI wrapped with our own custom module exposed as an RFC?

    I have looked at your screenshots, and I am not too concerned with the MSMP settings yet, as we are trying to first fix your Generation job.
    I would enable the admin review in your settings just to see if all the necessary data is being generated, i.e. in case there are blank role owners for some roles, as this could be causing an issue.
    As for your criteria selection, ensure no blank fields were left in the selection made.
    I would have a read of the following WIKI and see if any of the points mentioned are applicable. The first mistake made by many is to not perform the sync jobs in the correct order.
    Troubleshooting UAR Request Generation - Governance, Risk and Compliance - SCN Wiki
    From my memory, I know for SOD reviews "offline risk analysis" had to be enabled, but unsure if this is also necessary for UAR.
    Also refer to the following general wiki User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

  • Set Single user with reviewer access to multiple conference room calendars

    I want to add a single user with Reviewer access to multiple conference room calendars. I used the command below but it gives the error below. A single user I am able to add, but adding a single user to multiple conference room calendars is not happening.
    Import-csv C:\smtp1.csv | foreach-object {Add-MailboxFolderPermission -identity $_mail":\Calendar" -User "Mike" -AccessRights "Reviewer"}
    Smtp1.csv
    mail
    [email protected]
    [email protected]
    Error:--
    [PS] C:\>Import-csv "C:\smtp1.csv" | foreach-object {Add-MailboxFolderPermission -identity "$_mail:\Calendar" -User "Mike" -AccessRights "Reviewer"}
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

    I tried that as well but am getting the below:
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    Cannot process argument transformation on parameter 'Identity'. Cannot convert value "" to type "Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter". Error: "Value cannot be null.
    Parameter name: mailboxFolderId"
        + CategoryInfo          : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxFolderPermission
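    A corrected form of the loop from the post above, added here as an example (not the original poster's code). It assumes an Exchange Management Shell session and the same C:\smtp1.csv with a "mail" header column; the grantee name and the rights level are taken from the post.

```powershell
# Added example, not from the original post. Grant one user Reviewer rights on the
# Calendar folder of every room mailbox listed in a CSV whose header row is "mail".
# Assumes an Exchange Management Shell session and the file C:\smtp1.csv from the post.
#
# Why the original loop failed: inside a double-quoted string, $_mail is parsed as a
# variable named "_mail", which is unset, so the identity shrank to ":\Calendar" and
# Exchange reported the mailbox "\Calendar" as missing. A property of $_ must be
# expanded with the subexpression syntax $($_.mail).

$csvPath = 'C:\smtp1.csv'
$grantee = 'Mike'
$rights  = 'Reviewer'   # read-only: can see items and their details, cannot change them

Import-Csv -Path $csvPath | ForEach-Object {
    $mail = $_.mail
    if ([string]::IsNullOrWhiteSpace($mail)) {
        Write-Warning 'Skipping a row with an empty "mail" column.'
        return   # inside ForEach-Object, "return" moves on to the next pipeline object
    }

    # "$mail:\Calendar" would also fail, because "$mail:" is read as a drive/scope
    # qualifier; the subexpression form is unambiguous.
    $identity = "$($mail):\Calendar"

    # Add-MailboxFolderPermission errors if the user already has an entry on the folder,
    # so look for one first and update it with Set-MailboxFolderPermission instead.
    $existing = Get-MailboxFolderPermission -Identity $identity -User $grantee -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $identity -User $grantee -AccessRights $rights
    } else {
        Add-MailboxFolderPermission -Identity $identity -User $grantee -AccessRights $rights
    }
}
```

    Run Get-MailboxFolderPermission -Identity "<room>:\Calendar" afterwards to confirm each calendar carries exactly the intended Reviewer entry and nothing broader.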

  • Anonymous user access to GP Process iView

    Hi GP/Portal Gurus,
    I've created an iView for my GP process. The problem is that only authenticated users can successfully access this GP Process iView. Anonymous users will get an error when accessing the GP Process iView. I've set the Page and iView authentication scheme to anonymous. But still, it doesn't work.
    The error message is:
    "com.sap.tc.webdynpro.clientserver.session.SessionExpiredLongJumpException: Application session has expired: No application session with ID oJji4PrZdG5ox8ITkiHTpAsDdNOJtMyv78EPQ66xiLlA/pcd:portal_content/cafUAT/formBrole/sap.com/cafeugpuiinst/AInstantiation/base exists. Hint: A follow-up request was sent to Web Dynpro, but no corresponding session was found under the existing sessions. Reasons: a) Session has expired; b) Web Dynpro is called with incorrect session parameters; c) Application session has been destroyed due to proceeding exception. Please restart the application..."
    Appreciate any help.
    Rgds,
    Hapizorr

    Hi Hapizorr
    From what you have posted, please try to login again into portal and then proceed with the creation of iView.
    Please let us know the behaviour this time.
    Regards
    Navneet

  • Mail sender adapter POP server not configured for URL access

    Hi Experts,
    I have a Mail --> PI --> R/3 scenario and I am configuring the Mail sender adapter for POP3. The issue is that the POP server is not configured to be accessed via a URL and hence the URL pop://hostname/ is causing the following error at runtime:
    1. When I use pop://Fully qualified host name/
    Error: exception caught during processing mail message; java.net.UnknownHostException
    2. When I use pop://IP address of host/
    Error: exception caught during processing mail message; java.net.SocketException: Connection timed out:could be due to invalid address
    I am able to ping the POP3 server from the PI server using both the FQDN and IP address.
    Can someone please help.
    Thanks,
    Shobhit
    Edited by: Shobhit Swarup Mathur on Jul 14, 2009 9:29 AM

    Hi Shobhit
    Check with these notes:
    804102
    xi 3.0 mail adapter with pop3 user authentication problem
    810238
    XI 3.0 Mail Adapter for POP3 may not report some errors
    also check mailserver security settings ...
    Connection refused occurs when XI cannot connect in most cases, so try checking it again; maybe some ports are not opened on the firewall.
    Thanks
    Edited by: Abhishek Agrahari on Jul 14, 2009 11:44 AM

  • Control user access in SOA Suite 11.1.1.2 Console

    Hi All,
    We recently migrated our application from SOA Suite 11.1.1.1 to 11.1.1.2 . In 1.1 we had an end user account assigned to the Monitor group which could access the middleware console and view composite flows but could not deploy/undeploy or retire/activate processes. However the same user in 1.2 can log in to the console but cannot view a composite flow.
    In the dashboard we get the following error:
    Unable to retrieve composite details.
    Error retrieving Composite CompositeName (1.0) details from soa-infra runtime. This could happen due to the errors in soa-infra initialization. Please view the log files for details.
    EJB Exception: ; nested exception is:
    java.lang.RuntimeException: Caller doesn't have enough permission to call this method.
    My question is... how do we create a user in WebLogic which will allow the user to view process flows but won't have deploy/undeploy or retire/activate privileges?
    Thanks in advance,
    Shaf
    Edited by: soa_adf on Jul 15, 2010 11:44 AM

    So the reason is, you need to add users/groups to the SOAMonitor Application Role for them to be able to view instance data. Below are the instructions.
    Here are the instructions on how to create Monitoring Roles:
    Instruction to add SOA application role SOA Monitor to user "monitoruser":
    1. log in em as weblogic user
    2. right click on SOA/soa-infra(soa_server1) on the left panel and select Security => Application Roles.
    3. click on the "play button" to select "Role Name". A list will appear and you select SOAMonitor. The page "Application Roles > Edit Application Role" appears.
    4. Click Users/Add Users; an "Add User" popup appears. Click on the "play button", select user "monitoruser" from the left column and move it to the right column. Then click on "OK".
    If you have your WebLogic environment set up per EDG Guidelines (where your admin servers and managed servers are on different hosts or same host, different directories) you may not be able to see the list of Application Roles in the above instructions. First you would need to copy your JAZN Policies to the Admin Server or move to LDAP. The SOA Application Roles and policies will likely be stored in your mserver configuration (if you deployed SOA there). A restart is not required afterwards.
    As per the docs EDG deployment requires OID for policy store because there are two copies of policy store file, system-jazn-data.xml:
    $ORACLE_BASE/admin/soaedg_domain/mserver/soaedg_domain/config/fmwconfig/system-jazn-data.xml
    and
    $ORACLE_BASE/admin/soaedg_domain/aserver/soaedg_domain/config/fmwconfig/system-jazn-data.xml
    EDG states in section 11.1.1
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e12036/oam.htm#CACJADGI
    "...The Oracle Fusion Middleware SOA Suite EDG topology uses different domain homes for the Administration Server and the Managed Server, thus Oracle requires the use of an LDAP store as policy and credential store for integrity and consistency..."

  • What's the Point of the AppStore Review Process?

    I was initially pleased when I heard that developers would have to pay a $99 joining fee and submit apps to a stringent review process for the iPhone, because surely that would keep the quality app ratio high and reduce the number of half-baked stinkers being published right? Wrong.
    I reckon well over half of the apps in the AppStore are utter trash or are so buggy or feature-incomplete as to be unusable. Of the remaining half, at least half of those are clones of superior competing products, and most of the rest do no justice at all to the iPhone's polished UI design. I reckon 10% of the apps really deserve their place in the store.
    It makes me wonder what Apple do during the review process. So far, we've seen a $999 application that shows you a picture of a ruby gem, about 10 torch applications that show you the colour white (some not even free), a tasteless application that shows a picture of a knife, apps whose descriptions are written in English so poor as to convey no meaning, and more to-do lists than there are atoms in the known universe, none of which can remind you when you have something to do. That's not to mention otherwise good apps that are too buggy and unstable. If I didn't know otherwise, I'd bet my mortgage that access to upload apps was completely unrestricted based on quality.
    All this would be fine if the review process didn't actually hinder developers' efforts to fix urgent bugs or security issues by delaying updates for up to 4 weeks. I'm getting really tired of seeing app descriptions that say "update pending review adds feature x" and then having to wait weeks to actually get feature x. If the review process is intended to secure a reputation of quality and trustworthiness for the AppStore, I say it is having the reverse effect.

    According to TUAW, "Apple is busy rejecting Applications from the App Store for grammar mistakes in onboard help files (not a joke) and for not presenting the user with the best playability options (also not a joke). Many of these frustrated developers tell us that some of their products have been waiting for review for four weeks": http://www.tuaw.com/2008/07/25/iphone-2-1-sdk-disappointments/3 ...so somebody's wrong here.
    I enjoy my iPhone as much as the next user, but I'm already getting weary of sifting through page after page of stinkers every few days looking for the odd gem. Lots of platforms suffer from this problem - Konfabulator Widgets, Firefox Addons, Microsoft Sidebar to name a few. Call me elitist, but I think all of these platforms would benefit greatly from a higher degree of quality filtering.
    I suppose I'm just frustrated that the small number of apps I consider worthwhile are having their development cycle massively extended by Apple's need to sift through truckloads of crud from second-rate developers with dollar signs in their eyes and no imagination.

  • User Defined Activity Process Flow Help

    Hello,
    I'm trying to create a process flow that will rename a file. I'm using the User Defined Activity, but I've run into a couple of problems. First some background info: Oracle 10G is the DB, and it's run on a Unix system; the Oracle user account does have read/write access to the directories used.
    For the Activity Parameters I've set
    Command > I've tried everything here
    Parameter > Blank
    Script >
    filefullname=ip_xref.dat
    filename=${filefullname%.*}    # base name without extension: ip_xref
    fileext=${filefullname##*.}    # extension only: dat
    DATE=$(date +%Y%m%d)
    # the post showed "$(unknown)" here, which would try to run a command named "unknown";
    # the base name computed above is what the rename needs
    newfilename="${filename}_${DATE}.${fileext}"
    mv "$filefullname" "$newfilename"
    mv "$newfilename" backup/
    In the command section, I've tried every possible thing I can think of, from /usr/bin/ksh, /bin/ksh, ksh and /bin/bash to making a script outside OWB with the same contents and pointing it at that, and still all I get is "/bin/bash: not found" or "/usr/bin/ksh: not found".
    Ideas/suggestions, I'm open to anything.
    As a side note I tried to do it with UTL_FILE, but I was informed by our DBA that it was disabled for security, so that's out.

    What type of execution is configured for user defined activity (this type is defined in file Runtime.properties on server side, available types for UDA - SCHEDULER or NATIVE_JAVA)?
    For the SCHEDULER type, ask your DBA about the Unix user used for executing external jobs (usually the nobody user is used, with very limited rights; maybe this user doesn't have rights to execute any program/scripts).
    Regards,
    Oleg

  • Looking for Suggestions on granting all users access to an application *except a subset of users*

    This might not be the right forum for this question, but since it is related to an App-V application I figured I would try since this may have come up for some of you.  I am looking for the best way to grant all Domain Users access to an application
    except for Domain Admins.  Using the Full App-V infrastructure, I want to grant access to the App-V UI via User Targeting, but I don't want to allow Domain Admins access.  The reason for this is because when we make updates to provisioned
    server cores (stateless), we login with our Admin accounts to make modifications to the cores, and I would like to reduce the steps that need to be taken at the end to ensure that all AppV applications are removed before sealing up the core. 
    Currently, Domain Admins do not have access to any App-V applications, so this process is fairly clean.  All applications are User Targeted. 
    Packages are cached on a persistent D drive on each server, so the issue is that the registry, programdata, and packageinstallationroot become out of sync if packages are pulled down during core modifications after the core is attached to other servers (hence
    other D drives).  Because of this, Machine Targeting is not an option for this either.

    This would be so much easier with a "Configuration Manager" like feature where you could create a collection query to accomplish the same thing.  Are there other tools out there that will do the same thing?

  • Multiple simultaneously logged in users accessing AFP home directories?

    Hi,
    Many of our problems are described in this guy's blog:
    http://alblue.blogspot.com/2006/08/rantmac-migrating-from-afp-to-nfs.html
    The basic capability we want is to have multiple simultaneously logged in users to have access to their AFP mounted home directory, which is configured in a sane, out-of-the box setup using WGM and Server Admin.
    Multiple user access could take the form of FUS (fast user switching), or simply allowing a user to SSH into a machine that another user is already logged into and expect to be able to manipulate the contents of her home directory.
    From my extensive searches, I have no reason to believe this is currently possible with 10.4 Server and AFP.
    (here's the official word from apple: http://docs.info.apple.com/article.html?artnum=25581)
    I've read that using NFS home directories will work, though.
    I want to believe that Apple has a solution for this by now (it's been almost a year since we first had difficulty), or at least a sanctioned workaround. If Apple doesn't have one, maybe someone else has come up with something clever. I find it hard to believe that more people haven't wanted this capability! (not being able to easily search the discussion boards doesn't help, though...)
    Thanks for your help!
    Adam

    Parallels Issue. Track at http://forum.parallels.com/showthread.php?p=135585

  • Service Desk User access

    Hi Experts,
    I want my service desk users to log in on Solman so they can update message status and their remarks.
    So what authorization objects are needed on their profile? Please suggest.
    Can we block user access in such a way that they are not able to add changes on other users' issue messages?
    Because if I give access to crm_dno_monitor to any user, he may access and process all issue tickets.
    Thanks
    Andrew

    Andrew,
    Actually we provide variants for crm_dno_monitor,
    so they have the option of seeing only tickets belonging to themselves.
    For example, create a variant of crm_dno_monitor by choosing "mine", then save it and create a Z tcode in SE93 for the same.
    Assign this tcode in the user menu to the respective role of the user.
    So when this user logs in and clicks on the link he sees only "mine" tickets, i.e. tickets belonging to him; he doesn't have access to crm_dno_monitor itself.
    Please assign points.

  • How to set up reverse proxy to allow user access portal site from internet

    Hi all,
    I have installed 10g (10.1.2.0.2) AS on the same machine (single IP for both mid and infra, with different users respectively). There is a DMZ on which Windows IIS is working, through which we need to redirect the request to the application server so that users can access the portal page from the internet (within the intranet all URLs are working fine). I have gone through the technet documentation, where I found 3 ways, through this link:
    http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
    Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
    Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
    Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
    I am confused to which option to use. Also i went through the metalink document 270160.1
    Please help me which option to choose to do this.
    Thanks.

    Hi Hozy,
    Maybe it's too late, but I am thinking of going the same route for our SAP portal access for external customers. Could you please share your experience, like what challenges you faced, what the complexity is, and what resources we need to configure this?
    I appreciate your feedback.
    Thanks
    Krish

  • How-do-i-configure-guest-wifi-access-using-2504-wlc-fortigate-utm-l3-device

    Dear All
    I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking ip from windows server based DHCP of Range 192.1681.0/24 ) and working, but I need to add a Guest/Public WLAN which should take the IP from Other DHCP Configured on Fortigate UTM of range 172.16.0.0/24.
    We have one SG300 switch in the office and the rest are basic switches.
    Our firewall/router is a Fortigate UTM 240D
    Find the attached network diagram for the issue.
    Is there a SIMPLE way to enable guest access that doesn't require VLANs (or are VLANs easier than I'm making them)?
    Thanks.

    Complete these steps in order to configure the devices for this network setup:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
    Create WLANs for the Guest and Internal Users
    Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port
