CUP Auto Provisioning Error 260: User Comparison

Similar Messages

• CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

  Hi All,
  I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
  Here is an example of the audit trail log from Change Account:
  Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
  Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
  Auto provisioned for request on 06/28/2010 17:14 
     User Provisioning failed for System(s) : DEV. Error Message :
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
  Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
     Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
  Note: the role names were replaced with "xxxxxxx."
  The system log gives an error, but it is very vague:
  2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
  com.virsa.ae.service.ServiceException
       at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
  Any ideas or suggestions?
  Current software level AC5.3 SP12.
  -Dylan

  Hello Varun,
  Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
  Results
  New Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  New Account without User Defaults configured:
  User provisioned successfully, no Auto-Provision error.
  Change Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  Change Account without User Defaults configured:
  User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
  In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
  For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
  What about on your side? Am I the only guy using SP12 here?

• GRC CUP 5.3 Auto provisioning Error

  Hello All,
  This issue is occurring in development system of GRC and works as expected in Quality systems.
  Development system of CUP Jco's connected to the development ABAP stack and
  Quality Systems of Cup Jco's connected to the QA ABAP stack .
  All the parameters and the configuration are the same in Dev and QA.
  Now the problem we have is at the last approval stage in the workflow after the approver approves the request (Create/Change) It is erroring out in Auto Provisioning stage with the below message :
  Error provisioning your request. Request no: 75. Error occurred in the system(s) : n/a, error details :
  DEVL1120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
  DEVL2120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
  If the same approvers goes back into the request and re-approves the Autoprovisioning is completed and the request is closed. For every last approver the first time he tries to approve the message he gets the above errors in development and does not receive the same error in QA.
  The password parameters in the ABAP stack and the Portal Security config are same in DEV and QA. I am not sure if I am missing any information. Any suggestion/Help is appreciated.
  Angara

  Raghu Thanks for your response. Yes I checked all the login parameters in both QA & DEV and compared to those that were user defined Vs Default they were the same with no difference. yet the problem occured in Development system.
  I finally figured out the issue and the surprising part was the error that was issued during auto provisioning is very misleading.
  Our Security team had prototyped CUA and connected to the same development client CUP was connected and forgot to remove the child system from the CUA after their demo was complete.
  By utilizing Debug log mechanisim, it showed the error as BAPI that is used by CUP to create the user was failing due to CUA locking the client with no ability to create the users in child system directly , The error displayed had no connection to the password lenght.
  Thank you all my issue has been resolved and back in business.
  Best Regards,
  Angara Rao

• GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

  Hello,
  Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
  I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
  User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
     Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
  1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
  2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
  And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
  Thanks in advance,
  Alley
  Edited by: Alley1 on Sep 20, 2011 1:15 AM

  Hi Karell,
     Here is response to your questions:
  I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
  Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
  Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
  Regards,
  Alpesh

• CUP auto provision to position

  Hello Experts
  I hope you can help me on this issue. We have just implemented CUP (SP14) and have set up auto provisioning, indiirect to a position.
  Despite this CUP is provisioning all requests directly to the User ID. There are no error messages to indicate that provisioning to the position has failed or even if it has been attempted. All back end funtionality is standard and working when tested manually. The CUP logs are not showing anything that I can decipher. It is as if the auto provision configuration indirect to the position is being ignored.
  Any ideas what could cause this behaviour?
  Thanks
  Barry

  Hi Jwalant
  Thanks very much for the reply,
  I am using SAPHR as the data source and for authentication. However we only want the user id to authenticate.
  Auto provisioning is set to indirect with position for Global and by System and I have tried Provisioning at end of request and at end of each path. This should work without using the personnel number in the authentication shouldn't it?
  The users Hr information is being pulled into the request without problem. It seems that CUP is making no effort to provision to the position, it just does it to the user every time.
  Any ideas?
  Thanks
  Barry

• Access Enforcer 5.2 - auto-provisioning error

  Hi all,
  i have come across strange quirk in AE 5.2 that is causing my client some issues.  During UAT, a scenario was tested for a new user request with two roles with different role managers.  The results i obtained were as follows:
  1.  Role manager 1 rejects 1st role then role manager 2 approves 2nd role (in that order).  Expected result is that the user is created and the 2nd role is provisioned in the system.  Actual result was that user was created and 2nd role was provisioned in system.  PASS
  2.  Role manager 1 approves 1st role and then role manager 2 rejects 2nd role (in that order).  Expected result is that the user is created and the 1st role is provisioned in the system.  Actual result was that the request was closed and no auto provisioning was done.  FAIL
  For some reason, AE is only picking up the last approval/rejection when deciding whether to auto-provision or not.  So when the last role manager rejects their role that was requested, AE closes the entire request and does not provision other roles in the request even though they were already approved.  If the last role manager approves their role that was requested, AE will provision access according to the roles that were previously approved/rejected.
  This does not occur for multiple roles that have the same role manager, as they are able to reject some roles and approve others without any problems with the provisioning.  Config is set up so that the role manager stage approvals are at the role level, and approval type is "all approvers".  We have also configured auto-provisioning type as "Auto provision at end of request" and provision effective immediately as "Yes".
  Any ideas what is going on?
  Thanks,
  Alexi

  Hi all,
  i've tried to resolve this issue by changing the configuration, however this has not resolved it.  I've attached the audit log of two requests for the same roles, only difference is the order of the role approvals.  In request 226, the first role manager approved their role and the second role manager rejected their role and AE did not auto-provision the approved role (the whole request appears to be rejected). 
  Request 226 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:44 
     YBC:ROLE_921-QAS Role Added
     YBC:ROLE_922-QAS Role Added
     ZU:COMMON-QAS Default Role Added By system
     Request submitted for approval by Alexi Tsafos(K01232) on 07/30/2008 15:44 
    Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage LINE_MANAGER on 07/30/2008 15:44 
     ZU:COMMON-QAS Role Approved
     YBC:ROLE_921-QAS Role Approved
     YBC:ROLE_922-QAS Role Approved
     Request submitted for role level approval by Carmen Richardson(K01231) on 07/30/2008 15:45 
    Approved By Carmen Richardson(K01231) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:45 
     YBC:ROLE_922-QAS Role Approved
     Request submitted for role level rejection by Alexi Tsafos(K01232) on 07/30/2008 15:45 
    Rejected By Alexi Tsafos(K01232) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:45 
     YBC:ROLE_921-QAS Role Rejected
     Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:45 
     Auto provisioned for request on 07/30/2008 15:45 
  In request 227, the first role manager rejected their role and the second role manager approved their role and AE auto-provisioned the approved role. 
  Request 227 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:50 
     YBC:ROLE_921-QAS Role Added
     YBC:ROLE_922-QAS Role Added
     ZU:COMMON-QAS Default Role Added By system
     Request submitted for approval by Alexi Tsafos(K01232) on 07/30/2008 15:50 
    Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage LINE_MANAGER on 07/30/2008 15:50 
     ZU:COMMON-QAS Role Approved
     YBC:ROLE_921-QAS Role Approved
     YBC:ROLE_922-QAS Role Approved
     Request submitted for role level rejection by Carmen Richardson(K01231) on 07/30/2008 15:50 
    Rejected By Carmen Richardson(K01231) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:50 
     YBC:ROLE_922-QAS Role Rejected
     Request submitted for role level approval by Alexi Tsafos(K01232) on 07/30/2008 15:50 
    Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:50 
     YBC:ROLE_921-QAS Role Approved
    Auto provisioned for request on 07/30/2008 15:50 
     New User: AETEST20 created on 07/30/2008 15:50 in System(s): QAS.
     Role: ZU:COMMON assigned to user: AETEST20 in System(s): QAS.
     Role: YBC:ROLE_921 assigned to user: AETEST20 in System(s): QAS.
     Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:50 
  As described in an earlier post, the stage config is set for "role" level approval by "any approver".  I've also tried "role" level approval by "All approvers" and have the same problem. 
  Any ideas?
  Thanks,
  Alexi

• SP12: CUP: Error for requesttype "change" at auto-provisioning

  Hello,
  We have an error while auto-provisioning a change-request in CUP.
  The request stages can be approved correctly but after the last stage, the request is rerouted to administrator because of escape-route settings. (auto provisioning failures)
  So the audit trail reports an error at auto-provisioning, BUT in the backend-system the user was changed correctly.
  If we now want to approve the request on admin-stage, the error appears again. So we have a closed loop reaction.
  Any ideas?
  Does anybody have the same issue?
  Our client have the same problem with SP12 on the prod.system but in the dev.system (also SP12) we can create the request well.
  Thanks,
  Alexa

  2010-10-15 13:45:54,456 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@1794:getProvisioningStatusDTO() : OUT of the method
  2010-10-15 13:45:54,458 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@1827:getProvisioningStatusDTO() : OUT of the method
  2010-10-15 13:45:54,458 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.ProvisioningBO : autoProvision() :   : listMessagesForSysType,list size=1
  2010-10-15 13:45:54,459 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.ProvisioningBO : autoProvision() :   : listMessagesForSysType #0# element:com.virsa.ae.configuration.po.ApplicationLogPO@31cf3f2[userId=GRC_20,emailId=<null>,reqNo=716,system=LS_DI6_300,recDate=10/15/2010,changedBy=AKOLB,logAction=USER CREATE,newValue=GRC_20,description=<null>,error=true,singleMessage=false]
  2010-10-15 13:45:54,461 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@248:autoProvision() :  Preparing Provision to SAP ... DONE
  2010-10-15 13:45:54,463 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@277:autoProvision() : OUT of the method
  2010-10-15 13:45:54,465 [SAPEngine_Application_Thread[impl:3]_32] WARN   RequestBO.java@5924:autoProvisioningForApprove() : Exception occured during auto provisioning , error messages : [com.virsa.ae.configuration.po.ApplicationLogPO@31cf3f2[userId=GRC_20,emailId=<null>,reqNo=716,system=LS_DI6_300,recDate=10/15/2010,changedBy=AKOLB,logAction=USER CREATE,newValue=GRC_20,description=<null>,error=true,singleMessage=false]]
  2010-10-15 13:45:54,469 [SAPEngine_Application_Thread[impl:3]_32] ERROR  RequestBO.java@6665:approveRequest() : AutoProvisioning Exception, checking if the escape route is enabled
  2010-10-15 13:45:54,478 [SAPEngine_Application_Thread[impl:3]_32] ERROR  RequestBO.java@6681:approveRequest() : AutoProvisioning Exception, escape route is enabled, going for the escape route
  2010-10-15 13:45:54,490 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.RequestBO : rerouteRequest() : AKOLB : INTO the method with toPathName : , poRequestDetails : com.virsa.ae.accessrequests.po.RequestDetailsPO@70e31b05[requestForOthers=false,userLookupEnabled=false,userIDFieldEnabled=false,userFirstNameFieldEnabled=false,userLastNameFieldEnabled=false,approverLookupEnabled=false,locationFieldEnabled=false,departmentFieldEnabled=false,emailFieldEnabled=false,telephoneFieldEnabled=false,companyFieldEnabled=false,employeeTypeFieldEnabled=false,managerTelephoneFieldEnabled=false,managerEmailFieldEnabled=false,managerNameFieldEnabled=false,requestorTelephoneFieldEnabled=false,requestorEmailFieldEnabled=false,requestorNameFieldEnabled=false,addRole=false,approveReject=,approveRejects=approveRejects,accessChanged=false,fileAttached=false,reqDataApplProvDTOs={com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@46b5291a[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=2,isProvisioned=true,isNew=false,LMD=<null>],com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@1f9d8e3a[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=3,isProvisioned=true,isNew=false,LMD=<null>],com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@20e4920d[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=4,isProvisioned=true,isNew=false,LMD=<null>]},accntValidationmsgs=[],connectionFailedSystems=,userExistSystems=,userNotExistSystems=,comm_method_type=,cstmFldName=,usersPOList=[com.virsa.ae.accessrequests.po.RequestUserPO

• EBusiness Suite User "Auto-provisioning" and  "Self-Request" Problem

  I have two types of OIM User, Staff and Contingent
  Staff (Role = Full-Time)
  Contingent (Role = Contractor / Role = Consultant)
  Resource Object: eBusiness Suite User
  Here's my RO configuration:
  Auto Pre-populate: true
  Allow Multiple: true
  Self Request Allowed: true
  Allow All: true
  Auto-Launch: true
  EBS Connector, by default has two forms:
  UD_EBS_UO: Object Form
  UD_EBS_USER: Process Form
  I have requirement which will auto-provision eBusiness Suite User resource to Staff users.
  Originally, UD_EBS_OU is the table name used by the RO. For auto-provisioning to work, I have implemented it this way:
  First, I have defined a User Group for Staff and assign an Access Policy to it (for users with Role == Full-Time).
  Then, I have detached Object Form UD_EBS_UO from the RO. This way, when Staff user is created in OIM, it is automatically provisioned with eBusiness Suite User, though it won't have a Resource Form, only a Process Form. Process Form fields are automatically pre-populated with values (via my Pre-populate adapters).
  Now my problem is during Self-Request. Contingent user doesn't get auto-provisioned with EBS RO, but he can self-request for it. Problem is, since I detached the Object Form from the RO, user is not seeing any form during request. And I have a requirement that approver of the request should also be able to view/modify the details of the request form. But that is not possible now that Object Form does not exist for this RO.
  Is it possible that Self-Request and Auto-Provisioning works both ways under the same Resource Object? How do I configure that? Appreciate your quick response and help. :)
  Edited by: user10202544 on Feb 10, 2010 3:27 AM

  Yes I have set permissions to all users for the Object Form.
  It is required for me to have both Self Request and Auto-provisioning work for eBusiness Suite RO.
  During approval, however, the approver needs to see the Object Form (where he can view/modify its values before approving it). That's impossible for me since I detached the Object Form from the Resource Object. I need do to this for auto-provisioning to work.
  It seems that it doesn't work both ways. Any other suggestions?

• AC 5.3 SP10 CUP Delaying Auto Provisioning Email

  All -
  Is it possible to delay the auto provisioning email? If yes, how?
  We have a scenario where security needs to perform certain tasks post user account set-up before the user logs on to the system (we don't want to auto provision & lock the user) and want to delay the automatic email sent to the user. Is this possible?
  Thanks,
  Daniel

  Daniel,
     Here is the email content:
  Your request #_!AUTO_PROVISION_REQNO#_! provisioning has been done. Your  account has been created.    Your ID is #_!AUTO_PROVISION_ID#_!  Your password in each system (Password/System):#_!AUTO_PROVISION_PASSWORD#_!
  It is part of cleanandinsert xml file, which comes with the installation. You can search for this and change the email content.
  Alpesh

• Limitations of Auto-Provisioning through CUP (AE)

  Hi all,
  I am looking for some information on what are all the benefits and limitations of using auto-provisioning over manual provisioning for the backend systems through CUP (AE).
  We are implementing GRC AC 5.3 and it is organization's business decision whether we need the proviosing piece to be automated or not. However, I would like to get your suggestions based on your project experiences esp in a decentralized security administration where security admins are in different geographical locations and have to provision only for their user groups.
  Can we perform all the activities thro' auto-provision similar to a security administrator manually creating a user, assign appropriate user groups etc.,  or is there any limitation?
  Which approach would be better for decentralized administration?
  Appreciate your suggestions..
  Thanks
  Siri

  Hi Alpesh & Williams,
  The user default settings such as date, timezone, decimal etc can be configured through the 'user defaults' and 'user default mapping' . I see the option of assigning user  groups and appropriate parameters too.
  Say the user belong to user group AAA_XXX  and another user belongs to AAA_YYY, where
  AAA - location
  XXX - Dept
  I have configured these (location, dept) as required fields while entering the request in CUP .
  However, during run time how will the correct user group be assigned to the user. Is it through the user default mapping? Where do we maintain all the user group information that is available in the ECC system? Do we have to create user default, user default mapping for each user group??
  The documentation from SAP is not very clear .. Appreciate if you can provide some lights on this area.
  Thanks
  Siri

• CUP - How to handel requests with no auto provisioning

  Dear Friends,
  We are not using Auto-Provisioning in our CUP component.
  We don't know how to handle a situation when although the request was approved at all stages, the provisioning it self (which is executed manually) does not happen (for example, the security manger forgot to do the changes).
  How can we detect those differences ?
  And if we did detect them, is there a possibility to add some comments to a request that was fully approved.
  thanks
  Yudit

  Hi Yudit,
  Not exactly. It is some manual work.
  CUP>>Informer>>Provisioning
  Run these two reports (select specific period):
  Role Assigned / Removed
  User Processed
  Run t-code RSSCD100_PFCG_USER (You find this repot in SUIM).
  Use the same period as above.
  Export the report to Excel. If many entries, create a function to compare the results orilter the result by Action and compare to CUP reports.
  Good luck,
  Vit

• Is it possible to limit what fields can CUP update during Auto-provisioning

  I have configured CUP to do Auto-provisioning after all the stages have been approved. However, our client requirement is to not to update some fields in user master  e.g: User Valid Start date and End Dates. Is it possible to restrict CUP to update only the required fields  and not all fields during auto provisioning process?
  Can you please let me know if this possible in CUP?
  Thanks
  Anand

  Alpesh,
  Currently my User details source is pointing to SAPHR . I have made the valid start date and end date hidden in the request form. However, CUP pulls the info anyway and updates SU01 record during the auto provisioning. I guess hiding the fields may not work.
  Please let me know if you have find any solution from your sources.
  Thanks
  Anand

• Exchange Provisioning - Error (User Has been deleted from AD)

  Hello Experts,
  User has been provisioned to AD successfully and I verified it manually by logging into AD server. But when I provision Exchange to User "Create Mailbox" task failed with the following error message "User Has been Deleted from AD".
  I am wondering what causing this issue? Can u assist me?
  Thanks & Regards
  INIYA

  Exchange provisioning task "Get Object GUID" returns "Value not set" . Is this the reason for the above error?
  Seems like AD provisioning process is creating user in AD but not setting Object GUID. Any idea how to resolve this?

• Auto-provisioning new users with GRC 10.1

  There is some lack of clarity at my client on auto-provisioning new users into SAP systems with GRC 10.  Here's what they want and I'm telling them they need SAP IdM.
  The client will regularly have upwards of 500 new users on an on-going basis.  These users are approved and created in Active Directory.  The client believes that GRC 10 can now pick up these new users from Active Directory and then go ahead and provision them into ECC and CRM automatically, as soon as they're created, with no further approval required.
  To the best of my knowledge, the easiest way to do this would be for IdM to do this, and have IdM trigger GRC for certain users, and to provision users who fall into this group of 500 users.
  These users are different from regular users, who need to go through the approval workflows.  Regular users will have managers and roles that need approval.  These 500 or so users are approved to be created in the system and don't need to get caught up in the approval workflow.
  Am I wrong in saying that IdM 7.2 is the best way to do this, or am I missing something about what GRC 10 can do?
  Thanks for your help.  I really appreciate it.

  Hi Santosh,
  In AC 10.1, I created one brf plus initiator rule.Although I saved it in GRAC_ACCESS_REQUEST package.Transport button is not available(Not greyed).
  Dis you faced this issue..How to get this change in transport??
  PS:Application are activated.
  Thanks,
  Mamoon

• CUP - Initiator for roles not requiring approval (i.e. auto provisioned)

  We recently upgraded to GRC 5.3, SP10 and started noticing that using CUP, for roles that should be automatically provisioned (i.e. no approval required), it is taking between 3 minutes 45 seconds to 5 minutes for the request to be successfully submitted and automatically approved with provisioning.   I was wondering if anyone is experiencing simlar system performance
  Our set-up for auto provisioned role requests is as follows:
  1.  Created initiator INI_NO_APPROVE using role for attribute
  2.  Created stage STG_NO_STAGE  with Approver Determinator = No Stage
  3.  Created path definition PATH_NO_APPROVE with number of stages =2 and initiator = INI_NO_APPROVE
  Thanks!

  F.Y.I.
  As per SAP's recommendation - we applied note:1423983 in all target provisioningn systems and this resolved the issue.