Emergency access procedure - non GRC

Hi guys,
Just wondering if you have a written Emergency Access Procedure (FireFighter), which is not based on GRC.
My client has unfortunately no GRC installed at all.
Also wondering if Solman can be utilized, as they currently use it for change management.
Thanks a lot
Cheers
Greg

Greg,
I have experience with two different non-GRC Firefighter procedures, both role-based.
In one solution, the user submitted a Firefighter request for either the HR or the non-HR Firefighter role to be assigned; the form was a custom Outlook form. A custom ABAP program monitored the assignment of these roles, logged the tcode usage of the IDs with the role assigned, and sent an audit report to the user's manager which included tcode usage and whether the tcodes used were in the user's regular roles or in the FF role; the manager had to return the report to SAP Security as confirmation that it had been reviewed.
In the other solution, the requester logged into the IdM solution to request firecall authority. The requester had to be pre-approved to request elevated SAP access. IdM provisioned the extra access to the user's account and notified both the user's manager and SAP Security. IdM deprovisioned the extra access at the time specified in the request. SAP Security was responsible for auditing the use and documenting the tcodes used in a report sent to the user's manager, and all of this was documented in an IT incident ticket.
The second solution required a lot more manual effort from the SAP Security team, but it was not invoked often. The first solution, while much more automated, presented its own challenges, as the buffer for the tcode usage statistics frequently overflowed and a designated resource would have to work to resolve it.
So from my experience, I would say that there is a good reason why customers choose to implement a GRC firefighter solution.
Cheers,
Gretchen
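As an added illustration of the audit report in the first procedure Gretchen describes (example code written for this page, not from the thread or from any SAP product): a Python script that takes a constructed tcode usage log plus the contents of the user's regular roles and the FF role, and classifies every tcode executed during the assignment window as coming from a regular role, from the FF role, or from neither, the last being the case a reviewing manager most needs to see. Role names, tcodes, the user, the assignment window and the log records are all constructed for illustration; a real implementation would read them from the system (e.g. STAD for usage, and the role menus/authorizations for role contents).

```python
"""Firefighter usage audit report.

Added example for this page; not code from the thread or from SAP. Role
contents, the assignment window, the user and the usage records below are
constructed to illustrate the report Gretchen's custom ABAP program produced.
"""
from collections import Counter
from datetime import datetime

# Constructed: tcodes authorised by the user's regular role(s).
REGULAR_ROLE_TCODES = {"Z_FI_DISPLAY": {"FB03", "FBL3N", "S_ALR_87012357"}}
# Constructed: tcodes authorised by the firefighter role.
FIREFIGHTER_ROLE_TCODES = {"Z_FF_FINANCE": {"FB01", "FB02", "F110", "SE16"}}
# Constructed: when the FF role was assigned and removed.
FF_WINDOW = (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 12, 0))
# Constructed usage log, modelled on (timestamp, user, tcode) STAD-style records.
USAGE_LOG = [
    ("2024-03-04 09:12:00", "GREG", "FB03"),
    ("2024-03-04 09:30:00", "GREG", "FB02"),
    ("2024-03-04 09:31:00", "GREG", "FB02"),
    ("2024-03-04 10:05:00", "GREG", "SE16"),
    ("2024-03-04 10:40:00", "GREG", "SU01"),   # in neither role: must be explained
    ("2024-03-04 12:45:00", "GREG", "F110"),   # after the role was removed
    ("2024-03-04 09:15:00", "ALICE", "FB01"),  # another user, not in this report
]


def classify(tcode, regular, firefighter):
    """Which role family authorised this tcode: regular, firefighter or neither."""
    if tcode in regular:
        return "regular"
    if tcode in firefighter:
        return "firefighter"
    return "unexplained"


def build_report(usage, user, regular_roles, ff_roles, window):
    """Build the manager-review report for one user's firefighter window."""
    regular = set().union(*regular_roles.values())
    firefighter = set().union(*ff_roles.values())
    start, end = window
    in_window = Counter()      # (tcode, source) -> executions inside the window
    outside_window = []        # FF-role tcodes seen after the window closed
    for ts, usr, tcode in usage:
        if usr != user:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not (start <= when <= end):
            outside_window.append((ts, tcode))
            continue
        in_window[(tcode, classify(tcode, regular, firefighter))] += 1
    rows = [{"tcode": t, "source": src, "count": n}
            for (t, src), n in sorted(in_window.items())]
    unexplained = sorted(t for (t, src) in in_window if src == "unexplained")
    return {
        "user": user,
        "window": window,
        "rows": rows,
        "unexplained": unexplained,
        "outside_window": outside_window,
        # the manager must chase anything unexplained or executed outside the window
        "needs_attention": bool(outside_window) or bool(unexplained),
    }


def render(report):
    """Plain-text version of the report, as it would be mailed to the manager."""
    lines = [f"Firefighter usage report for {report['user']}"]
    for row in report["rows"]:
        lines.append(f"  {row['tcode']:<16} {row['source']:<12} x{row['count']}")
    for ts, tcode in report["outside_window"]:
        lines.append(f"  OUTSIDE WINDOW: {tcode} at {ts}")
    lines.append("  ACTION REQUIRED" if report["needs_attention"] else "  OK: nothing unexplained")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(USAGE_LOG, "GREG", REGULAR_ROLE_TCODES,
                              FIREFIGHTER_ROLE_TCODES, FF_WINDOW)))
```

The "unexplained" bucket is the one that matters for review: a tcode that is in neither the regular roles nor the FF role means the user has authorizations the model does not know about, and a tcode from the FF role executed after the window means the deprovisioning did not happen when it should have.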

Similar Messages

  • GRC AC 10: Emergency Access Management, Logon button is disabled (GRAC_SPM)

    Hello Gurus,
    I have configured Emergency Access Management in GRC AC 10.
    GRC Box (SID) : GR1 client 100
    Backend ERP system : D24 client 100
    The FIREFIGHTER in GRC system : FFUSER1
    Z_SAP_GRAC_SUPERUSER_MGMTUSER
    Z_SAP_GRC_FN_BASE
    Z_SAP_GRC_NWBC
    In the Backend ERP system the FIREFIGHTER ID: ABC wants to access the FIREFIGHTER(FFUSER1)
    Hence in NWBC (Setup > Superuser Assignment > Firefighter ID) the assignment is done.
    ABC (FIREFIGHTER ID) <---> FFUSER1 (FIREFIGHTER)
    Now the user logs in to the GRC system using FFUSER1, which has the following roles assigned:
    Z_SAP_GRAC_SUPERUSER_MGMTUSER
    Z_SAP_GRC_FN_BASE
    Z_SAP_GRC_NWBC
    Z_SAP_GRAC_SPM_FFID
    and runs Transaction: GRAC_SPM
    and he is able to see that ABC is assigned.
    Now the user clicks on "Logon" and the status changes from green to "RED".
    A new SAP screen opens asking for credentials for the backend ERP system D24 client 100.
    The user enters his own ID, ABC, and password and logs in.
    Runs the necessary transactions and logs out using transaction /nex.
    The session in GRC is still running and now the "LOGON button" is disabled; he comes out of that screen too.
    When the user tries to log in again using FFUSER1 to do more tasks, the "LOGON button" is seen disabled,
    and clicking the "unlock" button also doesn't help.
    When checked in SM04, no live session is reflected.
    How can we "enable" the LOGON button in transaction GRAC_SPM for the same FIREFIGHTER (FFUSER1) assigned for Firefighter ID (ABC)?
    As it is now, it is not possible to click the "LOGON" button and the status is "RED".
    Please let me know your opinion .
    Thank You.
    Regards,
    Premjit

    Thanks to All

  • GRC 10.0 - Centralized Emergency Access

    Hi experts,
    Have a question lets see if someone else have faced this same concern.
    We are facing an implementation of the new GRC - AC 10.0 and when configuring the component Emergency Access (former SPM) we realized that in order to assign an end user to a FF ID, the end user account must be created in the GRC AC server.
    This concept changes from the last AC 5.3 version, where end users only needed to be created in the SAP ERP and have the role /VIRSA/Z_VFAT_FIREFIGHTER assigned in order to access transaction code /n/VIRSA/VFAT.
    So if what I am saying is correct, that means that we have to create one user in GRC for each user that we have in the SAP ERP, is that correct? And, if that is correct, that means that we need to buy as many licenses for GRC 10.0 as the ones that we have for the SAP ERP?
    Thanks very much for your support
    Best regards,

    Hi,
    only users who shall be able to use FFIDs (EAM) need a user on the GRC box! I guess these are not all users in your SAP ERP system?!
    Regards

  • User details are missing in Access request in GRC 10.0

    Hello All,
    When we are trying to create an Access request in GRC 10.0 for a user, it results in "user details not found".
    Under SPRO - Maintain data source configuration we have configured 2 HR systems, HR1 and HR2.
    But the user details exist in the HR1 system and are within the validity period too. We have tried to run the Repository Object Sync also, but are still unable to search the details.
    We also observed that even after the sync job the user details are not created in tables GRACUSER and GRACUSERCONN. Could this be the problem? Why is it not updating even after running the sync job many times, almost 10 times?
    We have also configured parameter 5023 to YES. Please advise.
    Thanks in advance.

    Is the sequence for HR1 set to 1 or 2? I hope you are following the suggestions given by Luciana in the other thread.
    Please post your data source config screenshots otherwise.
    BR,
    Mangesh

  • Reason Codes not displaying when performing emergency access management(SPM

    Hello guru,
    I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
    My problem is that the reason codes created in the AC system via the reason code link in the work center do not appear as a drop-down for me when I click on the Logon button in the initial screen displayed in transaction GRAC_SPM.
    Suffice to say that I do not have any reason code to pick from in the drop-down for superuser privilege management in the AC system when I log on with the firefighter user to perform SPM.
    Please help me out with your suggestions.
    Thanks

  • Access to non spatial tables in oracle mapviewer/ oracle maps V2

    Hello,
    We want to have access to non-spatial Oracle tables (for value list creation etc.) existing in the Oracle MapViewer spatial datasource (ex. datasource: MVDEMO / non-spatial table: Employees).
    We have already created the datasource MVDEMO and we want to avoid the creation of an external datasource to the same Oracle user.
    Thxs,
    Bill

    Thanks. Your answer was very helpful. It pointed me in the right direction. I wanted to be able to generate a table, below the map, which listed all the points (and their associated data) shown on the map. The simplified code I used is shown below. The function is called using an event listener (map.addListener(OM.event.MapEvent.LAYER_ADDED, createTable)) which fires after the point layer is added to the map.
    function createTable(evt) {
        var tableRecords = pointLayer.getAllFeatures();
        var tableRecordsAttr = pointLayer.getAttributeNames();
        var divElem = document.createElement('div');
        var tableElem = document.createElement('table');
        var tbodyElem = document.createElement('tbody');
        var rowElem = document.createElement('tr');
        var colElem;
        // create the table headings, one <th> per attribute name
        for (var i = 0; i < tableRecordsAttr.length; i++) {
            colElem = document.createElement('th');
            colElem.appendChild(document.createTextNode(tableRecordsAttr[i]));
            rowElem.appendChild(colElem);
        }
        tbodyElem.appendChild(rowElem);
        // populate each row of the table with data from one feature
        for (var i = 0; i < tableRecords.length; i++) {
            rowElem = document.createElement('tr');
            var attrs = tableRecords[i].getAttributes();
            for (var j = 0; j < tableRecordsAttr.length; j++) {
                colElem = document.createElement('td');
                // createTextNode inserts the value as text, not markup, so data
                // coming from the table cannot inject HTML into the page
                colElem.appendChild(document.createTextNode(attrs[tableRecordsAttr[j]]));
                rowElem.appendChild(colElem);
            }
            tbodyElem.appendChild(rowElem);
        }
        tableElem.appendChild(tbodyElem);
        divElem.appendChild(tableElem);
        document.getElementsByTagName('body')[0].appendChild(divElem);
    }

  • How do you access iCloud (non-Pages) stored documents on iCloud

    How does one access iCloud (non-Pages) stored documents on iCloud? Only iWork shows up.

    iCloud does not provide general file storage: only iWork documents (at the moment) will upload to iCloud for access by other devices/computers. There aren't any other documents stored up there.

  • HELP Cant login on my MAC after changed in OSX Server all access for NONE

    Hi
    After changing, for the users, roots and another one, the access to NONE in one of the options in OSX Server to configure access, I just lost the capability to open programs with a click of the mouse, and the Mac turned off.
    I can't log in now into my Mac; the display shows the Apple logo on startup and the login window doesn't come up, blocking me from logging in.
    Any help is welcome
    Thanks 

    Hi
    I just held down the Command key and the S key and turned the Mac on.
    Lots of information came up, but in the middle of the screen I can read some of the lines; they say
    Darwin Kernel Version....
    Security policy loaded
    AppleIntelCPUPowerManagementClient: ready
    FireWire (OHCI) TI ID 823f built-in is now active
    Got boot device = IOService:/AppleACPIPlatformExpert......
    "launchd[1] has started up in single-user mode"
    "Verbose boot will log to /dev/console"
    "Shutdown logging is enabled"
    Root device is mounted read-only
    It has many more lines and ends with
    If you want to make modifications to files:
    /sbin/fsck -fy     (this command line shows that the system is OK)
    /sbin/mount -uw /
    If you want to boot the system:
    exit
    But after exit it goes to the same situation, with the Apple logo in the middle of the screen, and the login window doesn't come up.
    Thanks anyway for your answer.
    Any further information on how I can log in to my Mac is welcome.

  • GRC 10: Centralized Emergency Access  - SPM Questions

    Can the Firefighter log on using the NetWeaver Business Client to launch the Firefighter ID?
    Is it mandatory to use the GRC system to launch the Firefighter ID using the GRAC_SPM transaction code, or can the user log on to the local system as well?
    What about Portal-based system firefighting functionality? Can we have Firefighter IDs on a NetWeaver Java system?
    Will I be able to grant a Firefighter ID to a Firefighter User on an hourly basis?
    For the initial setup, how can the initial data load of Firefighter IDs, Owners, Controllers and Firefighter Users be done? Are there options like load from Excel or CSV available as part of the setup toolset?
    Edited by: sarath govindarajual on Mar 16, 2011 4:53 PM

    Can the Firefighter log on using the NetWeaver Business Client to launch the Firefighter ID?
    - No, GRAC_SPM is the way to go.
    Is it mandatory to use the GRC system to launch the Firefighter ID using the GRAC_SPM transaction code, or can the user log on to the local system as well?
    - Yes. However, it would be nice to have the option of a workaround in case GRC is down.
    What about Portal-based system firefighting functionality? Can we have Firefighter IDs on a NetWeaver Java system?
    - As far as I know, only for transactional SAP systems.
    Will I be able to grant a Firefighter ID to a Firefighter User on an hourly basis?
    - Same as answered already - no.
    For the initial setup, how can the initial data load of Firefighter IDs, Owners, Controllers and Firefighter Users be done? Are there options like load from Excel or CSV available as part of the setup toolset?
    - Same as answered already - no.

  • GRC AC Emergency Access Management (EAM) and STAD report data

    Dear Community,
    we use EAM (ID-based firefighting) and the log synchronization jobs are scheduled every half hour in order to get the firefighter logs from the back ends for review by the controller. Due to a technical issue the synchronization jobs were not working correctly over several days. We experienced missing session details (executed transactions, programs, changes, etc.) for many firefighter sessions. As one of the sources of the firefighter log is STAD on the back end, and these data are only buffered for 48 hours by default, I expect that I can't recover the logs and they are irreversibly lost if GRC is down or the sync jobs are not running for more than that time. That can happen over a weekend....
    I ask you:
    can you confirm my expectation?
    does it make sense to extend the STAD buffer up to e.g. 96 hours for all GRC production back ends?
    do you have controls in place to check that the sync jobs are running and the logs are synchronized correctly and completely?
    I would appreciate, if you can share some thoughts with me about this.
    Thanks in advance,
    Andreas Langer

    Hi Andreas,
    - Please check the below note, for missed log entries
    1934127 - GRC10 EAM: EAM recovery program to retrieve missing log and to generate the missing workflows
    - The maximum value is 99, and it is the number of stat files that are generated. So, you can get records for up to 4 days.
    - A periodic monitoring activity can be set up, which is done manually. I am not aware whether Process Control can take care of this monitoring.
    regards

  • Error while trying to submit Access request to GRC from IDM

    Hello
    We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
    We are trying to submit a request to GRC using the standard GRC provisioning framework task (AC Validation), but the pass "Submit AC Request" fails with error: "Pass stopped by script".
    Is there anything wrong with the script which puts the RoleData details, since it's getting aborted?
    I tried providing the Role name directly in the Role data attribute inside the action task and got the following error:
    Error
    putNextEntry failed
    storing cn=IDMUSR0023,ou=useraccessrequest,o=grc
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code
    82 - (GRC User Access Request:82:Script execution failed)]; remaining name
    'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
    I checked VDS Logs and there was one error :
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
    From where exactly will the ITEM NAME field value be fetched and passed to GRC for request creation?
    Regards
    Deepak Gupta

    Thanks Christopher
    I got my issue fixed. There was an issue with my GRC initial load job, which couldn't enrich the repository privileges, and hence the issue was coming since the script wasn't able to find the GRC ROLE ID and Application ID attributes from the privileges.
    Regards
    Deepak Gupta

  • How do I allow access to non admin network users to disk volume?

    I would like to allow access to a specific volume (disk) on one of our networked Macs (Mac1) to all users. I've set up user accounts on Mac1 for all network users. These users are "regular" users, not admin. They can access this disk (and all others on Mac1) if I log in as Admin and set the users to Admin. If I do this, then users have access to ALL data on all disks. If I do not, leaving them as "regular" users, when they log in they only see public folders. How can I allow access to the one disk volume without making network users admin? I tried changing various settings for the volume in Finder Info (everyone else = read/write; ignore permissions) with no luck.
    Thanks
    iMac, ibooks, G5, Tibook   Mac OS X (10.4.4)  

    Your observations are correct - by default, an "admin" user connecting over AFP can choose from available "volumes" (default) or "shares", whereas a non-admin user can only mount "shares".
    By default, the only "shares" on an OS X client machine are the users' "Public" folders, and unlike pre-OS X Macs, it isn't easy to configure your own share points. Apple's official statement is that users wanting this functionality should buy OS X Server.
    However, it is possible to create an arbitrary share point using 3rd party software called "SharePoints" (donationware). I have never used it, but it seems to be well regarded. Alternatively, you can do it manually following the instructions in this hint & comments (especially apw8's):
    http://www.macosxhints.com/article.php?story=20011108161839416
    Once the external drive (or folder on the external drive) is configured as a share point, it should be possible for non-admin users to select and mount it once they connect over AFP.

  • Access to non-apple system prefs

    We are in a corporate environment. When setting up new Macs we turn off access to the System Preferences using the Accounts Control Panel. We want to prevent users from changing Network settings, Sharing options, etc. that we setup up for our company.
    The problem with this is when we install software for third-party products such as mice or graphics tablets. Many of these items install Control Panels that are accessed only through the System Preferences, but a non-admin user cannot go in and change the individual settings for these devices without having full admin rights to the System Preferences.
    Are there any workarounds for being able to control which Control Panels users have access to when using System Preferences?
    Thanks for any help!

    If your users are non-admins, they shouldn't be able
    to change the Sharing or Network prefs unless they
    enter an admin password. When setting up the new
    accounts, go into those prefs and ensure the little
    padlock icon is locked.
    Apparently this has improved over earlier versions of OS X when I wasn't looking. When we initially loaded OS X I remember turning on the access to System Prefs and locking the various control panels for the non-admin users, but I recall that some of them didn't stay locked. That's why we started turning off access to them completely. After that initial install of our desktop Macs I never tried this again. We've updated the OS a couple of times, but never went in and tried this again because everything was working fine. But when I went to set up some new laptops with wireless mice that had their own control panels this became an issue, and that's why I was looking for the workaround. It would be nice if Apple gave you a way in System Preferences to turn on/off access to the individual CPs without having to muck with the system like this. But this will work for now.

  • How to access the "Non Adapter" properties in Teststand API

    Hi,
    I'm trying to dynamically create a sequence file through LabVIEW with the help of the API. So far I have been able to create the file, add a sequence call into the file as well as link the sequence call to a particular sequence file that will be called. Now, I wish to add certain "non-adapter" steps into the sequence file like Goto, Label, Property Loader etc. I can't seem to find a way to access the properties once the step has been added. In the LV adapter, I was able to access the TSAdp.SequenceCall API and manipulate the properties. How do I do the same for the non-adapter ones?
    Also, when I load the sequence file through the TSAdp.SequenceCall API, I'm unable to access the parameters and link the inputs and outputs. I've attached a portion of my code and would really appreciate some help.
    Thanks in advance,
    -Anshul
    Attachments:
    Dynamic Sequence File.vi ‏127 KB

    Thanks for everyone's replies. I am now able to set the parameters for the sequence file, just that I added a property node for the sequence file path and the sequence before loading the parameters. That did the trick and the rest was easy. Also for Goto, with some digging, I was able to add a custom property step if it fails or passes the step. It works like a charm. I'm attaching a modified version of my code in LV 7.0 format.
    Attachments:
    Dynamic Sequence File-1.vi ‏175 KB

  • Access Enforcer & non-SAP apps

    We were told that you can use AE 5.2 for non-SAP applications. There are ways to set up roles for any type of system and across systems. I do not see any of this information in the user guides that are provided and I have not been able to figure it out by playing around with the tools.
    I saw some posts with regard to Role Expert so I will begin looking into this tool to see if it helps.
    Is it possible to set this up to perform approvals/role evaluations for some legacy applications?
    Does anyone know of some web training or anything available for this?
    Any links/pointers is appreciated.
    Also, does the LDAP configuration actually work in AE? We were able to set up NetWeaver to map to an LDAP instance and then log into AE if we kept the authentication pointing at SAP UME, but when we set up LDAP using the same settings, set up the LDAP mappings and user defaults, I cannot authenticate.
    Regards,
    -J

    Hi John,
        in response to the original question - you can use AE with non-SAP applications - basically anything that a Connector can be built to. This is specifically only for data retrieval (eg from LDAPs / Oracle/ Role Expert) - not for user account creation/ maintenance in the target systems (eg JDE / Bespoke systems etc). This doesn't stop you from defining workflows for non-SAP systems - just that you'll need a manual step at the end to execute the change.
    Re the LDAP - connectors work fine for data retrieval (eg User details / User <> Mgr relationship) - which is totally separate from User Authentication for AE. If you are using CC & RE as well then you'll have to make a decision about whether to go with UME as primary point or LDAP (the UME User Persistence store is prob the easiest option long term - as UME roles would still need to be assigned for any user intending to use GRC..)
    cheers
    Paul
