ERM role generation

Similar Messages

• GRC-AC 5.3sp14, ERM, Role Generation

  We updated our GRC-AC 5.3 from sp12 to sp14 and now we cannot generate roles anymore. When we try to do it, we get the following error: "Failure : Field AGR_1252 not a member of TABLES".
  Does any one know how can we solve it?
  The backends were also updated with sp14 and the post installation procedures (import xml, run sync jobs) were done. Role generation was working well before sp14.
  Thanks,
  Marcelo

  Hi Marcelo,
  I managed to solve the problem.
  Check SNOTE 1352498  and ensure that you have the right levels of SP. For GRC AC 5.3 SP14 you need VIRSANH SP15 and VIRSAHR SP13.
  After the upgrade check in the Daemon Manager that the jobs and webservices are running.
  You will now be able to generate the roles in ERM.
  Regards,
  Pedro.

• ERM Role generation gives error

  Hi,
  All the fields are checked and the configuration is meeting the document guidelines for ERM. I am getting error while trying to generate the role from ERM and the message is " Cannot generate role Z:TB_TS_TEST1234567890987_S001  provide valid & 1& 2 in table & 3".
  Please let me know if somebody has faced this problem and has been fixed.
  Thanks,
  Abhimanu

  Hi,
  Do you uploaded the static text and Authorization Objects in GRC from backend system?
  If not then download them from your ECC system using  program /VIRSA/ZCC_DOWNLOAD_DESC and /VIRSA/ZCC_DOWNLOAD_SAPOBJ by executing se38 tcode and upload it in RAR.
  Then try to generate the role.
  Thanks,
  Sudip.

• ERM5.3 - Role generation in SAP QA & SAP Prod

  Good day Chaps.
  My client requested wants to generate a role 1st in a QA system, test
  the role and then generate the same role in production.
  The challenge is that on ERM > Config Tab > System Landscape >
  Landscape Name > Associate Actions. There is only one default Role
  Generation connector.
  What is best practise to allow a Role to be generated in a QA system
  and the a Production system?
  Thank you.
  Michael Hannie

  Good day Alpesh.
  Thanks for the good and quick reply. I will inform my project manager of our options. Below is the reply from SAP AG for the same issue that I logged, for anybody that might come across the same issue -
  [https://service.sap.com/sap/support/message/E/012002523100001743122009]
  17.02.2009 - 08:42:55 CAT - Reply by SAP      ,
  Thanks for messaging us. At a time, you can generate the Role only in
  one System. Please a create a Landscape and assign the related
  Systems as Connectors to the Landscape.
  In the Associated Actions, you can assign as many Connecors(Systems)
  as you want in Risk Analysis & Role Generation.
  Please assign the QA System & Production in one Landscape and make the
  QA system as default for Role Generation and start creating the Role
  and generate it, and test it.
  Then change the default System of Role Generation to Production System,
  and generate the Role.
  Hope this will solve your issue and kindly confirm the Message, Once
  you are able to solve the issue.
  Thanks,
  Babu

• Illegal Tcodes error while role generation in BRM GRC 10.0

  Hi Experts,
  I am working on SP11 GRC 10.0.
  In BRM, after following all necessry steps for role creation, when I enter last stage "Role Generation" and try to generate it, I am getting error "Illegal Tcodes (system name)" as shown in below screenshot.
  I am adding SAP standard t-codes only (e.g. SU53) which are existing in the backend system but still it throws error.
  Your suggestion is highly appreciated.

  Hi Swati,
  Thanks for your reply.
  I had already applied note: 1066687 but it didn't resolve my issue.
  Note: 1441463 is valid till release 720 and I am on release 731 and SP11.
  Thanks
  Jayesh

• Error in stage of Role generation in Role Expert

  Hi,
  While generating the role in backend from RE, its throwing an error " Exception condition : " NOT_Authorised" raised. please suggest me any solution.
  Thanks

  Hello Hima,
  The user ID should be the same in frontend as well as in backend with enough authorizations for role generation in the backend too. For getting this authorization correct, you can first try to create and Generate a role in the backend itself, if you are not sure what authorizations this user should have to generate a role.
  Also, I would like to suggest you to maintain the same password for this user in both the frontend as well as backend.
  Regards,
  Hersh.

• Synchronisation problem of  ERM roles with SAP BACKEND

  Hi ,
  In GRC could anyone please let me know what is OPEN bug regarding Sync ERM roles from backend and is it still a issue .
  Anyone experiencing this, I am using GRC ac v5. 3 and sp13 ,
  Thank You

  Hi  Folkvar,
  There might be specific issues but as general there are very few. I recommend you to reply with the exact details on the current setup, i.e., the role setup in your landscape (parent roles, derived roles etc) and other information such as your current setup etc., Incase if you have started sync'ing the roles, post the exact error message so that some expert can guide you towards a resolution.
  Best Regards,
  Raghu

• AC ERM : role creation and how to delete ungenerated roles

  Hi,
  When you work on a role from ERM, the role is created in the back end. It will be generated only at the generation phase. But what if finaly it is decided not to generate the role, is there a way to delete the role in the BE from ERM?
  It seems the only way is to go in PFCG and delete the role manualy?
  Regards

  Hello Vincent,
  There are different tables in which the roles for RE (in frontend RE, frontend tables) and where the roles in R/3 are stored. That is, it might be that even if you are generating all the roles from RE, at a particular time the list of roles in RE is greater than number of roles in R/3 Backend. This is because:
  RE roles = Generated roles (which exist at backend as well)+Ungenerated roles (which are in RE only till that particular time).
  Here ungenerated roles would mean the roles which you have not yet generated in RE.
  Thus, __deleting roles from R/3 and RE are two separate things__.
  1. To achieve the deletion the role from Backend (R/3) you should create a request in RE to remove this role from all the users currently attached to it as there is no way possible to delete the role from R/3 by creating a request from RE. Doing this would still have the role in R/3 but with no user assigned.
  2. To delete the role from RE tables, so that you do not see it again, you can Search for the role, select it and then click on the "Delete" TAB. This will delete the role from the RE tables.
  Now, for the clenliness of your R/3 system, in case you do not want to see these roles in R/3 too, you can schedule a BG job to delete this or do a mass delete of all these roles say every fortnight or at whatever frequency as desired by your management.
  Regards,
  Hersh.

• Best Practice of using ERM (Role Expert) in Landscape

  Hello,
  Can anyone tell me what is the best practice (choice) of using ERM in the SAP landscape?
  1. Creating a role in DEV system using ERM and using SAP standard transport process to transport role to QAS and PRD systems.
  OR
  2. Creating a role in all systems in ladscape (DEV, QAS and PRD).
  Please share if you have any best practice implementation scenarios.
  Appreciate for the help.
  Thanks
  Harry.

  Harry,
     The best practice is to follow Option 1. You should never directly create a role in Prod system. This is what SAP recommends as well.
  Alpesh

• ERM Role con't be deleted Automatically after rejecting the request in CUP

  Hi Experts,
  I am involving the GRC implimentation project and ERM component is succefully configured with post-installation activites and also configure the workflow(1-stage) in CUP for role approval.
  After initiating request, the request was sent to appropriate approver for approval process and approved/ Rejected by the approver.For first case(Request approved) everything is looks fine.
  but whenever the request is rejected (second case) by the approver, the role is still present in ERM and ABAP backend as well as.
  please suggest me, if the role is deleted in ABAP/ERM system after rejecting the request by Role Approver in CUP. or still present the role in systems.
  Regards,
  Arjuna.

  Hi Jes,
  We so have a feature called Password Self Service which is used by users to reset their password using CUP. Also if the password is locked by multiple failed attempt, CUP even activate this user.
  However in your case administrator will be locking the user or deactivating the password, so CUP will not allow users to unlock their users as it has been locked by administrator.
  So CUP can only unlock those users which were locked due to failed attempts etc.
  Regards,
  Shweta

• ERM: "Role not saved" ?

  Hi All, I've recently imported roles to ERM (SP11) and I've generated the role on the backend successfully. However, if I try to then change the role I'm unable to save the changes for the imported role. Instead a red error message is issued: "X Role not saved."
  This problem appears to only occur on imported roles, but not on new roles created in ERM. Has anyone experienced this problem?  Thanks.
  -Dylan

  Hello Satyabrat,
  Thank for posting the OSS Note. I followed the instructions but still have a problem relating to those specific roles. In the meantime, I've tested the same procedure against another set of uploaded roles from another system, and these roles seem to work well. I'll delete all my roles and reload them once again (we are not yet productive, but nearly there).
  I've also noticed that SP12 is a major SP with many changes, we'll also implement SP12 and the latest RTAs before I re-download and import the roles.
  Best Regards,
  Dylan

• ERM Role Export with multiple languages

  Hi All,
  I have an issues where role download program /VIRSA/RE_DNLDROLES exports the roles with all text languages included (if the role was maintained in multiple languages).
  Then when I mass import the roles into ERM (AC 5.3 SP10), the upload program gives an "unknown error." After several hours of testing I figured out that that eliminating all but one of the multiple role language texts in main role file will allow the roles to be uploaded sucessfully.
  It seems that the function module /VIRSA/RE_BAPI_DOWNLOAD_ROLES should be changed to include a language parameter.
  Anybody ever have this problem?
  Thanks, Dylan

  Hi All,
  I found a workaround for this issue, I'm posting it for posterity then will close this post within a couple of days. I would appreciate to know if anyone has run into this issue too, it can't just be me?!
  First, the download of the main role text file from /VIRSA/RE_DNLDROLES stores the file as ANSI text type. At least that is how my Windows PC opens it. IF the role was maintained in mulitple languages with special language characters like ü, ô, ê, é, è, à, ò, ä, ö, then GRC AC 5.3 SP10 ERM gives me an "unknown error" when trying to do the mass import. To fix this issue, simply save the file as text type "UTF-8" or anything but ANSI. The ANSI seems to work fine for plain english.
  Second, roles with multiple language versions get all the languages squished together in the long description. I had one role with a Japanese, English, German, French and Italian long description BUT each maintained in it's own language. During the upload, all were imported into ERM and grouped together in one ugly text.
  I fixed this (although not ideally) by modifying Function Module /VIRSA/RE_BAPI_DOWNLOAD_ROLES used during the download:
  The code change is as follows:
      SELECT * FROM AGR_TEXTS APPENDING TABLE i_agR_TEXTS WHERE AGR_NAME
                                                          "#EC CI_GENBUFF
  *{   REPLACE        SIDKxxx
        in r_agr_name.
         in r_agr_name
         and spras eq 'E'.   "download only English
  *}   REPLACE
  Then, the 1000+ roles uploaded successfully without issues.
  I realized after that OSS Note 1260773 covers explains this similarly.
  -Dylan

• Derived Role generation in BRM

  Hi,
  In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
  Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
  In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
  Can some one please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
  Version - GRC 10.0 SP10
  Thanks,
  Sammukh

  Hello Andrzej
  Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
  Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
  1. Derived role is complete and in not generated state.
  2. Mass generated from GRC - still not generated.
  3. Manually generated in backend system - roles are now generated.
  4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
  Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
  Thanks
  Sammukh

• ERM role methodology configuration

  Hi
  For some reason the stages in the role methodology process in the configuration tab are not in the same order as those showen in the create role screen in the role management tab.
  Does anyone have an idea how it can be fixed?
  Thank you for your help

  Hi...
  First Role definition -> Defining Authorization ->Deriving roles -> Performing risk analysis -> approval -> Generating role*
  we can use the arrow buttons to move the step up or down.
  For creating the methodology
  Login to ERM -> Configuration -> Methodology -> Process -> Create
  Regards
  Gangadhar

• ERM Role Methodology Process - Steps

  Hello Gurus,
  I am on SP17 and have uploaded relevant init files. Have also performed background job sync.
  When I create a role in Role Definition stage and save it, the role does not pass or promote to next step i.e. Role Authorization Stage. GRC saves the role properly.
  I have not defined any condition groups or custom fields. It is just plain role definition.
  Request your help on this.
  Thanks,
  SA

  Hi,
  Please, can you give more details for your configuration?
  I´m thinking that you don´t have ERM Workflow in CUP for workflow approval criteria. Do you have workflow configuration for ERM in CUP?
  Good luck!