Future direction of User Provisioning Tools (GRC CUP or IDM)

Hi Security Colleagues,
We all know that SAP has GRC CUP (Access Enforcer) and NW IDM for provisioning.
We can use either tool for user provisioning.
Based on your experience, what is the best tool? Of course, it changes from one company to another depending on requirements.
I have noticed that a lot of SAP development activity is going on around IDM.
Based on SAP's future direction, what is the best tool?
It's a common problem for most SAP customers, as SAP is giving IDM freely as part of the NW license.
Please share your thoughts.
Thank you.

For future product availability, I always prefer to check the following two places. Can you please also check there?
http://service.sap.com/pam
http://service.sap.com/scl
Check the following Two points under the 2nd Link:
Scenario & Process Component
SAP's Release Strategy
Now, based on your query, I will also stick to the suggestions given in the other two posts. To add a few more points which you may find helpful, I would like to emphasize the discussion below:
• SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.
• The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.
• In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.
Out of all the other points, let's discuss provisioning:
• The term provisioning is often used to denote user provisioning or account provisioning.
• The functionality includes:
  o creation of accounts
  o setting initial passwords
  o setting and modifying access rights
  o disabling (revoking) an account
  o deleting an account
• The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.
• User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset).
(All these details I picked up and pasted here from different sections of a solutioning material I prepared for my company to introduce IDM solutions to my customer... couldn't give them here properly due to space constraints.) You can understand the importance SAP is placing on this product for all aspects of automating security and identity of living and non-living staff as well. By using this you can get more benefits besides provisioning, which is available in separate solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided you the link) to understand and go for a realization assessment.
regards,
Dipanjan
Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

Similar Messages

  • De activating the users upon user Termination in GRC CUP.

    Dear Experts,
    I have a requirement to deactivate users (they should not be deleted physically) in SAP after the users are terminated. We are planning to use HR triggers for the HR terminate event in GRC CUP.
    Q) I understand there is a de-provision functionality in GRC CUP. Will this delete users in SU01 physically? Is there any way to use this functionality to deactivate the users?
    Thanks
    Kumar

    Kumar,
       Delete request type will delete users in CUP. What do you mean by deactivating users? Do you mean to change the validity date of the users? You will have to use change request type if you want to change any other information in the user master record other than delete/locking/unlocking of the user.
    Alpesh

  • Seeking User Feedback on Future Direction for WebLogic Server Tools

    My apologies for cross-posting, but I wanted to make sure that as many of WebLogic Server Tools users as possible see this blog posting and get a chance to express their opinions.
    http://dev2dev.bea.com/blog/kosta/archive/2007/09/seeking_user_feedback_on_futur.html

    Hi Dan,
    I tried to change the hostname from workstation IP (192.168.1.3) to workstation name (home-mittal). Also, I tried to specify localhost as HostName during configuration in Oracle BPM Server for Weblogic, but I am still getting the same issue.
    I have tried pinging what you specified and there was a response.
    WLST Failed!!!
    Please suggest and it is very urgent.
    Thanks,
    Abhishek

  • User Data Source in CUP AC5.3

    Hello,
    What is the functionality of the User data source in Compliant User Provisioning?
    We are using the HR module and I have created the connector using the JCo destination VIRSA_HRModel.
    I have configured the User data source type as SAP HR System as VIRSA_HRModel and Details source type as SAPHR with System name as VIRSA_HRModel.
    Please explain the functionality.
    Regards,
    Kumar Rayudu

    Kumar,
       As you know, CUP is a ticket creation and user provisioning tool with automated workflow. So CUP will need to bring user details or user information for requestor, approver, manager etc. from some kind of source. This is where the data source comes into the picture. Whenever you need to search for a user ID, CUP will look at the search data source, and whenever CUP needs to bring in user information like name, email, phone etc., CUP will use the user details data source.
    DO NOT USE JCO IN CUP, ERM AND SPM. You will need to have exactly same connector names in all four modules of AC 5.3 for all of the integration functionality to work. When you use JCo, it will not allow you to change the default name (virsahr_model in your case).
    ONE MORE THING, NEVER EVER TOUCH JCo OTHER THAN VIRSAXSR3 EVEN FOR RAR (CC). VIRSAHR AND VIRSAR3 ARE NOT RECOMMENDED TO USE.
    I hope this helps.
    Regards,
    Alpesh

  • User deletion Requests in CUP

    Hi Experts,
    I have a question regarding CUP 5.3 SP11; I am wondering if you all have had the same scenarios before. We have about 20 systems connected to the CUP. When an employee leaves the company, a person in HR usually sends a termination request, and they are not usually aware of all the systems where the user exists. When we do a select all for the systems and proceed with the request, it gives you an error message with the systems in which the user does not exist.
    Is there any way to ignore this and process the request to delete the user in the systems in which they exist, so that one does not have to select the systems manually?
    Regards,
    Chinmaya

  • GRC AE User provisioning for Portal giving error

    Hi,
    We are having GRC AC 5.3- SP9.
    While doing user provisioning for Portal, we are getting the following error: DBCacheVerifier.java@58:isExpired(). Detailed error log is attached herewith. The back end system (EP Dev) is installed with GRC RTA. Connectors are testing OK. The CPIC user id in backend system EPDev is ED1GRC and has SUPER ADMIN Authorizations, with SPML read/write actions attached to the Role. EP Dev system is having UME as data source, not LDAP. The issue was existing even before the SP9 upgrade. We have restarted the Server several times lately. Please help me with this.
    Thanks & Regards,
    Jagadish H S
    BASIS Team, BPCL, Mumbai.

    Jagadish,
    This type of error would normally be a data setup issue. Have you imported all of the initial data files (XML ones)?
    Otherwise, if it is just a cache issue, then restarting the server would normally solve the problem. I would also check the Java Netweaver Admin console to ensure that the memory settings are sufficiently configured to match the hardware that is deployed.
    Simon

  • Questions about the future directions of InfoPath and Microsoft Access

    Because I have been confused about the future directions of InfoPath and Access, I wrote a short blog post, which I have pasted below.  My question is, can Microsoft provide some more guidance on Access vs InfoPath?  If Access is indeed
    the future direction, can you please provide some pointers to resources that can help us transition.
    A Short Review of MS Access,  SharePoint ,InfoPath (2013)
    After the November 2012 SharePoint Conference in Las Vegas (#spc12) there were a number of blog posts and people saying that Access 2013 was great and would be replacing InfoPath.
    Marc Anderson and Ruven Gotz have short posts summarizing #SPC12 and touch on the subject of InfoPath and Access.  I also spoke with several individuals shortly after #SPC12 and they were excited about Access 2013.
    Since I rely heavily on InfoPath for much of what I do, I wanted to kick the tires and see what everyone was talking about.  First, a few notes about SharePoint 2013 and Office 2013.
    Microsoft should rename Access:  If you have tried to
    bing the word Access, then you know that the search results are overwhelming,  because the word "access" is used for so many other purposes.
    Use the RTM version of Office 2013! I was performing  my investigations by leveraging the Office 365 Beta and the Office Applications that come with it.  Not much was working!  After I uninstalled the Beta
    version of Office 2013 and Installed the RTM version everything seemed to work. 
    Windows 7 and IE 9.0: The drag & drop that is being touted as
    "manna from heaven" seems to work well with Firefox, Safari, Chrome, and IE 10, but it does
    not work with IE 9!
    Non Microsoft browsers are still second class citizens (except for the drag & drop):  Microsoft has finally done away with the Active X's for datasheet view (that is brilliant!)  One can now see the newly
    minted datasheet view in many browsers.  But I still find that one needs to be in IE to do a number of key manual operations.  For example pasting numerous rows of data from a spreadsheet into the new sheet view works only in IE.
    Access 2013
    Microsoft Access is touted as a non developer tool.  I know a number of people who are on the business side and love Access.  These people will like the renewed energy that Microsoft has applied to Access.   One should note that conceptually
    this functionality existed  in SharePoint 2010.  Here is what I see that is new:
    +The new version works better:Although I haven't tested it fully, it seems that many more features that work on the Desktop version of Access, now work in the published Web Application which is hosted by SharePoint 2013.
    +The new version has fairly robust browser based forms: End users can now fill in data using forms that are rendered in the browser.
    +The published version that resides in SharePoint now uses its own SQL server tables.  So the engine appears to be SQL Server, not a modified version of Access built for a server.  This stands to be quite robust, but I imagine
    that some quirks will surface due to new model.
    The limitations are:
    - Access is pretty much its own application and does not integrate with SharePoint building blocks.  For example, an Access table is not easy to integrate with a SharePoint workflow.  Further, although  Access forms now are visible
    in a browser, they are not nearly as rich as InfoPath forms.  InfoPath forms cannot easily integrate with the Access tables.  In order to integrate SharePoint features and Access, one needs to tie SharePoint list(s) to Access as data sources. 
    This overcomplicates the model and one may very well run into synchronization issues.
    In short, although I believe there will be some people who will be happy with newly minted Access, I do not think that Access will be able to replace InfoPath and Workflow technologies.  I do agree that Microsoft does not seem to have put much energy into
    InfoPath.  If they leave a vacuum in this space, then others may very well take over, for instance Nintex Forms.

    Although I agree with the comments made by Ruven and Marc after the conference please note that those blog posts are their own personal opinions and that they don't work for Microsoft.  A lot of people have asked Microsoft to clarify the future of InfoPath
    and the response up until now has been a deafening silence.  In my opinion speculations about Access replacing InfoPath are premature.
    I should also point out that most of your comments about Access 2013 above are actually about Access Services in SharePoint Server 2013.  Access Services are NOT Access they are a shared service offering in SharePoint that convert and publish Access
    databases and forms.  As you point out once an Access database is published through Access services it is converted to SQL Server and no longer resides in Access.  Of course I don't work for Microsoft either so these are all just my personal opinion. 
    Having said that I doubt you will get the confirmation/response that you are hoping for from any official Microsoft channel.
    Paul Stork SharePoint Server
    MVP Principal Solutions Architect: BlueChip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • GRC CUP: Audit Trail Update is incorrect

    Hi All,
    I have noticed while going through one of the requests in Compliant User Provisioning (CUP) that the information updated in the "Audit Trail" section of the request is incorrect. Meaning, there were certain roles added to a user, and I got the below Audit Trail information:
    Request 603 Submitted by XXXX on 08/03/2011 12:53 
       Role 1-XXX Role Added with validity dates 08/03/2011-12/31/9999
       Role 2-XXX Role Added with validity dates -12/31/9999
       Role 3-XXX Role Added with validity dates 08/03/2011-
       Role 4 -XXX Role Added with validity dates 08/03/2011-
    If you notice the fourth line, the validity till date is not mentioned. When I checked in the backend system for that role, it is duly mentioned there.
    May any one please help me in identifying the problem?
    Regards,
    Faisal

    Hi Raghu,
    Thanks for your reply.
    I have gone through these notes and it seems they belong to GRC AC 10. However, we are running on GRC AC 5.3.
    Also, notes 1597664 and 1581495 say that the validity date is always shown as 31.12.9999. But my problem is that the dates for a role which is added are not mentioned properly.
    I am not sure how this will help me.
    Please suggest.
    Regards,
    Faisal

  • Compliant user provisioning configuration done but can't create new request

    Hi All,
    We have upgraded our system from GRC 5.2 to GRC 5.3.
    Then we have done all the configuration for Risk analysis (CC) and then we have completed the configuration for Compliant user provisioning (Access Enforcer), but now when we are going to create the request it is saying the request cannot be created.
    The request passes through all the steps; it is successful at the Risk analysis step also.
    But at the last step, when we go to submit the request, this error comes.
    I have looked at the logs present in: Monitoring --> System log. I could not find anything.
    Am I looking at the wrong place for logs?
    Is there any issue with the configuration? Because the requests were successfully created when in GRC 5.2.
    Can anybody help me?

    Rajesh-
    Since 5.3 is in the ramp-up phase, you can contact SAP directly and they will resolve your problem very quickly, since they will be releasing it to all clients in October.
    And I am assuming you are working with SAP directly right now, since you have upgraded to 5.3, right?...
    Ankur
    GRC Consultant

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    Will greatly appreciate it if anyone is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR? But this can be tiresome, because then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore, comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR.
    We also have the same issue and are performing a manual review at regular intervals of the user- and role-assigned mitigation controls.
    Best Regards,
    Srihari.K
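
The periodic manual review described in this thread (checking which users still hold a mitigation control in RAR although they no longer have the risk) can be scripted from two exports. This is an added example, not part of the original posts and not SAP code; the CSV column names and the sample rows are constructed assumptions, not a RAR export format.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for this example.
# Export 1: mitigation control assignments per user and risk.
MITIGATIONS_CSV = """user,risk_id,control_id,valid_to
JDOE,P001,MC_PAY_01,2030-12-31
JDOE,F014,MC_FIN_02,2030-12-31
ASMITH,P001,MC_PAY_01,2020-01-31
bkhan ,S003,MC_SLS_07,2030-12-31
"""

# Export 2: current user-level risk analysis results (risks that still exist).
VIOLATIONS_CSV = """user,risk_id
JDOE,P001
ASMITH,P001
CLEE,F014
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def _key(row):
    # Normalise so 'bkhan ' and 'BKHAN' compare equal across exports.
    return (row["user"].strip().upper(), row["risk_id"].strip().upper())


def reconcile(mitigations, violations, today):
    """Compare mitigation assignments with the risks that still exist.

    orphaned    -> control assigned, but the user no longer has the risk
                   (candidates for manual removal)
    expired     -> user still has the risk, but the assignment has lapsed
    unmitigated -> user has the risk and no valid assignment covers it
    """
    open_risks = {_key(v) for v in violations}
    orphaned, expired, covered = [], [], set()

    for m in mitigations:
        key = _key(m)
        control = m["control_id"].strip()
        if key not in open_risks:
            orphaned.append((*key, control))
        elif date.fromisoformat(m["valid_to"].strip()) < today:
            expired.append((*key, control))
        else:
            covered.add(key)

    return {
        "orphaned": sorted(orphaned),
        "expired": sorted(expired),
        "unmitigated": sorted(open_risks - covered),
    }


if __name__ == "__main__":
    result = reconcile(
        load_rows(MITIGATIONS_CSV),
        load_rows(VIOLATIONS_CSV),
        today=date(2024, 1, 1),
    )
    for bucket, rows in result.items():
        print(bucket)
        for row in rows:
            print("  ", ", ".join(row))
```

Only the "orphaned" rows correspond to the cleanup discussed in the thread; the other two buckets fall out of the same comparison and show risks that are currently uncovered.
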

  • SAP User Provisioning

    Hi Guys,
    What are the different options available for SAP User provisioning?
    Thanks
    Harry

    Hi Harry,
    In SAP GRC Access Enforcer 5.2 two types of provisioning are available: Direct and Indirect.
    1-You should only select InDirect if your SAP environment includes the SAP HR module, and you want to use SAP HR to perform provisioning. Otherwise, you should select Direct.
    If you select InDirect, you must then select the type of HR object Virsa Access Enforcer needs to transmit to the HR module. There are three possible object types: Position, Orgtype, and Job.
    2-You can perform provisioning in two ways:
       i) Automatically: for this, you can set the provisioning type to Auto provision at the end of request or Auto provision at the end of each path.
       ii) Manually: for this, you can set the provisioning type to No autoprovision.
    For the provisioning configuration settings, go to Configuration tab > Workflow > Auto provisioning.
    3-You can also configure your user provisioning BY SYSTEM as well.
    For reference you can download configuration guide of Access enforcer 5.2 from SAP Market place
    https://websmp101.sap-ag.de/~form/sapnet?SHORTKEY=01100035870000691285_
    Regards,
    Jagat

  • GRC CUP Error creating request. Approver not found

    Hi,
    We just upgraded from GRC CUP 14 to GRC CUP 15.6 support pack. I already performed the post-upgrade steps, and when I try to create a request I am getting "approver not found". I did not change the workflow. In the stage for role approver we have approver determinator "role".
    system log report
    com.virsa.ae.workflow.NoApproverFoundException: No approvers found for req no : 493, for reqPathId, 662, for path, PROD_APPRV_PATH and approver determinator : Role
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleApproversTransactions(WorkFlowBOHelper.java:1469)
         at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.handleWFForNewPath(WorkFlowRequestCreateHelper.java:278)
         at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.createNewWorkflow(WorkFlowRequestCreateHelper.java:167)
         at com.virsa.ae.workflow.bo.WorkFlowBO.saveNewWorkflow(WorkFlowBO.java:120)
         at com.virsa.ae.accessrequests.bo.RequestBO.saveNewRequest(RequestBO.java:579)
         at com.virsa.ae.accessrequests.actions.CreateRequestAction.createRequest(CreateRequestAction.java:381)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.createRequestHandler(EUCreateRequestAction.java:135)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:68)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Please let me know solution ASAP.This is high priority.
    Thanks
    Yakoob.

    It looked like some old request was stuck in the DB, but I am not sure about it. I tried changing the number ranges in configuration by giving the current request number in "from number", but it didn't work.
    This is strange: sometimes it gives "error creating request: path not found." and once this error is gone, then "error creating request : approver not found".
    To avoid this I created one more stage with a custom approver determinator with application attribute and approver assigned. This stage I assigned before the role approver stage, and then it worked: the request got created and the request got provisioned.
    I don't understand why it's not working if I assign the role approver stage first in a path of the workflow. Role approver (approver determinator: "role", the standard one; "approver" comes from configuration: roles: create role: role approver OR upload from role import).
    Please help
    Thanks
    Yakoob.

  • User Provisioning Issue in Essbase 11.1.2.2

    Hi Experts,
    We have done a migration from version 11.1.1 to 11.1.2.2. Everything went fine, but we got a problem with user provisioning.
    All our users provisioning are managed via Native Groups
    Eg: FIJI_READ,FIJI_WRITE are the Native Groups.
    What we have done is created the Native group provisioned the group with the roles and added the user to the group.
    The problem is the users assigned to these groups “lose” their permissions after sometime. They do still appear to be part of the group when we check in Shared Services, but when we run a MAXL command for a user, say VIBIN:
    DISPLAY USER PRIVILEGE VIBIN;
    It shows the user as having none. The user doesn't see any cubes on logging in either. From what we've seen so far, we can trust the MAXL command output, but not what we see in Shared Services. The user VIBIN still shows as being part of the group FIJI_READ, which is provisioned with the READ role for the FIJI database. This is very inconsistent behavior.
    The only workaround so far is to directly provision users (i.e.  bypass provisioning via Groups):
    GRANT READ ON DATABASE FIJI.CONSOL TO VIBIN;
    This isn't very manageable, but it is the ONLY option that seems to be "sticky". Has anyone gone through this issue before? Any idea/advice?
    Regards,
    Naveen

    I exported the Sec file from Security, and when I look at the content I can't see any groups which were created in Shared Services; I can see only all the applications, databases and some of the Administrators of the applications. But normal users who are added in Shared Services to the group I am not able to see. Is there anything wrong in it?
    Regards,
    Naveen

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • How does GRC CUP handle scheduled termination set up in SAP HR ?

    Dear Experts,
    We are planning to use "HR Triggers" for Hire, Terminate and Transfer events in GRC CUP. Can somebody help me understand how GRC CUP handles the termination requests that are scheduled in the future?
    Thanks
    Kumar

    I configured an HR trigger rule for infotype 0000 & subtype Z1, field MASSN with value equal to 01 to trigger new hire... I don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
    I could see the rule in table /VIRSA/RULEATTR.
    Any help would be appreciated.
    Thanks,
    Srinu
