GRC 10.0: Access Request Creation - LDAP user advanced search not working

Dear Experts,
We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in the “User” field and press Enter, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
Scenario 1: If we put the user name in the “User” field and press Enter, the user details are updated:
Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
We are using the Active Directory as Data Source.
Thanks and Regards.

Hi Jose,
Try maintaining the parameter 2050 as YES and check once.
Kindly also refer to the SAP notes listed below:
1757906 - GRC 10.0 - LDAP user search does not work in NWBC
1745370 - LDAP search in GRC does not work anonymously
1718242 - UAM: User search not working in Access Request.
Regards,
Neeraj Agarwal

Similar Messages

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    This is during creation of any kind of Access Request in GRC through NWBC > Access Management Tab > Access Request > Access Request Creation.
    In the user details section, I can see that the HR records (like Pernr, position, manager) are visible to some extent.
    My question is: where did these details come from in GRC? What configuration should we maintain to get these HR records?
    Hope to get a quick response as this is one of the requirements of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I navigate to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with an ECC system in target connector and User data type is maintained as "SU01".
    Now my question is: where, in my case, is GRC pulling the HR records (PA20) like PERNR, POSITION, PERSONNEL AREA etc. from? SU01 does not provide this information. My ECC box is integrated with the HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • Can not access the mac my user account does not work

    hello
    I tried to access the Mac after I shut it down because it froze. I don't know what to enter as the name and password to open the Mac. Please help me.
    Best Regards

    You can only purchase Apple media (from iTunes and App Store) from the country's store in which you are physically located and you must have a payment method associated with that country.
    If the app is not available in your country's store you have to go to a country that has the app to download it.

  • All user mailbox search not working correctly

    I have just started a job at a new company as their exchange admin. One of the tasks they want me to do is delete a few spam emails that went out to many users. I planned on using the search-mailbox cmd to find them and then delete the email messages. However I cannot seem to get this to work right for me.
    The commands I've tried are 
    Get-Mailbox -server server01 | Search-Mailbox -SearchQuery 'Subject:"Alert:Somebody has run a back*"' -TargetMailbox "mymailbox" -TargetFolder "test" -LogOnly -LogLevel Full
    Get-Mailbox -database database1 | Search-Mailbox -SearchQuery 'Subject:"Alert:Somebody has run a back*"' -TargetMailbox "mymailbox" -TargetFolder "test" -LogOnly -LogLevel Full
    Get-Mailbox -resultsize unlimited | Search-Mailbox -SearchQuery 'Subject:"Alert:Somebody has run a back*"' -TargetMailbox "mymailbox" -TargetFolder "test" -LogOnly -LogLevel Full
    These all run normally, however the results message in outlook that I get is "The search has Failed." Says errors: None. Searched 173 mailboxes.
    If I change the command to this: 
    Get-Mailbox -identity user1 | Search-Mailbox -SearchQuery 'Subject:"Alert:Somebody has run a back*"' -TargetMailbox "mymailbox" -TargetFolder "test" -LogOnly -LogLevel Full
    The search comes back and I get the email I'm looking for. So it works as expected with only one user selected.
    Does anyone have any ideas on what could cause the multi-mailbox search to not function as expected?

    Is the account you are using a member of the domain admins group?
    I think there is a Full Access = Deny permission that might come into play.
    By default, domain admins cannot access mailboxes (even though, of course, they could change permissions to make that possible).
    EDIT - I do see it worked on one mailbox - I'm not sure how the permissions may have been configured.
    This is the cmdlet I used to see permissions. Domain Admins *do* have full ADPermissions
    Get-Mailbox user1 | Get-MailboxPermission

  • Access request creation - select roles screen - field boxes were not aligned

    I'm not sure if this is really the screen of SAP GRC 10.1 access request creation. The field boxes were not aligned. Is there a note to fix this issue? Thank you.
    Regards,
    Jenilyn

    Hi Mohamed,
    Even I used Google Chrome, it's the same. Still facing the same issue. Is there any other way to solve this issue?
    Thank you.
    Regards,
    Jenilyn

  • GRC 10.0 Access request Management Audit

    Hello All,
    Can anyone let me know what auditors check when they audit GRC 10.0 Access Request Management (excluding configuration)?
    Thanks
    Mohammed Wasim

    Hi,
    ARM supports key ITGC controls for user access management, so probably audit would also cover:
    - review of updated processes & controls
    - check (based on sample) if all requests were properly approved
    - review of correctness of approvers assignment
    - verification if what was requested was provisioned
    - timely removal of terminated access
    - review of SoD controls embedded in process
    - periodic review of user access
    and maybe some more controls. In most cases it will be sample-based testing, so auditors may ask for a sample of requests to trace them to back-end systems and an opposite sample of changes in users' privileges to verify if proper requests were prepared for those changes...
    Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
    Best regards, Andrzej
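
The two-way sample tracing described in this answer (requests traced to the back end, and back-end changes traced back to requests), as an added example that is not part of the original thread. The record layouts, user IDs, role names and leaver list are constructed for illustration and are not GRC or back-end table definitions.

```python
"""Two-way reconciliation of access requests against back-end role changes."""
from collections import namedtuple

# Hypothetical record layouts; these are not GRC or SU01 table definitions.
Request = namedtuple("Request", "req_id user role status approver")
Change = namedtuple("Change", "user role action")

# Constructed sample: what the request workflow recorded.
REQUESTS = [
    Request("101", "U1001", "Z_AP_CLERK", "APPROVED", "MGR01"),
    Request("102", "U1002", "Z_GL_POST", "APPROVED", "MGR02"),
    Request("103", "U1003", "Z_VENDOR_MAINT", "REJECTED", "MGR01"),
    Request("104", "U1004", "Z_AP_CLERK", "APPROVED", "U1004"),
]

# Constructed sample: role changes seen in the back-end system, in time order.
CHANGES = [
    Change("U1001", "Z_AP_CLERK", "ASSIGN"),
    Change("U1003", "Z_VENDOR_MAINT", "ASSIGN"),
    Change("U1004", "Z_AP_CLERK", "ASSIGN"),
    Change("U1005", "Z_BASIS_ADMIN", "ASSIGN"),
    Change("U1006", "Z_GL_POST", "ASSIGN"),
    Change("U1006", "Z_GL_POST", "REMOVE"),
]

TERMINATED = {"U1001", "U1006"}  # constructed list of leavers


def current_assignments(changes):
    """Replay the change log to get the (user, role) pairs held right now."""
    held = set()
    for c in changes:
        if c.action == "ASSIGN":
            held.add((c.user, c.role))
        elif c.action == "REMOVE":
            held.discard((c.user, c.role))
    return held


def reconcile(requests, changes, terminated):
    """Return audit findings keyed by control; empty lists mean no exception."""
    approved = {(r.user, r.role): r for r in requests if r.status == "APPROVED"}
    held = current_assignments(changes)
    return {
        # Request -> back end: approved but never provisioned.
        "approved_not_provisioned": sorted(
            r.req_id for key, r in approved.items() if key not in held),
        # Back end -> request: access with no approved request behind it
        # (covers both "no request at all" and "request was rejected").
        "held_without_approval": sorted(k for k in held if k not in approved),
        # Approver correctness: the requester approved their own access.
        "self_approved": sorted(
            r.req_id for r in approved.values() if r.approver == r.user),
        # Timely removal: terminated users who still hold a role.
        "terminated_still_assigned": sorted(
            k for k in held if k[0] in terminated),
    }


if __name__ == "__main__":
    for finding, items in reconcile(REQUESTS, CHANGES, TERMINATED).items():
        print(f"{finding}: {items}")
```
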

  • 1. TACACS+ Accounting and Logged in Users report is not working on ACS 4.1(1

    Hi,
    I am facing a problem with ACS 4.1 accounting: the TACACS+ Accounting and Logged in Users reports are not working. The CSV file is being generated but nothing is shown in the file.
    I have checked the documents related to ACS 4.1, it says that there is a bug related to command accounting “CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23”.
    Tried upgrading the same with the patch applAcs-4.1.1.23.3.zip, still it is not working.
    Other reports are working fine.
    1. TACACS+ Accounting - not working
    2. Logged in Users - not working
    3. TACACS+ Administration - working
    4. Passed Authentication - working
    5. Failed Attempts - working
    Any suggestions or any idea, please revert.
    Regards
    Vineet

    Hi,
    Thanks
    Yes I have configured the command “aaa accounting exec default start-stop group tacacs+”
    As I have mentioned, all the other reports are working: which user logged in, when he logged in and what commands he used. Only the TACACS+ Accounting and Logged in Users reports are not working.
    Regards,
    Vineet

  • GRC 10 Not able to search roles in Access Request Creation

    Hello Experts,
    I am unable to search for roles while creating access request by giving system name.
    I am able to search with any other search criteria except system.
    When I look for valid entries for System I get the following connector group values:
    ECC - (Custom Connector Group)
    SAP_BAS_LG
    SAP_ECC_LG
    SAP_HR_LG
    SAP_R3_LG
    All the above connector groups are pointing to the same system XXXCLNT100. I want to get only ECC as the result when I search for the system (Probably then it might work right).
    Others that start with SAP are linked to the XXXCLNT100 for generating rules after activating BC Sets.
    Any ideas how to get this to work?
    Thanks and Regards,
    Ajesh Raju.

    Found Note:
    Note 1654033 - Role search by System is giving same result
    Regards,
    Ajesh.

  • Access Request Creation - Role or System Required at Creation

    Hi - We are installing GRC 10.1 SP6. When I create a request it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirement to add either a system or a role at the time you create a request?
    This is not a huge deal to me as I created templates that include the systems we provision to by default.  However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.
    Thanks,
    Rich

    Hi Richard,
    In addition to what Colleen has already mentioned, you can set up the provisioning configuration in such a way that you don't have to select a system in the access request. So basically a request requires either a system or a role. Most of the time (best practice) users select a role without a system. Personally I also recommend that way as the system comes with the role automatically.
    In the global provisioning configuration (SPRO > AC > User Provisioning > Maintain Provisioning Settings) you have to define that the user gets created when the role gets assigned.
    Alternatively, as you would like to remove both, you can check if it is workable via the request type settings. I don't have a system to test, but you might be lucky. Remove the "Assign object" action from the request type and check if it is still mandatory to add at least one assignment.
    SPRO > GRC > AC > User Provisioning > Define Request Type
    Please let me know if this helps.
    Regards,
    Alessandro

  • Enabling Direct Database Request for LDAP User in RPD

    Hi All,
    Can anybody help me out with how to set the Direct Database parameter in the repository for the respective LDAP user?
    Actually I am implementing a PROXY user setup, and in this process I'm encountering the below error:
    Odbc driver returned an error (SQLExecDirectW).
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
    [nQSError: 13017] User or group has not been granted the Direct Database Access privilege to access the database 'So n So'. Please verify the User/Group Permissions in the Oracle BI Administration Tool. (HY000)
    http://1.bp.blogspot.com/-NqzXnCsUse0/UT5D2F6SksI/AAAAAAAAA1s/SpygihX4z5A/s1600/3.PNG
    If I create the user in the repository and set "direct database Request" to "Allow" for him, then he is able to use the PROXY functionality, but in my case I am using LDAP and there is no room for the users.
    Any assistance is greatly appreciated.
    Thank you.
    Siva Budagam.

  • SAP GRC AC ARM -Access Request approval

    Dear Community Members,
    My question relates to practice advice in respect to risk analysis type on access request.
    Can anybody share experience with type of analysis on access request?
    According to SAP HELP we have: In the Analysis Type dropdown list, select the relevant analysis type.
    You use Risk Analysis to determine violations pertaining to the authorizations assigned to the role. For example, when the authorizations result in segregation of duties violations.
    You use Impact Analysis to determine authorization violations pertaining to other roles. That is, the authorizations for the selected role, in combination with authorizations for another role, result in violations.
    In particular I am interested in the case when I have requested Role A and Role B with both creates SoD risks: would this be caught by access risk analysis during request creation? Assuming the user has no role at the backend.
    Thanks,
    Filip

    Hi Filip,
    Yes, your understanding is correct.
    Risk analysis in the access request is intended to find out any sorts of risks associated with the roles in the request in addition to the roles assigned to the user already.
    When Risk analysis is performed, it will take into account all roles which are added to request and show the correct results.
    You can also run the simulation to see what will happen if the role is assigned to user beforehand.
    Regards,
    Shweta
    SAP - GRC

  • GRC 10.1 Access Request - Provisioning Logs Not Available

    Hello guys,
    I am currently running into an issue with the user provisioning logs. The Request Approval notification which is sent to the user at the end of an approved access request is as below, and the Provisioning Logs tab is throwing a timeout error when opened.
    "Hi Varsha Upadhyay (B001193),
    The Request number : 26 , has been processed and the Request is Closed. The details are as follows:
    Provisioning failed; check provisioning log for details.
    Kind regards,
    Access Control Administrator "
    I have checked the table 'GRACREQPROVLOG' and I see the logs available in the table. When I open the logs for a particular request number, I see the below error message under the 'Prov Message' field:
    "Type conflict when calling a function module (field length)"
    Similarly in SLG1, I find the following message at the end of each provisioning task that has taken place at the end of a request being approved.
    "Error in RFC; 'Type conflict when calling a function module (field length)'."
    I made sure I gave SAP_ALL to all the RFC ID's and also the WF-BATCH ID's, and the integration scenarios are also defined correctly for all the target systems.
    It seems that this error is just preventing the provisioning details from being displayed in the email or in the Provisioning logs, but the user provisioning has actually taken place as expected (viewed in SU01).
    So I'm wondering, even after provisioning has actually taken place successfully, why would this error occur? Does anyone know the source of this error message? Please let me know what I am missing.

    Hi Narsimha,
    The error seems to be associated with wrong type being passed as a parameter to a function module.
    Can you check the field mapping for your connectors in SPRO? There might be a mismatch happening there.
    Thanks
    Sammukh

  • LDAP users that are not Windows users

    Hello,
    I would like to use Active Directory as a directory service for internal intranet sites, etc.
    I have users that do not need access to a Windows desktop as they are connecting to the sites via kiosk/mobile devices.
    Can I set up a user that can be validated through LDAP but would not be able to access a Windows desktop through the normal Windows logon screen ?
    Chris.

    Hi Chris,
    If you want to restrict some users in Active Directory so that they can only log on through mobiles/devices rather than computers, you can configure Deny log on locally and Deny log on through Terminal Services through Group Policy.
    More information for you:
    User Rights
    http://technet.microsoft.com/en-us/library/dd349804(v=WS.10).aspx
    Best Regards,
    Amy

  • Run with User's rights not working as expected

    I have a VBscript that runs the Quest Client Profile Updating Utility for migrating Outlook e-mail profiles to a new Exchange Server. For this tool to work it must be run using the User's security context when the user is logged onto the computer.
    What I have found is that the script fails to run because SCCM is running the script with elevated privileges. The program is set with 'Only when a user is logged on' and a run mode of 'Run with user's rights'. The advertisement is set to run from a distribution point and has two mandatory recurring schedules (Logon, and at 6:00 a.m. every day).
    To test what is happening I created a separate Program that has the same program settings but only runs 'Cmd.exe /k echo' for the command line. If I run this SCCM program as a user who is not a member of the local administrators group I can execute privileged programs like regedit.exe. If I run the Command Prompt from the Start\Accessories folder and try to run Regedit I receive an 'Access denied' message. It appears SCCM is running with elevated privileges.
    Does SCCM run a program with elevated privileges? How can I make a program run without elevated privileges?
    Thank you for your help.

    Actually I ran into a similar issue today trying to gather info about mapped network drives and found this thread when trying to troubleshoot it. Here's a summary of what I've done:
    I have an SCCM package set up to run a script to dump the users' mapped drives to a text file. The program is set to run only if a user is logged on and to run in the logged on user's context. UAC is enabled. For users who are members of the local Administrators group, the resulting text file was empty, as if no drives were mapped. Running the script manually (not via SCCM, just double-clicking the script) populated the text file with the expected results. So the script works correctly.
    I suspected SCCM was running the package elevated, since drives mapped in the non-elevated context aren't visible to the elevated context.
    To test, I created another package & program that runs a command I know requires elevation (ipconfig /registerdns) and pipes the output to a text file. I configured it in the same way, and for users who are in the local admin group, the text file results indicate that the command ran successfully (which means it ran elevated). If I take the user out of the local admin group, making no changes to the package, then run the package again, the text file results say "This command requires elevation."
    So, it appears SCCM is running with the highest elevation level for which the user has rights. I guess this makes sense, and it's not doing anything the user wouldn't normally have rights to do, but it does cause a problem when a program needs to run under the user's non-elevated token. Any suggestions?
    Thanks,
    Matt

  • Palm Treo 755p -- bought new computer with Vista and downloaded Download Palm Desktop by ACCESS 6.2 -- now the sync does not work, asks for drivers

    Hello...
    I am new to the Palm (~1mo.) but I was using hotsync with my old laptop which had Windows XP and was not experiencing any real problems. That computer is going bye-bye, I bought an HP with the Vista OS and I followed the directions on downloading the Download Palm Desktop by ACCESS 6.2 from the website but now I cannot get my device to sync-- The Desktop computer asks for the appropriate drivers. I tried searching online, on the disk that came with the smartphone and even reinstalling a couple times and everything is dead in the water...
    Anyone able to help me out on this?
    Is there an additional patch of some sort to download?
    Post relates to: Palm m515

    Just in case it is not clear... that post was made after I bought the bluetooth adapter and tried following the advice provided in the Vista 64 Hotsync solution found! post. Again-- my statement of not working is for the following reasons:
    1) my PC tells me that the synchronization completed with errors.
    2) when I look at the log, it says that the Backup synchronization aborted.
    3) It almost invariably tells me that it Failed to backup 1 file(s) and that file is "NetworkProfiles2" through a "Protocol Error: Unknown error. (6410)"
    4) many of my contacts (over half) duplicate during this synchronization.
    5) many of my appointments (over half) duplicate during this synchronization.
    The information about creating a virtual serial port on my PC comes from my actual palm itself. The palm info is in the HotSync verbiage and it tells me to contact my computer manufacturer. In doing so however they have no idea how to do this and Palm does not either. I am still working with HP on trying to resolve that part of it but I am thinking from the hours of research that Palm wants me to create another COM port but again the help I am finding on this is beyond my pay grade so to speak... you can check out the following link and try to help me if you like:
    http://msdn.microsoft.com/en-us/library/ms885792.aspx
    So... any ideas my friend? It appears that some Vista 64-bit users are having success with a bluetooth sync but I have tried emailing those that claim to have been able to do this with no luck. I am not having any luck (I hope my outline above is clearer)-- and no one seems to have had any luck recently.
    I would love to make this work-- I bought this phone for this functionality.
    Post relates to: Palm m515