GRC 10.0 Access request Management Audit
Hello All,
Can anyone let me know what auditors check when they audit GRC 10.0 Access Request Management (excluding configuration)?
Thanks
Mohammed Wasim
Hi,
ARM supports key ITGC controls for user access management, so an audit would probably also cover:
- review of updated processes & controls
- check (based on sample) if all requests were properly approved
- review of correctness of approvers assignment
- verification if what was requested was provisioned
- timely removal of terminated access
- review of SoD controls embedded in process
- periodic review of user access
and maybe some more controls. In most cases it will be sample-based testing, so auditors may ask for a sample of requests to trace them to back-end systems and, in the opposite direction, a sample of changes in users' privileges to verify that proper requests were prepared for those changes...
Sometimes they could perform more tests on configuration and process, but this is up to the particular auditor.
Best regards, Andrzej
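The sample-based tests listed in the answer above can be expressed as a reconciliation between the request records and the back-end change log. The following is an added example, not part of the original thread and not SAP code; all users, roles, request numbers, dates, the self-approval check and the one-day removal threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data, for illustration only (no real users, roles or requests).
REQUESTS = [  # access requests exported from the request tool
    {"req": "9001", "user": "JDOE",   "role": "Z_AP_CLERK",     "approved_by": "MGR1"},
    {"req": "9002", "user": "ASMITH", "role": "Z_GL_POST",      "approved_by": None},
    {"req": "9003", "user": "BLEE",   "role": "Z_VENDOR_MAINT", "approved_by": "MGR2"},
    {"req": "9004", "user": "MGR2",   "role": "Z_PAYMENT_RUN",  "approved_by": "MGR2"},
]
CHANGES = [  # role assignments taken from the back-end change log
    {"user": "JDOE",   "role": "Z_AP_CLERK"},
    {"user": "ASMITH", "role": "Z_GL_POST"},
    {"user": "MGR2",   "role": "Z_PAYMENT_RUN"},
    {"user": "CKIM",   "role": "Z_PAYMENT_RUN"},
]
TERMINATIONS = {"TWONG": date(2024, 3, 1), "RPATEL": date(2024, 3, 10), "LCHEN": date(2024, 3, 25)}
LOCKED_ON = {"TWONG": date(2024, 3, 1), "RPATEL": date(2024, 3, 20)}  # LCHEN is still active


def pair(rec):
    return (rec["user"], rec["role"])


def audit_access_requests(requests, changes, terminations, locked_on, as_of, max_days=1):
    """Return audit exceptions per control; an empty list means the control held."""
    approved = {pair(r) for r in requests if r["approved_by"]}
    provisioned = {pair(c) for c in changes}
    findings = {
        # Approval control: every request needs an approver, and not the beneficiary.
        "unapproved": sorted(r["req"] for r in requests if not r["approved_by"]),
        "self_approved": sorted(r["req"] for r in requests if r["approved_by"] == r["user"]),
        # Forward trace: what was approved must exist in the back end.
        "approved_not_provisioned": sorted(
            r["req"] for r in requests if r["approved_by"] and pair(r) not in provisioned),
        # Reverse trace: every back-end change must map to an approved request.
        "change_without_approved_request": sorted(
            pair(c) for c in changes if pair(c) not in approved),
        "late_removal": [],
    }
    # Leaver control: account locked within max_days of the termination date.
    for user, left in sorted(terminations.items()):
        locked = locked_on.get(user)
        days_open = ((locked or as_of) - left).days
        if days_open > max_days:
            findings["late_removal"].append((user, days_open, locked is not None))
    return findings


if __name__ == "__main__":
    result = audit_access_requests(REQUESTS, CHANGES, TERMINATIONS, LOCKED_ON, as_of=date(2024, 3, 31))
    for control, exceptions in result.items():
        print(f"{control}: {exceptions}")
```

Each tuple in `late_removal` is (user, days the account stayed open, whether it has been locked since).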
Similar Messages
-
HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST
Hi SAP gurus,
I configured the GRC 10 system successfully. I created one user, GR_AR_APP001, and assigned the following roles:
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_ACCESS_REQUEST_ADMIN
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
But when I create an access request for a new user and define the MANAGER under the user details tab as GR_AR_APP001,
the user GR_AR_APP001 is not receiving any request to APPROVE or REJECT in his WORK INBOX.
Can you please guide me on how to configure an APPROVER or MANAGER to approve or reject requests?
I will be very thankful if you guide me successfully.

Hi Colleen,
thanks a lot for your time.
PIC1: I created one user: GR_AR_APP001
and assigned all the GRC ROLES.
PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
PIC3: I created one EUP 980 (copied from default EUP)
PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
PIC7: I saved agent id
PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
PIC9: I saved
PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
PIC11: Maintain Route Mapping, I clicked on next
PIC12 and PIC13: I saved and activated.
After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
thanks for your support Colleen. -
GRC 10.0 Access Request Creation- Data Source of User Details
Hi Experts,
I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
While creating any kind of Access Request in GRC through NWBC > Access Management Tab > Access Request > Access Request Creation.
In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
Thanks,
Atanu

Alessandro,
Thanks for your response. It helped me to know certain things.
But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION, PERSONNEL AREA etc.? SU01 does not provide this information. My ECC box is integrated with the HR module, so is it taking the data from HR directly?
Thanks in advance!
Atanu -
GRC 10.0: Access Request Creation - LDAP user advanced search not working
Dear Experts,
We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in the “User” field and press Enter, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
Scenario 1: If we put the user name in the “User” field and press Enter, the user details are updated:
Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
We are using the Active Directory as Data Source.
Thanks and Regards.

Hi Jose,
Try maintaining the parameter 2050 as YES and check once.
Kindly also refer to the below list of SAP notes:
1757906 - GRC 10.0 - LDAP user search does not work in NWBC
1745370 - LDAP search in GRC does not work anonymously
1718242 - UAM: User search not working in Access Request.
Regards,
Neeraj Agarwal -
GRC 10.1 Access Request - Provisioning Logs Not Available
Hello guys,
I am currently running into an issue with the user provisioning logs. The Request Approval notification which is sent to the user at the end of an approved access request is as below, and the Provisioning Logs tab is throwing a timeout error when opened.
"Hi Varsha Upadhyay (B001193),
The Request number : 26 , has been processed and the Request is Closed. The details are as follows:
Provisioning failed; check provisioning log for details.
Kind regards,
Access Control Administrator "
I have checked the table 'GRACREQPROVLOG' and I see the logs available in the table, When I open the logs for a particular request no I see the below error message under the 'Prov Message' field
"Type conflict when calling a function module (field length)"
Similarly in SLG1, I find the following message at the end of each provisioning task that has taken place at the end of a request being approved.
"Error in RFC; 'Type conflict when calling a function module (field length)'.
I made sure I gave SAP_ALL to all the RFC ID's and also the WF-BATCH ID's, and the integration scenarios are also defined correctly for all the target system.
It seems that this error is just preventing the provisioning details from being displayed in the email or in the Provisioning logs, but the user provisioning has actually taken place as expected (viewed in SU01).
So I'm wondering why this error would occur even after provisioning has actually taken place successfully. Does anyone know the source of this error message? Please let me know what I am missing.

Hi Narsimha,
The error seems to be associated with the wrong type being passed as a parameter to a function module.
Can you check the field mapping for your connectors in SPRO? There might be a mismatch happening there.
Thanks
Sammukh -
SAP GRC AC ARM -Access Request approval
Dear Community Members,
my question relates to practice advise in respect to risk analysis type on access request.
Can anybody share experience with type of analysis on access request.
According to SAP HELP we have: In the Analysis Type dropdown list, select the relevant analysis type.
You use Risk Analysis to determine violations pertaining to the authorizations assigned to the role. For example, when the authorizations result in segregation of duties violations.
You use Impact Analysis to determine authorization violations pertaining to other roles. That is, the authorizations for the selected role, in combination with authorizations for another role, result in violations
In particular I am interested when I have requested Role A and Role B, which both create SoD risks: would this be caught by access risk analysis during request creation? Assuming the user has no role at the backend.
Thanks,
Filip

Hi Filip,
Yes, your understanding is correct.
Risk analysis in the access request is intended to find out any sorts of risks associated with the roles in the request in addition to the roles already assigned to the user.
When Risk analysis is performed, it will take into account all roles which are added to request and show the correct results.
You can also run the simulation to see what will happen if the role is assigned to user beforehand.
Regards,
Shweta
SAP - GRC -
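The behaviour described in the answer above (analysis runs over the requested roles together with the roles the user already holds) can be modelled in a few lines. This is an added example, not part of the original thread and not how SAP GRC is implemented; the rule set, role names and function names are hypothetical, and an SoD risk is simplified to a pair of conflicting functions.

```python
# Constructed rule set, for illustration only: each risk is a pair of
# business functions that one user should not hold together.
RISKS = {
    "P001": ("MAINTAIN_VENDOR", "PROCESS_PAYMENT"),
    "F002": ("POST_JOURNAL", "OPEN_PERIOD"),
}
# Hypothetical roles and the functions their authorizations grant.
ROLE_FUNCTIONS = {
    "ROLE_A": {"MAINTAIN_VENDOR"},
    "ROLE_B": {"PROCESS_PAYMENT"},
    "ROLE_C": {"POST_JOURNAL"},
    "ROLE_D": {"OPEN_PERIOD", "DISPLAY_GL"},
}


def risks_for(roles):
    """Map each violated risk id to the sorted roles that contribute to it."""
    hits = {}
    for risk_id, functions in RISKS.items():
        holders = [{r for r in roles if f in ROLE_FUNCTIONS[r]} for f in functions]
        if all(holders):  # every conflicting function is granted by some role
            hits[risk_id] = sorted(set().union(*holders))
    return hits


def analyze_request(existing_roles, requested_roles):
    """Analyze the user's projected access: existing roles plus requested ones."""
    before = risks_for(set(existing_roles))
    after = risks_for(set(existing_roles) | set(requested_roles))
    return {
        risk_id: {"roles": roles, "introduced_by_request": risk_id not in before}
        for risk_id, roles in after.items()
    }


if __name__ == "__main__":
    # The case asked about: no roles in the back end, Role A and Role B requested together.
    print(analyze_request(set(), {"ROLE_A", "ROLE_B"}))
    # A conflict that only appears when a requested role meets an existing one.
    print(analyze_request({"ROLE_C"}, {"ROLE_D"}))
```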
GRC 10.0 Access Request workflow error
Hi,
While creating a change request in AC10 to assign roles I get task errors (see example in attachment) and the request does not appear in the approver's (manager stage) work inbox.
Can anyone help and advise what can be missing and what should be checked additionally?
I've checked all configuration settings as described in the Post-Installation and Pre-Implementation docs but still get the same error and the request does not appear in the work inbox.
WF-BATCH user has assigned in GRC system roles as below:
SAP_BC_BMT_WFM_SERV_USER
SAP_GRC_FN_ALL
SAP_GRC_FN_BASE
Thanks a lot for advice!
Aga

Hi
yes it helped. Now no errors on this stage and the request appeared in the manager work inbox. I've only assigned the recommended roles at first. It looks like I need to look for additional roles for both users, or for authorization objects which are missing from the SAP standard roles, to avoid assignment of SAP_ALL.
Thanks a lot!!!
Regards,
Aga -
No Approvers visible on Access Requests
Hi Everyone
I am currently experiencing a problem in Access Request Management: on all my request types, no approvers are visible after submission of a request. Checking the request under Instance Status shows no approvers. The approvers have been assigned on the roles for Assignment approval and Content approval and have also been created on the NWBC front end as Role Owners. In MSMP, the GRAC_ROLEOWNER agent has been assigned to the ROLEOWNER stage and the stage task settings have been maintained. On the GRC system, the Role Owners/Approvers have also been created and given the proper access, including the SAP_GRAC_ACCESS_APPROVER role.
I am not sure where I am going wrong in the workflow. I have also checked and verified the settings under SPRO - Maintain Configuration Settings and Perform Task-Specific Customizing.
Your assistance in this is highly appreciated
Regards
George

Hi Lentobo,
As Dilip suggested, please ensure that the role owner is set up in NWBC. Define the role owner in the Access Control Owner hyperlink, under the Set up tab of NWBC.
Also make sure that you have checked the checkbox "Assignment approver" under the Owner tab of that role.
Thanks,
Mamoon -
Access request creation - select roles screen - field boxes were not aligned
I'm not sure if this is really the screen of SAP GRC 10.1 access request creation. The field boxes were not aligned. Is there a note to fix this issue? Thank you.
Regards,
Jenilyn

Hi Mohamed,
Even when I used Google Chrome, it's the same. Still facing the same issue. Is there any other way to solve this issue?
Thank you.
Regards,
Jenilyn -
GRC Access requests - Audit Log
Dear All, GRC access requests are noticed with Provisioning failed messages. The Access Request Audit Log is displayed with a "Log on Failed / CPI - CALL: ThSAPCMRCV" message (screenshot enclosed). Could you please share an insight on these messages and its resolution. Thanks raj
Dear Raj,
please check with your basis team if the connection to the system works. Basically it seems like you have a connection error as the log on does not work.
Regards,
Alessandro -
Email content in GRC access request
Dear Experts,
Can anyone let me know from where the GRC access request email content is picked up while creating through access request?
I.e. whenever the requestor is creating a request, the manager will get an email (and in my scenario the email document is maintained in document maintenance (SE61 tcode)). Now I need to prefix the user full name in the email content (which the manager receives) with Mr./Ms.
Thanks
Katrice

Hi,
My issue is resolved by enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End A
*$*$-Start: (1)---------------------------------------------------------------------------------$*$*
ENHANCEMENT 1 ZGRC_EMAIL_TITLE. "active version
  DATA: lw_fullname       TYPE string,
        lw_variables      TYPE grfn_s_msg_variable,
        lw_logsys         TYPE logsys,
        lw_system_id_temp TYPE string,
        lw_user           TYPE grac_user,
        lw_return         TYPE int4,
        lw_user_details   TYPE grac_s_user_detail.

  " Logical system of the current client, used as the system id for the lookup
  SELECT SINGLE logsys INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
  IF sy-subrc = 0.
    lw_system_id_temp = lw_logsys.
  ENDIF.

  " Read the user id from the notification variables and fetch the user details
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
  IF sy-subrc EQ 0.
    lw_user = lw_variables-value.
    TRY.
        CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
          EXPORTING
            iv_system_id    = lw_system_id_temp
            iv_user         = lw_user
          IMPORTING
            ev_return_code  = lw_return
            es_user_details = lw_user_details.
      CATCH cx_grfn_exception . "#EC NO_HANDLER
    ENDTRY.
  ENDIF.

  " Prefix the full name variable with the title from the address data
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
  IF sy-subrc EQ 0.
    CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
    MODIFY et_variables FROM lw_variables INDEX sy-tabix.
  ENDIF.
ENDENHANCEMENT.
*$*$-End: (1)---------------------------------------------------------------------------------$*$*
Thanks
KH -
User Management - How to submit Additional Access Request on behalf of employee
User Management - how can we configure "Access Requests" so that Managers can submit Additional Access Requests, or Initial Access Requests on behalf of employee?
Have looked at "Manage Proxies" but this seems to allow access to everything - not ideal
Please assist with knowledge and/or experience
Many Thanks
Me

Additional Access Request Registration Process is complete
Giving access to User Management to users is not an option.
What I would like is the scenario below - is this achievable?
When employee goes to iProcurement > Preferences > Access Requests > Request Access | they can submit an access request on behalf of themselves.
Would like an option where a manager, navigates to same UI as above, has option to choose a subordinate, and request additional access on their behalf
The table UMX_REG_REQUESTS has columns REQUESTED_FOR_USER_ID & REQUESTED_BY_USER_ID - so it seems they don't have to be same person (manager can submit request on behalf of an employee)
Can this be achieved through UI for "Access Requests"? -
Error while trying to submit Access request to GRC from IDM
Hello
We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
Is there anything wrong with the script which put RoleData details since its getting aborted ?
I tried providing Role name directly in Role data attribute inside the action task and got following error:
Error
putNextEntry failed
storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
Exception from Add operation:javax.naming.NamingException: [LDAP: error code
82 - (GRC User Access Request:82:Script execution failed)]; remaining name
'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
I checked VDS Logs and there was one error :
Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME is empty in line no 1 ;msgtype=ERROR
From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
Regards
Deepak Gupta

Thanks Christopher
I got my issue fixed. There was an issue with my GRC Initial load job, which couldn't enrich repository privileges, and hence the issue was coming since the script wasn't able to find the GRC ROLE ID and Application ID attributes from privileges.
Regards
Deepak Gupta -
User details are missing in Access request in GRC 10.0
Hello All,
When we are trying to create Access request in GRC 10.0 for an user it results as user details not found.
Under SPRO - Maintain data source configuration we have configured 2 HR systems HR1 and HR2.
But the user details exist in the HR1 system and are within validity also. We have tried to run the Repository Object Sync also; still unable to search the details.
But we observed that even after the sync job, user details are not created in tables GRACUSER and GRACUSERCONN. Could this be the problem? Why is it not updating even after running the sync job many times, almost 10 times?
We have also configured parameter 5023 to YES. Please advise.
Thanks in advance.

Is the sequence for HR1 set to 1 or 2? I hope you are following the suggestions given by Luciana in the other thread.
Please post your data source config screenshots otherwise.
BR,
Mangesh -
No Roles In Access Request - GRC 10 SP06
Hello Experts,
With GRC 10 SP 06, I am facing a strange issue. In Access Request, when I search for roles to be assigned I am not getting any result.
I have performed all post-installation steps, and the same is working with SP 05 in another landscape.
Important steps like running background jobs for user/role/profile sync and role import are all done.
Thanks & Regards
Ashish

Hi,
You have hit a similar problem I faced after moving to SP06.
What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
Hope that helps.