GRC 10.0 Access request Management Audit

Similar Messages

• HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

  hi sap gurus,
  i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
  SAP_GRAC_ACCESS_APPROVER
  SAP_GRAC_ACCESS_REQUEST_ADMIN
  SAP_GRC_FN_BASE
  SAP_GRC_FN_NUSINESS_USER
  and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
  but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
  the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
  can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
  I will be very much thankful if you guide me successfully.

  Hi Colleen,
  thanks a lot for your time.
  PIC1: I created one user: GR_AR_APP001
  and assigned all the GRC ROLES.
  PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
  PIC3: I created one EUP 980 (copied from default EUP)
  PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
  PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
  PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
  PIC7: I saved agent id
  PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
  PIC9: I saved
  PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
  PIC11: Maintain Route Mapping, I clicked on next
  PIC12 and PIC13: I saved and activated.
  After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
  now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
  please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
  thanks for your support Colleen.

• GRC 10.0 Access Request Creation- Data Source of User Details

  Hi Experts,
  I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
  While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
  In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
  My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
  Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
  Thanks,
  Atanu

  Alessandro,
  Thanks for your response. It helped me to know certain things.
  But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
  Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
  Thanks in advance!
  Atanu

• GRC 10.0: Access Request Creation - LDAP user advanced search not working

  Dear Experts,
  We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
  Scenario 1: If we put the user name in “User” field and press intro, the user details are updated:
  Scenario 2: If we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
  We are using the Active Directory as Data Source.
  Thanks and Regards.

  Hi Jose,
  Try maintaning the parameter 2050 as YES and check once.
  Kindly, also make refer to  the below list of SAP notes:
  1757906 - GRC 10.0 - LDAP user search does not work in NWBC
  1745370 - LDAP search in GRC does not work anonymously
  1718242- UAM: User search not working in Access Request.
  Regards,
  Neeraj Agarwal

• GRC 10.1 Access Request - Provisioning Logs Not Available

  Hello guys,
  I am currently running into an issue with the user provisioning logs, the Request Approval notification which is sent to the user are at the end of an approved access request are as below and the Provisioning Logs tab is throwing a timeout error when opened.
  "Hi Varsha Upadhyay (B001193),
  The Request number : 26 , has been processed and the Request is Closed. The details are as follows:
  Provisioning failed; check provisioning log for details.
  Kind regards,
  Access Control Administrator "
  I have checked the table 'GRACREQPROVLOG'  and I see the logs available in the table, When I open the logs for a particular request no I see the below error message under the 'Prov Message' field
  "Type conflict when calling a function module (field length)"
  Similarly in SLG1, I find the following message at the end of each provisioning task that has taken place at the end of a request being approved.
  "Error in RFC; 'Type conflict when calling a function module (field length)'.
  I made sure I gave SAP_ALL to all the RFC ID's and also the WF-BATCH ID's, and the integration scenarios are also defined correctly for all the target system.
  It seems that this error is just preventing the provisioning details from being displayed in the email or in the Provisioning logs, but the user provisioning has actually taken place as expected (viewed in SU01).
  So i'm wondering even after provisioning has actually taken place successfully, why would this error occur. Does anyone know the source for this error message, please let me know what am I missing?

  Hi Narsimha,
  The error seems to be associated with wrong type being passed as a parameter to a function module.
  Can you check the field mapping for your connectors in SPRO? There might be a mismatch happenning there.
  Thanks
  Sammukh

• SAP GRC AC ARM -Access Request approval

  Dear Community Members,
  my question relates to practice advise in respect to risk analysis type on access request.
  Can anybody share experience with type of analysis on access request.
  According to SAP HELP we have: In the Analysis Type dropdown list, select the relevant analysis type.
  You use Risk Analysis to determine violations pertaining to the authorizations assigned to the role. For example, when the authorizations result in segregation of duties violations.
  You use Impact Analysis to determine authorization violations pertaining to other roles. That is, the authorizations for the selected role, in combination with authorizations for another role, result in violations
  In particular I am interested when I have requested Role A and Role B with both creates SoD risks, would this be catch by access risk analysis during request creation? Assuming user have no role at backend.
  Thanks,
  Filip

  Hi Filip,
  Yes, your understanding is correct.
  Risk analysis in the access request is intended to find out any sorts of risks associated to the roles in the request inaddition to the roles assigned to the user already.
  When Risk analysis is performed, it will take into account all roles which are added to request and show the correct results.
  You can also run the simulation to see what will happen if the role is assigned to user beforehand.
  Regards,
  Shweta
  SAP - GRC

• GRC 10.0 Access Request workflow error

  Hi,
  While creating change request in AC10 to assign roles I get task errors (see example in attachment) and request does not appear in approver`s (manager stage) work Inbox.
  Can anyone help and advice what can be missing and what should be checked additionally?
  I`ve checked all configuration settings as described in Post-Installation and Pre-Implementation docs but still get the same error and request does not appear in work Inbox.
  WF-BATCH user has assigned in GRC system roles as below:
  SAP_BC_BMT_WFM_SERV_USER
  SAP_GRC_FN_ALL
  SAP_GRC_FN_BASE
  Thanks a lot for advice!
  Aga

  Hi
  yes it helped. Now no errors on this stage and request appeared in manager work inbox. I`ve only assigned recommended roles as first. It looks like I need to look for additional roles for both users or authorization objects which are missing for SAP standard roles to avoid assignment of SAP_ALL.
  Thanks a lot!!!
  Regards,
  Aga

• No Approvers visible on Access Requests

  Hi Everyone
  I am currently experiencing a problem on Access Request Management, on all my request types no Approvers are visible after submission of a request. Checking the request under Instance Status it shows no Approvers, the Approvers have been assigned on the Roles for Assignment approval and Content approval and also have been created on NWBC front-end as Role Owners. On MSMP GRAC_ROLEOWNER Agent has been assign to ROLEOWNER stage and also the stage task settings maintained, On the GRC system the Role Owner/Approvers have also be created and given the proper access including SAP_GRAC_ACCESS_APPROVER role.
  I am not sure where I am going wrong on the Workflow, I have checked and verified also the settings under SPRO - Maintain Configuration Settings and Perform Task-SpecificCustomizing.
  Your assistance in this is highly appreciated
  Regards
  George

  Hi Lentobo,
  As Dilip suggested ,please ensure that role owner is set-up in NWBC. Define role owner  in , Access Control Owner hyperlink ,under Set up tab of NWBC.
  Also make sure that you have checked the checkbox "Assignemnt approver" under Owner tab of  that role.
  Thanks,
  Mamoon

• Access request creation - select roles screen - field boxes were not aligned

  I'm not sure if this is really the screen of SAP GRC 10.1 access request creation. The field boxes were not aligned. Is there a note to fix this issue? Thank you.
  Regards,
  Jenilyn

  Hi Mohamed,
  Even I used Google Chrome, it's the same. Still facing the same issue. Is there any other way to solve this issue?
  Thank you.
  Regards,
  Jenilyn

• GRC Access requests - Audit Log

  Dear All, GRC access requests is noticed with Provisioning failed messages. Access Request Audit Log is displayed with " Log on Failed / CPI - CALL: ThSAPCMRCV " message ( Screen shot enclosed ). Could you please share an insight on these messages and it's resolution. Thanks raj 

  Dear Raj,
  please check with your basis team if the connection to the system works. Basically it seems like you have a connection error as the log on does not work.
  Regards,
  Alessandro

• Email content in GRC access request

  Dear Experts,
  Can any one let me know from where GRC access request email content is picked up which creating creating throught access request.?
  I.e when ever the requestor creating request, the manager will get an email( and in my scenario the email document is maintained in document maintenance(se61 tcode) ). Now i need to prefix user full name in email content(which the manager receives) with Mr./Ms.
  Thanks
  Katrice

  Hi,
  My issue is resolved my enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
  """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End                                                                          A
  *$*$-Start: (1)---------------------------------------------------------------------------------$*$*
  ENHANCEMENT 1  ZGRC_EMAIL_TITLE.    "active version
  DATA: lw_fullname  TYPE string,
         lw_variables TYPE grfn_s_msg_variable,
         lw_logsys    TYPE logsys,
         lw_system_id_temp  TYPE string,
         lw_user            TYPE grac_user,
         lw_return TYPE int4,
         lW_user_details    TYPE grac_s_user_detail.
         SELECT SINGLE logsys  INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
         IF sy-subrc = 0.
          lw_system_id_temp = lw_logsys.
         ENDIF.
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
     IF sy-subrc EQ 0.
      lw_user = lw_variables-value.
        TRY.
                CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
                  EXPORTING
                    iv_system_id    = lw_system_id_temp
                    iv_user         = lw_user
                  IMPORTING
                    ev_return_code  = lw_return
                    es_user_details = lw_user_details.
             CATCH cx_grfn_exception .                   "#EC NO_HANDLER
            ENDTRY.  
  ENDIF.
     READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
     IF sy-subrc EQ 0.
       CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
       MODIFY et_variables FROM lw_variables index sy-tabix.
     ENDIF.
  ENDENHANCEMENT.
  *$*$-End:   (1)---------------------------------------------------------------------------------$*$*
  Thanks
  KH

• User Management - How to submit Additional Access Request on behalf of employee

  User Management - how can we configure "Access Requests" so that Managers can submit Additional Access Requests, or Initial Access Requests on behalf of employee?
  Have looked at "Manage Proxies" but this seems to allow access to everything - not ideal
  Please assist with knowledge and/or experience
  Many Thanks
  Me

  Additional Access Request Registration Process is complete
  Giving access to User Management to users is not an option.
  What I would like is the scenario below - is this achievable?
  When employee goes to iProcurement > Preferences > Access Requests > Request Access | they can submit an access request on behalf of themselves.
  Would like an option where a manager, navigates to same UI as above, has option to choose a subordinate, and request additional access on their behalf
  The table UMX_REG_REQUESTS has columns REQUESTED_FOR_USER_ID & REQUESTED_BY_USER_ID - so it seems they don't have to be same person (manager can submit request on behalf of an employee)
  Can this be achieved through UI for "Access Requests"?

• Error while trying to submit Access request to GRC from IDM

  Hello
  We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
  We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
  Is there anything wrong with the script which put RoleData details since its getting aborted ?
  I tried providing Role name directly in Role data attribute inside the action task and got following error:
  Error
  putNextEntry failed
  storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
  Exception from Add operation:javax.naming.NamingException: [LDAP: error code
  82 - (GRC User Access Request:82:Script execution failed)]; remaining name
  'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
  I checked VDS Logs and there was one error :
  Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
  From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
  Regards
  Deepak Gupta

  Thanks Christopher
  I got my issue fixed, There was issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
  Regards
  Deepak Gupta

• User details are missing in Access request in GRC 10.0

  Hello All,
  When we are trying to create Access request in GRC 10.0 for an user it results as user  details not found.
  Under SPRO - Maintain data source configuration we have configured 2 HR systems HR1 and HR2.
  But the User details exits in HR1 system and lies in validity also. We have tried to run the Repository Object Sync also still unable to search the details.
  But we observed even after the Sync job User details are not created in table GRACUSER and GRACUSERCONN. Is this could be the problem. Why its not updating even after the Sync job many times almost 10 times.
  We have also configured parameter 5023 to YES.Please advise.
  Thanks in advance.

  Did the sequence for HR1 set to 1 or 2, I hope you are following the suggestions given by Luciana in other thread.
  Please post your data source config screenshots otherwise.
  BR,
  Mangesh

• No Roles In Access Request - GRC 10 SP06

  Hello Experts ,
  With GRC 10 SP 06 ,I am facing strange issue .In Access request when I search for roles to be assigned I am not getting any result .
  I have performed all post installation system and same working with SP 05 in other landscape .
  Important steps  like running back ground jobs for user.role.profile  synch role import all is done .
  Thanks & Regards
  Ashish

  Hi,
  You have hit a similar problem I faced after moving to SP06.
  What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
  Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
  Hope that helps.