GRC 10.0 Access Request workflow error

Hi,
While creating a change request in AC10 to assign roles I get task errors (see example in attachment) and the request does not appear in the approver's (manager stage) work Inbox.
Can anyone help and advise what can be missing and what should be checked additionally?
I've checked all configuration settings as described in the Post-Installation and Pre-Implementation docs but still get the same error and the request does not appear in the work Inbox.
The WF-BATCH user has the following roles assigned in the GRC system:
SAP_BC_BMT_WFM_SERV_USER
SAP_GRC_FN_ALL
SAP_GRC_FN_BASE
Thanks a lot for advice!
Aga

Hi
Yes, it helped. Now there are no errors at this stage and the request appeared in the manager's work inbox. I've only assigned the recommended roles at first. It looks like I need to look for additional roles for both users, or for authorization objects which are missing from the SAP standard roles, to avoid assignment of SAP_ALL.
Thanks a lot!!!
Regards,
Aga

Similar Messages

  • Mitigation assignment approval in Access Request Workflow

    Hi Guys,
    I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
    Below is the Scenario,
    1) User Submits the request
    2) Manager Approves
    3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
    Clarification:
    Once the role owner approves, depending on the mitigation controls assigned, can this request be routed to the mitigation control owner for approval in the next stage? Is this configurable without custom BRF+ rules? I know there is a separate workflow (SAP_GRAC_CONTROL_ASGN) for approval of the assignment, which I suppose is outside of the Access Request workflow.
    Please suggest.

    Pavan,
    more or less - as the control assignment workflow is independent, the access request doesn't wait. So if the role owner sets a mitigation, the control workflow starts. If you allow the role owner to approve the access request with risks, meaning the risk isn't mitigated, then the role owner can proceed.
    To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
    Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
    Does this answer your question?
    Regards,
    Alessandro

  • GRC 10.0 Access request Management Audit

    Hello All,
    Can anyone let me know what auditors check when they audit GRC 10.0 Access Request Management (excluding configuration)?
    Thanks
    Mohammed Wasim

    Hi,
    ARM supports key ITGC controls for user access management, so probably audit would also cover:
    - review of updated processes & controls
    - check (based on sample) if all requests were properly approved
    - review of correctness of approvers assignment
    - verification if what was requested was provisioned
    - timely removal of terminated access
    - review of SoD controls embedded in process
    - periodic review of user access
    and maybe some more controls. In most cases it will be sample based testing so auditors may ask for a sample of requests to trace them to back-end systems and opposite sample of changes in users privileges to verify if proper requests were prepared for those changes...
    Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
    Best regards, Andrzej
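Added example, not part of the thread: a minimal sketch of the two-direction sample test described in the answer above (requests traced to back-end changes, and back-end changes traced to properly approved requests). The record layout, stage names and all data are constructed assumptions, not an SAP export format.

```python
from datetime import date

# Assumption: a request is "properly approved" when both stages signed off.
REQUIRED_STAGES = {"MANAGER", "ROLE_OWNER"}

# Constructed sample of closed access requests.
REQUESTS = [
    {"id": 101, "user": "JDOE", "role": "Z_AP_PAYMENTS",
     "approvals": {"MANAGER", "ROLE_OWNER"}, "closed": date(2024, 3, 4)},
    {"id": 102, "user": "ASMITH", "role": "Z_VENDOR_MAINT",
     "approvals": {"MANAGER"}, "closed": date(2024, 3, 10)},
    {"id": 103, "user": "BLEE", "role": "Z_PO_RELEASE",
     "approvals": {"MANAGER", "ROLE_OWNER"}, "closed": date(2024, 3, 12)},
]

# Constructed sample of role assignments observed in the back-end system.
BACKEND_CHANGES = [
    {"user": "JDOE", "role": "Z_AP_PAYMENTS", "changed_on": date(2024, 3, 4)},
    {"user": "ASMITH", "role": "Z_VENDOR_MAINT", "changed_on": date(2024, 3, 10)},
    {"user": "CKIM", "role": "Z_PO_MAINT", "changed_on": date(2024, 3, 15)},
]


def fully_approved(req):
    """True when every required stage appears in the request's approvals."""
    return REQUIRED_STAGES <= req["approvals"]


def missing_approvals(requests):
    """Request id -> stages that never approved (approval completeness test)."""
    return {r["id"]: sorted(REQUIRED_STAGES - r["approvals"])
            for r in requests if not fully_approved(r)}


def not_provisioned(requests, changes):
    """Requests with no matching back-end change on or after closure."""
    return [r["id"] for r in requests
            if not any(c["user"] == r["user"] and c["role"] == r["role"]
                       and c["changed_on"] >= r["closed"] for c in changes)]


def unrequested_changes(requests, changes):
    """Back-end changes not backed by a fully approved, earlier request."""
    return [(c["user"], c["role"]) for c in changes
            if not any(fully_approved(r) and r["user"] == c["user"]
                       and r["role"] == c["role"]
                       and r["closed"] <= c["changed_on"] for r in requests)]


if __name__ == "__main__":
    print("Missing approvals:", missing_approvals(REQUESTS))
    print("Approved but not provisioned:", not_provisioned(REQUESTS, BACKEND_CHANGES))
    print("Changes without proper request:", unrequested_changes(REQUESTS, BACKEND_CHANGES))
```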

  • Approving the access request gives error in Sharepoint Foundation 2013 / Email notification codepage problem

    Hello
    On our SharePoint Foundation 2013 server approving Access Requests fails with "request approval failed" after pressing the approve button. The user is site administrator, site collection administrator and site owner.
    In the ulsviewer we see the following error:
    System.NotSupportedException: No data is available for encoding 1033.
       at System.Text.Encoding.GetEncodingRare(Int32 codepage)
       at System.Text.Encoding.GetEncoding(Int32 codepage)
       at Microsoft.SharePoint.Email.SPMailMessageHelper.GetSocialNotificationMailMessage(SPWeb web, String senderAddress, String senderName, Boolean useSenderAddressAsFromAddress, String recipientAddress, CultureInfo recipientCulture, String subject, String sidebarHtml, String descriptionHtml, String customMessageHtml, List`1 embeddedAttachments)
       at Microsoft.SharePoint.SPSharingEmailHelper.SendAccessRequestsEmail(SPCachedItemEventProperties eventProperties, SPUser sender, String message, SPUser recipient, String recipientEmailAddress, String strSubject, String body)
       at Microsoft.SharePoint.SPSharingEmailHelper.SendRequestorNotification(SPCachedItemEventProperties eventProperties, String objRequestedTitle, SPUser reqByUser, SPUser reqForUser, String message, Boolean isMessageUpdate, Int32 status)
       at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleStatusChangingToApprove(SPCachedItemEventProperties properties, Int32 reqByUserId, Int32 reqForUserId, Int32 newStatus, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)
       at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleRequestStatusChanging(SPCachedItemEventProperties properties, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)
       at Microsoft.SharePoint.SPAccessRequestsOperationHandler.ItemUpdating(SPCachedItemEventProperties properties, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)
       at Microsoft.SharePoint.SPAccessRequests.UpdateItem(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 permissionLevel, Boolean extendInvitation, String anonLinkType, SPList accReqList, SPListItem item, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)
       at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatusCore(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 newPermissionLevel, Boolean extendInvitation, String anonLinkType, SPList accReqList, SPListItem request)
       at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, SPUser reqForUser, String convStr, String permType, Int32 permissionLevel, Boolean extendInvitation, String anonLinkType, SPWeb web)
       at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, String convStr, String permType, Int32 permissionLevel)
       at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.ChangeRequestStatus_MethodProxy(XmlNodeList xmlargs, ProxyContext proxyContext)
       at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.InvokeStaticMethod(String methodName, XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid)
       at Microsoft.SharePoint.Client.ServerStub.InvokeStaticMethodWithMonitoredScope(String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid)
       at Microsoft.SharePoint.Client.ClientMethodsProcessor.InvokeStaticMethod(String typeId, String methodName, XmlNodeList xmlargs, Boolean& isVoid)
       at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStaticMethod(XmlElement xe)
       at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessOne(XmlElement xe)
       at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStatements(XmlNode xe)
       at Microsoft.SharePoint.Client.ClientMethodsProcessor.Process()
    449c7b9c-6cec-f09a-9792-3d76c4d7e351
    The server is running on an English Windows 2012 Server and also the English version of SharePoint Foundation 2013 with the June 2013 CU.
    We see exactly the same error when we add users to a group with the option "Send an email invitation" enabled.
    Any ideas what could cause these problems?
    Regards,
    Reinhard

    Hi Reinhard ,
    According to your error message, it says that no data is available after encoding the social notification mail message. It should be caused by the E-Mail encoding setting.
    For troubleshooting your issue, please check the character set of your E-Mail Settings:
    1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
    2. On the Central Administration Home page, click System Settings.
    3. On the System Settings page, in the E-Mail and Text Messages (SMS) section, click Configure outgoing e-mail settings.
    4. On the Outgoing E-Mail Settings page, make sure the Character set setting is 65001 (Unicode UTF-8).
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in the “User” field and press Enter, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    Scenario 1: If we put the user name in the “User” field and press Enter, the user details are updated:
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaining the parameter 2050 as YES and check once.
    Kindly also refer to the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242 - UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    This is during creation of any kind of Access Request in GRC through NWBC > Access Management tab > Access Request > Access Request Creation.
    In the user details section, I can see that the HR records (like Pernr, position, manager) are visible to some extent.
    My question is where these details come from in GRC. What configuration should we maintain to get these HR records?
    Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
    Now my question is: where, in my case, is GRC pulling the HR records (PA20) like PERNR, POSITION, PERSONNEL AREA etc. from? SU01 does not provide this information. My ECC box is integrated with the HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • GRC 10.1 Access Request - Provisioning Logs Not Available

    Hello guys,
    I am currently running into an issue with the user provisioning logs. The Request Approval notification which is sent to the user at the end of an approved access request is as below, and the Provisioning Logs tab is throwing a timeout error when opened.
    "Hi Varsha Upadhyay (B001193),
    The Request number : 26 , has been processed and the Request is Closed. The details are as follows:
    Provisioning failed; check provisioning log for details.
    Kind regards,
    Access Control Administrator "
    I have checked the table 'GRACREQPROVLOG'  and I see the logs available in the table, When I open the logs for a particular request no I see the below error message under the 'Prov Message' field
    "Type conflict when calling a function module (field length)"
    Similarly in SLG1, I find the following message at the end of each provisioning task that has taken place at the end of a request being approved.
    "Error in RFC; 'Type conflict when calling a function module (field length)'."
    I made sure I gave SAP_ALL to all the RFC ID's and also the WF-BATCH ID's, and the integration scenarios are also defined correctly for all the target system.
    It seems that this error is just preventing the provisioning details from being displayed in the email or in the Provisioning logs, but the user provisioning has actually taken place as expected (viewed in SU01).
    So I'm wondering why this error would occur even after provisioning has actually taken place successfully. Does anyone know the source of this error message? Please let me know what I am missing.

    Hi Narsimha,
    The error seems to be associated with wrong type being passed as a parameter to a function module.
    Can you check the field mapping for your connectors in SPRO? There might be a mismatch happening there.
    Thanks
    Sammukh

  • SAP GRC AC ARM -Access Request approval

    Dear Community Members,
    my question relates to practice advice in respect to risk analysis type on access request.
    Can anybody share experience with type of analysis on access request.
    According to SAP HELP we have: In the Analysis Type dropdown list, select the relevant analysis type.
    You use Risk Analysis to determine violations pertaining to the authorizations assigned to the role. For example, when the authorizations result in segregation of duties violations.
    You use Impact Analysis to determine authorization violations pertaining to other roles. That is, the authorizations for the selected role, in combination with authorizations for another role, result in violations
    In particular I am interested in this case: when I have requested Role A and Role B, which together create SoD risks, would this be caught by access risk analysis during request creation? Assuming the user has no roles at the backend.
    Thanks,
    Filip

    Hi Filip,
    Yes, your understanding is correct.
    Risk analysis in the access request is intended to find out any sorts of risks associated with the roles in the request in addition to the roles assigned to the user already.
    When Risk analysis is performed, it will take into account all roles which are added to request and show the correct results.
    You can also run the simulation to see what will happen if the role is assigned to user beforehand.
    Regards,
    Shweta
    SAP - GRC

  • MSMP Access request and mitigation assignment workflows

    Hi Guys,
    Need help in understanding access request workflow. Here is the flow:
    Requester submitted access request.
    1. Manager stage (010)
    2. Role owner (020) - at this stage routing enabled for DETOUR_SODVIOL with standard rule ID by creating detour path with new stage (021).
    3. Security Lead (030).
    Instead of going to SoD stage (021) request is diverted to MIT_ASSIGNMENT workflow for applying mitigation control with a new number generated.
    I am confused with system behavior, Please suggest.
    Thanks all for your time.
    Thanks & regards
    Harry

    Hello,
    Based on your requirement you need 2 paths.
    PATH A : where you have 3 stages
    Manager
    Roleowner
    Security Lead
    and PATH B: 2 stages, if Security Lead is required after the SOD stage.
    1) SOD stage
    2) Security Lead
    Requester submitted access request. This will go in PATH A.
    1. Manager stage (010): Manager approves, then it goes to the next stage.
    2. Role owner (020) - at this stage routing enabled for DETOUR_SODVIOL with standard rule ID by creating detour path with new stage (021).: After Role owner approves, it checks the condition and route mapping based on the rule result value.
    3. Security Lead (030).
    Instead of going to SoD stage (021) request is diverted to MIT_ASSIGNMENT workflow for applying mitigation control with a new number generated.
    Ensure the MITIGATION workflow is not active in the configuration parameter.
    Good Luck
    Prasant

  • Access request creation - select roles screen - field boxes were not aligned

    I'm not sure if this is really the screen of SAP GRC 10.1 access request creation. The field boxes were not aligned. Is there a note to fix this issue? Thank you.
    Regards,
    Jenilyn

    Hi Mohamed,
    Even I used Google Chrome, it's the same. Still facing the same issue. Is there any other way to solve this issue?
    Thank you.
    Regards,
    Jenilyn

  • Error while trying to submit Access request to GRC from IDM

    Hello
    We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
    We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
    Is there anything wrong with the script which puts the RoleData details, since it's getting aborted?
    I tried providing Role name directly in Role data attribute inside the action task and got following error:
    Error
    putNextEntry failed
    storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code
    82 - (GRC User Access Request:82:Script execution failed)]; remaining name
    'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
    I checked VDS Logs and there was one error :
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
    From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
    Regards
    Deepak Gupta

    Thanks Christopher
    I got my issue fixed. There was an issue with my GRC Initial load job, which couldn't enrich the repository privileges, and hence the issue was coming up, since the script wasn't able to find the GRC ROLE ID and Application ID attributes from the privileges.
    Regards
    Deepak Gupta

  • GRC 10.1 Simplified Access Request and Remediation View Issues

    Hi Everyone,
    We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and am having the following issues. Has anyone else also experienced them?
    In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
    In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks for the same request:
    I’ve checked the following things:
    I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
    I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
    It looks like we are on the latest support packs:
    Any help on this would be greatly appreciated!
    Thanks,
    Brett

    Hi Brett,
    For Remediation issue you can check the below thread.
    http://scn.sap.com/thread/3574790
    Regards,
    Neeraj

  • Split of an Access Request in GRC

    Hello GRC Experts,
    I have a following issue in my MSMP workflow:
    I have created an MSMP workflow using detour rule GRAC_MSMP_DETOUR_SODVIOL at the first stage. If an access request contains SOD violations the request should be routed to the Security stage. It works fine so far, but with one exception. We have requests which contain three roles; two of them have SODs and one is clean. I expect that only the two roles which contain SODs should be routed to the SOD path, and the role which is clean should go the normal path (No SOD path). However I am facing the situation that the whole request is routed to the SOD path and Security stage.
    Do you have any idea how to solve this issue?
    thank you in advance
    best regards
    Sabrina
    Here are the screenshots from the MSMP workflow

    Hi Sabrina,
    we had exactly the same challenge - this is how we solve it:
    - check parameter: 1073 Enable sod violations detour on risks from existing roles (recommended YES)
    - routing level - make sure the stage settings (where your routing rule is executed) are set to "line item level" under MSMP Workflow configuration / Maintain paths/ maintain stage settings
    Hope this helps,
    Filip
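Added example, not part of either thread and not SAP's implementation: a simplified model of the behaviour discussed here and in the "SAP GRC AC ARM - Access Request approval" thread above. It runs an SoD analysis over the requested roles plus (optionally, in the spirit of parameter 1073) the user's existing roles, then routes either the whole request or individual line items. Rule IDs, role names and the two-function risk model are constructed assumptions.

```python
# Constructed rule set: each risk is a pair of conflicting functions.
RISKS = {
    "P001": ("create_vendor", "post_payment"),
    "S002": ("maintain_po", "release_po"),
}

# Constructed role-to-function mapping.
ROLE_FUNCTIONS = {
    "Z_VENDOR_MAINT": {"create_vendor"},
    "Z_AP_PAYMENTS": {"post_payment"},
    "Z_DISPLAY_ONLY": {"display_reports"},
    "Z_PO_MAINT": {"maintain_po"},
    "Z_PO_RELEASE": {"release_po"},
}


def analyze(requested, existing=(), include_existing=True):
    """Return {risk_id: requested roles that contribute to that risk}.

    The analysis pool is the requested roles plus, when include_existing
    is True, the roles the user already holds in the back end.
    """
    pool = set(requested) | (set(existing) if include_existing else set())
    providers = {}  # function -> roles in the pool that grant it
    for role in pool:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            providers.setdefault(fn, set()).add(role)
    findings = {}
    for risk_id, (f1, f2) in RISKS.items():
        if f1 in providers and f2 in providers:
            contributing = (providers[f1] | providers[f2]) & set(requested)
            if contributing:  # ignore risks the request does not touch
                findings[risk_id] = contributing
    return findings


def route(requested, existing=(), include_existing=True, line_item_level=True):
    """Map each requested role to 'SOD' or 'NORMAL' path."""
    findings = analyze(requested, existing, include_existing)
    flagged = set().union(*findings.values())
    if not line_item_level:
        # Request-level routing: one violation detours every line item.
        path = "SOD" if flagged else "NORMAL"
        return {role: path for role in requested}
    return {role: ("SOD" if role in flagged else "NORMAL") for role in requested}


if __name__ == "__main__":
    req = ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS", "Z_DISPLAY_ONLY"]
    print("Findings:", analyze(req))
    print("Request level:", route(req, line_item_level=False))
    print("Line item level:", route(req, line_item_level=True))
    print("With existing role:", analyze(["Z_PO_RELEASE"], existing=["Z_PO_MAINT"]))
```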

  • CUP 5.3 Superuser Access Request Error

    Dear Experts,
    I have a path “Superuser Access Request” with three stages* for assigning FF IDs to requesting users in CUP.
    Stage1: Manager (Determinator: Manager)
    Stage2: Superuser Owner (Determinator: Superuser Owner)
    Stage3: Security Admin (Determinator: Security)
    I have no problem assigning FF IDs to users through this path.
    However, I have a problem when I tried to remove all FF IDs from a user (with an error message: Failed to process your request, Configuration Error, Approvers not found for SUPERUSER OWNER stage).
    I kinda know that this is an error due to the fact that I am, in a request, removing all the FF IDs which are supposedly tied to superuser owners---Missing superuser owners causing this error.
    Is there any way I can remove all FF IDs and still keep the user ID for day-to-day standard access?
    PS: I have tried to create a detour path to the security admin stage in the case if no superuser owner is found. Unfortunately, this didn’t work since there is no such pre-defined condition as “No Superuser Owner” in the detour path configuration.
    Please help if you can.
    Thanks,
    HM

    HM,
    How are you removing FFID's from users via CUP?
    Michael,
    Superuser provisioning via CUP actually assigns available FFID's to the user.
    For more details on this functionality, please visit our AC5.3 Best Practice site at: http://help.sap.com/bp_grc53/GRC_US/HTML/index.htm
    Not sure, but you might need your S-number to access.
    Thanks!
    Ankur
    SAP GRC RIG

  • GRC Access requests - Audit Log

    Dear All,
    GRC access requests are showing "Provisioning failed" messages. The Access Request Audit Log is displayed with a "Log on Failed / CPI - CALL: ThSAPCMRCV" message (screenshot enclosed). Could you please share an insight on these messages and their resolution?
    Thanks,
    raj

    Dear Raj,
    please check with your basis team if the connection to the system works. Basically it seems like you have a connection error as the log on does not work.
    Regards,
    Alessandro
