GRC 10.0 SP 14 access request form displays unassigned roles

Dear experts, when I open the Access Request form and I select a user, and then I click on existing assignments, I am shown a list of roles and systems assigned to this user. However, when I go to those corresponding backend systems to see if the roles are actually assigned, it turns out that they are not. I have rerun all the sync jobs and they all completed successfully. Auto provisioning works on all these systems and there are no issues in terms of the RFC. However, as indicated by the attachments, it continues to show rules that were unassigned from this user some time ago. Where might these assignments be coming from?

Hi Santosh,
Did you run the repository object sync job in full mode for this connector? This has mostly to do with outdated sync information, as you can also see in the following note:
http://service.sap.com/sap/support/notes/1667112
Please check again.
Regards,
Alessandro

Similar Messages

  • Access request form fields changing if request is self or other

    Hi SAP experts,
    When I open a new Access Request, all the fields from the EUP work as expected with designated mandatory fields and visible fields (attachment "AC other"), but for some reason when I change the "Request For:" dropdown to some other value (in this example "Self") all the fields become visible and Mandatory disappears (attachment "AC Self"). What can I do to correct this behavior?
    Note: If I assign the default value as "Self" and then change the field to "Other" I get the same results (all visible fields), so it is something that happens when changing the "Request For:" dropdown.

    Hi Jonathan,
    Can you check webdynpro component : GRAC_UIBB_ACCESS_REQUEST once because I think there might be code written to hide fields in onselect( ) action of request type.
    PFB the snapshot for reference.
    If not, pls check WDDOINIT( ) method of view V_SELECT_USER as shown below
    PS : Compare your code with the attached file code.
    If still the issue exists, Pls refer to this note : 1670922.
    Hope this helps you.
    Thanks
    KH

  • GRC 10.1 Simplified Access Request and Remediation View Issues

    Hi Everyone,
    We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and are having the following issues. Has anyone else also experienced them?
    In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
    In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks for the same request:
    I’ve checked the following things:
    I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
    I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
    It looks like we are on the latest support packs:
    Any help on this would be greatly appreciated!
    Thanks,
    Brett

    Hi Brett,
    For Remediation issue you can check the below thread.
    http://scn.sap.com/thread/3574790
    Regards,
    Neeraj

  • AC 10.1 remove tabs from Access Request

    Hello,
    I checked the forum for my specific issue but didn't find what I was looking for.
    We're on GRC 10.1 V1100 SP04
    Here's the scenario...
    - We're requesting a new role to be assigned to an existing user in ECC using the Access Request form from GRC AC 10.1 system.
    - I've created a new Request Type "Change Account" with actions Retain/Remove/Assign under process id SAP_GRAC_ACCESS_REQUEST
    - We cannot modify the default EUP ID 999 Maintain EUP as they are SAP values & hard coded
    - We even copied the 999 and made a custom EUP and made these fields non-mandatory but we want to remove these unnecessary tabs
    So what's happening is when we put in a request for assignment of a new role to a user...and hit submit after selecting the role it is asking for "Enter the value for Email" & "Enter the value for Last Name"...which are mandatory fields.
    Does anyone know how I can remove/hide the Risk Violations, User Details, Parameters, User Groups etc tabs which are NOT required in this request...we only need the User Access & Attachments tab.
    I know in SE80\Access Request package there is a way to hide these BUT I do not see this form under the packages.
    Is there any other way?
    Thanks in advance,
    Rajiv

    Hi Rajiv,
    Please check the below path
    Go to SE80 T-code and select package from the drop down and enter GRAC_ACCESS_REQUEST.
    Then in the Web Dynpro tab go to FPM Applications and there you can find the application GRAC_OIF_REQUEST_SUBMISSION where you can make your changes.
    Regards,
    Neeraj

  • WebDynpro Access Request

    Dear all.
    I am creating a Launchpad for a new Access Request form. My idea is to delete one of the tabs (Custom tab) not for all users, just for some of them. So I have copied the Configuration component and the UIBB. Then I assign the ZGRAC_OIF_REQUEST_ROLE_TAB_CC and then I push over the Configure UIBB
    Then I can see all the tabs and then I remove the Custom Data tab.
    So now I create a Launchpad, creating two folders (Access Request and Access Risk Analysis) and assigning the Access Request application the ZGRAC_OIF_REQUEST_SUBMISSION. Is that correct?
    Now  I create a single role and then I assign the Application Configuration I have created.
    But when I access to the user instead of appearing the two folders created previously (Access Request and Access Risk Analysis) I see the Access Request screen directly. In this screenshot you can see how the Custom tab does not appear anymore but I cannot see the two folders.
    I was expecting to see a menu similar to this image 8 attached.

    Hi Sara,
    parameters setup at end user personalization (EUP) may in your case override your expected settings.
    Make sure in SPRO/EUP/ custom tab - is set to visible and try again,
    Filip

  • Error while trying to submit Access request to GRC from IDM

    Hello
    We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
    We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
    Is there anything wrong with the script which put RoleData details since its getting aborted ?
    I tried providing Role name directly in Role data attribute inside the action task and got following error:
    Error
    putNextEntry failed
    storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code
    82 - (GRC User Access Request:82:Script execution failed)]; remaining name
    'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
    I checked VDS Logs and there was one error :
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
    From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
    Regards
    Deepak Gupta

    Thanks Christopher
    I got my issue fixed. There was an issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
    Regards
    Deepak Gupta

  • User details are missing in Access request in GRC 10.0

    Hello All,
    When we are trying to create an Access request in GRC 10.0 for a user, it results in user details not found.
    Under SPRO - Maintain data source configuration we have configured 2 HR systems HR1 and HR2.
    But the User details exist in the HR1 system and lie within validity also. We have tried to run the Repository Object Sync also, still unable to search the details.
    But we observed that even after the Sync job, User details are not created in table GRACUSER and GRACUSERCONN. Could this be the problem? Why is it not updating even after running the Sync job many times, almost 10 times?
    We have also configured parameter 5023 to YES. Please advise.
    Thanks in advance.

    Is the sequence for HR1 set to 1 or 2? I hope you are following the suggestions given by Luciana in the other thread.
    Please post your data source config screenshots otherwise.
    BR,
    Mangesh

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in the “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    Scenario 1: If we put the user name in the “User” field and press intro, the user details are updated:
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaining the parameter 2050 as YES and check once.
    Kindly also refer to the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242 - UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    While creating any kind of Access Request in GRC through NWBC > Access Management Tab > Access Request > Access Request Creation.
    In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
    My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
    Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
    Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • GRC 10.0 Access request Management Audit

    Hello All,
    Can anyone let me know what auditors check when they audit GRC 10.0 Access Request Management (excluding Configuration)?
    Thanks
    Mohammed Wasim

    Hi,
    ARM supports key ITGC controls for user access management, so probably audit would also cover:
    - review of updated processes & controls
    - check (based on sample) if all requests were properly approved
    - review of correctness of approvers assignment
    - verification if what was requested was provisioned
    - timely removal of terminated access
    - review of SoD controls embedded in process
    - periodic review of user access
    and maybe some more controls. In most cases it will be sample based testing so auditors may ask for a sample of requests to trace them to back-end systems and opposite sample of changes in users privileges to verify if proper requests were prepared for those changes...
    Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
    Best regards, Andrzej
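
Added example, not part of the original thread: a reconciliation of the kind the audit answer above describes (tracing approved requests to the back end, and back-end assignments back to requests), which also surfaces the stale "existing assignments" symptom from the first question on this page. The CSV layouts, column names and sample rows are constructed assumptions, not GRC or back-end table formats.

```python
import csv
import io
from datetime import date

# Constructed sample exports. Column names are assumptions for this example,
# not the layout of any GRC or back-end table.
APPROVED_REQUESTS = """request_id,user,system,role,action,approved_on
REQ-1001,JDOE,ECC_PRD,Z_FI_AP_CLERK,ASSIGN,2024-03-01
REQ-1002,JDOE,ECC_PRD,Z_FI_GL_POST,ASSIGN,2024-03-05
REQ-1003,ASMITH,ECC_PRD,Z_MM_BUYER,REMOVE,2024-03-07
"""
GRC_REPOSITORY = """user,system,role
JDOE,ECC_PRD,Z_FI_AP_CLERK
JDOE,ECC_PRD,Z_SD_ORDER_OLD
ASMITH,ECC_PRD,Z_MM_BUYER
"""
BACKEND = """user,system,role
JDOE,ECC_PRD,Z_FI_AP_CLERK
ASMITH,ECC_PRD,Z_MM_BUYER
ASMITH,ECC_PRD,Z_BASIS_ADMIN
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _key(row):
    # Normalise case and whitespace so export differences do not cause false findings.
    return tuple(row[c].strip().upper() for c in ("user", "system", "role"))


def reconcile(requests_csv, repository_csv, backend_csv):
    """Compare approved requests, the GRC repository view and the back end."""
    backend = {_key(r) for r in _rows(backend_csv)}
    repository = {_key(r) for r in _rows(repository_csv)}

    # Keep only the most recent approved action per (user, system, role).
    latest = {}
    for r in sorted(_rows(requests_csv), key=lambda r: date.fromisoformat(r["approved_on"])):
        latest[_key(r)] = (r["action"].strip().upper(), r["request_id"])

    return {
        # Shown as an existing assignment in GRC but absent in the back end.
        "stale_in_repository": sorted(repository - backend),
        # Approved ASSIGN that never reached the back end.
        "approved_not_provisioned": sorted(
            (rid, *k) for k, (a, rid) in latest.items() if a == "ASSIGN" and k not in backend),
        # Approved REMOVE where the role is still assigned.
        "removal_not_executed": sorted(
            (rid, *k) for k, (a, rid) in latest.items() if a == "REMOVE" and k in backend),
        # Back-end assignment with no approved request in the sample at all.
        "assigned_without_request": sorted(backend - set(latest)),
    }


if __name__ == "__main__":
    for finding, items in reconcile(APPROVED_REQUESTS, GRC_REPOSITORY, BACKEND).items():
        print(finding, items)
```

An "assigned_without_request" hit only means no request exists in the sampled period; assignments that predate the sample need the earlier request history before they count as a finding.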

  • No Roles In Access Request - GRC 10 SP06

    Hello Experts ,
    With GRC 10 SP 06, I am facing a strange issue. In Access request, when I search for roles to be assigned, I am not getting any result.
    I have performed all post installation steps and the same is working with SP 05 in another landscape.
    Important steps like running background jobs for user/role/profile sync and role import are all done.
    Thanks & Regards
    Ashish

    Hi,
    You have hit a similar problem I faced after moving to SP06.
    What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
    Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
    Hope that helps.

  • Email content in GRC access request

    Dear Experts,
    Can anyone let me know from where the GRC access request email content is picked up while creating through access request?
    I.e. whenever the requestor creates a request, the manager will get an email (and in my scenario the email document is maintained in document maintenance (SE61 tcode)). Now I need to prefix the user full name in the email content (which the manager receives) with Mr./Ms.
    Thanks
    Katrice

    Hi,
    My issue is resolved by enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
    """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End                                                                          A
    *$*$-Start: (1)---------------------------------------------------------------------------------$*$*
    ENHANCEMENT 1  ZGRC_EMAIL_TITLE.    "active version
      DATA: lw_fullname       TYPE string,
            lw_variables      TYPE grfn_s_msg_variable,
            lw_logsys         TYPE logsys,
            lw_system_id_temp TYPE string,
            lw_user           TYPE grac_user,
            lw_return         TYPE int4,
            lw_user_details   TYPE grac_s_user_detail.

      " Logical system of the current client, used as the system ID for the user lookup
      SELECT SINGLE logsys INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
      IF sy-subrc = 0.
        lw_system_id_temp = lw_logsys.
      ENDIF.

      " Read the user's details (including the form of address) for the request's USER_ID
      READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
      IF sy-subrc EQ 0.
        lw_user = lw_variables-value.
        TRY.
            CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
              EXPORTING
                iv_system_id    = lw_system_id_temp
                iv_user         = lw_user
              IMPORTING
                ev_return_code  = lw_return
                es_user_details = lw_user_details.
          CATCH cx_grfn_exception.                        "#EC NO_HANDLER
        ENDTRY.
      ENDIF.

      " Prefix USER_FULL_NAME with the title; skip when the lookup returned no title,
      " so the name does not get a leading blank
      IF lw_user_details-address-title_p IS NOT INITIAL.
        READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
        IF sy-subrc EQ 0.
          CONCATENATE lw_user_details-address-title_p lw_variables-value
                 INTO lw_variables-value SEPARATED BY space.
          MODIFY et_variables FROM lw_variables INDEX sy-tabix.
        ENDIF.
      ENDIF.
    ENDENHANCEMENT.
    *$*$-End:   (1)---------------------------------------------------------------------------------$*$*
    Thanks
    KH

  • Split of an Access Request in GRC

    Hello GRC Experts,
    I have a following issue in my MSMP workflow:
    I have created an MSMP workflow using detour Rule GRAC_MSMP_DETOUR_SODVIOL at first stage. If an Access request contains SOD violations the request should be routed to Security stage. It works fine so far, but with one exception. We have requests which contain three roles, two of them have SODs and one is clean. I expect that only two roles which contain SOD should be routed to SOD path, and the role which is clean should go the normal path (No SOD path). However I am facing the situation that the whole request is routed to the SOD path and Security stage.
    Do you have any idea how to solve this issue?
    thank you in advance
    best regards
    Sabrina
    Here are the screenshots from the MSMP workflow

    Hi Sabrina,
    we had exactly the same challenge - this is how we solve it:
    - check parameter: 1073 Enable sod violations detour on risks from existing roles (recommended YES)
    - routing level - make sure the stage settings (where your routing rule is executed) are set to "line item level" under MSMP Workflow configuration / Maintain paths/ maintain stage settings
    Hope this helps,
    Filip

  • GRC Access requests - Audit Log

    Dear All, GRC access requests are noticed with Provisioning failed messages. Access Request Audit Log is displayed with " Log on Failed / CPI - CALL: ThSAPCMRCV " message ( Screen shot enclosed ). Could you please share an insight on these messages and their resolution. Thanks raj

    Dear Raj,
    please check with your basis team if the connection to the system works. Basically it seems like you have a connection error as the log on does not work.
    Regards,
    Alessandro

  • GRC AC 10 - Change default value for field in access request

    Hi everybody
    In Access request, is it possible to change the default value in the field "request for"?
    thanks
    Aurélien

    Hi Aurélien,
    Yes, we can make it default. Please go to EUP and there is a field Request for. Please check the snapshot.
    Thanks and Regards
    Ankit sharma
