GRC 10.1 HR trigger BEGDA

Similar Messages

• GRC 10 - HR Triggers

  Dear Experts,
  We have configured SAP HR Triggers to terminate the user and the termination date is taken as BEGDA ( Start Date of termination) from PA0000 table.
  So whenever user is terminated, the validity of user account is set to (BEGDA date - 1).
  Now we want HR triggers NOT to use BEGDA date to set the user account validity but we want to use someother date field say 'XXXXX' from some other standard SAP HR table 'YYYYY'. Is this possible to configure?
  I appreciate your help.
  Thanks,
  Swathi

  Dear Swathi:
  Could you please share information related on how did you do that Trigger?
  I was looking at GRC 10.0 - HR Trigger configuration guide Reference to SAP Note 1591291
  I have created BRF+ and everything needed but i want to know  Which is the next step i have to Maintain MSMP For acces request? Do i have to create another initiator rule?
  if you could share some information and your decision table to get an idea of how you are doing it.
  Also i would like to do the same that you are doing.
  I appreciate your help and attention to this.
  Best Regards.
  Picho

• GRC10- HR Trigger BRF+ rule error

  Hi,
  We are facing an error in HR trigger. The BRF+ is configured as per the note Note 1591291 - GRC 10.0 - HR Trigger configuration.
  The BRF+ rule has decision table which satisfies the condition for new hire. The infotype: 0105 and subtype: 0001
  After the new hire event the trigger is activated in GRC system but the log gives a following error Message:
  Error occurred during the processing of Rule 'Rule_1'
  Error occurred during the processing of Loop 'Loop_1'
  Error occurred during the processing of Rule 'Rule_2'
  Error occurred during the processing of Decision Table 'Decision_Table_HR'
  No match found for the given context (DECISION_TABLE_HR)
  Rules are not satisfied for Employee ID 00000019
  The rules configured are as per the SAP guide.
  1.     How do you analyze the error in the BRF+ rules
  2.     Have anyone come across similar situation
  Regards,
  Prasad Chaudhari

  Hi Prasad
  I am also getting the same error. I have configured the decision table exactly as per the SAP note, and even simplified my rules to only include the CREATE function.
  My SLG1 log picks up the same error.
  Did you find a fix for this on your side ?
  Please help.
  Rgrds
  Sameel

• GRC AC 10- HR Triggers

  Hi,
  Please refer to the note number SAP Note 1591291 - GRC 10.0 - HR Trigger configuration for HR Trigger configuration.
  The materials are in below like:
  https://sapmats-de.sap-ag.de/download/download.cgi?id=5KU0MSXE2SCM78GJU8MM5W3P21VXU8IXYNAYO135V6TDOXKSNI
  Regards,
  Prasad Chaudhari

  Hi,
  I remember few configuration tables
  1. GRACCONFIG
  2. GRACCONFIGSET
  3. GRACCONFIGT
  I suggest for GRC 10 tables do a search in se16 with GRAC
  Hope it helps.
  Prasad

• GRC 10 - Legacy connector as user detail data source

  Hello, 
  I'm trying to use a legacy connector (with a text file as input) as a user data-source.
  Repository user sync for this legacy connector works : checked GRACUSER table, it is populated with all the user details from the input file (id,firstname,lastname,mail,department,phone
  I got it working for user search data source : when creating an access request for "other" user, searching for a user ID/name works : data are displayed in search result, however when I select the user from the serach result the user details are not populated in an access-request form.
  Any clue about this ? Any one already got this working ?
  GRC 10.0 SP13.
  Checked SP14 and SP15 release notes, and found no relevant notes yet.
  repository-related notes applied :
  -1864423
  -1950231
  Regards,
  Emmanuel.

  Hi Pedro,
  You only have confirmed that 2 accounts are maintained in HCM and in SU01 as well, so you would be able to see these accounts' details both ways.
  Yes, you are right about user account maintenance first in HCM at the time of new hire, then you can manually raise the access request to grant them access to various SAP systems. Or in order to automate this process as Prasahant suggested, you can take help from HR Triggers.
  You can refer: GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki
  But responding to your original discussion, whatever user accounts are maintained in HCM you would see those details provided you define HR for the "user search data source" AND from SU01 for "user detail data source"
  In your case you have 2 accounts which have been maintained in HCM as well as SU01, so that is what creating confusion for you.
  Let us know if you need any more clarifications.
  Regards,
  Ameet

• GRC AC - HCM as user search data source

  Hello all,
  I´ve configured GRC AC to user HCM as user search data source and also user details data source. During my user change tests through the "Access Request" function, I noticed that only existent users at SU01 and HCM (checked through PA30) appear in the access request User Selection. Existent users at HCM but not at SU01 doesn´t appear.
  Someone can tell me why? I mean, if I configured the user search to use HCM as data source, shoudn´t it bring all HCM users regardless of his existence at SU01?
  Thanks in advance,
  Pedro

  Hi Pedro,
  You only have confirmed that 2 accounts are maintained in HCM and in SU01 as well, so you would be able to see these accounts' details both ways.
  Yes, you are right about user account maintenance first in HCM at the time of new hire, then you can manually raise the access request to grant them access to various SAP systems. Or in order to automate this process as Prasahant suggested, you can take help from HR Triggers.
  You can refer: GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki
  But responding to your original discussion, whatever user accounts are maintained in HCM you would see those details provided you define HR for the "user search data source" AND from SU01 for "user detail data source"
  In your case you have 2 accounts which have been maintained in HCM as well as SU01, so that is what creating confusion for you.
  Let us know if you need any more clarifications.
  Regards,
  Ameet

• License Type Change through GRC

  Hi All,
  currently ECC user id is being created through GRC HR trigger. but BASIS team manually changing license type after getting physical signe off copy from user. so now we want to automate the system like user request for new ECC id through GRC and it will trigger workflow and license type will automatically changed at end of the request.
  GRC version is 10
  Regards,
  Arif

  Hey Arif,
  You will have to create a custom field first and then map it to the License type field value in the connector within "Maintain mapping for actions and connector groups" section within IMG.
  Once this is done, you will be able to maintain the License type value from the "Custom fields" tab of a access request form.

• HR triggers job in CUP

  Hello there,
  I have an issue with my HR trigger jobs they are always in busy state as result i  am unable to capture  the Triggers in CUP
  we are GRC CUP 5.3 SP9
  can anyone share their experience please  ?
  Thanks
  MK

  Our Trigger jobs run smoothly most of the time.  However, sometimes, the JAVA system that we have GRC on will go down or restart itself.  When this happens, our trigger jobs are most likely in a Busy state since they run so often (every 60 and 80 seconds).  Once we click on the busy icon, they start up again.  We have made it a requirement that our GRC admin checks the trigger jobs at least once daily (normally every morning) to make sure the jobs aren't "stuck" in busy mode.  When we have more time, we plan to investigate further to find out why the java stack is restarting so often.  Right now we are just recording how often this happens.
  Hope this helps.
  Peggy

• HR Trigger in GRC 10 with interface to change 0105 data

  Hi Friends,
  Has someone had experience of enabling HR trigger with core ECC system built on ECC6.0 and HR system built on seperate ECC5.0 system ?
  Also client has email ids of the employees maintained in 0105 field of HR database instead of user ids.
  Is it feasbile to extract the text before '@' from that email id and treat it as user id for remaining processing ?
  Please provide your views on the same.

  Hi Prashant,
  I have an experience with HR Triggers built on a separate system. The problems are:
  1. If you want to provisioning in the ECC server, you need to assign an ECC role to a position in HR server.
  2. If you want to provisioning in ECC and HR server, you need to:
  a) Assign an ECC role and HR role to HR position
  b) Put those system in GRC customization.
  When HR department made a modification, GRC generated a request with the two roles (corresponding to a position) in the two systems. I do not remember if in the request all 2 roles are shown for each system (even if does not exist in one system).
  For your second question, GRC capture ok the email stored in infotype 0105 subtype 0010 and the user ID is capture from infotype 0105 subtype 0001.
  Regards,

• HR Trigger request with a approval workflow in GRC AC 10.0

  Hi Friends,
  Is it possible that a HR triggered user creation request in GRC follow a stage approval based workflow ? Something like MSMP workflow ? Or can we route the HR triggered requests to MSMP worflows someway ? if yes, please help me with the details of the same.
  Thanks in advance for your guidance

  Hi Prashant,
  Refer : Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki
  Also search on GRC community there is lot of material available.
  BR,
  Mangesh

• GRC 10.1 Business role and HR Trigger

  Hello, masters and GURUs.
  I have recently deployed HR trigger in our system, and it works fine -  creating requests for lock or unlock users.
  But i am wondering if it is possible to create access request not only for the systems, but also for business roles using standard functionality.
  For example:
  We'v department where people must have the same authorization to do their job.
  When they hire a new employee, HR triggers this event(only for this department) and creates access request with pre-defined business roles.
  I hope, i explained good enough my idea.
  I will be very thankful for any thoughts or ideas.
  With best regards, Ivan.

  Hi Ivan,
  There is a functionality of default roles, that you could use to add roles to your request by implementing this logic in your BRF rule for HR triggers.
  The bad news is that assignment for the default roles based upon Department is not supported.
  There are only a certain fields which are supported for the Default Roles assignment, below:
  Business Process, Business Subprocess, Company, Role Critical Level, Functional Area, Landscape, Location, Project Release, Role sensitivity, and System.
  Lets suppose you can use Functional Area instead of Department. You will need to maintain Default Roles settings in SPRO, at REQUEST level, (parameters 1302, 2009, 2010, 2011, 2012, 2013).
  In NWBC>Access Management>..>Default Roles, make sure that the entry maintained there (for attribute Functional Area) has SYSTEM set to "All Systems" or "All system in the role Landscape".
  This should work.
  Note 1964884 has a correction for this functionality, so if you go for it, make sure to have this Note applied.
  Now, if any of the fields available for Default Roles will be good for your scenario, then it will not be possible to use Role Defaults, thus I am not aware of any customization on this area.
  Hope this helps!
  Luciana.

• GRC 10 EAM- Work Items generated  but mail is not trigger to Controller.

  Hi All,
  In EAM i am able to received  log in notification mail,But EAM -Controller is not able to received mail .for ref please see the attached screen shot
  Here one Issue.
  Work items generated properly ,But in search request results Showing like below.
  Instance Status  =Aborted
  Instance Approval Status = Error
  so open this request ,Work items are generated ,for ref please see the below screen shot
  and then i checked Audit log ,below message is there
  Submission failure of request FF_USER using FFID-TEST on D26300/FFLOG/53828355378F18A0E10080000A02400E - Process ID SAP_GRAC_FIREFIGHT_LOG_REPORT
  I am attaching both screen shots please help me ,I need very urgent.
  thanks,
  Suresh

  Hi Suresh
  Did you configure the MSMP for SAP_GRAC_FIREFIGHT_LOG_REPORT?
  I need very urgent.
  Very few people raise something on this community that is not urgent. Please be mindful that everyone on this community volunteers their free time to provide assistance. Telling us it is urgent will not speed up response.
  Regards
  Colleen
  Message was edited by: Colleen Lee
  don't tell us it's urgent!

• Connect CUP (in GRC 10.0) with ABAP CUA

  Hi ,
  Has anyone a short guide how to connect the CUP in GRC 10.0 with an ABAP CUA?
  We would like to use the CUP to trigger the CUA for the deployment of the CUP assigned authorisations.
  Thank you in advance!
  Br,
  Frank

  Hi Frank,
  There is one for SAP GRC 5.3 that you can access with the below link:
  http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/80ee8c81-7812-2a10-ce91-e1be55f43491
  The GRC AC10 documentation is not available.
  May be this can be an input for the BPX team to create one
  Regards,
  Raghu

• How to provide access to Critical Transactions in GRC AC 10.0

  +Hello Gurus,+
  +We are in phase of implementing GRC AC 10.0 , and have a requirement where there are "Critical Transactions" identified by the Business and if there is any end user who wants to access any specific "Critical Transaction" e.g. PA30 etc then it must automatically go to a specific Owner of that transaction.+
  +As far as i know , we can have a workflow for getting a role assigned, but not sure if it is possible to have a workflow where every "critical transaction" will have an owner and then on selection of the transaction it will trigger a workflow.+
  +I would also like to know what is a standard or rather best practice in SAP GRC , regarding providing access to "CRITICAL Transactions" ??+
  +We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.+
  +Looking forward to know about the suggestion/solution for this issue.+
  +Thanks in advance.+
  +Regards,+
  +Victor+

  Hello,
  Victor Ger wrote:
  > +We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.+
  > +Victor+
  I think that only one firefighter with all the critical transactions is not a good idea. I guess it's better to have different firefighters IDs assigned to different users. The point here is to decide if you really want to have a trace for all critical transactions executions.
  An example:
  Tx. SM37 is considered a critical transaction if the user has also the auth. object S_BTCH_ADM set to "yes".  This allows to delete or copy others user's jobs. This is and authorization that a Basis person must have. Do you really want to trace this?
  I think that force a Basis person to use a firefighter for this is nonsense, because this tx. is part of his/her job. Then, you should accept this sort of risks, otherwise you'll get the point where you replace the normal users with FF users. This is not the idea of FF.
  Of course, this is just a thought and all depends on your business requirements.
  Cheers,
  Diego.

• Custom Field in GRC AC 5.3

  Hi Experts,
  I'm configuring GRC AG 5.3 SP 16, in HR Trigger we need to fill some custom field, and I want to know if there is no way to mapping these custom fields in UMR?
  Best Regards,

  Hi Shivam,
  In the ERM>>COnfiguration>>system....have you maintained the MS server name???
  If NOt please maintain....
  Check for the test connection..
  Regards
  Gangadhar