GRC 10 Access request with 'System entry only' goes to escape route

Similar Messages

• GRC Access requests - Audit Log

  Dear All, GRC access requests is noticed with Provisioning failed messages. Access Request Audit Log is displayed with " Log on Failed / CPI - CALL: ThSAPCMRCV " message ( Screen shot enclosed ). Could you please share an insight on these messages and it's resolution. Thanks raj 

  Dear Raj,
  please check with your basis team if the connection to the system works. Basically it seems like you have a connection error as the log on does not work.
  Regards,
  Alessandro

• Email content in GRC access request

  Dear Experts,
  Can any one let me know from where GRC access request email content is picked up which creating creating throught access request.?
  I.e when ever the requestor creating request, the manager will get an email( and in my scenario the email document is maintained in document maintenance(se61 tcode) ). Now i need to prefix user full name in email content(which the manager receives) with Mr./Ms.
  Thanks
  Katrice

  Hi,
  My issue is resolved my enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
  """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End                                                                          A
  *$*$-Start: (1)---------------------------------------------------------------------------------$*$*
  ENHANCEMENT 1  ZGRC_EMAIL_TITLE.    "active version
  DATA: lw_fullname  TYPE string,
         lw_variables TYPE grfn_s_msg_variable,
         lw_logsys    TYPE logsys,
         lw_system_id_temp  TYPE string,
         lw_user            TYPE grac_user,
         lw_return TYPE int4,
         lW_user_details    TYPE grac_s_user_detail.
         SELECT SINGLE logsys  INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
         IF sy-subrc = 0.
          lw_system_id_temp = lw_logsys.
         ENDIF.
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
     IF sy-subrc EQ 0.
      lw_user = lw_variables-value.
        TRY.
                CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
                  EXPORTING
                    iv_system_id    = lw_system_id_temp
                    iv_user         = lw_user
                  IMPORTING
                    ev_return_code  = lw_return
                    es_user_details = lw_user_details.
             CATCH cx_grfn_exception .                   "#EC NO_HANDLER
            ENDTRY.  
  ENDIF.
     READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
     IF sy-subrc EQ 0.
       CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
       MODIFY et_variables FROM lw_variables index sy-tabix.
     ENDIF.
  ENDENHANCEMENT.
  *$*$-End:   (1)---------------------------------------------------------------------------------$*$*
  Thanks
  KH

• How to create a transport request with query and only with its structure.

  HI guru,
              how to create a transport request with query and only with its structure.transport request should not  include any other query items like ( variables, conditions...etc)
  thanks in advance.
  venkata

  Hi,
  Goto RSA1 and then Transport Connection -> In SAP Transports select Object Types-> Query Elements -> Then select Query->Give Technical name of the query and then select for transfer. In the right side you can choose the components which you wanted to transport.
  Regards,
  anil

• Cross-enterprise integration of SAP GRC Access Control with PeopleSoft

  Friends,
  Does anybody has/have/had the owner to implement Cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft ?
  If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
  Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
  I tried to search, but could not get good results.
  Any help would be highly appreciated.
  Best Regards,
  Amol Bharti

  Amol-
  From my experience:
  CC 5.2 with Peoplesoft: as long as you have the RTA's installed in the Peoplesoft system and create the connectors in CC, you are good to go.
  AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service.  You have the capability to provision to SAP HR.
  FF 5.2 with Peoplesoft: N/A
  RE 5.2 with Peoplesoft: N/A
  I am not sure if there are any standalone docs out there for AC integration with Peoplesoft.  And the 5.2 manuals have sparse information on integration.  However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
  Sorry, I couldn't share more info, as that is all I know for now...
  Ankur
  GRC Consultant

• How do I configure my AirPort Extreme as a wireless access point?  My cable modem goes to a router, and one of those ports goes to my AirPortExtreme.

  I am about to hook up my airport extreme.  My cable modem goes into a router, and one of those ports will supply my airport extreme.  I was told by the Apple Store that I would need to configure my airport extreme as a wirreless access point.  How do I do this?

  With sbcgobal I got a Gateway 2wire modem. What I would like to know is how do I set up my APE as remote?
  Unfortunately, you won't be able to do this as few non-AirPort routers will work with AirPorts in a Wireless Distribution System (WDS).

• Site Access Request EMail not being sent

  Like others, my Access Request email messages aren't going out. I've read numerous blogs and such about this, but haven't found anything that is quite fitting my happenings.
  I'm using IIS 6 SMTP server on my SP server, Incoming Mail is configured as Advanced Mode, sites can receive mail (and some do and it works), No on SharePoint Directory Management Service, incoming email addy is configured and the e-mail drop folder is c:\inetpub\mailroot\drop.
  Outgoing mail points directly to my Exchange (2007) server, from and reply-to addys are configured, char set is 65001.
  As with others, outgoing email from SharePoint, other than access requests, is working. I get plenty of notices about documents changing, alerts, etc. But the alerts from Access Requests aren't going out. I found one blog somewhere that mentioned permissions
  to the \inetpub\mailroot folders, so I searched my ULS logs for system.net.mail issues, found one where it had an error about insufficient permissions to the \inetpub\mailroot\drop folder. Okay, seems odd, but what the heck, give it a shot. I grant some permissions
  to the drop folder and, surprise, the Outgoing Access Request EML file is dropped in the drop folder!
  But why? It should be going out to my Exchange server! I look in the message, there aren't any routing headers in the message indicating that it even tried the Exchange server, much less got bounced back to SP from Exchange. If I manually copy the EML file
  to the Pickup folder - off it goes and is properly mailed to my Exchange account.
  I don't get it.
  Thanks in advance,
  Steven

  Never mind. Stupid stupid stupid dumb dumb dumb...
  My IIS 7 .NET SMTP settings were to configured to drop outgoing mail in the DROP folder. Changed this setting to the Pickup folder and it starts working.
  Sorry for the interruption, now back to our regularly scheduled emergencies...
  Steven

• Mitigation assignment approval in Access Request Workflow

  Hi Guys,
  I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
  Below is the Scenario,
  1) User Submits the request
  2) Manager Approves
  3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
  Clarification:
  Once the role owner approves , depending on the mitigation controls assigned , can this request be routed to the mitigation control owner for approval in next stage? is this configurable with out custom BRF+ rules ? I know there is a workflow separately  (SAP_GRAC_CONTROL_ASGN) for approval of assignment which I suppose is out side of the Access request workflow.
  Please suggest.

  Pavan,
  more or less - as the control assignment workflow is independent the access request doens't wait. So if the role owner set a mitigation the control workflow starts. If you allow the role owner to approve the access request with risks, means if the risk isn't mitigated, then the role owner can proceed.
  To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
  Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
  Does this answer your question?
  Regards,
  Alessandro

• Access request list

  Hi,
  Currently all requests are going to the only person who is  in the access request list. Is there any way page owner can receive all access request which are related to only page access. Basically we have individual owner for each page, we do not want
  all access request will direct to only to the person who belongs to access request list.
  Thanks
  srabon

  Sorry Srabon, that's a no as well. Take a look at the following link for options on creating your own:
  http://blog.randomdust.com/index.php/2013/07/custom-access-denied-page-in-sharepoint-2013/
  cameron rautmann

• ACS 4.2 doesn't response RADIUS access-request

  I have configured radius 4,2:
  - Create an internal database, a account
  - Create an AAA client, with pass the same on Authenticator server
  - Authenticate using Radius-Aironet (and try with other radius vendor)
  - Submit and Apply
  From Authenticator ( Ruckus Zone-director 1000)
  - Configure the same secret pass with ACS
  - IP: ACS, Port: 1812
  - Send user name and pass which created on ACS server
  From authenticator, send raidius access-request with username & pass have created on ACS, but ACS doesn't response any message even fail ..
  Could you please help me figure out the happening problem
  Thank a lot
  -Brian.

  Brian,
  I would also like you to check following,
  Please go to Network Configuration > If we have Network Device Group option enabled, then go the network device group---Edit properties---remove the shared secret from there---submit the changes.
  And try again, If authentication works, that would mean that we have configured a Network Device Group level key. And a NDG level key over rides the AAA
  Client level key.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342699
  Are we seeing "unknown NAS" with the same NAS ip address the one we have added on the ACS under network configuration?
  Regds,
  JK
  Do rate helpful posts-

• ARQ: How to Specify specific system in "System" Field in "Risk Violations" Tab in Access Request???

  Hi,
  I would like restrict users from selection systems from the drop down in "Risk Violations" Tab. In order to achieve this, I opened  GRAC_OIF_RQUEST_SUBMISSION" application in Admin mode and disabled. As a result, this field is disabled. But this is blank. I am unable to maintain any value in it. I tried to select a value from the drop down and then disabling the field. I saved with the selected value. But later when Access Request application accessed, it is again showed blank.
  However, when a user performs risk analysis, application still performs for all the connectors!
  user is authorized to perform risk analysis for specific connector (controlled using GRAC_SYS object). But not sure where from application is picking up different connectors?
  Secondly, I also noticed that this "System" drop down has multiple entries in it along with "ALL". I dont have any clue where these values are coming from!
  Can anybody help me in understanding and addressing this?
  Also, may I know how other are tackling this? I mean, is "System" drop down disabled with specific value as default or enabled with ONLY specific value?
  Please advise.
  Regards,
  Faisal

  Hi Faishal,
  I went through the challenge you have described. On top of mentioned issues - do you know that if a user select a system (has requested a role for it) but you have no sod rule book defined for it - grc will identify no sod risks for request and will mark all roles (even those for other systems for which rulebook is defined) as 'green' on access approver screen. The expected behavior would be only selected role would be marked as green and others would be still red. We have tried also with option 'ALL' however results provided in our case were not accurate (we did recons to single systems)
  This strange system behavior (SP14) was reported to SAP. In this case if you have path defined for SoD detour - system will not go on detour as there is no risk defined.
  What we did -was we setup a fix value in this field (our production system with rulebook) an put this system as parameter TVARV (system depended) and using the value of this parameter we fixed the system against which the analysis are executed.
  Filip

• GRC 10 Not able to search roles in Access Request Creation

  Hello Experts,
  I am unable to search for roles while creating access request by giving system name.
  I am able to search with any other search criteria except system.
  When I look for valid entries for System I get the following connector group values:
  ECC - (Custom Connector Group)
  SAP_BAS_LG
  SAP_ECC_LG
  SAP_HR_LG
  SAP_R3_LG
  All the above connector groups are pointing to the same system XXXCLNT100. I want to get only ECC as the result when I search for the system (Probably then it might work right).
  Others that start with SAP are linked to the XXXCLNT100 for generating rules after activating BC Sets.
  Any ideas how to get this work !!
  Thanks and Regards,
  Ajesh Raju.

  Found Note:
  Note 1654033 - Role search by System is giving same result
  Regards,
  Ajesh.

• Doubt in customizing request with respect to table entries

  Hi All,
  I have a doubt in customizing request with respect to table entries.
  Suppose I have a customizing request with respect to a table that contains say 10 entries in the development system.
  Now I am transporting this request to the quality system in which the same table contains 20 entries.
  When I am transporting this table from the development system to the quality system, will my 10 entries in the development system get added to the 20 entries in the quality system or will my table get overwritten in the quality system.
  What difference will this be if it is a workbench request ? .
  Regards,
  Sushanth H.S.

  Hello,
  So if we are transporting contents of a table from one system to another, it should always be a customizing request and not a workbench request right.
  If the "Delivery Class" of the table is 'C'(Customizing table, maintenance only by cust., not SAP import) it will ask for a customizing request.
  If it is 'A'(Application table (master and transaction data)), it will ask for Workbench.
  To add to your previous qn, when you transport the entries to subsequent system it will always check the KEY FIELDS and then update. If you see a transport, then the table entries are represented by their key fields.
  If you create new entries in your table and transport, it will add the records. Else it will modify them
  Hope i am clear.
  BR,
  Suhas
  Edited by: Suhas Saha on Jan 23, 2009 11:51 AM

• Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

  Hello,
  I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
  1. Connected CUABOX to GRCBOX like a plug-in system.
  2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
  3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
  After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
  Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
  Any help in this regard is very helpful.
  Thank you,
  Pawan

  Hi Alessandro,
  I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
  1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
  2. Approvals provided to assign the ECC role.
  3. I see the following in GRFNMW_DBGMONITOR_WD.
             Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                 New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                 T-CUA_CHILD User does not exist in target system CUA
  GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
  However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
  So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
  Thank you for your help!
  Pawan

• GRC 10.0 Access Request Creation- Data Source of User Details

  Hi Experts,
  I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
  While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
  In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
  My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
  Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
  Thanks,
  Atanu

  Alessandro,
  Thanks for your response. It helped me to know certain things.
  But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
  Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
  Thanks in advance!
  Atanu