GRC 10 Access request with 'System entry only' goes to escape route
Hello All Experts,
I am facing the same issue, but my scenario is different, and I found it is not possible with the above solution. If I submit a request with ONLY a system, the request goes to AUTO approve and ends.
1) In change authorizations option, end user submits request with only filling SYSTEM option.
2) Request goes to 1st Stage people, who will add roles into system
The existing MSMP uses "no role owner" as the routing condition here: if the role approver is not FOUND, the request takes the ESCAPE ROUTE and goes to the Escape Stage with the system option and the role (if no role owner is defined for it).
3) If role has owner, it goes to Role Owner.
Can we remove SYSTEM option from request and send it to NO PATH stage instead of ESCAPE route
OR
Is there any better way to handle this? The client does not want to APPROVE requests with SYSTEM entries but is ready to handle requests with no role owner.
Please help.. **Urgent**
1. Look at the following link and ensure you have a similar Initiator created and applied in MSMP.
GRC Request with both System and Role Line Items
2. Ensure in MSMP you have "no stages" in the path for "system only" requests. Paths with no stages will work on roughly SP10 onwards (from experience).
Similar Messages
-
GRC Access requests - Audit Log
Dear All, GRC access requests are showing "Provisioning failed" messages. The Access Request Audit Log is displayed with a "Log on Failed / CPI - CALL: ThSAPCMRCV" message (screenshot enclosed). Could you please share some insight on these messages and their resolution? Thanks, raj
Dear Raj,
please check with your basis team if the connection to the system works. Basically it seems like you have a connection error as the log on does not work.
Regards,
Alessandro -
Email content in GRC access request
Dear Experts,
Can anyone let me know from where the GRC access request email content is picked up while creating through an access request?
I.e. whenever the requestor creates a request, the manager will get an email (and in my scenario the email document is maintained in document maintenance (SE61 tcode)). Now I need to prefix the user's full name in the email content (which the manager receives) with Mr./Ms.
Thanks
Katrice
Hi,
My issue is resolved by enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End A
*$*$-Start: (1)---------------------------------------------------------------------------------$*$*
ENHANCEMENT 1 ZGRC_EMAIL_TITLE. "active version
  DATA: lw_fullname       TYPE string,
        lw_variables      TYPE grfn_s_msg_variable,
        lw_logsys         TYPE logsys,
        lw_system_id_temp TYPE string,
        lw_user           TYPE grac_user,
        lw_return         TYPE int4,
        lw_user_details   TYPE grac_s_user_detail.

  " Logical system of the current client, used as the system ID for the user lookup
  SELECT SINGLE logsys INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
  IF sy-subrc = 0.
    lw_system_id_temp = lw_logsys.
  ENDIF.

  " Fetch the user details (including the address title) for the USER_ID variable
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
  IF sy-subrc EQ 0.
    lw_user = lw_variables-value.
    TRY.
        CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
          EXPORTING
            iv_system_id    = lw_system_id_temp
            iv_user         = lw_user
          IMPORTING
            ev_return_code  = lw_return
            es_user_details = lw_user_details.
      CATCH cx_grfn_exception . "#EC NO_HANDLER
    ENDTRY.
  ENDIF.

  " Prefix the title to USER_FULL_NAME; skipped when no title was found,
  " so the name does not get a leading blank
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
  IF sy-subrc EQ 0 AND lw_user_details-address-title_p IS NOT INITIAL.
    CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
    MODIFY et_variables FROM lw_variables INDEX sy-tabix.
  ENDIF.
ENDENHANCEMENT.
*$*$-End: (1)---------------------------------------------------------------------------------$*$*
Thanks
KH -
How to create a transport request with query and only with its structure.
HI guru,
How do I create a transport request with a query and only with its structure? The transport request should not include any other query items (variables, conditions, etc.).
Thanks in advance.
venkata
Hi,
Goto RSA1 and then Transport Connection -> In SAP Transports select Object Types-> Query Elements -> Then select Query->Give Technical name of the query and then select for transfer. In the right side you can choose the components which you wanted to transport.
Regards,
anil -
Cross-enterprise integration of SAP GRC Access Control with PeopleSoft
Friends,
Has anybody had the honor to implement cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft?
If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
I tried to search, but could not get good results.
Any help would be highly appreciated.
Best Regards,
Amol Bharti
Amol-
From my experience:
CC 5.2 with Peoplesoft: as long as you have the RTA's installed in the Peoplesoft system and create the connectors in CC, you are good to go.
AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service. You have the capability to provision to SAP HR.
FF 5.2 with Peoplesoft: N/A
RE 5.2 with Peoplesoft: N/A
I am not sure if there are any standalone docs out there for AC integration with Peoplesoft. And the 5.2 manuals have sparse information on integration. However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
Sorry, I couldn't share more info, as that is all I know for now...
Ankur
GRC Consultant -
I am about to hook up my airport extreme. My cable modem goes into a router, and one of those ports will supply my airport extreme. I was told by the Apple Store that I would need to configure my airport extreme as a wireless access point. How do I do this?
With sbcglobal I got a Gateway 2wire modem. What I would like to know is how do I set up my APE as remote?
Unfortunately, you won't be able to do this as few non-AirPort routers will work with AirPorts in a Wireless Distribution System (WDS). -
Site Access Request EMail not being sent
Like others, my Access Request email messages aren't going out. I've read numerous blogs and such about this, but haven't found anything that is quite fitting my happenings.
I'm using IIS 6 SMTP server on my SP server, Incoming Mail is configured as Advanced Mode, sites can receive mail (and some do and it works), No on SharePoint Directory Management Service, incoming email addy is configured and the e-mail drop folder is c:\inetpub\mailroot\drop.
Outgoing mail points directly to my Exchange (2007) server, from and reply-to addys are configured, char set is 65001.
As with others, outgoing email from SharePoint, other than access requests, is working. I get plenty of notices about documents changing, alerts, etc. But the alerts from Access Requests aren't going out. I found one blog somewhere that mentioned permissions to the \inetpub\mailroot folders, so I searched my ULS logs for system.net.mail issues, found one where it had an error about insufficient permissions to the \inetpub\mailroot\drop folder. Okay, seems odd, but what the heck, give it a shot. I grant some permissions to the drop folder and, surprise, the Outgoing Access Request EML file is dropped in the drop folder!
But why? It should be going out to my Exchange server! I look in the message, there aren't any routing headers in the message indicating that it even tried the Exchange server, much less got bounced back to SP from Exchange. If I manually copy the EML file to the Pickup folder - off it goes and is properly mailed to my Exchange account.
I don't get it.
Thanks in advance,
Steven
Never mind. Stupid stupid stupid dumb dumb dumb...
My IIS 7 .NET SMTP settings were configured to drop outgoing mail in the DROP folder. Changed this setting to the Pickup folder and it starts working.
Sorry for the interruption, now back to our regularly scheduled emergencies...
Steven -
Mitigation assignment approval in Access Request Workflow
Hi Guys,
I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
Below is the Scenario,
1) User Submits the request
2) Manager Approves
3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
Clarification:
Once the role owner approves, depending on the mitigation controls assigned, can this request be routed to the mitigation control owner for approval in the next stage? Is this configurable without custom BRF+ rules? I know there is a separate workflow (SAP_GRAC_CONTROL_ASGN) for approval of the assignment, which I suppose is outside of the Access request workflow.
Please suggest.
Pavan,
more or less - as the control assignment workflow is independent, the access request doesn't wait. So if the role owner sets a mitigation, the control workflow starts. If you allow the role owner to approve the access request with risks, meaning the risk isn't mitigated, then the role owner can proceed.
To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
Does this answer your question?
Regards,
Alessandro -
Hi,
Currently all requests are going to the only person who is in the access request list. Is there any way the page owner can receive all access requests which are related only to page access? Basically we have an individual owner for each page; we do not want all access requests to be directed only to the person who belongs to the access request list.
Thanks
srabon
Sorry Srabon, that's a no as well. Take a look at the following link for options on creating your own:
http://blog.randomdust.com/index.php/2013/07/custom-access-denied-page-in-sharepoint-2013/
cameron rautmann -
ACS 4.2 doesn't response RADIUS access-request
I have configured radius 4,2:
- Create an internal database, a account
- Create an AAA client, with pass the same on Authenticator server
- Authenticate using Radius-Aironet (and try with other radius vendor)
- Submit and Apply
From Authenticator ( Ruckus Zone-director 1000)
- Configure the same secret pass with ACS
- IP: ACS, Port: 1812
- Send user name and pass which created on ACS server
From the authenticator, I send a RADIUS access-request with the username & pass created on ACS, but ACS doesn't respond with any message, even a failure.
Could you please help me figure out the problem?
Thanks a lot
-Brian.
Brian,
I would also like you to check following,
Please go to Network Configuration > If we have Network Device Group option enabled, then go the network device group---Edit properties---remove the shared secret from there---submit the changes.
And try again. If authentication works, that would mean that we have configured a Network Device Group level key. And an NDG level key overrides the AAA Client level key.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342699
Are we seeing "unknown NAS" with the same NAS ip address the one we have added on the ACS under network configuration?
Regds,
JK
Do rate helpful posts- -
Hi,
I would like to restrict users from selecting systems from the drop down in the "Risk Violations" tab. In order to achieve this, I opened the "GRAC_OIF_RQUEST_SUBMISSION" application in Admin mode and disabled it. As a result, this field is disabled. But it is blank. I am unable to maintain any value in it. I tried to select a value from the drop down and then disable the field. I saved with the selected value. But later, when the Access Request application was accessed, it again showed blank.
However, when a user performs risk analysis, the application still performs it for all the connectors!
The user is authorized to perform risk analysis for a specific connector (controlled using the GRAC_SYS object). But I am not sure where the application is picking up the different connectors from.
Secondly, I also noticed that this "System" drop down has multiple entries in it along with "ALL". I don't have any clue where these values are coming from!
Can anybody help me in understanding and addressing this?
Also, may I know how others are tackling this? I mean, is the "System" drop down disabled with a specific value as default, or enabled with ONLY a specific value?
Please advise.
Regards,
Faisal
Hi Faishal,
I went through the challenge you have described. On top of the mentioned issues, do you know that if a user selects a system (has requested a role for it) but you have no SoD rule book defined for it, GRC will identify no SoD risks for the request and will mark all roles (even those for other systems for which a rulebook is defined) as 'green' on the access approver screen? The expected behavior would be that only the selected role would be marked as green and the others would still be red. We also tried the option 'ALL'; however, the results provided in our case were not accurate (we did recons to single systems).
This strange system behavior (SP14) was reported to SAP. In this case, if you have a path defined for the SoD detour, the system will not go on the detour as there is no risk defined.
What we did was set up a fixed value in this field (our production system with rulebook) and put this system as a parameter in TVARV (system dependent), and using the value of this parameter we fixed the system against which the analyses are executed.
Filip -
GRC 10 Not able to search roles in Access Request Creation
Hello Experts,
I am unable to search for roles while creating access request by giving system name.
I am able to search with any other search criteria except system.
When I look for valid entries for System I get the following connector group values:
ECC - (Custom Connector Group)
SAP_BAS_LG
SAP_ECC_LG
SAP_HR_LG
SAP_R3_LG
All the above connector groups are pointing to the same system XXXCLNT100. I want to get only ECC as the result when I search for the system (Probably then it might work right).
Others that start with SAP are linked to the XXXCLNT100 for generating rules after activating BC Sets.
Any ideas how to get this work !!
Thanks and Regards,
Ajesh Raju.
Found Note:
Note 1654033 - Role search by System is giving same result
Regards,
Ajesh. -
Doubt in customizing request with respect to table entries
Hi All,
I have a doubt in customizing request with respect to table entries.
Suppose I have a customizing request with respect to a table that contains say 10 entries in the development system.
Now I am transporting this request to the quality system in which the same table contains 20 entries.
When I am transporting this table from the development system to the quality system, will my 10 entries in the development system get added to the 20 entries in the quality system or will my table get overwritten in the quality system.
What difference will this be if it is a workbench request ? .
Regards,
Sushanth H.S.
Hello,
So if we are transporting contents of a table from one system to another, it should always be a customizing request and not a workbench request right.
If the "Delivery Class" of the table is 'C'(Customizing table, maintenance only by cust., not SAP import) it will ask for a customizing request.
If it is 'A'(Application table (master and transaction data)), it will ask for Workbench.
To add to your previous qn, when you transport the entries to subsequent system it will always check the KEY FIELDS and then update. If you see a transport, then the table entries are represented by their key fields.
If you create new entries in your table and transport, it will add the records. Else it will modify them
Hope I am clear.
BR,
Suhas
Edited by: Suhas Saha on Jan 23, 2009 11:51 AM -
Hello,
I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
Pawan
Hi Alessandro,
I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
2. Approvals provided to assign the ECC role.
3. I see the following in GRFNMW_DBGMONITOR_WD.
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
T-CUA_CHILD User does not exist in target system CUA
GRC created an account without role assignment in ECC but also threw an error that the user does not exist in CUA.
However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
Thank you for your help!
Pawan -
GRC 10.0 Access Request Creation- Data Source of User Details
Hi Experts,
I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
While creating any kind of Access Request in GRC through NWBC > Access Management Tab > Access Request > Access Request Creation.
In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
Thanks,
Atanu
Alessandro,
Thanks for your response. It helped me to know certain things.
But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
Thanks in advance!
Atanu