GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

Hello,
Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP, upon request completion?
I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
Thanks in advance,
Alley
Edited by: Alley1 on Sep 20, 2011 1:15 AM

Hi Karell,
Here is response to your questions:
I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
Regards,
Alpesh

Similar Messages

CUP Auto Provisioning Error 260: User Comparison

I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments. I believe the path and associated stages are established properly. I have tested the auto provisioning functionality within both SRM and ECC. As it relates to SRM, the auto provisioning functionality works without a hitch. However, when I attempt to auto provision a user into our ECC environment, I receive the following error:
Auto provisioned for request on 04/07/2010 13:41
   New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.
   User attributes changed for User : T00522 in System(s) :DR4-300.
   Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text
Speaking with out security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role. However, I informed them that CUP uses SU01. They have not experienced such an issue using SU01 and clicking on the user comparison button.
Interesting point: The user record is created and roles assigned to user but have a red light indicator by the role within SU01. However, when the next day rolls around the role has been changed to a Green light, profile assigned and everything is looking good. Unfortunately, CUP can't seem to register this and when the Role Owner attempts to approve the role / user request again. The same error occurs and until I can get around this error, the workflow is not closed out nor is the requester notifiied.
Questions:
(1) How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
(2) If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

Denoted below is the log that corresponds to the 260 comparison error. Does anyone know what access I am missing within the UME. I have tested this provisioning process, manually, and do not run into a Comparison error within the SU01 screens:
2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
     at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)
     at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)
     at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionInNonCUA(ProvisionSAPUserDAO.java:1232)
     at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionRole(ProvisionSAPUserDAO.java:932)
     at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionUser(ProvisionSAPUserDAO.java:118)
     at com.virsa.ae.accessrequests.bo.ProvisioningBO.autoProvision(ProvisioningBO.java:216)
     at com.virsa.ae.accessrequests.bo.RequestBO.autoProvisioningForApprove(RequestBO.java:4572)
     at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:5565)
     at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5339)
     at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5191)
     at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
     at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
     at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
     at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
     at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(AccessController.java:219)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() :   : intHstId : 3068
2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto
com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto
     at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)
     at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleWFForNewPathStage(WorkFlowBOHelper.java:2516)
     at com.virsa.ae.workflow.bo.WorkFlowRequestRerouteHelper.rerouteRequest(WorkFlowRequestRerouteHelper.java:68)
     at com.virsa.ae.workflow.bo.WorkFlowBO.rerouteRequest(WorkFlowBO.java:614)
     at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)
     at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5239)
     at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
     at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
     at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
     at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
     at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(AccessController.java:219)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
2010-04-27 13:44:55,394 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : confirmRequestApproval() :   : setting context to true, ending context
2010-04-27 13:44:55,414 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataForwardDAO : findTransactions() :   : sbQuery : SELECT REQNO, REQPATHID, STAGE_NAME, FWDED_BY, APRVRID, ITERATION, FORWARD_TYPE, STATUS FROM VIRSA_AE_RQD_WPFWD WHERE REQNO = ?
2010-04-27 13:44:55,486 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.SAPConnectorDAO : findAllActiveSAPConnectors :   : going to return no of records= 3
2010-04-27 13:44:55,495 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.OracleAppsConnectorDAO : findAllActiveORACLEConnectors :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,498 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.PACSConnectorDAO : findAllActivePACSConnectors :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,502 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.WSConnectorDAO : findAllActive :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,505 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.ApplicationDAO : findAllForContext :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,532 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx) :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,535 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx) :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,540 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataMitigationDAO : findAllForContext(SqljContext ctx) :   : going to return ImmutableList(empty)
2010-04-27 13:44:55,579 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : INTO the method
2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : request number : 154
2010-04-27 13:45:14,055 [SAPEngine_Application_Thread[impl:3]_18] INFO com.virsa.ae.dao.sqlj.RequestTypeDAO : findAll :   : going to return no of records= 20

CUP auto provision to position

Hello Experts
I hope you can help me on this issue. We have just implemented CUP (SP14) and have set up auto provisioning, indiirect to a position.
Despite this CUP is provisioning all requests directly to the User ID. There are no error messages to indicate that provisioning to the position has failed or even if it has been attempted. All back end funtionality is standard and working when tested manually. The CUP logs are not showing anything that I can decipher. It is as if the auto provision configuration indirect to the position is being ignored.
Any ideas what could cause this behaviour?
Thanks
Barry

Hi Jwalant
Thanks very much for the reply,
I am using SAPHR as the data source and for authentication. However we only want the user id to authenticate.
Auto provisioning is set to indirect with position for Global and by System and I have tried Provisioning at end of request and at end of each path. This should work without using the personnel number in the authentication shouldn't it?
The users Hr information is being pulled into the request without problem. It seems that CUP is making no effort to provision to the position, it just does it to the user every time.
Any ideas?
Thanks
Barry

GRC CUP 5.3 Auto provisioning Error

Hello All,
This issue is occurring in development system of GRC and works as expected in Quality systems.
Development system of CUP Jco's connected to the development ABAP stack and
Quality Systems of Cup Jco's connected to the QA ABAP stack .
All the parameters and the configuration are the same in Dev and QA.
Now the problem we have is at the last approval stage in the workflow after the approver approves the request (Create/Change) It is erroring out in Auto Provisioning stage with the below message :
Error provisioning your request. Request no: 75. Error occurred in the system(s) : n/a, error details :
DEVL1120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
DEVL2120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
If the same approvers goes back into the request and re-approves the Autoprovisioning is completed and the request is closed. For every last approver the first time he tries to approve the message he gets the above errors in development and does not receive the same error in QA.
The password parameters in the ABAP stack and the Portal Security config are same in DEV and QA. I am not sure if I am missing any information. Any suggestion/Help is appreciated.
Angara

Raghu Thanks for your response. Yes I checked all the login parameters in both QA & DEV and compared to those that were user defined Vs Default they were the same with no difference. yet the problem occured in Development system.
I finally figured out the issue and the surprising part was the error that was issued during auto provisioning is very misleading.
Our Security team had prototyped CUA and connected to the same development client CUP was connected and forgot to remove the child system from the CUA after their demo was complete.
By utilizing Debug log mechanisim, it showed the error as BAPI that is used by CUP to create the user was failing due to CUA locking the client with no ability to create the users in child system directly , The error displayed had no connection to the password lenght.
Thank you all my issue has been resolved and back in business.
Best Regards,
Angara Rao

CUP - Initiator for roles not requiring approval (i.e. auto provisioned)

We recently upgraded to GRC 5.3, SP10 and started noticing that using CUP, for roles that should be automatically provisioned (i.e. no approval required), it is taking between 3 minutes 45 seconds to 5 minutes for the request to be successfully submitted and automatically approved with provisioning. I was wondering if anyone is experiencing simlar system performance
Our set-up for auto provisioned role requests is as follows:
1. Created initiator INI_NO_APPROVE using role for attribute
2. Created stage STG_NO_STAGE with Approver Determinator = No Stage
3. Created path definition PATH_NO_APPROVE with number of stages =2 and initiator = INI_NO_APPROVE
Thanks!

F.Y.I.
As per SAP's recommendation - we applied note:1423983 in all target provisioningn systems and this resolved the issue.

Limitations of Auto-Provisioning through CUP (AE)

Hi all,
I am looking for some information on what are all the benefits and limitations of using auto-provisioning over manual provisioning for the backend systems through CUP (AE).
We are implementing GRC AC 5.3 and it is organization's business decision whether we need the proviosing piece to be automated or not. However, I would like to get your suggestions based on your project experiences esp in a decentralized security administration where security admins are in different geographical locations and have to provision only for their user groups.
Can we perform all the activities thro' auto-provision similar to a security administrator manually creating a user, assign appropriate user groups etc., or is there any limitation?
Which approach would be better for decentralized administration?
Appreciate your suggestions..
Thanks
Siri

Hi Alpesh & Williams,
The user default settings such as date, timezone, decimal etc can be configured through the 'user defaults' and 'user default mapping' . I see the option of assigning user groups and appropriate parameters too.
Say the user belong to user group AAA_XXX and another user belongs to AAA_YYY, where
AAA - location
XXX - Dept
I have configured these (location, dept) as required fields while entering the request in CUP .
However, during run time how will the correct user group be assigned to the user. Is it through the user default mapping? Where do we maintain all the user group information that is available in the ECC system? Do we have to create user default, user default mapping for each user group??
The documentation from SAP is not very clear .. Appreciate if you can provide some lights on this area.
Thanks
Siri

GRC Auto-Provisioning Behavior

Ellow Experts,
I am newbie in supporting GRC thus most of the errors encountered are crucial for me to resolve.
I have some inquiries with regards to GRCu2019s behavior.
1. If a GRC Request has been created to assign roles with validity date earlier than today, why does the GRC closes the request (with logs saying that auto-provision has been completed) but the roles were not assigned yet to the user id.
Ex. GRC CUP created March 22 to assign the following roles:
RoleXXX valid from March 26, 2010 to December 31, 2010.
RoleYYY valid from March 26, 2010 to December 31, 2010.
Upon checking useru2019s role, these roles were not assigned to his account.
2. We also have scenario where the role is requested to be added for next week but GRC auto-provisioned it today and closed the request.
Ex. GRC CUP created March 22 to assign the following roles:
RoleZZZ valid from March 26, 2010 to December 31, 2010.
RoleAAA valid from March 26, 2010 to December 31, 2010.
Upon checking user id, role has been assigned to him the same day the GRC request has been closed.
Please advice why this 2 new scenario has different result where as same type of request. Does workflow has something to do with it?
Version: GRC-SAC-SAE 5.3_09.1
Thanks.

Hi Santosh,
In AC 10.1, I created one brf plus initiator rule.Although I saved it in GRAC_ACCESS_REQUEST package.Transport button is not available(Not greyed).
Dis you faced this issue..How to get this change in transport??
PS:Application are activated.
Thanks,
Mamoon

CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

Hi All,
I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
Here is an example of the audit trail log from Change Account:
Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14
Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
Auto provisioned for request on 06/28/2010 17:14
   User Provisioning failed for System(s) : DEV. Error Message :
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure
   Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
Note: the role names were replaced with "xxxxxxx."
The system log gives an error, but it is very vague:
2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
com.virsa.ae.service.ServiceException
     at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
     at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
     at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
Any ideas or suggestions?
Current software level AC5.3 SP12.
-Dylan

Hello Varun,
Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
Results
New Account with User Defaults configured:
User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
New Account without User Defaults configured:
User provisioned successfully, no Auto-Provision error.
Change Account with User Defaults configured:
User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
Change Account without User Defaults configured:
User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
What about on your side? Am I the only guy using SP12 here?

Auto-provisioning new users with GRC 10.1

There is some lack of clarity at my client on auto-provisioning new users into SAP systems with GRC 10. Here's what they want and I'm telling them they need SAP IdM.
The client will regularly have upwards of 500 new users on an on-going basis. These users are approved and created in Active Directory. The client believes that GRC 10 can now pick up these new users from Active Directory and then go ahead and provision them into ECC and CRM automatically, as soon as they're created, with no further approval required.
To the best of my knowledge, the easiest way to do this would be for IdM to do this, and have IdM trigger GRC for certain users, and to provision users who fall into this group of 500 users.
These users are different from regular users, who need to go through the approval workflows. Regular users will have managers and roles that need approval. These 500 or so users are approved to be created in the system and don't need to get caught up in the approval workflow.
Am I wrong in saying that IdM 7.2 is the best way to do this, or am I missing something about what GRC 10 can do?
Thanks for your help. I really appreciate it.

Hi Santosh,
In AC 10.1, I created one brf plus initiator rule.Although I saved it in GRAC_ACCESS_REQUEST package.Transport button is not available(Not greyed).
Dis you faced this issue..How to get this change in transport??
PS:Application are activated.
Thanks,
Mamoon

GRC 5.3 - Auto Provisioning completed but Status remains Open

Hi All,
Lately GRC 5.3 does not change the status to closed once approval has been submitted. Auto Provisioning completed successfully as roles was assigned to back end ABAP system.
Please advice how to change the status to CLOSED once auto provisioning completes.
Thank you
Jacky.

Hi,
I'm not sure if this is the new issue with SP17. Everything is working fine before we upgrade to SP17. Is anyone can help to solve this issue?
Thank you.
Regards,
Merdelyn

CUP - How to handel requests with no auto provisioning

Dear Friends,
We are not using Auto-Provisioning in our CUP component.
We don't know how to handle a situation when although the request was approved at all stages, the provisioning it self (which is executed manually) does not happen (for example, the security manger forgot to do the changes).
How can we detect those differences ?
And if we did detect them, is there a possibility to add some comments to a request that was fully approved.
thanks
Yudit

Hi Yudit,
Not exactly. It is some manual work.
CUP>>Informer>>Provisioning
Run these two reports (select specific period):
Role Assigned / Removed
User Processed
Run t-code RSSCD100_PFCG_USER (You find this repot in SUIM).
Use the same period as above.
Export the report to Excel. If many entries, create a function to compare the results orilter the result by Action and compare to CUP reports.
Good luck,
Vit

SP12: CUP: Error for requesttype "change" at auto-provisioning

Hello,
We have an error while auto-provisioning a change-request in CUP.
The request stages can be approved correctly but after the last stage, the request is rerouted to administrator because of escape-route settings. (auto provisioning failures)
So the audit trail reports an error at auto-provisioning, BUT in the backend-system the user was changed correctly.
If we now want to approve the request on admin-stage, the error appears again. So we have a closed loop reaction.
Any ideas?
Does anybody have the same issue?
Our client have the same problem with SP12 on the prod.system but in the dev.system (also SP12) we can create the request well.
Thanks,
Alexa

2010-10-15 13:45:54,456 [SAPEngine_Application_Thread[impl:3]_32] DEBUG ProvisioningBO.java@1794:getProvisioningStatusDTO() : OUT of the method
2010-10-15 13:45:54,458 [SAPEngine_Application_Thread[impl:3]_32] DEBUG ProvisioningBO.java@1827:getProvisioningStatusDTO() : OUT of the method
2010-10-15 13:45:54,458 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.ProvisioningBO : autoProvision() :   : listMessagesForSysType,list size=1
2010-10-15 13:45:54,459 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.ProvisioningBO : autoProvision() :   : listMessagesForSysType #0# element:com.virsa.ae.configuration.po.ApplicationLogPO@31cf3f2[userId=GRC_20,emailId=<null>,reqNo=716,system=LS_DI6_300,recDate=10/15/2010,changedBy=AKOLB,logAction=USER CREATE,newValue=GRC_20,description=<null>,error=true,singleMessage=false]
2010-10-15 13:45:54,461 [SAPEngine_Application_Thread[impl:3]_32] DEBUG ProvisioningBO.java@248:autoProvision() : Preparing Provision to SAP ... DONE
2010-10-15 13:45:54,463 [SAPEngine_Application_Thread[impl:3]_32] DEBUG ProvisioningBO.java@277:autoProvision() : OUT of the method
2010-10-15 13:45:54,465 [SAPEngine_Application_Thread[impl:3]_32] WARN   RequestBO.java@5924:autoProvisioningForApprove() : Exception occured during auto provisioning , error messages : [com.virsa.ae.configuration.po.ApplicationLogPO@31cf3f2[userId=GRC_20,emailId=<null>,reqNo=716,system=LS_DI6_300,recDate=10/15/2010,changedBy=AKOLB,logAction=USER CREATE,newValue=GRC_20,description=<null>,error=true,singleMessage=false]]
2010-10-15 13:45:54,469 [SAPEngine_Application_Thread[impl:3]_32] ERROR RequestBO.java@6665:approveRequest() : AutoProvisioning Exception, checking if the escape route is enabled
2010-10-15 13:45:54,478 [SAPEngine_Application_Thread[impl:3]_32] ERROR RequestBO.java@6681:approveRequest() : AutoProvisioning Exception, escape route is enabled, going for the escape route
2010-10-15 13:45:54,490 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.RequestBO : rerouteRequest() : AKOLB : INTO the method with toPathName : , poRequestDetails : com.virsa.ae.accessrequests.po.RequestDetailsPO@70e31b05[requestForOthers=false,userLookupEnabled=false,userIDFieldEnabled=false,userFirstNameFieldEnabled=false,userLastNameFieldEnabled=false,approverLookupEnabled=false,locationFieldEnabled=false,departmentFieldEnabled=false,emailFieldEnabled=false,telephoneFieldEnabled=false,companyFieldEnabled=false,employeeTypeFieldEnabled=false,managerTelephoneFieldEnabled=false,managerEmailFieldEnabled=false,managerNameFieldEnabled=false,requestorTelephoneFieldEnabled=false,requestorEmailFieldEnabled=false,requestorNameFieldEnabled=false,addRole=false,approveReject=,approveRejects=approveRejects,accessChanged=false,fileAttached=false,reqDataApplProvDTOs={com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@46b5291a[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=2,isProvisioned=true,isNew=false,LMD=<null>],com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@1f9d8e3a[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=3,isProvisioned=true,isNew=false,LMD=<null>],com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@20e4920d[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=4,isProvisioned=true,isNew=false,LMD=<null>]},accntValidationmsgs=[],connectionFailedSystems=,userExistSystems=,userNotExistSystems=,comm_method_type=,cstmFldName=,usersPOList=[com.virsa.ae.accessrequests.po.RequestUserPO

Is it possible to limit what fields can CUP update during Auto-provisioning

I have configured CUP to do Auto-provisioning after all the stages have been approved. However, our client requirement is to not to update some fields in user master e.g: User Valid Start date and End Dates. Is it possible to restrict CUP to update only the required fields and not all fields during auto provisioning process?
Can you please let me know if this possible in CUP?
Thanks
Anand

Alpesh,
Currently my User details source is pointing to SAPHR . I have made the valid start date and end date hidden in the request form. However, CUP pulls the info anyway and updates SU01 record during the auto provisioning. I guess hiding the fields may not work.
Please let me know if you have find any solution from your sources.
Thanks
Anand

CUP - Editing Auto Provisioning Email Content

Hi,
I am looking into the possibility of editing the content of the Auto Provisioning email that is automatically sent out after user creation is done. Our policy is to send User ID and Password in separate emails.
Below not provides some insight into editing the initial data XML file AE_init_clean_and_insert_data.
[Note 1253720 - Compliant User Provisioning 5.3-Supressing Password Email|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1253720]
Questions I have:
1) If editing this XML file and re-loading will over-write the workflow configuration, then do I have to manually reconfigure all our workflows again or is there an option to export the workflow configuration and the import it back after re-loading the XML file? Which all existing configuration will be overwritten by reloading this file?
2) If at some point in time we decide to revert back to the standard XML file provided by SAP, then we again fall into the same issue as in the above question. What is best approach?
If anyone has experience in implementing the above note, then can you please provide some insight?
Regards,
Jay

Your workflows wont be effected. If you however wanted to export the workflows you could do so along with intial system configuration under intial system data, roles and connectors.
If you want to export workflows alone, you can only export the initiators.
Regards,
Chinmaya

AC 5.3 SP10 CUP Delaying Auto Provisioning Email

All -
Is it possible to delay the auto provisioning email? If yes, how?
We have a scenario where security needs to perform certain tasks post user account set-up before the user logs on to the system (we don't want to auto provision & lock the user) and want to delay the automatic email sent to the user. Is this possible?
Thanks,
Daniel

Daniel,
Here is the email content:
Your request #_!AUTO_PROVISION_REQNO#_! provisioning has been done. Your account has been created. Your ID is #_!AUTO_PROVISION_ID#_! Your password in each system (Password/System):#_!AUTO_PROVISION_PASSWORD#_!
It is part of cleanandinsert xml file, which comes with the installation. You can search for this and change the email content.
Alpesh

GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

Similar Messages

Maybe you are looking for