GRC AC 10 ERM Configuration

Similar Messages

• ERM Configuration error "UNHANDLED ERROR N/A"

  Hi Experts ,
  We are doing ERM configuration in our ECC system .
  while configuration we are receiving "UNHANDLED ERROR N/A" error.
  we contacted SAP and received the reply to run SU25 first as ECC system was recently upgraded but SU25 was not executed.
  As  of now our ECC system is working fine without SU25 run as during and after upgrade we have resolved the errors using testing results and one of the tool.
  Now we have suggestions to run SU25 w/o bringing any new objects/tcodes  or any changes to any of the profiles and roles.
  Please suggest if it is possible to run Su25 w/o effecting existing security and how. we are planning to test it in one of our sandbox first.
  Thank You
  Ritu

  Now we have suggestions to run SU25 w/o bringing any new objects/tcodes  or any changes to any of the profiles and roles.
  Why did you upgrade then? If you do not care about SU24 and have manual authorizations then you should not care about running SU25 either?
  The main pest here is that the GRC "permissions" level data is based only on the proposals of SU24. This is actually a very stupid design as it forces you to maintain proposals with values simply so that you can report on them, but then your roles look like a dog's breakfast.
  Actually, if you could maintain all transactions contexts for all their capabilities as proposals as well, then at the end you will have achieved the same as if you had re-written the whole of the system code because you will have seen it all. And all roles with standard authorizations will be equivalent to SAP_ALL as well.
  If you are using menus and proposals, then perform the upgrade tasks propoerly and raise customer messages to complain about the proposals which GRC type tools have convinced SAP to maintain excessively in SU24 and those which they did not maintain at all because they are not on some SOD radar (but are still a big security problem).
  That is enough rant now...   --> Do you have a sandbox copy or know the exact release and SP level?
  This is just a table entry from which the exception is raised, which is also transported in step 3. You should shame yourself, but you could simply transport it instead of upgrading.
  Cheers,
  Julius

• GRC AC 10 (RAR/CUP/ERM) configuration for EP system

  Hello Gurus,
  We are aware of configuring RAR/CUP/ERM in GRC AC 10 for ERP system(back-end)
  Are there any documents /links to provide information on configuring the above components for EP system ??
  Or rather specific which of the following configuration is possible for EP system ?? CUP /RAR/ ERM ??
  Also going further , is there any way in which we can configure the same for BO system ??
  I am not quite sure if there is any PLUG-In as such which is available for BO system or not .
  But in my opinion there is no need to perform configuration for BOBJ system as the roles in them are imported from Backend system (ERP/BI etc) , hence if these roles are already taken care during ERP system cleanup and SOD analysis , there should be no need to configure seperately RAR/ERM/CUP.
  Please provide your comments.
  Regards,
  Victor

  Hello Prasad,
  Thank You for your quick response .. the info was quite helpful.
  Will you please put some light on aspects of integrating AC 10 with BO ??
  Is there any connecter available for it?? Which scenarios are possible ??
  Humbly Requesting your help.
  Thanks in advance.
  Regards,
  Victor

• GRC - AC - RAR - DataMart Configuration

  Hi,
  we are on GRC AC SP 10, ORACLE 10.2.0.2.0 Full sync and RA are done.
  We have created drivers (classes12.jar) and datasource (GRC) on Visual administrator (based on SDN DataMart configuration guide).
  In Visual Adminsitrator -> JDBC Connector -> MyNewDatasource (GRC) -> JDBC 1.x Compliant, we have inserted this information:
  Driver Calss: oracle.jdbc.OracleDriver
  DataBase URL: jdbc:oracle:thin:@192.168.0.125:1521:GRC
  When try to start application an exception arising:
  Caused by: java.sql.SQLException: Io exception: The Network Adapter could not establish the connection
  It's correct Driver Class and DataBase URL syntax?
  Many thanks.
  Massimo

  Daniela Bork wrote:
  Hi Jay,
  >
  > activating the BC set does not fill any default parameters for any of the tools.
  > You will need to add them into the list manually.
  >
  OK. I'll put them manually or see if I should go with the default ones.
  Daniela Bork wrote:
  > For your second issue, we have the same effect: Two new invalid parameters 2021 and 2022 are listed with value 009 which have not been there within SP05 and definitely not added manually. Also a complete empty line.
  > I think this will be a bug/issue with SP06.
  > Did you report this to SAP?
  >
  I'm glad that I'm not alone. Yes, I have reported to SAP and expect them to reply by tom.
  @Anyone, I am working in the implementation and configuration of GRC AC and would like to share some configuration related issues. Would be glad if someone who has worked on GRC (esp ERM), drop me a mail frm my business card (click my name).
  Thanks,
  Jay

• Important GRC AC 5.3 Configurations

  Hello,
  Can anyone provide me, with answers to the following 11 queries.
  1- The list of the day-to-day activities of a SAP GRC AC 5.3 Consultant.
  2- What are the most important mandatory configurations in SAP GRC AC 5.3?
  3- Important parameters for extracting data, into SAP GRC Suite (RAR, CUP, SPM, ERM), from SAP and Non-SAP Applications.
  4- Performance Tuning Parameters for SAP GRC AC 5.3 Suite
  5- Steps/ parameters for export/import utility
  6- System monitoring steps for SAP GRC System.
  7- List of important GRC AC Background Jobs.
  8- Different types of workflows in GRC etc and their usage?
  8- How to configure workflows in GRC?.
  10- SAP GRC AC 5.3 Integration with IDENTITY Management etc?
  11- AC 5.3 Integration with PC (process control)?
  Thanks in advance!

  Hello,
  In the URL mentioned, https://wiki.sdn.sap.com/wiki/display/BPX/Governance,%20Risk,%20and%20Compliance%20(GRC)%20How-To%20Guides,
  I am unable to open the guide "How-to Integrate Access Control 5.3 and Business Warehouse 7.0". I am getting the following error
  An error occurred while processing your request.
  Reference #30.5a4fe3c.1248181333.380356
  1- Can you please provide me the correct URL for the guide "How-to Integrate Access Control 5.3 and Business Warehouse 7.0".
  2- Also can anyone provide the guide "How-to Integrate Access Control 5.3 and ECC 6.0".
  THANKS!

• GRC UAR without ERM

  Hi Gurus,
       In my client we are planning to go for UAR. Currently we are using CUP, RAR and SPM. We are not using ERM. In this case is it possible to go for UAR without ERM. Is it possible to implement UAR only for CUP. Please clarify us.
  Info:
  SAP GRC 5.3
  SP11
  Imp: CUP, RAR and ERM.
  Thanks and Regards,
  Vasa

  Hello Vasa,
  CUP requires ERM only to capture the Role Usage Data and nothing else for functionality of UAR. All other data is gathered either from RAR or from within CUP itself. You do not need to use ERM completely but you do need to set it up with minimum settings to make it work. You need to configure basic attributes, Landscape, Connectors & run the role usage synchronization job.
  Regards, Varun

• GRC AC DATA MART CONFIGURATION

  Hi All,
  We are on GRC AC 5.3 SP 11. The customer wants to use the Data Mart functionality with crystal report 2008 for custom reporting purpose. In my knowledge this functionality is available in AC since SP 9. But don't know the exact procedure to go ahead and configure the same. Though I have gone through couple of documents available on SDN on this, no document is Step by step.Can anyone please suggest me any detailed configuration guide available in SMP/SDN or on web.
  Thanks in Advance.
  Best Regards,
  Guru

  Hi Gangadhar,
  I have already gone through the AC config guide and the notes mentioned by you and some other available docs also. But nowhere it is detailed and step by step. Is there any detailed document or step-by-step on the same. Because in the config guide it has been given the steps need to be performed in the GRC AC side. To view the custom report in Crystal Reports 2008, what configurations need to be done there is no such details. However I have got some other docs like, 'SAP BUSINESSOBJECTS ACCESS CONTROL 5.3 SP09 DATA MART u2013 SAMPLE REPORTS', from SDN where it has been given the frontend configurations. But I am confused where to start and how to get the custom reports after doing the necessary configurations. Any idea on the same.
  Thanks,
  Guru

• GRC AC CUP LDAP configuration

  Dear team,
  I am facing issues with one of my LDAP connections. Users beloning to one particular LDAP are not able to login to the self-provisioning link on CUP. The system log returns 'nulpointer' exception, which generally comes on incorrect  logon credentials.
  I have checked the user in the connector. It exists and is working well.
  The only point is this LDAP is my 6th. How do I make this working?

  Assuming  User Data Source is pointing to LDAP;
  Please  check the  Connector User[Configuration Tab-> Available Connectors->select the LDAP Connector]  between the LDAP and GRC AC CUP is locked .Unlock It and save .
  Then check is TEST CONNECTION is successful.
  Regards
  Ajit.

• GRC AC v10 NWBC: Configure LaunchPad for Menus

  I would like to add a new menu Launchpad, but am having trouble getting it to appear in NWBC.
  I followed the instructions at: http://scn.sap.com/community/grc/blog/2014/01/31/configure-launchpad-for-menus
  However, it still does not appear.
  Any help would be appreciated.
  thanks,
  -john

  Dear John,
  did you authorize the end user for the application? If the user is missing authorization the work center is not applicable in the screen. Hence the user cannot see it.
  Regards,
  Alessandro

• GRC AC 10 CUA Configuration for Data Sources

  When using CUA as the search data source in GRC AC 10.0 the search is not working. If I change the data source to my ECC system it works fine. Also trying to use CUA as the first sequence in the Details sources, but it does not work either. Also noticed that the details sources only seems to recognize one sequence when multiple sequences are setup. Has anyone come across this as a problem?

  Hi all,
  I agree with Patrick, I received the answer from SAP, that once a user is found in a detail data source, GRC will take all data from this data source and not continue looking in the following details systems.
  Eg. USER1 is existing in CUA and HR, it will find the user in the CUA system, take email, phone no etc from CUA but will not continue looking for e.g. the missing personnel no data in HR.
  USER2 is existing in HR only but not in CUA - GRC will take the detail data from HR only.
  Did you try these scenarios?
  Regards
  Daniela

• Migration of GRC AC 5.2 configurations into GRC AC 5.3

  Hello,
  I already have GRC AC 5.2 on 1 system. We have GRC AC 5.3 installed on a seperate system.
  We would like to download/ upload all the rules, functions, risks, mitigations etc from old GRC AC 5.2 to new GRC AC 5.3 system.
  My query is.
  What would be the best approach among the below 3 options.
  Option 1- Download rules, functions, risks, mitigations from old GRC AC 5.2 and upload them to new GRC AC 5.3 system. (I assume it will append)
  Option 2- Export rules, functions, risks, mitigations from old GRC AC 5.2 and Import them to new GRC AC 5.3 system. (I assume it is overwrite)
  Option 3- Install GRC AC 5.3 System and upload 5.3 ruleset, functions, risks and mitigations and then download 5.2 rules, risks, mitigations, and upload them in 5.3?
  Thanks for your valuable inputs in advance.
  Thanks,
  Haleem

  Haleem,
    Here is my respone:
  Option 1: This is not even an option. There is no way you can download and upload the files with append option. Append option requires files in totally different format.
  Option 2: This may or may not work. I have never done it.
  Option 3: This is your best bet.
  Alpesh

• GRC 5.3 | ERM | Synch ERM - Back-End

  Hi Experts,
  suppose a role is generated in the back-end over ERM, it hence exists in both.
  If changes are made to the authorizations (e.g. deletion of a tcode, changed field value, ...) in the back-end, how can these then be synchronized automatically in ERM?
  Is this done by the background job "Trans/Obj/Fld Sync"? Or does this job only synch the back-end with changes in ERM?
  Much appreciated!
  Kraell

  Kraell,
     It will be better to maintain roles from only one place so if the role is generated by ERM then you should stick with ERM to modify the role. If you still want to use PFCG then there is a way to open PFCG via ERM. Use this option so you can get best of both worlds.
  If you already used PFCG to modify a role then only way to sync is to download the role from SAP backend system and upload it into ERM. I hope SAP simplifies this process and makes it just one click sync the way CUP has.
  Regards,
  Alpesh

• GRC 5.3 | ERM | Disabled Role Comparison Field

  When executing a role comparison in ERM, the only way to select the role is to use the magnifier next to the field, search and select the role. As we have thousands of roles, this is not userfriendly.
  Is is possible to enable the field for role name in the role comparison "section" so that can be searched on roles using wildcards.
  Thx.

  Hello Kraell 
  Considering that this feature is not available as of now but if you still have dire need for the same, you may contact SAP if they can treat this as an enhancement request (for which you might be charged a bit) and deliver this feature to you.
  Regards,
  Hersh.
  http://www.linkedin.com/in/hersh13

• GRC 5.3 | ERM | Best Practise Role Transport

  Hi Experts,
  can someone tell me the best practise to transport roles from DEV to PRD using ERM?
  Thx!

  Hi All,
  As Alpesh mentioned this is possible but not recommended and he is right.
  But it is an work arround and which is very long process.
  1) Search the role in ERM
  2) Select the role and click on copy button
  3) In Copy Role screen you can see original From Role(eg, Z:TEST) and From Landscape(eg. QA system)
  4) And you can see To role and To Landscape. Here you have to choose your production system.
     Along with this you can tick:Detailed Description,Functional Area,Approvers,Custom Attributes,  
     Attachments and Authorizations.
  Then click on copy button. Your role will be saved with your prod server name and you have to do the whole process of role generation for this role.
  Thanks,
  Sudip

• GRC 10 BRM Workflow configuration issue

  Hello all,
  Can you suggest me, how can i set a proper workflow for BRM, without using BRF+, so that I can create a role, which should go the the approver stage for approval.
  I used MSMP Default workflow but did not use the "BRF".
  Now i have stuck at a point where I have created a New role request but I am not able to see approve button when i login using approver ID.
  I have maintained WF-Batch ID as system user and provided SAP_ALL to it.
  Please suggest if i have made a mistake some where
  Edited by: security Sapsecuirty on Mar 3, 2012 4:33 PM

  Hi,
  Please check if you have checked the Approve/Reject buttons in the Path definition of MSMP - Modify task settings. As a standard they will be unchecked.
  We also faced the problem. Once they are checked in Modify task settings - approve button appeared for the approver.
  Best Regards,
  Srihari.K