GRC AC 10- HR Triggers
Hi,
Please refer to the note number SAP Note 1591291 - GRC 10.0 - HR Trigger configuration for HR Trigger configuration.
The materials are in below like:
https://sapmats-de.sap-ag.de/download/download.cgi?id=5KU0MSXE2SCM78GJU8MM5W3P21VXU8IXYNAYO135V6TDOXKSNI
Regards,
Prasad Chaudhari
Hi,
I remember few configuration tables
1. GRACCONFIG
2. GRACCONFIGSET
3. GRACCONFIGT
I suggest for GRC 10 tables do a search in se16 with GRAC
Hope it helps.
Prasad
Similar Messages
-
Hello Experts,
I have cconfigured HR Triggers for change of position using Procedural call method. Created BRF+ Rule that identifies the condition and returns ACTION-ID. I can see that condition is satisfied when change of Position occurs, but it not following any workflow.
Where do we link the ACTION-ID to a workflow? Do we need to create new initiator with BRF+ Function ID ?
Already followed note 1591291 but did not help.
Thanks and Regards,
Ajesh.
Edited by: Ajesh Raju Pujari on Mar 4, 2012 2:56 PMHi all,
check the transavtion SLG1 run it backend system mention the following
Object: GRAC
Subobject:HRTRIGGER
External ID: *
then mention the dates and make * in remaning fileds for log class select All Logs and Log Creation ANy
Log Source Formatting select the first option then run the report
select the date which Hire actiivity taken place and Double click on it
you will get the log report and the exact error issue
Normally you define the workflow in SPRO as i nthe following the path
SPRO ->GRC -> Access Control -> Maintain mAC Application anf BRF+Fucntion mapping
maintain the workflow name
then you need to map the workflow in the MSMP GOto GRC->AC->workflow for access control -> Maintain MSMP workflow - select the standerd workflow you mentioned then go to the stage Maintain Path and maintain the path mentioned then go to stage Maintain Route Mapping and RUle ID for HR Trigger and PAth ID
hope it you solve -
Hi all,
I am working on GRC HR triggers in CUP. we developed the workflow in SAP GRC. the input is coming from the SAP HR system. i need to put some ABAP coding or settings in SAP HR system to trigger the workflow in GRC system.I dont know what to do in the SAP HR systems. Any pointers on this.
Thanks in advance
Regards,
A.RathinaprakashHi,
checkout https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/b050c6bf-f8f4-2b10-67aa-95573e611ee4 and also the HR Triggers section in The Configuration Guide - see InstGuides.
All How-To guides available in https://wiki.sdn.sap.com/wiki/display/BPX/Governance%2c%2bRisk%2c%2band%2bCompliance%2b(GRC)%2bHow-To%2bGuides
cheers,
Julie -
HR triggers in GRC CUP.. How and when does this work
Dear Experts,
I would really appreciate if some one could shed some light on how HR triggers work in GRC CUP ?
When does this get triggered ?
Is it when the the user master record is saved or when the Info type 105 is linked ? Are there any pre-requisities that should be taken care from the Hr perspective so that I can set the expectations accordignly with HR team ?
P.S I already went through the article " How to configure HR triggers with GRC CUP ?
Thanks
KumarI configured HR trigger rule for infotype 0000 & subtype Z1,field MASSN with value equal to 01 to trigger new hire...i don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
I could see the rule in table /VIRSA/RULEATTR.
Any help would be appreciated.
Thanks,
Srinu -
HR triggers in GRC -not following any workflow
Hi Experts
We have successfully configured HR triggers in GRC system for various scenarios like new Hire ,Position change ,change Name etc . We can see triggers in GRC but here action is not creating request in other words itu2019s not following any workflow .
Here we get following message
1586 CHANGEFNAME E-HR DEV ENVIRONMENT 114 In process The request has been created, waiting for approval.
Request no. : Trigger 1586 (Rule:CHANGEFNAME, Action:CHANGEFNAME) processed on 2/15/2012 12:00 AMResult : The action is not procesed yet.
Any suggestion / help is greatly appreciated . Thanks .
Regards
Aditya
Edited by: Adityatd on Feb 15, 2012 7:57 PMHi Ajesh
Sorry for the delayed response ..
Here I found Note 1641543 helpful considering our SP level and hence we were implementing this note and we got error saying it canu2019t be implemented so I have asked ABAP team to go for manual changes as itu2019s a programing error .. hope this will help us out will keep you posted .
Also our connectors are working fine but I havenu2019t understood what do you mean by connectors listed in HR Trigger --> Actions . Can you please explain .
Thanks
Aditya Thakurdesai -
Dear Experts,
We have configured SAP HR Triggers to terminate the user and the termination date is taken as BEGDA ( Start Date of termination) from PA0000 table.
So whenever user is terminated, the validity of user account is set to (BEGDA date - 1).
Now we want HR triggers NOT to use BEGDA date to set the user account validity but we want to use someother date field say 'XXXXX' from some other standard SAP HR table 'YYYYY'. Is this possible to configure?
I appreciate your help.
Thanks,
SwathiDear Swathi:
Could you please share information related on how did you do that Trigger?
I was looking at GRC 10.0 - HR Trigger configuration guide Reference to SAP Note 1591291
I have created BRF+ and everything needed but i want to know Which is the next step i have to Maintain MSMP For acces request? Do i have to create another initiator rule?
if you could share some information and your decision table to get an idea of how you are doing it.
Also i would like to do the same that you are doing.
I appreciate your help and attention to this.
Best Regards.
Picho -
GRC: Negative ack; PI: End tag 'enviNFe' does not match the start tag 'NFe'
Bom dia SAP Boosters!
Como muita gente estou aqui brigando com o GRC NFe. Esse forum tem resolvido meus problemas, até agora. Por isso inicio um novo tópico pois estou tendo o seguite problema que nao encontrei resposta:
O grc e o pi estao em servidores separados. Do lado do grc, na sxmb_moni mostra para a interface BATCH_nfeRecepcaoLote_OB erro no acknowledgement status. abrindo o item error do ack msg id aparece:
<SAP:Error SOAP:mustUnderstand="" xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SAP:Category>XIAdapter</SAP:Category>
<SAP:Code area="BPE_ADAPTER">NEGATIVE_ACKNOWLEDGEMENT</SAP:Code>
<SAP:P1></SAP:P1>
<SAP:P2></SAP:P2>
<SAP:P3></SAP:P3>
<SAP:P4></SAP:P4>
<SAP:AdditionalText></SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace=""></SAP:ApplicationFaultMessage>
<SAP:Stack>Negative acknowledgment triggered by a process</SAP:Stack>
<SAP:Retry>M</SAP:Retry>
</SAP:Error>
No lado do PI, ao consultar esta interface e abrir o payload do item Request Message Mapping, aparece a mensagem de erro: End tag 'n0:enviNFe' does not match the start tag 'NFe'. e todo o xml fica em uma linha só.
Voltei entao no xml do sender e de fato encontrei a tag NFe, onde deveria constar os dados das notas fiscais, sendo aberta mas nao sendo fechada, e sem dados, desse jeito.
<?xml version="1.0" encoding="utf-8" ?>
- <n0:nfeRecepcaoLote2 xmlns:n0="http://sap.com/xi/NFE/006">
<n0:cUF>35</n0:cUF>
<n0:tpEmis>1</n0:tpEmis>
<n0:tpAmb>2</n0:tpAmb>
- <n0:nfeDadosMsg>
- <n0:enviNFe versao="2.00" xmlns:n0="http://www.portalfiscal.inf.br/nfe">
<n0:idLote>000000000000025</n0:idLote>
<n0:NFe asx:root="" xmlns:asx="http://www.sap.com/abapxml"></n0:NFe>
</n0:enviNFe>
</n0:nfeDadosMsg>
</n0:nfeRecepcaoLote2>
Alguém já viu esse bug? estou com grc 10 e SP 08 e das notas que sairam depois nenhuma fala disso.
Obrigado.Fiz um teste que parou de dar erro de acknowledgement e chegou a enviar o lote para a sefaz, que retornou erro de schema porque o xml continua vazio:
Na interface determination gerada quando criei o cenário NFE_BATCH_WebAS_Outbound_Batch, a que contém a interface BATCH_nfeRecepcaoLote_OB, tirei o operation mapping BATCH_nfeRecepcaoLote2_TO_nfeRecepcaoLote2. Embora não seja mais retornada a mensagem de erro na tag, o payload continua no mesmo formato postado acima. Entao coloquei de volta.
Bem, pesquisando vi que a função que gera o xml é a /XNFE/006_SIGN_NFE_OUT. As notas aparecem como assinadas no monitor do grc, mas vou ter que ver entao como esta ocorrendo a geraçao do xml por esta funçao, certo? -
Error GRC Access Control 10.0
We have a problem when execute the next steps in GRC Access Control 10.0
SPRO-->Governance, Risk and Compliance>Access Control--> Access Risk Analysis--> Batch RisK Analysis
We applied the next note, but problem is the same.
1563583 - SYSTEM_NO_TASK_STORAGE dump on AIX
Category
ABAP Programming Error
Runtime Errors
ASSERTION_FAILED
ABAP Program
CL_GRRM_DASHBOARD_MENU_AUTH===CP
Application Component GRC-RM
Date and Time
13.03.2013 11:50:04
|Short text
|
|
The ASSERT condition was violated.
|
|What happened?
|
|
In the running application program, the ASSERT statement recognized a
|
|
situation that should not have occurred.
|
|
The runtime error was triggered for one of these reasons:
|
|
- For the checkpoint group specified with the ASSERT statement, the
|
|
activation mode is set to "abort".
|
|
- Via a system variant, the activation mode is globally set to "abort"
|
|
for checkpoint groups in this system.
|
|
- The activation mode is set to "abort" on program level.
|
|
- The ASSERT statement is not assigned to any checkpoint group.
|
|What can you do?
|
|
Note down which actions and inputs caused the error.
|
|
|
|
|
|
To process the problem further, contact you SAP system
|
|
administrator.
|
|
|
|
Using Transaction ST22 for ABAP Dump Analysis, you can look
|
|
at and manage termination messages, and you can also
|
|
keep them for a long time.
|
|Error analysis
|
|
The following checkpoint group was used: "No checkpoint group specified"
|
|
|
|
If in the ASSERT statement the addition FIELDS was used, you can find
|
|
the content of the first 8 specified fields in the following overview:
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|
" (not used) "
|
|How to correct the error
|
|
Probably the only way to eliminate the error is to correct the program.
|
|
|
|
|
|
If the error occures in a non-modified SAP program, you may be able to
|
|
find an interim solution in an SAP Note.
|
|
If you have access to SAP Notes, carry out a search with the following
|
|
keywords:
|
|
|
|
"ASSERTION_FAILED" " "
|
|
"CL_GRRM_DASHBOARD_MENU_AUTH===CP" or "CL_GRRM_DASHBOARD_MENU_AUTH===CM001"
|
|
"IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED"
|
|
|
|
If you cannot solve the problem yourself and want to send an error
|
|
notification to SAP, include the following information:
|
|
|
|
1. The description of the current problem (short dump)
|
|
|
|
To save the description, choose "System->List->Save->Local File
|
|
(Unconverted)".
|
|
|
|
2. Corresponding system log
|
|
|
|
Display the system log by calling transaction SM21.
|
|
Restrict the time interval to 10 minutes before and five minutes
|
|
after the short dump. Then choose "System->List->Save->Local File
|
|
(Unconverted)".
|
|
|
|
3. If the problem occurs in a problem of your own or a modified SAP
|
|
program: The source code of the program
|
|
In the editor, choose "Utilities->More
|
|
Utilities->Upload/Download->Download".
|
|
|
|
4. Details about the conditions under which the error occurred or which
|
|
actions and input led to the error.
|
|
|
|
|
|System environment
|
|
SAP Release..... 702
|
|
SAP Basis Level. 0012
|
|
|
|
Application server... "KIO13701"
|
|
Network address...... "172.20.1.137"
|
|
Operating system..... "AIX"
|
|
Release.............. "7.1"
|
|
Hardware type........ "00F6C78E4C00"
|
|
Character length.... 16 Bits
|
|
Pointer length....... 64 Bits
|
|
Work process number.. 10
|
|
Shortdump setting.... "full"
|
|
|
|
Database server... "KIO13701"
|
|
Database type..... "DB6"
|
|
Database name..... "DGR"
|
|
Database user ID.. "SAPDGR"
|
|
|
|
Terminal.......... "192.168.0.5"
|
|
|
|
Char.set.... "C"
|
|
|
|
SAP kernel....... 720
|
|
created (date)... "Jul 8 2012 19:43:01"
|
|
create on........ "AIX 2 5 00092901D600"
|
|
Database version. "DB6_81 "
|
|
|
|
Patch level. 300
|
|
Patch text.. " "
|
|
|
|
Database............. "DB6 08.02.*, DB6 09.*, DB6 10.*"
|
|
SAP database version. 720
|
|
Operating system..... "AIX 2 5, AIX 3 5, AIX 1 6, AIX 1 7"
|
|
|
|
Memory consumption
|
|
Roll.... 0
|
|
EM...... 8379584
|
|
Heap.... 0
|
|
Page.... 16384
|
|
MM Used. 6205712
|
|
MM Free. 2170976
|
|User and Transaction
|
|
Client.............. 100
|
|
User................ "LVELASCO"
|
|
Language key........ "E"
|
|
Transaction......... " "
|
|
Transaction ID...... "51400164B1F00C40E1008000AC140189"
|
|
|
|
EPP Whole Context ID.... "5140015EB1F00C40E1008000AC140189"
|
|
EPP Connection ID....... "5140F9B0B19C1150E1008000AC140189"
|
|
EPP Caller Counter...... 1
|
|
|
|
Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
|
|
Screen.............. "SAPMHTTP 0010"
|
|
Screen Line......... 2
|
|
Debugger Active..... "none"
|
|Server-Side Connection Information
|
|
Information on Caller of "HTTPS" Connection:
|
|
Plug-in Type.......... "HTTPS"
|
|
Caller IP............. "192.168.0.5"
|
|
Caller Port........... 44300
|
|
Universal Resource ID. "/sap/bc/webdynpro/sap/grfn_service_map"
|
|
|
|
Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
|
|
Screen.............. "SAPMHTTP 0010"
|
|
Screen Line......... 2
|
|
|
|
Information on Caller ofr "HTTPS" Connection:
|
|
Plug-in Type.......... "HTTPS"
|
|
Caller IP............. "192.168.0.5"
|
|
Caller Port........... 44300
|
|
Universal Resource Id. "/sap/bc/webdynpro/sap/grfn_service_map"
|
|Information on where terminated
|
|
Termination occurred in the ABAP program "CL_GRRM_DASHBOARD_MENU_AUTH===CP" -
|
|
in "IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED".
|
|
The main program was "SAPMHTTP ".
|
|
|
|
In the source code you have the termination point in line 59
|
|
of the (Include) program "CL_GRRM_DASHBOARD_MENU_AUTH===CM001".
|
|Source Code Extract (Source code has changed)
|
|Line |SourceCde
|
| 29|
lv_dashboard = lv_value.
|
| 30|
|
| 31|
TRANSLATE lv_dashboard TO UPPER CASE.
|
| 32|
|
| 33|
CASE lv_dashboard.
|
| 34|
WHEN 'HEATMAP'.
|
| 35|
lv_report = 'GRRM_HEATMAP'.
|
| 36|
|
| 37|
WHEN 'LOSS_OVERVIEW' OR 'LOSS_STRUCTURE' OR 'OB_LOSS_OVERVIEW' OR 'OB_LOSS_STRUCTU|
| 38|
lv_report = 'GRRM_LOSS_ANALYSIS'.
|
| 39|
|
| 40|
WHEN 'OVERVIEW'.
|
| 41|
lv_report = 'GRRM_OVERVIEW'.
|
| 42|
|
| 43|
WHEN OTHERS.
|
| 44|
ASSERT 1 = 2.
|
| 45|
|
| 46|
ENDCASE.
|
| 47|
|
| 48|
EXIT.
|
| 49|
|
| 50|
ENDLOOP.
|
| 51|
|
| 52|
WHEN 'GRRM_LOSS_MATRIX' OR 'GRRM_LOSS_MATRIX_NEW'.
|
| 53|
lv_report = 'GRRM_LOSS_ANALYSIS'.
|
| 54|
|
| 55|
WHEN 'GRRM_HEATMAP_REPORT'.
|
| 56|
lv_report = 'GRRM_HEATMAP'.
|
| 57|
|
| 58|
WHEN OTHERS.
|
|>>>>>|
ASSERT 1 = 2.
|
| 60|
|
| 61| ENDCASE.
|
| 62|
|
| 63| TRY.
|
| 64|
lv_regulation_id = cl_grfn_api_regulation=>if_grfn_api_regulation~get_regulation_id( i|
| 65|
|
| 66|
ev_authorized = cl_grfn_util_rep_auth=>has_rep_auth(
|
| 67|
io_session
= io_session
|
| 68|
iv_regulation_id = lv_regulation_id
|
| 69|
iv_report
= lv_report
|
| 70|
iv_activity
= grfn0_c_activity-print
|
| 71|
|
| 72|
|
| 73|
CATCH cx_grfn_exception.
|
| 74|
ev_authorized = abap_false.
|
| 75|
|
| 76| ENDTRY.
|
| 77|
|
| 78|ENDMETHOD.
|
|Contents of system fields
|
|Name
|Val.
|
|SY-SUBRC|4
|
|SY-INDEX|2
|
|SY-TABIX|1
|
|SY-DBCNT|1
|
|SY-FDPOS|0
|
|SY-LSIND|0
|
|SY-PAGNO|0
|
|SY-LINNO|1
|
|SY-COLNO|1
|
|SY-PFKEY|
|
|SY-UCOMM|
|
|SY-TITLE|HTTP Control
|
|SY-MSGTY|
|
|SY-MSGID|
|
|SY-MSGNO|000
|
|SY-MSGV1|
|
|SY-MSGV2|
|
|SY-MSGV3|
|
|SY-MSGV4|
|
|SY-MODNO|0
|
|SY-DATUM|20130313
|
|SY-UZEIT|115004
|
|SY-XPROG|SAPCNVE
|
|SY-XFORM|CONVERSION_EXIT
|
|Active Calls/Events
|
|No. Ty.
Program
Include
Line |
|
Name
|
| 34 METHOD
CL_GRRM_DASHBOARD_MENU_AUTH===CP
CL_GRRM_DASHBOARD_MENU_AUTH===CM001
59 |
|
CL_GRRM_DASHBOARD_MENU_AUTH=>IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED
|
| 33 METHOD
CL_GRFN_API_MENU_ITEM_ELA=====CP
CL_GRFN_API_MENU_ITEM_ELA=====CM001 126 |
|
CL_GRFN_API_MENU_ITEM_ELA=>IF_GRFN_MENU_AUTH~ITEM_AUTH
|
| 32 METHOD
CL_GRFN_API_MENU==============CP
CL_GRFN_API_MENU==============CM003
34 |
|
CL_GRFN_API_MENU=>IF_GRFN_MENU_AUTH~ITEM_AUTH
|
| 31 METHOD
CL_GRFN_LAUNCHPAD_UIBB========CP
CL_GRFN_LAUNCHPAD_UIBB========CM006
60 |
|
CL_GRFN_LAUNCHPAD_UIBB=>IF_FPM_GUIBB_LAUNCHPAD~MODIFY
|
| 30 METHOD
CL_FPM_LAUNCHPAD_UIBB_ASSIST==CP
CL_FPM_LAUNCHPAD_UIBB_ASSIST==CM001
76 |
|
CL_FPM_LAUNCHPAD_UIBB_ASSIST=>INIT_FEEDER
|
| 29 METHOD
/1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP
/1BCWDY/B_T2POSBAR6C8HPR0XTR4P
410 |
|
CL_COMPONENTCONTROLLER_CTR=>WDDOINIT
|
|
Web Dynpro Component
FPM_LAUNCHPAD_UIBB
|
|
Controller
COMPONENTCONTROLLER
|
| 28 METHOD
/1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP
/1BCWDY/B_T2POSBAR6C8HPR0XTR4P
181 |
|
CLF_COMPONENTCONTROLLER_CTR=>IF_WDR_COMPONENT_DELEGATE~WD_DO_INIT
|
|
Web Dynpro Component
FPM_LAUNCHPAD_UIBB
|
|
Controller
COMPONENTCONTROLLER
|
| 27 METHOD
CL_WDR_DELEGATING_COMPONENT===CP
CL_WDR_DELEGATING_COMPONENT===CM004
9 |
|
CL_WDR_DELEGATING_COMPONENT=>DO_INIT
|
| 26 METHOD
CL_WDR_CONTROLLER=============CP
CL_WDR_CONTROLLER=============CM00V
3 |
|
CL_WDR_CONTROLLER=>INIT_CONTROLLER
|
| 25 METHOD
CL_WDR_COMPONENT==============CP
CL_WDR_COMPONENT==============CM019
24 |
|
CL_WDR_COMPONENT=>INIT_CONTROLLER
|
| 24 METHOD
CL_WDR_CONTROLLER=============CP
CL_WDR_CONTROLLER=============CM002
7 |
|
CL_WDR_CONTROLLER=>INIT
|
| 23 METHOD
CL_WDR_CLIENT_COMPONENT=======CP
CL_WDR_CLIENT_COMPONENT=======CM00E
24 |
|
CL_WDR_CLIENT_COMPONENT=>INIT
|
| 22 METHOD
CL_WDR_CLIENT_COMPONENT=======CP
CL_WDR_CLIENT_COMPONENT=======CM00A
42 |
|
CL_WDR_CLIENT_COMPONENT=>IF_WDR_COMPONENT_FACTORY~CREATE_COMPONENT
|
| 21 METHOD
CL_WDR_COMPONENT_USAGE========CP
CL_WDR_COMPONENT_USAGE========CM009
67 |
|
CL_WDR_COMPONENT_USAGE=>IF_WD_COMPONENT_USAGE~CREATE_COMPONENT
|
| 20 METHOD
CL_FPM_COMPONENT_MANAGER======CP
CL_FPM_COMPONENT_MANAGER======CM003
81 |
|
CL_FPM_COMPONENT_MANAGER=>ADD_COMPONENT
|
| 19 METHOD
CL_FPM_COMPONENT_MANAGER======CP
CL_FPM_COMPONENT_MANAGER======CM004
19 |
|
CL_FPM_COMPONENT_MANAGER=>ATTACH_COMPONENT_TO_USAGE
|
| 18 METHOD
CL_FPM========================CP
CL_FPM========================CM005
89 |
|
CL_FPM=>PROCESS_EVENT
|
| 17 METHOD
CL_FPM========================CP
CL_FPM========================CM00C
34 |
|
CL_FPM=>RUN_EVENT_LOOP
|
| 16 METHOD
CL_FPM========================CP
CL_FPM========================CM002
5 |
|
CL_FPM=>IF_FPM~RAISE_EVENT
|
| 15 METHOD
CL_FPM========================CP
CL_FPM========================CM003
11 |
|Hi Alberto,
The below Notes should resolve!
1428775
1744179
Hope this helps,
Luciana -
GRC 10.0 - Transport Connector Relevant Settings
Hi Gurus,
Many of you have already completetd GRC 10.0 implementaion. One of the Key advantage of GRC 10.0 stated as "Changes can be transported".
While carrying out configuration settings under nodes SPRO -->GRC --> Common Component Settings --> Integration Framework and other Subsequent nodes in Access Control, we find many steps involve Connector, Connector Mappings, Actions related Settings which are connector dependent.
Further, there are relevant sub-nodes viz. User Defaults, User data sources, HR Triggers etc., which involve connector values as part of configuration steps.
We have created Back end test / Development related connectors and carried out the relevant configuration settings. We find that all these settings are getting collected in the transport request.
Once we move this transport request to GRC QAS / Production landscape all the back-end Test / Development /QAS related connector settings will also move. Further this will also call for defining back-end Production systems related Connector Settings in GRC Development System itself.
Looking forward for inputs with respect best practices for managing the GRC 10.0 config / workflow related transports across Dev / QAS / landscape.
Regards
HemantHi Hemant
SAP has made a lot of the transport functionality in GRC10. I find that they hereby created a huge expectation with the customer, that in fact is not true.
For instance Exclusion Objects and Mitigation Controls are NOT transported. What about Organizations? Critical Roles and Profiles are also not transportable.
As for the Connectors - system specific parameters are transported. Therefore you end up having to delete the DEV and QA connectors in the PRD GRC system.
On this question, has anyone used CLM yet? It seems that only Functions and Risks will be extracted to CLM and then deployed in the other system (DEV to QA for example). Does CLM even work?
SAP provide not guidance on all of these important issues. I agree that it is about time that SAP takes some leadership and produce a proper best practise guide for this software. By the way, an offical sizing document from SAP is still to be delivered.
Thanks
Will -
HR Trigger request with a approval workflow in GRC AC 10.0
Hi Friends,
Is it possible that a HR triggered user creation request in GRC follow a stage approval based workflow ? Something like MSMP workflow ? Or can we route the HR triggered requests to MSMP worflows someway ? if yes, please help me with the details of the same.
Thanks in advance for your guidanceHi Prashant,
Refer : Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki
Also search on GRC community there is lot of material available.
BR,
Mangesh -
GRC AC 5.3 Detour not working as expected in workflow
Hi GRC Experts!
I would greatly appreciate your help with the problem we're currently facing; we have configured 2 CUP workflows; one for handling requests with SoD violations (Workflow B) and one to handle ones without any SoD violations (Workflow C), with the former handling risk analysis followed by role approval, and the latter handling only role approval; we have one path with one stage configured as "No Stage" (Workflow A); this path is used to decide which of the primary workflows to use (i.e. SoD violations or no SoD violations) using two detours; we have one detour configured to use Workflow B if any SoD violations are found in the request and another detour configured to use Workflow C if no SoD violations are found.
Currently what happens in our tests is that requests without risks / SoD violations work fine and actually get detoured to Workflow C, awaiting role approval from the right approver ; while requests with inherent risks / SoD violations unforutnately get automatically approved and provisioned rather than being sent to Workflow B
Any clues as to why this could be happening? We've checked if there are any settings that might be triggering it to automatically approve requests despite any risks, but can't find anything of the sort; Would be very grateful for any insight / advice on the issue.
Thanks a lot in advance!
Best regards,
SandeepHi Diego!
Once again; thank you for your quick reply!
I did recheck the auto-provisioning issue and I can confirm that it is definitely set to "No Auto-provisioning" and it hasn't been changed recently. The strange thing is that the detour works for NO SoD violations, but doesn't work for SoD violations; find below the audit trail for detour working:
Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04
Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999
Request submitted for approval by admin(system) on 01/28/2012 02:04
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04
Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999
Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04
Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
and find below the audit trail for the detour not working:
Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53
Z_222222-ECC Role Added with validity dates 01/28/2012-12/31/9999
Request submitted for approval by admin(system) on 01/28/2012 01:53
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53
Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53
I even checked the CUA System section, and the "By system" tab and it was empty; there were no specific system configurations.
And to answer your questions:
Since Workflow A is the path with the Initiator, the detour flag is deactivated and the active flag is activated.
WF B & C have both the active and detour flags activated.
Thanks a lot again for your quick responses and all the help you've provided so far!
Best regards,
Sandeep -
How to transport a permission deletion in GRC AC 10
I am trying to modify our rule set and need to transport a permission/action deletion. I have spent hours searching for an answer to this today and this is my last hope.
When I transport the ruleset after making the deletion, it doesn't leave the rule set in our QA system.
I did find something on the SAP Idea Place that the current workaround is to change the request and ensure that you replace all of the entries on GRACFUNCACT and GRACFUNCPRM to 1 entry = "cliento" + "*".
I've opened my transport to make the changes, but I want to make sure I'm doing it correctly.
Can anyone elaborate on this? Any help is greatly appreciated.Hi Prashant,
Refer : Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki
Also search on GRC community there is lot of material available.
BR,
Mangesh -
Is Compliance Calibrator the same as GRC Access Control?
I have been asked to look at<b> Compliance Calibrator </b>and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a Document called "<b>SAP GRC Access Control</b>" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles" eg:
"SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts automatically."
None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called <b>Access Enforcer</b> but have no info on this... can anyone enlighten me?SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.
-
HR Trigger in GRC 10 with interface to change 0105 data
Hi Friends,
Has someone had experience of enabling HR trigger with core ECC system built on ECC6.0 and HR system built on seperate ECC5.0 system ?
Also client has email ids of the employees maintained in 0105 field of HR database instead of user ids.
Is it feasbile to extract the text before '@' from that email id and treat it as user id for remaining processing ?
Please provide your views on the same.Hi Prashant,
I have an experience with HR Triggers built on a separate system. The problems are:
1. If you want to provisioning in the ECC server, you need to assign an ECC role to a position in HR server.
2. If you want to provisioning in ECC and HR server, you need to:
a) Assign an ECC role and HR role to HR position
b) Put those system in GRC customization.
When HR department made a modification, GRC generated a request with the two roles (corresponding to a position) in the two systems. I do not remember if in the request all 2 roles are shown for each system (even if does not exist in one system).
For your second question, GRC capture ok the email stored in infotype 0105 subtype 0010 and the user ID is capture from infotype 0105 subtype 0001.
Regards, -
GRC BO AC 10.0 Risk Analisys & Role management from SRM
Hi Gurus,
Anyone know if GRC AC 10.0 can analyze and manage (create/modify) the SAP SRM (Portal Based) Role and User?
Thank you,
LuigiHi Vishal,
The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
The parameter descriptions in question are:
1085 - Stop Role Generation if violations exist
3011 - Conduct Risk Analysis before Role Generation
3014 - Allow role generation with Permission Level violations
Regards, Simon
Maybe you are looking for
-
How can I create a new Tag in Finder?
Can somebody explain how to create a new Tag in Finder? Thank you very much
-
Agent's Commission calculation in pricing procedure only for NEW Saleorders
Hi Guys, In a pricing procedure, .the base for agent commission was calculated on cost + markup price and freight and this base for commision + commision + insurance gave the base price.But now client wants to calculate commision from cost + mark up
-
new to web start downloaded examples ant in webpad directory copied webpad.war to tomcat/webapps restarted tomcat tomcat-log contains the following error ================= 2003-11-21 05:53:18 WebappLoader[webpad]: Deploy JAR /WEB-INF/lib/xalan.jar to
-
Can I use US keyboard as Japanese (jis) keyboard?
Hi, I'm new to these forums, and I speak and do business in Japanese. Because of this, I need Japanese input on my MacBook, and I am familiar with the Kotoeri setup in Mac OS X and use it often. However, after living in Japan for several years with a
-
IPhoto 08 not updating videos deleted from iMovie 08
Been an iPhoto user for years. During that time I've accumulated hundreds of short video clips taken in the movie mode of my various still cameras. Good stuff but it's always been hard to look at them, until now. iMovie 08 makes it very simple but I'