GRC AC 10 - Reassign FF ID Owner to FF IDs Assigned to Users

Hello
We need to reassign the FF ID Owner for a set of FF IDs that are already assigned to users. Is there a way to do this in mass? The only way I currently know how to do it is to either remove the assignment from all users, change the owner then reassign to users or to go into each individual FF ID user assignment and update the owner within there. We have quite a few updates to make and would like to save time if possible.

Hi Stacey
Reassign functionality has been introduced in GRC 10.1 EAM.
You can reassign the owner/controller/users already assigned to any number of FFIDs.
Kindly refer to the detailed document
GRC10.1 How Reassign functionality works in Emergency Access Management in GRC
Let me know if any questions.
Regards
Sachin Awasthi

Similar Messages

  • How to restrict a schema owner from granting privileges to other users.

    How can we restrict a schema owner from granting privileges to other users on his objects (e.g. tables)? Let's say we have a user called XYZ and he has tables in his schema TAB1, TAB2 and TAB3. How can we restrict user XYZ from granting privileges on TAB1, TAB2 and TAB3 to other users in the database? Is it possible in Oracle 10g R2? Any indirect or direct way to achieve this? Please help on this.
    Thanks,
    Manohar

    Whenever someone is trying to prevent an object owner from doing something, that's generally a sign of a deeper problem. In a production database, the object owner shouldn't generally have CREATE SESSION privileges, so the user shouldn't be able to log in, which would prevent the user from issuing any grants.
    As a general rule, you cannot stop an object owner from granting privileges on the objects it owns. You can work around this by creating a database-level DDL trigger that throws an exception if the user issuing the statement is XYZ and the DDL is a GRANT. But long term, you probably want to get to the root of the problem.
    Justin
    Edited by: Justin Cave on Nov 6, 2008 9:52 PM
    Enrique beat me to it.
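
    The database-level DDL trigger described in the answer above could look like this. It is an added example, not code from the thread: the trigger, procedure and table names and the error number are assumptions, and the account that creates it (a dedicated security schema, not XYZ) needs the ADMINISTER DATABASE TRIGGER privilege.

    ```sql
    -- Added example (not from the thread). Object names are hypothetical;
    -- run as a dedicated security/DBA account, never as XYZ itself.

    -- Record of blocked attempts, so the workaround also gives you detection.
    CREATE TABLE blocked_grant_log (
      attempted_at  TIMESTAMP DEFAULT SYSTIMESTAMP,
      login_user    VARCHAR2(128),
      object_owner  VARCHAR2(128),
      object_name   VARCHAR2(128),
      object_type   VARCHAR2(128)
    );

    -- Autonomous transaction: the log row is committed on its own, so it
    -- survives even though the GRANT statement itself fails.
    CREATE OR REPLACE PROCEDURE log_blocked_grant (
      p_user  IN VARCHAR2,
      p_owner IN VARCHAR2,
      p_name  IN VARCHAR2,
      p_type  IN VARCHAR2
    ) AS
      PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
      INSERT INTO blocked_grant_log (login_user, object_owner, object_name, object_type)
      VALUES (p_user, p_owner, p_name, p_type);
      COMMIT;
    END;
    /

    -- Fires before every GRANT in the database. Only object grants issued
    -- by XYZ on XYZ's own objects are rejected; system-privilege grants have
    -- no object owner and fall through the condition.
    CREATE OR REPLACE TRIGGER block_xyz_grants
    BEFORE GRANT ON DATABASE
    BEGIN
      IF ora_login_user = 'XYZ' AND ora_dict_obj_owner = 'XYZ' THEN
        log_blocked_grant(ora_login_user, ora_dict_obj_owner,
                          ora_dict_obj_name, ora_dict_obj_type);
        RAISE_APPLICATION_ERROR(
          -20001,
          'GRANT on ' || ora_dict_obj_owner || '.' || ora_dict_obj_name ||
          ' is not permitted for ' || ora_login_user);
      END IF;
    END;
    /
    ```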

  • Find an iPhone 5 in the club and I want you to help me find the owner and return it to the user. It's been erased and there is no SIM card in it. When I try to configure it, it says I should enter an Apple and a password.

    Find an iPhone 5 in the club and I want you to help me find the owner and return it to the user.
    It's been erased and there is no SIM card in it. When I try to configure it, it says I should enter an Apple
    and a password.

    Since it was erased and has no SIM card, the owner probably got rid of it for some reason.

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    GRC 5.3 request is able to close and provisioned as it can see owners from child role.
    Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • How to reassign a budget type which has been assigned

    Hi,
    I wanted to know how to reassign the budget type assigned for posting period ending 30.09.2008.
    I want to change the key figure assigned to the budget type, so I am trying to delete the budget type for that purpose.
    I cannot delete the key figure for the budget type unless I can delete the budget type.

    I can use delegateTask() if the context belongs to the person who acquired the task but I want to delegate a task to different person even if it is not me who acquired the task.
    My second question is when should I set Assignees for a task? Is it when a person acquires a task for the first time, or do I need to specify it in some configuration file, so that every newly created task will have a set of assignees by default?
    Thanks,
    Mythili.

  • How to find user's owner or who has created the user?

    Hi all,
    I want to find out the owner of a user, or who has created the users.
    Example:
    system has created test user.
    test has created xyz user.
    So I want to find out who has created xyz.
    Thanks in Advance,
    Sandeep.

    Read below thread:
    Re: is there a way to find out who created a user account?
    But if you have enabled auditing then it's one easy option.
    Regards
    Girish Sharma

  • GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

    Hello Gurus,
    We have done configuration of GRC AC 10, and uploaded files via
    SoD rules -->Upload Rules
    After that we generated SoD rules for Risk Id : B001 and B002
    Now when we go to NWBC > Reports & Analytics > Access Dashboards > Access Rule Library
    The report shows (for Group Rule level : Action)
    Number of Active rules : 0
    Number of Disabled Rules : 0
    Number of Functions :  151
    Whereas for Group Rule level : Action Risk
    The report shows
    Number of Active Risk : 42
    Disabled risk : 161
    Nmr. of functions : 151 .
    When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
    Note: All the background jobs have run successfully.
    Also the SoD files also have been uploaded successfully.
    Will you please guide how I can activate the "rules" for the uploaded risk?
    regards,
    Victor

    Hello Victor/ Inder,
    For Risk ID B001, functions are BS02 and BS11. If you open any one of them you can see the system maintained as SAP BASIS, which is SAP_BAS_LG (logical connector group).
    Post installation you can check in SPRO > Governance, Risk and Compliance > common Component > integration framework > maintain connector and connector types > select SAP and click Define connector Group.
    BUSINESS     Business Roles     SAP
    SAP_BAS_LG     SAP Basis     SAP
    SAP_CRM_LG     SAP CRM     SAP
    SAP_ECC_LG     SAP ECCS     SAP
    SAP_HR_LG     SAP HR     SAP
    SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
    SAP_R3_LG     SAP R3     SAP
    SAP_SRM_LG     SAP SRM     SAP
    (If not present then manually you can create the same)
    Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain your connector.
    Post this activity, regenerate SOD for B001 and then check for user level and role level analysis.
    Hope it will resolve your issue.
    Regards,
    Sudesh

  • Owner account need info on other users...help

    I am new to iMac and I transferred information from my old PC to this one, but it transferred it to the Owner account and I made two additional accounts. I want to be able to view that information on the other two accounts. I tried to use Migration Assistant again and upload the information again to the other two accounts but I wasn't able to. I kept creating new user accounts when I attempted to transfer it. Any ideas?

    I had to completely reinstall OSX - and start from the ground up.. melodyne apparently did something to rewire. Logic would fail every time on core audio.. even with melodyne completely wiped from system.. I reinstalled Logic - that failed - finally I had to archive and put in new OSX.

  • GRC AC 10 EAM - Distinguish between a firefighter id and a regular user id logon by looking at it

    Hello,
    I have a requirement where users want to see a change in SAP screen (color/warning/note) while using a firefighter id.
    Reason behind the requirement is that some users are not logging off after using the firefighter id and by mistake using the firefighter id as their own user id for their day to day jobs.
    We are conducting training sessions for users but wanted to check if anyone has worked on the same requirement before .
    I know SAP GUI settings to get different color codes for development, staging and production sap system but we can not use this for firefighter id globally.
    Mark

    Hi Mark
    Changing screen colours are unlikely to really help and I thought those settings are stored against the SAPGUI settings. You could talk to Basis/Developer to see if they have any suggestions in that space.
    I have not done this before (and Basis/ABAP might shoot me down for performance issues) but is it possible for a custom program that runs in background and checks for active FF sessions? it can track and every xx minute display a pop up to remind them they are in FF.
    The challenge here will be users legitimately in FF Ids will get frustrated. It could be improved with a check box for 'don't remind me again for this session'.
    You still rely on training of users and controllers of what FF should be used for in your company. Security authorisations provide additional restriction.
    Regards
    Colleen

  • Drawbacks to iPod Touch iOS 5.1 for owners of 2nd/3rd Generation iPod users

    Hello,
    I am the principal at a middle school and we have been investing in iPod touch technology.  We have a cart of iPod touch units that are 2nd generation units.  From what I have read they can not be upgraded to ios 5.1.  Can you confirm that this is correct?
    Second, and probably most important, we have been very happy with the iPod touches we have.  Should I be really concerned that we only bought these units two years ago and they are already unable to accept the ios upgrade?  What recommendations do you have to keep the units running in tip top shape for our students given the fact that they cannot utilize ios 5.1.
    Thanks a bunch.....

    Second-generation iPod touch models cannot be upgraded past iOS 4.2.1. iOS 5.0 and 5.1 are both supported on 3rd-generation models.
    I'm not sure what you are asking when you ask for recommendations to keep them in "tip top shape" in regards to the OS version. OS version won't make any difference when it comes to what students might be doing to the iPods to cause them to run in a less-than-optimal fashion. The only concern when it comes to OS version that I can think of is whether new apps that you would wish to run would require iOS 5 or later, something which is not yet common but which will become more so as time goes by.
    Regards.

  • Error while assigning FF-Owners to FF-Ids in GRC-10 AC

    Hi Experts,
    I am facing the issue below while configuring Super user assignment (while assigning owners to FF Ids).
    Please let me know if any one of you encountered the same issue and how you resolved it.
    Error while processing your query
    What has happened?
    The URL call http://yashgrcsrv.sapyash.com:8010/sap/bc/webdynpro/SAP/GRAC_UI_SPM_OWNER_POWL was terminated because of an error.
    Note
    The following error text was processed in system G10 : The ASSERT condition was violated.
    The error occurred on the application server YASHGRCSRV_G10_10 and in the work process 1 .
    The termination type was: RABAX_STATE
    The ABAP call stack was:
    Method: IF_POWL_FEEDER~HANDLE_ACTION of program CL_GRAC_POWL_SPM_FFOWNER======CP
    Method: FEEDER_HANDLE_ACTION of program CL_POWL_MODEL=================CP
    Method: DISPATCH_ACTION of program CL_POWL_MODEL=================CP
    Method: DISPATCH_PREPARED_ACTION of program CL_POWL_TABLE_HELPER==========CP
    Method: ON_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: IF_TABLE_DATA~ON_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: ON_TOOLBAR_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: ON_TOOLBAR_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: IF_WDR_VIEW_DELEGATE~WD_INVOKE_EVENT_HANDLER of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: INVOKE_EVENTHANDLER of program CL_WDR_DELEGATING_VIEW========CP
    What can I do?
    If the termination type is RABAX_STATE, you will find more information on the cause of termination in system G10 in transaction ST22.
    If the termination type is ABORT_MESSAGE_STATE, you will find more information on the cause of termination on the application server YASHGRCSRV_G10_10 in transaction SM21.
    If the termination type is ERROR_MESSAGE_STATE, you cansearch for further information in the trace file for the work process 1 in transaction ST11 on the application server. YASHGRCSRV_G10_10 . You may also need to analyze the trace files of other work processes.
    If you do not yet have a user ID, contact your system adminmistrator.
    Error Code: ICF-IE-http -c: 100 -u: GRCADMIN -l: E -s: G10 -i: YASHGRCSRV_G10_10 -w: 1 -d: 20111117 -t: 124258 -v: RABAX_STATE -e: ASSERTION_FAILED -X: 00188B01D3231EE1849D72367EF328EF_00188B01D3231EE1849D723252D408EF_1 -x: 91EB10E1F7B3F19FA8EF00188B01D323
    HTTP 500 - Internal Server Error
    Your SAP Internet Communication Framework Team
    Regards,
    Ravi Alluri.

    Hi,
    I was able to create FF-owner and FF-controller under GRC Role assignments > Access control owners, and was also able to see Active queries - central owners as All(2) on top of the screen.
    After that, when I go to super user Assignment > owners, where I tried to assign FF owners to FFIDs, it gives me the error mentioned earlier.
    One thing I noticed in the screen super user Assignment > owners, where we assign owners: on the top of the screen, Active queries - central owners shows All(0), which means the data (owners & controllers) created earlier is not reflected here.
    I have already run the incremental job Repository object (role, user, profile) sync.
    Does anyone know the reason?
    Thanks in advance,
    Ravi.

  • How to provide access to Critical Transactions in GRC AC 10.0

    Hello Gurus,
    We are in the phase of implementing GRC AC 10.0, and have a requirement where there are "Critical Transactions" identified by the Business, and if there is any end user who wants to access any specific "Critical Transaction" e.g. PA30 etc. then it must automatically go to a specific Owner of that transaction.
    As far as I know, we can have a workflow for getting a role assigned, but I am not sure if it is possible to have a workflow where every "critical transaction" will have an owner and then on selection of the transaction it will trigger a workflow.
    I would also like to know what is a standard or rather best practice in SAP GRC regarding providing access to "CRITICAL Transactions"?
    We thought of creating a role containing multiple "Critical transactions" and then assigning it to the firefighter ID, for which we have an approval workflow! But that does not help, as assigning the role will give the user access to some other "critical transactions" as well, which we would like to control.
    Looking forward to knowing about the suggestion/solution for this issue.
    Thanks in advance.
    Regards,
    Victor

    Hello,
    Victor Ger wrote:
    > We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.
    > Victor
    I think that only one firefighter with all the critical transactions is not a good idea. I guess it's better to have different firefighters IDs assigned to different users. The point here is to decide if you really want to have a trace for all critical transactions executions.
    An example:
    Tx. SM37 is considered a critical transaction if the user also has the auth. object S_BTCH_ADM set to "yes". This allows deleting or copying other users' jobs. This is an authorization that a Basis person must have. Do you really want to trace this?
    I think that forcing a Basis person to use a firefighter for this is nonsense, because this tx. is part of his/her job. Then, you should accept this sort of risk, otherwise you'll get to the point where you replace the normal users with FF users. This is not the idea of FF.
    Of course, this is just a thought and all depends on your business requirements.
    Cheers,
    Diego.

  • Not able to see approvers in grc ac 10.0

    Hello gurus,
    I have configured workflows for access request for GRC AC 10.0. When I submit an access request, my approver is not able to see any requests waiting for his approval. Also in the request status of the access request, no approvers are seen in the given path when we click the instance status button. Please let me know where we populate these approvers and how we can make them appear.
    Thanks in advance,
    Reyas

    Faisal,
    There are 2 places you need to define this.
    1) Within the "Access Control Owner" settings (NWBC > Access Management), you need to assign the "Role Owner" tag to the user/s. This will enable you to select the user to be assigned as an assignment or content approver within the role definition (2)
    2) Against the actual role definition in Business Role Management (BRM/ERM) - you need to assign the user ID as the Assignment Approver of the role for the user to be able to approve the request as a Role Owner.
    If you have somehow created your own BRFplus custom agent for role owners (SAP standard delivered agent is fine!), then you obviously need to maintain your Decision table/Tree results.
    I strongly suggest you check these quick start guides out if you are having trouble configuring the basic settings.
    Business Role Management set up and terminology
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80063a8e-1da6-2e10-aaa5-fda1f0936c37
    First Access Request
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/5067e447-5c64-2e10-7d9c-8f7e5953aadb
    I hope this helps answer your question Faisal
    All the best

  • Standard Approvers on GRC 10.0

    Hi Guys,
    I've got a quick question for you all.
    Do you know where I can define the Point of Contact and Security Agents in GRC 10?
    I have assigned the user ID as a Point of Contact in the "Access Control Owners" area but I cannot find where to associate that user to a functional area or into the master data setup in the NWBC. I'm sure I'm missing a setup step here where the standard approvers are identified against the relevant data elements.
    I have the workflow paths setup in the MSMP workflow config, but it cannot determine the recipients for the approval and therefore it goes nowhere!
    If you can help, it will be greatly appreciated.
    Cheers, Simon

    Hi Triera,
    That's not strictly true. It is possible to derive risk owner into the decision table but it does not allow you to have it as the result in this case. Creating FM rules is effectively ABAP coding. For BRF+ I would use the Flat Rules and then setup the details in the decision tables.
    Having chewed this around with a few colleagues, we came to the conclusion that it's actually a fairly stupid requirement in the end anyway. Picture the scene...
    You have multiple roles in the request and then you submit it.
    Each of these roles then generate risks based upon the access. There could be multiple risks for each role and some roles which could indeed generate risks which might have multiple owners. They could also create risks when assigned together but that is only visible after each role owner has approved. Effectively, this could have endless branches and sub branches and explode out the required approvals. Once those branches get split, the approver (risk owner will only be looking at their own risk) and then would not really be assessing the total request as such.
    It works fine as a requirement if you'll only have 1 risk generated but any more than that and it gets proper messy.
    I still think there is value in being able to use agents across different Process IDs and so it's not completely dead but I'm not going to advocate Risk Owner directly in this manner for the access request process. The closest I would get is to effectively generate the CAD on the new technology (directly mapped users) and manage it from there.
    Cheers,
    Simon

  • GRC EAM Authorizations: Few Anomalies in Standard Roles

    Hi GRC/ Security Experts,
    To brief you quickly, we have an SAP GRC AC 10 SP13 about to be deployed with ARA & EAM Modules as a first phase deployment.
    All of the functionality is almost setup, just refining few things before going live.
    About the GRC Authorizations, I observed few anomalies in the standard delivered SAP Roles for EAM.
    I am aware that processes & compliance's, can vary from organization to organization. I am trying to redesign some of the EAM related authorizations, especially for Firefighter Owner/Controller.
    In the standard delivered EAM roles, there are few things missing and few unnecessarily attached.
    I am already aware of the provided information in the following resources:
    - 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
    - 1663949 - EAM: Authorization Fixes for Central Owners and Reason Codes and have referred to EAM Authorization
    - EAM Authorization Concepts & Guide
    - GRC AC Latest Security Guide.
    I am wondering, many of GRC AC 10 implementations must have gone live by now, and how can be the following authorization hardening concerns be addressed.
    I observed the following anomalies, and used ST01 tracing to refine and address a few of them; still, some of them I can't seem to get hold of:
    1) [SOLVED] EAM Owners should technically not be allowed to Create/Maintain Reason Codes, that should be EAM Administrator's task. This was addressed by adjusting the auth objects from Owner's Role and only Reason Codes Display was provisioned to the owner's, hence this is addressed.
    2) [SOLVED] EAM Owners should not be allowed to Create/Maintain EAM Controllers. This is a grey controversy I believe, as in my organization EAM Controller is treated on even Higher Scale than Owner and thus EAM Controller maintenance should only be done by the EAM admin rather than EAM Owner. This also I have addressed by adjusting few auth objects, which leaves the EAM Owners with Display only access of EAM Controllers.
    3) [UNSOLVED] EAM Owner is able to assign any Firefighter ID to End-User: This is anomaly as per me, and is also specified in notes 1730649 & 1663949, but I find it hard to figure out the real solution of that specific issue. The notes just point to EAM Authorization Guide, which explain the GRC Authorization concept in general, which I of course get it. The GRC SP13 is already higher than the one applicable for the issue.
    Technically EAM Owner should only be able to ASSIGN the FF IDs that are Owned by him; this I can't seem to figure out how exactly.
    I have gone through the Authorization Guide, Security Guide, Played too much with System Trace ST01 trying to redesign the authorizations. How would you have done it? This wasn't there in Virsa earlier, it used to bug you back saying that FF ID is not owned by you.
    4) [UNSOLVED] Similarly like above, EAM Owner is able to modify assignments/delete assignments of any FF ID. This is of course cascaded from the above issue. I believe it doesn't have to be like this, EAM Owner should only be able to access/modify/maintain the FF IDs owned. Maintenance of the FF IDs not owned by EAM Owner should be truly abstained.
    5) EAM Owners should not be able to Add/Delete the Assignments of Owner with FF ID. This is the starting point of the Firefighter Structure and must be restricted to EAM Administrator. In the Standard EAM Owner role, an EAM Owner can create another Owner, assign an FF ID to another Owner, Delete an Owner-FF ID assignment. EAM Owner should have display only access as far as it is concerned about the EAM Owners access Area. This one I have yet to test, which I think would be possible. Can't get hold of points 3 & 4.
    I have already studied/implemented the suggestions/recommendations/corrections from Authorization Guide.
    But I still feel that these are a few loopholes and must be closed before I conclude the implementation.
    What do you think?
    Would truly appreciate, if you can point out the objects and values that can help to address the open issues.
    Apologies, for such a lengthy post, but the authorization goes deep here I guess and ST01 isn't helping me anymore to get over this.
    Regards,
    Akshay

    Hi Colleen,
    Thanks for your reply, I was sure I will be getting first response from you, as you are really proactive in GRC Space.
    W.r.t. your suggestions:
    1) I am not able to follow what you mean by "Are you able to try debugging "CALL METHOD cl_grac_auth_engine=>authority_check" ?? I am not much of a ABAPper/DEBUGGer, but if you can point what exactly is to be done/or to be get done I wouldn't mind getting my hands dirty at this too.
    Correct me if I am wrong, do you imply that, even though the specified correction in note is available in system (SP13), still this inbuilt authority check is not happening and is being bypassed?
    2) I checked the EAM Authorization Guide for Auth Object GRAC_USER.
    With what you feel in the below message of yours=>
    Starting to wonder if it is as the EAM Guide attached to the above notes mentions authorisation GRAC_USER which contains a field for user (quote from guide below).
    User ID : This Field Specifies which firefighter users you can Display and Perform other activities based on the Activity Field .
    That suggests you need different roles to restrict owners? I would have thought SAP would differentiate between authorisation to maintain FF as an Administrator versus Owner allow access to their Ids.
    I would have thought Administrator would get the GRAC* authorisations whilst Owners would obtain access via owner setup (mapping for FF Id)
    I went back to the EAM Guide and tried to put it all together to make sense.
    With my below observations, I think too that there is no such thing as mapping of FF ID with the Owner, out of the Box in GRC AC 10 so that Owner is able to access only the FF IDs owned.
    So, if that would be true, then to achieve this sort of wish, I would have to have separate roles from each EAM Owner specifying, the FF IDs that particular EAM Owner is able to access. And then there would be n number of Roles for n number of Owners, which is subject to change and has to be maintained again. Then also, the FF ID owned could also be added/removed etc, Whoa! That wouldn't make me far away from rationalizing the whole objective.
    I just wonder, if this is actually Ok? If there is no approach to this, would it be OK to let any EAM Owner work with any FF ID subject to their own desire.
    Anyways, check this out below , I will sideways open a message with SAP just to have my closure.
    From EAM Authorizations Guide in the note=>
    Now from the EAM Owner's Role=>
    This nowhere mentions Restricting the FF IDs in the Role; if at all this concept exists, it would be through some internal check like the one above i.e. CALL METHOD cl_grac_auth_engine=>authority_check or something.
    Also, found these few specifications as well, which affirms the same I believe.
    Much thanks for your effort and patience.
    Regards,
    Akshay
