GRC AC - HCM as user search data source

Similar Messages

• GRC AC User Search Data Source Configuration

  Hello all!
  I´ve configured BRM and ARM as recommended on SAP Access Control 10.0. A lot of things are working ok and some of them not. At this moment I´m testing an Access Request to lock a user, the problem happens when I try to search the user, I didn´t receive any return. Please check the print screen:
  "Maintain Data Sources Configuration" is configured as the print bellow pointing to our ECC/HR system:
  Someone can help?
  Regards,
  SAP Legend

  HI,
  Also maintain detail data source and make sure you run repository sync job..
  Also check if the user you are trying to lock is present in the table GRACUSER/GRACUSERCONN.
  Regards,
  Neeraj

• GRC 10 - Legacy connector as user detail data source

  Hello, 
  I'm trying to use a legacy connector (with a text file as input) as a user data-source.
  Repository user sync for this legacy connector works : checked GRACUSER table, it is populated with all the user details from the input file (id,firstname,lastname,mail,department,phone
  I got it working for user search data source : when creating an access request for "other" user, searching for a user ID/name works : data are displayed in search result, however when I select the user from the serach result the user details are not populated in an access-request form.
  Any clue about this ? Any one already got this working ?
  GRC 10.0 SP13.
  Checked SP14 and SP15 release notes, and found no relevant notes yet.
  repository-related notes applied :
  -1864423
  -1950231
  Regards,
  Emmanuel.

  Hi Pedro,
  You only have confirmed that 2 accounts are maintained in HCM and in SU01 as well, so you would be able to see these accounts' details both ways.
  Yes, you are right about user account maintenance first in HCM at the time of new hire, then you can manually raise the access request to grant them access to various SAP systems. Or in order to automate this process as Prasahant suggested, you can take help from HR Triggers.
  You can refer: GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki
  But responding to your original discussion, whatever user accounts are maintained in HCM you would see those details provided you define HR for the "user search data source" AND from SU01 for "user detail data source"
  In your case you have 2 accounts which have been maintained in HCM as well as SU01, so that is what creating confusion for you.
  Let us know if you need any more clarifications.
  Regards,
  Ameet

• User Details Data Source

  Hello all,
  I´m working to configure the user search data source and also user details data source from our GRC AC environment. Bellow my doubt:
  Can I configure GRC AC to automatically fill the Manager field in the access request screen? Obviously the User Details Data Source must be configured. Is it possible using SU01? HR? LDAP? All of them? Some examples would be really appreciated.
  In other words:
  When an Access Request is made, I want all User Details filled automatically, including the Manager.
  Regards,
  SAP Legend

  Hi,
  Yes you can configure the manager look up functionality by configuring the detail data source in the IMG and make sure you do all the configurations respective to what data source you are using.
  If you are using LDAP then make sure you have done the mapping for your AC field name and target system field name and all the LDAP related configurations.
  If you are using HR system as the data source please check the below link.
  Configure Manager Look-Up in ARM for GRC 10
  Regards,
  Neeraj

• GRC 10.0 Access Request Creation- Data Source of User Details

  Hi Experts,
  I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
  While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
  In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
  My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
  Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
  Thanks,
  Atanu

  Alessandro,
  Thanks for your response. It helped me to know certain things.
  But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
  Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
  Thanks in advance!
  Atanu

• GRC AC 10 CUA Configuration for Data Sources

  When using CUA as the search data source in GRC AC 10.0 the search is not working. If I change the data source to my ECC system it works fine. Also trying to use CUA as the first sequence in the Details sources, but it does not work either. Also noticed that the details sources only seems to recognize one sequence when multiple sequences are setup. Has anyone come across this as a problem?

  Hi all,
  I agree with Patrick, I received the answer from SAP, that once a user is found in a detail data source, GRC will take all data from this data source and not continue looking in the following details systems.
  Eg. USER1 is existing in CUA and HR, it will find the user in the CUA system, take email, phone no etc from CUA but will not continue looking for e.g. the missing personnel no data in HR.
  USER2 is existing in HR only but not in CUA - GRC will take the detail data from HR only.
  Did you try these scenarios?
  Regards
  Daniela

• User Details Data Source in CUP 5.3

  Dear GRC Gurus,
  Iam configuring CUP 5.3., in the User data source (which is used to fetch users,approvers,managers from backend)  there is User Details Data Source -> i select SAP and i get the system name -> There is a Field Function Template -> there are two options, standard and Custom. 
  What is the use of Function Template ?
  What is standard and Custom?
  If we select Custom, what should we enter in Function Template Name?
  Can you please clarify
  Thanks a lot...
  Regards
  Selva

  Hi,
  The user data source only reads the user details for use in defaulting the information into request forms / workflow.
  I believe that the function template just tells the system whether to use standard fields within the SAP user master or whether you have requirements to use alternative field mappings.
  I don't think that the custom template name matters as it is identified.
  I must admit that I haven't used it so I may be wrong but that is my current understanding!
  Regards, Simon
  Edited by: Simon P Persin on Oct 26, 2009 4:40 PM

• Lync monitoring Details reports are not getting opened, Getting SQL error like "Cannot impersonate user for data source 'CDRDB"

  Hi,
       Two month before, We have deployed Lync 13 set up with lync monitoring and archiving service enabled. After configuring we have the Lync monitoring and archiving services are working fine... few weeks back I have changed the Admin Password
  of the Lync Setup. After that Lync Monitoring and Archiving services are not working.
  when I try open Lync monitoring service from web UI, 
  http://localhost/ReportServer_LyncMonitoring/
  Web UI is opening but Reports home page is not Accessible , Getting error Like
  "An error has occurred during report processing. (rsProcessingAborted)
  Cannot impersonate user for data source 'CDRDB'. (rsErrorImpersonatingUser)
  Log on failed. Ensure the user name and password are correct. (rsLogonFailed)
  The user name or password is incorrect"
  Please help me to trouble shoot this problem.
  Thanks,
  Rajarajan.D

  Hi Rajarajan.D
  You probably need to update the password against the CDRDB datasource in SSRS Report manager, take a look at this article: http://lyncme.co.uk/microsoft-lync-server-2013/cannot-impersonate-user-for-data-source-cdrdb-rserrorimpersonatinguser-error/
  If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
  Georg Thomas | Lync MVP
  Blog www.lynced.com.au | Twitter
  @georgathomas
  Lync Edge Port Check (Beta)
  This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Got rid of User Profiles data source in 2013?

  We're trying to put together an approval workflow using 2013, but it seems like they got rid of the "User Profiles" data source, so you cant simply select the Manager of the current user. I wanted to add that manager to the Participants of a Task
  process, but I kind of hit a brick wall with that.
  Is the process overall different in how I would talk to the active directory through the workflow? Or should I just stick to 2010 workflow?

  Correct, it is no longer there. You're going to have to use the user profile web service. See here:
  http://sharepointrocks.wordpress.com/2013/08/22/sharepoint-2013-using-infopath-and-userprofileservice-asmx-with-claims-based-web-applications/
  Andy Wessendorf SharePoint Developer II | Rackspace [email protected]

• Cannot impersonate user for data source 'SMSDB'. --- Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Log on failed. ---

  After Upgrading from SCCM 2012 Sp1 to SCCM 2012 R2 we are getting following error:
  System.Web.Services.Protocols.SoapException: An error has occurred during report processing. ---> Microsoft.ReportingServices.ReportProcessing.ProcessingAbortedException: An error has occurred during report processing. ---> Microsoft.ReportingServices.ReportProcessing.ReportProcessingException:
  Cannot impersonate user for data source 'SMSDB'. ---> Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Log on failed. ---> System.Runtime.InteraopServices.COMException: The referenced account is currently locked out and may not
  be logged on to. (Exception from HRESULT: 0x80070775)
     at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.GetReportParameters(String Report, String HistoryID, Boolean ForRendering, ParameterValue[] Values, DataSourceCredentials[] Credentials, ReportParameter[]& Parameters)
     at Microsoft.ReportingServices.WebServer.ReportingService2005.GetReportParameters(String Report, String HistoryID, Boolean ForRendering, ParameterValue[] Values, DataSourceCredentials[] Credentials, ReportParameter[]& Parameters)
  Microsoft.ConfigurationManagement.ManagementProvider.SmsException
  An error has occurred during report processing.
  Stack Trace:
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ParameterPresenter.GetParameters()
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ParameterPresenter.LoadParameters(IReport report, Collection`1 navigationParameters, IResultObject resultObject)
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ReportViewerPresenter.Worker_DoWork(Object sender, DoWorkEventArgs e)
     at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
     at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
  System.Web.Services.Protocols.SoapException
  System.Web.Services.Protocols.SoapException: An error has occurred during report processing. ---> Microsoft.ReportingServices.ReportProcessing.ProcessingAbortedException: An error has occurred during report processing. ---> Microsoft.ReportingServices.ReportProcessing.ReportProcessingException:
  Cannot impersonate user for data source 'SMSDB'. ---> Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Log on failed. ---> System.Runtime.InteropServices.COMException: The referenced account is currently locked out and may not
  be logged on to. (Exception from HRESULT: 0x80070775)
     at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.GetReportParameters(String Report, String HistoryID, Boolean ForRendering, ParameterValue[] Values, DataSourceCredentials[] Credentials, ReportParameter[]& Parameters)
     at Microsoft.ReportingServices.WebServer.ReportingService2005.GetReportParameters(String Report, String HistoryID, Boolean ForRendering, ParameterValue[] Values, DataSourceCredentials[] Credentials, ReportParameter[]& Parameters)
  Stack Trace:
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ParameterPresenter.GetParameters()
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ParameterPresenter.LoadParameters(IReport report, Collection`1 navigationParameters, IResultObject resultObject)
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ReportViewerPresenter.Worker_DoWork(Object sender, DoWorkEventArgs e)
     at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
     at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)

  HI,
  Check the SQL Reporting services account that is used, the one that you supplied when setting up the SQL Reporting Services point in the Configuration Manager 2012 console, it seems to be locked out.
  I believe it has been asked once before on the forums as well.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• GRC 10/10.1 User Data Source question

  Hi folks, I've been unable to find any document that addresses this so I thought I'd ask.
  I've configured GRC 10.1 so that the GRC system is looking at the ECC system and all the scenarios are configured and things are working well.  We have a separate LDAP issue, and until that's resolved, the user data sources have been set to the ECC system.
  Specifically for Firefighter, we want to create Firefighters in the GRC system and assign them IDs that are configured in the ECC system so that they can get in for Firefighter related access and get their work done.  Many of these people are not in the ECC system.
  I realized that I have not set up the GRC system as a connector within the GRC connectors configuration.  I also did not find any reference to this in any of the documentation that's available out there.
  So I wanted to know how do you get the GRC system to become available as a user data source so that in the event a user is not available in the ECC system, and as in our case, LDAP isn't working, the user will still pull up because they exist in the GRC system?
  Can I use a connection type of LOCAL in the "Change View "Connection type definition": Overview" Screen?
  Please advice.
  Thanks,
  Santosh

  Hi Santosh,
  If your requirement is to use GRC as a data source, configure it as a SAP connector as you do for other SAP systems (the underlying system of GRC is Netweaver so its SAP as well).
  Once the connector is configured, you can use that in your "data sources configuration - user search data source". List all your connectors and the sequence in which the user ID has to be searched for.
  For  your case.,
  1. LDAP connector
  2. ECC connector
  3. GRC connector
  Thanks.
  Regards,
  Muthu

• GRC 10: Maintain Data Sources Config Problem

  Hi All,
  I was trying to configure the User Data Sources for:
  1. Search
  2. User Details
  During this, I went to SPRO->GRC->AC->Maintain Data Sources Configuration. Here, first I tried to configure User Search Data Sources. When I clicked on New Entries, It gave me a screen wherein I have to fill details for:
  1. Target Connector
  2. Sequence
  3. User Data Type
  In Target Connector, I could find the connector I defined for the back end system and I could select it.
  In Sequence field, it is not showing any possible values. However, we can mention any value I believe. Then I mentioned like 12.
  In User Data Type, I shows as a possible values option. But when I click F4, it says:
  No Values Found
  Can anybody help me configuring this?
  Regards,
  Faisal

  Hello Faisal,
  Please note that you can have backend connectors as LDAP, SAP HR system
  Now the question is if you are using SAP HR system (i.e. a ECC system with HR module implemented) then
  1) Target Connector --> RFC name for the SAP ECC system
  2) Sequence --> you can put it as 1 ( if multiple  then you may decide which should be 1st source , 2nd source and so on)
  3) User data Type : It can be SU01 or HR
  If you are using LDAP as data source then ,see to it that you have maintained all the details for LDAP as required in SPRO configuration.
  i.e. create LDAP connector,Register the program at OS level, make necessary settings in transaction : LDAP
  Hope this helps.
  Regards,
  Victor

• User Data Source in CUP AC5.3

  Hello,
  What is the functionality of the User data sourcein Compliant User Provisioning?
  We are using HR module and i have created the connector using the Jco destination VIRSA_HRModel.
  I have configured the User data source type as SAP HR System as VIRSA_HRModel and Details source type as SAPHR with System name as VIRSA_HRModel.
  Please explain the functionality.
  Regards,
  Kumar Rayudu

  Kumar,
     As you know CUP is an ticket creation, user provisioning tool with automated workflow. So CUP will need to bring user details or user information for requestor, approver, manager etc. from some kind of source. This is where data source comes into picture. Whenever you need to search for an user ID, CUP will look at the search data source and whenever CUP needs to bring in user information like name, email, phone etc., CUP will use user details data source.
  DO NOT USE JCO IN CUP, ERM AND SPM. You will need to have exactly same connector names in all four modules of AC 5.3 for all of the integration functionality to work. When you use JCo, it will not allow you to change the default name (virsahr_model in your case).
  ONE MORE THING, NEVER EVER TOUCH JCo OTHER THAN VIRSAXSR3 EVEN FOR RAR (CC). VIRSAHR AND VIRSAR3 ARE NOT RECOMMENDED TO USE.
  I hope this helps.
  Regards,
  Alpesh

• User Data Source - Access Enforcer

  Hi,
  I currently have my User Details Data Source and Search Data Source in AE pointed to the UME. In the UME I have my requestors and approvers set up. However when I go to raise a request to change a user account and want to search for an SAP user, the search only returns the requestors and approvers set up in the UME and does not show user data from SAP. How can set up AE so that it shows me user data from SAP and requestor/approver data from the UME?
  Thanks,
  Gary

  What you can do is... to point your UME to your SAP system,  where you can find all users.....
  And keep your configuration of AE the way you have it....
  Another way is, to change your configuration of User Details Data Source pointing to SAP.
  Youy User Details Data Source have to point to the system that have all the new users....
  For example, in my company before giving the SAP access we give LDAP access, so my User Details Data Source  are pointing to my LDAP system.... this way i can find easily the  user that need to request access..
  Hope this help.
  Regards,

• "Sequence number already exists in table" maintining Data Sources

  Hi fellows, i am seting up a new connector in GRC 10.0, but when configuring the connector for the User detailed Data sources i get the same error; "Sequence number already exists in table".
  I have tried with over 200 numbers which I know for sure are available and still get the same error. Where can I find the table with this information?
  Can the information be removed to clean up table space?
  Thanks for your help!!!

  Hi Gabriela
  I recall getting this error a lot and it seemed to be a buffering/memory problem where it was remember the old value was getting remember. I had to exit out of the IMG navigation and reenter it again. It'd happen if I deleted one entry and then went to add another (even after saving). Not sure if you are getting this
  Other thing is to check the backed tables to see if any orphaned values on the primary key
  Regards
  Colleen