GRC AC V10 - Escalation

Similar Messages

• GRC AC v10 SPM WF - Workflow Item not showing up in WF Inbox

  GRC AC v10 - SP12
  The outlook email notification for the Workflow Item goes out, but there is nothing in the NWBC Inbox for the WF Item. Subsitution is setup correctly.
  Any ideas?
  -john

  Hi John
  this is probably be a silly question but what substitution did you set up for ZFF_CTL_01? I assume the item is in that user's inbox. Which user is meant to be receiving?
  I also noticed this KB article (1589130) which mentions the delegated person needs GRAC_REQ authorisation. Have you checked if security access issue?
  There was also mention that the delegated approver does not appear in the MSMP instance runtime (your screen shot suggests same situation unless you have not set up the delegation). SP14 delivers the fix or refer to  1915928 - UAM: Delegated Approver is not visible in the Instance status
  Possibly have a look at both of them to see if they resolve your issue.
  Regards
  Colleen

• GRC AC V10 - UAR config steps

  Hi together,
  I didn't find any config guide or input for the configuration of UserAccessReview UAR.
  Can anybody mention the most import steps and jobs?
  The RKT info is not that detailed.
  Thanks,
  Alexa

  Hi Alexa,
  I am not sure how much I'll be able to help you without a proper documentation.I'll try my best.
  Go to SPRO->GRC0->Access Control->Maintain Configuration settings. Please maintain these values as required.
  Parm Group        ParmID     Parm value                            Description
  UAR Review        2004     011             Request Type for UAR
  UAR Review        2005     004             Default Priority
  UAR Review        2006     MANAGER             Who are the reviewers?
  UAR Review        2007     YES             Admin. review required before sending tasks to reviewers
  SOD Review     2016     010             Request Type for SoD
  SOD Review     2018     RISK OWNER      Who are the reviewers?
  SOD Review     2023     YES             Is actual removal of role allowed
  Then go to Go to SPRO->GRC0->Access Control->Workflow for Access Control-> Maintain MSMP workflow. Customize the Processid SAP_GRAC_USER_ACCESS_REVIEW. Maintain all the required details. Save and activate it. Now you are ready for review.
  For issues follow the SAP Notes: Note 1620495 - GRC 10.0 UAR - Submission failure of request &   1620493 - GRC 10.0 UAR Background Job stuck
  Don't forget to implement the note 1622281 after your configuration.  Get back if you have any issues further.
  All the very best
  Regards,
  Guru

• GRC AC v10 NWBC: Configure LaunchPad for Menus

  I would like to add a new menu Launchpad, but am having trouble getting it to appear in NWBC.
  I followed the instructions at: http://scn.sap.com/community/grc/blog/2014/01/31/configure-launchpad-for-menus
  However, it still does not appear.
  Any help would be appreciated.
  thanks,
  -john

  Dear John,
  did you authorize the end user for the application? If the user is missing authorization the work center is not applicable in the screen. Hence the user cannot see it.
  Regards,
  Alessandro

• GRC AC V10 - one approval step for manager and role owner

  Hello Community,
  I have one, perhaps easy, question. Where is it possible to maintain the solution of one approval step for manager and roleowner, if both are unique.
  E.g.:
  simple approval workflow: manager stage afterwards roleowner stage afterwards auto-provisioning
  So if the request is routed to the manager and the manager is also the roleowner of the requested authorization role (same UserID). The user has to approve one and the same request twice.
  Is it possible in V.10 to change the config that the user has only to approve the request once? And then to decide on which relevant stage settings are valid for this process.
  Thanks,
  Alexa

  Hi Alexa,
  We have had a similar questions raised in a project. In an ideal world, a single "Sign-off approval" would be a great functionality where the same user has to approve the same consecutive stages, but the reason for different stages would entail that the responsibilities entailed per stage differ, e.g. Line Manager would just check the over request, and the role owner etc may be reviewing the elegibility of a specifc role etc.
  If it is likely to be the same person reviewing the 2 consecutive stages, maybe a single stage workflow would be sufficient to cover this scenario.
  I think the logic you are trying to configure in the workflow is possible but will require alot of work with knowing how to create a clever custom workflow with BRF+ or the actual WF stuff in SAP itself.

• GRC AC v10: User Request Field (User Group for Authorisation Check)

  Good Day,
  I am wondering if anyone has had any success in pulling across the User Group in the User Access Request Form. In EUP Default View settings, this is set as visible and editable. Yet, I am not seeing the field in the AR form. I would expect to see this field in the User Details tab. That being said, I am also curious about the User System Details tab. I would think the  User Group will come across in one of these two tabs. Appreciate any insight... ~Triera

  Hi,
  The user group of the selected user would be populated in 'User System Details' tab . This field is not there is user details tab as each system can have different user group and we can have multiple systems in the request .
  Please check if the user selected in the request has a usergroup assigned in the detail datasource system.
  Best Regards,
  Aman

• GRC AC V10 - Mitigation Control Approval Workflow

  Hi guys,
  can me explain somebody the difference between the processID SAP_GRAC_CONTROL_ASGN und SAP_GRAC_CONTROL_MAINT?
  And as well can somebody provide me the initiator rule ID for both so that we can have a detailed look into the brfplus rule.
  We only want to mitigate controls via an controlowner approval and not a process for the creation of new controls.
  That means an asisgnment approval workflow for mitigation controls.
  Thanks a lot.

  Hello Alexa,
  Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
  I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
  Any information would be appreciated.
  Thanks,
  Jamie

• GRC AC v10 ARA

  Hi Experts!
  My client has a "stand-alone" ARA impementation and want to have notifications when certain SAP TCodes (ARA Actions) are assigned to userIDs. I cannot find this functionality. Am I just blind?
  I have implemented and tested the "Critical Actions" & "Critical Roles/Profiles" functionality. But, they want notification at tcode assignment. Any ideas?
  Thanks in advance.
  -john

  Dear John,
  there is no such standard functionality. You can check the possibility of monitoring for critical actions so that a notificaiton is sent out when someone executes a critical tcode. But be aware that the notification is sent out after execution and not while assigning tcodes.
  Also as you have already mentioned the critical action functionality for access requests. But as you aren't using ARM you cannot check assignments in the workflow. So therefore alternatively you can use the SOD review workflow so that you define the critical actions and send out a workflow when a risk appears.
  Let me know if you have further questions.
  Regards,
  Alessandro

• GRC AC V10 - GRAC_SERVICE agent

  Hi experts,
  it exists two standard agent rule (GRAC_SECURITY und GRAC_POINT_CONTACT). But where can I define the several users for each agent?
  The rule IDs (numbers, only names) aren't available so that we can have a look into the brfplus details.
  Thanks for your help,
  Alexa

  Hi,
  Both of them are Function module based rules and following function modules are used
  GRAC_MSMP_POINT_CONTACT_AGENT
  GRAC_MSMP_SECURITY_LEAD_AGENT
  The list of Security lead and POC is fetched from 'Access Owners' application .
  Best Regards,
  Aman

• GRC AC 10 on SAP NW 7.3

  Hi,
  Need your valuable input regarding GRC Access control V 10.  I dont have much of knowledge about GRC, but unfortunately I need to collect some information about GRC AC V 10 on SAP NW 7.3.
  From my search I think SAP has not released the GRC Access control V10 for SAP NW 7.3 and as per note 1532805 I think its not released yet. Is my understandign right or if any one has installed please give you valuable input.
  Also I am trying to serach PAM for GRC AC V10 but unfortunately I cant find any. Any link to the same will be of great relief.
  Is there any document related for sizing GRC AC V10? I can find document for 5.3 only.
  Any help in this will be of great help to me.
  Thanks in advance.

  We have been communicated that GRC 10.0 was not tested on NW 7.3  We were strongly suggested to use recommended NW 7.02

• GRC 10 - Job Sync Legacy System large files

  When I run the job GRAC_REPOSITORY_OBJECT_SYNC sync with the files from the legacy system, the file "USER_PERMISSION.txt" is about the size of 231 MB, and this happening to this job sincornismo canceled, the error "TSV_TNEW_PAGE_ALLOC_FAILED", the basis verified the memory allocated.
  We check the SAP note "1593704 - legacy file upload issue for large files" is already applied in SP05.
  Server: SAP GRC AC v10:
  [Config My System|http://www.2shared.com/file/rhXVfRcX/My_system.html]
  Could you help me with some information to have solved the problem.
  grateful
  Inacio

  Hello Inacio,
  I know that this is a very old post, but have you managed to solve this issue?
  I've found this note, that is included in SP10
  Note 1741277 - Repository Role sync ends with TSV_TNEW_PAGE_ALLOC_FAILED
  Have you changed memory parameters in order to solve it?
  Thanks!
  Diego.

• Role Certification search and notification

  Hello,
  I have configured role certification functionality in GRC-AC  v10.0 SP13, and everything works fine.
  When the role owner does the certification, by clicking on the certify button and writing some certification text, this text is saved in the Comments History field in the role. It's fine, but I have two questions:
  1) Is there a way to search those certification texts easily, like a list of several roles?
  2) When the role owner certifies the role, is there a way to configure some notification to anyone?
  Thanks in advance for any help.
  Regards,
  Gabriel Aquino

  Dear Gabriel,
  reagarding your questions to role certification. I don't think that you can search for comments in the web client. Basically comments are stored in long text and hence searching is not that easy. Probably it is possible to search directly in the tables (e.g. you can create a report to search). If you are interested I can search the tables.
  Basically role certification is calculated based on the period and the last certification date. After the defined days an email reminder is automatically sent to the role owner. The reminder template can be customized in SPRO. Further notifications are not possible with standard functionality. I suggest to raise an idea on the idea space: https://ideas.sap.com/SAPAccessControl
  Best regards,
  Alessandro

• GRC v10 AC Owners

  Good day,
       OK, it seems that I am missing something with GRC 10.  We are upgrading from CC4.0 to GRC 10.  I believe I have everything configured through SPRO correctly.  I can run a risk analysis on end users and I get results.  I am now at the point where I put the mitigations into the system but I have seem to run into a snag.  When I go to master data > Mitigation, I start to fill in the information but when I try to add a AC Owner I get "No Results Found".
       I have tried adding a Owner to a risk and then going back, I have also added a user under "Access Management" tab with "Access Control Owners".  I have reviewed almost every node in SPRO and I can not seem to find where I am missing something.
  I am sure it is simple since I can not find any documentation on this almost anywhere.  We are currently running GRC v10 SP5.  We are only planning to use the RAR (5.3 term) portion of AC not the other part (Example: Risk Terminator).  Please let me know if there is a simple solution to get a user populated in the AC Owner tab.
  Kind Regards,
  Paul

  Some of the GRC Roles ..
  SAP_GRAC_ACCESS_APPROVER                   Role for Access Request Approver 
  SAP_GRAC_ACCESS_REQUESTER            Role for End user  
  SAP_GRAC_ACCESS_REQUEST_ADMIN     Role for Access Request Administrator 
  SAP_GRAC_ALERTS                                   Generate, clear and delete SOD Alerts
  SAP_GRAC_ALL                                           Super Admin for AC  
  SAP_GRAC_BASE                                        Base Role for all Access Control Users.
  SAP_GRAC_CONTROL_APPROVER          Create AC MIT control, approve, assign, alert and perform Risk analysis
  SAP_GRAC_CONTROL_MONITOR                 Ability to assign MIT control to Risk and perform risk analysis
  SAP_GRAC_CONTROL_OWNER                 Create AC MIT control.  
  SAP_GRAC_DISPLAY_ALL                         Display Access To All AC Objects.
  SAP_GRAC_END_USER                                     End User as a GRC Guest
  SAP_GRAC_FUNCTION_APPROVER            Approve Function for Workflow  
  SAP_GRAC_NWBC                                            View Access Control Information Architecture. 
  SAP_GRAC_REPORTS                                   Ability to run all AC reports.
  SAP_GRAC_RISK_ANALYSIS                 Ability to Perform Risk Analysis 
  SAP_GRAC_RISK_OWNER                       Risk maintainence And Risk Analysis 
  SAP_GRAC_ROLE_MGMT_ADMIN            Role Management Admin   
  SAP_GRAC_ROLE_MGMT_DESINGER         Role Management Designer   
  SAP_GRAC_ROLE_MGMT_ROLE_OWNER     Role Owner    
  SAP_GRAC_ROLE_MGMT_USER                      Role Management Business User  
  SAP_GRAC_SUPER_USER_MGMT_USER     Super User Firefighter   
  SAP_GRAC_SUPER_USER_MGMT_ADMIN     Super User Administrator Role  
  SAP_GRAC_SUPER_USER_MGMT_CNTLR     Super User Controller Role  
  SAP_GRC_MSMP_WF_ADMIN_ALL     MSMP Overall Administrator   
  SAP_GRC_MSMP_WF_CONFIG_ALL     MSMP Overall Configurator   
  SAP_GRAC_RULE_SETUP                       Ability to define Access Rules 
  SAP_GRAC_SETUP                                    Ability to setup Access Control 
  SAP_GRC_FN_BASE                            GRC - Base role to run applications
  Hope it helps ..
  Vikas

• How can I change the escalation manager at support in GRC 5.3?

  Anyoone please let me answers for the above question.
  Is it from the support link in Configuration tab in CUP?
  Regards,
  Pankaj

  hi all,
  I am facing the same issue of changing the escalation manager in GRC 5.3 . Helpful reviews needed urgently. Thanks in advance.

• WebServices in GRC v10.0

  Hi all,
  I have three questions to WebServices regarding SAP GRC v10.0:
  1. Is it possible with v10 to check permissions via WebServices (SAPGRC_AC_IDM_*) only with the RAR component? In v5.3 it was only possible, if CUP was installed too.
  2. Contain the WebService SAPGRC_AC_IDM_RISKANALYSIS in v10 a analysis of critical permissions? In v5.3 only SoDs and critical actions was checked.
  3. What is the task of the parameter includeCrossSystemsAnalysis of the WebService VirsaCCRiskAnalysisService in v10? In v5.3 the value of this WebService has no impact to the SoD check (it SHOULD be:
  includeCrossSystemsAnalysis == true ==> cross system SoD check
  includeCrossSystemsAnalysis == false ==> single system SoD check
  But doesn't matter what's the value of the parameter. There is always a cross system check. Has this changed in v10.0?
  Regards
  Peter

  Hi Peter,
  AFAIK the web services have not yet been published.
  If you had the web service return violations without the requirement for CUP, what would you do with that information?
  I hear that question a lot, I would really like to understand the ideas behind it.
  To one of your other questions: cross system check is only possible for dedicated cross system risks. If there are no such risks defined, this will not yield any results no matter what the value of the parameter is.
  Thanks,
  Frank.