GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?

Hi Experts,
re: GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?
After reading the guides and forum it is still not clear to me if ERM is absolutely required in order to use CUP "User Access Reviews". The guide mentions that in ERM the Role Usage Synch job has to be run, and then that data is to be loaded into CUP. Is this step absolutely required or can we skip it?

Gary,
  ERM is a necessity if you want to fully use UAR in CUP. I don't know why SAP did it this way but it is how it is.
Regards,
Alpesh

Similar Messages

  • Configuration of  User Access Review process

    Hi,
    I'm new to the forum.
    I'm looking at the User Access Review process in CUP.
    I would like to implement the User Access Review request. So, my questions are:
    1. Where does GRC take the data from to make the analysis? I need to know the exact place where the data is collected (which table, transaction code or statistical data).
    In case GRC uses the backend tables, I should be aware of the time that the tables are operational in the system, correct?
    2. Otherwise, how does this analysis affect performance in the backend system?
    3. I have read that it is possible to obtain reports using Action Usage. The report that I mention is: RAR --> Informer --> Security Reports --> Miscellaneous --> Action Usage by User
    Where does it get its information from? Could the data be in the same place that the User Access Review process uses?
    4. Is it possible to introduce other actors as Reviewers (in the Configuration tab, User Review > Options > User Review pane)? Currently, the reviewers configured are Manager or Role Owner.
    5. To set up User Access Reviews, do I need some additional technical or is it an automatic procedure?
    If there are any requirements that I should take into account, please let me know.
    Thanks in advance
    Marta

    Hi,
    I have found this document that answers all my questions: www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/b05010a3-ed45-2c10-79b2-96df60a6bf2b
    So, now I have another question:
    In the GRC Access Control that I have, ERM is not configured and there is no communication with it (only RAR and CUP are configured). So, I would like to know if it's possible to configure User Access Review apart from ERM.
    To realize the Role Usage Synchronization job in ERM, the transaction usage information from RAR alert data is needed. The job also obtains role to user assignments and role content information from the back-end systems. Access Control then translates the transaction usage information into role usage.
    If this information could be extracted from the backend tables, I am looking for an alternative way to load data into the system, regardless of ERM. Is it possible?
    Thanks in advance
    Marta

  • GRC AC 10.0 - CUP User Authentication

    Hi All
    We have installed GRC AC 10.0 as a part of ramp up implementation. We will soon start with the configuration steps. For user interfacing we have 2 options (1) NWBC (2) Portal. Architecture of GRC AC 10.0 is based on webdynpro ABAP.
    Now we had a question wherein if we choose NWBC as a front end, then how do we integrate the LDAP for CUP user authentication.
    If we need to integrate LDAP as an authentication source for users in CUP, is our only option to go with Portal as the user interface?
    Please advise.
    Thank you.
    Anjan pandey

    > That feature in AC 10.0 is called End User Login and will have its own URL to access via browser.
    Thanks Frank for your response. I did go through the RKT documents and it seems that there is a link through which the end users will create requests. We have also planned to set up LDAP connectivity for user authentication.
    Thanks.
    Anjan Pandey

  • User Access Review Workflow - GRC 10

    Hi Team,
    UAR request contains items which are not directly assigned to users/roles,
    Example: child roles of composite roles
    We are on GRC SP13.
    1807552 - UAM: UAR request shows indirect roles and wrong usage count
    1821101 - UAM: User Id missing from provisioning log for UAR requests
    1865864 - UAM: Wrong data in UAR Request & adding Expired Roles filter
    1829331 - UAM: Issues with UAR requests
    I have gone through the above four SAP notes and all are part of SP13.
    I just want to know if anyone has faced the same issue and whether the below note is applicable for our GRC system SP13 or not.
    1970118 - UAM : Expired and locked Users and indirect role assignment are also display in UAR request
    Please suggest
    Regards,
    Madhu.

    Hi Shweta,
    We have already raised an OSS message for the same: 336348 / 2014.
    Regards,
    Madhu.

  • User Access Management(UAM) in SAP

    What are the various options to perform UAM for SAP solutions from an external application? For example can we create Users, groups, assign roles etc within SAP?
    1) Is webservice an option? If so, is it RESTful or SOAP based?
    2) Is an RFC call available?
    3) Can we use any other mechanism such as a BAPI wrapped with our own custom module exposed as an RFC?

    I have looked at your screenshots, and am not too concerned with the MSMP settings yet as we are trying to first fix your Generation job.
    I would enable the admin review in your setting to just see if all the necessary data is being generated, i.e. in case there are blank role owners for some roles, this could be causing an issue.
    As for your criteria selection, ensure no blank fields were left in the selection made.
    I would have a read of the following WIKI and see if any of the points mentioned are applicable. The first mistake made by many is to not perform the sync jobs in the correct order.
    Troubleshooting UAR Request Generation - Governance, Risk and Compliance - SCN Wiki
    From my memory, I know for SOD reviews "offline risk analysis" had to be enabled, but unsure if this is also necessary for UAR.
    Also refer to the following general wiki User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

  • Set Single user with reviewer access to multiple conference room calendars

    I want to add a single user with reviewer access to multiple conference room calendars. I used the command below but it gave the error below. I am able to add a single user, but adding a single user to multiple conference room calendars is not happening.
    Import-csv C:\smtp1.csv | foreach-object {Add-MailboxFolderPermission -identity $_mail":\Calendar" -User "Mike" -AccessRights "Reviewer"}
    Smtp1.csv
    mail
    [email protected]
    [email protected]
    Error:--
    [PS] C:\>Import-csv "C:\smtp1.csv" | foreach-object {Add-MailboxFolderPermission -identity "$_mail:\Calendar" -User "Mike" -AccessRights "Reviewer"}
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
    The specified mailbox "\Calendar" doesn't exist.
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 78C23328,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

    I tried with that as well but am getting the below:
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    A positional parameter cannot be found that accepts argument ':\Calendar'.
        + CategoryInfo          : InvalidArgument: (:) [Add-MailboxFolderPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Add-MailboxFolderPermission
    Cannot process argument transformation on parameter 'Identity'. Cannot convert value "" to type "Microsoft.Exchange.Configuration.Tasks.MailboxFolderIdParameter". Error: "Valu
    e cannot be null.
    Parameter name: mailboxFolderId"
        + CategoryInfo          : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxFolderPermission
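
The errors quoted above are consistent with `$_mail` being read as an empty variable named `_mail` instead of the `mail` property of the pipeline object `$_`, so the identity collapses to `\Calendar`. The following is an added example, not part of the original posts: it builds each identity with a `$()` subexpression, skips empty rows, and previews the grant with `-WhatIf`; the room addresses are constructed sample values and the function name is hypothetical.

```powershell
# Added example. Sample CSV content is constructed; replace with Import-Csv C:\smtp1.csv.
$rooms = @'
mail
room1@example.com
room2@example.com
'@ | ConvertFrom-Csv

# Hypothetical helper: turn CSV rows into "<address>:\Calendar" folder identities.
function Get-CalendarIdentity {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.mail)) {
            Write-Warning "Skipping row with an empty 'mail' column"
            continue
        }
        # $() evaluates the property first; ":\Calendar" is then appended literally.
        "$($row.mail.Trim()):\Calendar"
    }
}

$reviewer = 'Mike'   # user named in the original post
$haveExchange = [bool](Get-Command Add-MailboxFolderPermission -ErrorAction SilentlyContinue)

foreach ($id in Get-CalendarIdentity -Rows $rooms) {
    if (-not $haveExchange) {
        # Outside the Exchange Management Shell: only show what would be targeted.
        Write-Output "Would grant Reviewer on '$id' to '$reviewer'"
        continue
    }
    # Avoid the "existing permission entry" error by checking first.
    $existing = Get-MailboxFolderPermission -Identity $id -User $reviewer -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Output "'$reviewer' already has $($existing.AccessRights) on '$id'"
        continue
    }
    # -WhatIf previews the change; remove it once the identities look right.
    Add-MailboxFolderPermission -Identity $id -User $reviewer -AccessRights Reviewer -WhatIf
}
```

Reviewing the `-WhatIf` output before removing the switch keeps a malformed CSV from granting access on the wrong mailbox.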

  • Not able to search for FF IDs on clicking Super user access tab in request

    Hi experts
    In GRC AC 5.3 CUP, I'm trying to create a new request with the Superuser Access request type. On selecting the request type, I get the superuser access tab enabled in the request. Now when I click on that, I am not able to search for any Firefighter IDs which are present in the backend SAP system.
    However, when I try the same in another CUP box in the landscape, it works. I could see all the FF IDs in that system.
    What configuration do I miss in the first box which is not allowing me to view the Ids on search .
    Thanks

    Yes , I had chosen a wrong connector . you are right .
    if the connector is working fine , all the Firefighter Ids are fetched properly.
    Thanks

  • SAP GRC AC 5.3 (CUP) connecting to module of R/3 (HR)

    Hello,
    I have a problem.
    I want to monitor from SAP GRC AC 5.3 (CUP) some event, activation or trigger when someone creates or makes some modification to an employee in the HR module. Maybe from the Tcode PA20, AP30 or PA40.
    IS there a "how to" or a manual to configure this from the SAP GRC AC 5.3?
    Thank you in advance
    Best Regards...
    Pablo Mortera.

    Pablo,
       I am not clear on what exactly you want but as far as I know there is no monitoring capability in CUP. If you want to monitor something, you will have to write your own Java code (for CUP front-end) or ABAP code (SAP back-end) to access particular database tables.
    Regards,
    Alpesh

  • Multiple users accessing single application in HTML DB 2.1 with XE

    Hi,
    I am struggling to setup an application in HTMLDB 2.1 on XE.
    I would like multiple users to be able to access the same application. I have created the application and the users but now I need to give the new users access to the application.
    Can someone highlight how to do this? Is it with authorisation schemes?
    Thanks
    Joel.

    Joel,
    Have you reviewed the XE documentation on Managing End Users?
    http://download-west.oracle.com/docs/cd/B25329_01/doc/appdev.102/b25309/wrkspc.htm#CHDDFDCH
    Sergio

  • Can multiple XP users access the same iTunes library?

    Because I'm having a REALLY hard time getting that to work at all. I've moved my entire iTunes folder into 'Shared Documents' so that all users should be able to access it and changed the option in iTunes Preferences to the correct 'all users' path, but iTunes still tries to find the info in 'my' (sal's) documents instead of 'all.'
    Anyone figure this out, or does it somehow break the EULA and isn't supported? The wife and I just want to use the same library since we're on one computer. Seems silly to not allow a user with admin rights to allow other users access.
    Thanks,
    Sal

    Sal,
    As this article in the Apple Knowledge Base explains the trick is to move the iTunes Music folder, not the entire iTunes folder, to "a publicly accessible location" and I believe they mean to suggest C:\Documents and Settings\All Users\Documents\My Music as a good place.
    It is important that the iTunes Library files remain in Sal's Documents and Sal's Wife's Documents.

  • Multiple simutaneously logged in users accessing AFP home directories?

    Hi,
    Many of our problems are described in this guy's blog:
    http://alblue.blogspot.com/2006/08/rantmac-migrating-from-afp-to-nfs.html
    The basic capability we want is to have multiple simultaneously logged in users to have access to their AFP mounted home directory, which is configured in a sane, out-of-the box setup using WGM and Server Admin.
    Multiple user access could take the form of FUS (fast user switching), or simply allowing a user to SSH into a machine that another user is already logged into and expect to be able to manipulate the contents of her home directory.
    From my extensive searches, I have no reason to believe this is currently possible with 10.4 Server and AFP.
    (here's the official word from apple: http://docs.info.apple.com/article.html?artnum=25581)
    I've read that using NFS home directories will work, though.
    I want to believe that Apple has a solution for this by now (it's been almost a year since we first had difficulty), or at least a sanctioned workaround. If Apple doesn't have one, maybe someone else has come up with something clever. I find it hard to believe that more people haven't wanted this capability! (not being able to easily search the discussion boards doesn't help, though...)
    Thanks for your help!
    Adam

    Parallels Issue. Track at http://forum.parallels.com/showthread.php?p=135585

  • Service Desk User access

    Hi Experts,
    I want my service desk users to log in on Solman so they can update message status and their remarks.
    So what authorization objects are needed in their profile? Please suggest.
    Can we block users' access in such a way that they are not able to add or change other users' issue messages?
    Because if I give access to crm_dno_monitor to any user, he may access and process all issue tickets.
    Thanks
    Andrew

    Andree,
    Actually we provide variants for crm_dno_monitor.
    So they have the option of seeing only tickets belonging to themselves.
    For example, create a variant of crm_dno_monitor by choosing "mine", then save it and create a ztcode in se93 for the same.
    Assign this tcode in the user menu to the respective role of the user.
    So when this user logs in and clicks on the link, he sees only "mine" tickets, i.e. tickets belonging to him. He doesn't have access to crm_dno_monitor.
    Pls assign pts.

  • How to set up reverse proxy to allow user access portal site from internet

    Hi all,
    I have installed 10g (10.1.2.0.2) AS on the same machine (single IP for both mid and infra, with different users respectively). There is a DMZ on which Windows IIS is working, through which we need to redirect requests to the application server so that users can access the portal page from the internet (within the intranet all URLs are working fine). I have gone through the technet documentation, where I found 3 ways, through this link:
    http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
    Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
    Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
    Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
    I am confused to which option to use. Also i went through the metalink document 270160.1
    Please help me which option to choose to do this.
    Thanks.

    Hi Hozy,
    Maybe it's too late, but I am thinking of going the same route for our SAP portal access for external customers. Please can you share your experience, like what challenges you faced, what the complexity is, and what resources we need to configure this?
    I appreciate your feedback.
    Thanks
    Krish

  • How to trace an user access

    Even if I've got no DBA permission (for example I don't see the v$session table), have I got any way to trace the users accessing the DB? How can I do it? I was told about trace but can someone tell me more? I'd like to know the user accessing the DB and the operation that he's launching. Is it possible?
    Thanks!

    Anything is possible if you have the correct privileges. But then you probably don't have those privileges, and probably for a reason, as you probably also don't have the DBA role for a reason.
    If you are to enable trace in a different session, you would need execute access on an Oracle provided package, which differs by version, and of course you assume Oracle never changes, and there is only one version out there: yours.
    For a DBA it would be the easiest to grant you the select_catalog_role and the execute_catalog_role.
    But then again one would ask why you think you should spy on him, and why you don't cooperate with him and/or try to convince him.
    Sybrand Bakker
    Senior Oracle DBA

  • Way to allow the user access to the saved lists of this Z report

    We have a Z report that we want to run at midnight each Sunday and then view the output/layout first thing Monday morning. We can schedule the report to run but it appears that the only way we can save the output as a 'file' for later viewing is by using the "Save with ID" option, which puts the output into a SAP 'saved list'.
    The problem with this is that it doesn't appear to be possible to access that list from the Z-report - it would appear that you have to go into SQ01 and use the 'saved list' button. This means giving the Z- report user access to SQ01 as well as Z-report, which, for security (SOD) reasons we don't want to do.
    We can run the report in foreground with the output option "File store" and save the output as a file to a specified location,. But this option doesn't appear to be available when the report is scheduled as a background job. If this is done, the background job runs but there's no output anywhere, as far as we can tell.
    So what want is to run the report in background but with the output option 'File store' or equivalent (i.e. an output stored somewhere that the report user can view). Is this not possible, or have we missed something in setting up the report run?
    Or is there a way to allow the user access to the saved lists of this Z report without giving them T-code SQ01?
    Thanks

    Hi !
    I just wonder if the answer from Varishtb below did solve your problem.
    I have exactly the same problem as you. I also want to be able to look at the saved list without using the sq01.
    If you solved it I will be grateful to get the solution.
    regards Lars
    answer:
    You can call the infoset query directly from a transaction code. There's
    no need to copy it as a 'Z-report' (or as a custom report). In fact,
    every time you're copying an infoset query to a report, you're calling
    for problems the next time you face an upgrade. (That is because SAP
    changes the internal logic used to handle the infosets queries from
    version to version)
    We're using some infoset queries and they work fine this way.
