GRC AC10 Agent based upon Role Attributes

Hi Experts,
Need your help on the issue.
We are trying to achieve the configuration below:
After the Access Request is generated, at the first stage the approver should be selected based upon the business process of the role. If there are multiple roles with different Business Processes and approvers, all of them should approve the request, and then the request should go to the next stage.
There is also a field Business Process on the Access Request screen which denotes the user's association with a Business Process, not the role's. We are able to trigger the approval based upon this field, but we can't find any option for approver selection based upon the business process of the role.
Can someone show a way to achieve that?
We are facing another problem: when the request is approved based upon the field Business Process on the Access Request screen, we are not able to find the request in the next stage; it is still showing in the same stage, while only one role is attached and no other approver is defined.
What could be the reason behind it? Any help is highly appreciated.
Thanks in advance,
Sabita

Hello Sabita,
You can use the transaction GRFNMW_DBGMONITOR_WD to check the logs.
What I understand from your requirement, and what would be my approach:
1) Approvers who will be ROLE OWNERS
-> In this case the first thing is you should upload a few ROLES (NWBC > Access Mgmt --> Role Import) with all the details, i.e. functional area, company, role owner, alternate approver.
---> Now create a "Custom Initiator" from SPRO > GRC > AC > Workflow for Access Control > Define Workflow Related to MSMP Rules for Process ID SAP_GRAC_ACCESS_REQUEST.
Run Tx: BRF+, and you will see a rule created; drill down to "Expression --> Decision Tree"
and use "Table settings" to select "Condition Column" & "Result Rule sets", where you can configure the Custom Initiator.
Now open the MSMP workflow config window:
1) Process Global Settings (notification details if necessary)
2) Maintain Rules (add your custom initiator rule)
3) Maintain Agents (check & if not present add the Role Owner agent)
   i.e. GRAC_AR_ROLE_OWNER (this will satisfy the 1st requirement)
Create a new agent as BSM and map them as "directly mapped user"; similarly, for the 3rd stage you can use a directly mapped user.
4) Variables & Templates --> Skip
5) Maintain Path (add 3 stages as required, i.e. role owner, BSM & security officer)
Now for each stage click on "Modify Task Settings" & tick the individual check boxes as relevant; you can select "All approvers" or "Any one approver", Approve Request based on System & Role, or Request.
The same applies to the other 2 stages.
6) Maintain Route Mapping --> put in the path ID created in the previous step, then save and activate.
I hope this should give you some fair idea.
Thanks
Victor

Similar Messages

  • Work flow issue: Assign agent based on role

    Hi,
    We are facing an issue in SAP workflow.
    How to assign agent based on the role of an employee.
    Thanks for your input.
    Thanks
    Muthukumar

    Hi,
    Make sure that you have configured it properly in transaction OMGS.
    If that is done, then we cannot do much about it.
    I faced a similar issue and I had to convince the user that it is a problem.
    PO release workflow has some problems.
    Hope it helps.
    Regards,
    Shashank

  • GRC AC10 RAR :"Ignore Critical Roles/Profile" option not available in

    Hello Gurus,
    I have configured RAR and the reports are working as usual, but I observed that I could not see two things:
    1) Option to select "IGNORE CRITICAL ROLES/PROFILE" during Role/User ANALYSIS under the "Reports & Analytics" tab.
    I checked in SPRO > GRC > AC --> Maintain Config Settings.
    There is a parameter "Ignore Critical Roles/Profiles" which I first set to "Yes" and then checked in NWBC; I was unable to see the option under "Additional Option".
    Later I changed the SPRO setting to "NO", and again it did not show me.
    Where can I find this option, so that if I upload, say, 10 roles which are assigned to firefighter IDs they should not be analyzed for RAR?
    2) I also could not find any option to upload "DEFAULT roles" which need to be assigned to any "NEW USER" request coming through CUP.
    Where can we make this setting, so that the basic roles get assigned to the user when any new user request comes in?
    Will you please shed some light on this area?
    Thanks in advance.
    Regards,
    Victor

    Hi Johanna
    Have you run the synchronization job subsequent to the configuration of critical roles / profiles ? If not so try running the Synchronization job and then try risk analysis.
    Regards
    Swarna

  • Report on document based on document attributes (custom or standard)

    Hi All,
    Got a requirement to create a custom report in Solman to display document details under a project based upon the attributes (custom or standard) of the document, e.g. document attribute phase 1 would result in a set of documents, phase 2 in another set.
    Please help me from where I can get the required data.
    Regards,

    I think I should have asked my question in a separate thread, since it is considered as a reply to this thread. No indication/tool bar for rewarding points is found.
    Maybe next time I will reward more than expected.
    Thanks for all your service.
    Regards,
    Murali.S

  • How to update Activity based upon Campaign

    Hi !
    We have created some Campaigns with campaign elements.
    These elements have been "connected" to different BPs, based upon roles.
    The corresponding Activities then have to be updated (fields: Dates and Status).
    Our task is to create a routine/program where, based upon the Campaign, the corresponding Activities can be updated.
    Could any one please tell us how to do this?
    Regards
    Torben

    Hi Torben,
    I hope I've got your problem correct. I think that an update of the Activities created during the campaign is not possible. You can try to search for the activities created by the campaign through the link.
    If I've got you wrong could you describe your business case in more detail please.
    Regards
    Gregor

  • Help with Role Attribute config in ERM in SAP GRC AC 5.3

    Hello, 
    I have a doubt.
    We are configuring the Role Attributes of the ERM in SAP GRC AC 5.3.
    Where can I get the Business Process & sub-process of an SAP ECC 5.0, in which Tcode?
    And in the part of "Project/Release", where can I get this element from SAP ECC 5.0?
    Thank you in advance.
    Best regards.
    Pablo Mortera.

    Pablo,
    You won't be able to get BP, SBP and Project/Release information from any Tcode. Whenever a security admin creates a role, they assign the role to a Business Process, Functional Area etc. This information comes from the Business.
    The Project/Release field is used to identify the project name for which this role is being created/maintained.
    These are role attributes which help in role documentation, so the business needs to decide about the association.
    Regards,
    Alpesh

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering whether IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Restrict data based on role ?

    There are several levels in an organization structure; how would I implement security such that folks in the org. tree can see only data at/below their levels?
    e.g.:
    CEO -> VP -> DIR -> MGR -> DEPT
    The fact table carries dept only. So the CEO should be able to see rollups at VP, DIR, MGR, DEPT levels. A DIR should be able to see across all departments he manages.
    What facilities does Discoverer provide to handle this kind of requirement?
    The reports I have all need to present the same kind of information, but the content should be based on the role.

    http://download-west.oracle.com/docs/html/B13918_03/security2.htm#sthref1002
    14.8.1 Introducing Virtual Private Databases, Single Sign-On, and Discoverer
    The Oracle9i Release 1 (and later) Enterprise Edition database's powerful Virtual Private Database (VPD) feature enables you to define and implement custom security policies. Among other things, the VPD feature enables you to enforce fine-grained access control based upon attributes of a user's session information (referred to as application context). This VPD functionality is commonly employed as a way of controlling access to data using the currently logged-on user's Single Sign-On (SSO) identity. For more information about setting up a VPD, see Oracle9i Application Developer's Guide - Fundamentals.
    If Discoverer has been configured to require SSO authentication, Discoverer can pass a Discoverer end-user's SSO user name to the database (as the CLIENT_IDENTIFIER attribute of the built-in application context USERENV). Providing a VPD policy based on SSO user names has been implemented in the database, the data returned to a Discoverer worksheet will be restricted to the data that the SSO user is authorized to access.
    You can optionally add user-defined PL/SQL statements to both database LOGON (and subsequent) triggers and to a Discoverer trigger (eul_trigger$post_login) to use the SSO user name to further control the data that is returned. You can use the database and Discoverer triggers separately or in conjunction with each other.
    14.8.2 Example showing how SSO user names can limit Discoverer data
    The Discoverer manager at Acme Corp. does the following:
    1. Configures the Discoverer middle tier machines so that SSO authentication is necessary to access the Discoverer URLs.
    2. Creates a Discoverer public connection called 'Analysis', that has access to a workbook called 'Sales'.
    3. Creates a VPD policy against the base tables of the workbooks. The VPD policy determines the data that is returned, based on the value of a variable called 'CONTEXT1'.
    4. Creates a database LOGON trigger that sets variable CONTEXT1 to the value of the SSO user name (extracted from the application context information passed to the database by Discoverer).
    The Sales workbook is used by two Discoverer users at ACME Corp., Fred Bloggs and Jane Smith. A typical workflow for these two users is shown below:
    1. User 'Fred.Bloggs' authenticates via SSO and accesses the top level Discoverer URL.
    2. Fred selects the public connection 'Analysis', and opens the workbook 'Sales'.
    3. Fred views the data in the default worksheet, and then logs out.
    4. User 'Jane.Smith' authenticates via SSO and accesses the top level Discoverer URL.
    5. Jane selects the public connection 'Analysis', and then opens workbook 'Sales'.
    6. Jane views the data in the default worksheet.
    Jane sees different data to Fred, despite the identical database connection, workbook, worksheet and database query. The difference is determined by the VPD policy being based on SSO user identities.
    FYI
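    The Acme Corp. steps 3 and 4 above, written out as an added example (not code from the original thread or from the Oracle documentation it quotes): a CONTEXT1 application context filled by a LOGON trigger from the SSO name Discoverer passes as CLIENT_IDENTIFIER, and a VPD policy on the fact table that fails closed when no identity is present. The schema SALES_OWNER, the tables SALES_FACT (DEPT_ID, AMOUNT) and USER_DEPT_SCOPE (SSO_USER, DEPT_ID), and all object names are assumptions made for this illustration.

```sql
-- Added illustration, not from the thread or Oracle's docs. Assumed objects:
-- SALES_OWNER.SALES_FACT(DEPT_ID, AMOUNT) is the Discoverer base table and
-- SALES_OWNER.USER_DEPT_SCOPE(SSO_USER, DEPT_ID) lists every department
-- (own level and below) each SSO user is allowed to see.

-- 1. Application context holding CONTEXT1; only its trusted package may set it.
CREATE OR REPLACE CONTEXT sales_ctx USING sales_owner.sales_ctx_pkg;

CREATE OR REPLACE PACKAGE sales_owner.sales_ctx_pkg AS
  PROCEDURE set_user;
END sales_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY sales_owner.sales_ctx_pkg AS
  PROCEDURE set_user IS
  BEGIN
    -- Copy the SSO identity (USERENV CLIENT_IDENTIFIER) into CONTEXT1.
    DBMS_SESSION.SET_CONTEXT('sales_ctx', 'CONTEXT1',
                             SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'));
  END set_user;
END sales_ctx_pkg;
/

-- 2. LOGON trigger (step 4 in the quoted example) that populates CONTEXT1.
CREATE OR REPLACE TRIGGER sales_owner.set_sales_ctx
  AFTER LOGON ON DATABASE
BEGIN
  sales_owner.sales_ctx_pkg.set_user;
END;
/

-- 3. Policy function: returns the predicate Oracle appends to every SELECT
--    on the protected table. Signature is the one DBMS_RLS requires.
CREATE OR REPLACE FUNCTION sales_owner.sales_fact_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
  v_user VARCHAR2(128) := SYS_CONTEXT('sales_ctx', 'CONTEXT1');
BEGIN
  -- Fail closed: a session without an SSO identity gets no rows,
  -- never the whole table.
  IF v_user IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- The identity is read through SYS_CONTEXT inside the predicate rather than
  -- concatenated into it, so a crafted user name cannot change the SQL.
  RETURN 'dept_id IN (SELECT dept_id FROM sales_owner.user_dept_scope '
      || 'WHERE sso_user = SYS_CONTEXT(''sales_ctx'', ''CONTEXT1''))';
END sales_fact_policy;
/

-- 4. Attach the policy to the base table (step 3 in the quoted example).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_OWNER',
    object_name     => 'SALES_FACT',
    policy_name     => 'SALES_FACT_SSO',
    function_schema => 'SALES_OWNER',
    policy_function => 'SALES_FACT_POLICY',
    statement_types => 'SELECT');
END;
/
```

    Because a client can also set CLIENT_IDENTIFIER after logon (DBMS_SESSION.SET_IDENTIFIER), a policy that reads SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') directly at query time is the more robust variant; the fail-closed branch is the part worth keeping either way.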

  • EAM ID based or Role based? Why settle for just one?

    G'Day All,
    I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
    ID-Based Firefighting vs. Role-Based Firefighting
    So this is where I am at this point:
    From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
    - ID Based: Logs in using own U.ID and through GRAC_SPM accesses an FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc.)
    Only one user at a time can use an FFID.
    Firefighter need not exist in every system assigned to them due to central logon; however they need to exist in the GRC system.
    Knows exactly when the FFID is being used as he/she has to log in, so has a psychological effect (good thing).
    Better tracking of FF tasks: specific log reports with Reason Codes. Bonus point from Auditors!
    Two log-ins, so potential to commit fraud (1 action using own User ID and 1 action using FFID).
    Could be hard to track and find out when a fraud has been committed, so can be a problem with auditors.
          ID Based -> GRAC_SPM: TCode for Centralised Firefighting -> You will see FFIDs assigned to you
          ID Based -> /n/GRCPI/GRIA_EAM: TCode for Decentralised Firefighting -> You can see the FFIDs assigned to you
    - Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID.
    Multiple users can use the FFROLE at once.
    Firefighter has to exist in every system assigned to them, so multiple logons.
    Hard to differentiate between FF tasks and normal tasks as no login is required, so easy to slip up.
    Time consuming to track FF tasks: no specific log reports, no Reason Codes.
         R.Based -> GRAC_SPM: TCode for Centralised Firefighting -> You will see FFROLEs
         R.Based -> /n/GRCPI/GRIA_EAM: TCode for Decentralised Firefighting -> Not applicable so won't work
    So based on this there are pros and cons in both however according to SAP only one can be used. To me personally,  it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
        - Really critical tasks -> FFID
        - Normal EAM tasks -> FFRole
    Alessandaro from the original post pointed this out:
    "Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
    Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
    However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
    So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
    What is stopping us from using it when ID based is the default?
    If I were to do the following does it mean I can use both ?
        - Config Parameter: 4000 = 1 (GRC System) -> ID Based
        - Config Parameter: 4000 = 2 (Plug-In) -> Role Based
    Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
        - Config Parameter: 4000 = 2 (Plug-In) -> Role Based
    However for ID based, it is a Central Logon, so the following is a must:
        - Config Parameter: 4000 = 1 (GRC System) -> ID Based
    Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it you experts and I hope you will shed some light on it.
    Cheers
    Leo..

    Gretchen,
    Thank you for thoughts on this.
    Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
    My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
    My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
    Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
    Scenario
    I've created the following:
    FFID
    FFROLE
    Assigned them to, two end users
    John Doe
    Jane Doe
    I set the Configuration Parameters as follows: 
    IMG -> GRC -> AC -> Maintain Configuration Settings -> 4000:1 - ID Based
    IMG -> GRC (Plug-in) -> AC -> Maintain Plug-In Configuration Settings -> 4000:2 - Role Based
    User1
    John Doe logs into his regular backend system (ECCPROD001) -> executes GRAC_SPM -> Enters the GRC system (GRCPROD001) -> Because the parameter is set to ID based in the GRC Box, he will be able to see the FFID assigned to him -> and will be presented with the logon screen -> Logs in -> Enters the assigned system (let's say CRMPROD001). At this point the firefighting session is in progress.
    User2
    Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her, but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLE. This is done at the same time while the FFID session is in progress.
    So all I want to know is if this scenario is possible? if the answer is No, then why not?
    I physically carried out this scenario in my system and I had no problems(unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
    Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
    So there you have it. That's the whole enchilada(as they say there in Texas). I tried to word my thoughts as concisely as I can, if there are still any clarifications, more information you or anyone else reading this would like, please do let me know.
    Regards,
    Leo..

  • How to go about changing settings based upon logged in user

    Hi all,
    I'm wondering if anyone has any thoughts on how one would go about changing a property on a node based upon the logged in user.
    For example, say you have a path property /apps/myComponent/settings.path=/content/dam/genericfolder that for an author has the value /apps/myComponent/settings.path=/content/dam/sandbox, and for an approver has the value /apps/myComponent/settings.path=/content/dam/approvalsandbox.

    Hi Ove,
    Thanks for the tip on the user role. I had thought about taking that approach, however, leveraging the user role and properties associated with it would be the correct approach if writing custom components. What I am looking for is a way to take existing components, and essentially use them in context of the user.
    For example, say if you are trying to give a sub group of users access to a subset of the DAM directory, and you don't particularly wish to hack around the existing WCM DAM component, there is a setting in the tree navigator (/libs/wcm/core/content/damadmin/treeRoot) that lets you specify where the root of the tree is. (There are more settings to work with, but this is just one used to illustrate.)
    If you can change the property based upon the user, that gives you the functionality without altering code.
    I would like to know if this is possible, if this is an inherently bad practice, if so why, and whether there may be another alternative out there which lets you avoid having to alter the code of an existing component.
    Thanks again for answering.

  • Use of Role Attributes

    Can anyone explain the use of the role attributes found in PFCG change under Utilities/Info Objects/Display Attributes. 
    I found 4 related tables:  AGR_ATTS, AGR_FLAGS, AGR_FLAGSB, and AGR_LSD.  How are these tables populated?  Can additional attributes be added?

    Hi Kathy,
    An answer from SAP: for your requirements "sensitivity of the roles, SOX approval identifier, etc." the role attributes are not a good way to start. Especially for your requirements SAP has created a new business unit, Governance, Risk, and Compliance (http://www.sap.com/solutions/grc/index.epx).
    The SAP Compliance Calibrator is meant to manage risks and controls in SAP systems. The standard functionality does not provide in-depth functionality for this.
    Without any extra tools I would suggest using the free text description field of the roles for the type of documentation that you want to do currently.
    Best regards,
    Christian

  • Difference Between Attribute Tab and Role Attribute Option

    Hi Experts,
    What is the relation between option custom fields and sub-option attribute under option roles in CUP> config.
    I am asking this because I have created a workflow based on functional area and now I am getting two functional area options in CAD (select attribute) and in the initiator. I know where they are coming from:
    1. Custom field > functional area.
    2. Roles > Attributes > functional area.
    Under both options different values are maintained for functional areas, e.g. AP and AR in the first and Bank and Asset in the other one.
    The strange thing to me is that I am able to view only the values maintained in Custom field > functional area while creating a test request; no value is coming from Roles > Attributes > functional area.
    However, while selecting a role (option select role) when initially creating the request, I can see the values maintained under functional area (coming from Roles > Attributes > functional area).
    Regards,
    Mukesh

    Mukesh,
    In simple words, there is no relationship between custom fields and role attributes.
    Functional area under role attributes is referred to as "Functional Area of Role" in CUP. The other functional area refers to the "functional area of the user". In a company, both these functional areas can be similar or different, as a user from "AP" can have roles from "AP" as well as "FI".
    When you are creating the CAD, do not select functional area of role and you will not see the attribute values from the role FA.
    I hope this helps you.
    Regards,
    Alpesh

  • CUP Custom Role Attributes

    All -
    My question is about creating custom role attributes in CUP. I read in the "SAP™ GRC Access Control 5.3 Document Version 3.10 – December 2009" on page 245 that "You can also define your own attributes to support your needs by adding custom fields." I have two questions:
    1) Can I define custom role attributes outside of the delivered ones (Company, Functional Area, Application Area, Business Process, Business Sub-Process, and Functional Area & Company)?
    2) If "yes", where do I do this in CUP?
    I'm running AC 5.3 SP10.
    Any help would be appreciated.
    Thanks,
    Daniel

    Hi Daniel,
    Yes, you can define as many of your own attributes as you want:
    Configuration --> Custom Fields --> Field Label
    All these Field Labels will be shown in a separate tab (Tab Name: Custom Attribute), so in this tab you will get all the attributes which you have created manually. (You can check this in the CUP configuration guide.)
    Hope this will help you.
    Thanks
    Uma Shankar Tekumudi

  • Create maintenance order based upon notification in NWBC / Portal

    Dear experts,
    How to create a maintenance order based upon a notification, using the POWL for notifications?
    I am using NWBC and would like to create a maintenance order based upon a notification put in process.
    In R/3, this works fine using transaction IW22 / IW28 and all info from the notification is copied into the new order.
    How can I get the same functionality using the role SAP_BPR_MAINTENANCE_TECH_12?
    Kind regards,
    Dirk

    Dirk,
    You should be able to select the Notification number from the POWL overview list and choose the "Create Order" push button on the Toolbar (along with display notification, change notification etc.).
    What I have noticed is that once you are inside the notification from the Portal application, the Create Order push button or functionality doesn't seem to exist. This is probably incomplete functionality compared to the standard IW22 transaction, or a bug, and maybe you could raise an OSS Note for the same.
    Regards
    Narasimhan
