GRC Access Enforcer - Technical Dependency?

All,
My organisation currently has GRC Compliance Calibrator and Firefighter installed with version 4.0. Our landscape is based on SAP NW 2004 (XI3.0) with ERP2004 (ECC5), BW3.5 and SRM4.0
We want to implement Access Enforcer but do not have a java stack currently enabled on our landscape.
I know that GRC 5.2 requires a java enabled instance but is it possible to implement Access Enforcer onto our current landscape?
Do you know of any implementation guides or technical documentation that could assist?
Cheers,
Simon

Hello Simon,
Java Stack is mandatory to install and operate GRC Access Control 5.2.
For installation, user and security guides please check at service.sap.com in the following path:
Service.sap.com>Release & Upgrade Info>Installation & Upgrade Guides>SAP Solution Extensions>SAP Solutions for GRC>SAP GRC Access Control>SAP GRC Access Control 5.2
Also check following links for GRC Access Control Pre-Implementation Guide and Access Enforcer checklist.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0079de64-f5f1-2910-3688-b16619da82fb
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0b41ebb-34aa-2910-379f-d9e48fb771ee
Thanks
Himadama

Similar Messages

  • Integrate external identity management solution in SAP GRC Access Control

    We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white papers mention that extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have info about these services and documentation? Any hint is appreciated.
    thanks
    Detlef

    Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
    what do the published webservices do? Is there any documentation about them?
    In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
    The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
    Another thing that we want to do is to create a job that would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
    IMHO, as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of Ctrl+C/Ctrl+V from the operators (inefficient and error prone).
    Does VCC have any documentation that would help me find out how I would do these integrations?
    Thanks in advance
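The simulation over current (1), pending (2) and requested (3) roles and the mitigating-control cleanup job described in this post, sketched as an added example (not part of the original post and not SAP GRC code). The risk ids, role names, function names and control id are constructed, and all three functions are hypothetical.

```python
# Added example: hypothetical data model, not an SAP GRC API or table layout.

# Constructed SoD rule set: a risk exists when one user holds both functions.
RISKS = {
    "P001": ("maintain_vendor", "post_payment"),
    "P002": ("create_po", "approve_po"),
}

# Constructed mapping of roles to the functions they grant.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"post_payment"},
    "VENDOR_MASTER": {"maintain_vendor"},
    "BUYER": {"create_po"},
    "PO_APPROVER": {"approve_po"},
}


def risks_for(roles):
    """Return the ids of all risks triggered by the combined roles."""
    functions = set()
    for role in roles:
        if role not in ROLE_FUNCTIONS:
            # Fail closed: an unmapped role must not count as "no risk".
            raise KeyError(f"role {role!r} has no function mapping")
        functions |= ROLE_FUNCTIONS[role]
    return {rid for rid, (a, b) in RISKS.items()
            if a in functions and b in functions}


def simulate(current, pending, requested):
    """Simulate a request over current (1), pending (2) and requested (3) roles.

    Returns (new_risks, all_risks): risks the request would add, and every
    risk the user would hold once pending and requested roles are assigned.
    """
    before = risks_for(current)
    after = risks_for(set(current) | set(pending) | set(requested))
    return after - before, after


def orphaned_mitigations(current_roles, mitigations):
    """Return mitigating controls whose risk the user no longer has.

    mitigations maps risk id -> control id assigned to this user.
    """
    live = risks_for(current_roles)
    return {risk: ctl for risk, ctl in mitigations.items() if risk not in live}


if __name__ == "__main__":
    current, pending, requested = {"AP_CLERK", "BUYER"}, {"VENDOR_MASTER"}, {"PO_APPROVER"}
    print("without pending:", simulate(current, set(), requested)[0])
    print("with pending:   ", simulate(current, pending, requested)[0])
    # The user later loses BUYER, so P002 no longer applies to them.
    print("orphaned:", orphaned_mitigations({"AP_CLERK", "PO_APPROVER"},
                                            {"P002": "MC_PO_REVIEW"}))
```

Leaving the pending roles out of the simulation reports only P002; including them also surfaces P001, which is why all three role sets have to feed the analysis.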

  • Implement GRC Access Control in different landscape

    Hi Friends,
    In our company we have different landscapes in SAP and now we are planning to implement Access control in all landscape.
    R/3 landscapes without any Java stack (both ECC6 and 4.7 EE)
    Solution manager landscape
    XI landscape.
    BW
    and EP.
    Our first target is the R/3 landscape. Can you please guide me? What will be the best approach to implement AC in R/3 systems, as they don't have any Java stack?
    I will appreciate it if you can guide me with the other landscapes also.
    Thanks,
    Satyabrat

    Satyabrat
    The GRC landscape is technically separate from the different SAP application components you mention, so technically you can connect the GRC system to any of the other components by creating the appropriate JCOs and SLD entries.
    You will need to install the RTAs in each of the required source systems (ERP, ECC, BW, XI, SM, CRM, SRM etc!) but they can all link to the separate GRC systems.
    The exact landscape setup is dependent on what you wish to use GRC for. For example, you may wish to only link production GRC to production backend systems for Risk analysis and SoD. However, if you wish to use ERM or use Role based analysis, you may find it useful to connect your production GRC system to your development backend systems where the roles are actually defined!
    The architecture is deliberately flexible to allow you to do this.
    For the initial use cases, it may make sense to keep Production segregated away from Pre-production systems but in the future, you may find that you wish to re-assess this as your usage grows.
    Regards, Simon

  • Virsa Access Enforcer Upgrading from 5.1 to 5.2

    Hi,
    we are upgrading Virsa Access Enforcer from 5.1 to 5.2 GRC according to the Access Control 52 Product Migration Guide.
    All required steps were finished successfully.
    After this not a single request in AE can be displayed (Error:Request Approval Screen is not displayed because Request Status has changed),
    One example of the error from the AE log:
    2007-11-08 10:24:32,160 [SAPEngine_Application_Thread[impl:3]_12] ERROR SQL Exception in insert : [NWMss][SQLServer JDBC Driver][SQLServer]Violation of PRIMARY KEY constraint 'PK__VIRSA_AE_WF_STGF__149DFBA3'. Cannot insert duplicate key in object 'dbo.VIRSA_AE_WF_STGFLD'. ==> VIRSA_AE_WF_STGFLD : {FLD_NAME=Request Role, WFTYPE=AE, FLD_DESCRIPTION=Request Role}
    Neither can the audit trail be displayed (Error:No audit trail found for given range or invalid range specified).
    In AE52 there are four new tables which have a new column REQPATHID added:
    VIRSA_AE_RQD_WPCLD
    VIRSA_AE_RQD_WPFWD
    VIRSA_AE_RQD_WPHST
    VIRSA_AE_RQD_WPTRN
    Entries to this tables were copied during upgrade from tables:
    VIRSA_AE_RQD_WFCLD
    VIRSA_AE_RQD_WFFWD
    VIRSA_AE_RQD_WFHST
    VIRSA_AE_RQD_WFTRN,
    but REQPATHID entries were not properly created.
    Btw, when I did the AE52 installation from scratch, not an upgrade, on the PROD system, I was copying table entries manually and also had to insert REQPATHID values manually in the above-mentioned tables.
    What I am expecting is that, when upgrading, this should be done by the system automatically.
    Has anyone had a similar experience with upgrading, and how did you handle this?
    Thank you.
    Regards,
    Robert Bilicic

    Hi Christof,
    The VB codes used in the excel sheets are only excel dependent. I don't think Microsoft has any backward compatibility issue with 2003 to 2007. Similarly the VB commands from 5.1 are maintained in 7 so you should not face any major issues there too.
    Badrish

  • Is Compliance Calibrator the same as GRC Access Control?

    I have been asked to look at Compliance Calibrator and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a Document called "SAP GRC Access Control" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles" eg:
    "SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts  automatically."
    None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called Access Enforcer but have no info on this... can anyone enlighten me?

    SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.

  • Connector problem with access enforcer

    Hi Guys,
    I am facing a really strange problem with my connectors.
    We have a test installation of GRC which was down for about 3 months.
    During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
    Anyhow I still can't modify, test or even create a new connector for access enforcer.
    The only error I get is "Action failed".
    I tried to analyze the logs but found no help there too.
    2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
    java.lang.NullPointerException
         at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
         at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
         at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
         at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
         at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
    Did anybody here face a problem like that?
    Kind regards,
    Bastian

    I had a similar problem with CC and I had to contact SAP. They gave me a script to run against the database that removes the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.

  • Multi User request in Access Enforcer

    Is anyone aware of a user limit in an access enforcer multi user request?
    We get errors when we submit  a multi user access enforcer request with more than 25 users.
    Thanks

    Hi
    There is no standard limit even though we advise keeping the users to a max of 20.
    The limit depends upon the email content you have configured.
    In case in your email notifications you have taken the argument USERID, then a multiple user creation request causes issues and the limit gets set to anything between 20-25, again depending on the content of the email.
    Thanks

  • Upload of role in Access Enforcer 5.2.

    Hi All,
    I need to upload roles in Access Enforcer from the SAP ECC system. Actually I have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
    Now I need some way, first to clean the entire set of uploaded roles & then upload selected roles.
    Please suggest.
    Thanks & Regards,
    Pravin

    Hi Pravin,
       Here are the steps:
    1) Download all the roles into an excel spreadsheet:
    Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
    2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
    3) Delete not needed roles from spreadsheet and upload it into CUP:
    Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
    Regards,
    Alpesh
    SAP GRC Manager (PwC)

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them an HR System. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question of whether we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, a AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk'  role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • "Refresh" of development Access Enforcer system

    Greetings!
    Our Access Enforcer system is now in production. Our development system is quite a mess, with old requests and configuration.  We would like to make the dev system look more like the production and test systems and get rid of all of the old requests, initiators, stages, etc. Does anyone know how to clean up AE so we can start over with a clean slate? We are on 5.2 with SP3, running on an AIX box with Netweaver only.
    Thanks!

    Hi,
    I am not sure on the reasons for system refresh. Look at the below points:
    1. The RAR data (Rules, Functions, Risks etc) can be downloaded and uploaded in the Development environment. Why do you need the production user data in Development?
    2. The SPM users are intended for production. Why you are planning to copy/simulate them in development?
    3. The ERM and CUPs are workflows, where the systems and other settings have to be created manually. What is your intention in getting them to development?
    As per my knowledge, no system refresh is performed for GRC systems? May be you need to educate the client on these things. Please look for the ideas from the other experts too before you go back to your client.
    Hope this helps!!
    Warm Regards,
    Raghu

  • Error in Risk Analyzer of Access Enforcer

    We are getting the below error in Risk analyzer of access enforcer in the GRC system that we have
    Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.XmlUnmarshalException: XML Deserialization Error. Invalid parser state. This exception is caused when deserializing XML type [http://www.w3.org/2001/XMLSchema] and wrong XML node is found.
    The version of the system is AE 5.2 SP11 (Build-59112)
    Could someone help with this?
    Regards
    Bharathwaj V

    Hi alpesh,
    Thanks for your answers.
    We were able to sort out the problem. The problem was with the load balancing at Java level.
    We had 2 server nodes and only 1 server node was taking all the requests and so it was choked up.
    Bharathwaj V

  • SAP Access Enforcer

    Does anybody know where I can find information about Access Enforcer? What I'm interested in is what steps are required to implement the application for user automation.

    Try these sites....
    http://www.virsa.com/products/access_enforcer.php
    http://www.sap.com/solutions/grc/accessandauthorization/index.epx
    HB

  • Access Enforcer 5.2 open request details including stage.

    Dear All,
    We have requirement to pull the open requests in Access Enforcer 5.2, with the information of the stage at which the open request is.
    We have a workflow with 5 stages. Now we have requirement to pull the information about open request along with the respective stage in which the request is. In AE 5.2, we can pull the information for open or closed request, but not with stage information for open request.
    Please assist is there any alternate way to pull this information. or the java table in which the request details are stored. We have access to database.
    Thanks & Regards,
    GRC Team.

    There is a query below that you need to list in the SQL box, but this address varies based upon your support pack.  If you're up to date (or close to) on SPs, enter the following address into your web browser AFTER logging into AE:  http://<server>:<port>/AE/opensql_test.jsp.
    Paste the following query into the SQL box:
    SELECT DISTINCT
        WPHST.REQNO,
        WPHST.REQPATHID,
        WPHST.PATHNAME,
        WPHST.STATUS AS REQUEST_STATUS,
        TBLPATHSTAGE.STAGENAME
    FROM
        (VIRSA_AE_RQD_WPHST AS WPHST
            INNER JOIN VIRSA_AE_WF_PTSTG AS TBLPATHSTAGE
                ON (WPHST.PATHNAME = TBLPATHSTAGE.PATHNAME)
                AND (WPHST.CURRENTAPPRVRSEQ = TBLPATHSTAGE.STAGESEQ))
        INNER JOIN VIRSA_AE_RQD_WPTRN AS WPTRN
            ON (TBLPATHSTAGE.STAGENAME = WPTRN.STAGE_NAME)
            AND (WPHST.REQNO = WPTRN.REQNO)
    WHERE
        (WPHST.ISCURRENTFLAG = 1)
        AND ((WPHST.STATUS='OPEN') OR (WPHST.STATUS='HOLD'))

  • Access Enforcer/ CUP   - Export/ Import?

    Hi, I wanted to know if there is an export functionality in the Access Enforcer/CUP (GRC v 5.2)? I wanted to export the workflows and other items I have created outside the current environment and import them to a different environment. Is this actually possible?
    Thanks,
    Ken

    Hi,
      You can go to configuration -> initial system data and select the checkboxes in front of the data you want to export. Click on export button and save the file. Now, you can import this data by going to same place in the other CUP system and import the file with 'clean and insert' option.
    Regards,
    Alpesh

  • CUA vs. Access Enforcer

    Can anyone explain the need for implementing both CUA and Access Enforcer?
    We are currently upgrading to ECC6.0 and implementing the GRC tools (5.2) and CUA. With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA.

    Hi Patrick
    1) In this scenario the only benefit with CUA I can see is
         a) Password reset
         b) locking and unlocking the user.
    2) If you use GRC AC in landscape, it is not at all recommended to assign roles, profiles using CUA. This can lead to high level compliance /regulatory issues.
    3) If you are implementing a new CUA, then I would recommend going for the NW Identity Management Solution. Advantages are
        1) User provisioning for SAP and non-SAP system
        2) can be integrated with GRC for Risk analysis and remediation.
        3) Password Management also possible.
            https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    regards
    Anand.M
