GRC Access Enforcer - Technical Dependency?
All,
My organisation currently has GRC Compliance Calibrator and Firefighter installed with version 4.0. Our landscape is based on SAP NW 2004 (XI3.0) with ERP2004 (ECC5), BW3.5 and SRM4.0.
We want to implement Access Enforcer but do not have a Java stack currently enabled on our landscape.
I know that GRC 5.2 requires a Java-enabled instance, but is it possible to implement Access Enforcer onto our current landscape?
Do you know of any implementation guides or technical documentation that could assist?
Cheers,
Simon
Hello Simon,
Java Stack is mandatory to install and operate GRC Access Control 5.2.
For installation, user and security guides, please check service.sap.com at the following path:
Service.sap.com>Release & Upgrade Info>Installation & Upgrade Guides>SAP Solution Extensions>SAP Solutions for GRC>SAP GRC Access Control>SAP GRC Access Control 5.2
Also check the following links for the GRC Access Control Pre-Implementation Guide and the Access Enforcer checklist.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0079de64-f5f1-2910-3688-b16619da82fb
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0b41ebb-34aa-2910-379f-d9e48fb771ee
Thanks
Himadama
Similar Messages
-
Integrate external identity management solution in SAP GRC Access Control
We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white papers mention that extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have info about these services and their documentation? Any hint is appreciated.
thanks
Detlef
Unfortunately, Access Enforcer doesn't implement a number of critical requirements, and implementing it "as is" would be a lot of steps backwards in our process.
What do the published web services do? Is there any documentation about them?
In a part of our process, we must manually pick the current roles (1), the pending roles (2) (roles that were approved but not given due to training prerequisites) and the requested new roles (3) and make the simulation in the VCC.
The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC, and (2) and (3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
Another thing that we want to do is to create a job where it would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
IMHO, as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of Ctrl+C, Ctrl+V from the operators (inefficient and error prone).
Does VCC have any documentation that would help me find out how I would do these integrations?
Thanks in advance
-
Implement GRC Access Control in different landscape
Hi Friends,
In our company we have different landscapes in SAP and now we are planning to implement Access control in all landscape.
R/3 landscapes without any Java stack (both ECC6 and 4.7 EE)
Solution manager landscape
XI landscape.
BW
and EP.
Our first target is the R/3 landscape. Can you please guide me? What will be the best approach to implement AC in R/3 systems, as they don't have any Java stack?
I would appreciate it if you can guide me with the other landscapes also.
Thanks,
Satyabrat
Satyabrat
The GRC landscape is technically separate from the different SAP application components you mention, so technically you can connect the GRC system to any of the other components by creating the appropriate JCOs and SLD entries.
You will need to install the RTAs in each of the required source systems (ERP, ECC, BW, XI, SM, CRM, SRM etc!) but they can all link to the separate GRC systems.
The exact landscape setup is dependent on what you wish to use GRC for. For example, you may wish to only link production GRC to production backend systems for Risk analysis and SoD. However, if you wish to use ERM or use Role based analysis, you may find it useful to connect your production GRC system to your development backend systems where the roles are actually defined!
The architecture is deliberately flexible to allow you to do this.
For the initial use cases, it may make sense to keep Production segregated away from Pre-production systems, but in the future you may find that you wish to re-assess this as your usage grows.
Regards, Simon
-
Virsa Access Enforcer Upgrading from 5.1 to 5.2
Hi,
we are upgrading Virsa Access Enforcer from 5.1 to 5.2 GRC according to the Access Control 52 Product Migration Guide.
All required steps were finished successfully.
After this, not a single request in AE can be displayed (Error: Request Approval Screen is not displayed because Request Status has changed).
One example of the error from the AE log:
2007-11-08 10:24:32,160 [SAPEngine_Application_Thread[impl:3]_12] ERROR SQL Exception in insert : [NWMss][SQLServer JDBC Driver][SQLServer]Violation of PRIMARY KEY constraint 'PK__VIRSA_AE_WF_STGF__149DFBA3'. Cannot insert duplicate key in object 'dbo.VIRSA_AE_WF_STGFLD'. ==> VIRSA_AE_WF_STGFLD : {FLD_NAME=Request Role, WFTYPE=AE, FLD_DESCRIPTION=Request Role}
Neither can the audit trail be displayed (Error: No audit trail found for given range or invalid range specified).
In AE52 there are four new tables which have a new column, REQPATHID, added:
VIRSA_AE_RQD_WPCLD
VIRSA_AE_RQD_WPFWD
VIRSA_AE_RQD_WPHST
VIRSA_AE_RQD_WPTRN
Entries in these tables were copied during the upgrade from the tables:
VIRSA_AE_RQD_WFCLD
VIRSA_AE_RQD_WFFWD
VIRSA_AE_RQD_WFHST
VIRSA_AE_RQD_WFTRN,
but the REQPATHID entries were not properly created.
Btw, when I did the AE52 installation from scratch, not an upgrade, on the PROD system, I was copying table entries manually and also had to insert REQPATHID values manually in the above-mentioned tables.
What I am expecting is that, when upgrading, this should be done by the system automatically.
Has anyone had a similar experience with upgrading, and how did you handle this?
Thank you.
Regards,
Robert Bilicic
Hi Christof,
The VB codes used in the Excel sheets are only Excel dependent. I don't think Microsoft has any backward compatibility issue with 2003 to 2007. Similarly, the VB commands from 5.1 are maintained in 7, so you should not face any major issues there too.
Badrish
-
Is Compliance Calibrator the same as GRC Access Control?
I have been asked to look at Compliance Calibrator and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a document called "SAP GRC Access Control" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles", e.g.:
"SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts automatically."
None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called Access Enforcer but have no info on this... can anyone enlighten me?
SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.
-
Connector problem with access enforcer
Hi Guys,
I am facing a really strange problem with my connectors.
We have a test installation of GRC which was down for about 3 months.
During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
Anyhow I still can't modify, test or even create a new connector for access enforcer.
The only error I get is "Action failed".
I tried to analyze the logs but found no help there too.
2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
java.lang.NullPointerException
at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
Did anybody here face a problem like that?
Kind regards,
Bastian
I had a similar problem with CC and I had to contact SAP. They gave me a script to run against the database that removes the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.
-
Multi User request in Access Enforcer
Is anyone aware of a user limit in an access enforcer multi user request?
We get errors when we submit a multi user access enforcer request with more than 25 users.
Thanks
Hi
There is no standard limit, even though we advise keeping the users to a max of 20.
The limit depends upon the email content you have configured.
In case you have taken the argument USERID in your email notifications, multiple user creation requests cause issues and the limit gets set to anything between 20-25, again depending on the content of the email.
Thanks
-
Upload of role in Access Enforcer 5.2.
Hi All,
I need to upload roles in Access Enforcer from the SAP ECC system. Actually I have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
Now I need some way, first to clean out all the uploaded roles & then upload selected roles.
Please suggest.
Thanks & Regards,
Pravin
Hi Pravin,
Here are the steps:
1) Download all the roles into an Excel spreadsheet:
Go to Configuration -> Roles -> Search Roles -> click on the 'Export' button. In CUP, go to 'Search Roles'. Click on the 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on the Export button. CUP will export all the roles into an Excel spreadsheet in the format which CUP understands.
2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
3) Delete not needed roles from the spreadsheet and upload it into CUP:
Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc. and upload that spreadsheet into CUP.
Regards,
Alpesh
SAP GRC Manager (PwC)
-
CUA still necessary/recommended with Access Enforcer?
Hello forum members,
we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 systems in the landscape, one of them an HR system. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question of whether we should at the same time also have a CUA introduced, or if it is better to directly provision the users and roles from Access Enforcer to the target systems.
What are the pros/cons of having a CUA in between? Does Access Enforcer also provide an overview of all users in all systems and the assigned roles?
Thanks for your replies.
This is a question that I'm asked all the time. For some environments, using CUA with AE is really nice. For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
For example:
a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles. So, an AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity). Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems. If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'. When AE is implemented over the top of this, a user only has to request the 'AP Clerk' role (composite). AE performs the workflows, risk analysis etc. and then finally passes the request to CUA, which then provisions out to the other two systems. Very easy from a user point of view as they only have to request one role, which is their job.
b. If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA. In this scenario, a user must request the applicable roles from each of the three systems. It is more flexible, but a little more difficult for the end user.
I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design. A bit of prototyping helps also!
-
"Refresh" of development Access Enforcer system
Greetings!
Our Access Enforcer system is now in production. Our development system is quite a mess, with old requests and configuration. We would like to make the dev system look more like the production and test systems and get rid of all of the old requests, initiators, stages, etc. Does anyone know how to clean up AE so we can start over with a clean slate? We are on 5.2 with SP3, running on an AIX box with Netweaver only.
Thanks!
Hi,
I am not sure of the reasons for the system refresh. Look at the below points:
1. The RAR data (Rules, Functions, Risks etc.) can be downloaded and uploaded in the Development environment. Why do you need the production user data in Development?
2. The SPM users are intended for production. Why are you planning to copy/simulate them in development?
3. The ERM and CUPs are workflows, where the systems and other settings have to be created manually. What is your intention in getting them to development?
As per my knowledge, no system refresh is performed for GRC systems. Maybe you need to educate the client on these things. Please look for ideas from the other experts too before you go back to your client.
Hope this helps!!
Warm Regards,
Raghu
-
Error in Risk Analyzer of Access Enforcer
We are getting the below error in the Risk Analyzer of Access Enforcer in the GRC system that we have:
Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.XmlUnmarshalException: XML Deserialization Error. Invalid parser state. This exception is caused when deserializing XML type [http://www.w3.org/2001/XMLSchema] and wrong XML node is found.
The version of the system is AE 5.2 SP11 (Build-59112)
Could someone help on this?
Regards
Bharathwaj V
Hi Alpesh,
Thanks for your answers.
We were able to sort out the problem. The problem was with the load balancing at the Java level.
We had 2 server nodes and only 1 server node was taking all the requests, and so it was choked up.
Bharathwaj V
-
Does anybody know where I can find information about Access Enforcer? What I'm interested in is what steps are required to implement the application for user automation.
Try these sites....
http://www.virsa.com/products/access_enforcer.php
http://www.sap.com/solutions/grc/accessandauthorization/index.epx
HB
-
Access Enforcer 5.2 open request details including stage.
Dear All,
We have a requirement to pull the open requests in Access Enforcer 5.2, with the information of the stage at which the open request is.
We have a workflow with 5 stages. Now we have a requirement to pull the information about open requests along with the respective stage in which each request is. In AE 5.2, we can pull the information for open or closed requests, but not with stage information for open requests.
Please assist: is there any alternate way to pull this information, or the Java table in which the request details are stored? We have access to the database.
Thanks & Regards,
GRC Team.
There is a query below that you need to list in the SQL box, but this address varies based upon your support pack. If you're up to date (or close to) on SPs, enter the following address into your web browser AFTER logging into AE: http://<server>:<port>/AE/opensql_test.jsp.
Paste the following query into the SQL box:
SELECT DISTINCT
WPHST.REQNO,
WPHST.REQPATHID,
WPHST.PATHNAME,
WPHST.STATUS AS REQUEST_STATUS,
TBLPATHSTAGE.STAGENAME
FROM
(VIRSA_AE_RQD_WPHST AS WPHST
INNER JOIN VIRSA_AE_WF_PTSTG AS TBLPATHSTAGE
ON (WPHST.PATHNAME = TBLPATHSTAGE.PATHNAME) AND (WPHST.CURRENTAPPRVRSEQ = TBLPATHSTAGE.STAGESEQ))
INNER JOIN VIRSA_AE_RQD_WPTRN AS WPTRN
ON (TBLPATHSTAGE.STAGENAME = WPTRN.STAGE_NAME) AND (WPHST.REQNO = WPTRN.REQNO)
WHERE
(WPHST.ISCURRENTFLAG = 1) AND ((WPHST.STATUS='OPEN') OR (WPHST.STATUS='HOLD'))
-
Access Enforcer/ CUP - Export/ Import?
Hi, I wanted to know if there is a export functionality in the access enforcer/CUP (GRC v 5.2)?? I wanted to export the workflows and other items I have created outside the current environment and import it to a different environment. Is this actually possible??
Thanks,
Ken
Hi,
You can go to configuration -> initial system data and select the checkboxes in front of the data you want to export. Click on the export button and save the file. Now, you can import this data by going to the same place in the other CUP system and importing the file with the 'clean and insert' option.
Regards,
Alpesh
-
CUA vs. Access Enforcer
Can anyone explain the need for implementing both CUA and Access Enforcer?
We are currently upgrading to ECC6.0 and implementing the GRC tools (5.2) and CUA. With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA.
Hi Patrick
1) In this scenario the only benefits with CUA I can see are
a) Password reset
b) Locking and unlocking the user.
2) If you use GRC AC in the landscape, it is not at all recommended to assign roles, profiles using CUA. This can lead to high level compliance/regulatory issues.
3) If you are implementing a new CUA, then I would recommend going for the NW Identity Management Solution. Advantages are
1) User provisioning for SAP and non-SAP systems
2) Can be integrated with GRC for Risk analysis and remediation.
3) Password Management also possible.
https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
regards
Anand.M