GRC Access requests - Audit Log

Similar Messages

• Access request Audit log

  Hi experts,
  For all the access requests we are getting the complete audit trail and Even we will get whether Risk Analysis is scheduled in the Workflow.
  But is there any possibility to get the output of Risk Analysis in the audit trail?
  Please suggest.
  Thanks,

  Hi Sriram,
  in standard solution what you can see in audit log is the information risk analysis during access request was executed, there is no standard way to see this information in audit log.
  If you go for abap customization, please note this information is usualy very big and long and adding it to audit log my simply make audit log unclear...and very much complicated.
  Hope this helps,
  Filip

• Print Access Request Audit Log

  Dear all,
  we want do export or print an audit log of an access request.
  If have tried to use the print-button in the audit log.
  The IE opens, but I only get an grey screen.
  Does anyone know how I can export (as pdf or something else) or print the audit log?
  Which settings must be made or is there an other possiblity?
  BR
  Melanie

  Melanie,
  please check the following notes that might help you:
  http://service.sap.com/sap/support/notes/1848748
  http://service.sap.com/sap/support/notes/1767179
  Please let us know.
  Regards,
  Alessandro

• An error occurred while trying to access the audit log

  Hi I have run Set-Mailbox ian.shapton -AuditOwner Update, Move, MoveToDeletedItems, SoftDelete, HardDelete
  I then created and deleted an email and ran Search-MailboxAuditLog -Identity "ian shapton" -LogonTypes Owner -StartDate "12/21/2014 12:00" -EndDate "12/21/2014 13:00" -ShowDetails
  I see An error occurred while trying to access the audit log. For more details, see the inner exception.
      + CategoryInfo          : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogException
      + FullyQualifiedErrorId : [Server=Mailbox01,RequestId=07f17915-f25d-4fd5-b23e-f07a2482f4a4,TimeStamp=21/12/2014 16:45:39] [FailureCategory=Cmdlet-AuditLogException] 255D6156,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog
  MSExchange CmdletLogs shows Microsoft.Exchange.Data.ApplicationLogic.AuditLogServiceException: The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired','The search operation could
  not be completed within the allotted time limit. Please try to narrow down your scope to reduce the result set.'.
  I am a Recipient Admin and Org Admin and can search other mailboxes using -LogonTypes Delegate
  Any idea what I am missing here?
  shapi

  Hi,
  I have the same problem when I run the Search-MailboxAuditLog command.  It has been working for 2 weeks but suddenly after moving databases from one datacenter to another and back again it stopped working.  The account running the command
  is in all necessary roles needed.
  This is what I have tested after it stopped working:
  - Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) = Works
  - Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) -showdetails = does not work and comes with an error.
  "The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired',
  'The search operation could not be completed within the allotted time limit. 
  Please try to narrow down your scope to reduce the result set.'."
  This is very bad for us because we use a lot of shared mailboxes with delegates and want to report delegate action on these mailboxes.
  Environment:
  - 3 datacenters
  - Exchange 2013 CU7
  Thorir
  thorir

• Email content in GRC access request

  Dear Experts,
  Can any one let me know from where GRC access request email content is picked up which creating creating throught access request.?
  I.e when ever the requestor creating request, the manager will get an email( and in my scenario the email document is maintained in document maintenance(se61 tcode) ). Now i need to prefix user full name in email content(which the manager receives) with Mr./Ms.
  Thanks
  Katrice

  Hi,
  My issue is resolved my enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
  """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End                                                                          A
  *$*$-Start: (1)---------------------------------------------------------------------------------$*$*
  ENHANCEMENT 1  ZGRC_EMAIL_TITLE.    "active version
  DATA: lw_fullname  TYPE string,
         lw_variables TYPE grfn_s_msg_variable,
         lw_logsys    TYPE logsys,
         lw_system_id_temp  TYPE string,
         lw_user            TYPE grac_user,
         lw_return TYPE int4,
         lW_user_details    TYPE grac_s_user_detail.
         SELECT SINGLE logsys  INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
         IF sy-subrc = 0.
          lw_system_id_temp = lw_logsys.
         ENDIF.
  READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
     IF sy-subrc EQ 0.
      lw_user = lw_variables-value.
        TRY.
                CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
                  EXPORTING
                    iv_system_id    = lw_system_id_temp
                    iv_user         = lw_user
                  IMPORTING
                    ev_return_code  = lw_return
                    es_user_details = lw_user_details.
             CATCH cx_grfn_exception .                   "#EC NO_HANDLER
            ENDTRY.  
  ENDIF.
     READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
     IF sy-subrc EQ 0.
       CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
       MODIFY et_variables FROM lw_variables index sy-tabix.
     ENDIF.
  ENDENHANCEMENT.
  *$*$-End:   (1)---------------------------------------------------------------------------------$*$*
  Thanks
  KH

• GRC 10.1 Access Request - Provisioning Logs Not Available

  Hello guys,
  I am currently running into an issue with the user provisioning logs, the Request Approval notification which is sent to the user are at the end of an approved access request are as below and the Provisioning Logs tab is throwing a timeout error when opened.
  "Hi Varsha Upadhyay (B001193),
  The Request number : 26 , has been processed and the Request is Closed. The details are as follows:
  Provisioning failed; check provisioning log for details.
  Kind regards,
  Access Control Administrator "
  I have checked the table 'GRACREQPROVLOG'  and I see the logs available in the table, When I open the logs for a particular request no I see the below error message under the 'Prov Message' field
  "Type conflict when calling a function module (field length)"
  Similarly in SLG1, I find the following message at the end of each provisioning task that has taken place at the end of a request being approved.
  "Error in RFC; 'Type conflict when calling a function module (field length)'.
  I made sure I gave SAP_ALL to all the RFC ID's and also the WF-BATCH ID's, and the integration scenarios are also defined correctly for all the target system.
  It seems that this error is just preventing the provisioning details from being displayed in the email or in the Provisioning logs, but the user provisioning has actually taken place as expected (viewed in SU01).
  So i'm wondering even after provisioning has actually taken place successfully, why would this error occur. Does anyone know the source for this error message, please let me know what am I missing?

  Hi Narsimha,
  The error seems to be associated with wrong type being passed as a parameter to a function module.
  Can you check the field mapping for your connectors in SPRO? There might be a mismatch happenning there.
  Thanks
  Sammukh

• Audit Logs failing to load

  The Audit Logs in the Azure Portal are not working at all for me today. Is there a deployment going on right now? Is this affecting other people or just me?

  Hi,
  I have tried accessing the Audit Logs from my Subscription and it works.
  I suggest you to try the below
  Sign out and Sign in again and check if you are able to access
  Try opening the Portal on a different Web Browser and check
  Hope this helps !
  Regards,
  Sowmya

• GRC 10.0 Access request Management Audit

  Hello All,
  Can Anyone let me know what  Auditors Check When they Audit GRC 10.0 Access request Management (excluding Configuration).
  Thanks
  Mohammed Wasim

  Hi,
  ARM supports key ITGC controls for user access management, so probably audit would also cover:
  - review of updated processes & controls
  - check (based on sample) if all requests were properly approved
  - review of correctness of approvers assignment
  - verification if what was requested was provisioned
  - timely removal of terminated access
  - review of SoD controls embedded in process
  - periodic review of user access
  and maybe some more controls. In most cases it will be sample based testing so auditors may ask for a sample of requests to trace them to back-end systems and opposite sample of changes in users privileges to verify if proper requests were prepared for those changes...
  Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
  Best regards, Andrzej

• Error while trying to submit Access request to GRC from IDM

  Hello
  We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
  We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
  Is there anything wrong with the script which put RoleData details since its getting aborted ?
  I tried providing Role name directly in Role data attribute inside the action task and got following error:
  Error
  putNextEntry failed
  storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
  Exception from Add operation:javax.naming.NamingException: [LDAP: error code
  82 - (GRC User Access Request:82:Script execution failed)]; remaining name
  'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
  I checked VDS Logs and there was one error :
  Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
  From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
  Regards
  Deepak Gupta

  Thanks Christopher
  I got my issue fixed, There was issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
  Regards
  Deepak Gupta

• Provisioning log is not available on Access request type Change Account

  Hi,
  So I have and issue when I try to submit a request to add a role to a user and I'm trying to understand what could be the reason for it.  Basically I have a workflow that works perfectly for a "Change Request".  I can see that all the steps are executed and then at the end of the request when is suppose to do the actual role assignment I see the message "Provisioning log is not available" then the approval path is finish and the request is closed but when I take a look at the user in the back end the role is not assign.  In terms of access I have try giving SAP_ALL to WF-Batch, nothing shows in Yellow or Red on SLG1 and in SPRO->AC-> User Provisioning -> Define request Type I see "Change Account" with SAP_GRAC_ACCESS_REQUEST.  What else can I do to troubleshoot this error?
  Note: I when back to the  to the AC 10.0 Pre-Implementation From Post-Installation to First Access Request and everythings looks right in terms of the AC Configuration settings.

  Hi Jonathan,
  In my question I was referring to SPRO - GRC/access control/user provisioning / maintain provisioning settings. Those need to be setup (min. global provisioning settings) in order to have role being assigned to user at the end of path.
  Change account option you can see under request type is referring to change user master data(e.g. password/ account validity / details).
  Is this system maintain by CUA? If so settings have to be different (see CUA settings in SPRO)
  I would recommend moving to SP14 as in SP13 there were many bugs, by the way I believe the worst SP ever since beginning of AC is SP13 (maybe due to number), as it destroys many working functionality.
  Filip         

• User details are missing in Access request in GRC 10.0

  Hello All,
  When we are trying to create Access request in GRC 10.0 for an user it results as user  details not found.
  Under SPRO - Maintain data source configuration we have configured 2 HR systems HR1 and HR2.
  But the User details exits in HR1 system and lies in validity also. We have tried to run the Repository Object Sync also still unable to search the details.
  But we observed even after the Sync job User details are not created in table GRACUSER and GRACUSERCONN. Is this could be the problem. Why its not updating even after the Sync job many times almost 10 times.
  We have also configured parameter 5023 to YES.Please advise.
  Thanks in advance.

  Did the sequence for HR1 set to 1 or 2, I hope you are following the suggestions given by Luciana in other thread.
  Please post your data source config screenshots otherwise.
  BR,
  Mangesh

• Audit Log Fails Access Denied

  Hi all,
  We just recently installed SP1 for AQ6.0 and it has helped out alot. Fixed alot of our small issues, but seems to have brougt up a new one. Our Audit Log Management job is now failing every run. It is getting an Access denied error. Actually the error line is JobShell: Exception occurred when processing operation operation 0:103: \\ntapmd01\Plumtree5\PtAudit\audit 9-8-06 2.log (Access is denied). Running verbose dosen't help. I see that the job is running as owner Administrator and I am trying to copy the audit log to a shared network location, but this worked before. Nothing changed except for installing the SP. Any ideas?
  Berney

  First off, it seems like installing the patch reset the user account that ran the plumtree automation service. All I had to do was change the user who runs the automation service and that fixed it.
  As far as service patch 1 goes we had alot of issues when we went to 6.0 with remote users opening documents. SSO redirect kept sending them back to the home page. We had issues with the Intrinsic Community Links portlet, protected excel files, along with some others I can't think of right now. Everything looked fine from the admin point of view, but users were going crazy. All of that went away with the service patch.
  Thanks,
  Berney

• Audit log is not showing any data GRC 10 PC

  Hi,
  when we are trying to execute the audit logs
  under reports in process controls,not showing data and getting
  error like no data matching the entere selec criteria.
  do we need any configuration changes required
  Thanks
  GRC Admin

  Hello,
  check the table DBTABLOG if data contains or not,if no data then maintain the parameter rec/client in RZ11 and try the same
  while executing the audit log need to maintain the time frame as HH:MM not HH:MM:SS
  check the below link about DBTABLOG
  Change Log Monitor Enabling by Table log Activation in SAP Production Environment - Governance, Risk and Compliance - SC…
  Regards
  Baithi

• GRC 10.0: Access Request Creation - LDAP user advanced search not working

  Dear Experts,
  We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
  Scenario 1: If we put the user name in “User” field and press intro, the user details are updated:
  Scenario 2: If we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
  We are using the Active Directory as Data Source.
  Thanks and Regards.

  Hi Jose,
  Try maintaning the parameter 2050 as YES and check once.
  Kindly, also make refer to  the below list of SAP notes:
  1757906 - GRC 10.0 - LDAP user search does not work in NWBC
  1745370 - LDAP search in GRC does not work anonymously
  1718242- UAM: User search not working in Access Request.
  Regards,
  Neeraj Agarwal

• GRC 10.0 Access Request Creation- Data Source of User Details

  Hi Experts,
  I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
  While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
  In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
  My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
  Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
  Thanks,
  Atanu

  Alessandro,
  Thanks for your response. It helped me to know certain things.
  But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
  Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
  Thanks in advance!
  Atanu