GRC CUP CAD

Similar Messages

• GRC CUP Error creating request. Approver not found

  Hi,
  We just upgrade from GRC CUP 14 to GRC CUP 15.6 support pack.I already performed post upgrade steps and when i try to create a request i am getting approver not found.i didnot change workflow.In stage for role approver we have approver determinator "role".
  system log report
  com.virsa.ae.workflow.NoApproverFoundException: No approvers found for req no : 493, for reqPathId, 662, for path, PROD_APPRV_PATH and approver determinator : Role
       at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleApproversTransactions(WorkFlowBOHelper.java:1469)
       at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.handleWFForNewPath(WorkFlowRequestCreateHelper.java:278)
       at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.createNewWorkflow(WorkFlowRequestCreateHelper.java:167)
       at com.virsa.ae.workflow.bo.WorkFlowBO.saveNewWorkflow(WorkFlowBO.java:120)
       at com.virsa.ae.accessrequests.bo.RequestBO.saveNewRequest(RequestBO.java:579)
       at com.virsa.ae.accessrequests.actions.CreateRequestAction.createRequest(CreateRequestAction.java:381)
       at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.createRequestHandler(EUCreateRequestAction.java:135)
       at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:68)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Please let me know solution ASAP.This is high priority.
  Thanks
  Yakoob.

  It looked like some old request stuck in DB.But, not sure about it.I tried by changing the number ranges in configuration by giving the current request number in "from number",but it didn't work.
  This is strange some time it gives "error creating request: path not found." and once this error gone then "error creating request : approver not found".
  To avoid this i created one more stage by custom approver determinator with application attribute and approver assiged.This stage, i assigned before role approver stage then it worked,Request get created and request get provisioned.
  i don't understand why it's not working,if i assigned role approver stage first in a path of workflow.role approver (approver determinator:"role" standard one, "approver" gets from configuration:roles:create role:role approver OR upload from role import).
  Please help
  Thanks
  Yakoob.

• Role Upload template for SAP GRC CUP 5.3

  Good Morning / Afternoon / Evening SAP Security Gurus,
  I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
  According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
  Best Regards
  Steve

  Thanks Ashish,
  Someone else recommended this option as well via another forum. Have tried it out and working fine. 
  Thanks for the reply
  Steve

• How does GRC CUP handle scheduled termination set up in SAP HR ?

  Dear Experts,
  We are planning to use "HR Tiggers"  for Hire, Terminate and transfer events in GRC CUP ? Can some body help me understand how does GRC CUP handle the termination requests that are scheduled in future ?
  Thanks
  Kumar

  I configured HR trigger rule for infotype 0000 & subtype Z1,field MASSN with value equal to 01 to trigger new hire...i don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
  I could see the rule in table /VIRSA/RULEATTR.
  Any help would be appreciated.
  Thanks,
  Srinu

• GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

  Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
  Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
  Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
  Thanks,
  A.

  Hi Alley,
  It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
  We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
  Best Regards,
  Srihari.K

• HR triggers in GRC CUP.. How and when does this work

  Dear Experts,
  I would really appreciate if some one could shed some light on how HR triggers work in GRC CUP ?
  When does this get triggered ?
  Is it when the the user master record is saved or when the Info type 105 is linked ? Are there any pre-requisities that should be taken care from the Hr perspective so that I can set the expectations accordignly with HR team ?
  P.S I already went through the article " How to configure HR triggers with GRC CUP ?
  Thanks
  Kumar

  I configured HR trigger rule for infotype 0000 & subtype Z1,field MASSN with value equal to 01 to trigger new hire...i don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
  I could see the rule in table /VIRSA/RULEATTR.
  Any help would be appreciated.
  Thanks,
  Srinu

• GRC CUP how can i remove  auto link "view" display from email configuration

  Hi,
  When approver/manager gets email.They get display "view" as a link to process the request. How can i remove this and put a full link in email configuration of stages workflow.
  Thanks
  Yakoob.

  Hi,
  I have a similar query on this. We have a clustered environment for our production GRC CUP system. Access to the CUP system is via a load balanced Webdispatcher.
  My question is, when a notification e-mail is sent out from CUP, the "View" link is showing a direct link to one of our clustered server instead of the Webdispatcher link. How can we customize the "View" link?
  We need to ensure the approvers are able to access the link via the webdispatcher so that when a failover in the cluster occurs, they are not affected.
  Thanks.
  Regards,
  Daniel Wong

• Deletion of mass roles from GRC CUP 5.3

  Dear All,
  I have requirement to delete 1000 roles from GRC CUP 5.3.
  I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
  Please advice.
  Regards
  Trinadh Bokka

  Hello Trinadh,
  It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
  Hope it helps,
  Fernando

• GRC CUP & GRC ERM & ECC6_PPOM

  Hi all,
  we have 10.000 users managed & authorized with HR organizationa structure (PPOM) in a ECC6 system.
  We are approachin GRC Compliant User Provisionig(CUP)  & Enterprise Role Management (ERM).
  Do you know if HR organizational structure is considered in GRC CUP ?
  My impression is that (generally speaking) the identity management (SAP IDM, Novell, Tivoli TIM) do not consider the PPOM scenario.
  Any comments ?
  Thanks.
  Andrea

  > My impression is that (generally speaking) the identity management (SAP IDM, Novell, Tivoli TIM) do not consider the PPOM scenario.
  Novell IDM does support both OrgManagement (PPOME) and Position based management, to build up the OrgChart (manager/directReports relationship) inside the Identity Vault.
  Regards
  Holger

• Future direction of User Provisioning Tools ( GRC CUP or IDM)

  Hi Security Colleagues,
  We all know that SAP has GRC CUP(Access Enforcer) and NW IDM for provisioing.
  We can use either of toll for user provisioning.
  Based on your experience , what is the best tool ? ofcourse ,It changes from one company to other depends on requirements.
  I am noticed that  lot of SAP devlopment activity going on around IDM.
  Based on SAP's future direction, what is the best tool ?
  Its a common problem for most of SAP customers as SAP is giving IDM freely as part of NW license.
  please share your thoughts..
  Thank You.

  For Futuristic product availabliliy, I always prefer the following two places to check. Can you please also check their?
  http://service.sap.com/pam
  http://service.sap.com/scl
  Check the following Two points under the 2nd Link:
  Scenario & Process Component
  SAP's Release Strategy
  Now based on your query I will also stick to the suggestions given in the Other two posts. To add few more points which you may get helpful I would like to emphasize on the below discussion:
  u2022 SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.
  u2022 The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.
  u2022 In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.
  Out of all other points, lets discuss about Provisioning:
  u2022 The term provisioning is often used to denote user provisioning or account provisioning.
  u2022 The functionality includes:
  o creation of accounts
  o setting initial passwords
  o setting and modifying access rights
  o disabling (revoking) an account
  o deleting an account
  u2022 The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.
  u2022 User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset)
  (All these details I picked up and pasted here from different section of a Solutioning Material I prepared for my company to introduce IDM solutions to my customer... couldn't give here properly due to space constraints). You can understand the Importance SAP is imposing on this product for All aspects of Automating Security and Identity of Living and Non-Living staffs as well. By using this you can get more benefits besides of Provisioning which is available in separate Solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided u the link) to understand go for an realization assessment.
  regards,
  Dipanjan
  Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

• SAP GRC CUP Getting message "Some unmitigated risks exist".

  Hi,
  when there is one profile or role,when approver mitigate the request.It gets message" Some unmitigated risks exist".
  Already it's configured as unchecked for "Allow Approvers to approve access, despite any conflicts" in GRC CUP.
  Any advise or solution.
  Thanks
  shahed.

  Hi Shahed,
  When u you the seeting "Allow approver to approve dispite Risks" as unchecked. This setting exist at stage level as well as at global level. Stage level setting get the preference. With this setting Approver will not be able to approve the request untill all risks are mitigated or no risks exists. It will show an error some unmitigated risk.
  Kind Regards,
  Srinivasan

• De activating the users upon user Termination in GRC CUP.

  Dear Experts,
  I have a requirement to de-activate users(should not delete physically) in SAP after the users are terminated. we are planning to use HR triggers for HR terminate event in GRC CUP
  Q) I understand there is a De-provision functionality in GRC CUP.  Will this delete users in SU01 physically ? Is  there any way to use this functionality to deactivate the users ?
  Thanks
  Kumar

  Kumar,
     Delete request type will delete users in CUP. What do you mean by deactiving users? Do you mean to change the validity date of the users? You will have to use change request type if you want to change any other information in the user master record other than delete/locking/unlocking of the user.
  Alpesh

• Restrict global (network) directory account in GRC CUP

  Hi,
  How can i restrict to Globad directory( active directory) account in GRC CUP.When i try to create new account in GRC CUP with example test id or any id that is not active directory account,Request is created and approval can approve it too. I want to restrict to global(network) directory.In workflow,intiator i try to define network status,but it asking a value.I have no idea what value to assign.
  Thanks
  Shahed

  Hi Shahed,
  When CUP is allowing you to create IDs with generic names, that means the configuration is not done correctly. Please visit the below link which has complete information on configuring CUP with LDAP:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
  Hope this helps!!
  Regards,
  Raghu

• Error while creating new connector in GRC CUP 5.3

  Hi,
  I am  trying to create a new SAP Connector in CUP 5.3, when i fill in all the fields in the new connection and select  "Test Connection" it says Connection successful and when i save it and look at the Available connectors, i am unable to see my new connector there.
  Does anyone know why is this happening.
  a quick response is appriciated.
  Thanks.
  Edited by: Chaitanya Pallapotu on Jul 14, 2009 9:17 PM

  Hi Chetan,
  I have the same issue when configuring connectors in CUP. I solved it in this way:
  1- Go to RAR(Risk, Analysis and Remediation) --> Configuration --> Connector --> Search
  2- Select one of the connectors and write down the values in the list box of the field JCO Destination.
  3 - Now, go to CUP, and create the connector using the names writed down in step 2.
  CUP will warn you with an error, ignore it,  and then save the connector.
  Note: when creating the connector in CUP, fill the fields, then save/create(here you will have the error msg), then Test Connection, and then save again.
  That works for me!!!
  PD: Always log in to GRC with the same language configured in CUP.
  Hope this works for you!!!

• GRC CUP - How to change SNC Name to lower case during user creation.

  Hi All,
  We are using GRC 5.3. CUP automatically creates user in R3 but SNC p:username'@'DOMAIN.COM is in upper case.
  1. During automated user creation.
  2. How change default DOMAIN.COM to lower case "domain.com"
  Currently we have to manually change is via SU01 after user has been created.
  Thank you
  Regards,
  Jacky

  Sorry please ignore this thread. I got the wrong details. Post cancelled