GRC CUP & GRC ERM & ECC6_PPOM

Hi all,
we have 10.000 users managed & authorized with the HR organizational structure (PPOM) in an ECC6 system.
We are approaching GRC Compliant User Provisioning (CUP) & Enterprise Role Management (ERM).
Do you know if HR organizational structure is considered in GRC CUP ?
My impression is that (generally speaking) the identity management (SAP IDM, Novell, Tivoli TIM) do not consider the PPOM scenario.
Any comments ?
Thanks.
Andrea

> My impression is that (generally speaking) the identity management (SAP IDM, Novell, Tivoli TIM) do not consider the PPOM scenario.
Novell IDM does support both OrgManagement (PPOME) and Position based management, to build up the OrgChart (manager/directReports relationship) inside the Identity Vault.
Regards
Holger

Similar Messages

  • Create user in SAP GRC AC 5.3 for each module (RAR, CUP, SPM, ERM).

    Hello,
    I have a doubt.
    The users of the modules of the SAP GRC AC 5.3 have to be created in the UME of the EP Core, is that right? And then add the roles of each user for each module (RAR, CUP, SPM, ERM), is that right?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    To access GRC AC 5.3 you can create one UME user and assign different roles related to the four GRC components.
    Or you can create different GRC users and assign the respective component roles.
    Examples of GRC Admin roles are:
    AEADMIN
    READMIN
    VIRSA_CC_ADMINISTRATOR
    regards,
    Sudip,

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • GRC UAR without ERM

    Hi Gurus,
         In my client we are planning to go for UAR. Currently we are using CUP, RAR and SPM. We are not using ERM. In this case is it possible to go for UAR without ERM. Is it possible to implement UAR only for CUP. Please clarify us.
    Info:
    SAP GRC 5.3
    SP11
    Imp: CUP, RAR and ERM.
    Thanks and Regards,
    Vasa

    Hello Vasa,
    CUP requires ERM only to capture the Role Usage Data and nothing else for functionality of UAR. All other data is gathered either from RAR or from within CUP itself. You do not need to use ERM completely but you do need to set it up with minimum settings to make it work. You need to configure basic attributes, Landscape, Connectors & run the role usage synchronization job.
    Regards, Varun

  • GRC CUP Error creating request. Approver not found

    Hi,
    We just upgraded from GRC CUP 14 to GRC CUP 15.6 support pack. I already performed the post-upgrade steps, and when I try to create a request I am getting "approver not found". I did not change the workflow. In the stage for role approver we have approver determinator "role".
    system log report
    com.virsa.ae.workflow.NoApproverFoundException: No approvers found for req no : 493, for reqPathId, 662, for path, PROD_APPRV_PATH and approver determinator : Role
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleApproversTransactions(WorkFlowBOHelper.java:1469)
         at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.handleWFForNewPath(WorkFlowRequestCreateHelper.java:278)
         at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.createNewWorkflow(WorkFlowRequestCreateHelper.java:167)
         at com.virsa.ae.workflow.bo.WorkFlowBO.saveNewWorkflow(WorkFlowBO.java:120)
         at com.virsa.ae.accessrequests.bo.RequestBO.saveNewRequest(RequestBO.java:579)
         at com.virsa.ae.accessrequests.actions.CreateRequestAction.createRequest(CreateRequestAction.java:381)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.createRequestHandler(EUCreateRequestAction.java:135)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:68)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Please let me know the solution ASAP. This is high priority.
    Thanks
    Yakoob.

    It looked like some old request was stuck in the DB. But, not sure about it. I tried changing the number ranges in configuration by giving the current request number in "from number", but it didn't work.
    This is strange: sometimes it gives "error creating request: path not found." and once this error is gone, then "error creating request : approver not found".
    To avoid this I created one more stage with a custom approver determinator with application attribute and approver assigned. I assigned this stage before the role approver stage, then it worked. The request got created and provisioned.
    I don't understand why it's not working if I assign the role approver stage first in a path of the workflow. Role approver (approver determinator: "role", the standard one; "approver" comes from configuration: roles: create role: role approver OR upload from role import).
    Please help
    Thanks
    Yakoob.

  • How does GRC CUP handle scheduled termination set up in SAP HR ?

    Dear Experts,
    We are planning to use "HR Triggers" for Hire, Terminate and Transfer events in GRC CUP. Can somebody help me understand how GRC CUP handles termination requests that are scheduled in the future?
    Thanks
    Kumar

    I configured HR trigger rule for infotype 0000 & subtype Z1,field MASSN with value equal to 01 to trigger new hire...i don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
    I could see the rule in table /VIRSA/RULEATTR.
    Any help would be appreciated.
    Thanks,
    Srinu

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    Will greatly appreciate it if anyone is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR? But this can be tiresome, because then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore, comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR.
    We also have the same issue and are performing a manual review at regular intervals of the user & role assigned mitigation controls.
    Best Regards,
    Srihari.K

  • HR triggers in GRC CUP.. How and when does this work

    Dear Experts,
    I would really appreciate if some one could shed some light on how HR triggers work in GRC CUP ?
    When does this get triggered ?
    Is it when the user master record is saved or when the Infotype 105 is linked? Are there any prerequisites that should be taken care of from the HR perspective so that I can set the expectations accordingly with the HR team?
    P.S. I already went through the article "How to configure HR triggers with GRC CUP?"
    Thanks
    Kumar

  • GRC CUP how can i remove  auto link "view" display from email configuration

    Hi,
    When the approver/manager gets the email, they get "view" displayed as a link to process the request. How can I remove this and put a full link in the email configuration of the workflow stages?
    Thanks
    Yakoob.

    Hi,
    I have a similar query on this. We have a clustered environment for our production GRC CUP system. Access to the CUP system is via a load balanced Webdispatcher.
    My question is, when a notification e-mail is sent out from CUP, the "View" link is showing a direct link to one of our clustered server instead of the Webdispatcher link. How can we customize the "View" link?
    We need to ensure the approvers are able to access the link via the webdispatcher so that when a failover in the cluster occurs, they are not affected.
    Thanks.
    Regards,
    Daniel Wong

  • Deletion of mass roles from GRC CUP 5.3

    Dear All,
    I have requirement to delete 1000 roles from GRC CUP 5.3.
    I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
    Please advise.
    Regards
    Trinadh Bokka

    Hello Trinadh,
    It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
    Hope it helps,
    Fernando

  • Future direction of User Provisioning Tools ( GRC CUP or IDM)

    Hi Security Colleagues,
    We all know that SAP has GRC CUP (Access Enforcer) and NW IDM for provisioning.
    We can use either tool for user provisioning.
    Based on your experience, what is the best tool? Of course, it changes from one company to another depending on requirements.
    I have noticed that a lot of SAP development activity is going on around IDM.
    Based on SAP's future direction, what is the best tool?
    It's a common problem for most SAP customers, as SAP is giving IDM freely as part of the NW license.
    Please share your thoughts.
    Thank You.

    For Futuristic product availability, I always prefer the following two places to check. Can you please also check there?
    http://service.sap.com/pam
    http://service.sap.com/scl
    Check the following Two points under the 2nd Link:
    Scenario & Process Component
    SAP's Release Strategy
    Now based on your query I will also stick to the suggestions given in the Other two posts. To add few more points which you may get helpful I would like to emphasize on the below discussion:
    • SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.
    • The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.
    • In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.
    Out of all other points, let's discuss Provisioning:
    • The term provisioning is often used to denote user provisioning or account provisioning.
    • The functionality includes:
      o creation of accounts
      o setting initial passwords
      o setting and modifying access rights
      o disabling (revoking) an account
      o deleting an account
    • The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.
    • User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset).
    (All these details I picked up and pasted here from different section of a Solutioning Material I prepared for my company to introduce IDM solutions to my customer... couldn't give here properly due to space constraints). You can understand the Importance SAP is imposing on this product for All aspects of Automating Security and Identity of Living and Non-Living staffs as well. By using this you can get more benefits besides of Provisioning which is available in separate Solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided u the link) to understand go for an realization assessment.
    regards,
    Dipanjan
    Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

  • SAP GRC CUP Getting message "Some unmitigated risks exist".

    Hi,
    When there is one profile or role and the approver mitigates the request, it gets the message "Some unmitigated risks exist".
    "Allow Approvers to approve access, despite any conflicts" is already configured as unchecked in GRC CUP.
    Any advice or solution?
    Thanks
    shahed.

    Hi Shahed,
    When you use the setting "Allow approver to approve despite Risks" as unchecked: this setting exists at stage level as well as at global level. The stage level setting gets the preference. With this setting the Approver will not be able to approve the request until all risks are mitigated or no risks exist. It will show an error "some unmitigated risk".
    Kind Regards,
    Srinivasan

  • De activating the users upon user Termination in GRC CUP.

    Dear Experts,
    I have a requirement to de-activate users (should not delete physically) in SAP after the users are terminated. We are planning to use HR triggers for the HR terminate event in GRC CUP.
    Q) I understand there is a De-provision functionality in GRC CUP.  Will this delete users in SU01 physically ? Is  there any way to use this functionality to deactivate the users ?
    Thanks
    Kumar

    Kumar,
    Delete request type will delete users in CUP. What do you mean by deactivating users? Do you mean to change the validity date of the users? You will have to use change request type if you want to change any other information in the user master record other than delete/locking/unlocking of the user.
    Alpesh

  • GRC CUP CAD

    Hi,
    We have different SOD Approvers in the approver matrix for risk level (high, medium, low) (risk levels from the Risk Analysis and Remediation system). I didn't see in the CAD attributes (workflow) any risk level or risk IDs to map priority (high, medium and low) for the SOD approver. So, I cannot define or create SOD approvers for risk analysis levels (high, medium and low). We are not using the mitigated rule org attribute.
    Thanks
    Yakoob.

    Hi Vani,
    If I create a custom field, let's say SOD Violations (RISK Level) with high, medium and low: when I do field mapping, where do I map it? I cannot create a connector to Risk Analysis and Remediation to map the fields. Looks like I cannot segregate SOD approvers for SOD Violations (risk levels) in GRC CUP 5.3.
    Regards
    Yakoob.

  • Restrict global (network) directory account in GRC CUP

    Hi,
    How can I restrict to Global directory (Active Directory) accounts in GRC CUP? When I try to create a new account in GRC CUP with, for example, a test ID or any ID that is not an Active Directory account, the request is created and the approver can approve it too. I want to restrict to the global (network) directory. In the workflow initiator I tried to define network status, but it is asking for a value. I have no idea what value to assign.
    Thanks
    Shahed

    Hi Shahed,
    When CUP is allowing you to create IDs with generic names, that means the configuration is not done correctly. Please visit the below link which has complete information on configuring CUP with LDAP:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
    Hope this helps!!
    Regards,
    Raghu
