GRC CUP workflow

Similar Messages

• How to send the 3rd email in the MSMSP CUP workflow?

  Hello GRC community,
  at first thank you all for your great support during the last months. Four month ago I started the implementation of AC in our department without any GRC experience. But now, four months later we are just about to implement the AC 10.0. Thank you all.
  Now we are working on the following issue, where we need your help. Let me explain what the issue is:
  After the finishing the last step in CUP workflow (WS76300056) the workflow sends out 2 emails: (method CL_GRFN_MSMP_WF_TEMPLATE_BASE --> UPDATE_PATH_FINISHED sends out these 2 emails)
  1.to the USER
  2.to the REQUESTER
  But due to our presystem which is a part of the Access request workflow we want to send out a 3rd email to a 3rd recipient. Getting the 3rd recipient is not the issue. The issue is: where do we have to implement the sending of the notification? Our own Investigation comes up to an enhancement point which seems to be the right place to add ABAP code which sends out the 3rd email.
  Has anybody similar issue or the experience with the following enhancement and could help us? Or maybe there is an alternative solution? Any hints are welcome.
  Package: GRFN_MSMP_WORKFLOW
  Enhancement: GRFN_MSMP_END_OF_PATH_NOTIF
  Thanks, and best regards
  Sabrina

  The send mail function will send mail to the users and or alias in the workflow step where you invoke it. The IDOC script guide will help you with implementing these kinds of things.
  http://download.oracle.com/docs/cd/E10316_01/cs/cs_doc_10/sdk/idoc_script_reference/wwhelp/wwhimpl/js/html/wwhelp.htm
  IDOC script by usage / Workflow
  wfNotify is the one you want to look at specifically.
  Workflow
  The following Idoc Script variables and functions are related to workflows.
  Configuration Variables
  isRepromptLogin
  IsSavedWfCompanionFile
  PrimaryWorkQueueTimeout
  WorkflowDir
  WorkflowIntervalHours
  Global Functions
  getValueForSpecifiedUser
  Workflow Functions
  wfAddActionHistoryEvent
  wfAddUser
  wfComputeStepUserList
  wfCurrentGet
  wfCurrentSet
  wfCurrentStep
  wfDisplayCondition
  wfExit
  wfGet
  wfGetStepTypeLabel
  wfIsFinishedDocConversion
  wfIsNotifyingUsers
  wfIsReleasable
  wfLoadDesign
  wfNotify
  wfReleaseDocument
  wfSet
  wfSetIsNotifyingUsers
  wfUpdateMetaData
  Other Variables
  AllowReview
  dWfName
  dWfStepName
  entryCount
  IsEditRev
  IsWorkflow
  lastEntryTs
  SingleGroup
  wfAction
  wfAdditionalExitCondition
  wfJumpEntryNotifyOff
  wfJumpMessage
  wfJumpName
  wfJumpReturnStep
  wfJumpTargetStep
  wfMailSubject
  wfMessage
  wfParentList
  WfStart

• GRC CUP Error creating request. Approver not found

  Hi,
  We just upgrade from GRC CUP 14 to GRC CUP 15.6 support pack.I already performed post upgrade steps and when i try to create a request i am getting approver not found.i didnot change workflow.In stage for role approver we have approver determinator "role".
  system log report
  com.virsa.ae.workflow.NoApproverFoundException: No approvers found for req no : 493, for reqPathId, 662, for path, PROD_APPRV_PATH and approver determinator : Role
       at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleApproversTransactions(WorkFlowBOHelper.java:1469)
       at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.handleWFForNewPath(WorkFlowRequestCreateHelper.java:278)
       at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.createNewWorkflow(WorkFlowRequestCreateHelper.java:167)
       at com.virsa.ae.workflow.bo.WorkFlowBO.saveNewWorkflow(WorkFlowBO.java:120)
       at com.virsa.ae.accessrequests.bo.RequestBO.saveNewRequest(RequestBO.java:579)
       at com.virsa.ae.accessrequests.actions.CreateRequestAction.createRequest(CreateRequestAction.java:381)
       at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.createRequestHandler(EUCreateRequestAction.java:135)
       at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:68)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Please let me know solution ASAP.This is high priority.
  Thanks
  Yakoob.

  It looked like some old request stuck in DB.But, not sure about it.I tried by changing the number ranges in configuration by giving the current request number in "from number",but it didn't work.
  This is strange some time it gives "error creating request: path not found." and once this error gone then "error creating request : approver not found".
  To avoid this i created one more stage by custom approver determinator with application attribute and approver assiged.This stage, i assigned before role approver stage then it worked,Request get created and request get provisioned.
  i don't understand why it's not working,if i assigned role approver stage first in a path of workflow.role approver (approver determinator:"role" standard one, "approver" gets from configuration:roles:create role:role approver OR upload from role import).
  Please help
  Thanks
  Yakoob.

• Role Upload template for SAP GRC CUP 5.3

  Good Morning / Afternoon / Evening SAP Security Gurus,
  I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
  According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
  Best Regards
  Steve

  Thanks Ashish,
  Someone else recommended this option as well via another forum. Have tried it out and working fine. 
  Thanks for the reply
  Steve

• GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

  Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
  Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
  Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
  Thanks,
  A.

  Hi Alley,
  It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
  We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
  Best Regards,
  Srihari.K

• GRC CUP how can i remove  auto link "view" display from email configuration

  Hi,
  When approver/manager gets email.They get display "view" as a link to process the request. How can i remove this and put a full link in email configuration of stages workflow.
  Thanks
  Yakoob.

  Hi,
  I have a similar query on this. We have a clustered environment for our production GRC CUP system. Access to the CUP system is via a load balanced Webdispatcher.
  My question is, when a notification e-mail is sent out from CUP, the "View" link is showing a direct link to one of our clustered server instead of the Webdispatcher link. How can we customize the "View" link?
  We need to ensure the approvers are able to access the link via the webdispatcher so that when a failover in the cluster occurs, they are not affected.
  Thanks.
  Regards,
  Daniel Wong

• Provisioning roles in UME with CUP workflow

  Hello,
  to give our users permission to approve requests in CUP we assign them to LDAP groups. These LDAP groups have different UME roles.
  Is there any possibility to request permnissions for UME roles via a CUP-workflow in general?
  We are using GRC 5.3 SP 8.1
  Thanks
  Manuel Kunkel

  There are some pre-requisites - you need portal content on your AS Java, the "plain" AS Java install won't do.
  Here's a detailed guide on how to set this up:
  http://www.sdn.sap.com/irj/bpx/grc?rid=/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed
  Frank.

• Future direction of User Provisioning Tools ( GRC CUP or IDM)

  Hi Security Colleagues,
  We all know that SAP has GRC CUP(Access Enforcer) and NW IDM for provisioing.
  We can use either of toll for user provisioning.
  Based on your experience , what is the best tool ? ofcourse ,It changes from one company to other depends on requirements.
  I am noticed that  lot of SAP devlopment activity going on around IDM.
  Based on SAP's future direction, what is the best tool ?
  Its a common problem for most of SAP customers as SAP is giving IDM freely as part of NW license.
  please share your thoughts..
  Thank You.

  For Futuristic product availabliliy, I always prefer the following two places to check. Can you please also check their?
  http://service.sap.com/pam
  http://service.sap.com/scl
  Check the following Two points under the 2nd Link:
  Scenario & Process Component
  SAP's Release Strategy
  Now based on your query I will also stick to the suggestions given in the Other two posts. To add few more points which you may get helpful I would like to emphasize on the below discussion:
  u2022 SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.
  u2022 The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.
  u2022 In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.
  Out of all other points, lets discuss about Provisioning:
  u2022 The term provisioning is often used to denote user provisioning or account provisioning.
  u2022 The functionality includes:
  o creation of accounts
  o setting initial passwords
  o setting and modifying access rights
  o disabling (revoking) an account
  o deleting an account
  u2022 The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.
  u2022 User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset)
  (All these details I picked up and pasted here from different section of a Solutioning Material I prepared for my company to introduce IDM solutions to my customer... couldn't give here properly due to space constraints). You can understand the Importance SAP is imposing on this product for All aspects of Automating Security and Identity of Living and Non-Living staffs as well. By using this you can get more benefits besides of Provisioning which is available in separate Solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided u the link) to understand go for an realization assessment.
  regards,
  Dipanjan
  Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

• GRC CUP CAD

  Hi,
  We have  different SOD Approvers in approver matrix for risk level (high,medium,low)(risk levels from Risk Analysis and Remediaton system).I didn't see in CAD attributes(workflow) any risk level or risk ids to map priority ( high medium and low) for SOD approver.So, i cannot define or create SOD approvers for risk analysis levels(high medium and low).We are not using mitigated rule org attribute.
  Thanks
  Yakoob.

  Hi Vani,
  If i create custom field,Let say SOD Violations(RISK Level) with high,medium and low.When i do field mapping,where do i map.I cannot create connector to Risk Analysis and Remediation to map the fields.Looks like, i cannot segregate SOD approvers for SOD Violations(risk levels) in GRC CUP 5.3.
  Regards
  Yakoob.

• Restrict global (network) directory account in GRC CUP

  Hi,
  How can i restrict to Globad directory( active directory) account in GRC CUP.When i try to create new account in GRC CUP with example test id or any id that is not active directory account,Request is created and approval can approve it too. I want to restrict to global(network) directory.In workflow,intiator i try to define network status,but it asking a value.I have no idea what value to assign.
  Thanks
  Shahed

  Hi Shahed,
  When CUP is allowing you to create IDs with generic names, that means the configuration is not done correctly. Please visit the below link which has complete information on configuring CUP with LDAP:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
  Hope this helps!!
  Regards,
  Raghu

• Need help with a CUP workflow scenario

  Dear Experts,
  I'm sure it is not just me encountered this required scenario (or something similar).  I would like some pointers how to transcript it to a CUP workflow:
  Application admin logs a provisioning request.
  Security creates a user account and provisioning the roles on QA.
  Application admin ensures that the user undergoes training on QA.
  Upon passing the training, security replicates the user account and role assignment on PRD.
  The esoteric solution would be one request, two paths, two provisions. Is it somehow possible?
  Client doesn't use CUA.
  The security requirements are higher on PRD, where SoD handling will be required.
  Kind Regards,
  Vit Vesely
  Edited by: Vit Vesely on Apr 29, 2010 3:29 PM

  Hii Vit,
  If you want to have two paths for a single request than only possible solution will be to create role based initiator's.
  Role Based Initiatator's can be created by following Configuration -> Workflow-> Initiator-> create.
  Here Select the attibute as roles.
  For example create two Initiator
  Intiator1 -> having Role1 attribute -> Path1
  Intiator2 -> having Role2 attribute -> Path2
  Now in the request if u select Role 1 & Role 2, than request will follow the parallel path ( path1 & path 2)
  Else it is not possible to have parrallel workflow path for any other attribute.
  In Case you can have provisioning at end of the paths as well as end of the request.
  Kind Regards,
  Srinivasan

• How does GRC CUP handle scheduled termination set up in SAP HR ?

  Dear Experts,
  We are planning to use "HR Tiggers"  for Hire, Terminate and transfer events in GRC CUP ? Can some body help me understand how does GRC CUP handle the termination requests that are scheduled in future ?
  Thanks
  Kumar

  I configured HR trigger rule for infotype 0000 & subtype Z1,field MASSN with value equal to 01 to trigger new hire...i don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
  I could see the rule in table /VIRSA/RULEATTR.
  Any help would be appreciated.
  Thanks,
  Srinu

• HR triggers in GRC CUP.. How and when does this work

  Dear Experts,
  I would really appreciate if some one could shed some light on how HR triggers work in GRC CUP ?
  When does this get triggered ?
  Is it when the the user master record is saved or when the Info type 105 is linked ? Are there any pre-requisities that should be taken care from the Hr perspective so that I can set the expectations accordignly with HR team ?
  P.S I already went through the article " How to configure HR triggers with GRC CUP ?
  Thanks
  Kumar

  I configured HR trigger rule for infotype 0000 & subtype Z1,field MASSN with value equal to 01 to trigger new hire...i don't see any data being populated into table /VIRSA/INT_TRIG & ?VIRSA/DATA.
  I could see the rule in table /VIRSA/RULEATTR.
  Any help would be appreciated.
  Thanks,
  Srinu

• Deletion of mass roles from GRC CUP 5.3

  Dear All,
  I have requirement to delete 1000 roles from GRC CUP 5.3.
  I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
  Please advice.
  Regards
  Trinadh Bokka

  Hello Trinadh,
  It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
  Hope it helps,
  Fernando

• GRC CUP & GRC ERM & ECC6_PPOM

  Hi all,
  we have 10.000 users managed & authorized with HR organizationa structure (PPOM) in a ECC6 system.
  We are approachin GRC Compliant User Provisionig(CUP)  & Enterprise Role Management (ERM).
  Do you know if HR organizational structure is considered in GRC CUP ?
  My impression is that (generally speaking) the identity management (SAP IDM, Novell, Tivoli TIM) do not consider the PPOM scenario.
  Any comments ?
  Thanks.
  Andrea

  > My impression is that (generally speaking) the identity management (SAP IDM, Novell, Tivoli TIM) do not consider the PPOM scenario.
  Novell IDM does support both OrgManagement (PPOME) and Position based management, to build up the OrgChart (manager/directReports relationship) inside the Identity Vault.
  Regards
  Holger