GRC: defining and maintaining profile with GRC.

Hi to all.
Some questions from operational staff:
1- With GRC, could I define, maintain and delete users, roles and profiles for all SAP systems I'm managing?
2- How can GRC help me to define, maintain and delete users, roles and profiles?
3- Could GRC become the only system I have to log on to in order to define, maintain and delete users, roles and profiles?
Thanks a lot.

Hi Alpesh,
I was thinking that ERM (GRC RE module) and CUP (GRC AE module) could be a help to create/maintain users/roles/profiles.
Now you are writing me that ERM and CUP will replace the transactions SU01/PFCG we are using now in development systems; we will maintain the prod system via change request transports.
So I'm realizing we will work only in GRC and we will transport what is done in GRC via change requests into all our SAP systems...
Is that right?
Thanks a lot for your answer.
Regards

Similar Messages

  • Validation for Project definition and project profile

    Hello,
    I have to create a validation for Project Definition and Project Profile. The user requirement is: when a project (e.g. Z/0120) is created with the project profile Z0001_Z (for example), the system should allow it; if the user tries to select any other profile, the system has to give an error.
    I tried the validation below but it is not working:
    Prerequisite - PROJ-PSPID = 'Z'
    Check   -  PROJ-PROFL = Z0001_Z
    Kindly suggest how I can set up the validation for this.
    Regards,
    Lakshmi.
    Message was edited by: Mohamed Rafi - Many threads available on this topic search for those.

    Hi,
    Have you tried to save the project? The validation rule is called at the time of saving the project.
    I have created the same, but for projects starting with 'U'.
    When I create a project, the validation rule is called at the time of saving, and the system throws an error if the project does not start with 'U'.
    Now if I create one here starting with 'J', the system throws an error as per the validation rule.
    Also, please check that you have assigned the correct rule to the project profile.
    Regards
    Shishir

  • Critical Action and Role/Profile Analysis job is not running in GRC 5.3

    Hi Team,
    I am working for a client where GRC 5.3 is installed (support pack 4 and patch 1).
    The installation is complete and the post-processing is also done.
    We have scheduled a periodic (weekly) incremental background job for Critical Action and Role/Profile.
    The following parameter settings are used:
    Task: Risk Analysis -Batch
    Batch Mode : Incremental
    The first time, it ran successfully on 28th June '09 and completed with a spool as well. The next run was supposed to be on 4th July '09, but it did not run, and since then it has been in the same state.
    I am not able to find any reason why it is behaving this way, while other incremental jobs are running successfully.
    It would be helpful if anyone could guide me to a solution.
    Regards,
    Kakali

    Hi Varun,
    I go to the Job History button. It shows the following data only:
    2009-06-28 00:00:59 Done Job Completed successfully
    2009-06-27 23:45:00 Started RAR_PE1CLNT100_Critical Action and Role/Profile Analysis started :threadid: 0
    Under the Last Run column it shows 28th June (Status - completed).
    Under Next Run Date it is showing 4th July.
    Following is the list of updates available from SP05:
    - When executing the critical roles/profile jobs in background, a message "error while executing the Job: null" comes up. --- (this one comes under the Informer tab)
    - Background job spools are not available after upgrade from 5.2 to 5.3.
    - Critical action and critical role/profile analysis cannot be run in background by system. --- (but in my case it ran once)
    - Selection parameters (System, User and User Group) have been provided for "Critical Action and Role/Profile Analysis" in Configuration->Background Job->Schedule Job. --- (it means it runs usually)
    - Critical Actions report in detail view shows no results after executing the Risk Analysis Job in the background. The same report shows data when executed in the foreground. (this one comes under the Informer tab)
    - When there is only one periodic job configured in RAR, this job fails to start after the first time in the specified time. (this is not true, because there are other periodic jobs running successfully)
    - Unable to run Informer - audit reports - critical role and profiles with logical systems. (this is again under the Informer tab)
    I had gone through this earlier also, but was not able to match any update with my problem. If you have any other suggestion, please provide it.
    Is there any way to check the job log so that I can see what the problem is? The View Log option is also greyed out, as we have the SAP logger set up as the default logger parameter. I enabled it just to check, but there is nothing.
    Please Guide.
    Regards,
    Kakali

  • End User Unlock and Password Reset in GRC AC 10.0

    Hi Dears,
    I have an issue related to End User Unlock and Password Reset.
    We maintained the data source as SU01 in SPRO, so that users are able to access the GRC application through End User Login with their ECC system login details to raise a request.
    If a user is locked or has forgotten the ECC system password, then the user is not able to access the GRC application through End User Login with the ECC system login details to unlock or reset the password.
    In this situation, how can the user unlock or reset the password for the ECC system?
    Could you please provide a solution to resolve the issue?
    Note: no LDAP or Active Directory.
    System details: GRC AC 10.0, SP12.
    Regards,
    Karnatak.

    Hi Rupesh
    That was my warning on the post I linked you to
    Quite a few PSS solutions have this as a setup (even SCN). The key thing you are reliant on is that the email account must be restricted to only the user to receive the password/link as well as appropriate Challenge Response Questions defined as part of their registration.
    But yes, they can technically enter any user ID to request the password, and if they know the answers to the questions then they will get the password issued.
    Your alternative is to introduce another system (i.e. AD, which you ruled out) or see if there is a way to introduce second-factor authentication (I don't believe this is delivered with GRC).
    Regards
    Colleen

  • False Positives with GRC AC 5.2

    Hi,
    I have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives in the risk analysis.
    Does anyone know how to solve this problem? Do you have documents or links to help?
    Thanks,
    Ricardo.

    Thank you, Alpesh, for the response.
    In fact, I have several problems with false positives, but at the transactional level. For example, I have a user with the pfcg and su01 transactions. The configuration of profiles in the SAP R/3 system does not allow the user involved to execute both transactions in an end-to-end process; I mean, the user has the transactions via the s_tcode object and has some other objects related to the pfcg and su01 transactions, but he doesn't have the values that allow the transactions to work properly. So Compliance Calibrator reports risks that do not exist.
    It seems that this is a ruleset configuration problem in CC, so my question is: does the standard ruleset detect these problems properly?
    Let me explain the reason that causes the problem.
    We have been working with a customized ruleset, at the customer's request. For that reason we looked at the usobt_c table and we built the ruleset-->functions in CC so that these functions were equal to the usobt_c table. We did that because the standard ruleset shows false positives, such as the first example in this post.
    Thank you very much,
    RCL.
    Edited by: Ricardo  Carrasco on Jun 18, 2009 11:58 PM
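
The difference between transaction-level and permission-level analysis described in the post above, as an added example that is not part of the original thread and is not Compliance Calibrator code. The rule set, the risk id R001, the display-only value 03 and both users are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    """One authorization: an object plus its field values ("*" = any value)."""
    obj: str
    fields: dict

@dataclass
class Function:
    """Constructed rule-set function: a transaction plus the values that make it usable."""
    name: str
    tcode: str
    permissions: list  # [(object, {field: values, any one of which is enough})]

def covers(held, wanted):
    # Only the full wildcard is handled; patterns such as "SU*" are out of scope.
    return "*" in held or bool(held & wanted)

def has_permission(auths, obj, needed):
    # Every field has to match inside one single authorization;
    # values from two different authorizations are never combined.
    return any(
        a.obj == obj
        and all(covers(a.fields.get(f, set()), v) for f, v in needed.items())
        for a in auths
    )

def can_perform(auths, func, level):
    if not has_permission(auths, "S_TCODE", {"TCD": {func.tcode}}):
        return False
    if level == "action":  # transaction-level rule: S_TCODE alone counts
        return True
    return all(has_permission(auths, o, n) for o, n in func.permissions)

def analyse(auths, risks, level):
    """Return the ids of the risks whose two functions the user can both perform."""
    return [rid for rid, (f1, f2) in risks.items()
            if can_perform(auths, f1, level) and can_perform(auths, f2, level)]

# Constructed rule set (not the delivered one): maintaining users conflicts
# with maintaining roles; only create (01) and change (02) count.
MAINTAIN = {"01", "02"}
USER_ADMIN = Function("Maintain users", "SU01", [("S_USER_GRP", {"ACTVT": MAINTAIN})])
ROLE_ADMIN = Function("Maintain roles", "PFCG", [("S_USER_AGR", {"ACTVT": MAINTAIN})])
RISKS = {"R001": (USER_ADMIN, ROLE_ADMIN)}

# Constructed user like the one in the post: both transactions via S_TCODE,
# but only display (03) values in the related objects.
DISPLAY_USER = [
    Auth("S_TCODE", {"TCD": {"SU01", "PFCG"}}),
    Auth("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"03"}}),
    Auth("S_USER_AGR", {"ACT_GROUP": {"*"}, "ACTVT": {"03"}}),
]
# Constructed user who really can change both users and roles.
FULL_ADMIN = [
    Auth("S_TCODE", {"TCD": {"*"}}),
    Auth("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"01", "02", "03"}}),
    Auth("S_USER_AGR", {"ACT_GROUP": {"*"}, "ACTVT": {"*"}}),
]

if __name__ == "__main__":
    for name, user in (("display", DISPLAY_USER), ("admin", FULL_ADMIN)):
        for level in ("action", "permission"):
            print(name, level, analyse(user, RISKS, level))
```

The display-only user is reported at action level and drops out at permission level, while the real administrator is reported at both.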

  • GRC 4.0 running with GRC 10.1 plugins

    Hi Everyone,
    I am commencing a GRC Access Control 10.1 migration Proof of Concept for my current customer. We do not have the luxury of a project environment or of system copying the ERP Development system. GRC AC 4.0 content is currently in use in ERP Production, so the ERP Development system is the configuration master for the GRC 4.0 content.
    One of the early steps in the migration guide is installing the GRC 10.1 plugins. I have searched on here and on SAP notes but cannot find a definitive answer, though there are a number of threads which come very close to what I need.
    My question is simple: once I have installed the 10.1 plugins will the GRC AC 4.0 content still function?
    This is important to us since there is no knowing whether our Proof of Concept will be approved to become a full project. If installing the GRC 10.1 plugins breaks the GRC AC 4.0 content and the project is not approved to continue, we will then have a broken system landscape.
    If anyone has any personal experience of this scenario I would greatly appreciate hearing what you have to say. I assume that experience of the 10.0 plugins will be relevant if that is what you have.
    Looking forward to hearing from you,
    Kind regards,
    Andy

    Thanks for your response Harinam. Must admit I thought more people on here would have had experience of this jump, but clearly most people went from 4 to a 5.x system. In some ways it is a very good thing the customer has held back from jumping to Java.
    Anyway, I had logged a message with OSS in parallel to posting here, thought I would get a good balance of views doing both.
    Here is the official answer we received :
    Once the GRC 10.1 plugin will be installed on the GRC 4.0 system,
    though the 4.0 product is still accessible and the data will still
    remain in the tables, it is no longer supported and it must be clear
    to your users and administrators that the 4.0 product is not to be
    used with the v10.1 plugin.
    SAP Active Global Support
    SAP Labs Palo Alto
    So although I could argue that 4.0 is unsupported so what is the difference, this response is useful to our project team as it further justifies the need to upgrade.
    I am still interested in hearing from anyone who has done this migration path and tried the old tcodes, to know for sure what the result would be.
    I assume also based on the response from OSS we should lock the 4.0 tcodes to make sure no-one hits an old favourite, seeing as they clearly are not removed as part of the migration process.
    cheers,
    Andy

  • Sequence of Installs of RTA and SCA files for GRC AC 5.3

    Hello,
    I would like to confirm the correct sequence of applying RTA and SCA files for GRC AC 5.3.
    On ABAP Stack
    1- Install VirsaNH RTA on ECC 6.0 System with SAINT
    2- Install VirsaHR RTA on ECC 6.0 system which has SAP_HR
    3- Install both VirsaNH RTA and VIRSAHR RTA on a system which is SAP HR
    4- Install VIRSANH RTA on BI System. (There is no need of VirsaHR on BI system)
    5- Install all Support Packages up to 10 or 11 for VIRSANH & VIRSAHR with SPAM
    Next
    On JAVA Stack
    6- Install
    VIRCC00_0.sca
    VIRAE00_0.sca
    VIRRE00_0.sca
    VIRFF00_0.sca
    7- Install VIRACLP00_0.sca
    8- Then install VIRACCNTNT.SAR
    9- Next install EP RTA VIREPRTA00_0.sca
    10- Install all Java patches for the above components
    Based on the above,
    a- Please confirm whether the above sequence is right.
    b- My question is: can I install 6, 7, 8, 9 with JSPM at once as one step?
    c- Also, can I install the SCA files with JSPM first and then install the RTA files on the ABAP stack later?
    d- Also, we have a BI system with ABAP & JAVA stacks. Is VIRSANH sufficient for both ABAP & JAVA, or do we need an additional RTA for BI JAVA?
    Thanks for your valuable inputs in advance.
    Regards,
    Haleem

    Hi,
    > 1- What is the UME of your BI Java stack ?
    >
    > Answer: We have installed BI JAVA, EP, EP Core, so we use SSO with EP and BI ABAP. So the portal is UME for BI Java stack.
    >
    Check below link which will answer your queries:
    Java RTA for GRC 5.3
    > 2- Check SAP Note 1174625 - Access Control 5.3 Java Support Pack Installation
    >
    > I checked the note 1174625, which says the following
    >
    > All of the sap.com/grc files have to be undeployed except the db and dictionary files for each component. The files that are NOT to be undeployed are:
    >
    > - sap.com/grc/ccxsysdb
    > - sap.com/grc/aedict
    > - sap.com/grc/redictionary
    > - sap.com/grc/ffdb
    >
    > Since this is a GRC AC 5.3 install on a fresh Netweaver 7.0 EHP1 Java stack install, do I need to undeploy all the above components, before doing AC 5.3 install, as mentioned in the note.
    >
    This is used when you upgrade your old GRC release to the latest one. So if you are doing a fresh install then you need not do these steps.
    > 3- Also this note 1174625 answers most of my questions, but does not mention anything about VIRACCNTNT.SAR. Is this SAR file installed on JAVA Stack or ABAP stack? Is there an OSS note on VIRACCNTNT.SAR?
    >
    This file contains Roles, Rules, functions for RAR, CUP, ERM etc. in txt files which you need to upload when you will do the configuration of GRC.
    Thanks
    Sunny

  • Integrating BOBJ XI 3.1 with GRC AC 5.3

    Hi all
    Has anyone worked on integrating BOBJ with GRC Access Control 5.3?
    We have been using GRC CUP for access provisioning all the SAP (ECC, BI, Portal) systems. Now, we have integrated SAP Business Objects Enterprise XI 3.1 with our SAP BW system.
    We are looking to provision the BOBJ groups to users when they request BI roles. Has anyone done this integration or do you have any documentation on this topic?
    Appreciate your response.
    Thanks
    Kee

    Hi Kee,
    AC 5.3 CUP can only provision ABAP roles and via the portal RTA UME and portal roles.
    Best,
    Frank

  • Oracle IAM integration with GRC 10

    Hi All,
    Our client is using Oracle IAM for the user provisioning process. Now they have SAP GRC being implemented for two of their SAP systems. The client wants to integrate the SAP GRC 10 modules Access Risk Analysis (ARA) for SoD analysis and User Access Management (UAM) for user provisioning with Oracle IAM.
    As far as I know, web services need to be activated in GRC 10, and that has been done. Now I want to know how Oracle IAM communicates with GRC 10: how connectors need to be developed, how the user account is to be created for web service access and how the parameters are passed from Oracle to GRC.
    Also, how many different scenarios are there in Oracle IAM for this integration?
    In SAP IDM vs SAP GRC integration we have 2 scenarios.
    1. Request raised in IDM -> SOD analysis in GRC -> Provisioning in GRC -> Return success/failure status back to IDM
    2. Request raised in IDM -> SOD analysis in GRC -> Return SOD success/failure status back to IDM -> Provisioning in IDM
    So can anyone help with possible scenarios for this integration process?

    Hi Vikas and Frank,
    Do you have any information on how to enable the web services in GRC 10 (does NWBC hold the key)? If you have any information related to it, please share it with me.
    Thanks and regards,
    keerthi

  • Auto-provisioning new users with GRC 10.1

    There is some lack of clarity at my client on auto-provisioning new users into SAP systems with GRC 10.  Here's what they want and I'm telling them they need SAP IdM.
    The client will regularly have upwards of 500 new users on an on-going basis.  These users are approved and created in Active Directory.  The client believes that GRC 10 can now pick up these new users from Active Directory and then go ahead and provision them into ECC and CRM automatically, as soon as they're created, with no further approval required.
    To the best of my knowledge, the easiest way to do this would be for IdM to do this, and have IdM trigger GRC for certain users, and to provision users who fall into this group of 500 users.
    These users are different from regular users, who need to go through the approval workflows.  Regular users will have managers and roles that need approval.  These 500 or so users are approved to be created in the system and don't need to get caught up in the approval workflow.
    Am I wrong in saying that IdM 7.2 is the best way to do this, or am I missing something about what GRC 10 can do?
    Thanks for your help.  I really appreciate it.

    Hi Santosh,
    In AC 10.1, I created one BRF+ initiator rule. Although I saved it in the GRAC_ACCESS_REQUEST package, the Transport button is not available (not greyed).
    Did you face this issue? How do I get this change into a transport?
    PS: Applications are activated.
    Thanks,
    Mamoon

  • BI_CONT 7.35 with GRC 5.3

    Hi All,
    Has anyone had experience with activating this business content version with GRC 5.3 CC and AE?
    I have created the UD connection and activated all the process chains and downstream objects, however I am pulling almost no data into the DSO's and cubes.
    Master data looks to be populated fine.
    Any help is greatly appreciated.
    Kind Regards,
    Eric

    Hi Eric,
    I've not used the Business Content as such but have been involved with connecting GRC 5.3 to BW for reporting purposes.
    We had to resort to DB connect in our version to connect properly.
    Have you got Data Mart functionality (version 5.3 SP9 and above)? If so, you can use that to prepare the data extract which makes life a little easier than having to manually identify the source of your key fields and characteristics.
    Simon

  • Merging/Flattening Layers with different blending modes and maintaining the visual appearance

    Hello,
    I see there are many others that are having the same problem as me. And alas, it doesn't seem like the problem has been solved or very understood for that matter.
    I want to be able to take a document, that has multiple layers, inside of multiple groups with various layers having various blending modes applied to them and from within that document, select simply two of those layers, one with a Divide blending mode and the other layer Normal, merge those two layers, but have the visual appearance of the merged layer maintain the visual appearance of what the layers looked like before I merged them.
    Everytime I attempt this, Ps takes my Divide layer, reverts it back to Normal and then merges the layers, thus changing the appearance of what it was before the merge. This is not the desired result.
    I understand that when you flatten an entire series of layers, it applies all the blending modes and maintains the visual appearance. Is there a way to do this with just two layers instead of all the layers? If so, that would be great information. If not, why not?
    Thank you
    Jake

    Short answer:  No. 
    A "layer" with a specific blending mode implies a sequence of math operations on a given pixel.  Think of the visible pixel R, G, and B values as the result of a potentially complex math formula that combines numbers from each layer in complex ways (those ways being defined by the blending mode you've chosen).  You can't always simplify particular factors of your choosing in a given math formula.
    The next step is to examine why you would want to do so.  Perhaps there's a more direct way to achieve your goal that would avert the need entirely.
    Another possibility, if the effect of several layers together is something you'd like to manipulate as a unit, is to Group the layers.
    -Noel

  • SAP GRC v10 and OIM 11g SoD

    Hi,
    I need some information about implementing integration with SAP GRC v10 and SoD. Does any of you have any experience with that configuration?
    We have only basic information in the SAP UM Connector doc and on Metalink. Does anyone work with SAP GRC v10 and OIM 11g?
    best
    mp

    See if this helps:
    http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
    regards,
    GP

  • Importing workflows from GRC 5.3 to GRC 10 and then changing them

    Hello Experts,
    We are migrating our SPM, RAR and CUP data from GRC 5.3 to GRC 10.1. At present in our CUP we have the user access request workflow as a 2-stage workflow. Now in GRC 10.1 we require a 1-stage workflow.
    I wanted advice on whether it would be feasible to import the GRC 5.3 workflows and then make changes to them and remove 1 stage,
    or to create new workflows using BRF+.
    We are not sure what changes can be performed on the imported GRC 5.3 workflows in GRC 10.
    Please advise.
    Regards,
    Apeksha

    Hello Steve,
    With migration, you deploy the Java component, extract data from 5.3 and import it into 10.
    There is still a lot of work to be done, like an implementation, as there are prerequisites.
    The second approach does not need all data to be extracted from the 5.3 system (apart from the ruleset, if that is required at all).
    I never migrate workflows; it is better to create new identical ones, and faster, I believe.
    The second approach is a little time consuming but good from my point of view.
    On the Java stack people normally go with a 2-system landscape.
    There have been clients where, on ABAP, people go with a 3-system landscape.
    This is where the tricky consulting part comes into play: which data is to be imported where.
    A few other points need to be looked at, such as when you use tools and import data:
    you actually import all transaction data, which contains all active and inactive, expired data.
    If you go with the 2nd option you will have only valid data to start with.
    Regards,
    Prasant

  • Configuring FPN with GRC portal.

    Hi,
    My requirement is to configure FPN between SAP EP and the GRC portal. GRC roles should be available in the portal.
    Users in SAP EP will be assigned GRC roles and will work further. We don't want users to access the GRC URL directly.
    If anyone has done this before or has any idea, please suggest.
    Regards
    Amit

    Hi Amit,
    In that case you need to configure SSO between your SAP Portal and GRC Portal which is non SAP Application.
    Depending on your non-SAP Portal and SAP Portal datasource, if datasource is same, you may need to generate Logon Ticket while login in to Non-SAP portal itself and if different you may need to implement some user mapping feature.
    [Single Sign-On to Non-SAP Systems and Applications|http://help.sap.com/saphelp_nw70/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm]
    [Single Sign-On with User ID and Password|http://help.sap.com/saphelp_nw70/helpdata/en/1c/22afe6b26011d5993800508b6b8b11/content.htm]
    Also check below threads -
    SAP.Net Connector & SAP Logon Ticket
    How to create SSO2 tickets on non-SAP systems?
    Regards,
    Sen
