GRC EAM Workflow

Hi All,
We have installed the GRC system with the required components for AC (Access Control) functionality.
Kindly share the scenarios for implementing EAM and the workflow for EAM.
Thanks,
Venkatesh

Hi Venkatesh,
Please check the links below, where you can find the topics related to configuration and workflows.
http://scn.sap.com/docs/DOC-1562
http://scn.sap.com/docs/DOC-1569
Regards,
Neeraj

Similar Messages

  • GRC EAM - Single Firefighter Multiple User Login

    Hi Folks,
    Good day. I need your valuable suggestion on the issue below.
    We have configured GRC EAM 10.0 with a mapping of a single user ID to a single Firefighter, but now we have a scenario where multiple users require a single Firefighter ID.
    The mapping is done for multiple users with a single Firefighter ID. We logged in with the first user and it works successfully, but when the other user logs in at the same time, it is not allowed to enter the same Firefighter (a message pops up saying User1 is already using the Firefighter).
    Please provide a solution if there is any.

    Hi Hima
    Good to hear (sorry for your first question and this one led me down that path)
    I assume the program to log in to SAP (can't remember the name off the top of my head) performs a check to see if FF is configured and the user is a FF ID. This program is locked down so you cannot view the code (if it's not the program then the kernel is performing the check, but I'm pretty sure it's the program).
    So in short, as soon as you configure the user to become a FF Id then it cannot be logged into via logon pad.
    As an additional security measure you should be able to deactivate the FF Id password as it is not required by GRC. This will add additional certainty that no user can access it (you will have change documents to show this should the account ever be removed as a FF Id).
    Regards
    Colleen

  • GRC EAM Authorizations: Few Anomalies in Standard Roles

    Hi GRC/ Security Experts,
    To brief you quickly, we have an SAP GRC AC 10 SP13 about to be deployed with ARA & EAM Modules as a first phase deployment.
    All of the functionality is almost set up; we are just refining a few things before going live.
    About the GRC authorizations, I observed a few anomalies in the standard delivered SAP roles for EAM.
    I am aware that processes & compliance can vary from organization to organization. I am trying to redesign some of the EAM related authorizations, especially for Firefighter Owner/Controller.
    In the standard delivered EAM roles, there are a few things missing and a few unnecessarily attached.
    I am already aware of the provided information in the following resources:
    - 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
    - 1663949 - EAM: Authorization Fixes for Central Owners and Reason Codes and have referred to EAM Authorization
    - EAM Authorization Concepts & Guide
    - GRC AC Latest Security Guide.
    I am wondering, as many GRC AC 10 implementations must have gone live by now, how the following authorization hardening concerns can be addressed.
    I observed the following anomalies, and used ST01 tracing to refine and address a few of them; still, some of them I can't seem to get hold of:
    1) [SOLVED] EAM Owners should technically not be allowed to Create/Maintain Reason Codes; that should be the EAM Administrator's task. This was addressed by adjusting the auth objects in the Owner's role so that only Reason Codes Display was provisioned to the owners, hence this is addressed.
    2) [SOLVED] EAM Owners should not be allowed to Create/Maintain EAM Controllers. This is a grey controversy I believe, as in my organization the EAM Controller is treated on an even higher scale than the Owner, and thus EAM Controller maintenance should only be done by the EAM admin rather than the EAM Owner. This also I have addressed by adjusting a few auth objects, which leaves the EAM Owners with display-only access to EAM Controllers.
    3) [UNSOLVED] EAM Owner is able to assign any Firefighter ID to an End-User: This is an anomaly as per me, and is also specified in notes 1730649 & 1663949, but I find it hard to figure out the real solution to that specific issue. The notes just point to the EAM Authorization Guide, which explains the GRC authorization concept in general, which I of course get. The GRC SP13 is already higher than the one applicable for the issue.
    Technically the EAM Owner should only be able to ASSIGN the FF IDs that are owned by him; this I can't seem to figure out how exactly.
    I have gone through the Authorization Guide and Security Guide, and played too much with System Trace ST01 trying to redesign the authorizations. How would you have done it? This wasn't there in Virsa earlier; it used to bug you back saying that the FF ID is not owned by you.
    4) [UNSOLVED] Similarly to the above, the EAM Owner is able to modify/delete assignments of any FF ID. This is of course cascaded from the above issue. I believe it doesn't have to be like this; the EAM Owner should only be able to access/modify/maintain the FF IDs owned. Maintenance of the FF IDs not owned by the EAM Owner should be truly abstained from.
    5) EAM Owners should not be able to Add/Delete the assignments of Owner with FF ID. This is the starting point of the Firefighter structure and must be restricted to the EAM Administrator. In the standard EAM Owner role, an EAM Owner can create another Owner, assign a FF ID to another Owner, and delete an Owner-FF ID assignment. The EAM Owner should have display-only access as far as the EAM Owners access area is concerned. This one I have yet to test, which I think would be possible. Can't get hold of points 3 & 4.
    I have already studied/implemented the suggestions/recommendations/corrections from the Authorization Guide.
    But I still feel that these are a few loopholes and must be closed before I conclude the implementation.
    What do you think?
    Would truly appreciate it if you can point out the objects and values that can help to address the open issues.
    Apologies for such a lengthy post, but the authorization goes deep here I guess, and ST01 isn't helping me anymore to get over this.
    Regards,
    Akshay

    Hi Colleen,
    Thanks for your reply. I was sure I would be getting the first response from you, as you are really proactive in the GRC space.
    W.r.t. your suggestions:
    1) I am not able to follow what you mean by "Are you able to try debugging "CALL METHOD cl_grac_auth_engine=>authority_check"?" I am not much of an ABAPer/debugger, but if you can point out what exactly is to be done, I wouldn't mind getting my hands dirty at this too.
    Correct me if I am wrong: do you imply that, even though the specified correction in the note is available in the system (SP13), this inbuilt authority check is still not happening and is being bypassed?
    2) I checked the EAM Authorization Guide for Auth Object GRAC_USER.
    With regard to what you feel in the message of yours below:
    Starting to wonder if it is as the EAM Guide attached to the above notes mentions authorisation GRAC_USER which contains a field for user (quote from guide below).
    User ID: This field specifies which firefighter users you can display and perform other activities on, based on the Activity field.
    That suggests you need different roles to restrict owners? I would have thought SAP would differentiate between authorisation to maintain FF as an Administrator versus Owner access to their own IDs.
    I would have thought Administrator would get the GRAC* authorisations whilst Owners would obtain access via owner setup (mapping for FF Id)
    I went back to the EAM Guide and tried to put it all together to make sense.
    With my observations below, I think too that there is no such thing as a mapping of FF ID with the Owner out of the box in GRC AC 10 so that the Owner is able to access only the FF IDs owned.
    So, if that is true, then to achieve this sort of wish I would have to have separate roles for each EAM Owner specifying the FF IDs that particular EAM Owner is able to access. And then there would be n number of roles for n number of Owners, which is subject to change and has to be maintained again. Then also, the FF IDs owned could be added/removed etc. Whoa! That wouldn't make me far away from rationalizing the whole objective.
    I just wonder if this is actually OK. If there is no approach to this, would it be OK to let any EAM Owner work with any FF ID subject to their own desire?
    Anyway, check this out below. I will in parallel open a message with SAP just to have my closure.
    From EAM Authorizations Guide in the note=>
    Now from the EAM Owner's Role=>
    This nowhere mentions restricting the FF IDs in the role; if at all this concept exists, it would be through some internal check like the one above, i.e. CALL METHOD cl_grac_auth_engine=>authority_check or something.
    Also found these few specifications as well, which affirm the same I believe.
    Much thanks for your effort and patience.
    Regards,
    Akshay

  • SAP GRC ARM Workflow

    Hi,
    We are planning to implement GRC ARM. Could anyone help me in this regard and let me know the workflow process?
    Thanks,
    Venkatesh

    Dear Venkatesh,
    It depends on your requirement, as Mangesh mentioned. Basically you have to check what kind of stages you want to have and what the process is in the end. A good approach is to make sure that all upcoming risks are considered during the ARM process and to ensure that those risks are either remediated or mitigated before implementing in the productive environment.
    See for example a possible process design for role requests:
    ICS Responsible in my case is the responsible person for Internal Controls which are documented in an Internal Control System (ICS).
    Looking forward to hearing from you.
    Regards,
    Alessandro

  • GRC AC- Workflow in CUP

    Dear All,
    We encountered an issue with one of our customers regarding the definition of the WF's path.
    The customer has a WF: START -> risk manager -> business manager 1 -> business manager 2 (**) -> auth. manager -> FINISH
    (**) - The second approval of the business manager is needed only in the case where the Functional Area of the role is not the same as the one of the Request.
    We thought about defining CAD approvers for every combination of Role Functional Area & Request Functional Area (for the cases where they are not the same).
    The problem is that in the case where both are the same, this stage is not needed at all. So we thought about using an escape route - but then it will be relevant for all WFs, and this is not what we want.
    Do you have any idea how to deal with this situation?
    Thanks

    Hi Yudit,
    Unfortunately CUP does not have the sort of functional logic you require in your workflow.
    You will have to try another angle to fulfill the business requirement.
    Hope this helps.
    Rgds,
    Prevo.

  • GRC CUP workflow

    Hi,
    We want the request from the security stage to be forwarded to a specific SOX approver in the next stage. I saw that forwarding a request is allowed only within the stage. Is there any option for one stage to forward the request to a specific approver in the next stage?
    Thanks
    Yakoob.

    Hi Chinmaya,
    The Reroute option only works for the previous stage, not for the next stage. Reroute only goes from the 2nd stage to the 1st stage (the previous one). I want to forward the request from the 2nd stage to the 3rd stage, to a particular approver.
    Thanks and Regards
    Yakoob

  • GRC 10 HR Triggers Workflow

    Hello Experts,
    I have configured HR Triggers for change of position using the Procedural call method. I created a BRF+ rule that identifies the condition and returns the ACTION-ID. I can see that the condition is satisfied when a change of position occurs, but it is not following any workflow.
    Where do we link the ACTION-ID to a workflow? Do we need to create a new initiator with the BRF+ Function ID?
    Already followed note 1591291 but did not help.
    Thanks and Regards,
    Ajesh.
    Edited by: Ajesh Raju Pujari on Mar 4, 2012 2:56 PM

    Hi all,
    Check transaction SLG1: run it in the backend system and enter the following:
    Object: GRAC
    Subobject: HRTRIGGER
    External ID: *
    Then enter the dates and put * in the remaining fields; for Log Class select All Logs and for Log Creation select Any.
    For Log Source Formatting select the first option, then run the report.
    Select the date on which the Hire activity took place and double-click on it.
    You will get the log report and the exact error issue.
    Normally you define the workflow in SPRO in the following path:
    SPRO -> GRC -> Access Control -> Maintain AC Application and BRF+ Function Mapping
    Maintain the workflow name.
    Then you need to map the workflow in MSMP: go to GRC -> AC -> Workflow for Access Control -> Maintain MSMP Workflow, select the standard workflow you mentioned, then go to the stage Maintain Path and maintain the path mentioned, then go to the stage Maintain Route Mapping and enter the Rule ID for the HR Trigger and the Path ID.
    Hope this helps you solve it.

  • GRC - Test Cases

    Hi All,
    We are approaching the SIT phase for GRC. Are there any standard scripts for GRC specifically for testing?
    I assume that the below are SIT test cases. But if I am missing something, experts can advise.
    All my MSMP workflows - using template based requests (we are using templates for each request type)
    Checking MSMP workflow buttons (Approve, Reject, Forward, Return)
    Checking UAR workflows
    Checking risk analysis during workflows - for a few important risks
    Checking EAM workflows and how log review report workflows work
    Checking all email notifications (if they are proper)
    Are there any other scenarios than the mentioned ones which will be crucial during roll out?
    Please suggest.
    Thanks,
    Sai.

    Dear Sai,
    It depends on your setup. Basically you have to define the test cases based on your requirements and setup. Hence it is difficult to tell you what needs to be tested.
    Best practice from my experience is to define all cases and expected output. Best if you think in processes and define test scripts for each process. In the end the process has to work from A to Z.
    Regards,
    Alessandro

  • Error while configuring Workflow on AC 10

    I am getting the errors below:
    MSMP process GRAC_ACCESS_REQUEST version IMG Configuration tables contains errors
    Path ID cannot be empty. Please enter correct value
    Configuration ID <stage_name> check reported errors (BADI for task TS76308026 - class CL_GRAC_ACCESS_REQUEST_WF)
    Unknown Function ID <Id_value> *there are 4 such Function ID errors*
    Configuration ID <stage_name> check reported errors (BADI for task TS76308026 - class CL_GRAC_ACCESS_REQUEST_WF)
    Doubts:
    1. Agent IDs are sometimes showing Rule Results. Agent IDs should not ask for/give Rule Results.
    2. I do not think Route Mapping is mandatory. But, in spite of giving Route Mapping values, activation of the workflow is giving an error. Sometimes the error is Invalid Rule Result.
    What is the MINIMUM correct configuration for setting up a Workflow in AC 10?

    Hi Plaban,
    Kindly check the following notes:
    1672088 - GRC AC Workflow - Class Based Agents - configuration issues
    1667154 - Error in Generate Version after making changes in a stage
    1671150 - GRC AC Workflow Rules - API for Class Based Rules - FAQ
    Best regards,
    Smriti

  • GRC AC10 Agent based upon Role Attributes

    Hi Experts,
    Need your help on the issue.
    We are trying to achieve below configuration-
    After the Access request is generated, at the first stage, the approver should be selected based upon the business process of the role. If there are multiple roles with different Business Processes and their approvers, all of them should approve the request and then request should go to the next stage.
    There is also a field Business Process in the Access Request screen which denotes the user's association with a business process and not that of the role. We are able to trigger the approval based upon this field, but we can't find any option for approver selection based upon the business process of the role.
    Can someone show a way to achieve that?
    We are facing another problem: when the request is approved based upon the field Business Process in the Access Request screen, we are not able to find the request in the next stage; it is still showing in the same stage, while only one role is attached and no other approver is defined.
    What could be the reason behind it? Any help is highly appreciated.
    Thanks in advance,
    Sabita

    Hello Sabita,
    You can use the transaction GRFNMW_DBGMONITOR_WD to check the logs.
    What I understand from your requirement, and what would be my approach:
    1) Approvers who will be ROLE OWNERS
    > In this case the 1st thing is that you should upload a few ROLES (NWBC > Access Mgmt --> Role Import) with all the details, i.e. function area, company, role owner, alternate approver
    ---> Now create a "Custom Initiator" from SPRO > GRC > AC > Workflow for Access Control > Define Workflow Related MSMP Rules for Process ID SAP_GRAC_ACCESS_REQUEST
    Run Tx BRF+, and you will see a rule created; drill down to "Expression --> Decision Tree"
    and use "Table settings" to select "Condition Column" & "Result Rule sets", where you can configure the Custom Initiator
    Now open the MSMP workflow config window
    1) Process Global Settings (notification details if necessary)
    2) Maintain Rules (add your custom initiator rule)
    3) Maintain Agents (check & if not present add the Role Owner agent)
      i.e. GRAC_AR_ROLE_OWNER (this will satisfy the 1st requirement)
    Create a new agent as BSM and map them as "directly mapped user"; similarly for the 3rd stage you can use directly mapped user.
    4) Variables & Templates --> skip
    5) Maintain Path (add 3 stages as required, i.e. role owner, BSM & security officer)
    Now for each stage click on "Modify Task Settings" & click on the individual check boxes as relevant; you can select "All approvers" or "Any one approver", Approve Request based on System & Role, or Request.
    The same applies to the other 2 stages.
    6) Maintain Route Mapping --> put in the path ID created in the previous stage, then save and activate.
    I hope this gives you a fair idea.
    Thanks
    Victor

  • SAP IDM vs SAP GRC

    Hi All,
    One basic question keeps coming up due to the overlapping features of SAP IDM and SAP GRC. Why is SAP IDM required when almost all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why a customer would choose IDM when he already has GRC?
    1. SAP IDM and GRC both can accomplish access request and provisioning.
    2. SAP IDM and GRC both have the capability of risk management.
    Then why is SAP IDM required?
    Thanks,
    Dhiman Paul.

    Hi Dhiman,
    SAP IDM is more flexible and is Java based (providing excellent customizations). GRC 10 is ABAP based and originally designed for Access Control. As mentioned by Chris, IDM connectors are more flexible than GRC's & the provisioning workflow is highly variable.
    I'd say if there are quite a few legacy systems to be connected for the IDM solution, SAP IDM would be a better choice than SAP GRC, as it can be implemented with less cost and customization.
    My simple opinion. There may be other points as well.
    BR,
    Ganesh

  • Parallel workflows in CUP

    Hello Experts,
    Our environment has SAP HR, GRC CUP (5.3) and Active Directory (connected to IBM Tivoli Identity Manager).
    I have a requirement where I need to provision user IDs to SAP systems through GRC CUP after the Hire event is completed in SAP HR. To provision in SAP, we need to first create an Active Directory ID (network ID) before we can use this ID as the SAP user ID. We are planning to use position based security in SAP HR.
    Question: After the hiring event is completed, can I initiate 2 paths in the GRC CUP workflow, where one path creates the Active Directory ID and then provides that Active Directory ID to the second path, which will then use it to provision in SAP systems?
    The Active Directory is connected to IBM Tivoli Identity Manager, so we have to create the Active Directory account through IBM Tivoli Identity Manager.
    Can you share your thoughts on this? Can we build a workflow like that? If not, any other alternative thoughts?
    Thanks

    My 2 cents on the SAP IdM and GRC integration scenario (draft):
    1. HR will create an employee record in HCM
    2. IdM monitors changes and creates a network (AD) id and email id (Assumption: network id and SAP user IDs are the same)
    3. IdM updates the email address back to the HCM system
    4. Hiring manager enters the required roles. 1* (one more option: the manager may add the business role, and the business roles are mapped to the technical roles in IdM)
    5. IdM sends the SAP system requests to GRC 5.3 RAR
    6. If there are no violations, the request returns to IdM and IdM completes the provisioning process, and roles need to be approved.
    7. If there are violations in the request (CUP approval), after the role owners' approval the request returns to IdM and then IdM completes the provisioning process.
    8. Manager (only) gets the notification of user creation, and logon credentials will be given to the new employee if the non-SAP (AD) provisioning process has not happened prior to the SAP provisioning process. (not clear yet)
    Questions:
    1. 1* Does IdM complete creation of the network id? If it does, then the manager could enter the new employee's email id. (Not sure whether the manager is only able to add roles, or to add roles and the email id)
    2. Not sure whether IdM completes the non-SAP systems (like AD, etc.) prior to the SAP systems in the same request.
    Reference:
    Page 11/14:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a634?quicklink=index&overridelayout=true
    Page 8/48:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8c55?quicklink=index&overridelayout=true
    Thanks
    Himadama

  • IDM request grouping issue

    Hi All,
    We have designed our landscape to provision to SAP systems via GRC. IDM is sending add/remove role requests to GRC via the VDS-GRC web service, but the request is not properly grouped and logged in GRC. Here is the example:
    There are two positions named P1 and P2 which have 2 and 4 tech roles respectively.
    Position-1 has tech roles A and B
    Position-2 has tech roles A, B, C, D
    The user already has Position-1 and tech roles A and B. Now the user's Position-1 is getting replaced by Position-2. In this scenario the following requests are getting logged in GRC:
    1. One request to remove tech roles A and B
    2. One request to add tech roles C and D
    3. One request to add tech role A
    4. One request to add tech role B
    Note: All tech roles are from the same GRC repository.
    As per my understanding, this many requests should not be there when we are using the GRC repository constant MX_PRIV_GROUPING_ATTRIBUTE = P:0
    I have also observed that the "Write RequestId and opt. Start Polling" job is getting executed even before "AC Submit requests" on the position replacement event. This job is getting executed a number of times based on the number of common tech roles.
    Any thoughts on why requests are getting split like this?
    Thanks,
    Dhiman Paul.

    Dhiman,
    The aggregation of the privileges into one request is done via custom javascript that we attached to our Prepare AC Request job in the GRC 10 workflow.  It was modified so that it would look up what privileges are assigned to the IdM business role(s) prior to it being submitted to GRC and subsequently approved.
    The script that should be modified is: sap_grc10_prepareRiskCheckExecution
    This script can be modified to look up all the privs assigned to all roles requested, aggregate them into one object/array, then pass (return) that information along with all mskeys (privs/roles/pvo) back to the pending value for the remaining GRC tasks. This customization is required in order for AC Polling to kick off (which, by the way, needs to have the GRC10 repository explicitly assigned):
    This explicit GRC10 repository setting must also be on the Submit AC Request:
    Lastly, you MUST have the Risk Validation job (that also comes with the GRC 10 Framework) in the GRC 10 WF so that when your request comes back from GRC it will provision (or not) based upon the status returned from GRC.
    One more thing, the grouping should be P:4 not P:0
    There are a lot of nuances and gotchas in this integration but the above should be helpful to get you on the right path.
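    As an added illustration of the aggregation the reply above describes (example code written for this page, not the SAP IdM sap_grc10_prepareRiskCheckExecution script or any SAP code), the following JavaScript collapses the four requests from the question into one net request per repository; the sample data and the function and field names are constructed for this example.

```javascript
// Added example, not SAP IdM or SAP GRC code: aggregates the per-event
// add/remove requests a position replacement produced into one net request
// per GRC repository. Names (aggregateRequests, OBSERVED_REQUESTS) are assumed.

// Constructed sample mirroring the post: replacing Position-1 (roles A, B) by
// Position-2 (roles A, B, C, D) was logged as four separate requests.
const OBSERVED_REQUESTS = [
  { action: "REMOVE", roles: ["A", "B"], repository: "GRC_REPO" },
  { action: "ADD",    roles: ["C", "D"], repository: "GRC_REPO" },
  { action: "ADD",    roles: ["A"],      repository: "GRC_REPO" },
  { action: "ADD",    roles: ["B"],      repository: "GRC_REPO" },
];

// Collapse a list of pending requests into one request per repository.
// Each role's net effect is tallied (+1 per ADD, -1 per REMOVE) so that a
// role removed with the old position and re-added with the new one nets to
// zero and produces no line item at all (the common roles A and B above).
function aggregateRequests(pending) {
  const byRepo = new Map();
  for (const req of pending) {
    const sign = req.action === "ADD" ? 1 : req.action === "REMOVE" ? -1 : 0;
    if (sign === 0) throw new Error(`unknown action: ${req.action}`);
    if (!byRepo.has(req.repository)) byRepo.set(req.repository, new Map());
    const tally = byRepo.get(req.repository);
    for (const role of req.roles) tally.set(role, (tally.get(role) || 0) + sign);
  }
  const grouped = [];
  for (const [repository, tally] of byRepo) {
    const add = [], remove = [], unchanged = [];
    for (const [role, net] of tally) {
      if (net > 0) add.push(role);
      else if (net < 0) remove.push(role);
      else unchanged.push(role);
    }
    grouped.push({
      repository,
      add: add.sort(),
      remove: remove.sort(),
      unchanged: unchanged.sort(),
    });
  }
  return grouped;
}

// Demonstration: the four observed requests become one request that only adds
// C and D; A and B are recognised as retained and neither removed nor re-added.
console.log(JSON.stringify(aggregateRequests(OBSERVED_REQUESTS), null, 2));
```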

  • GRC AC Emergency Access Management (EAM) and STAD report data

    Dear Community,
    We use EAM (ID based firefighting) and the log synchronization jobs are scheduled every half hour in order to get the firefighter logs from the back-ends for review by the controller. Due to a technical issue the synchronization jobs are not working correctly over several days. We experienced missing session details (executed transactions, programs, changes, etc.) for many firefighter sessions. As one source of the firefighter log is STAD on the back end, and this data is only buffered for 48 hours by default, I expect that I can't recover the logs and they are irreversibly lost if GRC is down or the sync jobs are not running for more than that time. That can happen over a weekend....
    I ask you:
    Can you confirm my expectation?
    Does it make sense to extend the STAD buffer up to e.g. 96 hours for all GRC production back ends?
    Do you have controls in place to check that the sync jobs are running and the logs are synchronized correctly and completely?
    I would appreciate it if you could share some thoughts with me about this.
    Thanks in advance,
    Andreas Langer

    Hi Andreas,
    - Please check the note below for missed log entries
    1934127 - GRC10 EAM: EAM recovery program to retrieve missing log and to generate the missing workflows
    - The maximum value is 99, and it is the number of stat files that are generated. So you can get records up to 4 days.
    - A periodic monitoring activity can be set up, which is done manually. I am not aware if Process Control can take care of this monitoring.
    regards

  • GRC 10.0 Workflow customizing problem

    Hi experts,
    We are working with GRC Access Control 10.0, and when doing the customizing tasks related to workflows we have an issue that doesn't let us continue.
    Here is the background information.
    We are in "IMG/Governance Risk and Compliance/General Settings/Workflow/Perform Automatic Workflow Customizing" or, more simply, we are in transaction code SWU3.
    Here we have: Maintain Runtime Environment, all green; Maintain Definition Environment, all green; Maintain Additional Settings and Services, a red cross :(.
    So, when opening the tree of our red cross task, we find that the only task with a red cross is "Maintain Web Server".
    So, we execute the task, and here we have the following information:
    Service = Webflow (Internet)
    Address web server = http://<our web server>:8000/
    Protocol Address = HTTP
    Path of service = sap/bc/workflow_xml/?
    URL = http://<our web server>:8000/sap/bc/workflow_xml/?
    And here is something that caught our attention. When we push the button to test the URL, our IE opens a page but it is blank (it doesn't show anything).
    As we saw that, we thought that the service was not active, so we went to transaction SICF and checked it, and yes, when you test the service, it doesn't work.
    Finally, we checked support package upgrades and went to SP5 on our GRC server and SP5 on both plugins on our SAP ERP server.
    And here we are. We have no idea what else to do or check.
    Any suggestion?
    Thanks very much in advance.

    Hi,
    I have just checked my SICF settings and found that we have not actually activated those services at all and our NWBC sessions work fine now.
    Have you activated the sap/bc/nwbc and sap/bc/webdynpro services?
    Also, have you activated the required BC sets for the standard content on Access Controls? This removes the need to do a lot of the basic setups but you still need to follow through the event linkages to check the successful generation etc.
    Simon
    Edited by: Simon Persin on Sep 21, 2011 5:51 PM
