GRC HR triggers in CUP

Similar Messages

• SAP GRC AC 5.3 (CUP) connecting to module of R/3 (HR)

  Hello,
  I have a problem.
  I want to monitor from the SAP GRC AC 5.3 (CUP) some event or activation or trigger when someone create or does some modificaction to an employee from the module HR. Maybe from the Tcode PA20, AP30 or PA40.
  IS there a "how to" or a manual to configure this from the SAP GRC AC 5.3?
  Thank you in advance
  Best Regards...
  Pablo Mortera.

  Pablo,
     I am not clear on what exactly you want but as far as I know there is no monitoring capability in CUP. If you want to monitor something, you will have to write your own Java code (for CUP front-end) or ABAP code (SAP back-end) to access particular database tables.
  Regards,
  Alpesh

• GRC AC v5.3 CUP - Initial Data Files

  Hi All,
  re: GRC AC v5.3 CUP - Initial Data Files
  Our GRC-AC v5.3 CUP Dev system has too many roles and we want it to match our GRC-AC v5.3 CUP QA system. We do not want to go through one role at a time and delete them. Would it be the correct procedure to export the CUP QA system "Initial Data" files for "Roles" and import into CUP DEV using the setting "Clean and Insert".
  Both systems are on the same CUP Version / SP / Build.
  Any help on this would be greatly appreciated.
  Thanks,
  John

  >
  John Stephens wrote:
  > Hi All,
  >
  > Yes, you are correct. An attempt gives the following error message:
  >
  > "x Please select Insert or Append option, to avoid Data Integrity errors, Clean and Insert option is not available."
  >
  > We came up with some additional options that we will pursue to resolve this.
  >
  > Thanks for your help on this.
  >
  > -john
  Hi John,
  Can you elaborate on what options you pursued to do mass role removal in CUP?
  Thanks!
  Jes

• GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?

  Hi Experts,
  re: GRC AC v5.3 CUP "User Access Reviews" (UAR) requires implementation of ERM?
  After reading the guides and forum it is still not clear to me if ERM is absolutely required in order to use CUP "User Access Reviews". The guide mentions in ERM the Role Usage Synch job has to be run, and then that data is to be loaded into CUP. Is this step absolutely required or can we skip it.

  Gary,
    ERM is a necessity if you want to fully use UAR in CUP. I don't know why SAP did it this way but it is how it is.
  Regards,
  Alpesh

• Attributes for HR triggers on CUP

  Hi Forum guru's,
  I am currently configuring HR triggers on CUP version 5.3.  I have read through the HR triggers reference guide but require some assistance.
  I am trying to setup a trigger for employee terminations in particular.  The actions and rules has been configured, however I don't think I have the correct attributes configured for the rules.
  Can anybody assist and advise what the info type, sub type and fields should be?  Or alternatively, point me to a document that can assist.
  Your assistance is highly appreciated.
  Rgds,
  Prevo

  Hi all,
  Eventually logged an OSS note.
  Please review this link which turned out to be really helpful in configuring the HR triggers.
  [https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b050c6bf-f8f4-2b10-67aa-95573e611ee4]
  Cheers,
  Prevo.

• GRC AC 5.3 CUP to create users in AD?

  Hello Experts,
  Could anyone answer to the following questions?
  Can I script in CUP to update HR master  record email address (infotype: 0105) while request workflow in progress?
  What are the functionalities in CUP can be customized and scripted?
  Thanks in advance!
  Himadama

  Hi,
     As Zaheer mentioned, SAP doesn't allow custom coding or scripting in GRC AC 5.3. I also doubt that you will be able to provisiong user email address in HR record. Mostly, the provisioning happens in user master record (SU01). It would be better if you check it out with SAP.
  Alpesh

• GRC AC 10.0 - CUP User Authentication

  Hi All
  We have installed GRC AC 10.0 as a part of ramp up implementation. We will soon start with the configuration steps. For user interfacing we have 2 options (1) NWBC (2) Portal. Architecture of GRC AC 10.0 is based on webdynpro ABAP.
  Now we had a question wherein if we choose NWBC as a front end, then how do we integrate the LDAP for CUP user authentication.
  If we need to integrate LDAP as a authentication source for users in CUP, do we have the only option of going with Portal as a user interface.
  Please advise.
  Thank you.
  Anjan pandey

  > That feature in AC 10.0 is called End User Login and will have it's own URL to access via browser.
  Thanks Frank for your response. I did go through the RKT documents and seems that there is a link through which the end users will create request. we have also planned to setup a LDAP connectivity for user authentication.
  Thanks.
  Anjan Pandey

• GRC AC 5.3 CUP error

  Hi
  We have installed GRC AC 5.3 and did the configurations for CUP. Now when I try to submit my request in CUP I am getting the below listed error while trying to go to the request submission screen. This error is recieved only after application of SP14 for CUP. However when I try to create a request on behalf of someone, i am able to move to the next screen to provide request details.
  Also with the application of latest support pack, I am no more able to see the sign out/my name etc.. on the GRC screen. Earlier I used to see the same after I looged in to the same.
  Below are more details from configuration side.
  Authentication Source: LDAP
  User Details Souce: LDAP
  Search Data source: UME
  500   Internal Server Error
    SAP J2EE Engine/7.01 
    Application error occurred during request processing.
    Details:   java.lang.NullPointerException: null
  Exception id: [001F29E657BC00620000004600004AD400049AD377D5A94E]
  Below are listed the system logs
  2011-01-27 18:25:46,132 [SAPEngine_Application_Thread[impl:3]_36] ERROR java.lang.NullPointerException
  java.lang.NullPointerException
       at com.virsa.ae.accessrequests.actions.RequestDetailsHelper.copyUserPropertiesToRequest(RequestDetailsHelper.java:1032)
       at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.loadHandler(EUCreateRequestAction.java:344)
       at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:72)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Please help.
  Thanks.
  Anjan Pandey

  Hi Anjan/Chinmaya,
  We are facing the same error in our landscape here for the self service password reset functionality. We have GRC AC 5.3 SP15.
  We are considering reimporting the initial data files in CUP but have a few concerns.
  Will the reimport erase or affect existing CUP/SPM functionalities? With an audit around the corner, we don't want any existing request details/logs to be erased or the system to be affected.
  Can you please help out with the steps on how to proceed with this upload? Is it necessary to click on Upgrade once the reimport is complete?
  Thanks,
  Mahesh Pai

• GRC AC 10 (RAR/CUP/ERM) configuration for EP system

  Hello Gurus,
  We are aware of configuring RAR/CUP/ERM in GRC AC 10 for ERP system(back-end)
  Are there any documents /links to provide information on configuring the above components for EP system ??
  Or rather specific which of the following configuration is possible for EP system ?? CUP /RAR/ ERM ??
  Also going further , is there any way in which we can configure the same for BO system ??
  I am not quite sure if there is any PLUG-In as such which is available for BO system or not .
  But in my opinion there is no need to perform configuration for BOBJ system as the roles in them are imported from Backend system (ERP/BI etc) , hence if these roles are already taken care during ERP system cleanup and SOD analysis , there should be no need to configure seperately RAR/ERM/CUP.
  Please provide your comments.
  Regards,
  Victor

  Hello Prasad,
  Thank You for your quick response .. the info was quite helpful.
  Will you please put some light on aspects of integrating AC 10 with BO ??
  Is there any connecter available for it?? Which scenarios are possible ??
  Humbly Requesting your help.
  Thanks in advance.
  Regards,
  Victor

• GRC AC 5.3 - CUP automatically pick up Risk Owners?

  Hi GRC Experts,
  Just wanted to know, is there any way CUP can pick up Risk Approvers without configuring them in CAD? Role approvers automatically get picked up when choosing the "Role" as the approver determinator within a CUP "stage"; Is there any such option for a CUP stage to pick up the Risk Approvers in the same manner?
  Thanks and Best regards,
  Sandeep

  Hi Chinmaya,
  Firstly, thanks for your help and support.
  According to the post, I mean when the user manager or approver, receives the request to assign one role to a user, the approver has to decide the needs of the user to use that role.
  Then the approver can check (clicking on Risk Analysis button) the number of concflicts or criticals risk that the user could violate. The issue is when the approver launched the anaylisis and it shows same conflict risks that have been mitigated in the previously assignment. It may show the possible risks between the new role and the others, isn´t it?, or instead of the case ,that the oldest risks are showed. Must that  risks showed  as mitigated?
  Thanks, regards.

• GRC AC 5.3 | CUP Request Type = Information

  Hello All,
  We have recently deployed GRC 5.3 and have seen in many demos by different partners that GRC CUP has request Type: "Information" which is used to search and view information about request types.
  During our implementation of CUP we didn't realize that some users would have difficulty in choosing Request types such as New/Change/Unlock etc, so we didn't bother configuring anything. But there are users who, for some reason, unable to select the right request type.
  I would like to know how do I configure Information request type where users can search information about request types? I was able to create the request type but not sure what action to assign to it or do I even need to?
  Any documentation or help would be greatly appreciated.
  Thanks!

  Thanks Raghu but I did try the wiki page section:
  "Configuring Requestor Landing Page for Compliant User Provisioning (PDF 220 KB")
  The purpose of this article is to provide the procedure required to customize the requestor landing page i.e. the request types on the request access screen in compliant user provisioning in SAP GRC Access Control.
  but I get the error message that:
  "Sorry, the page or document you've requested can't be found on our site (404 error). It may have been moved or removed, or (yikes!) the site may be down."

• GRC-AC 5.3  CUP  Functional Area and Company - How does it works?

  Hello experts,
  Can someone give a clue on how do Roles Attributes -> "Functional Area and Company" works?
  I was imagining that it could be used a stage with Approver Determinator by "Role" , but had no success, is that the right way to use it?

  Hello Chinmaya,
  Thanks for your reply.
  In fact, I already use Company and also Functional Area in the role for filtering purposes.  I do not need different initiators for different Companies.
  What I really tried to do was make GRC-CUP determine the role approvers of a stage to those I informed in Configuration -> Roles -> Attributes -> "Functional Area and Company".
  Consider this example:  if someone ask for a role that have Functional Areas F1 and F2 and Companies C1 and C2, and I configured Funcional Area and Company F1C1 to approver A, F1C2 to approver B, F2C1 to approver C, F2C2 to approver D.  Then the request would go to approvers A, B, C and D.  This is sort of what I was expecting, but could not make it work.
  Regards,
  Vaner

• GRC AC- Workflow in CUP

  Dear All,
  We encountered an issue with one of our customers regarding the definition of WFu2019s path.
  The customer has a WF : START -> risk manager -> business manager 1 -> business manager 2  (**) -> auth. Manager -> FINISH
  (**) u2013 The second approval of business manager is needed only in the case where the Functional area of the role is not the same of the one of the Request.
  We thought about defining CAD approvers for every combination of Role Functional Area & Request Functional Area (for the cases they are not the same).
  The problem is that in the case where both is the same, this stage is not needed at all. So we thought about using an escape rout u2013 but then it will be relevant for all WFs, and this is not what we want.
  Do you have any idea how to deal with this situation ?
  Thanks

  Hi Yudit,
  Unfortunately CUP does not have the sort of functional logic you require in your workflow.
  You will have to try another angle to fulfill the business requirement.
  Hope this helps.
  Rgds,
  Prevo.

• SAP GRC AC 5.3 CUP Risk Analysis issue

  Hi all,
  I have assigned a new SoD Role to a user, who has been given previously other SoD Roles that were authorized to assingn, then I launched the Risk Analysis and it shows the risk between the previously SoD Roles, but I want to see the new posible risks between the new SoD Role and the others.
  Is there any parameter into CUP to set up that controls the issue ? How must I do?
  Thanks in advance.
  Regards.

  Hi Chinmaya,
  Firstly, thanks for your help and support.
  According to the post, I mean when the user manager or approver, receives the request to assign one role to a user, the approver has to decide the needs of the user to use that role.
  Then the approver can check (clicking on Risk Analysis button) the number of concflicts or criticals risk that the user could violate. The issue is when the approver launched the anaylisis and it shows same conflict risks that have been mitigated in the previously assignment. It may show the possible risks between the new role and the others, isn´t it?, or instead of the case ,that the oldest risks are showed. Must that  risks showed  as mitigated?
  Thanks, regards.

• SAP GRC Compliant User Provisioning (CUP) Password Self Service

  Hello everyone,
  I am setting up Password Self Service within CUP.  For those users that do not already have access to the UME frontend, I know that I need to create a user ID in the UME frontend for each user so that they can access the Password Self Service option.  Since I only want the user to access the Password Self Service option, what UME role do I assign to them to ensure that they cannot access anything else within CUP?
  Thank you!
  Johonna

  Johonna,
  The 3 defined roles are only those suggested by SAP.
  You can create your own roles by assigning the various actions as needed to provide access or restrict as your organisation requires.
  However, depending on your patch level, you may find that certain actions are dependant on others to work properly.
  Also, you either grant access to the functionality or not. There is no partial or display only setting in the java stack.
  Enjoy!
  Simon