GRC v10 AC Owners
Good day,
OK, it seems that I am missing something with GRC 10. We are upgrading from CC4.0 to GRC 10. I believe I have everything configured through SPRO correctly. I can run a risk analysis on end users and I get results. I am now at the point where I put the mitigations into the system but I have seem to run into a snag. When I go to master data > Mitigation, I start to fill in the information but when I try to add a AC Owner I get "No Results Found".
I have tried adding a Owner to a risk and then going back, I have also added a user under "Access Management" tab with "Access Control Owners". I have reviewed almost every node in SPRO and I can not seem to find where I am missing something.
I am sure it is simple since I can not find any documentation on this almost anywhere. We are currently running GRC v10 SP5. We are only planning to use the RAR (5.3 term) portion of AC not the other part (Example: Risk Terminator). Please let me know if there is a simple solution to get a user populated in the AC Owner tab.
Kind Regards,
Paul
Some of the GRC Roles ..
SAP_GRAC_ACCESS_APPROVER Role for Access Request Approver
SAP_GRAC_ACCESS_REQUESTER Role for End user
SAP_GRAC_ACCESS_REQUEST_ADMIN Role for Access Request Administrator
SAP_GRAC_ALERTS Generate, clear and delete SOD Alerts
SAP_GRAC_ALL Super Admin for AC
SAP_GRAC_BASE Base Role for all Access Control Users.
SAP_GRAC_CONTROL_APPROVER Create AC MIT control, approve, assign, alert and perform Risk analysis
SAP_GRAC_CONTROL_MONITOR Ability to assign MIT control to Risk and perform risk analysis
SAP_GRAC_CONTROL_OWNER Create AC MIT control.
SAP_GRAC_DISPLAY_ALL Display Access To All AC Objects.
SAP_GRAC_END_USER End User as a GRC Guest
SAP_GRAC_FUNCTION_APPROVER Approve Function for Workflow
SAP_GRAC_NWBC View Access Control Information Architecture.
SAP_GRAC_REPORTS Ability to run all AC reports.
SAP_GRAC_RISK_ANALYSIS Ability to Perform Risk Analysis
SAP_GRAC_RISK_OWNER Risk maintainence And Risk Analysis
SAP_GRAC_ROLE_MGMT_ADMIN Role Management Admin
SAP_GRAC_ROLE_MGMT_DESINGER Role Management Designer
SAP_GRAC_ROLE_MGMT_ROLE_OWNER Role Owner
SAP_GRAC_ROLE_MGMT_USER Role Management Business User
SAP_GRAC_SUPER_USER_MGMT_USER Super User Firefighter
SAP_GRAC_SUPER_USER_MGMT_ADMIN Super User Administrator Role
SAP_GRAC_SUPER_USER_MGMT_CNTLR Super User Controller Role
SAP_GRC_MSMP_WF_ADMIN_ALL MSMP Overall Administrator
SAP_GRC_MSMP_WF_CONFIG_ALL MSMP Overall Configurator
SAP_GRAC_RULE_SETUP Ability to define Access Rules
SAP_GRAC_SETUP Ability to setup Access Control
SAP_GRC_FN_BASE GRC - Base role to run applications
Hope it helps ..
Vikas
Similar Messages
-
WebServices in GRC v10.0
Hi all,
I have three questions to WebServices regarding SAP GRC v10.0:
1. Is it possible with v10 to check permissions via WebServices (SAPGRC_AC_IDM_*) only with the RAR component? In v5.3 it was only possible, if CUP was installed too.
2. Contain the WebService SAPGRC_AC_IDM_RISKANALYSIS in v10 a analysis of critical permissions? In v5.3 only SoDs and critical actions was checked.
3. What is the task of the parameter includeCrossSystemsAnalysis of the WebService VirsaCCRiskAnalysisService in v10? In v5.3 the value of this WebService has no impact to the SoD check (it SHOULD be:
includeCrossSystemsAnalysis == true ==> cross system SoD check
includeCrossSystemsAnalysis == false ==> single system SoD check
But doesn't matter what's the value of the parameter. There is always a cross system check. Has this changed in v10.0?
Regards
PeterHi Peter,
AFAIK the web services have not yet been published.
If you had the web service return violations without the requirement for CUP, what would you do with that information?
I hear that question a lot, I would really like to understand the ideas behind it.
To one of your other questions: cross system check is only possible for dedicated cross system risks. If there are no such risks defined, this will not yield any results no matter what the value of the parameter is.
Thanks,
Frank. -
Hi,
I need some information about implementing integration with SAP GRC v10 and SoD. Does anyone of you has any experience in that configuration?
We have only base information in SAP UM Connector doc and on metalink either. Dooes anyone work with SAP GRC v10 and OIM 11g?
best
mpSee if this helps:
http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
regards,
GP -
Hello All,
Currently we are in GRC 5.3 SP13.We are planning to migrate to GRC 10 with PLUGIN level 7.We are in process of upgrading GRC 5.3 to Sp16 before migrating to GRC AC 10.As per the note 1655924 and 1662113,we find that GRC PLUGIN is compatible with GRC 5.3 RTA's.
Can you please confirm upto which RTA Level GRC 5.3 RTA is compatible with GRC 10 PLUGIN 7.
Thanks,
JagatHi Jagat,
I don't think there is a hard dependency between the RTA VIRSA* and GRCPI* Plugin as each have a completely separate code base.
The dependency is really on the GRC 5.3 system so that the export utility can extract the data in the correct format and load into GRC 10.0 correctly (GRCFND_A).
Regards, Simon -
Hi Everyone,
We used to have search functionality in previous versions of GRC, where if you want to look up certain transaction to see which functions has it? It was possible up until v5.3, but this seems to be missing in GRCv10, please correct me if I am wrong.
If this functionality exists can someone please guide how to search for a particular transaction in all functions or selected group of fucntions.
thanks in advance
KevHi Everyone,
We used to have search functionality in previous versions of GRC, where if you want to look up certain transaction to see which functions has it? It was possible up until v5.3, but this seems to be missing in GRCv10, please correct me if I am wrong.
If this functionality exists can someone please guide how to search for a particular transaction in all functions or selected group of fucntions.
thanks in advance
Kev -
Hi,
we generated our own brfplus agent. But how is it possible to add more than one user ID to a rule result? We want to inform a group of userIDs.
We don´t want to use MSMP Approver GroupID for the scenario, because we have to make flexible approver results regarding the request details.
Any ideas?
Thanks for your help.
AlexaHi Alexa,
I'm theorising here but you should be able to have a separate decision table which actually lists the user IDs out and reports them into a new result key.
This would effectively be your CAD (in 5.3 terminology). You can then make your original decision table reference that new decision table to find the appropriate result (a list of User IDs rather than just a single entry). Alternatively, you could play with the other types of expressions (e.g. boolean formula etc) to directly work through the logic.
This could quickly end up being a complex over-engineered solution to a potentially simple problem so whilst it may be possible, I'm still not sure I'd go for it. I'd really look back at the core requirement and see whether it would be possible to manage with the direct users mapped or approvers group.
Simon -
GRC V10 SPM: login notification
Hi experts,
we created a lot of Z-objects via SE61 (saved+activated). As well we mapped the MSMP-objects. Everythings fine and work well. We transported every object to the PRD and all Z-objects for MSMP where used. But the login-notification is not a relevant MSMP-event. So where is it possible to change the SAP-object to our Z-object for the login notification of the SPM?
I cannot find the relevant configuration setting in SPRO. Any ideas?
I am talking about the objects: GRAC_SPM_NOTIFICATION + GRAC_SPM_LOG_NOTIFICATION which are used for the login notification events.
Thanks,
AlexaHI Alexa
You will need to configure the custom notification message in the IMG
Path: Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain Custom Notification Messages
Screen shot below is the example you will need for the FF Login Notification Event
The Document Object is the SE61 custom message you created
Note, if you are implemented decentralised FF then you will need to configure this message in the plug-in configuration via IMG path:
Governance, Risk and Compliance (Plug-In) > Access Control > Maintain Custom Notification Messages for Emergency Access (Plug-In)
The program looks for this configuration first based on the message class before using the SAP standard as default.
The message classes you need to create entries for can be found by searching in the matchcode
0AC_SPM_INSTRUCTION 000 SPM workflow instruction
0AC_SPM_LOG_NOTIFY 000 SPM Log notification
0AC_SPM_NOTIFICATION 000 SPM Login Notification -
GRC V10: BRFplus rule transport
Hi experts,
how is it possible to transport a brfplus rule.
we generate a function module via SE37 and afterwards the rule. Are the decision table and all brfplus rule settings in the transport of the function module?
Or should I transport the rule as well via brfplus? But there the "Transport" button is greyed-out, because of local object.
But the generated rule has still a local package in the settings, although the function module was assigned to a customer-package. As well I found a note 1624157, but this note doesn't work.
Any ideas?
Thanks a lot.
AlexaHi Alexa,
Yes brfplus rules will be transported along with function module, no need to transport separately.
First create the function module and assign to to customer package with transport request and dont forget to activate it. Once this is done select "Define Wofkflow-Related MSMP Rules" from SPRO -> Access Control -> Workflow for Access Control.
There select correct process id, rule type, rule kind, Rule id and in Application/Func. Group Name insert the function module which you have created and execute it.
Let me know if it fixes your issue.
Thanks,
Soman -
No Pop-Up Window Opening in GRC AC 10.0 the First Time
Hi Community,
We are encountering a weird issue with GRC AC 10.0 and IE8. After logging in to NWBC and the clicking for the first time on my inbox hyperlink or a report hyperlink, the screen freezes and no pop-up appears. I have to hit the browser back button to go back to the NWBC screen and then when clicking on my inbox or the report hyperlink a second time, the pop-up with my inbox or the report selection criteria screen appears. Has anyone come across a similar issue? Cannot seem to find in on SCN or SAP Note search. Thanks!Hi Joerg
did you see NWBC Web GRC v10 WSOD
The comments in there imply it's an issue with IE8. Have you been able to try a different browser? There is a reference to specific IE8 note
Regards
Colleen -
Request Administration in GRC 10.
Dear GRC Experts,
Currently, my GRC system in I have two issues in GRC AC 10 (SP 10), for which I couldn't find an answer here. Help me if you have encountered the same and solved it.
1. When we search the request, we are not able to see the approver there with whom request is pending.
- We have created a BRF+ initiator and agents. we rechecked again to make sure that we have not skipped any step.
- Even the version generation was without any error).
- Also made sure that the Approver of the request has the correct GRC R/3 Role assigned.
2. When we go to Access Request Administration, there we can't find where the request is pending, we are not able to approve any request with admin rights. In the other action there no drop down is available or no approve or submit. It has only "other Actions" as the option and it has only 'return' which prompts to return at any stage.
- I have assigned all the admin / super user roles to the administrator, but still he is not able to see perform any activity, apart from cancel instance.
3. We have selected the functional area during the request, however we are not able to see post submission of the request. The administrator is not able to see the functional area selected. I have also checked in the user detail tab but could not find it.
Please advise.
Look forward to hear from you.
Regards,
Sahil.
Message was edited by: Sahil BhanushaliHi Sahil,
I have migrated to GRC V10 2 months ago and also have been struggling against issues with Request with no approver found and that could not be redirected in Administration.
I have reviewed all my Decision Tables - Table Settings - and marked "Return initial value if no match is found". With this flag, I could define a Escape Route for Approver Not Found and set up a PATH with one stage for which a BRF+ rule find the proper GRC Support Team to be the approver.
In my case I have some people designed by Company pattern [NA_*] for North America, [SA_*] for South America an so on...
With that, I am now receiving the requests with no approver and use Administration to fix information in the request and then Return to the proper path. I can also you manual Forwards with return to involve proper managers.
Hope this can help you.
Vaner -
Calling GRC NWBC in SAP Portal
I have a requirement where current GRC users are required to use SAP Portal for GRC requests.
I tried to create URL iView calling NWBC but have been facing layout issues. Layout is very short and unable to change even if I use FULL PAGE layout.
I have already tried creating NWBC launch iView but it shows a blank screen along with NWBC screen.
Please guys help me out with this situation.
Please do remember that our Portal is on HTTP while NWBC is one HTTPS.I'm trying to call GRC v10 NWBC with the help of "Launch NWBC" standard iView.
What currently happens is like the moment I click on the NWBC icon in the Portal, it opens a window within portal which BLANK and actually GRC screen (attached screenshot) and at the same time it opens another window that has NWBC and works absolutely fine.
If someway we can stop showing GRC main screen in the Portal which is blank. It will help me solve the problem. -
Error in Role level SoD violations Dashboard
Hi All,
We are running on GRC V10 SP06.
When role level SoD violations dashboard is opened there is no relation between Number of role analyzed (X) in system and Number of roles with violations(Y).
In our case Y is far greater than actual X.
Even the percentage of roles with and without violatons together doesnt constitute 100 % ...
Please help what may be a solution to fix it.
-ThanksHi All,
We are running on GRC V10 SP06.
When role level SoD violations dashboard is opened there is no relation between Number of role analyzed (X) in system and Number of roles with violations(Y).
In our case Y is far greater than actual X.
Even the percentage of roles with and without violatons together doesnt constitute 100 % ...
Please help what may be a solution to fix it.
-Thanks -
Search button is non responsive in Safari and no pop up window appearing
When trying to search for a product in a page on safari, when trying to press the search button is non responsive.
Before the iOS7 update I would press the search button and a pop up window would appear.
This no longer happens, any help with this would be fanatstic - Thank youHi Joerg
did you see NWBC Web GRC v10 WSOD
The comments in there imply it's an issue with IE8. Have you been able to try a different browser? There is a reference to specific IE8 note
Regards
Colleen -
Print Button window Crashed in IE8 browser using SAP EP7.0
Hi,
I have to logon to CRM B2b application in SAP EP7.0 , in B2B application in any print Button click on Print button window is displaying in another window, after few seconds the IE8 browser is closed
Error Message
"Internet Explorer has closed this webpage to help protect your computer
A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage. "
But print button click on IE8 window closed it comes only SAP Enetrpriseportal
Please give me any suggestions.
Thanks
sriniHi Joerg
did you see NWBC Web GRC v10 WSOD
The comments in there imply it's an issue with IE8. Have you been able to try a different browser? There is a reference to specific IE8 note
Regards
Colleen -
GRC AC V10 - one approval step for manager and role owner
Hello Community,
I have one, perhaps easy, question. Where is it possible to maintain the solution of one approval step for manager and roleowner, if both are unique.
E.g.:
simple approval workflow: manager stage afterwards roleowner stage afterwards auto-provisioning
So if the request is routed to the manager and the manager is also the roleowner of the requested authorization role (same UserID). The user has to approve one and the same request twice.
Is it possible in V.10 to change the config that the user has only to approve the request once? And then to decide on which relevant stage settings are valid for this process.
Thanks,
AlexaHi Alexa,
We have had a similar questions raised in a project. In an ideal world, a single "Sign-off approval" would be a great functionality where the same user has to approve the same consecutive stages, but the reason for different stages would entail that the responsibilities entailed per stage differ, e.g. Line Manager would just check the over request, and the role owner etc may be reviewing the elegibility of a specifc role etc.
If it is likely to be the same person reviewing the 2 consecutive stages, maybe a single stage workflow would be sufficient to cover this scenario.
I think the logic you are trying to configure in the workflow is possible but will require alot of work with knowing how to create a clever custom workflow with BRF+ or the actual WF stuff in SAP itself.
Maybe you are looking for
-
Problem with Date Formatting in BW server - Urgent
Hi, I have one requirement in which i need to find a date which is 5 days prior to system date. example if sys date is 27.02.2007, then required date is 04.03.2007. how to find? is there any function module to do this? in R/3 system, we have one func
-
Help before I throw this into the wall.
I just received a ipod for my birthday. I have installed software and have loaded music and some podcasts to itunes successfully. However, when I plug in my ipod it opens up itunes but doesn't send the songs to my ipod. My ipod is empty. help! Othe
-
Button tabular form strange behaviour
Hello everibody. Working with Oracle 10G Forms & Database. I have a tabular form. In this I have some buttons added to every row of tabular. I use a Access Key to can execute any of those buttons. The problem. If I use the Access Key the trigger fire
-
When i try and import my iPhoto Libary i cant select the files! Its really annoying, i went to file -> import then iPhoto libary but it wont let me! Argh, sorry if this is a frequent post, Thanks in advance, Jimbo
-
Choose not to include a song in 'shuffle' function
I used to be able to select particular songs which would not get included in random shuffle. I could play all the music on my ipod randomly but avoid playing non-music items on my ipod like audiobooks, iTrip station settings, etc. Can the latest vers