GRC V10 - Agent BRFplus
Hi,
we generated our own brfplus agent. But how is it possible to add more than one user ID to a rule result? We want to inform a group of userIDs.
We don´t want to use MSMP Approver GroupID for the scenario, because we have to make flexible approver results regarding the request details.
Any ideas?
Thanks for your help.
Alexa
Hi Alexa,
I'm theorising here but you should be able to have a separate decision table which actually lists the user IDs out and reports them into a new result key.
This would effectively be your CAD (in 5.3 terminology). You can then make your original decision table reference that new decision table to find the appropriate result (a list of User IDs rather than just a single entry). Alternatively, you could play with the other types of expressions (e.g. boolean formula etc) to directly work through the logic.
This could quickly end up being a complex over-engineered solution to a potentially simple problem so whilst it may be possible, I'm still not sure I'd go for it. I'd really look back at the core requirement and see whether it would be possible to manage with the direct users mapped or approvers group.
Simon
Similar Messages
-
Good day,
OK, it seems that I am missing something with GRC 10. We are upgrading from CC4.0 to GRC 10. I believe I have everything configured through SPRO correctly. I can run a risk analysis on end users and I get results. I am now at the point where I put the mitigations into the system but I have seem to run into a snag. When I go to master data > Mitigation, I start to fill in the information but when I try to add a AC Owner I get "No Results Found".
I have tried adding a Owner to a risk and then going back, I have also added a user under "Access Management" tab with "Access Control Owners". I have reviewed almost every node in SPRO and I can not seem to find where I am missing something.
I am sure it is simple since I can not find any documentation on this almost anywhere. We are currently running GRC v10 SP5. We are only planning to use the RAR (5.3 term) portion of AC not the other part (Example: Risk Terminator). Please let me know if there is a simple solution to get a user populated in the AC Owner tab.
Kind Regards,
PaulSome of the GRC Roles ..
SAP_GRAC_ACCESS_APPROVER Role for Access Request Approver
SAP_GRAC_ACCESS_REQUESTER Role for End user
SAP_GRAC_ACCESS_REQUEST_ADMIN Role for Access Request Administrator
SAP_GRAC_ALERTS Generate, clear and delete SOD Alerts
SAP_GRAC_ALL Super Admin for AC
SAP_GRAC_BASE Base Role for all Access Control Users.
SAP_GRAC_CONTROL_APPROVER Create AC MIT control, approve, assign, alert and perform Risk analysis
SAP_GRAC_CONTROL_MONITOR Ability to assign MIT control to Risk and perform risk analysis
SAP_GRAC_CONTROL_OWNER Create AC MIT control.
SAP_GRAC_DISPLAY_ALL Display Access To All AC Objects.
SAP_GRAC_END_USER End User as a GRC Guest
SAP_GRAC_FUNCTION_APPROVER Approve Function for Workflow
SAP_GRAC_NWBC View Access Control Information Architecture.
SAP_GRAC_REPORTS Ability to run all AC reports.
SAP_GRAC_RISK_ANALYSIS Ability to Perform Risk Analysis
SAP_GRAC_RISK_OWNER Risk maintainence And Risk Analysis
SAP_GRAC_ROLE_MGMT_ADMIN Role Management Admin
SAP_GRAC_ROLE_MGMT_DESINGER Role Management Designer
SAP_GRAC_ROLE_MGMT_ROLE_OWNER Role Owner
SAP_GRAC_ROLE_MGMT_USER Role Management Business User
SAP_GRAC_SUPER_USER_MGMT_USER Super User Firefighter
SAP_GRAC_SUPER_USER_MGMT_ADMIN Super User Administrator Role
SAP_GRAC_SUPER_USER_MGMT_CNTLR Super User Controller Role
SAP_GRC_MSMP_WF_ADMIN_ALL MSMP Overall Administrator
SAP_GRC_MSMP_WF_CONFIG_ALL MSMP Overall Configurator
SAP_GRAC_RULE_SETUP Ability to define Access Rules
SAP_GRAC_SETUP Ability to setup Access Control
SAP_GRC_FN_BASE GRC - Base role to run applications
Hope it helps ..
Vikas -
WebServices in GRC v10.0
Hi all,
I have three questions to WebServices regarding SAP GRC v10.0:
1. Is it possible with v10 to check permissions via WebServices (SAPGRC_AC_IDM_*) only with the RAR component? In v5.3 it was only possible, if CUP was installed too.
2. Contain the WebService SAPGRC_AC_IDM_RISKANALYSIS in v10 a analysis of critical permissions? In v5.3 only SoDs and critical actions was checked.
3. What is the task of the parameter includeCrossSystemsAnalysis of the WebService VirsaCCRiskAnalysisService in v10? In v5.3 the value of this WebService has no impact to the SoD check (it SHOULD be:
includeCrossSystemsAnalysis == true ==> cross system SoD check
includeCrossSystemsAnalysis == false ==> single system SoD check
But doesn't matter what's the value of the parameter. There is always a cross system check. Has this changed in v10.0?
Regards
PeterHi Peter,
AFAIK the web services have not yet been published.
If you had the web service return violations without the requirement for CUP, what would you do with that information?
I hear that question a lot, I would really like to understand the ideas behind it.
To one of your other questions: cross system check is only possible for dedicated cross system risks. If there are no such risks defined, this will not yield any results no matter what the value of the parameter is.
Thanks,
Frank. -
Hi,
I need some information about implementing integration with SAP GRC v10 and SoD. Does anyone of you has any experience in that configuration?
We have only base information in SAP UM Connector doc and on metalink either. Dooes anyone work with SAP GRC v10 and OIM 11g?
best
mpSee if this helps:
http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
regards,
GP -
GRC V10: BRFplus rule transport
Hi experts,
how is it possible to transport a brfplus rule.
we generate a function module via SE37 and afterwards the rule. Are the decision table and all brfplus rule settings in the transport of the function module?
Or should I transport the rule as well via brfplus? But there the "Transport" button is greyed-out, because of local object.
But the generated rule has still a local package in the settings, although the function module was assigned to a customer-package. As well I found a note 1624157, but this note doesn't work.
Any ideas?
Thanks a lot.
AlexaHi Alexa,
Yes brfplus rules will be transported along with function module, no need to transport separately.
First create the function module and assign to to customer package with transport request and dont forget to activate it. Once this is done select "Define Wofkflow-Related MSMP Rules" from SPRO -> Access Control -> Workflow for Access Control.
There select correct process id, rule type, rule kind, Rule id and in Application/Func. Group Name insert the function module which you have created and execute it.
Let me know if it fixes your issue.
Thanks,
Soman -
GRC AC10 Agent based upon Role Attributes
Hi Experts,
Need your help on the issue.
We are trying to achieve below configuration-
After the Access request is generated, at the first stage, the approver should be selected based upon the business process of the role. If there are multiple roles with different Business Processes and their approvers, all of them should approve the request and then request should go to the next stage.
There is also a field Business Process in the Access Request Screen which denotes the User's association with Business Process and not of the role. We are able to trigger the approval based upon this field, but we can;t find any option of approver selection based upon the business process of the role.
Can some one show a way to achieve that?
We are facing another problem, when the request is approved based upon the field Business Process in the Access Request screen, we are not able to find the request in next stage, it is still showing in the same stage while the role attached is only one and no other approver defined.
What could be the reason behind it? Any help is highly appreciated.
Thanks in advance,
SabitaHello Sabita,
You can use the transaction : GRFNMW_DBGMONITOR_WD to check the logs.
What i understand from your requirement and what would be my approach.
1) Approvers who will be ROLE OWNERS
> In this case 1st thing is you should upload few ROLES( NWBC>Access Mgmt-->Role Import) with all the details i.e function area, company , role owner, alternate approver
---> Now create a "Custom Initiator from SPRO >GRC>AC>workflow for access control>Define Worflow Related to MSMP rules for Process ID SAP_GRAC_ACCESS_REQUEST
Run Tx: BRF+ , and you will see a rule created , drill down to "Expression-->Decision Tree"
and use "Table settings" to select "Condition Column" & "Result Rule sets", where you can configure the Custom Initiator
Now run Open MSMP workflow config window
1) Process Global settings ( Notification details if necessary)
2) Maintain Rules (add your custom initiator rule )
3) Maintain agents ( check & if not present add Role owner agent)
i.e. GRAC_AR_ROLE_OWNER (This will satisfy 1 st requirement)
Create a new agent as BSM and mapp them as "directly mapped user" , similarly for the 3rd stage you can use directly mapped user.
4)Variables & Templates --> Skip
5)Maintain Path ( add 3 stages as required i.e role owner, BSM & security officer)
Now for each stage click on "modify Task Settings" & click on individual check boxes as relevant , you can select "All approvers" or "Any one approver", Approve Request based on System & Role , or Request .
Same applies to all the other 2 stages.
6) Maint Route Mapping --> put the path ID created in previous stage and save and activate.
I hope this should give you some fair idea.
Thanks
Victor -
Error in Generating GRC BRF Agent Rule
Hello Gurus,
I am atrying to generate a BRF Agent Rule but am aaunable to activate MSMP workflow corresponding to that:
Error in MSMP Workflow while activation:
1) MSMP process SAP_GRAC_ACCESS_REQUEST_HR version IMG Configuration Tables contains errors
2) abap dictionary data object binding is out of synchronization
Below are the screen shots of my BRF Rule configuration. I have created a procedure call which is tied to function moduleHello,
I assume you have already checked the below document where it is explained the procedure call and Function
cross check your settings with below document
AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
if everything is fine provide the MSMP error screen shot.
Regards
Baithi -
Hello All,
Currently we are in GRC 5.3 SP13.We are planning to migrate to GRC 10 with PLUGIN level 7.We are in process of upgrading GRC 5.3 to Sp16 before migrating to GRC AC 10.As per the note 1655924 and 1662113,we find that GRC PLUGIN is compatible with GRC 5.3 RTA's.
Can you please confirm upto which RTA Level GRC 5.3 RTA is compatible with GRC 10 PLUGIN 7.
Thanks,
JagatHi Jagat,
I don't think there is a hard dependency between the RTA VIRSA* and GRCPI* Plugin as each have a completely separate code base.
The dependency is really on the GRC 5.3 system so that the export utility can extract the data in the correct format and load into GRC 10.0 correctly (GRCFND_A).
Regards, Simon -
Hi Everyone,
We used to have search functionality in previous versions of GRC, where if you want to look up certain transaction to see which functions has it? It was possible up until v5.3, but this seems to be missing in GRCv10, please correct me if I am wrong.
If this functionality exists can someone please guide how to search for a particular transaction in all functions or selected group of fucntions.
thanks in advance
KevHi Everyone,
We used to have search functionality in previous versions of GRC, where if you want to look up certain transaction to see which functions has it? It was possible up until v5.3, but this seems to be missing in GRCv10, please correct me if I am wrong.
If this functionality exists can someone please guide how to search for a particular transaction in all functions or selected group of fucntions.
thanks in advance
Kev -
GRC V10 SPM: login notification
Hi experts,
we created a lot of Z-objects via SE61 (saved+activated). As well we mapped the MSMP-objects. Everythings fine and work well. We transported every object to the PRD and all Z-objects for MSMP where used. But the login-notification is not a relevant MSMP-event. So where is it possible to change the SAP-object to our Z-object for the login notification of the SPM?
I cannot find the relevant configuration setting in SPRO. Any ideas?
I am talking about the objects: GRAC_SPM_NOTIFICATION + GRAC_SPM_LOG_NOTIFICATION which are used for the login notification events.
Thanks,
AlexaHI Alexa
You will need to configure the custom notification message in the IMG
Path: Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain Custom Notification Messages
Screen shot below is the example you will need for the FF Login Notification Event
The Document Object is the SE61 custom message you created
Note, if you are implemented decentralised FF then you will need to configure this message in the plug-in configuration via IMG path:
Governance, Risk and Compliance (Plug-In) > Access Control > Maintain Custom Notification Messages for Emergency Access (Plug-In)
The program looks for this configuration first based on the message class before using the SAP standard as default.
The message classes you need to create entries for can be found by searching in the matchcode
0AC_SPM_INSTRUCTION 000 SPM workflow instruction
0AC_SPM_LOG_NOTIFY 000 SPM Log notification
0AC_SPM_NOTIFICATION 000 SPM Login Notification -
Request Administration in GRC 10.
Dear GRC Experts,
Currently, my GRC system in I have two issues in GRC AC 10 (SP 10), for which I couldn't find an answer here. Help me if you have encountered the same and solved it.
1. When we search the request, we are not able to see the approver there with whom request is pending.
- We have created a BRF+ initiator and agents. we rechecked again to make sure that we have not skipped any step.
- Even the version generation was without any error).
- Also made sure that the Approver of the request has the correct GRC R/3 Role assigned.
2. When we go to Access Request Administration, there we can't find where the request is pending, we are not able to approve any request with admin rights. In the other action there no drop down is available or no approve or submit. It has only "other Actions" as the option and it has only 'return' which prompts to return at any stage.
- I have assigned all the admin / super user roles to the administrator, but still he is not able to see perform any activity, apart from cancel instance.
3. We have selected the functional area during the request, however we are not able to see post submission of the request. The administrator is not able to see the functional area selected. I have also checked in the user detail tab but could not find it.
Please advise.
Look forward to hear from you.
Regards,
Sahil.
Message was edited by: Sahil BhanushaliHi Sahil,
I have migrated to GRC V10 2 months ago and also have been struggling against issues with Request with no approver found and that could not be redirected in Administration.
I have reviewed all my Decision Tables - Table Settings - and marked "Return initial value if no match is found". With this flag, I could define a Escape Route for Approver Not Found and set up a PATH with one stage for which a BRF+ rule find the proper GRC Support Team to be the approver.
In my case I have some people designed by Company pattern [NA_*] for North America, [SA_*] for South America an so on...
With that, I am now receiving the requests with no approver and use Administration to fix information in the request and then Return to the proper path. I can also you manual Forwards with return to involve proper managers.
Hope this can help you.
Vaner -
No Pop-Up Window Opening in GRC AC 10.0 the First Time
Hi Community,
We are encountering a weird issue with GRC AC 10.0 and IE8. After logging in to NWBC and the clicking for the first time on my inbox hyperlink or a report hyperlink, the screen freezes and no pop-up appears. I have to hit the browser back button to go back to the NWBC screen and then when clicking on my inbox or the report hyperlink a second time, the pop-up with my inbox or the report selection criteria screen appears. Has anyone come across a similar issue? Cannot seem to find in on SCN or SAP Note search. Thanks!Hi Joerg
did you see NWBC Web GRC v10 WSOD
The comments in there imply it's an issue with IE8. Have you been able to try a different browser? There is a reference to specific IE8 note
Regards
Colleen -
Calling GRC NWBC in SAP Portal
I have a requirement where current GRC users are required to use SAP Portal for GRC requests.
I tried to create URL iView calling NWBC but have been facing layout issues. Layout is very short and unable to change even if I use FULL PAGE layout.
I have already tried creating NWBC launch iView but it shows a blank screen along with NWBC screen.
Please guys help me out with this situation.
Please do remember that our Portal is on HTTP while NWBC is one HTTPS.I'm trying to call GRC v10 NWBC with the help of "Launch NWBC" standard iView.
What currently happens is like the moment I click on the NWBC icon in the Portal, it opens a window within portal which BLANK and actually GRC screen (attached screenshot) and at the same time it opens another window that has NWBC and works absolutely fine.
If someway we can stop showing GRC main screen in the Portal which is blank. It will help me solve the problem. -
Error in Role level SoD violations Dashboard
Hi All,
We are running on GRC V10 SP06.
When role level SoD violations dashboard is opened there is no relation between Number of role analyzed (X) in system and Number of roles with violations(Y).
In our case Y is far greater than actual X.
Even the percentage of roles with and without violatons together doesnt constitute 100 % ...
Please help what may be a solution to fix it.
-ThanksHi All,
We are running on GRC V10 SP06.
When role level SoD violations dashboard is opened there is no relation between Number of role analyzed (X) in system and Number of roles with violations(Y).
In our case Y is far greater than actual X.
Even the percentage of roles with and without violatons together doesnt constitute 100 % ...
Please help what may be a solution to fix it.
-Thanks -
Search button is non responsive in Safari and no pop up window appearing
When trying to search for a product in a page on safari, when trying to press the search button is non responsive.
Before the iOS7 update I would press the search button and a pop up window would appear.
This no longer happens, any help with this would be fanatstic - Thank youHi Joerg
did you see NWBC Web GRC v10 WSOD
The comments in there imply it's an issue with IE8. Have you been able to try a different browser? There is a reference to specific IE8 note
Regards
Colleen
Maybe you are looking for
-
Hyperlinks in PDF linking incorrectly
I created a document in InDesign (CS4) with hyperlinks. When I test them in the document from the Hyperlinks panel, they all work great. After I have converted it into a PDF, some of the links are linking incorrectly. In the document, the name of the
-
How can I delete the huge "other" section in my storage?
How can I delete this huge "other" category? I don't even know what is in that category. Thank you!
-
Can't add any new files to itunes
Hi In the past I've managed to add new music files via "file" then "add file to library" from the top toolbar - the file is then added to your libra. For some reason this isn't working now! Get to select a file, but when press oK nothing is added. Wo
-
Cost center locked but SAP allows for PO creation
Dear All, We have a requirement such that whenever a cost center is locked, system should not allow users to create PRs / POs for locked cost center. I tried it through authorization control, but in MM there is no object for cost center. Could expert
-
I've created a master/detail infobus applet with jdeveloper2. In the detail panel, I want to see multiple rows and therefore I used the gridcontrol component. However, this way I can't manipulate the columns (e.g. change one column into a combo box).