Hi GRC AC expert!

Hi Expert!
Without an HR trigger, is there any way to create an access request automatically?
For example,
if GRC received user information from a legacy HR system,
is it possible to create an ABAP program that creates an access request in the GRC system?
Best Regards.
JB.

Hi Joong,
In case you want to have the request created AUTOMATICALLY, you have to go with HR triggers; or else, for the same purpose but with no automation in request creation, you can apply BRF+ methodologies in order to have the request created manually.
Hope this clears your doubts.
Ameet

Similar Messages

  • GRC - Role Expert v5.2: how does the Transaction Usage functionality work

    Hi All,
    We are implementing GRC suite v5.2, but specifically my question is regarding Role Expert:
    SAP documentation states that it is possible to use Role Expert to do the following: for roles allows you to see if, or how much, a transaction is being used, when it was last used, and who used it.
    My question is how without Audit Log or RBE?
    Let me know if you have ever used this functionality and if it requires the SAP Back-End Audit Log to be turned on or RBE.
    Thanks in advance!

    Hi Gary,
    You don't need an RBE tool activation to get the successful transaction usage log with Role Expert.
    Role Expert functionality allows you to log all the transactions that have been added/deleted to the role that is changed. Also, when you create a new role via the Role Expert, the transaction log starts automatically.
    If you go to the "History" tab in the Role Expert, then you can find all the last changes made to the role.
    Also you can go to the "Risk Analysis" tab to find the log of Risk Analysis performed with the added tcodes.
    Hope this helps.
    Thanks,
    Kiran Kandepalli.

  • GRC - CRM Org.Update

    Hi All,
    I want to update BP employee master data using GRC. Is this supported by GRC? Experts please share your opinion.
    Requirement:
    Whenever a new user is created, update this user's SAP UserID into BP master data through GRC. Can GRC be used for this kind of update?
    How is the HR org structure assignment request working with GRC? Can I use it for fetching the CRM org structure and update it using this MSMP process ID (SAP_GRAC_ACCESS_REQUEST_HR)?
    Can I use the Organizational assignment request in SAP GRC to update the org. structure in my CRM system? Will that work? As I can see in the template used for the org. assignment request, below are the attributes mentioned. Is the role mentioned in this template a business role tagged to a position in CRM? Or is this different?
    Please share your thoughts.
    Regards,
    Madhu.

    Hi Claudio,
    Thanks for the details.
    We have an org. structure defined in our system.
    We have PFCG roles created for each position in the org. structure.
    Now can I assign my PFCG role to a position in my org. structure? How does this actually work? How does GRC connect and update the org. structure?
    We are using SAP transportation management (TM) system.
    Is this request type "Organizational Assignment Request" applicable for only HR system?
    Any guidance or documents to understand the concept of organizational assignment request will be very helpful.
    Thanks & Regards,
    Madhu.

  • GRC EAM Authorizations: Few Anomalies in Standard Roles

    Hi GRC/ Security Experts,
    To brief you quickly, we have an SAP GRC AC 10 SP13 about to be deployed with ARA & EAM Modules as a first phase deployment.
    All of the functionality is almost setup, just refining few things before going live.
    About the GRC Authorizations, I observed few anomalies in the standard delivered SAP Roles for EAM.
    I am aware that processes & compliances can vary from organization to organization. I am trying to redesign some of the EAM related authorizations, especially for Firefighter Owner/Controller.
    In the standard delivered EAM roles, there are few things missing and few unnecessarily attached.
    I am already aware of the provided information in the following resources:
    - 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
    - 1663949 - EAM: Authorization Fixes for Central Owners and Reason Codes and have referred to EAM Authorization
    - EAM Authorization Concepts & Guide
    - GRC AC Latest Security Guide.
    I am wondering, many GRC AC 10 implementations must have gone live by now, so how can the following authorization hardening concerns be addressed?
    I observed the following anomalies, and used ST01 tracing to refine and address a few of them; still, some of them I can't seem to get hold of:
    1) [SOLVED] EAM Owners should technically not be allowed to Create/Maintain Reason Codes; that should be the EAM Administrator's task. This was addressed by adjusting the auth objects from the Owner's Role, and only Reason Codes Display was provisioned to the owners, hence this is addressed.
    2) [SOLVED] EAM Owners should not be allowed to Create/Maintain EAM Controllers. This is a grey controversy I believe, as in my organization EAM Controller is treated on an even Higher Scale than Owner and thus EAM Controller maintenance should only be done by the EAM admin rather than the EAM Owner. This also I have addressed by adjusting a few auth objects, which leaves the EAM Owners with Display only access of EAM Controllers.
    3) [UNSOLVED] EAM Owner is able to assign any Firefighter ID to End-User: This is an anomaly as per me, and is also specified in notes 1730649 & 1663949, but I find it hard to figure out the real solution of that specific issue. The notes just point to the EAM Authorization Guide, which explains the GRC Authorization concept in general, which I of course get. The GRC SP13 is already higher than the one applicable for the issue.
    Technically the EAM Owner should only be able to ASSIGN the FF IDs that are Owned by him; this I can't seem to figure out how exactly.
    I have gone through the Authorization Guide, Security Guide, and played too much with System Trace ST01 trying to redesign the authorizations. How would you have done it? This wasn't there in Virsa earlier; it used to bug you back saying that the FF ID is not owned by you.
    4) [UNSOLVED] Similarly to the above, EAM Owner is able to modify assignments/delete assignments of any FF ID. This is of course cascaded from the above issue. I believe it doesn't have to be like this; the EAM Owner should only be able to access/modify/maintain the FF IDs owned. Maintenance of the FF IDs not owned by the EAM Owner should be truly abstained.
    5) EAM Owners should not be able to Add/Delete the Assignments of Owner with FF ID. This is the starting point of the Firefighter Structure and must be restricted to the EAM Administrator. In the Standard EAM Owner role, an EAM Owner can create another Owner, assign a FF ID to another Owner, and delete an Owner-FF ID assignment. The EAM Owner should have display only access as far as the EAM Owners access Area is concerned. This one I have yet to test, which I think would be possible. Can't get hold of points 3 & 4.
    I have already studied/implemented the suggestions/recommendations/corrections from Authorization Guide.
    But I still feel that these are a few loopholes and must be closed before I conclude the implementation.
    What do you think?
    Would truly appreciate, if you can point out the objects and values that can help to address the open issues.
    Apologies, for such a lengthy post, but the authorization goes deep here I guess and ST01 isn't helping me anymore to get over this.
    Regards,
    Akshay

    Hi Colleen,
    Thanks for your reply, I was sure I will be getting first response from you, as you are really proactive in GRC Space.
    W.r.t. your suggestions:
    1) I am not able to follow what you mean by "Are you able to try debugging CALL METHOD cl_grac_auth_engine=>authority_check"? I am not much of an ABAPper/debugger, but if you can point out what exactly is to be done, or to be got done, I wouldn't mind getting my hands dirty at this too.
    Correct me if I am wrong, do you imply that, even though the specified correction in note is available in system (SP13), still this inbuilt authority check is not happening and is being bypassed?
    2) I checked the EAM Authorization Guide for Auth Object GRAC_USER.
    With what you feel in the below message of yours=>
    Starting to wonder if it is as the EAM Guide attached to the above notes mentions authorisation GRAC_USER which contains a field for user (quote from guide below).
    User ID : This Field Specifies which firefighter users you can Display and Perform other activities based on the Activity Field .
    That suggests you need different roles to restrict owners? I would have thought SAP would differentiate between authorisation to maintain FF as an Administrator versus Owner allow access to their Ids.
    I would have thought Administrator would get the GRAC* authorisations whilst Owners would obtain access via owner setup (mapping for FF Id)
    I went back to the EAM Guide and tried to put it all together to make sense.
    With my below observations, I think too that there is no such thing as mapping of FF ID with the Owner, out of the Box in GRC AC 10 so that Owner is able to access only the FF IDs owned.
    So, if that would be true, then to achieve this sort of wish, I would have to have separate roles from each EAM Owner specifying, the FF IDs that particular EAM Owner is able to access. And then there would be n number of Roles for n number of Owners, which is subject to change and has to be maintained again. Then also, the FF ID owned could also be added/removed etc, Whoa! That wouldn't make me far away from rationalizing the whole objective.
    I just wonder, if this is actually Ok? If there is no approach to this, would it be OK to let any EAM Owner work with any FF ID subject to their own desire.
    Anyways, check this out below; I will sideways open a message with SAP just to have my closure.
    From EAM Authorizations Guide in the note=>
    Now from the EAM Owner's Role=>
    This nowhere mentions restricting the FF IDs in the Role; if at all this concept exists, it would be through some internal check like the one above, i.e. CALL METHOD cl_grac_auth_engine=>authority_check or something.
    Also, found these few specifications as well, which affirms the same I believe.
    Much thanks for your effort and patience.
    Regards,
    Akshay

  • Content Life Cycle Management - Portal or NW Client.

    Hello GRC PC Experts,
    Kindly let us know whether Content Life Cycle Management is compatible with Portal as front end.
    Or whether CLM is only compatible with NW Client.
    Please let us know.
    Thanks and regards
    Babu

    Hi,
    You need to integrate the system with the portal:
    System administration - System configuration, and then add the system.
    If you have SSO then it is better.
    Then create a new iView using templates, use the SAP BSP iView template, select the system, and then give the application name and start page of your BSP application.
    Thanks and Regards,
    gopal

  • Difference between SAP Access Control and IDM

    Hi Expert,
    I have one question: what is the difference between SAP Access Control and SAP Identity Management?

    Ali,
    That's a good question, but a tough one.
    While both applications can do most of what the other can do, it's a matter of specialization in my opinion.
    Access Control is all about managing and controlling access to SAP system roles and has the ability to report on role conflicts for compliance and reporting purposes. (I'm sure I'm leaving a lot out, but maybe a GRC / AC expert can fill in more details)
    SAP IDM is about managing the user life cycle with regards to landscape and enterprise systems. It will handle the creation, update and ultimately the removal (or de-provisioning) of users in SAP ABAP, SAP JAVA, LDAP, JDBC, and API based applications. It will also do Role Management through a web based UI (User management is web based as well), and as of the latest Service Pack for SAP IDM 7.2, it will do attestation (limited certification) as well. It is a definite upgrade to CUA as it will work with a greater variety of systems and include workflows and approvals.
    GRC will do some provisioning, but it's somewhat limited, as is IDM's compliance abilities.
    The applications are designed to work together, however it does not have a great track record and the integration is typically heavily modified to work as desired.
    If you have specific questions, feel free to post / DM.  Obviously I am more knowledgeable about IDM, but I'll be happy to help you in any way possible.
    Regards,
    Matt

  • Removing Role expert from the GRC Pad

    Hi Guys
    We are using three products of GRC, i.e. RAR, SUP and Compliance User Provisioning, but NOT the Role Expert. Is there any way that I can show only these three tools in the GRC pad and remove the Role Expert? At the moment it is greyed out but still there.
    Parveen

    Hi Praveen,
    All capabilities are integrated into Launch Pad which are part of VIRACLP****.ear file. And there is no way we can take it out for the current release.
    Best Regards,
    Sirish Gullapalli.

  • GRC AC 5.3 - Role Expert / Enterprise Role Management Dev Environ Connect

    We are looking to start using Role Expert/Enterprise Role Management. As I am working through the planning process, I am looking at where to connect our ERM DEV/QA/PROD environments. We want the ERM Production environment connected to our R/3 Development environment, so we can transport the roles from R/3 DEV to Q/A to PROD. So, if our production ERM system is connected to the R/3 DEV, where do I connect the ERM DEV and QA environments? I still think it's important to have those environments, so we can test support pack upgrades as well as use them for the initial deployment/connections. Any suggestions? How have others done this?

    Found Answer - SAP provided Access Control Landscape Diagram on SAP.com.

  • Problem with Edit option for a role created in GRC 10.0

    Hello Experts,
    I created a role in GRC 10.0, and I see my newly created role in the list of roles. If I want to edit the role, I select the row, click "OPEN" and edit the role.
    But when I click the role directly and enter the role, the "EDIT" button is disabled and even the maintain authorization button is disabled.
    Did SAP define it in such a way that we should select the role and click OPEN, and only then can we edit, or is this a bug?
    Please let me know if any one of you has faced the same problem.
    Regards,
    Jagadish Bhandaru

    Hi,
    Sabita is correct.
    Here is the link to the documentation
    SAP Access Control 10.0
    Simon

  • Logical Groups in GRC-AC

    Dear Experts,
    We are using the business role concept. Only business roles are assigned and not technical roles.
    The requirement is to assign a business role from the GRC Prod system to ECC DEV and ECC QA also, apart from ECC Prod.
    To do so we have a logical group SAP_R3_LG mapped to ECC Prod for all actions 1, 2, 3 and 4. Do I need to create 2 other logical groups mapped to ECC DEV and QA respectively?
    Also I believe we need to create different business role names for the QA and DEV systems.
    Appreciate your thoughts on this...
    Thanks,
    Mamoon

    Hi Mamoon,
    First of all, you need to create unique connector groups for each connector in order to create/maintain the roles in the backend systems. Then you need to map the connector in the corresponding connector groups.
    In BRM, you can have only one system as default connector and this would not let you maintain the roles in case you have to use multiple connectors for role maintenance.
    Make sure to define the integration scenarios for each connector individually.
    Hope this would help.
    Regards,
    Ameet

  • NF-e Meet-the-Expert Session - Choose the topic and register!!!

    Hi everyone,
    On April 23 we will hold a meet-the-expert session on NF-e and we would like your help in shaping this session. This webinar will take place in both English and Portuguese, at 10:00 in the morning in English and at 14:00 in Portuguese.
    The goal of the session is to show the most common nota fiscal errors in ERP and in GRC and how to analyze and resolve them, thereby minimizing the impact on operations and making it easier to implement changes/improvements.
    To that end we created a Google form in which we list the main NF-e incidents, and we would like you to help us prioritize which would be the most relevant to present.
    To register for the session you need to have an S-User and use the following link.
    You can open the form and vote on the topics at this link.
    In addition to this session we will create a series of posts in document format (which allows collaboration and editing by several people) describing these scenarios.
    Regards,
    Renan Correa

    Hello Paulo,
    You can go to the Service Marketplace, look for an area called SAP Enterprise Support Academy and search for the course below:
    Analyze and Solve Nota Fiscal Issues in SAP ERP and SAP Nota Fiscal 10.0
    Regards,
    Renan

  • GRC installation independent of the current NetWeaver

    Hello Experts,
    I need to install GRC to implement NF-e v2.00. We currently have an ECC 6.0 environment that will be updated via Notes up to the required SP (approx. 351 notes). We also have a NetWeaver PI environment that communicates with this ECC and has several interfaces via ABAP Proxy, IDOC and RCF.
    I would like to know whether it is possible to install a new NetWeaver PI environment for GRC, independent of the current PI, and whether the ECC can communicate normally with both Integration Servers.
    Thanks in advance.

    Well, these are 2 different things:
    1 - use the current PI as PI only and create a new ABAP Stack 7.0 for the GRC client
    2 - use the current PI both as PI and as the ABAP stack for the GRC client.
    I see no problems with 1; it even makes maintaining your landscape easier.
    For 2, I would not recommend it for several reasons, mainly:
    a) it complicates the maintenance of a PI that is already central to your company.
    b) the next version of NFE, to be released at the end of the year, will require the ABAP Stack of the GRC client to be upgraded to NW 7.02 (7.0 EhP 2), which could impact your PI environment.
    I see model 2 as an acceptable model if you think the current PI environment will not be able to give you the SLA needed to process the NFes, because you already face many problems with the other interfaces. However, if you have administration problems in one PI, the tendency is that you will have the same problems in the other PI as well; that is, the company needs to learn to have a culture of proactive rather than reactive PI management anyway, which more or less ends up eliminating the need for the 2nd one... But if the company still thinks it would be easier, in the short term, to install a new one than to "clean up" the current one, it is indeed possible. But always with the goal of migrating this to a single PI in the medium/long term.
    Regards,
    Henrique.
    PS: whether for model 1 or 2, the sizing needed to serve the NFe scenario is significant. Whether on a separate server or by adding capacity to the existing server, you need more hardware (memory, processor, disk) for NFe processing. And this is all the more critical the greater your NFe volume.

  • Subcontracting GRC 10.0 - Item Category

    Hello Experts,
    We are facing the following situation:
    In the NF-e category configuration we need to leave the Item Type field as Normal Item.
    When we run the Subcontracting scenario, it is not determining Item category = "31" for the returned finished material.
    As a result, the CFOP of this inbound entry is incorrect.
    We would like to know what needs to be adjusted for the system to recognize this category "31", given that if we remove Item category "1" from the Nota Type, GRC does not perform any normal purchase order receipt.
    All notes for component XX-CSC-BR-NFEIN have been applied.
    Thank you!

    Hi Thamir,
    First you need to understand whether it is a bug or a wrong configuration.
    Does it work when doing MIRO manually? If not, why? Debug it.
    Then, if you find out it is a bug, open a ticket. (I think that's unlikely.)
    If it is a configuration or procedure problem, it has to be corrected.
    You can't just start developing like that. That will cause a much bigger problem later on.
    Regards

  • Error - while assigning FF-Owners to FF-Id's in GRC-10 AC

    Hi Experts,
    I am facing the issue below while configuring Super user assignment (while assigning owners to FF IDs).
    Please let me know if any one of you encountered the same issue and how you resolved it.
    Error while processing your query
    What has happened?
    The URL call http://yashgrcsrv.sapyash.com:8010/sap/bc/webdynpro/SAP/GRAC_UI_SPM_OWNER_POWL was terminated because of an error.
    Note
    The following error text was processed in system G10 : The ASSERT condition was violated.
    The error occurred on the application server YASHGRCSRV_G10_10 and in the work process 1 .
    The termination type was: RABAX_STATE
    The ABAP call stack was:
    Method: IF_POWL_FEEDER~HANDLE_ACTION of program CL_GRAC_POWL_SPM_FFOWNER======CP
    Method: FEEDER_HANDLE_ACTION of program CL_POWL_MODEL=================CP
    Method: DISPATCH_ACTION of program CL_POWL_MODEL=================CP
    Method: DISPATCH_PREPARED_ACTION of program CL_POWL_TABLE_HELPER==========CP
    Method: ON_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: IF_TABLE_DATA~ON_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: ON_TOOLBAR_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: ON_TOOLBAR_OBJECT_ACTION of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: IF_WDR_VIEW_DELEGATE~WD_INVOKE_EVENT_HANDLER of program /1BCWDY/07CT55XNN6UHRCSZMBJE==CP
    Method: INVOKE_EVENTHANDLER of program CL_WDR_DELEGATING_VIEW========CP
    What can I do?
    If the termination type is RABAX_STATE, you will find more information on the cause of termination in system G10 in transaction ST22.
    If the termination type is ABORT_MESSAGE_STATE, you will find more information on the cause of termination on the application server YASHGRCSRV_G10_10 in transaction SM21.
    If the termination type is ERROR_MESSAGE_STATE, you cansearch for further information in the trace file for the work process 1 in transaction ST11 on the application server. YASHGRCSRV_G10_10 . You may also need to analyze the trace files of other work processes.
    If you do not yet have a user ID, contact your system adminmistrator.
    Error Code: ICF-IE-http -c: 100 -u: GRCADMIN -l: E -s: G10 -i: YASHGRCSRV_G10_10 -w: 1 -d: 20111117 -t: 124258 -v: RABAX_STATE -e: ASSERTION_FAILED -X: 00188B01D3231EE1849D72367EF328EF_00188B01D3231EE1849D723252D408EF_1 -x: 91EB10E1F7B3F19FA8EF00188B01D323
    HTTP 500 - Internal Server Error
    Your SAP Internet Communication Framework Team
    Regards,
    Ravi Alluri.

    Hi,
    I was able to create the FF owner and FF controller under GRC Role assignments > Access control owners, and could also see Active queries - central owners as All(2) at the top of the screen.
    After that, when I go to Super user Assignment > Owners, where I tried to assign FF owners to FF IDs, it gives me the error mentioned earlier.
    One thing I noticed on the screen Super user Assignment > Owners, where we assign owners: at the top of the screen, Active queries - central owners shows All(0), which means the data (owners & controllers) created earlier is not reflected here.
    I have already run the incremental job Repository object (role, user, profile) sync.
    Does anyone know the reason?
    Thanks in advance,
    Ravi.

  • Warnings while activating BC SETs in configuring ERM on GRC 10.0

    Hello,
    We are trying to configure GRC 10.0. When I tried to configure ERM and activate the given BC Sets as per the Config Guide, we found that one of the BC Sets, "GRAC_ROLE_MGMT_LANDSCAPE", is throwing a warning. All the other BC Sets were activated successfully.
    Please let me know if anyone has tried the same and is getting the warnings.
    Regards,
    Jagadish

    Dear Rajan,
    Today I tried to activate in Expert mode; it is still throwing a warning!
    Regards,
    Jagadish Bhandaru
