IDM GRC Business Role managment

Similar Messages

• GRC 10 Role Management - Mass Role Derivation

  Hi All - 
  Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10? 
  Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all it's children derived roles; or alternatively if accessing one child role you can copy the auth data from the parent role.  Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role. 
  If this is not possible, it seems to leave a gap in the process of creating derived roles in mass?
  Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps.  This will crate my derived roles and populate the organizational values only in PFCG. You can also update the derived role's org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org values Update' feature. 
  However these features do not propagate the non-org authorizations from the parent roles.  Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles. 
  I've noticed when propagating authorization on a one-by-one basis, GRC creates a background job "Auth Data Propagate".  I'm really just hoping there is a way to do this in mass and I am just missing the obvious.  I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
  Thanks for the help!

  Nick -
  I actually just received a "final" response from SAP OSS support on this one.  Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue.  The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
  "This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
  While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo. 
  The best workaround to this, is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles.  That will give you actually complete & usable roles in a semi-automated fashion.

• Use GRAC_USER_ACCES_WS to provision Business Role

  I have situation where I need to provision several hundred users across 90 business roles. I have been experimenting with FM GRAC_IDM_USR_ACCS_REQ_SERVICES (underlying FM for enterprice service GRAC_USER_ACCES_WS) to automate mass provisioning using GRC access requests. I figured out how to use the FM to provision technical roles to users but cannot get it to work for GRC Business Roles.
  If the service cannot provision business roles, that would imply that an IdM would also not be able to do so. We are currently looking at IdM (non-SAP) solutions. Now I wonder if the value of business roles we are building will be diminished if an IdM is used.
  Is it possible to provision business roles using the service and/or FM? If so, any details on the input values required would be much appreciated.

  Hi Harinam,
  Thanks for the details. I have already raised a OSS message to SAP.
  I have implemented SAP note 1930923 in GRC sandbox system and can see that the mail issue I am reporting was no longer appearing. But I have seen new one this time
  After note implementation: (Change Account Request Type with Business Role Assignment)
  Hi GRC User Demo 1 (Z_GRAC_USER1),
  The Request number : 592 , has been processed and the Request is Closed. The details are as follows:
  XX Business role assigned to Z_GRAC_USER1
  Kind regards,
  Access Control Administrator
  Before and After note implementation: (Change Account Request Type with Business Role removal)
  Hi GRC User Demo 1 (Z_GRAC_USER9),
  The Request number : 593 , has been processed and the Request is Closed. The details are as follows:
  YY Role removed from Z_GRAC_USER9 ( )
  Kind regards,
  Access Control Administrator
  Now the issue during role assignment is resolved, but during role removal mail notification says role has been removed from user and ends with empty brackets ().
  For single roles in this brackets it usually fills the system name. May be for business roles since there will not be any specific system it is coming empty, but I think SAP should fix this.
  Let me know if you are also facing the same
  Since you confirmed that you are using business roles, let me know any critical issues which you came across as part of SP13 as we are also on SP13 and could be helpful.
  Thanks once again for taking your time in replying for my issue.
  Regards,
  Sai.

• Pfcg and business roles

  hi all,
  we have the requirement where we have to create 4 businessroles and out of 4 a manager  rolerequires authrization for all 4and customer rep requires authrization . for 3
  how to achieve that?
  i have crated 4 pfcg id s for 4 roles and assigned it to a business role(manager) which is copied from the standard.
  since manager requires 4 roles i  created 4 manager roles and assigned 4 pfcg ids
  is this the correct approach?
  please help out as i was new to crm 2007
  thanks
  madhuri

  The business role is user for customazion of web ui screens, while authorization roles are used for security reasons. So you need 4 business roles only if you need to maintan 4 different types of screens. If not, use just one.
  On the other hand I guess you need 4 authorization roles because you want to give 4 different types of authorizations to users.
  So, if you need just one type of screen, create one business role and assign it to users simply by using parameter CRM_UI_PROFILE. and authorization role assign via pfcg.
  But if you need 4 b roles and 4 a roles that are always in corelation 1:1 then you can do it also as you wrote.

• Business roles in GRC  AC

  Hello,
  Is it possible in SAP GRC AC to create so-called business roles like in SAP IdM. This roles are not assigned to any backend system but derive backend system roles. The aim is to create set of roles that consist of roles in different backend systems.
  As I understand role mapping can't fully implement this functionality, because main role is assigned to backend system.
  Thanks,
  Yakov
  Edited by: Yakov Silin on Feb 24, 2010 7:00 AM

  Hi Yakhov,
  I was wondering if this is your dilemma.  We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Is this similar to the challenge you ar facing?

• GRC 10 - Business role, no role owner but associated role have owner....

  Dear All,
  In GRC 5.3 we perform the following mapping:
  Business Role A mapped with (no owner)
  - Technical Role 1 (from ECC with Owner1)
  - Technical Role 2 (from CRM with Owner2)
  - Technical Role 3 (from HR with Ownwer3)
  IN GRC 5.3 we have a business role mapped with multiple child role(techinical role) from other system.
  GRC 5.3 request is able to close and provisioned as it can see owners from child role.
  Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
  Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
  Please advice.
  Jacky

  Hi Mustafa,
  you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
  Does this answer your question?
  Regards,
  Alessandro

• 500   Internal Server Error in GRC 5.3 Enterprise Role Management

  Hi All;
  We've installed Sap GRC Access Control 5.2 on Sap Netweaver 7.0.
  We installed SAP NetWeaver 7.0 (2004s)
  SAP Internet Graphics Service (SAP IGS)
  VIRCC00_0.SCA -SP15
  VIRAE00_0.SCA -SP15
  VIRRE00_0.SCA -SP15
  VIRFF00_0.SCA -SP15
  VIRSANH  -SP15
  VIRACCNTNT.SAR-SP15
  Our sp levels are for abap side;
  SAP_ABA     700     0014
  SAP_BASIS     700     0014
  PI_BASIS     2005_1_700     0014
  SAP_BW     700     0016
  VIRSANH     530_700     0015
  When we started to configure the components according to the Configuration Guide,In Enterprise Role Management part,i want to do the Configuring Risk Analysis Integration with RAR but on the CONFIGURATION tab when i navigate to the Miscellaneous,the page gives me the error message :
  "500   Internal Server Error
    SAP J2EE Engine/7.00 
    Application error occurred during request processing.
    Details:   java.lang.NullPointerException: null
  The logs are;
  #1.5 #0050568C003D006800000011000026540004A12E73AF8A7C#1303120788268#com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager#sap.com/irj#com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.addDefaultAlias#J2EE_GUEST#0##n/a##98478fc069a211e0cef50050568c003d#Thread[ConfigurationEventDispatcher,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error##Plain###
  [BEGIN] Exception -
  javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content [Root exception is javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content]
       at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:407)
       at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)
       at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
       at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353)
       at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300)
       at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067)
       at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68)
       at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238)
       at javax.naming.InitialContext.lookup(InitialContext.java:347)
       at com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.addDefaultAlias(SCFSystemManager.java:239)
       at com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.doAliasOperations(SCFSystemManager.java:111)
       at com.sap.ip.collaboration.sync.impl.scf.config.ServiceRegistryConfiguration.refreshCache(ServiceRegistryConfiguration.java:203)
       at com.sap.ip.collaboration.sync.impl.scf.config.ServiceRegistryConfigEventListener.refreshConfigCache(ServiceRegistryConfigEventListener.java:13)
       at com.sap.ip.collaboration.sync.impl.scf.config.AbstractConfigEventListener.configEvent(AbstractConfigEventListener.java:28)
       at com.sapportals.config.event.ConfigEventService.dispatchEvent(ConfigEventService.java:227)
       at com.sapportals.config.event.ConfigEventService.configEvent(ConfigEventService.java:112)
       at com.sapportals.config.event.ConfigEventDispatcher.callConfigListeners(ConfigEventDispatcher.java:308)
       at com.sapportals.config.event.ConfigEventDispatcher.flushEvents(ConfigEventDispatcher.java:251)
       at com.sapportals.config.event.ConfigEventDispatcher.run(ConfigEventDispatcher.java:110)
  Caused by: javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content
       at com.sapportals.portal.pcd.gl.xfs.XfsContext.getChildAtomicName(XfsContext.java:431)
       at com.sapportals.portal.pcd.gl.xfs.XfsContext.lookupAtomicName(XfsContext.java:235)
       at com.sapportals.portal.pcd.gl.xfs.BasicContext.lookup(BasicContext.java:919)
       at com.sapportals.portal.pcd.gl.PcdPersContext.lookup(PcdPersContext.java:387)
       at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:403)
       ... 18 more
  [END] Exception -
  Exception id: [0050568C003D007500000039000026540004A12E88C68DAE]"
  #1.5 #0050568C003D006D000000A7000026540004A12E79B6901C#1303120889408#System.err#sap.com/tc~kw_tc#System.err#J2EE_GUEST#0##n/a##9ea951f069a211e0c6f00050568c003d#SAPEngine_Application_Thread[impl:3]_39##0#0#Error##Plain###Apr 18, 2011 1:01:29 PM      com.sap.kw.framework.FrontController [SAPEngine_Application_Thread[impl:3]_39] Info: FrontController: app init failed ...
  #1.5 #0050568C003D006D000000A8000026540004A12E79B6925E#1303120889408#System.err#sap.com/tckw_tc#System.err#J2EE_GUEST#0##n/a##9ea951f069a211e0c6f00050568c003d#SAPEngine_Application_Thread[impl:3]_39##0#0#Error##Plain###Apr 18, 2011 1:01:29 PM      com.sap.kw.framework.FrontController [SAPEngine_Application_Thread[impl:3]_39] Path: Caught java.lang.NullPointerException: FATAL ERROR: Could not load E:
  usr
  sap
  MGD
  DVEBMGS00
  j2ee
  cluster
  server0
  apps
  sap.com
  tckw_tc
  servlet_jsp
  SAPIKS2
  root
  WEB-INF
  ApplConfig.xml
       at com.sap.kw.framework.XMLConfiguration.<init>(XMLConfiguration.java:53)
       at com.sap.kw.actions.ApplConfig.init(ApplConfig.java:83)
       at com.sap.kw.framework.FrontController.init(FrontController.java:222)
       at com.sap.engine.services.servlets_jsp.server.runtime.context.WebComponents.addServlet(WebComponents.java:139)
       at com.sap.engine.services.servlets_jsp.server.container.ApplicationThreadInitializer.loadServlets(ApplicationThreadInitializer.java:386)
       at com.sap.engine.services.servlets_jsp.server.container.ApplicationThreadInitializer.run(ApplicationThreadInitializer.java:110)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  #1.5 #0050568C003D007200000021000026540004A12E7AD53183#1303120908190#com.sap.slm.exec.message.SLMApplication#sap.com/tcslmslmapp#com.sap.slm.exec.message.SLMApplication#J2EE_GUEST#0##n/a##a061141069a211e0890c0050568c003d#SAPEngine_Application_Thread[impl:3]_32##0#0#Error##Java###"CfgObjectLoadVisitor" cannot load com.sap.slm.util.config.objects.CfgSDTServer from SLM configuration. Cannot read configuration in path ''SLM''##
  #1.5 #0050568C003D001B00000002000026540004A12E7B3058F9#1303120914164#com.sap.sl.ut##com.sap.sl.ut####n/a##e362b43069a211e0c20e0050568c003d#SAPEngine_System_Thread[impl:5]_29##0#0#Info#1#/System/Server#Plain### Location :<com.sap.sl.ut> is initialized!#
  #1.5 #0050568C003D001B00000004000026540004A12E7B3059B1#1303120914164#com.sap.sl.ut##com.sap.sl.ut####n/a##e362b43069a211e0c20e0050568c003d#SAPEngine_System_Thread[impl:5]_29##0#0#Info#1#/System/Server#Plain### Cotegory :</System/Server> is initialized and bound to Location: <com.sap.sl.ut>#
  #1.5 #0050568C003D001B00000006000026540004A12E7B3076F4#1303120914172#com.sap.sl.ut##com.sap.sl.ut####n/a##e362b43069a211e0c20e0050568c003d#SAPEngine_System_Thread[impl:5]_29##0#0#Info#1#/System/Server#Plain###Establishing db connection...#
  #1.5 #0050568C003D002400000297000026540004A12E7CC1E87F#1303120940477#com.sap.portal.prt.sapj2ee.error##com.sap.portal.prt.sapj2ee.error####n/a##39c1422069a211e08b030050568c003d#SAPEngine_System_Thread[impl:5]_86##0#0#Error#1#/System/Server#Java###Exception while starting: sap.com/ccxsysbgear
  [EXCEPTION]
  #1#com.sap.engine.services.deploy.container.DeploymentException: <Localization failed: ResourceBundle='com.sap.engine.services.deploy.DeployResourceBundle', ID='Exception while starting: SAPJ2EE::sap.com/grc~ccxsysejbear', Arguments: []> : Can't find resource for bundle java.util.PropertyResourceBundle, key Exception while starting: SAPJ2EE::sap.com/grc~ccxsysejbear
       at com.sap.portal.prt.sapj2ee.SAPJ2EEPortalRuntime.getAndStartSAPJ2EEApplicationItem(SAPJ2EEPortalRuntime.java:876)
       at com.sap.portal.prt.sapj2ee.PortalRuntimeContainer.prepareStart(PortalRuntimeContainer.java:511)
       at com.sap.engine.services.deploy.server.DeployServiceImpl.startApplicationLocalAndWait(DeployServiceImpl.java:4361)
       at com.sap.engine.services.deploy.server.ReferenceResolver.processReferenceToApplication(ReferenceResolver.java:589)
       at com.sap.engine.services.deploy.server.ReferenceResolver.processMakeReference(ReferenceResolver.java:399)
       at com.sap.engine.services.deploy.server.ReferenceResolver.beforeStartingApplication(ReferenceResolver.java:328)
       at com.sap.engine.services.deploy.server.application.StartTransaction.beginCommon(StartTransaction.java:162)
       at com.sap.engine.services.deploy.server.application.StartTransaction.beginLocal(StartTransaction.java:141)
       at com.sap.engine.services.deploy.server.application.ApplicationTransaction.makeAllPhasesLocal(ApplicationTransaction.java:356)
       at com.sap.engine.services.deploy.server.application.ParallelAdapter.runInTheSameThread(ParallelAdapter.java:132)
       at com.sap.engine.services.deploy.server.application.ParallelAdapter.makeAllPhasesLocalAndWait(ParallelAdapter.java:250)
       at com.sap.engine.services.deploy.server.DeployServiceImpl.startApplicationLocalAndWait(DeployServiceImpl.java:4450)
       at com.sap.engine.services.deploy.server.DeployServiceImpl.startApplicationsInitially(DeployServiceImpl.java:2610)
       at com.sap.engine.services.deploy.server.DeployServiceImpl.clusterElementReady(DeployServiceImpl.java:2464)
       at com.sap.engine.services.deploy.server.ClusterServicesAdapter.containerStarted(ClusterServicesAdapter.java:42)
       at com.sap.engine.core.service630.container.ContainerEventListenerWrapper.processEvent(ContainerEventListenerWrapper.java:144)
       at com.sap.engine.core.service630.container.AdminContainerEventListenerWrapper.processEvent(AdminContainerEventListenerWrapper.java:19)
       at com.sap.engine.core.service630.container.ContainerEventListenerWrapper.run(ContainerEventListenerWrapper.java:102)
       at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
       at com.sap.engine.core.thread.impl5.SingleThread.execute(SingleThread.java:81)
       at com.sap.engine.core.thread.impl5.SingleThread.run(SingleThread.java:152)
  Caused by: com.sapportals.portal.prt.runtime.PortalRuntimeException: [ExternalApplicationItem.prepare]: SAPJ2EE::sap.com/grc~ccxsysejbear
       at com.sapportals.portal.prt.core.broker.ExternalApplicationItem.prepare(ExternalApplicationItem.java:188)
       at com.sapportals.portal.prt.core.broker.SAPJ2EEApplicationItem.prepare(SAPJ2EEApplicationItem.java:232)
       at com.sapportals.portal.prt.core.broker.SAPJ2EEApplicationItem.start(SAPJ2EEApplicationItem.java:192)
       at com.sapportals.portal.prt.service.sapj2ee.Mediator.getAndStartExternalApplication(Mediator.java:132)
       at com.sap.portal.prt.sapj2ee.StartPortalApplication.coreRun(StartPortalApplication.java:59)
       at com.sap.portal.prt.sapj2ee.StartPortalApplication.run(StartPortalApplication.java:36)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Caused by: com.sapportals.portal.prt.core.broker.PortalApplicationNotFoundException: Could not find portal application ccxsysbgear
       at com.sapportals.portal.prt.core.broker.PortalApplicationItem.prepare(PortalApplicationItem.java:415)
       at com.sapportals.portal.prt.core.broker.ExternalApplicationItem.prepare(ExternalApplicationItem.java:180)
       ... 9 more
  #1.5 #0050568C003D00750000003B000026540004A12E88C693CF#1303121142088#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#sap.com/grc~reear#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#J2EE_ADMIN#117##YDSAPGRC_MGD_2172750#J2EE_ADMIN#4bfa377069a311e0b9230050568c003d#SAPEngine_Application_Thread[impl:3]_1##0#0#Error#1#/System/Server/WebRequests#Plain###application [RE] Processing HTTP request to servlet [REController] finished with error.
  The error is: java.lang.NullPointerException: null
  Exception id: [0050568C003D007500000039000026540004A12E88C68DAE]#
  waiting for your responses as soon as possible because the system has to be up and running till wednesday.
  Tahnx in advance

  Hi Bilge,
  did you put your text in a blender before sending it?
  I understood everything works fine except the miscellaneous menu item in the configuration tab of ERM?
  Have you already tried to clear all browser cache, close all browsers and try it again?
  Best,
  Frank

• Copied Business Role in Solution Manager ITSM

  Hi All
  This is eunhwa.
  I have a question regarindg copied business role in Solution Manager ITSM.
  To copy business role, I copied technical roles Navigation profile, configuration key and PFCT Role ID. And then I copied
  a business Role. And assign copied technical roles to copied business role.
  And I changed Direct link group UI. For example, in copied business role ZSOLMANPRO, There were many
  direct links, I only left ‘incident’ and ‘problem.
  However when I selected incident’ in direct link, there was no transaction ‘zmin’ assign. I couldn’t create a incident.
  Why this error happened? Is there anything which I miss?
  Thanks.
  Best Regards,
  Eunhwa Park

  Hi,
  Well, there are multiple things you can check.
  1. If you are using IE
  You have to add the page/pop-up to the compatibility mode of your Browser.
  IE -> EXTRAS -> Settings for Compatibility Mode -> Add -> Refresh the CRM WEB UI
  2. Check if you had assign SM-CREATE in the ZSOLMANPRO Navigation profile. (In Assigning the direct link groups to Nav. Bar profile.
  3. Check whether you had authorizations for ZMIN in PFCG profile.
  4. Additionally check
  1905448 - How to restrict the suggested transaction codes when creating an ITSM
  Incident using CRM Web UI - Solution Manager
  5. In define transaction types corresponding transaction types are active. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
  6. Check the copy control whether they are fine. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
  7. Ensure that the transaction type's channel definition in customizing is set to 'CRM Web-Client UI'
  If your issue is still not resolved yet, please paste the error/screen you are getting.
  Regards
  Rishav

• SAP Technical roles and IDM Business roles mapping

  Hi Guys
  Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privledges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
  Cheers
  Leo

  Thanks Matt,
  I think get I the picture now
  One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
  Here is what Ive done so far
  1. HCM data loaded into productive identity store via vds
  2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
  3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
  4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
  But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
  Thanks again for all your help!
  Leo

• GRC AC 10.0  Risk Analysis -Risk Terminator Vs BRM-Role Management

  Hi All,
  After having seen the configuration for Risk Analysis- Risk Terminator and Role Management , I observed that there is very little difference  for eg parameters 1085 and 3011 ,3014 .  If we configure all three parameters to TRUE which one would take effect ?Can anyone let us know under what circumstances we must configure RT and Role Management . BRM to has a whole lot of new features which supercede RT. 
  Best Regards,
  Vishal

  Hi Vishal,
  The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
  3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
  They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
  You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
  There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
  The parameter descriptions in question are:  
  1085 - Stop Role Generation if violations exist
  3011 - Conduct Risk Analysis before Role Generation
  3014 - Allow role generation with Permission Level violations
  Regards, Simon

• GRC 10.1 Business role and HR Trigger

  Hello, masters and GURUs.
  I have recently deployed HR trigger in our system, and it works fine -  creating requests for lock or unlock users.
  But i am wondering if it is possible to create access request not only for the systems, but also for business roles using standard functionality.
  For example:
  We'v department where people must have the same authorization to do their job.
  When they hire a new employee, HR triggers this event(only for this department) and creates access request with pre-defined business roles.
  I hope, i explained good enough my idea.
  I will be very thankful for any thoughts or ideas.
  With best regards, Ivan.

  Hi Ivan,
  There is a functionality of default roles, that you could use to add roles to your request by implementing this logic in your BRF rule for HR triggers.
  The bad news is that assignment for the default roles based upon Department is not supported.
  There are only a certain fields which are supported for the Default Roles assignment, below:
  Business Process, Business Subprocess, Company, Role Critical Level, Functional Area, Landscape, Location, Project Release, Role sensitivity, and System.
  Lets suppose you can use Functional Area instead of Department. You will need to maintain Default Roles settings in SPRO, at REQUEST level, (parameters 1302, 2009, 2010, 2011, 2012, 2013).
  In NWBC>Access Management>..>Default Roles, make sure that the entry maintained there (for attribute Functional Area) has SYSTEM set to "All Systems" or "All system in the role Landscape".
  This should work.
  Note 1964884 has a correction for this functionality, so if you go for it, make sure to have this Note applied.
  Now, if any of the fields available for Default Roles will be good for your scenario, then it will not be possible to use Role Defaults, thus I am not aware of any customization on this area.
  Hope this helps!
  Luciana.

• IDM & GRC (including Firefighter ) role in SAP Security

  Please provide me information reg IDM,GRC & FIREFIGHTER in SAP

  That is quite a difficult task, given the eloquent description in your question
  I suggest you have a look at the GRC area here in BPX, and browse through the GRC and Identity Management forums.
  The solution web pages (like http://www.sap.com/solutions/grc/index.epx) should also provide you with a lot of information.
  Feel free to come back here if you have detailed questions.

• GRC 10 BRM - Approve Single Role assignment in Business Roles

  Hello,
  I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
  The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
  Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
  Do you know any way to configure this?
  Thanks,
  Fernando

  Hi Claudio - thanks for breaking it down
  @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
  By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
  As mentioned - you are using two different workflow process ids
  Role Build - using BRM to approve the single roles being part of the business role
  Access Assignment - approving the user to receive the business role which includes the single roles
  Regards
  Colleen

• GRC AC 5.3 - Role Expert / Enterprise Role Management Dev Environ Connect

  We are looking to start using Role Expert/Enterprise Role Management.  As I am working through the planning process, I am looking at where to connect our ERM DEV/QA/PROD environments.  We want the ERM Production environment to our R/3 Development environment, so we can transport the roles from R/3 DEV to Q/A to PROD.  So, if our production ERM system is connected to the R/3 DEV, where do I connect the ERM DEV and QA environments?  I still think it's important to have those environments, so we can test support pack upgrades as well as use for the initial deployment/connections.  Any suggestions?  How have others done this?

  Found Answer - SAP provided Access Control Landscape Diagram on SAP.com.

• IDM / GRC 10 - Post approval issue

  We are using IdM 7.2 sp8 and GRC 10 and have a full workflow created as follows:
  NOTE: Risk Validation and GRC System Auto-Approval Step are currently both disabled
  Manager -> Role Owner -> GRC Risk Analysis -> Approval -> Provision  Seems quite simple. right?  :-)  Getting every detail correct to make sure this works seemlessly is the issue I seem to be running into.
  My issue is that I am trying to assign an IdM Business role that contains privileges from two different ABAP systems (very standard).  After everything gets to approved, submitted to GRC and comes back to IdM, polling starts and the result is read back in and the check status task runs its "Approve" tasks.  It looks like the provision job is trying to provision the requested roles into the GRC10 repository instead of the ABAP systems the privileges should be provisioned in and I get the following in the log:
  This is found in the provisioning framework
  Naturally the privileges have a default repository but the Business Role does not.
  The GRC10 Repository only has the workflow (full not just AC Validation stage) in the Validate add task, no assignment tasks
  Each ABAP system only has the three normal provisioning tasks assigned, 601, 1345 and 751
  The error I get when its all said and done is "uSkip Called to skip entry"
  There is some small detail I'm missing.
  Your thoughts?

  We are using IdM 7.2 sp8 and GRC 10 and have a full workflow created as follows:
  NOTE: Risk Validation and GRC System Auto-Approval Step are currently both disabled
  Manager -> Role Owner -> GRC Risk Analysis -> Approval -> Provision  Seems quite simple. right?  :-)  Getting every detail correct to make sure this works seemlessly is the issue I seem to be running into.
  My issue is that I am trying to assign an IdM Business role that contains privileges from two different ABAP systems (very standard).  After everything gets to approved, submitted to GRC and comes back to IdM, polling starts and the result is read back in and the check status task runs its "Approve" tasks.  It looks like the provision job is trying to provision the requested roles into the GRC10 repository instead of the ABAP systems the privileges should be provisioned in and I get the following in the log:
  This is found in the provisioning framework
  Naturally the privileges have a default repository but the Business Role does not.
  The GRC10 Repository only has the workflow (full not just AC Validation stage) in the Validate add task, no assignment tasks
  Each ABAP system only has the three normal provisioning tasks assigned, 601, 1345 and 751
  The error I get when its all said and done is "uSkip Called to skip entry"
  There is some small detail I'm missing.
  Your thoughts?