Migrating from Approva to SAP GRC AC 5.3

Hello All,
One of our clients is using Approva applications and now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide me on how I should proceed.
Key doubts –
1-How do we upload rules in RAR, because we downloaded the rules from Approva.
2-Creation of mitigation controls etc.
It would be great if someone could share some documents related to the above.
Thanks,
Jagat

Hi Jagat,
Once your GRC system is configured, you have to follow these steps:
1. Create system connector
2. Define Master User Source
3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
4. Now, as Frank has suggested, you have to convert the downloaded Approva files to .txt files. There are 9 .txt files you have to create:
1. Business Process
BusinessProcessId (CHAR 4)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)
*fields are TAB separated
2. Function
FUNCTION ID (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S:Single System, C: Cross System))
3. Function-Business Process
FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
4. Function-Action
FUNCTION ID (CHAR 8)    TRANSACTION(CHAR 20)     STATUS (NUMC 1 (0 or 1))
5. Function-Permission
FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT(CHAR 10)     FIELD(CHAR 10)     FROM VALUE(CHAR 40)     TO VALUE(CHAR 40)     SEARCH TYPE(CHAR3 (AND,OR,NOT))       STATUS (NUMC 1 (0 or 1))       
6. Rule Set
RuleSetId (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION (CHAR 132)
7. Risk ID
RISKID (CHAR 4)     FUNCTION_1_ID  (CHAR 8)     FUNCTION_2_ID  (CHAR 8)     FUNCTION_3_ID  (CHAR 8)     FUNCTION_4_ID  (CHAR 8)     FUNCTION_5_ID  (CHAR 8)     BusinessProcessId (CHAR 4)     PRIORITYDESCRIPTION (NUMC 1 (0=Medium 1=High 2=Low 3=Critical))     STATUS (NUMC 1 (0 or 1))     RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
8. Risk Description
RISKID (CHAR 4)       LANGUAGE  (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
9. RISK_RULESET
RISKID (CHAR 4)       RuleSetId (CHAR 8)
For more information on templates follow the configuration guide.
Upload these files and generate the rules.
Hope with this you will be able to continue.
Thanks & Regards,
Jitan
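
A pre-upload check for the nine files listed in the answer above, as an added example that is not part of the original post or of SAP's tooling. It checks field counts, CHAR/NUMC widths and enumerated values, then cross-checks that every ID used is defined. The file keys (`business_process`, `function_bp`, ...), the no-header-row convention, the rule that referenced IDs must be defined (empty FUNCTION_n_ID slots are skipped) and all sample rows are assumptions constructed for illustration.

```python
# Added example: pre-upload check for the nine TAB-separated RAR rule files. Widths and
# value sets come from the post above; dictionary keys and "no header row" are assumptions.
def col(name, width, allowed=None):
    return (name, width, allowed)

STATUS = col("STATUS", 1, {"0", "1"})
FUNC, BPROC, LANG = col("FUNCTION ID", 8), col("BusinessProcessId", 4), col("LANGUAGE", 2)
RISK, RULESET = col("RISKID", 4), col("RuleSetId", 8)
LAYOUTS = {
    "business_process": [BPROC, LANG, col("DESCRIPTION", 120)],
    "function": [FUNC, LANG, col("DESCRIPTION", 120), col("FUNCTION SCOPE", 1, {"S", "C"})],
    "function_bp": [FUNC, BPROC],
    "function_action": [FUNC, col("TRANSACTION", 20), STATUS],
    "function_permission": [FUNC, col("T-CODE", 20), col("OBJECT", 10), col("FIELD", 10),
                            col("FROM VALUE", 40), col("TO VALUE", 40),
                            col("SEARCH TYPE", 3, {"AND", "OR", "NOT"}), STATUS],
    "rule_set": [RULESET, LANG, col("DESCRIPTION", 132)],
    "risk": [RISK, *(col(f"FUNCTION_{i}_ID", 8) for i in range(1, 6)), BPROC,
             col("PRIORITY", 1, set("0123")), STATUS, col("RISKTYPE", 1, set("123"))],
    "risk_description": [RISK, LANG, col("RISKDESCRIPTION", 132),
                         col("DETAILDESCRIPTION", 1000), col("CONTROLOBJECTIVE", 1000)],
    "risk_ruleset": [RISK, RULESET],
}
# (file, column, defining file). Assumption: a used ID must be in column 0 of that file.
REFERENCES = [("function_bp", 0, "function"), ("function_bp", 1, "business_process"),
              ("function_action", 0, "function"), ("function_permission", 0, "function"),
              ("risk", 6, "business_process"), ("risk_description", 0, "risk"),
              ("risk_ruleset", 0, "risk"), ("risk_ruleset", 1, "rule_set"),
              *(("risk", i, "function") for i in range(1, 6))]

def rows(text):
    """Return (line number, cells) for every non-empty line of one file."""
    return [(n, line.split("\t")) for n, line in enumerate(text.splitlines(), 1) if line]

def validate_file(kind, text):
    """Check field count, CHAR/NUMC width and enumerated values for one file."""
    layout, problems = LAYOUTS[kind], []
    for n, cells in rows(text):
        if len(cells) != len(layout):
            problems.append((kind, n, f"expected {len(layout)} fields, got {len(cells)}"))
            continue
        for (name, width, allowed), value in zip(layout, cells):
            if len(value) > width:
                problems.append((kind, n, f"{name} longer than {width} characters"))
            elif allowed is not None and value not in allowed:
                problems.append((kind, n, f"{name} value {value!r} not in {sorted(allowed)}"))
    return problems

def validate_all(files):
    """Per-file checks plus IDs that are used but never defined (empty slots skipped)."""
    problems = [p for kind, text in files.items() for p in validate_file(kind, text)]
    for kind, index, master in REFERENCES:
        known = {cells[0] for _, cells in rows(files.get(master, ""))}
        for n, cells in rows(files.get(kind, "")):
            if len(cells) > index and cells[index] and cells[index] not in known:
                name = LAYOUTS[kind][index][0]
                problems.append((kind, n, f"{name} {cells[index]!r} not defined in {master}"))
    return problems

# Constructed sample content; the last function_action row is deliberately wrong.
SAMPLE = {
    "business_process": "PR00\tEN\tProcure to Pay\n", "function_bp": "PR01\tPR00\nPR02\tPR00\n",
    "function": "PR01\tEN\tVendor Master Maintenance\tS\nPR02\tEN\tProcess Vendor Invoices\tS\n",
    "function_action": "PR01\tXK01\t1\nPR02\tFB60\t1\nPR03\tME21N\t2\n",
    "rule_set": "GLOBAL\tEN\tGlobal rule set\n", "risk_ruleset": "P001\tGLOBAL\n",
    "risk": "P001\tPR01\tPR02\t\t\t\tPR00\t1\t1\t1\n",
}

if __name__ == "__main__":
    print(*validate_all(SAMPLE), sep="\n")
```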

Similar Messages

  • Rule conversion from Approva to SAP GRC AC RAR 5.3

    Hello All,
    We have rule files of Approva in XML format; please let me know if there is any shortcut method or process to change them into SAP GRC rule files.
    Please help me on this.....
    Thanks in advance
    Jagat

    Jagat,
    the import file structure is documented in the appendix of the configuration guide.
    Now all you need is a PERL or XML style sheet wizard to make one into another (or the ability to generate a flat file download you can work with in Excel).
    Frank.

  • SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"

    Hi,
    When configuring a stage, a standard approver determinator called "Super Access Owner" could be selected. My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
    "If you select Superuser Access Owner as the approver determinator, the system
    fetches the configured owner from the SAP system where the Superuser Privilege
    Management is installed and assigns the request to that particular approver." 
    I do not really understand where to specify it. Is it the former FireFighter in the backend?
    Did anybody use this Approver Determinator already?
    Thank you in advance.
    Marco

    Hi Marco,
    Yes, this approver is defined in the backend Firefighter, which is now Super User Privilege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for integration of Compliant User Provisioning and Super User Privilege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
    In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
    Hope this helps.
    Harleen

  • Nota fiscal send from R/3 to SAP GRC NFE

    Hello Everyone,
    We have sent NFe from SAP R/3 to SAP GRC NFe through RFC. We cannot trace it in GRC.
    What could be the possible error?
    Please help.
    Honey

    Hi Honey,
    If the configuration is correct on R/3 you can see the received data in tables /xnfe/nfehd (header), /xnfe/nfeit (item) and /xnfe/nfe_hist (history).
    A good approach to check which system is being called is to put a break-point before R/3 calls GRC, at the end of function J_1B_NF_MAP_TO_XML or include LJ_1B_NFEF42.
    You can easily start debugging on R/3 and follow inside GRC automatically when debugging, but the RFC user needs to be DIALOG and have debug rights. It's not possible to do it with a service user.
    Check if the correct FM, /xnfe/nfe_create, is being called; for other messaging systems the FM is J_1B_NFE_XML_OUT (if the customization is wrong you can check this error in ST22 on GRC).
    Kind regards, Fernando Da Ros

  • SAP GRC 10.1 AMF No data selected when adding duplicate fields from separate tables for configurable data sources

    Hi There,
    In SAP GRC 10.0, our team had an issue where we could not add duplicate fields from separate table (see ERROR: Select Currency/UoM field for the selected analyzed fields). This was resolved by the SAP Note 1904313/ 1904314 (http://service.sap.com/sap/support/notes/1904313).
    We upgraded our system to SAP GRC 10.1 SP05 and could now add the duplicate fields from separate tables. SAP Note 1904313/ 1904314 was part of SAP GRC 10.1 SP03 so it makes sense that we, in a higher version (SP05), would be able to do this.
    The issue now is when we add the duplicate fields from different tables and run the Ad-hoc Query to test if the data source works correctly, the No Data Selected warning persists. This means that the data source provides no data for analysis, which is required to write our business rules.
    Below is an example:
    Basic data source with just one currency reference field EBAN-WAERS.
    When you run the Ad-Hoc Query you receive data.
    Basic data source with second currency reference field EKKO-WAERS.
    When you run the Ad-Hoc Query no data is found.
    Please also make reference to the following thread logged by my colleague (ERROR: Select Currency/UoM field for the selected analyzed fields)
    Any assistance to receive data with duplicate fields from separate tables will be highly appreciated.
    Thanking you in advance.
    Regards
    Gary Khan

    Hi
    Following are the error messages from the dump:
    ShrtText
       There is already a line with the same key.
    What happened?
       Error in ABAP application program.
       The current ABAP program "SAPLCKMS" had to be terminated because one of the
       statements could not be executed.
       This is probably due to an error in the ABAP program.
    Error analysis
       You wanted to add an entry to table "\FUNCTION-POOL=CKMS\DATA=T_DYN_CKMLCR",
        which you declared
       with a UNIQUE KEY. However, there was already an entry with the
       same key.
       This may have been in an INSERT or MOVE statement, or within a
       SELECT ... INTO statement.
       In particular, you cannot insert more than one initial line into a
       table with a unique key using the INSERT INITIAL LINE... statement.
    Trigger Location of Runtime Error
       Program                                 SAPLCKMS
       Include                                 LCKMSF01
       Row                                     226
       Module type                             (FORM)
       Module Name                             DYNAMIC_PERIOD_CLOSING
    Source code where dump occurred
    222
    223           APPEND ht_ckmlpp TO t_add_ckmlpp.
    224           APPEND LINES OF ht_ckmlcr TO t_add_ckmlcr.
    225           INSERT ht_ckmlpp INTO TABLE t_dyn_ckmlpp.
    >>>>           INSERT LINES OF ht_ckmlcr INTO TABLE t_dyn_ckmlcr.
    227         ENDWHILE.
    Also I guess there is a problem with the material ledger on the R/3 side.
    I have never worked on material ledger before so I don't have any idea of the Tcodes and tables in SAP R/3 for material ledger.
    Thanks
    Navneet

  • Reset password, block or unblock user in a R/3 from the SAP GRC AC 5.3

    Hello,
    I have 2 doubts.
    I want to know if a user can reset his R/3 password from SAP GRC AC 5.3 automatically.
    And can someone block or unblock a user using GRC AC 5.3 automatically too?
    I know you can create a user automatically from GRC, but can I do those 2 things?
    Best Regards.
    Pablo Mortera.

    Hello,
    What I don't get is why I need the HR module (HR Trigger) for lock, unlock and password self service of a user ID. The HR module uses employees attached to a user ID if it has one.
    Why do I need the HR module to configure the automatic request access?
    Best regards.
    Pablo Mortera.

  • SPM in CUP in a SAP GRC AC 5.3 -- "Approver not found" & "Path not found"

    Hello,
    I have a problem when I try to do a request.
    I have configured the SPM in the CUP in SAP GRC AC 5.3.
    It gives me the error "Error creating request. Approver not found". When I took out the Manager in the Stage it gave me this error in the request: "Error creating request. Path not found".
    Best regards.
    Pablo Mortera.

    You can either type in the configuration, like what option you selected for approver (CAD or role or... etc.), or the other way is to capture the change log, which shows what the configuration was for that stage....
    (Configuration -> Change Log -> Search Change Log)
    Cheers !!
    Zaheer

  • Can approval workflow in GRC be avoided

    Hi All
    I have the following query.
    Following are the steps:
    1) I am using Oracle's Identity Management.
    2) User data I am fetching from OIM
    3) I am using SAP GRC 5.3 (CUP)
    4) I am using the SAPGRC_AC_IDM_SUBMITREQUEST web service for the request type (e.g.) New ACCOUNT
    5) A request ID is generated
    6) Now can I provision the user into the SAP backend system without the approval process?
    7) If yes, then let us know how it is done
    In short, can we bypass the approval workflow in GRC (as approval has to be done at Oracle's Identity Management) and directly provision the user into the SAP backend system?
    Thanks
    Jagan

    That's an easy one:
    - go to the stage configuration of your provisioning workflow
    - choose "No Stage" as the approver determinator
    Done.
    Frank.

  • Benefits of implementing SAP GRC AC in Lifescience/Pharma.

    Dear All,
    Would be great if anyone could please share the benefits of implementing SAP GRC Access Controls in Lifescience/Pharma industry, more specifically which all regulations and laws it takes care of.
    Regards,
    Hersh.
    Edited by: HERSH GUPTA on Dec 18, 2008 6:04 PM

    Hersh,
    Look for some of the Success stories out there. That should help you. Below is one of it.
    http://www.securintegration.com/fileadmin/redakteur/binary/Success_Story_KRKA_SI.pdf
    I too work at a Pharma client and having AC in place really helps. CC will help the internal SOX and audit team to verify that there are no SOD's. RE can streamline the role change approval process, which will be of great help when you see it from an auditor's perspective. (You will always have the right approvals for the role changes a developer makes.) And AE will help you reduce the paperwork, and the biggest advantage is the right approvals. Before using AE we used to have paper-based access requests and we used to get a lot of audit issues because of people approving roles that don't fall under their own space (which will be taken very seriously if it is a Pharma company). FF advantages remain the same across the industries.
    Hope this helps,
    Naveen

  • What tool do you use to route/approve/track SAP security requests?

    We're currently using Remedy Action Request System software from BMC to route/approve/track SAP security requests, and we were just wondering what other companies are using?
    Thanks,
    Brad

    Hi,
    SAP Solutions for Governance, Risk, and Compliance: Access and Authorization Controls
    http://www.sap.com/solutions/grc/accessandauthorization/index.epx
    I hope this would help you.
    Cheers
    Soma

  • Integrate external identity management solution in SAP GRC Access Control

    We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white papers mention that extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have info about these services and documentation? Any hint is appreciated.
    thanks
    Detlef

    Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
    What do the published webservices do? Is there any documentation about them?
    In a part of our process, we must manually pick the current roles (1), the pending roles (2) (roles that were approved but not given due to training prerequisites) and the requested new roles (3) and make the simulation in the VCC.
    The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and (3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
    Another thing that we want to do is to create a job where it would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
    IMHO as a former programmer, these are classic cases where I would like to consume some webservices for these tasks to avoid a lot of ctrl-c ctrl-v from the operators (inefficient and error prone).
    Does VCC have any documentation that would help me to find how I would do these integrations?
    Thanks in advance

  • A/P Invoice created from Approved Drafts, through DIAPI

    Please I need help with this error.
    I need to create an A/P Invoice from approved drafts with DIAPI.
    There are no errors if the "A/P Invoice" is a copy of a "Purchase Order" or without a base document. In this case the Invoice is created without problems.
    But if the invoice is a copy of a "Goods Receipt PO", it is not created and DIAPI retrieves an error:
    "Field cannot be updated (ODBC -1029)"
    Is it a bug in the SDK?
    Thanks a lot.
    Please help.

    Hello Norman,
    This sounds really like a bug which you should report to SAP Support... - sorry!
    ...but let me (and others) give you some advice how to be more sure in such conclusions:
    In such cases you should check:
    a) Does it work in the B1 GUI application?
    If yes, it's a bug (or limitation?) which you should raise to SAP Support.
    ...and of course it works...
    b) If you are not sure about a) - or if there are problems too, but you still think it should work... you should check the DB documentation.
    In your case the information is more-or-less obvious (could surely be easier to find...) available as the "Constraints" for the field PCH1.BaseType...
    The DB documentation says that Purchase Orders + Goods Receipts POs (GRPO) as base types - and thus your problem is certainly a bug (but Support will do the final judgement).
    But you should make sure that the GRPO is OK - i.e. the lines you need are not closed etc., but I assume you checked all that a couple of times already.
    Regards,
    Frank

  • SAP GRC 10.0 on ECC

    Hi Guys,
    We are planning on implementing SAP GRC 10.0. Our Basis guy has suggested that we can use the ECC (EHP 6) box for installing the add-on (GRCFND_A) component for it. The reason for this is to avoid adding another system to the landscape and to reduce the cost of implementation.
    Are there any known issues using this approach?
    Thanks in advance,
    Silver

    Hi
    the GRC project is totally IT driven.
    I get why you are having to drive this - especially when you have to respond to audit requirements and your focus is on support processes.
    However, GRC is all about business risk management - Governance, Risk and Compliance (well, internal controls). The GRC System is just the tool to manage this. Without business buy-in how is this going to be successful? Who will review business process to determine what a risk is? Who in a senior leadership position will determine what risks are acceptable? Who will determine appropriate controls, report on them, and more importantly enforce them? Who in a leadership position will champion the project and support why a user must work a certain way (including access removed from them)?
    I get that you are focussing on a POC and trying to minimise cost but what happens post POC? I've given recommendations where I've said don't put in GRC until you sort your process and culture. I've done this as much as the inner techy in me knows I won't get to play with a new toy because without all the business buy-in you will have a system built and deployed that gives you a false sense of security when it comes to managing access controls.
    Another way to look at the SP issues - what happens if it's on ECC and the functional team (aka the business representatives) demand an SP increase for their functionality? They proceed to increase SP and now your functionality stops working.. which then impacts the business as you can't process their access requests and give them timely access to the system (assume this is your business case). Are your basis team going to tell the business that they can't have the SP stack increase because IT needs the system on a certain level and they need to wait until next time it's compatible?
    Good luck with your POC. I understand it will allow you to use the tool and check what will work for the business. If you are still undecided on system landscape post POC, take care in having that decision made for you. As you go down the POC path and time runs out the project may move from POC to design/build and now that it's working there will be reluctance to move it to a separate system.
    Regards
    Colleen

  • SAP IDM 7.0 connecting to SAP GRC 10.1

    Hi Gurus,
    I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
    Could any of you provide some guidance on how to make this connection?
    Thanks and Regards,
    Juan

    If I remember correctly the 7.0 version had only mx_provision, mx_deprovision and mx_modify tasks, so the integration would have to be built on these tasks. As there is no validate add task to hang the GRC call on, GRC would have to do provisioning.
    The 7.0 datamodel is different from 7.2. I haven't studied it in detail but would guess there is enough difference also in the tables that store tasks/jobs etc. that the 7.2 GRC provisioning framework would not even import to 7.0. You would need to set up a 7.2 on the side to study the framework to see how to duplicate the tasks.
    VDS in the middle is another thing as it would need to be able to communicate with your custom connector in 7.0.
    If you must stick with 7.0 maybe the GRC connector of 7.1 is worth a try.. But you would probably need also older VDS.
    Depending on the level of your existing customisations and what data from 7.0 is worth keeping the upgrade to 7.2 is not necessarily big thing compared to the effort of building the interim custom interface.. The real question is how big and complex is your 7.0 implementation?
    regards, Tero

  • Mitigation in SAP GRC AC

    Hi all,
    Two questions regarding mitigation in SAP GRC AC:
    1)
    Reading through the forum, we have seen that if the monitor does not execute the report (action) within the frequency set, an alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or do they need to be triggered by executing alert generation with mitigation flags set?
    2)
    If WF  is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
    Thanks in advance. Best regards,
      Imanol

    Hi Imanol,
       Here is my response:
    1) Reading through the forum, we have seen that if the monitor does not execute the report (action) within the frequency set, an alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or do they need to be triggered by executing alert generation with mitigation flags set?
    You need to go to Alert Generation -> Select Generate Alert log, Control Monitoring under Action Monitoring and Alert notification.
    2) If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
    Yes, that is correct.
    Regards,
    Alpesh
