Mitigation in SAP GRC AC
Hi all,
Two questions regarding mitigation in SAP GRC AC:
1)
Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
2)
If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
Thanks in advance. Best regards,
Imanol
Hi Imanol,
Here is my response:
1) Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
You need to go to Alert Generation -> Select Generate Alert log, Control Monitoring under Action Monitoring and Alert notification.
2) If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
Yes, that is correct.
Regards,
Alpesh
Similar Messages
-
Mitigating Control creation and application in SAP GRC 10
Hi Expert,
We have SAP GRC Access Control 10 being implemenmted for our client. While trying to create Mitigating Control, we just realized that Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions which is visible only when we activate the GRC-PC Application.
My queries are:
1. Is it that Mitigation control can only be created if PC is enable.
2. What about Licencing if GRC-PC Application is used for Mitigating Control Creation.
Thanking you i advance.
Thanks & Regards,
Abhimanu Kumar SinghHI,
Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
Thanks again.
Thanks & Regards,
Abhimanu Kumar Singh -
SAP GRC AC 5.3 integrated with BW
Hi all,
Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
Thanks in advance. Regards,
ImanolImanol,
There is documentation available for the integration. You can find that here:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
Also, there are numerous pre-delivered queries already developed. However, if you wish to develop your own reports, then you will need a BW resource to do so.
Pre-delivered queries:
For RAR:
Alert Detail Listing
Alert Header Listing
Critical Action Violations by User
Critical Role Viols Analysis with Long Portal IDs
Current User Permission Risk-Perm Violation Analysis Breakdowns
Current User Permission Risk Violation Analysis Breakdowns
Management Summary Total Listing
Mitigated Users Analysis
Risk Long Descriptions
Risk-Rule Set Relationship Listing
Role Permission Risk Violation Analysis
Role (Portals) Permission Risk Violation Analysis
Supplementary Rule Detail Listing
Supplementary Rule Header Listing
User Permission Risk Violation with Functions
User Permission Risk Violation with Remediation by User
User Permission Risk Violation with Remediation by User (Top 10)
User Permission Violation with Remediation by Risk
User Permission Violation with Remediation by Risk (Top 10)
For CUP:
Access Requests
Risk Violations
Role Provisioning
Service Levels
SOD Review
User Access Review
User Provisioning
Thanks!
Ankur
SAP GRC RIG -
Migarting from Approva to SAP GRC AC 5.3
Hello All,
One of our client using Approva applications now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide he how I proceed.
Key doubts u2013
1-How we upload rules in RAR, because we downloaded the rules from Approva.
2-Creation of mitigation controls etc.
It would be great if some share some documents related to above.
Thanks,
JagatHi Jagat,
Once your GRC system is configured. You have to follow the following steps:
1. Create system connector
2. Define Master User Source
3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
4. Now as Frank has suggested you have to convert the downloaded Apporava files to .txt files. There are 9 .txt files you have to create:
1. Business Process
BusinessProcessId (CHAR 4) LANGUAGE (CHAR 2) DESCRIPTION LANGUAGE (CHAR 120)
*fileds are TAB seperated
2. Function
FUNCTION ID (CHAR 8) LANGUAGE (CHAR 2) DESCRIPTION LANGUAGE (CHAR 120) FUNCTION SCOPE (CHAR 1 (S:Single System, C: Cross System))
3. Function-Business Process
FUNCTION ID (CHAR 8) BusinessProcessId (CHAR 4)
4. Function-Action
FUNCTION ID (CHAR 8) TRANSACTION(CHAR 20) STATUS (NUMC 1 (0 or 1))
5. Function-Permission
FUNCTION ID (CHAR 8) T-CODE (CHAR 20) OBJECT(CHAR 10) FIELD(CHAR 10) FROM VALUE(CHAR 40) TO VALUE(CHAR 40) SEARCH TYPE(CHAR3 (AND,OR,NOT)) STATUS (NUMC 1 (0 or 1))
6. Rule Set
RuleSetId (CHAR 8) LANGUAGE (CHAR 2) DESCRIPTION (CHAR 132)
7. Risk ID
RISKID (CHAR 4) FUNCTION_1_ID (CHAR 8) FUNCTION_2_ID (CHAR 8) FUNCTION_3_ID (CHAR 8) FUNCTION_4_ID (CHAR 8) FUNCTION_5_ID (CHAR 8) BusinessProcessId (CHAR 4) PRIORITYDESCRIPTION (NUMC 1 (0=Medium
1=High 2=Low 3=Critical)) STATUS (NUMC 1 (0 or 1)) RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
8. Risk Description
RISKID (CHAR 4) LANGUAGE (CHAR 2) RISKDESCRIPTION (CHAR 132) DETAILDESCRIPTION (CHAR 1000) CONTROLOBJECTIVE (CHAR 1000)
9. RISK_RULESET
RISKID (CHAR 4) RuleSetId (CHAR 8)
For more information on templates follow the configuration guide.
Upload these files and generate the rules.
Hope with this you will be able to continue.
Thanks & Regards,
Jitan -
Allowed variables in SAP GRC RAR messages
Hi experts,
I'm using SAP GRC AC 5.3.
In RAR, I want to configure message 0269 in cc_messages.txt file in order to change text including the description of the mitigation control.
Does anybody knows what's is this variable name ? Or even, where can I find a list of allowed variables for insertion in messages ?
Thanks,
Roque.Roquevalder,
I understand your question now. I see the message you are talking about:
VIRSA_CC_MSG 0269 EN error The mitigating control was updated by #_!USERID#_! on #_!DATE#_! at #_!TIME#_!. This email serves a notification that you have been #_!STATUSCHANGED#_! as the monitor for : #_!LINESEP#_! #_!LINESEP#_! #_!LINESEP#_! #_!CONTROLIDTEXT#_! #_!CONTROLID#_! #_!LINESEP#_! #_!HROBJTYPELINE#_! #_!LINESEP#_! #_!OBJECTTYPE#_! #_!OBJECTID#_! #_!LINESEP#_! #_!ORGRULELINE#_! #_!LINESEP#_! #_!RISKIDTEXT#_! #_!RISKID#_! #_!LINESEP#_! #_!LINESEP#_! #_!MONTEXT#_! #_!MONITOR#_! #_!LINESEP#_! #_!LINESEP#_! #_!VALIDFROMTEXT#_! #_!VALIDFROM#_! #_!VALIDTOTEXT#_! #_!VALIDTO#_! #_!LINESEP#_! #_!LINESEP#_! #_!STATUSTEXT#_! #_!STATUS#_!
But at the end of the file you have something like this:
D VIRSA_CC_MSGPRMS 0269 EN CONTROLIDTEXT CONTROLIDTEXT
D VIRSA_CC_MSGPRMS 0269 EN CONTROLID CONTROLID
D VIRSA_CC_MSGPRMS 0269 EN HROBJTYPELINE HROBJTYPELINE
D VIRSA_CC_MSGPRMS 0269 EN ORGRULELINE ORGRULELINE
D VIRSA_CC_MSGPRMS 0269 EN RISKIDTEXT RISKIDTEXT
I guess if you want to add a value in the message you have also to define it at the tail of the file.
My advice is to open a OSS message to ask for this functionality. You shouldn´t change it manually. Take into account that this file must be uploaded each time you update your GRC java components. So, if you make a custom change, you have to repeat that change every time you update. So I think you should ask SAP for this. They will probably include this field in next patches.
Regards,
Diego. -
Cross Organization SOD Conflict in SAP GRC
Hi,
I have a quick question:
Does SAP GRC allow you to capture cross Organization level value conflict. I just checked the Auth. Object for Org level Company code with $BUKRS under transaction codes in Functions, this shows disabled by default.
Example: If I have access to SU01 in Company Code 1 and access to PFCG in Company Code 2 will this be risk based on SAP standard SOD Rule set.
Your quick response will be appreciated. Thaning you in advance.
Thanks & Regards,
Abhimanu Kumar SinghHi
As already stated by Martin, one of the option for handling adtional backup access to users could be through Superuser Privilage management(If GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
If GRC is not implemented with your client then any additional access which is resulting in SoD, there has to a proper documentation of temporary access assignment to users(For Audit purpose). Mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
Thanks.
Anjan -
Integrate external identity management solution in SAP GRC Access Control
We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
thanks
DetlefUnfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
what do the published webservices do? Is there any documentation about them?
In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
Other thing that we want to do is to create a job where it would automatically desassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls)
IMHO as a former programmer, these are classic cases where I would like to consume some webservices for this tasks to avoid a lot of ctrc ctrlv from the operators (inefficient and error prone)
VCC has any documentation that would help me to find how I would do this integrations?
Thanks in advance -
Olá a todos.
Poderiam por gentileza me ajudar com a questão abaixo?
Estou com o seguinte problema na interface NFB2B_procNFe_IB do SAP GRC NF-e 10.0 (Support Package 15):
Recebemos uma série de XML's de montadoras de automóveis que contém informações adicionais nas tags <infAdProd> e <infCpl>, como por exemplo:
<infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44<![CDATA[<ID ITEM=005115/><PED=4500159772/> <UM=PC/>]]></infAdProd>
Porém ao inserir essa mensagem na interface NFB2B_procNFe_IB, a interface interpreta da seguinte forma:
<infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44
<![CDATA[
<ID ITEM=005115/>
<PED=4500159772/>
<UM=PC/>]]>
</infAdProd>
Sendo assim, ocorre o erro abaixo:
<nm:ExchangeFaultDataExt xmlns:nm="http://sap.com/xi/NFE/common" xmlns:prx="urn:sap.com:proxy:NED:/1SAI/TAS8DFA2846CCAA9B6570C6:702">
<faultText>Erro durante a transformação: Fim de elemento '{http://www.portalfiscal.inf.br/nfe}infAdProd' esperado programa: /1SAI/SAS6F90159886715E7C4560 caminho: nfeProc(1)NFe(1)infNFe(1)det(4)infAdProd(3)ID(1)</faultText>
</nm:ExchangeFaultDataExt>
Sei que temos algumas opções como:
1. Alterar o XML no mapping do PI; (Funcionaria com mensagens processadas através do PI, mas não conseguiria inserir um XML manualmente via SE80)
2. Alterar o XML no ABAP ao executar a classe /XNFE/CL_006NFB2B_PROC_NFE_IB; (Fazer algum replace nesses caracteres "<" e ">" por "<" ">"
Mas como fazer isso sem danificar a assinatura do XML que já está assinado e autorizado na SEFAZ?
Existe alguma nota SAP para corrigir esse problema?
Agradeço desde já a atenção.
Rodrigo Costa.Felipe,
também tive o mesmo problema do lado do NTB2B_procNFe_OB. Tentei de várias formas transformar o XML para ficar aderente ao cliente, porém o PI sempre alterava o XML (possivelmente devido ao encoding).
Vi muitos posts sobre o tema, mas ainda quando era o GRC NF-e 1.0, com a assinatura no Java. Para o GRC 10.0 não funciona, pois quando o xml chega no PI, o mesmo já está assinado, portanto não se pode alterar nada.
A solução foi para nesses casos específicos enviar o xml através do ECC mesmo.
Mas para o NFB2B_procNFe_IB ainda sem solução.
Abs.
Rodrigo. -
SAP GRC NFE não processa NFE's com itens que possuam diferentes alíquotas de IPI.
SAP GRC NFE não processa NFE's com itens que possuam diferentes alíquotas de IPI.
Alguém sabe se esse problema já foi resolvido ou conhece um contorno para essa situação ?
Desde a implantação em junho de 2013 não conseguimos processar notas que possuem itens com diferentes aliquotas de IPI.Bom dia Fernando (que bom te encontrar aqui também :-)!
Então, o Denny da SAP Alemanha me retornou dizendo que temos que instalar o XI Content SLL-NFE 10.0 e criar novamente os cenários da NF-e.
Eu estou entrando em contato com o nosso Basis que fica em Lima para ver se é possível que ele instale este componente, para que eu crie novamente os cenários da NF-e (extensão _900).
Após a recriação dos cenários, será que eu consigo reenviar as NF-e de teste novamente ou terei que estornar os documentos e fazer os processos novamente?
Obrigado pela ajuda!
Att.
Daniel -
SAP SP necessária para suportar os componentes para o SAP GRC NFE 1.0 no XI
oi,
Como estamos atualizando as nossas caixas de XI de SAP XI SAP PI 3.0 para 7,11, verificando o SLD notamos que Nota Fiscal componente de software está disponível. Assim, a pergunta é o que é que os Service Packs do sistema fonte precisa ter, a fim de fornecer todos os componentes necessários para a NF-e?
temos dois sistemas de fonte da qual enviamos os dados para XI, você pode sugerir o que é o pacote de serviços adequados para apoiar SAP GRC NFE 1.0 no XI
1> 6,0 SAP ECC, SP, 14
EHP 2, Nível 2
PI_Basis = 2005_1_700, Level 14
ST = PI 2008_1_700 Nível 2
2> 6,0 SAP ECC, EHP 4
Muito obrigadoOla, vi o seu e-mail mas resolvi responder por aqui!
Na realidade, se voce for realmente trabalhar com o GRC, dependendo da secretaria da fazenda que voce ira trabalhar aconselhor que voce aplique o sp15 no grc, consule SAP Note 1487119, nessa nota haverao todos os procedimentos necessarios.
Como haviamos falado anteriormente por e-mail, seria necessario, caso vc realmente queira trabalhar com o GRC a aplicacao de algumas notas tecnicas no proprio GRC.
1477834 XML Layout Version 2.00: Missing parameters in NF-e BAdI
1487119 SAPK-10015INSLLNFE: Support Package 15 for SLL-NFE
1496216 Rejection of NFe because of wrong data type of date fields
1499921 Problem with validation after implementing SP15
1498700 Problem on signing NF-e
1497767 Fill field qTrib for new layout version 2.0
1500046 Upgrade validation rule for field ID for version 2.0
1500742 Adjust validation for field NADICAO and NSEQADIC layout 2.00
1501545 Problems in trying to see a XML in the IE
1502612 Select the NFe Status Check Service for Incoming B2B message
1502217 Extend validation rules for <DI>/<adi>, layout 2.00
Sem mais, precisando me mais ajuda avise -
Hello,
eu estou trabalhando no electronica fiscal de Nota. Nós temos seguintes sistemas: --
SAP R/3 -
SAP GRC NFE--JAVA (assinaturas digitais)-SAP NETWEAVER PI/XI -
As AUTORIDADES (PARA A AUTORIZAÇÃO)
como eu verificam a conexão entre estes sistemas. Como eu sei uma comunicação existe entre
SAP GRC NFE--JAVA (assinaturas digitais)-SAP NETWEAVER PI/XI -
A conexão das AUTORIDADES (PARA A AUTORIZAÇÃO)
foi feita já com sucesso entre SAP R/3 E SAP GRC NFE através do RFC.
Por favor ajuda.
Agradecimentos adiantado,
HoneyBom dia Honey,
Além da comunicação entre os sistemas, você deve customizar as Sefaz-es e também os CNPJs na SPRO do GRC.
Acompanhe as telas aqui:
SAP GRC NFE 1.0 - New Solution Introduction & Implemention Best Practices
Você pode testar o serviço assinador (java) diretamente pelo web service:
Web Service Navigator
Leonardo deu uma boa dica para testar o customizing dos serviços e comunicação com o sistema externo (Sefaz).
Atenciosamente, Fernando Da Ró -
SAP GRC NF-e 10.0 - Problema durante Upgrade (mensagem /XNFE/APP 011)
Boa tarde a todos!
Realizamos o "Upgrade" do SAP GRC NF-e da versão 1.0 para a versão 10.0 (SLL-NFE 900, nível 0008) e estamos convivendo com um problema em uma mensagem XML do PI.
Na transação SXMB_MONI, monitor de mensagens processadas, ao filtrar por mensagens com SELSTAT = 017 Application Error - Manual Restart Possible, encontramos problemas em mensagens do seguinte tipo:
Sender: BATCH_BatchProcess_006
Receiver: CLNT100TND (Mandante 100 do Sistema TND)
Receiver Interface Namespace: http://sap.com/xi/NFE/006
Receiver Interface: BATCH_nfeRecepcaoLoteResponse_IB
Para estes, quando vou até o detalhe da mensagem e seleciono "Call Inbound Proxy" (com status vermelho), em "Payloads", vejo o erro "Não existe ID de lote 000000000000000".
Pelo que vi na tabela T100, a mensagem se refere ao código /XNFE/APP, número 011.
Por que será que está acontecendo este erro? Alguém já vivenciou esta situação antes?
P.S.: Já abri chamado na SAP e eles encaminharam o problema para a SAP Alemanha...
Obrigado,
DanielBom dia Fernando (que bom te encontrar aqui também :-)!
Então, o Denny da SAP Alemanha me retornou dizendo que temos que instalar o XI Content SLL-NFE 10.0 e criar novamente os cenários da NF-e.
Eu estou entrando em contato com o nosso Basis que fica em Lima para ver se é possível que ele instale este componente, para que eu crie novamente os cenários da NF-e (extensão _900).
Após a recriação dos cenários, será que eu consigo reenviar as NF-e de teste novamente ou terei que estornar os documentos e fazer os processos novamente?
Obrigado pela ajuda!
Att.
Daniel -
List of Issues/ problems in SAP GRC AC 5.3 Implementation
Hello,
Can anyone provide me with the list of most commonly occurring problems related to
1- SAP GRC Suite Installation
2- RAR Module implementation
3- CUP Module implementation
4- ERM Module implementation
5- SPM Module implementation
6- SAP PC 2.5 implementation
7- SAP RT Module implementation
8- SAP GRC Suite Upgradation.
Thanks in advance!!!Hi Abdul,
As such there are no issues in implemeting the AC modules.
Just make sure that you undeploy previously installed SP before deploying the new Support packages.
1. You have to upload the initial file (xml files) again in CUP and ERM. These files should be corresponding to latest support pack.
2. upload the CC 53_Messages.txt file in RAR with every upgrade.
Also restart the server after deploying any following the above steps.
For RT you can follow the note 1225960, 1060673 and make sure to restart the server after configuring the SAP Adapter.
Regards,
shweta -
Can SAP GRC AC 5.3 connect without any problem with SAP R/3 4.7 Enterprise?
hello,
I went to the PAM in the SAP Marketplace to see if SAP GRC AC 5.3 could connect to SAP R/3 4.7 Enterprise but I can't see all the "Add-On Product Version for...", it's cut off.
Can SAP GRC AC 5.3 connect without any problem with SAP R/3 4.7 Enterprise?
If I can't is there any proof about it? I have to show it to a client.
Best Regards,
Pablo Mortera,Pablo,
GRC AC 5.3 works perfectly fine with SAP's R/3 4.6c, mySAP ERP 4.7 and ECC systems. In fact we have two 4.7 Enterprise systems connected to GRC AC 5.3 system.
You can get the details of supported SAP ERP systems under prerequisite section of Info page of GRC AC 5.3 , it can be accessed on marketplace at -
Downloads-->Installations and Upgrades - Entry by Application Group > SAP Solutions for Governance, Risk, and Compliance>SAP GRC Access Control>SAP GRC ACCESS CONTROL>SAP GRC ACCESS CONTROL 5.3
Just ensure to have proper BASIS and ABAP support pack level as mentioned in prerequisites.
Regards,
Amol -
Nota fiscal send from R/3 to SAP GRC NFE
Hello Everyone,
We have send NFe from sap r/3 to sap grc nfe thru RFC . We cannot trace in GRC .
What could be the possible error .
please help.
HoneyHi Honey,
If configuration is correct on R/3 you can see the received data on tables /xnfe/nfehd (header), /xnfe/nfeit (item) and /xnfe/nfe_hist (history).
A good approuch to you check what system is being called is put a break-point before R/3 call GRC on the end of function J_1B_NF_MAP_TO_XML or include LJ_1B_NFEF42.
You can easily start debug on R/3 and follow inside GRC automatically when debugging, but the user of RFC need to be DIALOG and have debug rights. It's not possible do it with a service user.
Check if the correct FM is being called /xnfe/nfe_create, for other messaging system the FM is J_1B_NFE_XML_OUT (if customizations is wrong you will check this error on ST22 on GRC).
Kind regards, Fernando Da Ros
Maybe you are looking for
-
Get the request id from a PSA in start routine in transformation
Hello All, I need to get the request id of the PSA (source_package) during the start routine or field routine and then use it to look up the Date when requested was created using the table RSREQDONE. I'm extracting data from ECC, and then I load the
-
Converting non-ascii characters generated by MS word
Hello, I've encountered some files that were originally exported from MS Word as html. The problem is they contain some characters that fall into the 128 to 255 range. Some appear to be fancy quotes and apostrophes, but others I just can't figure out
-
Change aspect ratio in a nearly completed project
I need to change the aspect ratio of a nearly completed class project from 720x480 down to 720x418. My source material is x418, but I started the project at x420, and I need to get rid of the black bars. I thought the crop tool might do it, but it
-
Hi, The following query is showing error An INSERT EXEC statement cannot be nested CREATE PROCEDURE [dbo].[Procedur3] @para1 int AS BEGIN CREATE TABLE #tem select * from detialpar where did=@para1 --this code is quite big and is called from many
-
Hi Experts, XI is not able to connect to the IBCO server and all the channels are in errorr status with the error " Channel error occurred: detailed error description: com.sap.aii.adapter.jms.api.cpnnector.ConnectorException: Error looking up destina