Mitigation in SAP GRC AC

Similar Messages

• Mitigating Control creation and application in SAP GRC 10

  Hi Expert,
  We have SAP GRC Access Control 10 being implemenmted for our client.  While trying to create Mitigating Control, we just realized that Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions which is visible only when we activate the GRC-PC Application.
  My queries are:
  1. Is it that Mitigation control can only be created if PC is enable.
  2. What about Licencing if GRC-PC Application is used for Mitigating Control Creation.
  Thanking you i advance.
  Thanks & Regards,
  Abhimanu Kumar Singh

  HI,
  Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
  However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
  Thanks again.
  Thanks & Regards,
  Abhimanu Kumar Singh

• SAP GRC AC 5.3 integrated with BW

  Hi all,
  Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
  Thanks in advance. Regards,
     Imanol

  Imanol,
  There is documentation available for the integration.  You can find that here:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
  Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
  Pre-delivered queries:
  For RAR:
  Alert Detail Listing
  Alert Header Listing
  Critical Action Violations by User
  Critical Role Viols Analysis with Long Portal IDs
  Current User Permission Risk-Perm Violation Analysis Breakdowns
  Current User Permission Risk Violation Analysis Breakdowns
  Management Summary Total Listing
  Mitigated Users Analysis
  Risk Long Descriptions
  Risk-Rule Set Relationship Listing
  Role Permission Risk Violation Analysis
  Role (Portals) Permission Risk Violation Analysis
  Supplementary Rule Detail Listing
  Supplementary Rule Header Listing
  User Permission Risk Violation with Functions
  User Permission Risk Violation with Remediation by User
  User Permission Risk Violation with Remediation by User (Top 10)
  User Permission Violation with Remediation by Risk
  User Permission Violation with Remediation by Risk (Top 10)
  For CUP:
  Access Requests
  Risk Violations
  Role Provisioning
  Service Levels
  SOD Review
  User Access Review
  User Provisioning
  Thanks!
  Ankur
  SAP GRC RIG

• Migarting from Approva to SAP GRC AC 5.3

  Hello All,
  One of our client using Approva applications now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide he how I proceed.
  Key doubts u2013
  1-How we upload rules in RAR, because we downloaded the rules from Approva.
  2-Creation of mitigation controls etc.
  It would be great if some share some documents related to above.
  Thanks,
  Jagat

  Hi Jagat,
  Once your GRC system is configured. You have to follow the following steps:
  1. Create system connector
  2. Define Master User Source
  3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
  4. Now as Frank has suggested you have to convert the downloaded Apporava files to .txt files. There are 9 .txt files you have to create:
  1. Business Process
  BusinessProcessId (CHAR 4)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)
  *fileds are TAB seperated
  2. Function
  FUNCTION ID (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION LANGUAGE  (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S:Single System, C: Cross System))
  3. Function-Business Process
  FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
  4. Function-Action
  FUNCTION ID (CHAR 8)    TRANSACTION(CHAR 20)     STATUS (NUMC 1 (0 or 1))
  5. Function-Permission
  FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT(CHAR 10)     FIELD(CHAR 10)     FROM VALUE(CHAR 40)     TO VALUE(CHAR 40)     SEARCH TYPE(CHAR3 (AND,OR,NOT))       STATUS (NUMC 1 (0 or 1))       
  6. Rule Set
  RuleSetId (CHAR 8)     LANGUAGE  (CHAR 2)     DESCRIPTION (CHAR 132)
  7. Risk ID
  RISKID (CHAR 4)     FUNCTION_1_ID  (CHAR 8)     FUNCTION_2_ID  (CHAR 8)     FUNCTION_3_ID  (CHAR 8)     FUNCTION_4_ID  (CHAR 8)     FUNCTION_5_ID  (CHAR 8)     BusinessProcessId (CHAR 4)       PRIORITYDESCRIPTION (NUMC 1 (0=Medium
  1=High 2=Low 3=Critical))      STATUS (NUMC 1 (0 or 1))        RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
  8. Risk Description
  RISKID (CHAR 4)       LANGUAGE  (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
  9. RISK_RULESET
  RISKID (CHAR 4)       RuleSetId (CHAR 8)
  For more information on templates follow the configuration guide.
  Upload these files and generate the rules.
  Hope with this you will be able to continue.
  Thanks & Regards,
  Jitan

• Allowed variables in SAP GRC RAR messages

  Hi experts,
  I'm using SAP GRC AC 5.3.
  In RAR, I want to configure message 0269 in cc_messages.txt file in order to change text including the description of the mitigation control.
  Does anybody knows what's is this variable name ? Or even, where can I find a list of allowed variables for insertion in messages ?
  Thanks,
  Roque.

  Roquevalder,
  I understand your question now. I see the message you are talking about:
  VIRSA_CC_MSG     0269     EN     error     The mitigating control was updated by #_!USERID#_! on #_!DATE#_! at #_!TIME#_!. This email serves a notification that you have been #_!STATUSCHANGED#_! as the monitor for : #_!LINESEP#_! #_!LINESEP#_! #_!LINESEP#_! #_!CONTROLIDTEXT#_! #_!CONTROLID#_! #_!LINESEP#_! #_!HROBJTYPELINE#_! #_!LINESEP#_! #_!OBJECTTYPE#_! #_!OBJECTID#_! #_!LINESEP#_! #_!ORGRULELINE#_! #_!LINESEP#_! #_!RISKIDTEXT#_! #_!RISKID#_! #_!LINESEP#_! #_!LINESEP#_! #_!MONTEXT#_! #_!MONITOR#_! #_!LINESEP#_! #_!LINESEP#_! #_!VALIDFROMTEXT#_! #_!VALIDFROM#_! #_!VALIDTOTEXT#_! #_!VALIDTO#_! #_!LINESEP#_! #_!LINESEP#_! #_!STATUSTEXT#_! #_!STATUS#_!
  But at the end of the file you have something like this:
  D     VIRSA_CC_MSGPRMS     0269     EN     CONTROLIDTEXT     CONTROLIDTEXT
  D     VIRSA_CC_MSGPRMS     0269     EN     CONTROLID     CONTROLID
  D     VIRSA_CC_MSGPRMS     0269     EN     HROBJTYPELINE     HROBJTYPELINE
  D     VIRSA_CC_MSGPRMS     0269     EN     ORGRULELINE     ORGRULELINE
  D     VIRSA_CC_MSGPRMS     0269     EN     RISKIDTEXT     RISKIDTEXT
  I guess if you want to add a value in the message you have also to define it at the tail of the file.
  My advice is to open a OSS message to ask for this functionality. You shouldn´t change it manually. Take into account that this file must be uploaded each time you update your GRC java components. So, if you make a custom change, you have to repeat that change every time you update. So I think you should ask SAP for this. They will probably include this field in next patches.
  Regards,
  Diego.

• Cross Organization SOD Conflict in SAP GRC

  Hi,
  I have a quick question:
  Does SAP GRC allow you to capture cross Organization level value conflict. I just checked the Auth. Object for Org level Company code with $BUKRS under transaction codes in Functions, this shows disabled by default.
  Example: If I have access to  SU01 in Company Code 1 and access to PFCG in Company Code 2 will this be risk based on SAP standard SOD Rule set.
  Your quick response will be appreciated. Thaning you in advance.
  Thanks & Regards,
  Abhimanu Kumar Singh

  Hi
  As already stated by Martin, one of the option for handling adtional backup access to users could be through Superuser Privilage management(If GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
  If GRC is not implemented with your client then any additional access which is resulting in SoD, there has to a proper documentation of temporary access assignment to users(For Audit purpose). Mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
  Thanks.
  Anjan

• Integrate external identity management solution in SAP GRC Access Control

  We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
  thanks
  Detlef

  Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
  what do the published webservices do? Is there any documentation about them?
  In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
  The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
  Other thing that we want to do is to create a job where it would automatically desassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls)
  IMHO as a former programmer, these are classic cases where I would like to consume some webservices for this tasks to avoid a lot of ctrc ctrlv from the operators (inefficient and error prone)
  VCC has any documentation that would help me to find how I would do this integrations?
  Thanks in advance

• SAP GRC NF-e 10.0: Erro na interface NFB2B_procNFe_IB (contendo CDATA)

  Olá a todos.
  Poderiam por gentileza me ajudar com a questão abaixo?
  Estou com o seguinte problema na interface NFB2B_procNFe_IB do SAP GRC NF-e 10.0 (Support Package 15):
  Recebemos uma série de XML's de montadoras de automóveis que contém informações adicionais nas tags <infAdProd> e <infCpl>, como por exemplo:
    <infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44<![CDATA[<ID ITEM=005115/><PED=4500159772/> <UM=PC/>]]></infAdProd>
  Porém ao inserir essa mensagem na interface NFB2B_procNFe_IB, a interface interpreta da seguinte forma:
      <infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44
        <![CDATA[
          <ID ITEM=005115/>
          <PED=4500159772/>
          <UM=PC/>]]>
          </infAdProd>
  Sendo assim, ocorre o erro abaixo:
  <nm:ExchangeFaultDataExt xmlns:nm="http://sap.com/xi/NFE/common" xmlns:prx="urn:sap.com:proxy:NED:/1SAI/TAS8DFA2846CCAA9B6570C6:702">
    <faultText>Erro durante a transformação: Fim de elemento '{http://www.portalfiscal.inf.br/nfe}infAdProd' esperado programa: /1SAI/SAS6F90159886715E7C4560 caminho: nfeProc(1)NFe(1)infNFe(1)det(4)infAdProd(3)ID(1)</faultText>
    </nm:ExchangeFaultDataExt>
  Sei que temos algumas opções como:
  1. Alterar o XML no mapping do PI; (Funcionaria com mensagens processadas através do PI, mas não conseguiria inserir um XML manualmente via SE80)
  2. Alterar o XML no ABAP ao executar a classe /XNFE/CL_006NFB2B_PROC_NFE_IB; (Fazer algum replace nesses caracteres "<" e ">" por "&lt;" "&gt;"
  Mas como fazer isso sem danificar a assinatura do XML que já está assinado e autorizado na SEFAZ?
  Existe alguma nota SAP para corrigir esse problema?
  Agradeço desde já a atenção.
  Rodrigo Costa.

  Felipe,
  também tive o mesmo problema do lado do NTB2B_procNFe_OB. Tentei de várias formas transformar o XML para ficar aderente ao cliente, porém o PI sempre alterava o XML (possivelmente devido ao encoding).
  Vi muitos posts sobre o tema, mas ainda quando era o GRC NF-e 1.0, com a assinatura no Java. Para o GRC 10.0 não funciona, pois quando o xml chega no PI, o mesmo já está assinado, portanto não se pode alterar nada.
  A solução foi para nesses casos específicos enviar o xml através do ECC mesmo.
  Mas para o NFB2B_procNFe_IB ainda sem solução.
  Abs.
  Rodrigo.

• SAP GRC NFE não processa NFE's com itens que possuam diferentes alíquotas de IPI.

  SAP GRC NFE não processa NFE's com itens que possuam diferentes alíquotas de IPI.
  Alguém sabe se esse problema já foi resolvido ou conhece um contorno para essa situação ?
  Desde a implantação em junho de 2013 não conseguimos processar notas que possuem itens com diferentes aliquotas de IPI.

  Bom dia Fernando (que bom te encontrar aqui também :-)!
  Então, o Denny da SAP Alemanha me retornou dizendo que temos que instalar o XI Content SLL-NFE 10.0 e criar novamente os cenários da NF-e.
  Eu estou entrando em contato com o nosso Basis que fica em Lima para ver se é possível que ele instale este componente, para que eu crie novamente os cenários da NF-e (extensão _900).
  Após a recriação dos cenários, será que eu consigo reenviar as NF-e de teste novamente ou terei que estornar os documentos e fazer os processos novamente?
  Obrigado pela ajuda!
  Att.
  Daniel

• SAP SP necessária para suportar os componentes para o SAP GRC NFE 1.0 no XI

  oi,
  Como estamos atualizando as nossas caixas de XI de SAP XI SAP PI 3.0 para 7,11, verificando o SLD notamos que Nota Fiscal componente de software está disponível. Assim, a pergunta é o que é que os Service Packs do sistema fonte precisa ter, a fim de fornecer todos os componentes necessários para a NF-e?
  temos dois sistemas de fonte da qual enviamos os dados para XI, você pode sugerir o que é o pacote de serviços adequados para apoiar SAP GRC NFE 1.0 no XI
  1> 6,0 SAP ECC, SP, 14
  EHP 2, Nível 2
  PI_Basis = 2005_1_700, Level 14
  ST = PI 2008_1_700 Nível 2
  2> 6,0 SAP ECC, EHP 4
  Muito obrigado

  Ola, vi o seu e-mail mas resolvi responder por aqui!
  Na realidade, se voce for realmente trabalhar com o GRC, dependendo da secretaria da fazenda que voce ira trabalhar aconselhor que voce aplique o sp15 no grc, consule SAP Note 1487119, nessa nota haverao todos os procedimentos necessarios.
  Como haviamos falado anteriormente por e-mail, seria necessario, caso vc realmente queira trabalhar com o GRC a aplicacao de algumas notas tecnicas no proprio GRC.
  1477834     XML Layout Version 2.00: Missing parameters in NF-e BAdI
  1487119     SAPK-10015INSLLNFE: Support Package 15 for SLL-NFE
  1496216     Rejection of NFe because of wrong data type of date fields
  1499921     Problem with validation after implementing SP15
  1498700     Problem on signing NF-e
  1497767     Fill field qTrib for new layout version 2.0
  1500046     Upgrade validation rule for field ID for version 2.0
  1500742     Adjust validation for field NADICAO and NSEQADIC layout 2.00
  1501545     Problems in trying to see a XML in the IE
  1502612     Select the NFe Status Check Service for Incoming B2B message
  1502217     Extend validation rules for <DI>/<adi>, layout 2.00
  Sem mais, precisando me mais ajuda avise

• SAP GRC NFE

  Hello,
  eu estou trabalhando no electronica fiscal de Nota. Nós temos seguintes sistemas: --
  SAP R/3 -
  SAP GRC NFE--JAVA (assinaturas digitais)-SAP NETWEAVER PI/XI -
  As AUTORIDADES (PARA A AUTORIZAÇÃO)
  como eu verificam a conexão entre estes sistemas. Como eu sei uma comunicação existe entre
  SAP GRC NFE--JAVA (assinaturas digitais)-SAP NETWEAVER PI/XI -
  A conexão das AUTORIDADES (PARA A AUTORIZAÇÃO)
  foi feita já com sucesso entre SAP R/3 E SAP GRC NFE através do RFC.
  Por favor ajuda.
  Agradecimentos adiantado,
  Honey

  Bom dia Honey,
  Além da comunicação entre os sistemas, você deve customizar as Sefaz-es e também os CNPJs na SPRO do GRC.
  Acompanhe as telas aqui:
  SAP GRC NFE 1.0 - New Solution Introduction & Implemention Best Practices
  Você pode testar o serviço assinador (java) diretamente pelo web service:
  Web Service Navigator
  Leonardo deu uma boa dica para testar o customizing dos serviços e comunicação com o sistema externo (Sefaz).
  Atenciosamente, Fernando Da Ró

• SAP GRC NF-e 10.0 - Problema durante Upgrade (mensagem /XNFE/APP 011)

  Boa tarde a todos!
  Realizamos o "Upgrade" do SAP GRC NF-e da versão 1.0 para a versão 10.0 (SLL-NFE 900, nível 0008) e estamos convivendo com um problema em uma mensagem XML do PI.
  Na transação SXMB_MONI, monitor de mensagens processadas, ao filtrar por mensagens com SELSTAT = 017 Application Error - Manual Restart Possible, encontramos problemas em mensagens do seguinte tipo:
  Sender: BATCH_BatchProcess_006
  Receiver: CLNT100TND (Mandante 100 do Sistema TND)
  Receiver Interface Namespace: http://sap.com/xi/NFE/006
  Receiver Interface: BATCH_nfeRecepcaoLoteResponse_IB
  Para estes, quando vou até o detalhe da mensagem e seleciono "Call Inbound Proxy" (com status vermelho), em "Payloads", vejo o erro "Não existe ID de lote  000000000000000".
  Pelo que vi na tabela T100, a mensagem se refere ao código /XNFE/APP, número 011.
  Por que será que está acontecendo este erro? Alguém já vivenciou esta situação antes?
  P.S.: Já abri chamado na SAP e eles encaminharam o problema para a SAP Alemanha...
  Obrigado,
  Daniel

  Bom dia Fernando (que bom te encontrar aqui também :-)!
  Então, o Denny da SAP Alemanha me retornou dizendo que temos que instalar o XI Content SLL-NFE 10.0 e criar novamente os cenários da NF-e.
  Eu estou entrando em contato com o nosso Basis que fica em Lima para ver se é possível que ele instale este componente, para que eu crie novamente os cenários da NF-e (extensão _900).
  Após a recriação dos cenários, será que eu consigo reenviar as NF-e de teste novamente ou terei que estornar os documentos e fazer os processos novamente?
  Obrigado pela ajuda!
  Att.
  Daniel

• List of Issues/ problems in SAP GRC AC 5.3 Implementation

  Hello,
  Can anyone provide me with the list of most commonly occurring problems related to
  1- SAP GRC Suite Installation
  2- RAR Module implementation
  3- CUP Module implementation
  4- ERM Module implementation
  5- SPM Module implementation
  6- SAP PC 2.5 implementation
  7- SAP RT Module implementation
  8- SAP GRC Suite Upgradation.
  Thanks in advance!!!

  Hi Abdul,
  As such there are no issues in implemeting the AC modules.
  Just make sure that you undeploy previously installed SP before deploying the new Support packages.
  1. You have to upload the initial file (xml files) again in CUP and ERM. These files should be corresponding to latest support pack.
  2. upload the CC 53_Messages.txt file in RAR with every upgrade.
  Also restart the server after deploying any following the above steps.
  For RT you can follow the note 1225960, 1060673 and make sure to restart the server after configuring the SAP Adapter.
  Regards,
  shweta

• Can SAP GRC AC 5.3 connect without any problem with SAP R/3 4.7 Enterprise?

  hello,
  I went to the PAM in the SAP Marketplace to see if SAP GRC AC 5.3 could connect to SAP R/3 4.7 Enterprise but I can't see all the "Add-On Product Version for...", it's cut off.
  Can SAP GRC AC 5.3 connect without any problem with SAP R/3 4.7 Enterprise?
  If I can't is there any proof about it? I have to show it to a client.
  Best Regards,
  Pablo Mortera,

  Pablo,
  GRC AC 5.3 works perfectly fine with SAP's R/3 4.6c, mySAP ERP 4.7 and ECC systems. In fact we have two 4.7 Enterprise systems connected to GRC AC 5.3 system.
  You can get the details of supported SAP ERP systems under prerequisite section of Info page of GRC AC 5.3 , it can be accessed on marketplace at -
  Downloads-->Installations and Upgrades - Entry by Application Group > SAP Solutions for Governance, Risk, and Compliance>SAP GRC Access Control>SAP GRC ACCESS CONTROL>SAP GRC ACCESS CONTROL 5.3
  Just ensure to have proper BASIS and ABAP support pack level as mentioned in prerequisites.
  Regards,
  Amol

• Nota fiscal send from R/3 to SAP GRC NFE

  Hello Everyone,
  We have send NFe from sap r/3 to sap grc nfe thru RFC . We cannot trace in GRC .
  What could be the possible error .
  please help.
  Honey

  Hi Honey,
  If configuration is correct on R/3 you can see the received data on tables /xnfe/nfehd (header), /xnfe/nfeit (item) and /xnfe/nfe_hist (history).
  A good approuch to you check what system is being called is put a break-point before R/3 call GRC on the end of function J_1B_NF_MAP_TO_XML or include LJ_1B_NFEF42.
  You can easily start debug on R/3 and follow inside GRC automatically when debugging, but the user of RFC need to be DIALOG and have debug rights. It's not possible do it with a service user.
  Check if the correct FM is being called /xnfe/nfe_create, for other messaging system the FM is J_1B_NFE_XML_OUT (if customizations is wrong you will check this error on ST22 on GRC).
  Kind regards, Fernando Da Ros