No Roles In Access Request - GRC 10 SP06
Hello Experts ,
With GRC 10 SP 06 ,I am facing strange issue .In Access request when I search for roles to be assigned I am not getting any result .
I have performed all post installation system and same working with SP 05 in other landscape .
Important steps like running back ground jobs for user.role.profile synch role import all is done .
Thanks & Regards
Ashish
Hi,
You have hit a similar problem I faced after moving to SP06.
What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
Hope that helps.
Similar Messages
-
GRC 10 Not able to search roles in Access Request Creation
Hello Experts,
I am unable to search for roles while creating access request by giving system name.
I am able to search with any other search criteria except system.
When I look for valid entries for System I get the following connector group values:
ECC - (Custom Connector Group)
SAP_BAS_LG
SAP_ECC_LG
SAP_HR_LG
SAP_R3_LG
All the above connector groups are pointing to the same system XXXCLNT100. I want to get only ECC as the result when I search for the system (Probably then it might work right).
Others that start with SAP are linked to the XXXCLNT100 for generating rules after activating BC Sets.
Any ideas how to get this work !!
Thanks and Regards,
Ajesh Raju.Found Note:
Note 1654033 - Role search by System is giving same result
Regards,
Ajesh. -
Composite role not showing in Access request screen. (BRM not used)
Dear All
I have created a composite role in backend system with 2 single roles.
a. I have imported the single roles using the NWBC screen.
b. run the auth sync job.
c. imported the composite role as a techincal role using the NWBC import screen.
the import procedure was successfully completed.
But when i try to search for the role in Access request screen for a user - i can only see the single roles & not the composite roles?
Pls advise
RajuHi Raju,
In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
The final stage of the composite role has to be in complete status.
Regards,
Ameet -
GRC 10.0 SP 14 access request form displays unassigned roles
Dear experts, when I open the Access Request form and I select a user, and then I click on existing assignments, I am shown a list of roles and systems assigned to this user. However, when I go to those corresponding backend systems to see if the roles are actually assigned, it turns out that they are not. I have rerun all the sync jobs and they all completed successfully. Auto provisioning works on all these systems and there are no issues in terms of the RFC. However, as indicated by the attachments, it continues to show rules that were unassigned from this user some time ago. where might these assignments be coming from?
Hi Santosh,
did you run the repository object sync job in full mode for this connector? This has mostly to do with outdated sync information as you can also see in the following note:
http://service.sap.com/sap/support/notes/1667112
Please check again.
Regards,
Alessandro -
Error while trying to submit Access request to GRC from IDM
Hello
We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
Is there anything wrong with the script which put RoleData details since its getting aborted ?
I tried providing Role name directly in Role data attribute inside the action task and got following error:
Error
putNextEntry failed
storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
Exception from Add operation:javax.naming.NamingException: [LDAP: error code
82 - (GRC User Access Request:82:Script execution failed)]; remaining name
'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
I checked VDS Logs and there was one error :
Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME is empty in line no 1 ;msgtype=ERROR
From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
Regards
Deepak GuptaThanks Christopher
I got my issue fixed, There was issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
Regards
Deepak Gupta -
ARQ: Default Role Provisioning Problem in Access Request???
Hi,
This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
MSMP Issue - GRC 10
I have also followed the note#1616092 for configuring the Default Roles.
I have performed below activities:
1. Param#2009 = YES
2. Param#2010 = 001
3. Param#2011 = REQUEST
4. Param#2013 = SYSTEM
5. Param#2038 = YES
6. Imported a test role and NO ROLE OWNER is maintained.
7.In NWBC->-AM->RM, I maintained a test role as a default.
Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
May I know what I am missing here? Why I am getting error and how can I resolve it?
Please advise.
Regards,
FaisalHi Faisal,
sorry for late resposne I was away traveling.
default roles are being added by default to access request
Yes, these roles are added to the access request.
FN: OK
and this roles are following your normal paths which I guess assumes manager and role owner.
How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
- request is going to detour path
Does it answer my question?
FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
Deafault roles can have separate path (in my case) where only supervisor is approving it.
Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
FN; correct
It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
correct
If you do not have separate path - this role like any other will follow standard path you have.
Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
FN: good
My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
Are you asking for default roles?
Please advise.
Regards,
Faisal -
Split of an Access Request in GRC
Hello GRC Experts,
I have a following issue in my MSMP workflow:
I have created a MSMP workflow using detour Rule GRAC_MSMP_DETOUR_SODVIOL ar first stage. If an Access request contains SOD violations the request should be routed to Security stage. If works fine so far, but with one exception. We have requests which contain three roles, two of them have SODs and one is clean. I expect that only two roles which contain SOD should be routed to SOD path, and the role which is clean should go the normal path (No SOD path). However I am facing the situation that the whole request is routed to the SOD path and Security stage.
Do you have any idea how to solve this issue?
thank you in advance
best regards
Sabrina
Here are the screenshots from the MSMP workflowHi Sabrina,
we had exactly the same challenge - this is how we solve it:
- check parameter: 1073 Enable sod violations detour on risks from existing roles (recommended YES)
- routing level - make sure the stage settings (where your routing rule is executed) are set to "line item level" under MSMP Workflow configuration / Maintain paths/ maintain stage settings
Hope this helps,
Filip -
Access Request "Model User" - Role Type "Role" disabled in "Select Model Access" screen.
Hi All,
I am implementing GRC AC 10.0 - ARM for provisioning in SAP R/3 and Enterprise Portal systems.
While using "Model User" access request, I find that UME portal groups are coming as disabled and are not available for selection in tab 'Select Model Access'.
Also only Type "Single Roles" appear for assignment or selection in the "Model User" form. Type "Role" appears disabled.
Request help, thanks.
Regards,
Piyush.Thanks all for the suggestions but issue persists.
I ran repository object sync in full sync mode for the portal system.
I re-imported the portal groups.
Still as earlier while using "Model User" request, I can see the groups with the reference user but it is grayed out and not available for selection.
The other three scenarios (Access request, Copy Request & Template) work fine. In those request I can select the portal groups as well. -
Access Request Creation - Role or System Required at Creation
Hi - We are installing GRC 10.1 SP6. When I create a request it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirmenet to add either a system or a role at the time you create a request?
This is not a huge deal to me as I created templates that include the systems we provision to by default. However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.
Thanks,
RichHi Richard,
additionally to what Colleen has already mentioned you can set up the provisioning configuration in the way that you don't have to select a system in the access request. So basically a requests requires either a system or a role. Most of the time (best practice) users select a role without a system. Personally I also recommend that way as the system comes with the role automatically.
In the global provisioning configuration (SPRO > AC > User Provisioning > Maintain Provisioning Settings) you have to define that the user gets created when the role gets assigned.
Alternatively, as you would like to remove both, you can check if it is workable via the request type settings. I don't have a system to test, but you might be lucky. Remove the "Assign object" action from the request type and check if it is still mandatory to add at least one assignment.
SPRO > GRC > AC > User Provisionign > Define Request Type
Please let me know if this helps.
Regards,
Alessandro -
User details are missing in Access request in GRC 10.0
Hello All,
When we are trying to create Access request in GRC 10.0 for an user it results as user details not found.
Under SPRO - Maintain data source configuration we have configured 2 HR systems HR1 and HR2.
But the User details exits in HR1 system and lies in validity also. We have tried to run the Repository Object Sync also still unable to search the details.
But we observed even after the Sync job User details are not created in table GRACUSER and GRACUSERCONN. Is this could be the problem. Why its not updating even after the Sync job many times almost 10 times.
We have also configured parameter 5023 to YES.Please advise.
Thanks in advance.Did the sequence for HR1 set to 1 or 2, I hope you are following the suggestions given by Luciana in other thread.
Please post your data source config screenshots otherwise.
BR,
Mangesh -
GRC 10.0: Access Request Creation - LDAP user advanced search not working
Dear Experts,
We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
Scenario 1: If we put the user name in “User” field and press intro, the user details are updated:
Scenario 2: If we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
We are using the Active Directory as Data Source.
Thanks and Regards.Hi Jose,
Try maintaning the parameter 2050 as YES and check once.
Kindly, also make refer to the below list of SAP notes:
1757906 - GRC 10.0 - LDAP user search does not work in NWBC
1745370 - LDAP search in GRC does not work anonymously
1718242- UAM: User search not working in Access Request.
Regards,
Neeraj Agarwal -
GRC 10.0 Access Request Creation- Data Source of User Details
Hi Experts,
I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
Thanks,
AtanuAlessandro,
Thanks for your response. It helped me to know certain things.
But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
Thanks in advance!
Atanu -
GRC 10.0 Access request Management Audit
Hello All,
Can Anyone let me know what Auditors Check When they Audit GRC 10.0 Access request Management (excluding Configuration).
Thanks
Mohammed WasimHi,
ARM supports key ITGC controls for user access management, so probably audit would also cover:
- review of updated processes & controls
- check (based on sample) if all requests were properly approved
- review of correctness of approvers assignment
- verification if what was requested was provisioned
- timely removal of terminated access
- review of SoD controls embedded in process
- periodic review of user access
and maybe some more controls. In most cases it will be sample based testing so auditors may ask for a sample of requests to trace them to back-end systems and opposite sample of changes in users privileges to verify if proper requests were prepared for those changes...
Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
Best regards, Andrzej -
GRC 10.1 Simplified Access Request and Remediation View Issues
Hi Everyone,
We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and am having the following issues--has anyone else also experienced?
In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks the same request:
I’ve checked the following things:
I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
It looks like we are on the latest support packs:
Any help on this would be greatly appreciated!
Thanks,
BrettHi Brett,
For Remediation issue you can check the below thread.
http://scn.sap.com/thread/3574790
Regards,
Neeraj -
Email content in GRC access request
Dear Experts,
Can any one let me know from where GRC access request email content is picked up which creating creating throught access request.?
I.e when ever the requestor creating request, the manager will get an email( and in my scenario the email document is maintained in document maintenance(se61 tcode) ). Now i need to prefix user full name in email content(which the manager receives) with Mr./Ms.
Thanks
KatriceHi,
My issue is resolved my enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End A
*$*$-Start: (1)---------------------------------------------------------------------------------$*$*
ENHANCEMENT 1 ZGRC_EMAIL_TITLE. "active version
DATA: lw_fullname TYPE string,
lw_variables TYPE grfn_s_msg_variable,
lw_logsys TYPE logsys,
lw_system_id_temp TYPE string,
lw_user TYPE grac_user,
lw_return TYPE int4,
lW_user_details TYPE grac_s_user_detail.
SELECT SINGLE logsys INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
IF sy-subrc = 0.
lw_system_id_temp = lw_logsys.
ENDIF.
READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
IF sy-subrc EQ 0.
lw_user = lw_variables-value.
TRY.
CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
EXPORTING
iv_system_id = lw_system_id_temp
iv_user = lw_user
IMPORTING
ev_return_code = lw_return
es_user_details = lw_user_details.
CATCH cx_grfn_exception . "#EC NO_HANDLER
ENDTRY.
ENDIF.
READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
IF sy-subrc EQ 0.
CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
MODIFY et_variables FROM lw_variables index sy-tabix.
ENDIF.
ENDENHANCEMENT.
*$*$-End: (1)---------------------------------------------------------------------------------$*$*
Thanks
KH
Maybe you are looking for
-
I bought an iPhone 5 at Best Buy, and they started the setup assistant process. Now I can't go back and start over so I can sync my phone to my iTunes account. I have an old iPhone 3GS and didn't use the iCloud. I backed up to my computer. And no
-
Can't open CR2 files in CS3 after recovery from memory card deletion
I accidentally deleted some photos from a memory card. I recovered them using software called "Recover My Files". This software recovered the files but now I can't open them in CS3. I took these with an old Canon Rebel DSLR and they should not need c
-
Can't export some clips, can others, Compressor failing me
I've been exporting a large series of clips from FCP HD using compressor. I didn't have a problem with the first 15 or so clips. Now, I can't get my remaining sequences to export. Each time I try I get a notification in compressor that the export fai
-
First, I apologize; I posted this in General Discussion, when I should have posted it here. With that said, I created a demo using Captivate 1, and would like to add a question slide at the end soliciting feedback from the users. I don't have an LMS,
-
Is there a quick way to replace all the faces in the crowd with those of a few friends' faces?
I took some photos of the crowd at the fabulous McCartney concert in Phoenix. I would like to replace them with the faces of three people for an article I'm doing about the concert. I was hoping that there was a feature that would automate this someh