NWBC access in GRC 10

Hello,
In GRC 10 RM there are certain Risk Management functions that I am not able to access in NWBC, as they are currently greyed out. These functions are in the work centres indicated below.
I am not sure if this is authorization related, as I have allocated the SAP_ALL profile as well as the roles SAP_GRC_RM, SAP_GRC_FN and SAP_GRC_NWBC to test in the Sandbox client and access is still not allowed. Can anyone perhaps assist?
Risk Structure
- Create Policies
Risk Assessment
- Create / Risk Opportunity
- Create Response / Enhancement Plan
- Create Incident
- Create Scenario
- Create Montecarlo Analysis
Edited by: Kleinsmidt Donald on Sep 13, 2011 6:15 PM

Hi Kleinsmidt,
I am not sure which roles you are using exactly. But if you have the below roles, it is sufficient to view the workcentres and work items mentioned by you.
1) SAP_GRC_FN_ALL
2) SAP_GRC_FN_BASE
3) SAP_GRC_FN_BUSINESS_USER
4) SAP_GRC_NWBC
If the above-mentioned roles are there and you are not able to perform the activities mentioned by you, then you have some other problem, maybe a customization issue, not a role issue.
Thanks,
Guru

Similar Messages

  • No Roles In Access Request - GRC 10 SP06

    Hello Experts ,
    With GRC 10 SP 06, I am facing a strange issue. In Access Request, when I search for roles to be assigned, I am not getting any result.
    I have performed all post installation system and the same is working with SP 05 in the other landscape.
    Important steps like running background jobs for user/role/profile synch and role import are all done.
    Thanks & Regards
    Ashish

    Hi,
    You have hit a similar problem I faced after moving to SP06.
    What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
    Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
    Hope that helps.

  • HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

    hi sap gurus,
    i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
    SAP_GRAC_ACCESS_APPROVER
    SAP_GRAC_ACCESS_REQUEST_ADMIN
    SAP_GRC_FN_BASE
    SAP_GRC_FN_BUSINESS_USER
    and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR".
    But when I create an access request for a new user and define the MANAGER under the user details tab as GR_AR_APP001,
    the user GR_AR_APP001 does not receive any request to APPROVE or REJECT in his WORK INBOX.
    Can you please guide me on how to configure the APPROVER or MANAGER to approve or reject a request?
    I will be very much thankful if you guide me successfully.

    Hi Colleen,
    thanks a lot for your time.
    PIC1: I created one user: GR_AR_APP001
    and assigned all the GRC ROLES.
    PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
    PIC3: I created one EUP 980 (copied from default EUP)
    PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
    PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
    PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
    PIC7: I saved agent id
    PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
    PIC9: I saved
    PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
    PIC11: Maintain Route Mapping, I clicked on next
    PIC12 and PIC13: I saved and activated.
    After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
    now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
    please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
    thanks for your support Colleen.

  • Problem with Role import in GRC 10.0

    Dear GRC Gurus,
    I want to import roles from backend to GRC 10.0 system. for this I am using NWBC.
    In NWBC --> Access Management --> Mass Role Maintenance --> Role Import --> on this page the below options are selected:
    Role Selection --> Technical Role
    Import Source: Role Attribute Source: User Input, Role Authorization Source: Backend System
    Definition Criteria: Application Type: SAP, Landscape: nothing is shown in the dropdown, Source System: nothing is shown in the dropdown
    Without Defining Landscape and Source system I cannot proceed further
    Please advise why the system is not showing up the values in the dropdown.
    I have maintained role status as production in SPRO.
    I appreciate your help.
    Thanks,
    Swathi

    Hi,
    Sabita is correct.
    Here is the link to the documentation
    SAP Access Control 10.0
    Simon

  • Not able to see approvers in grc ac 10.0

    Hello gurus,
    I have configured workflows for access request for GRC AC 10.0. When I submit an access request, my approver is not able to see any requests waiting for his approval. Also, in the request status of the access request, no approvers are seen in the given path when we click the instance status button. Please let me know where we populate these approvers and how we can make them appear.
    Thanks in advance,
    Reyas

    Faisal,
    There are 2 places you need to define this.
    1) Within the "Access Control Owner" settings (NWBC>Access Management), you need to assign the "Role Owner" tag to the user/s. This will enable you to select the user to be assigned as an assignment or content approver within the role definition (2).
    2) Against the actual role definition in Business Role Management (BRM/ERM) - you need to assign the user ID as the Assignment Approver of the role for the user to be able to approve the request as a Role Owner.
    If you have somehow created your own BRFplus custom agent for role owners (SAP standard delivered agent is fine!), then you obviously need to maintain your Decision table/Tree results.
    I strongly suggest you check these quick start guides out if you are having trouble configuring the basic settings.
    Business Role Management set up and terminology
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80063a8e-1da6-2e10-aaa5-fda1f0936c37
    First Access Request
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/5067e447-5c64-2e10-7d9c-8f7e5953aadb
    I hope this helps answer your question Faisal
    All the best

  • Multiple Rulesets in GRC AC 10

    Hi All,
    Would like some guidance regarding usage of multiple rule sets in GRC 10 AC. I have multiple rule sets and don't get any option to choose the specific rule set while doing risk analysis for some roles.
    Do we have an option to configure one of the rule sets as the default one so that all risk analysis is done against that rule set? As of now, while doing risk analysis, I don't get an option to choose a specific rule set.
    Would appreciate your guidance or any help on this.
    Vikas

    Hi,
    Would like some guidance regarding usage of multiple rule sets in GRC 10 AC. I have multiple rule sets and don't get any option to choose the specific rule set while doing risk analysis for some roles.
    - Go via NWBC - Access Management - Access Risk Analysis - Role Analysis - select Analysis Criteria "Rule set".
    Do we have an option to configure one of the rule sets as the default one so that all risk analysis is done against that rule set? As of now, while doing risk analysis, I don't get an option to choose a specific rule set.
    - Go to AC Configuration Setting and search for PARAM ID 1025.
    Regards,
    Andreas

  • GRC 10.1 HR trigger BEGDA

    Hello, everybody,
    I have faced a problem with HR-trigger:
    I need to delimit system in access requests that are created by HR trigger in GRC. I want to delimit valid from(for system) with BEGDA.
    BEGDA comes from 0302 IT with MASSN and IT.
    I checked lots of notes which describe this problem:
    1738853 - UAM: System line item not added for mapped roles in HR req
    1970860 - Valid To date of users not getting captured in the HR trigger request for Separation process and HR trigger request not getting due to No user assigned error
    1705700 - UAM: Future termination does not work in HR Triggers
    1823821 - UAM: HR Trigger delimit date is not captured
    1999133 - HR Trigger is not capturing the termination date as end date
    Maybe I need to set some parameters in SPRO?
    Hoping for your soon help.
    Thanks beforehand, Ivan.

  • GRC AC10 Agent based upon Role Attributes

    Hi Experts,
    Need your help on the issue.
    We are trying to achieve below configuration-
    After the Access request is generated, at the first stage, the approver should be selected based upon the business process of the role. If there are multiple roles with different Business Processes and their approvers, all of them should approve the request and then request should go to the next stage.
    There is also a field Business Process in the Access Request screen which denotes the user's association with the Business Process and not that of the role. We are able to trigger the approval based upon this field, but we can't find any option for approver selection based upon the business process of the role.
    Can someone show a way to achieve that?
    We are facing another problem, when the request is approved based upon the field Business Process in the Access Request screen, we are not able to find the request in next stage, it is still showing in the same stage while the role attached is only one and no other approver defined.
    What could be the reason behind it? Any help is highly appreciated.
    Thanks in advance,
    Sabita

    Hello Sabita,
    You can use the transaction : GRFNMW_DBGMONITOR_WD to check the logs.
    Here is what I understand from your requirement and what my approach would be.
    1) Approvers who will be ROLE OWNERS
    > In this case 1st thing is you should upload few ROLES( NWBC>Access Mgmt-->Role Import) with all the details i.e function area, company , role owner, alternate approver
    ---> Now create a "Custom Initiator" from SPRO >GRC>AC>workflow for access control>Define Workflow Related to MSMP rules for Process ID SAP_GRAC_ACCESS_REQUEST
    Run Tx: BRF+ , and you will see a rule created , drill down to "Expression-->Decision Tree"
    and use "Table settings" to select "Condition Column" & "Result Rule sets", where you can configure the Custom Initiator
    Now run Open MSMP workflow config window
    1) Process Global settings ( Notification details if necessary)
    2) Maintain Rules (add your custom initiator rule )
    3) Maintain agents ( check & if not present add Role owner agent)
      i.e. GRAC_AR_ROLE_OWNER  (This will satisfy 1 st requirement)
    Create a new agent as BSM and map them as "directly mapped user"; similarly, for the 3rd stage you can use directly mapped user.
    4)Variables & Templates --> Skip
    5)Maintain Path ( add 3 stages as required i.e role owner, BSM & security officer)
    Now for each stage click on "modify Task Settings" & click on individual check boxes as relevant , you can select "All approvers" or "Any one approver", Approve Request based on System & Role , or Request .
    Same applies to all the other 2 stages.
    6) Maint Route Mapping  --> put the path ID created in previous stage and save and activate.
    I hope this should give you some fair idea.
    Thanks
    Victor

  • ARQ: GRC work items refresh problem in Work Inbox???

    Hi All,
    While accessing any GRC work items from Work Inbox in NWBC, I have to click on "Refresh" button manually to reflect the latest work items!
    I tried to look for any ABAP program which does this but could not succeed.
    May I know what is the program used to update these GRC work items for all users? OR How do I make it automatic to reflect the latest work items quickly?
    Please advise.
    Regards,
    Faisal

    Hi Mangesh,
    Thanks for your reply.
    Below are my settings:
    As you can see, no role is assigned
    Currently the refresh type is "On Every Page visit" as per note#1635072 (which is default)
    Not sure why this is not working for me.
    Regards,
    Faisal

  • Access Control up grade from 5.2 to 5.3

    Hi,
    One of my client have
    1. Earlier Access control 5.2 was installed but only FF are configured and is in use.
    2. After some time Access Control GRC 5.2 server (front end) have some problem so they have
    installed 5.3 to front end level
      --no back end patch was updated
    --no connector are created.
    Now the situation is as follows
    Front end -access control 5.3 -
    Back end -RTA is access control 5.2(they are only using FF)
    No connector are created
    From this situation how can we take it forward to access control 5.3.
    I have following question
    1. can  we update back end to 5.3 and start configuration --what is the impact?
    2. Do we need to take back up of table FF as client is using only FF.
    Thanks,
    Digambar

    Hi
    5.2 RTA will not be compatible with GRC 5.3 RTA.
    So best would be to upgrade your backend RTA to 5.3, and the SP level should be in synch with the SP level of the front end, i.e. SAP GRC 5.3.
    Thanks & Regards
    Asheesh

  • Change in Access Control components on the Service Marketplace

    Hello GRC community:
    We would like to inform you that as of yesterday (5/30) the Access Control components for support messages/SAP Notes have been changed (they have actually been replaced so all messages/notes logged under the old component will be moved/replaced to the new).
    The main 4 components are now:
    New: GRC-SAC-ARA     Access Risk Management
    Old: GRC-SAC-SCC          Risk Analysis & Remediation (formerly Compliance Calibrator) 
    New: GRC-SAC-ARQ     Access Request
    Old: GRC-SAC-SAE          Compliant User Provisioning (formerly  Virsa Access Enforcer) 
    New: GRC-SAC-EAM     Emergency Access Management
    Old: GRC-SAC-SFF          Superuser Privilege Management (formerly Virsa Firefighter) 
    New: GRC-SAC-BRM     Business Role Management
    Old: GRC-SAC-SRE          Enterprise Role Management (formerly Virsa Role Expert)
    There are also NEW components specific to areas of functionality. If you are not sure of what component to log your message under, please use the main components above.
    GRC-SAC-ADS          Directory Services
    GRC-SAC-BI             Access Control BW
    GRC-SAC-CONF       Configuration
    GRC-SAC-DAS          Dashboard
    GRC-SAC-REP          Repository
    GRC-SAC-RPT          Reporting
    GRC-SAC-UAR          User Access Review
    GRC-SAC-UPG          Installation & Upgrade
    GRC-SAC-WF           Workflow
    Ramelyn Paredes
    AGS Primary Support

    Hello Community,
    To Summarise in Short: New features introduced to V10.0 : GRC 10.0 is ABAP based, so extraction of data from users is fast & analysis as well.
    As usual, the names for the Access control tool has been changed
    A. Access Risk Analysis (RAR)
    1. USOBT & object information will be automatically updated with GRC rather than manual upload (earlier version)
    2. Mass Users can be imported from .CSV file for risk analysis, Role analysis etc.,
    3. Variant creation / reuse for any report analysis
    4. Option of having multiple rule sets & simulating users across multiple rule sets at same time
    5. Risk analysis for CUA, Composite roles
    6. Mitigation by system, risk id, mass mitigation for users, audit trail etc.,
    7. Risk analysis for HR objects
    B. Emergency Access Management (SPM)
    1. Mass reporting for all FF users, Ids, Executions
    2. Centrally maintained for all systems rather than individual ERPs.
    C. User Access Management (CUP)
    1. Customizable Access request forms
    2. HR based role assignment for position, org unit
    3. IDM integration using GRC Web services
    D. Business Role Management (ERM)
    1. Concept of Business role mapping for Technical roles.
    2. Audit Trails & PFCG Change history.
    Finally, the look, reporting format has been changed to provide additional information for analysis.
    More important - GRC V5.3 support is till 2015 & SAP has planned to push the customers to upgrade to 10.0. Eventually SAP is also planning to release GRC 11.0 by mid next year. So we have to wait & watch the show

  • GRC 10.1 Business role and HR Trigger

    Hello, masters and GURUs.
    I have recently deployed HR trigger in our system, and it works fine -  creating requests for lock or unlock users.
    But I am wondering if it is possible to create access requests not only for the systems, but also for business roles using standard functionality.
    For example:
    We have a department where people must have the same authorization to do their job.
    When they hire a new employee, HR triggers this event (only for this department) and creates an access request with pre-defined business roles.
    I hope I explained my idea well enough.
    I will be very thankful for any thoughts or ideas.
    With best regards, Ivan.

    Hi Ivan,
    There is a functionality of default roles, that you could use to add roles to your request by implementing this logic in your BRF rule for HR triggers.
    The bad news is that assignment for the default roles based upon Department is not supported.
    There are only a certain fields which are supported for the Default Roles assignment, below:
    Business Process, Business Subprocess, Company, Role Critical Level, Functional Area, Landscape, Location, Project Release, Role sensitivity, and System.
    Let's suppose you can use Functional Area instead of Department. You will need to maintain Default Roles settings in SPRO, at REQUEST level (parameters 1302, 2009, 2010, 2011, 2012, 2013).
    In NWBC>Access Management>..>Default Roles, make sure that the entry maintained there (for attribute Functional Area) has SYSTEM set to "All Systems" or "All system in the role Landscape".
    This should work.
    Note 1964884 has a correction for this functionality, so if you go for it, make sure to have this Note applied.
    Now, if any of the fields available for Default Roles will be good for your scenario, then it will not be possible to use Role Defaults, thus I am not aware of any customization on this area.
    Hope this helps!
    Luciana.

  • Will GRC AC RAR (CC) add value to SOA  based SAP implementation?

    Hello GRC Experts,
    I thought of asking other GRC experts to get their opinions on the GRC AC RAR for the following scenario:
    These days there are numerous SAP clients implementing SOA based Composite Applications using the CAF. These SAP PORTAL applications use Adaptive RFC (direct calls) and Web services calls (thru PI/middleware) to the back end SAP applications to complete the 75-100% of the work. The remaining 0-25% work may be completed using the transaction codes. There are also calls to the back end systems originating from non-SAP applications using the web services via some middleware tool to complete the 100% work.
    When the GRC AC RAR deals only transaction codes and their associated authorization objects, how do you assess the risk for this type of access in GRC AC RAR and how do you build a custom rules matrix for this type of applications?
    Thanks,
    Himadama

    Hello again,
    Has anyone implemented SAP GRC RAR for the SOA based application? What are the challenges faced? If this is not possible, then anyone has any idea if this is covered in GRC AC 2010 version.
    Regards,
    Himadama

  • GRC 5.3 help location

    How do I change the help link (located in the header of web pages) that now points to http://help.sap.com to point to a local file system? I have loaded the plain HTML help on a local directory and need to use that location, since the internet is not accessible from GRC for the users.

    Jack,
      You can not change this link without changing the underlying jsp/java code. This is not a standard functionality so if you make this change it will be overwritten with any SP change.
    Alpesh

  • GRC-AC SLOW

    dear, access to GRC-AC, some pages are extremely slow, with the same login on another PC but this problem does not happen.
    Anyone been through this? Memory loads slow GRC leaving?

    Hi Sergio
    If it works fine on one machine and not on the other I would be looking at the network side for connectivity issues.
    Has your basis team looked at response times, etc. to rule out any application or database issues? Also, are you testing the exact same functionality (including selection inputs) to compare apples for apples?
    Regards
    Colleen
