PD profiles in Access Enforcer

Similar Messages

• CUA vs. Access Enforcer

  Can anyone explain the need for implemented both CUA and Access Enforcer?
  We are currently upgrading to ECC6.0 and implementing the GRC tools(5.2) and CUA  With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA .

  Hi Patrick
  1) In this scenario the only benefit with CUA i can see is
       a) Password reset
       b) locking and unlocking the user.
  2) If you use GRC AC in landscape, it is not at all recommended to assign roles, profiles using CUA. This can lead to high level compliance /regulatory issues.
  3) If you are implementing new CUA, then i would recommend to go for NW Identity Management Solution. Advantages are
      1) User provisioning for SAP and non-SAP system
      2) can be integrated with GRC for Risk analysis and remediation.
      3) Password Management also possible.
          https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
  regards
  Anand.M

• How do I enable multiple profiles to access the same itunes library?

  Family of 4; with 4 different user profiles/log ins.  One family iTunes library; how can I allow all profiles to access the one master iTunes library?

  annafromsalt lake city wrote:
  how can I allow all profiles to access the one master iTunes library?
  move the entire iTunes folder to <MacintoshHD>/users/shared. on each user account, launch iTunes while holding the option(⌥) key, click on choose library when prompted, and select the iTunes folder you moved to the share folder.
  be aware only one iTunes at a time can access the library !

• Access Enforcer (error in creating a request)

  Hi All,
  when i am creating a new request in Access Enforcer . After filling alll the details and clicking the submit button it is showing  a error in creating request .Path not found.

  Hello,
  You must have to select at least one condition attribute while creating your initiator. It seems initiator condition not meeting the details you are filling in your request. So it is not able to trigger the workflow initiator.
  For simple scenario, if you are filling your company details in your request then change your initiator condition attribute to "Company".(Don't include more condition attributes for now). Once it works out then change initiator details back to your requirements.
  Please let me know if this will not resolve your issue.
  Thanks
  Himadama

• Access Enforcer(error in approving the request) and import roles

  Dear all,
  error in approving the request at security stage(last)
  manager and role owner are successfully approved.
  and also importing roles into access enforcer was not successful.
  imortstatus : 0 roles imported of 28 records found.
  please find the system log:
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:02:28,234 [Thread-47] DEBUG

  In Addition to my previous response:
  I meant to include the following:
  Some of the fields that need to be properly defined with attributes are:
         System: must have the know SAP system defined here
         Role Approver (i presently are using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
         Functional Area: need to have all the areas defined that roles will be assigned to
         Company: I only have one company so that's an easy one
  Some areas I presently do not use but found they must ne coded and coded properly:
         ResponsibilityID:   N/A  (coded as is)
         CommentsMandatory: NO (coded as is)
         Parent Role Owner:   NO
         Business Process: NA  (I believe I originally coded N/A and it did not like that)
         Sub Process: NA  (again N/A I believe error on me)
         Reaffirm Period: presently I am using 0 (zero)
         LastReaffirm: presently using 12/31/9999
  Hope this helps a bit
  I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
  Jerry Synoga
  Ryerson Inc.
  630-758-2021

• Validity date issue: Access Enforcer

  Hi All,
  There is a request in Access Enforcer wherein there are total 4 stages of approval, the first 2 stages have been properly approved however when the same arrived to the 3rd stage of approval, the validity date for the request was over and therefore the approvers tried to extend the same, but the "more" tab is not appearing and therefore the approvers are not able to approve the request by extensing the validity date.
  Can you please help with this issue?
  Thanks
  Vani

  Vani,
    Go to the stage level settings for this particular stage via configuration -> workflow -> stage. Change the option of 'Change request content' to 'Yes' and the approver in this stage should be able to change the vailidity dates.
  Regards,
  Alpesh

• Access enforcer and User Data Source for HR

  We are on Access Enforcer 5.2 - service pack 2:
  My problem is that when creating a new request in AE, I able to get a list of all users when I point my User Data Source to either SAP or UME. However when I attempt to create a request whilst pointing the User Data Source at the SAPHR system, I do not get any users back (and we have user set up in the SAP HR system).
  I’ve changed the connector to ‘YES’ under the HR System box, I’ve changed the Data Source Type and Details Source Type to point at the SAPHR and still it fails to fetch any users.
  I've tried looking at the log, but can't get much out of it.
  I would appreciate it, if anyone could provide any assistance.
  Thanks you in advance.
  Amarjit
  Message was edited by:
          amarjit singh

  Hi Micheal,
  Thanks for your reply.
  I'm pointing both Data Source Type and Details Source Type to the same system SAPHR and to the same system name (which is our dev system)
  Regards,
  Amarjit

• Connector problem with access enforcer

  Hi Guys,
  I am facing a really strange problem with my connectors.
  We have a test installation of GRC which was down for about 3 months.
  During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
  Anyhow I still can't modify, test or even create a new connector for access enforcer.
  The only error I get is "Action failed".
  I tried to analyze the logs but found no help there too.
  2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
  java.lang.NullPointerException
       at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
       at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
       at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
       at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
       at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
       at java.security.AccessController.doPrivileged1(Native Method)
       at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
  Did anybody here face a problem like that?
  Kind regards,
  Bastian
  Message was edited by:
          Bastian Schneider
  Message was edited by:
          Bastian Schneider

  I had a simular problem with CC and I had to contact SAP. They gave me a script to run against the database that remove the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.

• Auto Email generation in multiple language in Access Enforcer 5.2

  Hi All,
  We have configured workflow in Access Enforcer 5.2 for autoprovisioning of users in the system. Requestor gets an email in english with the userid and password once the user is provisioned in the system. Now the requirment is to send these emails in different language, which is specific to the user. Like a spanish user should receive the email in spanish language.
  Whether this has anything to do with language setting while user creation.
  Please suggest.
  Thanks & Regards,
  Pravin

  Hi Pravin,
      It has nothing to do with the language settings for the user. This configuration has to be done in closing section of Email reminders under workflow. As per my experience with AE 5.2/CUP 5.3, I don't think this is possible as of now. This could be a good functionality, so you can open an enhancement request with SAP.
  Regards,
  Alpesh

• Multi User request in Access Enforcer

  Is anyone aware of a user limit in an access enforcer multi user request?
  We get errors when we submit  a multi user access enforcer request with more than 25 users.
  Thanks

  Hi
  There is no standard limit even though we advice to keep the user to max of 20 .
  The limit depends upon the email content you have configured .
  In case in your email notifications you have taken the argument USERID then mulitple user creation request causes issue and the limit gets set to anything between 20-25 , again depending on content of the email .
  Thanks

• Why Access Enforcer 5.2 considers u201CCritical Transactionu201D as a SOD Risk ?

  Hello,
  When I submit a request with Critical Transaction and no SOD conflict, Access Enforcer forwards my request to the SOD Manager.
  I have a Detour Path triggered by the condition u201CSOD Violationsu201D.
  The settings are in:
  - Access Enforcer 5.2: Configurations -> Risk Analysis -> Default Analysis Type: Object Level
  - Compliance Calibrator 5.2:
  Configuration -> Risk Analysis -> Default Values -> Default report type for risk analysis: Permission Level
  I am wondering why Access Enforcer 5.2 considers u201CCritical Transactionu201D as a SOD Risk
  Thank you.
  Abderrahim

  Hi,
  As per my knowledge even though you set the risk analysis to be done at a single level, AE will do at all the levels, i.e., at SoD, critical action, and critical permission. If you want to have only SOD risks, you need to either deactivate all critical action rules in RAR, or create a new ruleset and assign all the SOD risks to it and use it with AE.
  This will help you to address the issue.
  Best Regards,
  Raghu

• Can't import profiles in Access Connection​s 5.02

  I exported location profiles in Access Connections 5.02. When I exported, it prompted me for a password, which I entered. However, when I tried to re-import the profiles, it did NOT prompt me for a password and failed with an error saying "Unable to import file. Incorrect passphrase or corrupted file." Well, how can I enter a passphrase when it doesn't prompt me for one on import?!!
  This is on a Thinkpad T61p.

  Hi bravedave,
  should your update say something meaningfull, or just a sticky note?
  BTW: for the above situation, you will be prompted for the passphrase, once you open AC GUI and import this .loc file manually.
  BTW2: I would more advice to use the LOA export file, as this is more extended and you can do more, then just import and export AC profies. However, for this second option you need to download the Admin pack for AC.
  Cheers

• Upload of role in Access Enforcer 5.2.

  Hi All,
  I need to upload roles in Access Enforcer from SAP ECC system. Actually i have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
  Now i need some way, first to clean entire uploaded roles & then upload selected roles.
  Please suggest.
  Thanks & Regards,
  Pravin

  Hi Pravin,
     Here are the steps:
  1) Download all the roles into an excel spreadsheet:
  Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
  2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
  3) Delete not needed roles from spreadsheet and upload it into CUP:
  Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
  Regards,
  Alpesh
  SAP GRC Manager (PwC)

• Access Enforcer Role Import - Reaffirm period

  Hello
  What does the following terms mean;
  last reaffirm
  reaffirmperiod
  We current upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
  Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
  Thanks

  Hi Prakas,
  Reaffirm period ( in months ) is the duration after which you would like the Approver of the Role ( Role Owner /Role Approver ) to get notified on which all user in SAP has access to that Role and Does he want to continue giving that role to them or wants to remove that Role from all of them or any one of them .
  He would get the details on which Role requires Reaffrim at following location :
  In AE 5.2 ;  login with Role approver id ( eg ABC )  into AE .
  In tab Access Enforcer > Reaffirm .
  A list of All the roles of which ABC is apporver and which require re-affrim would display here.
  ABC can now take approriate action by selecting the role name.
  *Last reaffrim * is the date when the Role was Reaffrim /revisited/reassgined last.
  In your scenario you have given Reaffrim period = 60 which means your Role Owner would get the Role in his Reaffrim inbox after 5 years .
  This is not best practise . For security reason , SAP advices to keep the Reaffrim period to a maximum of 2 months.
  I hope this answers your query .
  Thanks
  Jasmine

• Access Enforcer - Downloading Requestor Lists

  We would like to see a list of all of those who have submitted Access Enforcer requests to date. There is no option on the Informer tab that gives us this information. The only way we can find is to download each page from a request search.
  Has anyone done any SQL-type queries on the database to get reports with information that is not offered by AE?
  Any help will be appreciated.

  Hi,
  What is your AE version ?
  Informer tab has analytical reports , you can use them.
  Have A nice Day.