Role level mitigating controls not affecting position level reports

Hi,
Here's the problem we're having with mitigating controls:
When I assign a mitigating control to a role, it correctly mitigates the risk when we perform a role level SoD analysis.  However, when we perform a position level analysis, the same role shows up again in the report as not mitigated.  Anyone else running into this issue?  We are on CC5.2 with SP4.  Is this fixed in later SPs?
Simple Example:
Role ABC has conflicting tcodes FBV0 and FBVB.  We applied a mitigating control to this role and it doesn't show up anymore on the role level reports.
When running the position level SoD analysis, position number 50010000 contains role ABC and the same conflict shows up again even though the conflict is entirely within Role ABC and not with other roles that are in position 50010000.
Thanks,
Robert

All,
I opened a customer message with SAP and it seems that this issue is a limitation with CC 5.2.  Mitigating at the role level will not follow through to the position level reports.  However, it seems that it will follow through to the user level as long as you have configured it under the Configuration->Additional Options tab.  There is a setting there that will allow rule level mitigating controls to take effect at the user level.
Thanks,
Robert
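
The situation described in this thread, as an added example that is not part of the original posts and is not SAP code: a post-processing check that separates position-level findings lying entirely inside a role that already carries a mitigating control from findings that arise across roles. Only role ABC, tcodes FBV0/FBVB and position 50010000 come from the thread; the risk ID, control ID, other roles and other positions are constructed.

```python
"""Classify position-level SoD findings against role-level mitigations.

Constructed data: only role ABC, FBV0/FBVB and position 50010000 are
taken from the thread. Everything else is a hypothetical placeholder.
"""

# Risk ID -> (function A tcodes, function B tcodes). The ID is hypothetical.
RISKS = {"RISK_PARK_POST": ({"FBV0"}, {"FBVB"})}

# Role -> tcodes it grants.
ROLES = {
    "ABC": {"FBV0", "FBVB"},  # conflict is entirely inside this role
    "DEF": {"FB03"},
    "GHI": {"FBV0"},
    "JKL": {"FBVB"},
}

# Position -> roles attached to it.
POSITIONS = {
    "50010000": ["ABC", "DEF"],  # the case from the thread
    "50010001": ["GHI", "JKL"],  # conflict only exists across roles
    "50010002": ["ABC", "GHI"],  # mitigated role plus an extra contributor
}

# (role, risk) -> mitigating control ID (hypothetical ID).
ROLE_MITIGATIONS = {("ABC", "RISK_PARK_POST"): "MC_001"}

ROLE_MITIGATED = "ROLE_MITIGATED"
NEEDS_REVIEW = "NEEDS_REVIEW"


def has_risk(tcodes, risk):
    """A holder has the risk when it owns a tcode from both sides."""
    side_a, side_b = risk
    return bool(tcodes & side_a) and bool(tcodes & side_b)


def classify_position(position_id):
    """Return (risk_id, status, contributing_roles) for each finding."""
    role_names = POSITIONS[position_id]
    position_tcodes = set().union(*(ROLES[r] for r in role_names))
    findings = []
    for risk_id, risk in RISKS.items():
        if not has_risk(position_tcodes, risk):
            continue
        conflicting = risk[0] | risk[1]
        contributors = sorted(r for r in role_names if ROLES[r] & conflicting)
        # Conservative rule: the finding counts as covered only when every
        # role that contributes a conflicting tcode holds the whole conflict
        # itself and has a role-level mitigating control for this risk.
        covered = all(
            has_risk(ROLES[r], risk) and (r, risk_id) in ROLE_MITIGATIONS
            for r in contributors
        )
        status = ROLE_MITIGATED if covered else NEEDS_REVIEW
        findings.append((risk_id, status, contributors))
    return findings


if __name__ == "__main__":
    for pos in POSITIONS:
        print(pos, classify_position(pos))
```
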

Similar Messages

  • SRM 4.0 notes on position-level, possible?

    Hi together,
    Does anyone know if it is possible to add a text field on position level to a shopping cart for release and rejection?
    Can this be done through customizing or will it be a bigger modification?
    Thanks in advance for the answers!
    Cheers
    -Jens

    Hi
    Did you by any chance look at SAP OSS Note 672960 for creating customer (bespoke) fields at any level (header / item level in shopping cart)?
    Regards
    - Atul

  • ReportViewer control not connecting to the report server - Connection refused

    I'm having an issue with connecting to SQL report server using the ReportViewer control.  Thing is when I connect to the reporting services web service (http://10.3.27.80/ReportServer/ReportService2010.asmx) it works fine and I can successfully pull the data I need.  But when I use the web control, it's then that I cannot connect.  Here's my code:
    ASP.net code:
    <%@ Page Title="Reports" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Results.aspx.cs" Inherits="RSReportViewer.Results" %>
    <%@ Register Assembly="Microsoft.ReportViewer.WebForms, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" Namespace="Microsoft.Reporting.WebForms" TagPrefix="rsweb" %>
    <asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
    <rsweb:ReportViewer ID="ReportViewer2" runat="server" Width="90%" ProcessingMode="Remote">
    <ServerReport ReportServerUrl="http://10.3.27.80:80/" />
    </rsweb:ReportViewer>
    </asp:Content>
    Error message:
    ConnectionRefused
    Inner Exception: No connection could be made because the target machine actively refused it 176.74.176.178:8080
    I have not got the IP signified above configured anywhere throughout my solution!  So not sure where it's getting that in the message.
    Stack trace:
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.GetSecureMethods()
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.IsSecureMethod(String methodname)
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.SetConnectionSSLForMethod(String methodname)
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.ProxyMethodInvocation.Execute[TReturn](RSExecutionConnection connection, ProxyMethod`1 initialMethod, ProxyMethod`1 retryMethod)
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.LoadReport(String Report, String HistoryID)
       at Microsoft.Reporting.WebForms.SoapReportExecutionService.LoadReport(String report, String historyId)
       at Microsoft.Reporting.WebForms.ServerReport.EnsureExecutionSession()
       at Microsoft.Reporting.WebForms.ServerReport.SetParameters(IEnumerable`1 parameters)
       at RSReportViewer.Results.Page_Load(Object sender, EventArgs e) in c:\Users\admin\Desktop\RSViewer\RSViewer\RSReportViewer\Results.aspx.cs:line 71
       at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
       at System.Web.UI.Control.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    Firewalls are disabled between the two boxes. 
    Thanks in advance for any pointers!

    Hi rmccabe82,
    Generally, "actively refused it" means that the host sent a reset instead of an acknowledge when you tried to connect. As per my understanding, the issue can be caused by the process that is hosting the service not listening on that port; this may be because it is not running at all or because it is listening on a different port. Please try to ping 'netstat -anb' (requires admin privileges) to verify that it is running and listening on the expected port.
    Furthermore, please make sure the user has permissions to access the report server.
    References:
    http://www.smartftp.com/support/kb/connection-refused-f58.html
    http://stackoverflow.com/questions/9695224/no-connection-could-be-made-because-the-target-machine-actively-refused-it-127-0
    Thanks,
    Katherine Xiong
    TechNet Community Support

  • HR Object Mitigation does not work in CUP

    Hello,
    We are on GRC 5.3 SP07 and have position based security. Our mitigation controls are also position based (meaning thereby that we implement mitigation control at the position level, and not to the user occupying the position).
    Our CUP is also based for indirect provisioning at the position level and it works fine. The only problem is when the request comes in via CUP for roles and the role has some risks (in itself or in combination with other roles already attached to the position), and then even if the position is mitigated for that risk, the risk analysis in CUP still shows that risk (i.e. the tool cannot detect the mitigation applied at the position level) and because of this the request gets routed to the detour path (the detour path is based on the condition "if SOD found"). Ideally the request should detect the risk at the position level and should neglect the resulting risk as it is already mitigated. But this does not happen.
    My question is: is this possible at all with CUP 5.3, or am I missing some configuration?
    For your reference,
    At the configuration part in CUP, for risk analysis I have checked the box for "consider mitigation controls"
    The validity of both the roles and mitigation controls all end with 12/31/9999.
    Regards,
    Matt

    Venky,
    If the risk is mitigated at user level, the request does NOT go to the detour path. If the risk is mitigated at role level, again it does NOT go to the detour path. This is because the tool is smart enough to catch user and role level mitigation from RAR. However, if the risk is mitigated at HR Object level it still goes to the detour path. This is probably because CUP cannot catch the mitigation done at HR Object level in RAR, although ideally it should catch the mitigation applied at the position.
    Regards,
    Matt

  • CUP-5.3-SP13-Mitigation Controls by role/users

    Hi all!
    Since RAR considers mitigation controls both by role and by user, if I have the role ZROL1 mitigated for the risk ID P001*, would CUP be able to consider this mitigation control even when CUP is managing users?
    I mean, if ZROL1 has a mitigation control, would the risk ID appear in the request whenever I add this role to a user?
    Many thanks in advance! Any help would be welcome.
    Margarita.

    Hi Margarita,
    If you want, it will consider the role-level mitigation controls, so the risk violation will not be shown in the request.
    For this you need to check the option "consider mitigation control" in CUP: Configuration -> Risk Analysis.
    Also, in RAR the following things need to be done:
    RAR Configuration -> Risk Analysis -> Default Values:
    Exclude mitigated Risk as yes.
    RAR Configuration -> Risk Analysis -> Additional Options:
    Include Role/Profile Mitigating Controls in User Analysis as yes.
    If the above values are defined as No, then the risk violation will be shown in the request.
    Kind Regards,
    Srinivasan

  • Mass application of mitigating control to users

    Hello
    Is there a way to apply a mitigating control to a large number of users at the user level (not at the role level)?  We have an SOD for the ability to park and post GL entries for which we have a monitoring control.  There are a large number of users that have this access. 
    Is there a way to - in mass - apply a mitigating control at the user level?
    Thank you in advance,
    JD Schmidt

    Hi JD,
    That's the way the software logic works.
    Question is why you would mitigate such a mass of users and instead choose to mitigate that role.
    Or out of an auditor, why would such a mass of users need authorizations which cause an SoD violation.
    Best,
    Frank

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    Will greatly appreciate it if anyone is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR? But this can be tiresome, because then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore, comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR.
    We also have the same issue and are performing a manual review at regular intervals of the user- and role-assigned mitigation controls.
    Best Regards,
    Srihari.K
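
The periodic review described in this thread, as an added example that is not part of the original posts and does not call any GRC API: given the current user-to-role assignments and the mitigation assignments exported from the risk analysis tool, it lists the mitigation assignments whose user no longer holds the underlying risk. All users, roles, risk IDs and control IDs below are constructed.

```python
"""Find mitigating-control assignments left behind after role removal.

All data is constructed for illustration. In practice the three inputs
would come from exports of the rule set, the user-role assignments and
the user-level mitigation assignments.
"""

# Risk ID -> (function A tcodes, function B tcodes). IDs are hypothetical.
RISKS = {
    "RISK_PARK_POST": ({"FBV0"}, {"FBVB"}),
    "RISK_VENDOR_PAY": ({"XK01"}, {"F-53"}),
}

# Role -> tcodes it grants (hypothetical role names).
ROLE_TCODES = {
    "Z_GL_PARK": {"FBV0"},
    "Z_GL_POST": {"FBVB"},
    "Z_AP_VENDOR": {"XK01"},
    "Z_AP_PAY": {"F-53"},
}

# Current assignments, i.e. after the removal requests were provisioned.
USER_ROLES = {
    "JSMITH": ["Z_GL_PARK"],                            # Z_GL_POST removed
    "MLEE": ["Z_GL_PARK", "Z_GL_POST", "Z_AP_VENDOR"],  # Z_AP_PAY removed
    "TKHAN": [],                                        # all roles removed
}

# (user, risk ID, mitigating control ID) as still recorded for each user.
MITIGATIONS = [
    ("JSMITH", "RISK_PARK_POST", "MC_GL_01"),
    ("MLEE", "RISK_PARK_POST", "MC_GL_01"),
    ("MLEE", "RISK_VENDOR_PAY", "MC_AP_02"),
    ("TKHAN", "RISK_VENDOR_PAY", "MC_AP_02"),
]


def user_risks(user):
    """Risk IDs the user currently holds across all assigned roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, []):
        tcodes |= ROLE_TCODES.get(role, set())
    return {
        risk_id
        for risk_id, (side_a, side_b) in RISKS.items()
        if tcodes & side_a and tcodes & side_b
    }


def stale_mitigations():
    """Mitigation assignments whose user no longer has the risk."""
    cache = {}
    stale = []
    for user, risk_id, control_id in MITIGATIONS:
        if user not in cache:
            cache[user] = user_risks(user)
        if risk_id not in cache[user]:
            stale.append((user, risk_id, control_id))
    return stale


if __name__ == "__main__":
    for user, risk_id, control_id in stale_mitigations():
        print(f"remove {control_id} from {user}: {risk_id} no longer present")
```
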

  • Mitigating Controls in GRC10

    Hi,
    Is there a way we can maintain and update mitigating controls on the GRC (GUI) back-end? The UI is not able to find those I created and migrated. Any ideas?
    Regards, Melvin

    Hi,
    REF CALL # : 968707 / 2011
    I created mitigating controls and imported the old mitigating controls from GRC 5.3.
    When I go to the mitigating controls on the UI no mitigating controls appear when opening the page. When I do a drop down (drill) on the TAB (SETUP) Work Centre -> Link - Mitigating Control
    When drilling down on Mitigating Control IDs
    The only two displayed are the ones I created on the UI. When I import the GRC5.3 mitigating controls I get the following message on the import tool within GRC10 back-end
    --Start Loading File - Scenario of 5.3 Mitigation - Migration
    sapvirdevexport53/BUNITdata.dat
    Mitigation Control EA:BS001 already exists
    Mitigation Control EA:BU001 already exists
    Mitigation Control SOLMAN99 already exists
    --File loaded successfully
    The migration document refers to the following steps and this was followed
    Why is the screen empty when going into the mitigating control link on the  UI - Another strange phenomenon is when I run the mitigating report from report and analytics the mitigating control comes up blank.
    When in the report and analytic work centre, and running the mitigation control report - -> I drill down on the Control ID and get the blank screen.
    This is why I'm asking whether I can look at mitigating controls not from ECC but from the GRC back-end system and maintain them from there.
    Regards, Melvin

  • F-32 residual payment is affecting my ageing report.

    When I am doing the residual payment using F-32, we are getting two documents generated out of this, one for the incoming payment and the other for the balance amount as a new invoice with a new posting date; this is affecting my ageing report.
    For example: my old invoice is 01.01.2010 with 1000 USD. When I am applying the residual payment method on 08.03.2010 with 500 USD, two documents are generated out of this, one for the incoming payment, i.e. for 500 USD, and the other for the balance amount as a new invoice with a new posting date, i.e. 500 USD on 08.03.2010.
    My original invoice ageing is under over 81 days, but when we applied the residual payment method it got changed to less than 21 days, which is incorrect. When we analysed the issue we found that the residual payment method is causing this problem, i.e. during this process the new invoice which is generated has replaced my original invoice with the new posting date, and the system is taking that as the base for the ageing analysis, which is incorrect.
    We just want to have the original invoice date 01.01.2010 in the new document which is generated on 08.03.2010, so that this does not affect my ageing report.
    Thanks a lot in advance.
    Rajesh Kumar Mantri.

    When you post a residual payment, SAP creates 1 document with 2 line items for the customer.  One line item clears the original invoice and the other posts the difference (residual) as a new open item on the customer.  With the settings in OBA3, you can transfer the baseline date and payment terms from the original invoice to the residual item.  The baseline date is normally used for aging, so with the baseline date and payment terms transfer, the residual will have the same aging as the original invoice.  Also, since the original invoice is cleared when a residual payment is created, it will not show on the aging.
    If you want the original invoice to remain open, not cleared, after the payment, then you need to do a partial payment instead of a residual payment.  With a partial payment, the original invoice and the payment will both be open items on the customer.  The payment will reference the original invoice so that when the remaining payment is made, the two items will be cleared together.
    Regards,
    Shannon

  • Assign role request through code not going to Operational level

    Hi All
    We are trying to assign roles through code using the OIM API's as suggested in the documentation
    "http://docs.oracle.com/cd/E27559_01/doc.1112/e28183/oim_up.htm#autoId40".
    We have 2 Approval policies one is at Request Level (i.e. Auto Approval) and the other is Operational level(Scope=ALL Scope) with workflow, So once the request is getting raised with the code successfully it is getting completed. The expected behavior is that it should go to the approval workflow attached at operational level.
    When we tried to attach a workflow at the request level, the request is going through Approval workflow attached at request level and once we approve at request level it is getting completed and not going to operational level.
    But we will have Request level as auto approved and Operational level with two level of Workflow.
    Thanks in Advance

    Check whether you have configured Request Type in your approval policy properly for operational level approval. In the Rule Components section check whether you have configured everything correctly. Also don't raise the request from the system admin login, as it will be treated as a direct provisioning request and your approval policies will not be invoked. Log in as an end-user and test it.

  • 'Control terminals on connector pane not on top level block diagram.' comment on CLD report

    Hello All
    Could anybody enlighten me please, what does that comment mean on the CLD report:
    'Control terminals on connector pane not on top level block diagram.'
    Does it mean that some terminals are hidden within some case structures and not showing on block diagram without going into case structures or by 'top level block diagram' it means main.vi and controls on main.vi must also be connected to its connector pane?
    Thank you
    K.Waris

    For one thing it means that they run VI analyzer on your VIs since that is a verbatim warning that you receive.  It simply means a terminal which is wired to the ConPane is not on the top level diagram, ie. inside a case structure.
    As to why it is often not a good idea to do this read this classic thread:
    http://forums.ni.com/t5/LabVIEW/case-structure-parameter-efficiency/m-p/382516#M191622

  • SRM Process Controlled Workflow Issue - Process Level Agent not shown up

    System: SRM 7.0 (SP09)
    Implemented BADI to determine agents at process level - BADI Definition /SAPSRM/BD_WF_PROCESS_CONFIG
    Configuration: 1 Process Level (Seq 100, Lvl Type A, Resp. Resolver Name: Z_XXXXXX, Task ID 40007954, Decision Type 1)
    When creating the Shopping cart based on the cart value, the agents are determined correctly and process level GUID is created with Agent ID associated.
    something like
    GUID1 - APPR1
    GUID2 - APPR2
    GUID3 - APPR3
    GUID4 - APPR4
    Before "Order" when we do preview of Approval Process, it shows all the approvers in the sequence as expected. As soon as the cart is ordered, the first process level GUID lost its agent thus throwing error saying "Strategy Z_XXXXXX did not determine any approver"
    But when we look at the table /SAPSRM/D_WF_016, the corresponding entries of GUID1 have the agent ID as APPR1.
    The task 40007954 has been GENERALIZED so as the master workflow template 40000014. The same is working in our Dev system but throwing error "Strategy Z_XXXXXX did not determine any approver" in QA system.
    Any input is highly appreciated.

    See the thing is the agents were picked up & saved in the table /SAPSRM/D_WF_016 in the process level BADI. The first process level guid doesn't get processed in the RESP_RESOLVER BADI. I put the break point and can see the agents were picked up & saved in Process Level BADI.
    The funny part is it is working just fine in the Dev system. Secondly, when we do BOB for the same user (requester), it picks up the first level approver without the error.
    Meaning, If USER1 shops for himself (Creator & Requester are same), we encounter this error. If USER2 shops for USER1, then the corresponding approvers were picked up correctly without the error. USER1 & USER2 have same authorizations in SU01D (USER2 is copy of USER1, so no authorization issues). Approvers determination is based on the requester.
    Somewhere, we miss the settings. Don't know where though.

  • Field Level Authorisation Control

    Hi Expert,
    I want field level authorisation control for Usage Probability in Bill of Material. In CS02 - Change Material BOM, for some users I want to restrict changing the usage probability of a particular component.
    How to do this? I already tried through creating & adding an authorisation object in the Role but it's not working.
    Please suggest a solution with detailed steps.
    Regards,
    Dev

    Dev,
    You can better try using transaction variants, created with transaction SHD0, and assign them to the respective users.
    You can do a search in this forum to find topics on how to create transaction variants.
    Regards,
    Prasobh

  • Sharepoint 2010 Permission level Full Control and explicit deny

    I am facing a very frustrating permission level issue with Sharepoint 2010. First, everything worked as expected up to a few days ago.
    I have a user on my sharepoint 2010 env (publishing portal) named rjo who is site collection administrator and has also Full Control permission level.
    When I execute the Check Permission command from the ribbon I get the following:
    Permission levels given to xxxx\rjo
    Full Control
    Given through the "xxx Owners" group.
    The following factors also affect the level of access for xxx\rjo (xxx\rjo)
    Deny
    Manage Permissions
    Create and change permission levels on the Web site and assign permissions to users and groups.
    Deny
    Create Subsites
    Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
    etc.. Seems like all the individual permissions are set to deny.
    If I remove the user rjo from the Full Control permission level, all the deny permissions disappear. I have tried creating a brand new permission level with Allow permission on all items but I still get the deny when I check the permissions. Notice that this happens for all the users.
    Has anyone experienced a similar issue? I suspect some kind of Windows update to have messed up the permissions but I cannot find a way to get proper permissions to my users.

    I had a similar issue.  When checking user permissions on any member of the site collection Owners group, the results were similar to those posted above.  Also noticed that some buttons on the ribbon were missing.  Also found that no user could add content to Library.  The Add button was missing.  Issue was only happening on one site collection in the web application, so it was not a Web App Policy issue.
    Eventually discovered that the site collection was locked as read-only.
    Central Administration > Application Management > Configure Quotas and Locks
    change the web application and site collection as needed to view setting for the affected site collection
    Found lock set to 'Read-only'.  Changed to 'Not Locked'.

  • Check if Custom Permission level exists or not

    I have created a custom permission level.
    On feature activation, I need to check if that custom permission level exists or not. How can I do that?
    Thanks,
    Avni Bhatt

    Check if below helps
    SPWeb web = SPContext.Current.Web;
    // Validate the page request to avoid
    // any malicious posts
    if (Request.HttpMethod == "POST")
       SPUtility.ValidateFormDigest();
    // Get a reference the roles that are
    // bound to the current user and the role
    // definition to which we need to verify
    // the user against
    SPRoleDefinitionBindingCollection usersRoles = web.AllRolesForCurrentUser;
    SPRoleDefinitionCollection roleDefinitions = web.RoleDefinitions;
    SPRoleDefinition roleDefinition = roleDefinitions["Full Control"];
    // Check if the user is in the role. If not
    // redirect the user to the access denied page
    if (usersRoles.Contains(roleDefinition))
    {
       //Check if post back to run
       //code that initiates the page
       if (IsPostBack != true)
       {
          //Do your stuff here
       }
    }
    else
    {
       Response.Redirect("/_layouts/accessdenied.aspx");
    }
    http://blog.rafelo.com/2008/10/13/programmatically-checking-user-roles-or-permission-levels-in-sharepoint-2007/
    http://yoursandmyideas.wordpress.com/2011/10/08/setting-custom-permission-levels-in-sharepoint-programmatically/
    Or check if it exists and then delete and recreate it
    string[] yourCustomRoles = {"Level1", "Level2"};
    using (var web = spSite.OpenWeb())
    {
       var roles = web.RoleDefinitions;
       foreach (var levelName in yourCustomRoles)
       {
          try
          {
             // Look up the role first; the catch handles a missing role
             var existing = roles[levelName];
             roles.Delete(levelName);
          }
          catch (Exception)
          {
             // web has no this role
          }
          //Add code here
       }
    }
    http://go4answers.webhost4life.com/Example/delete-specific-permissions-108626.aspx
