Role Methodology Workaround

Does anyone know a way for admins to get around a BRM methodology configured for business roles? I need to update the long description for hundreds of business roles in production and don’t want to send them all through the methodology / MSMP approval process. Normally I would just download and upload the roles using the template but long description isn’t available through the template.
Does anyone know of a way to temporarily turn off the methodology make the changes and turn is back on? I know you can activate /deactivate it but that didn’t seem to be the correct solution.
Any suggestions would be appreciated!

Hi Kyle,
role description you can update with Role Mass Maintenance function in GRC. Use Role Update function.
Alternatively you can try CATT scripting directly in your backend.
Regards,
Alessandro

Similar Messages

  • ERM role methodology configuration

    Hi
    For some reason the stages in the role methodology process in the configuration tab are not in the same order as those showen in the create role screen in the role management tab.
    Does anyone have an idea how it can be fixed?
    Thank you for your help

    Hi...
    First Role definition -> Defining Authorization ->Deriving roles -> Performing risk analysis -> approval -> Generating role*
    we can use the arrow buttons to move the step up or down.
    For creating the methodology
    Login to ERM -> Configuration -> Methodology -> Process -> Create
    Regards
    Gangadhar

  • Import Roles methodology @ ERM

    Hello all,
    We are facing some concerns regarding import roles methodology and would like to consult we you.
    The import roles methodology raised a concern since it is done partially by uploading data from an excel file (template by SAP).
    Our customer wants reassurance that this is a safe process and to know about other customers experience and results (how many problems they encounter? How fast is the process? What issues occur while uploading the roles to ERM? Related information etc.
    Could you advice?
    Thanks in advance
    Rothem

    Hello Rothem,
    1. Our customer wants reassurance that this is a safe process and to know about other customers experience and results (how many problems they encounter?
    The process is completely safe and even if you miss out on some of the role updates, you can still do specifically the ones you missed.
    2. How fast is the process?
    This is not generally a very time consuming tasks and provided your machine configuration is as per standards, this would not really be an area for concern at all. I mean, to my knowledge and experience I have not cme accross a situation where it took a lot of time and became a thing to worry about.
    3. What issues occur while uploading the roles to ERM? Related information etc.
    These I guess have already been mentioned by people in the above posts and are mostly of the similar nature, just as they are mentioning. Better to try first with a few of the Roles and then if it happens smoothly, you can upload the rest all in one go.
    Regards,
    Hersh.
    http://www.linkedin.com/in/hersh13
    Edited by: HERSH GUPTA on Jun 4, 2009 1:42 PM

  • ERM Role Methodology Process - Steps

    Hello Gurus,
    I am on SP17 and have uploaded relevant init files. Have also performed background job sync.
    When I create a role in Role Definition stage and save it, the role does not pass or promote to next step i.e. Role Authorization Stage. GRC saves the role properly.
    I have not defined any condition groups or custom fields. It is just plain role definition.
    Request your help on this.
    Thanks,
    SA

    Hi,
    Please, can you give more details for your configuration?
    I´m thinking that you don´t have ERM Workflow in CUP for workflow approval criteria. Do you have workflow configuration for ERM in CUP?
    Good luck!

  • ERM SP13: New methodology for import roles

    Hi all,
    We have created and set as active a new process for the methodology, with only 3 steps (Definition, Testing and Approval).The problem is that when we import roles from R3, the roles are import to the system within the SAP default methodology which is inactive, with 7 steps (Definition, Authorization, Derivation, Risk Analysis, Approval, Generation and Testing).
    I have two questions:
    - How can i import the roles to the new and active methodology (3 steps)?
    - How can i select that the roles imported go to the last stage of the methodology? I mean, all the steps will be in "green option"?
    Thanks in advance. Best regards,
    Sergio

    Hi R M,
    Thanks for your quickly response,
    - About the apply to existing roles option, yes, i try that. But ERM continues apply the standard process for methodology. You think wil be resolved if i delete it?
    - About the column Set Role Methodology, youre right, now i can put all the import roles in the last stage of the methodology in "green option".
    Many thanks for your help,
    Sergio

  • Warning - Role not generated on default connector

    Warning - "Role not generated on default connector" when creating a composite role with derived roles:
    Hi All,
    I get the above error message post addition of roles in the define roles phase of the Role methodology process.
    I have referred through the below note which is valid for Business roles and is for GRC 10 SP12 whereas we are on GRC 10 SP16. I couldn't find a similar note for the Composite role.
    1794860 - Warning message not correct when generated roles added in BR
    Any inputs/notes would be helpful to address this issue to closure.
    Regards,
    Arun

    Hello Arun,
    In SPRO config. there is a setting "Maintain mapping for Actions and Connector Groups".
    Maintain this setting for all the connectors in the landscape and also define one connector as default for all the four recommended actions something like this.
    Regards,
    Deepak M

  • GRC AC 10.0 - BRM - Methodology is not working

    Hi Gurus!
    I'm having an issue with BRM component.
    I've configured all steps necessary for role maintenance, as it's indicated in document "AC 10.0 - Business Role Management".
    I'll be creating derived roles, composite roles, simgle roles and profiles. There is a methodology defined, and 5 phases for the creation are set.
    When creating a single role, methodology works OK. However, the rest of the roles doesn't have those 6 phases: composite has 4 and derived and profile have 2.
    Do you know ahy this happens and how can I solve it? Prints will be given if needed.
    Thank you in advance!

    Hi Colleen,
    I've configured all settings you mentioned, you can see them in the screen shots. Also, i've pressed "Save" button but it did not bring the methodology.
    BRFplus rule was created from SPRO and BRF+.

  • GRC BRM TCodes of Role cannot be updated

    Hi Expert,
    I am facing problem in creating role from BRM, while trying to Genearte the role from Generate Stage of Role Methodology. I am getting the error when I click on Generate button under Generate Roles tab.
    When I click on Generate button it opens a new screen with stages, 1 Select system and roles 2 Schedule 3 Analysze Risk 4 Confirmation.
    In the Analyze Risk stage when I click on Submit button post risk analysis, i get the error "TCodes of Role Z:ECC_Test cannot be updated (System).
    Please let me know if anybody is facing issue and have reached to some solution.
    Thanking you in advance.
    Thanks & Regards,
    Jatin.

    Hi, Jatin.
    I am in SP6 and facing the same issue. SAP tell you something?
    In my case the transactions added in pfcg are maintained in SU24.
    Also, I am facing an issue when copy authorization from a function in RAR: "Authorization data cannot be updated".
    Please, tell me if you have news.
    Regads,

  • BRM: What should happen if violations arise while role creation???

    Hi,
    I have configured the role methodology and it is working fine. But, I would like to know if any violations are arising while performing analysis, what should be done? Should be routed to some one? If yes, then how can we do it?
    What should be the standard process?
    Please help me understand this.
    Regards,
    Faisal

    Hi Faisal,
    If you have conflicts on action level that is not an issue, if on permission level nothing was reported.
    From practical perspective I prefer to have one role for one business activity, each time when broad roles where created it was very difficult to resolve SoD issues. Maybe instead of one you will have to assign two / or more to users, but long term it is really easier to maintain environment SoD clean. All other roles could go through FF.
    Unless you have some specific situation (like job position roles or sth similar), please share if this kind of approach may be suitable for you environment, or what could be the blocker.
    Best regards, Andrzej

  • ERM - MASS ROLE UPLOAD

    Hi All,
    when using the Mass role upload from SAP backend systems, i expect that all roles will be uploaded to the final stage in the role methodology inthe ERM and that they will be already generated.
    After all, those roles already exists in the systems.
    well, i see that this is not the case and i have to go through the different stages with every role.
    is this indeed the system behavior or did we do somthing wrong ?
    thanks

    Hi
    We did as you suggested but configured the approval stage in the methodology since the role is already approved and is in ECC PROD.
    Now we encountered a situation where we need to update the role in ERM as part of continuos maintainance (after upload) but we don't have the authorization option to enter and change it but only the "save" and "change history" push buttons.
    We changed bach the methodology to the relevant one with all the stages but still we can't maintain the uploaded role. the change in the methodology did not effect the role already uploaded.
    Do you have any suggestions regarding how we can fix this issue?
    Thank you

  • BRM - role in locked mode (in define stage)

    Hi Experts,
    We created derive roles through 'mass role derivation' and in the same time master role has not been approved yet.
    All created derive roles are in locked mode (see screenshot below), even after approval of master role, those locks were not removed.
    Now it is not possible to edit or delete them from BRM.
    Any ideas how to remove those locks on derived roles? (currently we consider creating a program to remove those locks manually from GRACROLE table), but maybe someone has better solution? (We are on SP13)
    Best regards, Andrzej

    Hi Andrzej
    I think you need to raise a customer message an incident  on marketplace if you have already ruled out existing WF approvals as SM12 data locks
    There is a KB article for a Z program to unlock the role
    1805237 - How to Unlock the Role
    but implies root cause was because you had insufficient authorisation to generate the role in the plug-in. Being stuck on the define stage doesn't make sense then
    It may be that the program there is the way to fix it (at least it's SAP code) but if this issue is related to an SP then it needs to be fixed. E.g. maybe SAP should have a check preventing mass role derivation if the imparting is awaiting approval.
    Also check role methodology to make sure you have defined what to do for a derived role. When you upload the roles did you attempt to choose complete methodology or intend to step through the process?
    Regards
    Colleen

  • ERM Unhandled error; Unable to create role (Please provide a profile name.)

    All -
    <br><br>
    I am running into 'yet another' issue in ERM! This error really has me going in circles because I am able to execute the exact same process in our Sandbox environment with NO PROBLEM... If any of you Guru's can help to point me in the right direction on how to address this issue it would be greatly appreciated.
    <br><br>
    Here's the issue:
    <br><br>
    In our SANDBOX enviroment, the role creation process works as designed (Role Methodology: Definition --> Authorization --> Derivation --> Risk Analysis --> etc.). I'm able to define the role, add t-codes in the Authorization step and even Maintain them in PFCG.
    <br><br>
    However in our DEV environment when I take the same steps and I add t-codes to the role, I get an error when I try to Maintain in PFCG --> <b>Unhandled error; Unable to create role (Please provide a profile name.)</b>
    <br><br>
    The crazy thing is that when I remove the t-codes (to zero) I'm able to Maintain in PFCG!!! I am then able to save the Role 'Shell' in the backend (not adding any t-codes), come back into ERM and add t-codes there and Maintain in PFCG somehow works with the t-codes added now. So it seems as if that connection to the back through PFCG with no t-codes establishes the profile somehow and allows me to finish the process as intended. This is a pain because I will have to take this work around step for every role that I create in Development.
    <br><br>
    In Sandbox however this works as intended and generates a profile at this step after adding the T-codes, thereby allowing me to Maintain in PFCG with no error.
    <br><br>
    The configuration of these 2 boxes is exactly the same and the connections are both working successfully, I'm going crazy trying to figure this out! PLEASE HELP!
    <br><br>
    Here are the Error Logs:
    <br><br>
    2010-04-13 18:07:29,427 [SAPEngine_Application_Thread[impl:3]_19] ERROR com.virsa.re.exception.RoleGenerationException: Unable to create role (Please provide a profile name.)<br><br>
    java.lang.Throwable: Unable to create role (Please provide a profile name.)<br><br>
         at com.virsa.re.service.sap.dao.GenerateRoleDAO.createRoleFromAuthorizations(GenerateRoleDAO.java:1502)<br>
         at com.virsa.re.bo.impl.GenerateRoleBO.createRoleFromAuthorizations(GenerateRoleBO.java:597)<br>
         at com.virsa.re.role.actions.AuthAuthorizationDataAction.loadPFCG(AuthAuthorizationDataAction.java:420)<br>
         at com.virsa.re.role.actions.AuthAuthorizationDataAction.execute(AuthAuthorizationDataAction.java:198)<br>
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)<br>
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)<br>
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)<br>
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)<br>
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)<br>
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)<br>
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)<br>
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)<br>
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)<br>
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)<br>
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)<br>
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)<br>
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)<br>
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)<br>
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)<br>
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process<br>
    <br>
    (ApplicationSessionMessageListener.java:33)<br><br>
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)<br>
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)<br>
         at java.security.AccessController.doPrivileged(Native Method)<br>
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)<br>
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)<br>

    Thanks Sirish,
    I have run the configuration validator for both Sandbox & Dev Environments and received the same results in both. I would like to export the results, but am getting the following error when I select the 'Export' button for both:
    ./temp/webdynpro/web/sap.com/grc~accvwdcomp/Components/com.sap.grc.ac.cv.wdapp.CheckComp (Is a directory)
    Initially I thought that the error was result of the "ERMApplicationRTACheck" failing, however it is failing for both environments with this Reason:
    Devleopment:
    ECD Client 150
    VIRSANH version does not match (9)
    VIRSAHR version does not match (7)
    OCD Client 100
    VIRSANH version does not match (9)
    VIRSAHR version does not match (7)
    Sandbox:
    ECC Sandbox
    VIRSANH version does not match (9)
    VIRSAHR version does not match (7)
    SAM Sandbox ECC
    VIRSANH version does not match (9)
    VIRSAHR version does not match (7)
    So I'm still at a loss as to why its working in one environment and not the other...?

  • Mass Reprovisioning Business Roles

    Hello,
    I have a situation where we are updating 100+ existing business roles that are currently assigned to user for our next release of SAP. I am wondering, is there a way to update the business role via import template (add / remove roles) and then push the changes out to users on a mass level?
    We use the role methodology “provisioning” stage to push these changes under normal circumstance but with 100+ roles that would be quite cumbersome.
    I also know there is an option under Role Update > Authorization Data Sync, but that doesn’t appear to update the user assignment. Only authorization under the role. 
    Any suggestion would be appreciated!

    Business Roles concept and usability in GRC AC10 - Governance, Risk and Compliance - SCN Wiki
    the link above says that "update assignment" button will do the update and will be enabled when the business role has been provisioned at least once.
    I guess this is what you have already tried, but i can see your dilemma when you may have many business roles. I wish there was an option under the mass update functionality (unless I have not found it).
    maybe it's time to go to #ideaplace.

  • BRM Approval Process and MSMP Stage Configuration Problems!

    G'Day All,
    I've raised a question in the following blog but it got to a stage where it is not related to the original post anymore. So I would like to draw upon your collective knowledge and appreciate it if you all can jump in and help me out here.
    http://scn.sap.com/thread/3555700
    So this is where I'm at this point:
    Why use two kinds of Approvals in BRM Role Generation?
    Role Content Approval - Through BRF+ Condition
    MSMP Approval - Role Owner etc
    It seems redundant to have two approvals for pretty much the same thing. I believe in both cases (I am guessing) the Approver would be the same person, approving precisely the same thing. So why not have just one?
    Is there a way I can tie up the BRF+ Approver Rule I created, with an 'Agent Rule' in MSMP so I can use the conditions defined to dictate who the request should go to.
    For Example:
    Condition1: Then Request should go to Approver1
    Condition2: Then Request should go to Approver 2
    * These Conditions are defined in BRF+ Approver Rule and linked in IMG and 'Role Owners' in NWBC.
    Alternatively, I tried creating an Initiator Rule from scratch for SAP_GRAC_ROLE_APPR Process ID, using BRF+ with the exact same conditions and everything seems to be OK except the Configuration ID part in Stages. Screen shots of my MSMP WF is as follows:
    Step 1: Process ID
    Step 2: Maintain Rules
    Step 3: Mantain Agents
    Step 5: Maintain Paths
    Step 6: Route Mapping
    I have encountered errors while generating the WF, which are as follows:
    I tried defining my own configuration ID for Stage 1:
    So I tried changing the name of the config ID thinking maybe there is a particular naming convention I have to follow:
    Next I tried using the default configuration ID and link my Agent ID to it:
    So I would appreciate it if any of you could tell me what on earth is happening as I never had this problem with my other Initiator Rules. Is there a particular 'Naming Convention' for stage config IDs or can I give anything as long as they start with a Z/Y/X?
    Regards,
    Leo..

    Hiya Colleen,
    For each path did you go into the Stage Settings of the Step?
    No I haven't as at this point my focus is on testing the WF, so I haven't really mucked around with any settings. So let me know if there is something I need to do in Stage Settings please.
    By the way, the default approval is useful if you are actually using the SAP delivered Agent Rule for roel Owner.
    Thank You.I gathered that from my problem.
    Are you splitting the intiator rule as you want to send the request to different approvers or because you want to do different approval steps? If the first scenario (different approvers) you could just use the BRF+ rule to set the approvers. But if you want the different levels of approval then the MSMP would be used.
    I only created this Initiator Rule because I wasn't sure how to Integrate my Approver Rule created in BRF+ with MSMP WF. My intention is to send the approval to its intended Approver based on the defined Condition. So I believe BRF+ will take care of this as long as long as the 'SAP delivered Agent Rule for Role Owner' is used (as pointed out by you earlier).
    Another thing - for the initiator rule you have covered Single Role Sensitive and Non Sensitive but do you have any other Roles? If so, you have not factored them in.
    Again at this point I am just testing and trying to learn how to integrate BRF+ into Role Methodology Process, so I just picked Single Roles.
    Regards,
    Leo..

  • Issue in ERM - GRC AC 10 - Is risk analysis not mandatory

    Hi,
    We have defined our Role Methodology in 10 as Define Role - Maintain Authorizations - Analyze access risks - Derive role - approval - generation
    When we defined the role and maintained authorization data and proceeding without running risk analysis the role is moving to the next stage without stating any warning that "Risk Analysis is Mandatory". Upon click on Save & COntinue it is proceeding to further stages.
    Is there any parameter which needs to be set to throw a warning message for Risk Analysis to be run before the role is moved to next stage.
    We arleady set the paramater 3011 as YES - Conduct Risk Analysis before Role Generation.
    Thanks and Best Regards,
    Srihari.K

    Hi,
    Note the definition of the parameter 3011 as per "Maintaining Configuration Settings Guide - SAP AC 10.0":
    "Set the value to YES to automatically perform risk analysis when the user generates roles."
    This parameter applies only at generation stage.
    Cheers,
    Diego.

Maybe you are looking for

  • HT1933 Why is it that I rented a movie from iTunes on my computer but it is not showing in my Apple TV to view

    Why is it that I rented a movie from iTunes on my computer but it is not showing in my Apple TV to view

  • How to preview a page in Oracle Portal?

    Hi gurus, I'd like to know if there is anyway to preview a page in Oracle Portal 10g 9.0.4. Customer needs to preview the page (how it will looks like) before inserting new contents (image, link, url, item, portlet etc.) in it, so just the page manag

  • OIM 11g R2-Issue while configuring oim domain in weblogic

    Hi, I'm trying to install OIM 11g R2 version and downloaded the entire suit from edelivery site. Oracle DB version: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production Others like Weblogic, RCU and IdM suite versions are 11g

  • Created IDVD Watch on a Blue Ray

    I created an IDVD as I always have. It is still pictures only. A Main Page with 5 slide shows to choose from. I can watch it on my computer after it is burned. I can watch it on my insigna dvd player. However, when I put it in my new BlueRay player w

  • Time zone does not stick

    On my new MBP (late 2008) the time is permanently incorrect. Instead of GMT+1 (central European time) it shows only GMT. I've manually set it several times, ticked time server, closed the lock, reset the PRAM and started up in safe mode; to no avail.