Role Reaffirm in GRC10

Hi all,
did anyone use the Role Reaffirm functionality within GRC10?
The functionality seems to be available, but we cannot get any roles listed to be reaffirmed.
We have defined approvers for roles in GRC, have users assigned, ran the RR Reminder background job.
Is there anything missing?
The config parameters seem to have magically disappeared from the list of available parameters.
Also could not find any documentation on Role Reaffirm in AC 10.
Thanks for some input,
Daniela

Hello experts,
I get the same issue:
I have 1 role with reaffirm expiration on 05/16/2013 and 1 role which already had expired on 05/08/2013.
Given that today is 05/15/2013, I expect a result of 2 roles which have to be reaffirmed in 'Access Management > Role Mining > Role Reaffirm'.
But it already gives the warning "No records found"!
On Leon's advice I tried typing the value '1' in "Number of days before Duedate", so I would expect 1 role as result... but: "No records found"!
I attached some screenshots of my configuration.
Any ideas?
EDIT: Can somebody tell me the reminder email notification job for role reaffirm? I only know the job "GRAC_ERM_ROLE_CERTIFY_NOTIF" for role certification.
Thanks in advance :-)
Edgar

Similar Messages

  • GRC Access Control 5.3 - Role Reaffirm Notification Email

    Hi Experts,
    We have GRC 5.3 system and we want to change the content of Role Reaffirm notification email.
    Is there any way to change the default email text?
    We want to add few additional lines and CUP link in the email notification.
    Thanks,
    Rajendra

    Hi Alpesh,
    I found the entry in table VIRSA_AE_MESSAGE which is the same message as in the email notification.
    I changed the value for field MSGDESC in our test system but the new text is not reflecting in email.
    The email subject is coming as- Here are the roles that need to be reaffirmed
    The body of the email is as below-
    Here are the roles that need to be reaffirmed
    Z_FI_MANAGER
    Z_ALL_HR_DISPLAY_ALL
    I updated the table at database level.
    Is there anything else that needs to be done?
    Also, we are using UAR as well as Role Reaffirm (don't know why). Is there any OSS note which says that UAR can be used instead of Role Reaffirm?
    Thanks,
    Rajendra

  • Access Enforcer - Role Reaffirmation

    Hi,
    Access Enforcer offers a role <-> user assignment reaffirmation after a defined period.
    My question is, what happens when using the Remove or Hold button in the Role Reaffirm menu entry?
    I tried removing the access, but all that happens is the user entry is marked as "Remove".
    Should an automatic Request for the role removal be triggered or what's the purpose of these two options?
    Thanks,
    Daniela

    I answered the question myself.
    Hold will keep the role in the queue to reaffirm.
    Remove will automatically remove the role from the user once all user-role assignments have either been affirmed or removed.

  • CUP 5.3 SP11.1 - Role Reaffirm - Java Overflow error

    Hi!
    We are currently using the CUP Role Reaffirm. A user tried to access the role reaffirm screen and received an error message:
    Java.lang.StackOverflowError:Null   Exception: (00145EC6363A0065000005F100174014000490DB915AF7A1).
    The application log shows: 3]_20##0#0#Error#1#/Applications/AccessEnforcer#Plain### Ignoring Exception - User : 10102021  not found to get full name #.
    Does anyone know what this error message is?
    Thank you.
    Lynn

    Hi Alpesh,
    Yes, 10102021 is a valid user id.
    Here is the CUP system log:
    2010-09-22 12:51:04,289 [SAPEngine_Application_Thread[impl:3]_8] ERROR Requested navigation control not found
    com.virsa.ae.commons.utils.framework.ControlNotFoundException: Action not found - loadRequestorLoginPage
         at com.virsa.ae.commons.utils.framework.ScreenDefn.getActionDefn(ScreenDefn.java:141)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:157)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    2010-09-22 13:05:57,833 [SAPEngine_Application_Thread[impl:3]_7] ERROR java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
    java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.execRiskAnalysis(RiskAnalysisEJB53DAO.java:305)
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:277)
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:419)
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.determineRisks(RiskAnalysisEJB53DAO.java:527)
         at com.virsa.ae.service.sap.RiskAnalysis53DAO.determineRisks(RiskAnalysis53DAO.java:103)
         at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:182)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doRiskAnalysis(RiskAnalysisAction.java:1108)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doAnalysis(RiskAnalysisAction.java:335)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:112)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    2010-09-22 13:05:57,835 [SAPEngine_Application_Thread[impl:3]_7] ERROR Exception during EJB call, Ignoring and trying Webservice Call
    com.virsa.ae.service.ServiceException: Exception in getting the results from the EJB service : com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:295)
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:419)
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.determineRisks(RiskAnalysisEJB53DAO.java:527)
         at com.virsa.ae.service.sap.RiskAnalysis53DAO.determineRisks(RiskAnalysis53DAO.java:103)
         at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:182)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doRiskAnalysis(RiskAnalysisAction.java:1108)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doAnalysis(RiskAnalysisAction.java:335)
         at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:112)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.execRiskAnalysis(RiskAnalysisEJB53DAO.java:305)
         at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:277)
         ... 28 more
    Thank you.
    Lynn

  • Role Reaffirm

    Friends,
    We are planning to use the role reaffirm functionality in CUP. Is anybody using this functionality? Please share your experience on this.
    Thanks,
    Srinu

    Thanks Frann.
    Is there any way that we can put some stage in between role reaffirm so that security can review them?
    I understand that we can use the UAR process, but the user information being displayed in the role reaffirm screen is really helpful for the role owners to know more about the users before taking any action.
    Edited by: Srinu Koveta on Apr 6, 2011 8:55 PM

  • CUP 5.3 - Role Reaffirmation for roles coming from ERM

    Hi All,
    Our source system for roles in the CUP is the ERM.
    Can I do Role Reaffirmation for those roles? Because I saw that they don't come with validity dates.
    Thanks
    Yudit

    Hi,
      My personal recommendation would be to either go with spreadsheet or backend system. Even when you bring roles from SAP system, it doesn't have any role reaffirm date as there is no such field in backend system. If you want to maintain roles properly then please configure them in spreadsheet so if you need to do mass changes it would be very easy to perform those updates.
    Regards,
    Alpesh

  • Access Control View All Role

    Hello Experts,
    We are currently implementing GRC Compliant User Provisioning for the client. Apart from the configuration team with role AEAdmin, we have a few client experts to look into the sandbox system and understand whether the configuration we made is as per the requirement.
    In doing so, they tend to modify some or other configuration at times, knowingly or unknowingly, which leads us to longer debugging time.
    Is there a way I can create a UME role with only the View Configuration action to avoid such circumstances?
    Thanks
    Rashmi

    Hi Rashmi,
    1- Assign following actions to Role:-
    ViewReject
    ViewHold
    ViewCopyRequest
    ViewCreateRequest
    ViewSearchRequestAll
    ViewRequstAuditTrail
    ViewForwardRequest
    ViewReRoute
    ViewAccessEnforcer
    ViewSelectPDProfiles
    ViewMitigation
    ViewRiskAnalysis
    ViewSelectRoles
    ViewReaffirms
    ViewRiskAnalysis
    ViewSelectRoles
    ViewReaffirms
    ViewApprove
    ViewApproverDelegation
    Using these actions you can see the following tabs in Access Enforcer:
    1- Access Enforcer
            -Requests For Approval
            -Create Request
            - Search Requests
            -Requests On Hold
            -Approver Delegation
            -Copy Request
            -Search Request Audit Trail 
            -Role Reaffirms
    2-Informer Tab
            -Services Level For Requests
            -Conflicts And Mitigations
            -Request By Roles And Role Owners
            -List Roles And Owners
            -Requests By PD/Structural Profiles
    3-Configuration Tab
            -Monitoring
                      -System Log
                      -Application log
           - Upgrade
    The rest of the tabs in Configuration run along with the Modify action in AE 5.2.
    2- Some new actions were added by the SAP GRC RND team in Compliant User Provisioning 5.3 (Access Enforcer 5.3) for only viewing the Initiators, Stages, Path, Connectors, Provisioning, HR Trigger, Userdefaults etc.
    In AE 5.3 independent View and Modify actions are available
    for each tab, like for Initiators, Connectors etc., but this type of provision is not available in AE 5.2.
    Regards,
    Jagat

  • IDM / GRC 10 - Post approval issue

    We are using IdM 7.2 sp8 and GRC 10 and have a full workflow created as follows:
    NOTE: Risk Validation and GRC System Auto-Approval Step are currently both disabled
    Manager -> Role Owner -> GRC Risk Analysis -> Approval -> Provision  Seems quite simple, right?  :-)  Getting every detail correct to make sure this works seamlessly is the issue I seem to be running into.
    My issue is that I am trying to assign an IdM Business role that contains privileges from two different ABAP systems (very standard).  After everything gets to approved, submitted to GRC and comes back to IdM, polling starts and the result is read back in and the check status task runs its "Approve" tasks.  It looks like the provision job is trying to provision the requested roles into the GRC10 repository instead of the ABAP systems the privileges should be provisioned in and I get the following in the log:
    This is found in the provisioning framework
    Naturally the privileges have a default repository but the Business Role does not.
    The GRC10 Repository only has the workflow (full not just AC Validation stage) in the Validate add task, no assignment tasks
    Each ABAP system only has the three normal provisioning tasks assigned, 601, 1345 and 751
    The error I get when it's all said and done is "uSkip Called to skip entry"
    There is some small detail I'm missing.
    Your thoughts?

  • Access Control v5.3 CUP Config error in Miscellaneous Configuration

    Hi Experts,
    We have recently upgraded from AE v5.2 to CUP v5.3 SP7 and have the following error when trying to save changes to the "Miscellaneous Configuration" parameters section:
    "Please enter a valid numeric value for Background Job Time Interval In Minutes, Value less than or equal to Configured Background Job interval 0"
    I have tried to change it to what it asks and have attempted to make sure the Background Job interval was more than 0, but I continue to get the hard error. If you put "0" in, it returns the following error:
    "Please enter a positive value for interval"
    Any ideas on this one?

    No, not really. I have tried to change/activate background jobs to fix this, but think I may have an issue with the background jobs list itself. We have repeated background jobs in the background schedule itself. Does anyone else have this? Our entries are repeated for Email Dispatcher, Email Reminder and Escalation, just one group in uppercase and one in lower. I can only change the lowercase.
    Below is the list of entries from the background jobs:
    Background Jobs
    Job Schedule 
    Job Name  Description  Start Time  Next Invoke Time  Current Status  Job Type  Days  Recurrence Interval (Seconds)  Active
    EMAIL DISPATCHER  2/27/2007 12:00 AM PST   Available  Other 1-1-1-1-1-1-1-1-23 5  
    EMAIL REMINDER  3/27/2008 6:00 AM PDT   Available  Daily  0  
    ESCALATION 4 Hours 8/24/2007 12:00 AM PDT   Available  Other 1-1-1-1-1-1-1-1-23 2  
    Email Dispatcher EMAIL DISPATCHER 12/1/2009 1:00 AM PST  12/1/2009 1:00 AM PST  Available  Other 1-1-1-1-1-1-1-1-23 300  
    Email Reminder EMAIL REMINDER 12/1/2009 1:00 AM PST  12/1/2009 2:00 AM PST  Available  Other 1-1-1-1-1-1-1-2-23 300  
    Escalation ESCALATION 12/31/9999 8:00 AM PST   Available  On Date  0  
    HR Triggers HR TRIGGERS 12/31/9999 8:00 AM PST   Available  On Date  0  
    HR Triggers Load Data HR TRIGGERS LOAD DATA 12/31/9999 8:00 AM PST   Available  On Date  0  
    Role Reaffirm Notification ROLE REAFFIRM NOTIFICATION 12/31/9999 8:00 AM PST   Available  On Date  0  
    SOD Review Load Data with Mitigated Risks SOD Review Load Data with Mitigated Risks 12/31/9999 8:00 AM PST   Available  On Date  0  
    SOD Review Load Data without Mitigated Risks SOD Review Load Data without Mitigated Risks 12/31/9999 8:00 AM PST   Available  On Date  0  
    SOD Review Process Rejected SOD Review Process Rejected 12/31/9999 8:00 AM PST   Available  On Date  0  
    SOD Review Update WorkFlow SOD Review Update WorkFlow 12/31/9999 8:00 AM PST   Available  On Date  0  
    Stale Requests Stale Requests 12/1/2009 1:00 AM PST  12/1/2009 1:00 AM PST  Available  Other 1-1-1-1-1-1-1-1-23 300  
    UAR Review Load Data UAR Review Load Data 12/31/9999 8:00 AM PST   Available  On Date  0  
    UAR Review Process Rejected UAR Review Process Rejected 12/31/9999 8:00 AM PST   Available  On Date  0  
    UAR Review Update WorkFlow UAR Review Update WorkFlow 12/31/9999 8:00 AM PST   Available  On Date  0  
    Current Time on Server :5/12/2009 4:19 PM PDT

  • Query regarding HR trigger

    Hi,
    I am trying to implement HR trigger for the first time.
    We have a process to reaffirm roles every 3 months, so while creating the role I have set the reaffirm period as 3 months.
    Now I log in as one of the role approvers and go to My Work -> Role Reaffirm.
    I select one of the roles and one of the users and click Remove.
    I have a few questions here.
    1. Does the role get removed from the user? (not happening in my case)
    2. Does the validity of the user come to an end? (not happening in my case)
    3. Will the role get removed or will the validity expire on the due date of the role?
    4. Do I have to create a workflow to get that happening?
    Regards,
    Pranab Singh

    Hi,
    SAP support came back saying this can be put in as an enhancement request to SAP for future development.
    I am really surprised. If that's the case then HR trigger for new hire is totally useless.
    Can someone please let me know if there is any better way of implementing HR trigger for new hires?
    Regards,
    Jay

  • GRC10 Firefighter - Role-based & ID-based

    GRC Gurus,
    I am looking for a solution or at least a theoretical discussion about a scenario in which a GRC 10 system is connected to more than 1 target system, and in one system I want to use the FFID-based option whereas in the other system it is FF-Role based. For example, in a system where all the users are logging in through SAP GUI, it will be better to have FFID-based firefighter, whereas in a system where most of the users are logging in through the portal it will be better to have role-based firefighter. Under GRC 5.3 it was pretty simple as RTAs were independent in each separate system, but in GRC10, since the type of firefighter is controlled by a single parameter, what will be a way to implement such a hybrid approach?
    Regards,
    Shivraj

    Thanks Anji,
    Thanks for the response, I am aware of the 4000 situation, I was just wondering if someone has figured out any workaround for this. Because otherwise, it is a step backward for new version as under 5.3, systems could have been on different setups whereas under GRC10 that is not possible.
    Regards,
    Shivraj Singh

  • Access Enforcer Role Import - Reaffirm period

    Hello
    What do the following terms mean:
    last reaffirm
    reaffirmperiod
    We currently upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
    Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
    Thanks

    Hi Prakas,
    Reaffirm period (in months) is the duration after which you would like the Approver of the Role (Role Owner / Role Approver) to get notified of which users in SAP have access to that Role, and whether he wants to continue giving that role to them or wants to remove that Role from all of them or any one of them.
    He would get the details on which Role requires Reaffirm at the following location:
    In AE 5.2: log in with the Role approver id (e.g. ABC) into AE.
    In tab Access Enforcer > Reaffirm.
    A list of all the roles of which ABC is approver and which require reaffirm would display here.
    ABC can now take appropriate action by selecting the role name.
    *Last reaffirm* is the date when the Role was last reaffirmed/revisited/reassigned.
    In your scenario you have given Reaffirm period = 60, which means your Role Owner would get the Role in his Reaffirm inbox after 5 years.
    This is not best practice. For security reasons, SAP advises keeping the Reaffirm period to a maximum of 2 months.
    I hope this answers your query .
    Thanks
    Jasmine

  • GRC10 Role vs Request Approval

    Gurus, we are currently attempting to maintain the approval and rejection setting at the Request (vs the Role, System and Role) level for one of our stages. Irrespective of this setting being maintained at the Request level, when reviewing the request, the Approval Status column is still visible. Therefore the approver can still reject/approve individual roles within the request, vs rejecting/approving the request as a whole. The status is set to 'Partially Ok'. This causes issues with our integration with NW IdM. I can maintain other stage settings that are reflected in the stage once the workflow is re-activated; the role/request approval setting seems to have no impact. How do I make this setting change so it's reflected at the stage?
    We recently upgraded to SP7 in hopes that this issue would be resolved. Unfortunately it still exists. While we wait for SAP to get back to us on this I figured I would see if anyone else faced this same issue.
    Insight is appreciated.

    you can follow these videos to see if you can get a basic manager approval working for a self request resource.
    http://www.youtube.com/watch?v=KCA_cxKsi_o&feature=channel_video_title

  • GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job

    All -
    We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
    The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
    For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
    We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in these groups that have other roles in addition to these excluded roles that need to be checked.
    Does anyone have any recommendations for how to exclude roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
    Thanks,
    Darnell

    Hi,
    Was a solution found for this error?
    Thanks,
    Glen

  • GRC10 AC Role approver not updated

    Hi,
    We have updated a role with a new approver and it is updated successfully. When I open the role in Role Maintenance I am able to see the new approver with the role.
    When we are raising an Access Request for the same role, we are able to find the old approver but not the new approver which we have updated.
    Please check and advise on this.
    Thanks & Regards,
    Koteswara Rao.

    Dear Koteswara,
    You mentioned that you are not using BRM. Anyway, you have imported the roles into BRM and therefore the roles are available. Can you please check the following:
    Go to Role Search, open a role which has the wrong approver and show us the following screen:
    Check if the role owner is updated accordingly and that the "Assignment Approver" checkbox is checked.
    If all of this is correct then you have to check the role sync job. Run it manually and check if you have some errors.
    Looking forward to hearing from you.
    Best regards,
    Alessandro
