Role Reaffirm in GRC10
Hi all,
did anyone use the Role Reaffirm functionality within GRC10?
The functionality seems to be available, but we cannot get any roles listed to be reaffirmed.
We have defined approvers for roles in GRC, have users assigned, ran the RR Reminder background job.
Is there anything missing?
The config parameters seem to have magically disappeared from the list of available parameters.
Also could not find any documentation on Role Reaffirm in AC 10
Thanks for some input,
Daniela
Hello experts,
I get the same issue:
I have 1 role with reaffirm expiration on 05/16/2013 and 1 role which already had expired on 05/08/2013.
In order of the fact, that today is 05/15/2013, I expect in 'Access Management > Role Mining > Role Reaffirm' a result of 2 roles which have to be reaffirmed.
But it already gives the warning "No records found"!
In advice of Leon I tried to type the value '1' in "Number of days before Duedate", so I would expect 1 role as result... but: "No records found"!
I attached some screenshots of my configuration.
Any ideas?
EDIT: can somebody tell me the reminder email notification Job for role reaffirm? I only know the Job "GRAC_ERM_ROLE_CERTIFY_NOTIF" for role certification
Thanks in advance :-)
Edgar
Similar Messages
-
GRC Access Control 5.3 - Role Reaffirm Notification Email
Hi Experts,
We have GRC 5.3 system and we want to change the content of Role Reaffirm notification email.
Is there any way to change the default email text?
We want to add few additional lines and CUP link in the email notification.
Thanks,
RajendraHi Alpesh,
I found the entry in table VIRSA_AE_MESSAGE which is the same message as in the email notification.
I changed the value for field MSGDESC in our test system but the new text is not reflecting in email.
The email subject is coming as- Here are the roles that need to be reaffirmed
The body of the email is as below-
Here are the roles that need to be reaffirmed
Z_FI_MANAGER
Z_ALL_HR_DISPLAY_ALL
I updated the table at database level.
Is there anything else needs to be done?
Also we are using UAR as well as Role Reaffirm (don't know why), is there any oss note which says that UAR can be used instead of Role Reaffirm?
Thanks,
Rajendra -
Access Enforcer - Role Reaffirmation
Hi,
Access Enforcer offers a role <-> user assignment reaffirmation after a defined period.
My question is, what happens if using the Remove or Hold button in the Role Reaffirm menu entry.
I tried removing the access, but all that happens is the user entry is marked as "Remove".
Should an automatic Request for the role removal be triggered or what's the purpose of these two options?
Thanks,
DanielaI answered the question myself.
Hold will keep the role in the queue to reaffirm.
Remove will automatically remove the role from the user once all user-role assignments have either been affirmed or removed. -
CUP 5.3 SP11.1 - Role Reaffirm - Java Overflow error
Hi!
We are currently using the CUP Role Reaffirm. An user is trying to access the role reaffirm screen, he received an error message:
Java.lang.StackOverflowError:Null Exception: (00145EC6363A0065000005F100174014000490DB915AF7A1).
The application log shows: 3]_20##0#0#Error#1#/Applications/AccessEnforcer#Plain### Ignoring Exception - U
ser : 10102021 not found to get full name #.
Does anyone know what this error message is?
Thank you.
LynnHi Alpesh,
Yes, 10102021 is a valid user id.
Here is the CUP system log:
2010-09-22 12:51:04,289 [SAPEngine_Application_Thread[impl:3]_8] ERROR Requested navigation control not found
com.virsa.ae.commons.utils.framework.ControlNotFoundException: Action not found - loadRequestorLoginPage
at com.virsa.ae.commons.utils.framework.ScreenDefn.getActionDefn(ScreenDefn.java:141)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:157)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
2010-09-22 13:05:57,833 [SAPEngine_Application_Thread[impl:3]_7] ERROR java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.execRiskAnalysis(RiskAnalysisEJB53DAO.java:305)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:277)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:419)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.determineRisks(RiskAnalysisEJB53DAO.java:527)
at com.virsa.ae.service.sap.RiskAnalysis53DAO.determineRisks(RiskAnalysis53DAO.java:103)
at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:182)
at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doRiskAnalysis(RiskAnalysisAction.java:1108)
at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doAnalysis(RiskAnalysisAction.java:335)
at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:112)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
2010-09-22 13:05:57,835 [SAPEngine_Application_Thread[impl:3]_7] ERROR Exception during EJB call, Ignoring and trying Webservice Call
com.virsa.ae.service.ServiceException: Exception in getting the results from the EJB service : com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:295)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:419)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.determineRisks(RiskAnalysisEJB53DAO.java:527)
at com.virsa.ae.service.sap.RiskAnalysis53DAO.determineRisks(RiskAnalysis53DAO.java:103)
at com.virsa.ae.accessrequests.bo.RiskAnalysisBO.findViolations(RiskAnalysisBO.java:182)
at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doRiskAnalysis(RiskAnalysisAction.java:1108)
at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.doAnalysis(RiskAnalysisAction.java:335)
at com.virsa.ae.accessrequests.actions.RiskAnalysisAction.execute(RiskAnalysisAction.java:112)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by:
java.lang.VerifyError: com/virsa/cc/xsys/ejb/RiskAnalysis.execRiskAnalysis(Lcom/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO;)Lcom/virsa/cc/xsys/webservices/dto/RAResultDTO;
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.execRiskAnalysis(RiskAnalysisEJB53DAO.java:305)
at com.virsa.ae.service.sap.RiskAnalysisEJB53DAO.getViolations(RiskAnalysisEJB53DAO.java:277)
... 28 more
Thank you.
Lynn -
Friends,
we are planning to use role reaffirm functionality in CUP.Is anybody using this functionality.Please share your experience on this.
Thanks,
SrinuThanks Frann.
Is there any way that we can put some stage in between rolereaffirm so that security can review them.
I understand that we can use UAR process but the user information being displayed in rolereaffirm screen is really helpfull for the role owners to know more about the users before taking any action.
Edited by: Srinu Koveta on Apr 6, 2011 8:55 PM -
CUP 5.3 - Role Reaffirmation for roles coming from ERM
Hi All,
our source system for roles in the CUP is the ERM.
can i do Role Reaffirmation for those roles ? because i saw that they don't come with validity dats
Thanks
YuditHi,
My personal recommendation would be to either go with spreadsheet or backend system. Even when you bring roles from SAP system, it doesn't have any role reaffirm date as there is no such field in backend system. If you want to maintain roles properly then please configure them in spreadsheet so if you need to do mass changes it would be very easy to perform those updates.
Regards,
Alpesh -
Hello Experts,
We are currently implementing GRC Compliant User Provisioning for the client. Apart from the configuration team with role AEAdmin, we have few client experts to look into the sandox system and understand the cnfiguration we made is as per the requirement.
In doing so, they tend to modify some or other configuration at times knowingly/ unknowingly which lead us to longer debugging time.
Is there a way I can create a UME role with only View Configuration Action to avoid such circumstances.
Thanks
RashmiHi Rashmi,
1- Assign following actions to Role:-
ViewReject
ViewHold
ViewCopyRequest
ViewCreateRequest
ViewSearchRequestAll
ViewRequstAuditTrail
ViewForwardRequest
ViewReRoute
ViewAccessEnforcer
ViewSelectPDProfiles
ViewMitigation
ViewRiskAnalysis
ViewSelectRoles
ViewReaffirms
ViewRiskAnalysis
ViewSelectRoles
ViewReaffirms
ViewApprove
ViewApproverDelegation
Using this action You can saw following Tabs in Access Enforcer
1- Access Enforcer
-Requests For Approval
-Create Request
- Search Requests
-Requests On Hold
-Approver Delegation
-Copy Request
-Search Request Audit Trail
-Role Reaffirms
2-Informer Tab
-Services Level For Requests
-Conflicts And Mitigations
-Request By Roles And Role Owners
-List Roles And Owners
-Requests By PD/Structural Profiles
3-Configuration Tab
-Monitoring
-System Log
-Application log
- Upgrade
Rest of the Tabs in Configuration is running along with Modify action in AE5.2.
2- Some new actions are added by SAP GRC RND Team In Compliant User Provisioning 5.3( Access Enforcer 5.3) for only view the Initiators,Stages,Path,Connectors,Provisioning,HR Trigger,Userdefaults Etc.
In AE 5.3 independent View and Modify actions are available
for each tab like for initiators ,Connectors Ect, But this type of provision is not available in AE 5.2.
Regards,
Jagat -
IDM / GRC 10 - Post approval issue
We are using IdM 7.2 sp8 and GRC 10 and have a full workflow created as follows:
NOTE: Risk Validation and GRC System Auto-Approval Step are currently both disabled
Manager -> Role Owner -> GRC Risk Analysis -> Approval -> Provision Seems quite simple. right? :-) Getting every detail correct to make sure this works seemlessly is the issue I seem to be running into.
My issue is that I am trying to assign an IdM Business role that contains privileges from two different ABAP systems (very standard). After everything gets to approved, submitted to GRC and comes back to IdM, polling starts and the result is read back in and the check status task runs its "Approve" tasks. It looks like the provision job is trying to provision the requested roles into the GRC10 repository instead of the ABAP systems the privileges should be provisioned in and I get the following in the log:
This is found in the provisioning framework
Naturally the privileges have a default repository but the Business Role does not.
The GRC10 Repository only has the workflow (full not just AC Validation stage) in the Validate add task, no assignment tasks
Each ABAP system only has the three normal provisioning tasks assigned, 601, 1345 and 751
The error I get when its all said and done is "uSkip Called to skip entry"
There is some small detail I'm missing.
Your thoughts?We are using IdM 7.2 sp8 and GRC 10 and have a full workflow created as follows:
NOTE: Risk Validation and GRC System Auto-Approval Step are currently both disabled
Manager -> Role Owner -> GRC Risk Analysis -> Approval -> Provision Seems quite simple. right? :-) Getting every detail correct to make sure this works seemlessly is the issue I seem to be running into.
My issue is that I am trying to assign an IdM Business role that contains privileges from two different ABAP systems (very standard). After everything gets to approved, submitted to GRC and comes back to IdM, polling starts and the result is read back in and the check status task runs its "Approve" tasks. It looks like the provision job is trying to provision the requested roles into the GRC10 repository instead of the ABAP systems the privileges should be provisioned in and I get the following in the log:
This is found in the provisioning framework
Naturally the privileges have a default repository but the Business Role does not.
The GRC10 Repository only has the workflow (full not just AC Validation stage) in the Validate add task, no assignment tasks
Each ABAP system only has the three normal provisioning tasks assigned, 601, 1345 and 751
The error I get when its all said and done is "uSkip Called to skip entry"
There is some small detail I'm missing.
Your thoughts? -
Access Control v5.3 CUP Config error in Miscellaneous Configuration
Hi Experts,
We have recently upgraded from AE v5.2 to CUP v5.3 SP7 and have the following error when trying to save changes to the "Miscellaneous Configuration" parameters section:
Please enter a valid numeric value for Background Job Time Interval In Minutes, Value less than or equal to Configured Background Job interval 0"
I have tried to change it to what it asks and have attempted to make sure the Background Job interval was more than 0, but I continue to get the hard error. If you put "0" in, it returns the following error:
"Please enter a positive value for interval"
Any ideas on this one?No, not really. I have tried to change/activate background jobs to fix this, but think i may have an issue with the back ground jobs list itself. We have repeated background jobs in the background schedule itself. Does anyone else have this? Our entries are repeated for EMail Dispatcher, Email reminder and escalation, just one group in uppercase and one in lower. I can only change the lowercase.
Below is the list of entries from the background jobs:
Background Jobs
Job Schedule
Job Name Description Start Time Next Invoke Time Current Status Job Type Days Recurrence Interval (Seconds) Active
EMAIL DISPATCHER 2/27/2007 12:00 AM PST Available Other 1-1-1-1-1-1-1-1-23 5
EMAIL REMINDER 3/27/2008 6:00 AM PDT Available Daily 0
ESCALATION 4 Hours 8/24/2007 12:00 AM PDT Available Other 1-1-1-1-1-1-1-1-23 2
Email Dispatcher EMAIL DISPATCHER 12/1/2009 1:00 AM PST 12/1/2009 1:00 AM PST Available Other 1-1-1-1-1-1-1-1-23 300
Email Reminder EMAIL REMINDER 12/1/2009 1:00 AM PST 12/1/2009 2:00 AM PST Available Other 1-1-1-1-1-1-1-2-23 300
Escalation ESCALATION 12/31/9999 8:00 AM PST Available On Date 0
HR Triggers HR TRIGGERS 12/31/9999 8:00 AM PST Available On Date 0
HR Triggers Load Data HR TRIGGERS LOAD DATA 12/31/9999 8:00 AM PST Available On Date 0
Role Reaffirm Notification ROLE REAFFIRM NOTIFICATION 12/31/9999 8:00 AM PST Available On Date 0
SOD Review Load Data with Mitigated Risks SOD Review Load Data with Mitigated Risks 12/31/9999 8:00 AM PST Available On Date 0
SOD Review Load Data without Mitigated Risks SOD Review Load Data without Mitigated Risks 12/31/9999 8:00 AM PST Available On Date 0
SOD Review Process Rejected SOD Review Process Rejected 12/31/9999 8:00 AM PST Available On Date 0
SOD Review Update WorkFlow SOD Review Update WorkFlow 12/31/9999 8:00 AM PST Available On Date 0
Stale Requests Stale Requests 12/1/2009 1:00 AM PST 12/1/2009 1:00 AM PST Available Other 1-1-1-1-1-1-1-1-23 300
UAR Review Load Data UAR Review Load Data 12/31/9999 8:00 AM PST Available On Date 0
UAR Review Process Rejected UAR Review Process Rejected 12/31/9999 8:00 AM PST Available On Date 0
UAR Review Update WorkFlow UAR Review Update WorkFlow 12/31/9999 8:00 AM PST Available On Date 0
Current Time on Server :5/12/2009 4:19 PM PDT -
Hi,
I am trying to implement HR trigger for the first time.
We have have a process to reaffirm role every 3 months so while creating the role i have set reaffirm period as 3 months.
Now i login as one of the role approver and go to Mywork -> Role reaffirm.
I select one of the role and one of the user and click remove .
I have a few question here.
1. Do the role get removed from the user .(not happening in my case)
2. Does the validity of the user come to and end..(not happening in my case)
3.Will the role get remove or validity will expire on Due date of the role.
4.Do i have to create a worklfow to get that happening.
Regards,
Pranab SinghHi,
SAP support came back saying this can be put in as an enhancement request to SAP for future devlopement.
I am really surprised. If that's the case then HR trigger for new hire is totally useless.
Can someone please let me know if there is any better way of implementing HR trigger for new hires?
Regards,
Jay -
GRC10 Firefighter - Role-based & ID-based
GRC Gurus,
I am looking for a solution or at least theoretical discussion about a scenario in which GRC 10 system is connected to more than 1 target system and in one system I want to use FFID-based option where as in other system it is FF-Role based. For example, in a system where all the users are logging in through SAP GUI, it will be better to have FFID-based firefighter where as in system where most of the users are logging in through portal it will be better to have role-based firefighter. under GRC5.3 it was pretty simple as RTAs were independent in each separate system but in GRC10 since type of firefighter is controlled by single parameter, what will be a way to implement such hybrid approach.
Regards,
ShivrajThanks Anji,
Thanks for the response, I am aware of the 4000 situation, I was just wondering if someone has figured out any workaround for this. Because otherwise, it is a step backward for new version as under 5.3, systems could have been on different setups whereas under GRC10 that is not possible.
Regards,
Shivraj Singh -
Access Enforcer Role Import - Reaffirm period
Hello
What does the following terms mean;
last reaffirm
reaffirmperiod
We current upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
ThanksHi Prakas,
Reaffirm period ( in months ) is the duration after which you would like the Approver of the Role ( Role Owner /Role Approver ) to get notified on which all user in SAP has access to that Role and Does he want to continue giving that role to them or wants to remove that Role from all of them or any one of them .
He would get the details on which Role requires Reaffrim at following location :
In AE 5.2 ; login with Role approver id ( eg ABC ) into AE .
In tab Access Enforcer > Reaffirm .
A list of All the roles of which ABC is apporver and which require re-affrim would display here.
ABC can now take approriate action by selecting the role name.
*Last reaffrim * is the date when the Role was Reaffrim /revisited/reassgined last.
In your scenario you have given Reaffrim period = 60 which means your Role Owner would get the Role in his Reaffrim inbox after 5 years .
This is not best practise . For security reason , SAP advices to keep the Reaffrim period to a maximum of 2 months.
I hope this answers your query .
Thanks
Jasmine -
GRC10 Role vs Request Approval
Gurus, we are currently attempting to maintain the approval and rejection setting at the Request (vs the Role, System and Role) level for one of our stages. Irrespective of this setting being maintained at the Request level, when reviewing the request, the Approval Status column is still visible. Therefore the approver can still reject/approve individual roles within the request, vs rejecting/approving the request as whole. The status is set to 'Partially Ok'. This causes issue with our integration with NW IdM. I can maintain other stage settings that are reflected in the stage; once the workflow is re-activated; the role/request approval setting seems to have no impact. How do make this setting change so its reflected at the stage?
We recently upgraded to SP7 in hopes that this issue would be resolved. Unfortunately it still exists. While we wait for SAP to get back to us on this I figured I would see if anyone else faced this same issue.
Insight is appreciated.you can follow these videos to see if you can get a basic manager approval working for a self request resource.
http://www.youtube.com/watch?v=KCA_cxKsi_o&feature=channel_video_title -
GRC10 Exclude Objects (Roles) - Batch Risk Analysis Job
All -
We are setting up some non-production GRC 10.1 systems at this time and are trying to exclude project roles from our dashboards via the "Maintain Exclude Objects for Batch Risk Analysis" table [SPRO --> GRC --> AC --> ARA --> Batch Risk Analysis].
The problem that we are encountering is that this Batch Risk Analysis is taking an extremely long time to run on our Project Users even though we have excluded the project roles that these users are assigned.
For example, User A has 3 project roles which hit a very large number of SoD violations in our rule set, however in the exclusion list we have defined the three roles the user is assigned to be in the exclusion table for All systems and for the specific system that the job is running against. With no luck. The job still takes an average of 30 minutes to run on each user even though the roles they are assigned are excluded.
We have tested that the exclusion table works because we can exclude the users by adding them to this table and we can also exclude the groups that they are in and this also works. However we have instances where there are other users in this groups that have other roles in addition to these excluded roles that need to be checked.
Does anyone have any recommendations for how to excluded roles so that the job quickly checks the users with these roles? It is my understanding that if the roles are in the exclusion list they should be skipped by the Batch Risk Analysis job which is running to check these users for the dashboards.
Thanks,
DarnellHi,
Was a solution found for this error?
Thanks,
Glen -
GRC10 AC Role approver not updated
Hi,
We have updated role with new approver and it is updated successfully.When I open role in Role Maintenance and I am able see new approver with role.
When we are raising Access Request for the same role,we are able to find old approver but not the new approver which we have updated.
Please check and advice in this.
Thanks & Regards,
Koteswara Rao.Dear Koteswara,
you mentioned that you are not using BRM. Anyways, you have imported the roles into BRM and therefore the roles are available. Can you please check the following:
Goto Role Search, open a role which has the wrong approver and show us the following screen:
Check if the role owner is updated accordingly and that "Assignment Approver" checkbox is checked.
If all these is correct than you have to check the role sync job. Run it manually and check if you have some errors.
Looking forward to hear from you.
Best regards,
Alessandro
Maybe you are looking for
-
Can't Get My Click Wheel to Work
I just updated my software on my ipod and restored all of the settings now i can't get passed the language prompt.
-
Information on SAP XI and Informatica PowerConnect for SAP.
Hi all, Need information on SAP XI as well as on Informatica and Informatica Powerconnect for SAP . Thanks santosh
-
Hello, I purchased abode and it isn't converting my pdf into Word. It made gaps, symbols, columns bleed into the other column, and some blank context. I thought acrobat was included. Here is an example below. Let me know if this will be fixed? I don'
-
Bonjour, j'ai acheté un ipad 2 récemment je suis sur pc et quand je veux synchroniser mes photos depuis itunes mon pc vers mon ipad les photos naparaisse pas! pour transférer de la musique il ny a aucun problème. par contre je suis la bonne méthode.
-
Réparez iCloud pour Windows pour utiliser iCloud avec Outlook
Hello, I receive the following message: Réparez iCloud pour Windows pour utiliser iCloud avec Outlook each tim I open iCloud 4.02 newly installed Then When i made a repair and reboot noting is corrected Evidently this arive on Windows 7 with Outlook