SAP Access Enforcer

Similar Messages

• Is there an IDES system of "Access Enforcer" internally at SAP?

  Hi expert,
  Is there an IDES system of "Access Enforcer" in SAP so that we can access it internally from SAP network?
  Thanks.

  Very well.
  <b>This information is only applicable within SAP's corporate network.</b>
  Access Controls 5.1 - compliant user provisioning (Virsa Access Enforcer for SAP)
  http://idphl930.phl.sap.corp:50000/AE/index.jsp
  ERP Backend: Application Server: idphl932.phl.sap.corp, System Number: 50, system ID: G13, Client: 870
  Updated Demo Scripts are located here:
  Rsophltrndb\FEPublic\Public\GRC_Workshop\DemoScripts

• Access Enforcer(error in approving the request) and import roles

  Dear all,
  error in approving the request at security stage(last)
  manager and role owner are successfully approved.
  and also importing roles into access enforcer was not successful.
  imortstatus : 0 roles imported of 28 records found.
  please find the system log:
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:02:28,234 [Thread-47] DEBUG

  In Addition to my previous response:
  I meant to include the following:
  Some of the fields that need to be properly defined with attributes are:
         System: must have the know SAP system defined here
         Role Approver (i presently are using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
         Functional Area: need to have all the areas defined that roles will be assigned to
         Company: I only have one company so that's an easy one
  Some areas I presently do not use but found they must ne coded and coded properly:
         ResponsibilityID:   N/A  (coded as is)
         CommentsMandatory: NO (coded as is)
         Parent Role Owner:   NO
         Business Process: NA  (I believe I originally coded N/A and it did not like that)
         Sub Process: NA  (again N/A I believe error on me)
         Reaffirm Period: presently I am using 0 (zero)
         LastReaffirm: presently using 12/31/9999
  Hope this helps a bit
  I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
  Jerry Synoga
  Ryerson Inc.
  630-758-2021

• Access enforcer and User Data Source for HR

  We are on Access Enforcer 5.2 - service pack 2:
  My problem is that when creating a new request in AE, I able to get a list of all users when I point my User Data Source to either SAP or UME. However when I attempt to create a request whilst pointing the User Data Source at the SAPHR system, I do not get any users back (and we have user set up in the SAP HR system).
  I’ve changed the connector to ‘YES’ under the HR System box, I’ve changed the Data Source Type and Details Source Type to point at the SAPHR and still it fails to fetch any users.
  I've tried looking at the log, but can't get much out of it.
  I would appreciate it, if anyone could provide any assistance.
  Thanks you in advance.
  Amarjit
  Message was edited by:
          amarjit singh

  Hi Micheal,
  Thanks for your reply.
  I'm pointing both Data Source Type and Details Source Type to the same system SAPHR and to the same system name (which is our dev system)
  Regards,
  Amarjit

• Connector problem with access enforcer

  Hi Guys,
  I am facing a really strange problem with my connectors.
  We have a test installation of GRC which was down for about 3 months.
  During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
  Anyhow I still can't modify, test or even create a new connector for access enforcer.
  The only error I get is "Action failed".
  I tried to analyze the logs but found no help there too.
  2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
  java.lang.NullPointerException
       at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
       at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
       at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
       at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
       at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
       at java.security.AccessController.doPrivileged1(Native Method)
       at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
  Did anybody here face a problem like that?
  Kind regards,
  Bastian
  Message was edited by:
          Bastian Schneider
  Message was edited by:
          Bastian Schneider

  I had a simular problem with CC and I had to contact SAP. They gave me a script to run against the database that remove the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.

• Auto Email generation in multiple language in Access Enforcer 5.2

  Hi All,
  We have configured workflow in Access Enforcer 5.2 for autoprovisioning of users in the system. Requestor gets an email in english with the userid and password once the user is provisioned in the system. Now the requirment is to send these emails in different language, which is specific to the user. Like a spanish user should receive the email in spanish language.
  Whether this has anything to do with language setting while user creation.
  Please suggest.
  Thanks & Regards,
  Pravin

  Hi Pravin,
      It has nothing to do with the language settings for the user. This configuration has to be done in closing section of Email reminders under workflow. As per my experience with AE 5.2/CUP 5.3, I don't think this is possible as of now. This could be a good functionality, so you can open an enhancement request with SAP.
  Regards,
  Alpesh

• Upload of role in Access Enforcer 5.2.

  Hi All,
  I need to upload roles in Access Enforcer from SAP ECC system. Actually i have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
  Now i need some way, first to clean entire uploaded roles & then upload selected roles.
  Please suggest.
  Thanks & Regards,
  Pravin

  Hi Pravin,
     Here are the steps:
  1) Download all the roles into an excel spreadsheet:
  Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
  2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
  3) Delete not needed roles from spreadsheet and upload it into CUP:
  Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
  Regards,
  Alpesh
  SAP GRC Manager (PwC)

• Access Enforcer Role Import - Reaffirm period

  Hello
  What does the following terms mean;
  last reaffirm
  reaffirmperiod
  We current upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
  Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
  Thanks

  Hi Prakas,
  Reaffirm period ( in months ) is the duration after which you would like the Approver of the Role ( Role Owner /Role Approver ) to get notified on which all user in SAP has access to that Role and Does he want to continue giving that role to them or wants to remove that Role from all of them or any one of them .
  He would get the details on which Role requires Reaffrim at following location :
  In AE 5.2 ;  login with Role approver id ( eg ABC )  into AE .
  In tab Access Enforcer > Reaffirm .
  A list of All the roles of which ABC is apporver and which require re-affrim would display here.
  ABC can now take approriate action by selecting the role name.
  *Last reaffrim * is the date when the Role was Reaffrim /revisited/reassgined last.
  In your scenario you have given Reaffrim period = 60 which means your Role Owner would get the Role in his Reaffrim inbox after 5 years .
  This is not best practise . For security reason , SAP advices to keep the Reaffrim period to a maximum of 2 months.
  I hope this answers your query .
  Thanks
  Jasmine

• CUA still necessary/recommended with Access Enforcer?

  Hello forum members,
  we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them a HR System. Currently there is no CUA in place an all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question, if we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
  What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
  Thanks for your replies.

  This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
  For example:
  a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, a AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk'  role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
  b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
  I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

• Can access enforcer be implemented with going through the SOD check.

  Hi All,
  I have couple of questions regarding Access enforcer:
  1. Can Access enforcer be implemented with going through the SOD check?
  2. Can we provision roles for the project team using Access Enforcer (without having a million SOD conflicts which need to be cleared)?
  I would really appreciate any insight on these questions.
  Thanks

  https://websmp103.sap-ag.de/~form/sapnet?_FRAME=OBJECT&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000206624&_HIER_KEY=601100035870000212731&_HIER_KEY=601100035870000210510&_HIER_KEY=701100035871000519581&_SCENARIO=01100035870000000202&#HOME

• Error in Risk Analyzer of Access Enforcer

  We are getting the below error in Risk analyzer of access enforcer in the GRC system that we have
  Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.XmlUnmarshalException: XML Deserialization Error. Invalid parser state. This exception is caused when deserializing XML type [http://www.w3.org/2001/XMLSchema] and wrong XML node is found.
  The version of the system is AE 5.2 SP11 (Build-59112)
  could come one help on this?
  Regards
  Bharathwaj V

  Hi alpesh,
  Thanks for your answers.
  We were able to sort out the problem.The problem was with the load balancing at java level.
  We had 2 server nodes and only 1 server node was taking all the requests and so it was choked up.
  Bharathwaj V

• Access Enforcer Import Role Automation

  We would like to automatically import roles from SAP.
  We do know that you can use Role Expert which in itself can be used to automate the import. However, we still have to manually import into AE - even if RE is used as the role source.
  Is there a way to periodically automate the import from either SAP or RE because it does not make sense to have to manuall import roles every time a new role is created in SAP.
  Thanks

  Actually, it does make sense.
  One of the prime features of Access Enforcer is that you don't import all the roles, but just the ones you want users to be able to request.
  For each of the roles, it's useful to put them into some kind of category (functional area, business process, sub-process), which makes handling for users a lot easier, and you have to assign approvers.
  One way to do that is to use an Excel spreadsheet and manage the data there. Easy to use and update, and quick to upload into AE.
  Kind regards,
  Frank.

• CUA vs. Access Enforcer

  Can anyone explain the need for implemented both CUA and Access Enforcer?
  We are currently upgrading to ECC6.0 and implementing the GRC tools(5.2) and CUA  With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA .

  Hi Patrick
  1) In this scenario the only benefit with CUA i can see is
       a) Password reset
       b) locking and unlocking the user.
  2) If you use GRC AC in landscape, it is not at all recommended to assign roles, profiles using CUA. This can lead to high level compliance /regulatory issues.
  3) If you are implementing new CUA, then i would recommend to go for NW Identity Management Solution. Advantages are
      1) User provisioning for SAP and non-SAP system
      2) can be integrated with GRC for Risk analysis and remediation.
      3) Password Management also possible.
          https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
  regards
  Anand.M

• GRC Access Enforcer - Technical Dependency?

  All,
  My organisation currently has GRC Compliance Calibrator and Firefighter installed with version 4.0. Our landscape is based on SAP NW 2004 (XI3.0) with ERP2004 (ECC5), BW3.5 and SRM4.0
  We want to implement Access Enforcer but do not have a java stack currently enabled on our landscape.
  I know that GRC 5.2 requires a java enabled instance but is it possible to implement Access Enforcer onto our current landscape?
  Do you know of any implementation guides or technical documentation that could assist?
  Cheers,
  Simon

  Hello Simon,
  Java Stack is mandatory to install and operate GRC Access Control 5.2.
  For installation,user and secruity guides please check at service.sap.com in the following path:
  Service.sap.com>Release & Upgrade Info>Installation & Upgrade Guides>SAP Solution Extensions>SAP Solutions for GRC>SAP GRC Access Control>SAP GRC Access Control 5.2
  Also check following links for GRC Access Control Pre-Implementation Guide and Access Enforcer checklist.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0079de64-f5f1-2910-3688-b16619da82fb
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0b41ebb-34aa-2910-379f-d9e48fb771ee
  Thanks
  Himadama

• Risk Analysis Error - Access Enforcer

  Hi Experts,
  I am getting error while running risk analysis in Access Enforcer and the error is
  <b>Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html'
  </b>
  We are using seperate RFC IDs for Access Enforcer connector and Comlaince Calibrator connector.
  Please help me.
  Thanks&Regards,
  Vijay

  Reddy,
  The user must indeed be created in the UME as a Compliance Calibrator user.
  I don't know exactly which role he should be assigned, usually I indicate there my CC admin user-id and password.
  When you see it is working with that user-id, you can try to re-fine the roles.
  Some more info regarding what needs to be set in the URI in case the one I inducated in my previous answer is not working:
  "There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, UserName, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address. If you select Compliance Calibrator 4.0, there is no need to connect to a URI address."
  Karim