SAP GRC 3.0 Custom workflow

Similar Messages

• Load approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3)

  Hello,
  I want to know if there is a way to load the approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3) massively.
  Best Regards.
  Pablo Mortera.

  Most of the configuration screens in CUP have an export button and an associated excel/text upload template. Use this template to mass create/update configuration data.
  Regards,
  Alpesh

• Custom workflow integrated into SAP Standard

  I have a requirement were the business would like a workflow to create material master, but prior to actually creating the material they have a form that needs passed around and approved my many business units. Once all approvals are obtained a material master can be created. What I would like is to create a custom BOR and event to route the form and get approvals, but I would like to some how carry over or link this custom workflow with the SAP standard for material master so you can view the log of who and what was approved for this material. Any suggestions?

  Hi,
  Create a workflow or copy the SAP standard. Insert a fork step with the number for branches corresponding to the number of approvals you need. Say you need 5 approvals, have 5 branches and 5 required for completion.
  In each branch use a Form step or a custom method to get the approval.
  After the fork has completed then insert your step which call the CREATE method for your material.
  Everything will be contained in the workflow log.
  Regards,
  Eddie

• SAP GRC Access Control - Compliance Calibrator - License Cost

  Dear all,
  I have some questions on Compliance Calibrator implementation.
  1. Do  we have to pay additional cost for the license to implement Compliance Calibrator?
  2. Since SAP GRC 5.3 is just released, which one do you recommend? SAP GRC 5.2 or 5.3?
  3. What would be the major difference between Compliance Calibrator in GRC 5.2 and 5.3?
  Best regards,
  Rolando

  Hi Rolando-
  1. Yes, there lies some license cost and the amount should not as much as taking SAP R/3 license. I am not sure of exact amount but its nominal as compared to other SAP products.
  2. SAP always recommend for the latest version available and why not one would go for latest version if you are paying something for that.
  Also, it depends on your existing R/3 version and its compatibility. In short run, you can choose per your existing versions but in long run everyone has to move to latest version. Say for example whoever is using SAP R/3 technology with whatever version, they all need to upgrade to ECC6.0 by 2011 with extension upto 2013. I am not sure of any such information about GRC AC though.
  3. Some enhancement have been done with CC 5.3. Those features include-
  1. Risk analysis for SAP Enterprise Portal and UME
  2. BI integration for custom reporting
  3. Reporting enhancement features include additional auditor, business manager and IT reports
  4. SOD management by exception. Can be integrated with workflow.
  5. Import/Export of configuration data
  6. Migration scripts
  7. Download and print capability on every report.
  Some performance improvements-
  1. Concurrent risk analysis.
  2. batch mode risk analysis
  3. Improved memory mgmnt etc.
  Hope it gives you now some more visibility.
  Cheers!
  Ashok

• SAP GRC PC 10.1 Policy Management

  Hi Gurus,
  I am performing a Policy Management Cycle in SAP GRC PC 10.1, and I find the following problem. The approver receives in the Workinbox the notification for perform the approval of the policy, and, if he decide Send to Rework, no one receives the rework, but if I activate a fallback user, he receives everything
  I configured the following business events in the SPRO Actibity : "Maintain Custom Agent Determination Rules".
  Business
    Event
  Role
  Entity ID
  Subtype
  Business Event
    Name
  0FN_AHISSUE_DEFAULT_PRC
  1
  SAP_GRC_SPC_CRS_POLICY_OWNER
  POLICY
  Default processor for ad-hoc issue
  0FN_AHISSUE_DEFAULT_PRC
  1
  SAP_GRC_SPC_GLOBAL_ORG_OWNER
  ORGUNIT
  Default processor for ad-hoc issue
  0FN_POLICY_APPROVE
  1
  SAP_GRC_SPC_CRS_PLC_APPR
  POLICY
  Approve policy
  0FN_POLICY_DEFAULT_APPR
  1
  SAP_GRC_SPC_GLOBAL_ORG_OWNER
  ORGUNIT
  Default apporver for policy
  0FN_POLICY_DEFAULT_APPR
  2
  SAP_GRC_SPC_GLOBAL_ORG_ADMIN
  ORGUNIT
  Default apporver for policy
  0FN_POLICY_REVIEW
  1
  SAP_GRC_SPC_CRS_PLC_REVIEW
  POLICY
  Review policy
  0FN_ISSUE_NOTIFY
  1
  SAP_GRC_SPC_CRS_POLICY_OWNER
  POLICY
  Send notification to object owner
  I am working with a copy of the standard roles, so I configure the table with the copy of these roles.
  In the transaction SWIA an error appears which says in field Executed Action: "No Action". I am wondering if maybe it could happens because user WF_BATCH (user used for the workflow) doen't have enought authorizations.
  I also test it in the sandbox and it works perfect (without fallback and with SAP_ALL in WF_BATCH user).
  Some help will be appreciated.
  Thanks!

  Hello Giridhar,
  What parameters are you referring to?
  You meant the parameters in General Configuration in AC?
  Best Regards,
  Fernando

• SAP IDM vs SAP GRC

  Hi All,
  One basic question is coming again and again due to overlapping features of SAP IDM and SAP GRC. Why SAP IDM is required when all most all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why customer can choose IDM when he already has GRC?
  1. SAP IDM and GRC both can accomplish access request and provisioning.
  2. SAP IDM and GRC both has capability of risk management.
  Then why SAP IDM is required?
  Thanks,
  Dhiman Paul.

  Hi Dhiman,
  SAP IDM is more flexible and is Java based (providing excellent customizations).  GRC 10 is ABAP based and originally designed for Access Control.  As mentioned by Chris, IDM connectors are flexible than GRC & provisioning workflow is highly variable.
  I'd say if there are quite a few number of Legacy systems to be connected for IDM solution, SAP IDM would be an ideal choice than SAP GRC, as it can be implemented with less cost and customization.
  My simple opinion.  There may be other points as well.
  BR,
  Ganesh

• SAP GRC NFE

  Hello,
  eu estou trabalhando no electronica fiscal de Nota. Nós temos seguintes sistemas: --
  SAP R/3 -
  SAP GRC NFE--JAVA (assinaturas digitais)-SAP NETWEAVER PI/XI -
  As AUTORIDADES (PARA A AUTORIZAÇÃO)
  como eu verificam a conexão entre estes sistemas. Como eu sei uma comunicação existe entre
  SAP GRC NFE--JAVA (assinaturas digitais)-SAP NETWEAVER PI/XI -
  A conexão das AUTORIDADES (PARA A AUTORIZAÇÃO)
  foi feita já com sucesso entre SAP R/3 E SAP GRC NFE através do RFC.
  Por favor ajuda.
  Agradecimentos adiantado,
  Honey

  Bom dia Honey,
  Além da comunicação entre os sistemas, você deve customizar as Sefaz-es e também os CNPJs na SPRO do GRC.
  Acompanhe as telas aqui:
  SAP GRC NFE 1.0 - New Solution Introduction & Implemention Best Practices
  Você pode testar o serviço assinador (java) diretamente pelo web service:
  Web Service Navigator
  Leonardo deu uma boa dica para testar o customizing dos serviços e comunicação com o sistema externo (Sefaz).
  Atenciosamente, Fernando Da Ró

• SAP GRC 10.0 Risk Management - Forecasting Horizon Scoring Analysis Mode

  Hi everyone,
  In SAP GRC 10.0 Risk Management Support Package 7, we need to assess a corporate risk by performing an automatic analysis aggregation based on a scoring analysis profile.
  The problem is that corporate risks must be created based on a forecasting horizon.
  So, can we create forecasting horizons with scoring analysis mode? How? Must be enabled through customizing or applying a SAP note?
  Best Regards,
  Chema Traveso

  Hi,
  I think this is still user-specific, as it was in 5.X. I have checked the new GRC authorisation object parameters delivered within the roles and also tried to see if a Admin user was able to see all the variants created by the different users, but so far I have not found a solution.
  It may be worthwhile to raise this in "IdeaPlace", hoping it gets enough votes and SAP's attention for implementing in a future Support Pack delivery.

• SAP IDM 7.0 connecting to SAP GRC 10.1

  Hi Gurus,
  I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
  Could any of you provide some guidance on how to make this connections.
  Thanks and Regards,
  Juan

  If i remember correctly the 7.0 version had only mx_provision, mx_deprovision and mx_modify -tasks so the integration would have be built on these tasks. As there is no validate add task to hang the GRC call GRC would have to do provisioning.
  7.0 datamodel is different than 7.2, I haven't studied in detail but would guess there is enough difference also in the tables that store tasks/jobs etc that the 7.2 GRC provisioning framework would not   even import to 7.0. You would need to set-up a 7.2 on the side to study the framework to see how to duplicate the tasks..
  VDS in the middle is another thing as it would need to be able to communicate with your custom connector in 7.0.
  If you must stick with 7.0 maybe the GRC connector of 7.1 is worth a try.. But you would probably need also older VDS.
  Depending on the level of your existing customisations and what data from 7.0 is worth keeping the upgrade to 7.2 is not necessarily big thing compared to the effort of building the interim custom interface.. The real question is how big and complex is your 7.0 implementation?
  regards, Tero

• Custom workflow for Fiori Approve Timesheets

  Hello All,
  I am investigating complexity of adding custom workflow to Approve Timesheets.
  There is BADI SRA010_BADI_TIMESHEET_APV.
  Any experiences/advices  ?

  Hi Lukasz,
  How do you change approver using data from Ztable in the current system?
  If you are talking about workflow approver determination logic, it is a job for Workflow Engine and not for Fiori.
  Regards, Masa
  SAP Customer Experience Group - CEG

• Role Upload template for SAP GRC CUP 5.3

  Good Morning / Afternoon / Evening SAP Security Gurus,
  I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
  According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
  Best Regards
  Steve

  Thanks Ashish,
  Someone else recommended this option as well via another forum. Have tried it out and working fine. 
  Thanks for the reply
  Steve

• Standard AC Roles in SAP GRC AC 5.3

  Hello,
  Can anyone list the STANDARD AC ROLES in SAP GRC AC 5.3 Suite for
  1- RAR,
  2- SPM,
  3- CUP,
  4- RT,
  5- ERM,
  6- GRC PC 2.5
  7- GTS,
  8- GRC Repository.
  I know that the Standard AC Roles that are delivered for CUP are
  1- AEADMIN,
  2- AESecurity &
  3-AEApprover.
  Each role comes with different actions in them.
  I need similar type of standard AC roles for the above listed modules.
  Thanks!!!

  Hello Varun,
  Below are answers to your statements.
  1- There are no portal roles for AC5.3 as such. There is portal role for RM which you have already found.
  **ANSWER 1: *There are portal roles for AC 5.3. Kindly see the link http://help.sap.com/saphelp_grcpc30/helpdata/en/27/c67fe32e684e4c85125645dc5918ee/frameset.htm.***
  *The role I found in from the above link.*
  2- To access AC5.3 applications from portal you would have to create IViews etc.
  ANSWER 2 Since SAP provides the predelivered roles, as seen in HELP.SAP.COM in above link, we need not create iViews. The custom IViews are required for custom roles, not the standard roles**
  Thanks!!!
  Edited by: abdul haleem on Jul 21, 2009 9:44 AM

• SAP GRC AC 5.3 integrated with BW

  Hi all,
  Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
  Thanks in advance. Regards,
     Imanol

  Imanol,
  There is documentation available for the integration.  You can find that here:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
  Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
  Pre-delivered queries:
  For RAR:
  Alert Detail Listing
  Alert Header Listing
  Critical Action Violations by User
  Critical Role Viols Analysis with Long Portal IDs
  Current User Permission Risk-Perm Violation Analysis Breakdowns
  Current User Permission Risk Violation Analysis Breakdowns
  Management Summary Total Listing
  Mitigated Users Analysis
  Risk Long Descriptions
  Risk-Rule Set Relationship Listing
  Role Permission Risk Violation Analysis
  Role (Portals) Permission Risk Violation Analysis
  Supplementary Rule Detail Listing
  Supplementary Rule Header Listing
  User Permission Risk Violation with Functions
  User Permission Risk Violation with Remediation by User
  User Permission Risk Violation with Remediation by User (Top 10)
  User Permission Violation with Remediation by Risk
  User Permission Violation with Remediation by Risk (Top 10)
  For CUP:
  Access Requests
  Risk Violations
  Role Provisioning
  Service Levels
  SOD Review
  User Access Review
  User Provisioning
  Thanks!
  Ankur
  SAP GRC RIG

• Migrate SAP GRC AC 5.3 SP13 (System A - System B)

  Hello all,
  currently we have setup 2 SAP GRC AC 5.3 SP13 SAP instances (DEV / PRD) for the customer's SAP ERP system landscape. Those systems also contain some customer business functionality.
  Because of business requirements the PRD Java Instance needs to be deleted and built up again from scratch with another WebAS Java Release Version (same SID, same Hardware, etc.).
  Our plan is now to setup a dedicated Java instance which will contain the PRD installation of SAP GRC AC (new SID, different hardware, etc.) to avoid similar problems in the future. Therefore we have to migrate all of the RAR data from the "old" Java instance to the newly setup Java system. We especially need to migrate all of the RAR analysis data (e.g. SoD violation analyses of previous months, etc.), otherwise we would loose all of this information when the "old" installation is deleted and built up again.
  I have checked all of the SAP documentation for SAP GRC AC 5.3 and only found these clues:
  In document "SAP GRC AC 5.3 Configuration Guide v3.16 - Chapter Utilities -> Export Utility / Import Utility" it only says
  something about exporting / importing rule sets, mititgating controls, etc. Can these tools also be used to export / import
  analysis data too ?
  In document "SAP GRC AC 5.3 Installation Guide v2.2 - Chapter Post-System Copy Configuration" it only says something about
  steps to be executed if the SAP GRC AC installation was done via system copy. But there is no information about migrating RAR analysis data.
  In document "SAP GRC AC 5.3 Operations Guide v2.1 - 7.2 Backup strategies" it says that in order to restore the system "you need to back up all tables with the following prefixes: VIRSA and VT". Can we simply do a backup of all of those tables, import
  them into the database of the new system and the use the export/import utility to move all of the configuration etc. from the old system to the new one ?
  Regards,
  Benjamin
  Edited by: Benjamin Schlotz on Jun 30, 2011 11:57 AM

  Hello Sunny, hello Frank,
  thanks for the quick replies.
  I did know about the SNOTE regarding the post migration steps, but the To-Do's Frank posted had some additional info in them.
  One question remains still open though:
  How to actually migrate all the GRC AC RAR data (incl. old analysis data) from System A to System B
  Our intended course of action would be:
  1. Deploy SAP GRC AC on System B (same Version, SP-level etc. as in System A)
  2. Export all VIRSA* and VT* tables from DB of System A, import them all in DB of system B
  3. Export all configuration, etc. from System A, import it into System B (using the export / import functionality within RAR)
  4. Do all the post-migration tasks described by you
  Would you agree with that course of action / know any pitfalls, etc ? We need to have all the "old" RAR analysis data from System A in System B after the migration because System A will be shutdown and deleted.
  Regards,
  Benjamin

• SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"

  Hi,
  when configuring a stage, a standard approver determinator called "Super Access Owner" could be selected.My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
  "If you select Superuser Access Owner as the approver determinator, the system
  fetches the configured owner from the SAP system where the Superuser Privilege
  Management is installed and assigns the request to that particular approver." 
  I do not really unterstand where to specifiy. Is it the former FireFighter in the backend.
  Did anybody user this Approver Determinator already?
  Thank you in advance.
  Marco

  Hi Marco,
  Yes this approver is defined in the backend Firefighter which is now Super User Privelege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for  Integration of Compliant User Provisioning and Super User Privelege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
  In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
  Hope this helps.
  Harleen