SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"

Hi,
when configuring a stage, a standard approver determinator called "Super Access Owner" could be selected. My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145:
"If you select Superuser Access Owner as the approver determinator, the system
fetches the configured owner from the SAP system where the Superuser Privilege
Management is installed and assigns the request to that particular approver." 
I do not really understand where to specify it. Is it the former FireFighter in the backend?
Did anybody use this Approver Determinator already?
Thank you in advance.
Marco

Hi Marco,
Yes, this approver is defined in the backend Firefighter, which is now Super User Privilege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for integration of Compliant User Provisioning and Super User Privilege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
Hope this helps.
Harleen

Similar Messages

  • CUP 5.3: SOD violations detour to Super Access Owner

    Hi GRC Experts
    Is it possible for us to set up SOD violations detour to a super access owner as an approver when a violation is identified?
    Has anyone done this before?
    Edited by: Donovan Mathews on Oct 6, 2009 2:47 PM

    I'm fairly sure that you could configure the workflow to trigger an approval stage which is then approved by the SuperUser Owners.
    However, you may need to be on patch level 08 to allow this approval mechanism to work correctly.
    I've not had the chance to play with detours massively yet so cannot comment on that element but I'm sure others here have.
    Simon

  • SPM in CUP in a SAP GRC AC 5.3 -- "Approver not found" & "Path not found"

    hello,
    I have a problem when I try to do a request.
    I have configured the SPM in the CUP in a SAP GRC AC 5.3
    It gives me an error: "Error creating request. Approver not found". When I took out the Manager in the Stage it gave me this error in the request: "Error creating request. Path not found".
    Best regards.
    Pablo Mortera.

    You can either type in the configuration, like what option you selected for approver (CAD or role or... etc.), or the other way is to capture the change log, which shows what the configuration was for that stage...
    (Configuration -> Change Log -> Search Change log)
    Cheers !!
    Zaheer

  • SAP GRC 5.3 CUP Archiving Requests

    All,
    I have a question about archiving and re reviewing requests after they are closed (approved/rejected).
    Let's say I create a request, my manager performs a risk analysis and SOD violations occur, but my manager approves the request. If at some point (say a year down the line) I want to review the request to see what the conflicts were would the request: a. still be in CUP to review and b. would it show the conflicts that were identified at the time.
    How would archiving play into this scenario as well.
    Unfortunately, I cannot test this in CUP as it is time sensitive, but I'm hoping someone has come across this before.
    Thanks,
    Kunal

    Hello Kunal,
    You can test this in a development by re-creating the scenario and archiving the completed request. The length of time archived is not an issue.
    In answer, yes you can pull up the archived request information (provided that you did not delete the archive) and you can see what were the recorded SOD risks at the time. However, the request itself will not tell you the individual transactions that caused the conflicts and may no longer be accurate if the risks and business functions have changed in their content since the time of the request.
    This said, GRC AC seems to be changing in "leaps and bounds" with recent support packs... Who knows if the archiving process will change in the future.
    Best Regards, Dylan

  • SAP GRC 5.3 CUP: Initial Password not displayed

    Hi,
    when a user account is created in the backend system, CUP automatically sends the user ID and a link such as
    http://<Server>:50100/AE/showPassword.do?userId=NEWUSER30&ReqNo=1061&System=ERD
    to the user's email address. When opening the link no password is displayed.
    Could anybody help?
    Marco

    Hi Marco,
    Have you checked that the Send Password in Mail option is set to Yes at Configuration > Workflow > Email reminder > Closing tab?
    This option is coming only in 5.3 version not in 5.2.
    Regards,
    Jagat

  • CUP Approve using SPM Owner table

    All,
    I am trying to implement CUP to automatically provision elevated access using SPM.
    I have found the SUPER_USER_ACCESS request type and this would appear to perform the required actions to provision the access but is there a way of using the SPM Owners table to derive the relevant approvers within CUP.
    This would be instead of using defined CABs at the approval stage within CUP?
    Please advise me on whether this is technically possible and how I would need to go about configuring it?
    Thanks, Simon

    All,
    Just in case you were wondering - when configuring the stage, rather than selecting a custom Approver Determinator, there is a standard one already there called, "Super Access Owner".
    This appears to perform the exact function which I was looking for.
    Enjoy,
    Simon

  • Cutover Plan SAP GRC AC

    Hi all,
    I'm interested in getting some templates for planning and describing a detailed Cutover Plan for SAP GRC Access Control, which includes all activities to perform in each one of the modules of SAP GRC (RAR, ERM, CUP and SPM).
    Does anybody have a template or related information for preparing a cutover plan for SAP GRC AC?
    Thanks in advance,
    Santiago

    Hi Santiago,
    here you could find a AC5.3 Project Plan:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/b00a372f-ddb7-2b10-88aa-d6eaae69a756
    And this is the Pre-Installation Checklist:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/50692df1-67da-2b10-2995-84a0d0c82193
    Best,
    Frank

  • SAP GRC CUP password issue

    Hi,
    to get the user password, I set email reminder, closing, as send password in mail: No and password display period: 0. It throws a password as SAP default string. How can it be a standard password, so the user can reset by entering it? In SAP GRC 5.3 AC-CUP 5.3_05.0, I can't see the password self service tab either. Is there any better way so the user can get the password in email as SAP standard in 8 words (numbers, letters or any special characters as set like us)?

    When I try to create a request type for password self service, I have only these actions to select:
      CREATE_USER  Create User
      CHANGE_USER  Change User
      DELETE_USER  Delete User
      LOCK_USER  Lock User
      UNLOCK_USER  Unlock User
      ASSIGN_ROLES  Assign Roles
      SUPER_USER_ACCESS  Super User Access
      USER_DEFAULTS  User Defaults
    I can't see any action for password self service in Configuration -> Request Type -> Create option. Please answer it.

  • CUP Forks & Security Approver Determinator

    Hi All,
    We are currently working on our CUP workflows and are planning on using forms to distinguish between manual provisioning (systems such as MDM console) and autoprovisioning (ABAP and java stacks). My question is, when we use the fork condition NON-SAP and SAP, where does CUP look to determine this? We are planning on using applications to setup our manual provisioning systems but I also know we could create them as dummy "other" connectors (although messy).
    Also, what is the difference between Security Lead and Security approver determinators when configuring a stage? What IDs does CUP look at for these two? I only see Security Lead under Approvers.
    Thanks!
    Grace Rae

    Hi Grace,
    Forks only work for non-SAP connectors, so you'd have to go for a dummy system if you really need a fork. Alternatively you can choose an initiator based on roles, which will also allow you to fork the request on the first stage.
    The security approver determinator is a group approver which looks for everyone with the UME role "AESecurity" and routes the request to them in parallel.
    Frank.

  • Rule conversion from Approva to SAP GRC AC RAR 5.3

    Hello All,
    We have rule files of Approva in XML format. Please let me know if there is any shortcut method or process to change them into SAP GRC rule files.
    Please help me on this.....
    Thanks in advance
    Jagat

    Jagat,
    the import file structure is documented in the appendix of the configuration guide.
    Now all you need is a PERL or XML style sheet wizard to make one into another (or the ability to generate a flat file download you can work with in Excel).
    Frank.

  • Role Upload template for SAP GRC CUP 5.3

    Good Morning / Afternoon / Evening SAP Security Gurus,
    I am looking to upload end user roles via a role upload template spreadsheet for use in SAP GRC CUP 5.3.  I am referring specifically to the recommended template mentioned in step 11 of the 5.3 Post Installation CUP guide, so that roles can be picked within ERM for workflow.
    According to the guide, it recommends uploading from the backend systems via a spreadsheet - any template versions or advice on finalising this would be most appreciated.
    Best Regards
    Steve

    Thanks Ashish,
    Someone else recommended this option as well via another forum. Have tried it out and working fine. 
    Thanks for the reply
    Steve

  • Create user in SAP GRC AC 5.3 for each module (RAR, CUP, SPM, ERM).

    Hello,
    I have a doubt.
    The users of the modules of SAP GRC AC 5.3 have to be created in the UME of the EP Core, is that right? And then add the roles of each user for each module (RAR, CUP, SPM, ERM), is that right?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    To access GRC AC 5.3 you can create one UME user and assign different roles related to four GRC component.
    Or you can create different GRC user and assign respective components roles.
    The example of GRC Admin role are.
    AEADMIN
    READMIN
    VIRSA_CC_ADMINISTRATOR
    regards,
    Sudip,

  • Add Fields in CUP Request - SAP GRC Access Control 5.3

    Dear Friends,
    I am wondering on how to add fields value in CUP (Compliant User Provisioning) SAP GRC AC 5.3.
    Currently i'm leading 9 SAP Security Coordinators in Indonesia and i want to create Performance Metrics on how long the CUP Requests is processed. It needs to enhance the CUP by adding value Delegation of Authority and the record no. of the DOA requests.
    Really appreciate your inputs on how to add fields value in CUP.
    Thank you so much
    -Mesti-
    Edited by: AnnisaPramesti on Jan 2, 2012 5:37 PM

    Hi.
    Check under http://service.sap.com/instguides
    SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3
    Cheers,
    Diego.

  • Load approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3)

    Hello,
    I want to know if there is a way to load the approvers, solicitors & workflows to the CUP (SAP GRC AC 5.3) massively.
    Best Regards.
    Pablo Mortera.

    Most of the configuration screens in CUP have an export button and an associated excel/text upload template. Use this template to mass create/update configuration data.
    Regards,
    Alpesh

  • Migrating from Approva to SAP GRC AC 5.3

    Hello All,
    One of our clients is using Approva applications; now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide me on how I proceed.
    Key doubts –
    1-How we upload rules in RAR, because we downloaded the rules from Approva.
    2-Creation of mitigation controls etc.
    It would be great if someone could share some documents related to the above.
    Thanks,
    Jagat

    Hi Jagat,
    Once your GRC system is configured. You have to follow the following steps:
    1. Create system connector
    2. Define Master User Source
    3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
    4. Now, as Frank has suggested, you have to convert the downloaded Approva files to .txt files. There are 9 .txt files you have to create:
       1. Business Process
          BusinessProcessId (CHAR 4)     LANGUAGE (CHAR 2)     DESCRIPTION LANGUAGE (CHAR 120)
          *fields are TAB separated
       2. Function
          FUNCTION ID (CHAR 8)     LANGUAGE (CHAR 2)     DESCRIPTION LANGUAGE (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S: Single System, C: Cross System))
       3. Function-Business Process
          FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
       4. Function-Action
          FUNCTION ID (CHAR 8)     TRANSACTION (CHAR 20)     STATUS (NUMC 1 (0 or 1))
       5. Function-Permission
          FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT (CHAR 10)     FIELD (CHAR 10)     FROM VALUE (CHAR 40)     TO VALUE (CHAR 40)     SEARCH TYPE (CHAR 3 (AND, OR, NOT))     STATUS (NUMC 1 (0 or 1))
       6. Rule Set
          RuleSetId (CHAR 8)     LANGUAGE (CHAR 2)     DESCRIPTION (CHAR 132)
       7. Risk ID
          RISKID (CHAR 4)     FUNCTION_1_ID (CHAR 8)     FUNCTION_2_ID (CHAR 8)     FUNCTION_3_ID (CHAR 8)     FUNCTION_4_ID (CHAR 8)     FUNCTION_5_ID (CHAR 8)     BusinessProcessId (CHAR 4)     PRIORITYDESCRIPTION (NUMC 1 (0=Medium 1=High 2=Low 3=Critical))     STATUS (NUMC 1 (0 or 1))     RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
       8. Risk Description
          RISKID (CHAR 4)     LANGUAGE (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
       9. RISK_RULESET
          RISKID (CHAR 4)     RuleSetId (CHAR 8)
    For more information on templates follow the configuration guide.
    Upload these files and generate the rules.
    Hope with this you will be able to continue.
    Thanks & Regards,
    Jitan
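
The tab-separated layouts listed in the post above can be checked before upload, so that a converted rule set does not lose SoD risks to truncated IDs or to functions that were never converted. The following is an added example, not part of the original thread and not SAP tooling; it assumes the files carry no header row and that unused FUNCTION_n_ID slots are left empty, and its sample rows are constructed.

```python
# Layouts transcribed from the post above as
# (field name, max width, allowed values or None). Assumption: no header row.
STATUS = ("STATUS", 1, {"0", "1"})
LAYOUTS = {
    "function_action": [("FUNCTION ID", 8, None), ("TRANSACTION", 20, None), STATUS],
    "function_permission": [
        ("FUNCTION ID", 8, None), ("T-CODE", 20, None), ("OBJECT", 10, None),
        ("FIELD", 10, None), ("FROM VALUE", 40, None), ("TO VALUE", 40, None),
        ("SEARCH TYPE", 3, {"AND", "OR", "NOT"}), STATUS],
    "risk": [("RISKID", 4, None)]
            + [(f"FUNCTION_{i}_ID", 8, None) for i in range(1, 6)]
            + [("BusinessProcessId", 4, None),
               ("PRIORITYDESCRIPTION", 1, {"0", "1", "2", "3"}), STATUS,
               ("RISKTYPE", 1, {"1", "2", "3"})],
    "risk_ruleset": [("RISKID", 4, None), ("RuleSetId", 8, None)],
}

def validate(kind, text):
    """Return (line number, message) for every row that breaks the layout."""
    layout, errors = LAYOUTS[kind], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(layout):
            errors.append((n, f"expected {len(layout)} fields, got {len(cols)}"))
            continue
        for (name, width, allowed), value in zip(layout, cols):
            if len(value) > width:
                errors.append((n, f"{name} longer than {width} chars"))
            elif allowed is not None and value not in allowed:
                errors.append((n, f"{name} has invalid value {value!r}"))
    return errors

def dangling_functions(risk_text, action_text):
    """Function IDs used by a risk that have no row in the Function-Action file."""
    defined = {l.split("\t")[0] for l in action_text.splitlines() if l.strip()}
    used = {f for l in risk_text.splitlines() if l.strip()
            for f in l.split("\t")[1:6] if f}
    return sorted(used - defined)

# Constructed sample rows (IDs and process codes are made up for illustration).
ACTIONS = "AP01\tFK01\t0\nAP02\tF-53\t0\nAP02\tF110\t2\n"
RISKS = ("P001\tAP01\tAP02\t\t\t\tPR02\t1\t0\t1\n"
         "P002\tAP01\tAP09\t\t\t\tPR02\t1\t0\t1\n")

if __name__ == "__main__":
    print(validate("function_action", ACTIONS))
    print(dangling_functions(RISKS, ACTIONS))
```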

    Okay, So a little more than a year ago, i purchased a black macbook that came with the mac os x 10.4.10. i installed it and everything was fine and dandy. However, the computer got stolen, but i still have the two install discs. Recently, i bought a