SAP GRC AC ARM -Access Request approval

Dear Community Members,
my question relates to practice advise in respect to risk analysis type on access request.
Can anybody share experience with type of analysis on access request.
According to SAP HELP we have: In the Analysis Type dropdown list, select the relevant analysis type.
You use Risk Analysis to determine violations pertaining to the authorizations assigned to the role. For example, when the authorizations result in segregation of duties violations.
You use Impact Analysis to determine authorization violations pertaining to other roles. That is, the authorizations for the selected role, in combination with authorizations for another role, result in violations
In particular I am interested when I have requested Role A and Role B with both creates SoD risks, would this be catch by access risk analysis during request creation? Assuming user have no role at backend.
Thanks,
Filip

Hi Filip,
Yes, your understanding is correct.
Risk analysis in the access request is intended to find out any sorts of risks associated to the roles in the request inaddition to the roles assigned to the user already.
When Risk analysis is performed, it will take into account all roles which are added to request and show the correct results.
You can also run the simulation to see what will happen if the role is assigned to user beforehand.
Regards,
Shweta
SAP - GRC

Similar Messages

  • GRC 10.0 Access request Management Audit

    Hello All,
    Can Anyone let me know what  Auditors Check When they Audit GRC 10.0 Access request Management (excluding Configuration).
    Thanks
    Mohammed Wasim

    Hi,
    ARM supports key ITGC controls for user access management, so probably audit would also cover:
    - review of updated processes & controls
    - check (based on sample) if all requests were properly approved
    - review of correctness of approvers assignment
    - verification if what was requested was provisioned
    - timely removal of terminated access
    - review of SoD controls embedded in process
    - periodic review of user access
    and maybe some more controls. In most cases it will be sample based testing so auditors may ask for a sample of requests to trace them to back-end systems and opposite sample of changes in users privileges to verify if proper requests were prepared for those changes...
    Sometimes they could perform more tests on configuration and process, but this is up to particular auditor.
    Best regards, Andrzej

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
    Scenario 1: If we put the user name in “User” field and press intro, the user details are updated:
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application give us the following message: “No records found for the search criteria entered.”
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaning the parameter 2050 as YES and check once.
    Kindly, also make refer to  the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242- UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • SAP GRC 10 - PSS Access from SAP ECC System

    I have configured Password Self Service in GRC System and is working perfectly fine for all password resets if access provided to NWBC from  GRC System.
    We have requirement to provide end users to reset password using SAP ECC System only. I have tried to access NWBC using SAP ECC System but is giving me error that Menu not configured or roles not assigned.
    Currently Maintain Data Sources is configured as below
    User Search Data Sources , User Detail Data Sources  & User Authentication Data Sources set to ECC Connector and End User Vertification Set to yes.We are not using LDAP / Active Directory for the User Search Database and instead ECC Only
    Can anyone provide the roles to be assigned in SAP ECC System to access NWBC - Password Reset .

    Hi Anil,
    In support to Colleen's comments, It seems that you have not configured the USER on the End User Services.  You need to make sure that the guest user (not available in GRC) is configured in each of the 10 services in SICF for the end user Login Pages to work.
    Here are the 10 required services to be activated:
    1.)GRAC_OIF_MY_PROFILE_EU
    2.)GRAC_GAF_NAME_CHANGE_SERV_EU
    3.)GRAC_POWL_REQUEST_STATUS_EU
    4.)GRAC_GAF_PWD_SELFSERVICE_EU
    5.)GRAC_OIF_USER_REGISTER_EU
    6.)GRAC_GAF_ACCREQ_WITH_REQREF_EU
    7.)GRAC_OIF_REQUEST_SUBMISSION_EU
    8.)GRAC_GAF_ACCREQ_WITH_TEMPL_EU
    9.)GRAC_GAF_ACCREQ_WITH_USEREF_EU
    10.)GRAC_UIBB_END_USER_LOGIN
    You can refer note#http://service.sap.com/sap/support/notes/1628387
    If the user is not present in GRC system then, they have to go with end-user-logon page to reset their passwords where you can always define the user authentication configurations.
    Regards,
    Ameet
    Message was edited by: Ameet kumar

  • GRC 10.0 Access Request Creation- Data Source of User Details

    Hi Experts,
    I was doing GRC 10.0 Configuration and found a query which I am not able to resolve.
    While creation of any kind of Access Request in GRC through NWBC> Acces Management Tab>Access Request>Access Request Creation.
    In the user details section, I can see the HR records( like Pernr, position, manager) have been visible to some extent.
    My question is where from these details came in GRC. What configuration we should maintain to achieve these HR records?
    Hope to get a quick response as this is one of the requirement of the implementation which I am doing with my customer.
    Thanks,
    Atanu

    Alessandro,
    Thanks for your response. It helped me to know certain things.
    But when I am navigating to SPRO > GRC > Access Control > Maintain Data Sources Configuration > [User Detail Data Source], it is configured with a ECC system in target connector and User data type is maintained as "SU01".
    Now my question is where from in my case the GRC is pulling the HR records (PA20) like PERNR, POSITION,PERSONEL AREA etc? SU01 does not provide these information. My ECC box is integrated with HR module, so is it taking the data from HR directly?
    Thanks in advance!
    Atanu

  • GRC 10.1 Access Request - Provisioning Logs Not Available

    Hello guys,
    I am currently running into an issue with the user provisioning logs, the Request Approval notification which is sent to the user are at the end of an approved access request are as below and the Provisioning Logs tab is throwing a timeout error when opened.
    "Hi Varsha Upadhyay (B001193),
    The Request number : 26 , has been processed and the Request is Closed. The details are as follows:
    Provisioning failed; check provisioning log for details.
    Kind regards,
    Access Control Administrator "
    I have checked the table 'GRACREQPROVLOG'  and I see the logs available in the table, When I open the logs for a particular request no I see the below error message under the 'Prov Message' field
    "Type conflict when calling a function module (field length)"
    Similarly in SLG1, I find the following message at the end of each provisioning task that has taken place at the end of a request being approved.
    "Error in RFC; 'Type conflict when calling a function module (field length)'.
    I made sure I gave SAP_ALL to all the RFC ID's and also the WF-BATCH ID's, and the integration scenarios are also defined correctly for all the target system.
    It seems that this error is just preventing the provisioning details from being displayed in the email or in the Provisioning logs, but the user provisioning has actually taken place as expected (viewed in SU01).
    So i'm wondering even after provisioning has actually taken place successfully, why would this error occur. Does anyone know the source for this error message, please let me know what am I missing?

    Hi Narsimha,
    The error seems to be associated with wrong type being passed as a parameter to a function module.
    Can you check the field mapping for your connectors in SPRO? There might be a mismatch happenning there.
    Thanks
    Sammukh

  • GRC 10.0 Access Request workflow error

    Hi,
    While creating change request in AC10 to assign roles I get task errors (see example in attachment) and request does not appear in approver`s (manager stage) work Inbox.
    Can anyone help and advice what can be missing and what should be checked additionally?
    I`ve checked all configuration settings as described in Post-Installation and Pre-Implementation docs but still get the same error and request does not appear in work Inbox.
    WF-BATCH user has assigned in GRC system roles as below:
    SAP_BC_BMT_WFM_SERV_USER
    SAP_GRC_FN_ALL
    SAP_GRC_FN_BASE
    Thanks a lot for advice!
    Aga

    Hi
    yes it helped. Now no errors on this stage and request appeared in manager work inbox. I`ve only assigned recommended roles as first. It looks like I need to look for additional roles for both users or authorization objects which are missing for SAP standard roles to avoid assignment of SAP_ALL.
    Thanks a lot!!!
    Regards,
    Aga

  • Access request creation - select roles screen - field boxes were not aligned

    I'm not sure if this is really the screen of SAP GRC 10.1 access request creation. The field boxes were not aligned. Is there a note to fix this issue? Thank you.
    Regards,
    Jenilyn

    Hi Mohamed,
    Even I used Google Chrome, it's the same. Still facing the same issue. Is there any other way to solve this issue?
    Thank you.
    Regards,
    Jenilyn

  • SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"

    Hi,
    when configuring a stage, a standard approver determinator called "Super Access Owner" could be selected.My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
    "If you select Superuser Access Owner as the approver determinator, the system
    fetches the configured owner from the SAP system where the Superuser Privilege
    Management is installed and assigns the request to that particular approver." 
    I do not really unterstand where to specifiy. Is it the former FireFighter in the backend.
    Did anybody user this Approver Determinator already?
    Thank you in advance.
    Marco

    Hi Marco,
    Yes this approver is defined in the backend Firefighter which is now Super User Privelege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for  Integration of Compliant User Provisioning and Super User Privelege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
    In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
    Hope this helps.
    Harleen

  • Add Fields in CUP Request - SAP GRC Access Control 5.3

    Dear Friends,
    I am wondering on how to add fields value in CUP (Compliant User Provisioning) SAP GRC AC 5.3.
    Currently i'm leading 9 SAP Security Coordinators in Indonesia and i want to create Performance Metrics on how long the CUP Requests is processed. It needs to enhance the CUP by adding value Delegation of Authority and the record no. of the DOA requests.
    Really appreciate your inputs on how to add fields value in CUP.
    Thank you so much
    -Mesti-
    Edited by: AnnisaPramesti on Jan 2, 2012 5:37 PM

    Hi.
    Check under http://service.sap.com/instguides
    SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3
    Cheers,
    Diego.

  • HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

    hi sap gurus,
    i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
    SAP_GRAC_ACCESS_APPROVER
    SAP_GRAC_ACCESS_REQUEST_ADMIN
    SAP_GRC_FN_BASE
    SAP_GRC_FN_NUSINESS_USER
    and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
    but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
    the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
    can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
    I will be very much thankful if you guide me successfully.

    Hi Colleen,
    thanks a lot for your time.
    PIC1: I created one user: GR_AR_APP001
    and assigned all the GRC ROLES.
    PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
    PIC3: I created one EUP 980 (copied from default EUP)
    PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
    PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
    PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
    PIC7: I saved agent id
    PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
    PIC9: I saved
    PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
    PIC11: Maintain Route Mapping, I clicked on next
    PIC12 and PIC13: I saved and activated.
    After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
    now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
    please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
    thanks for your support Colleen.

  • Integrate external identity management solution in SAP GRC Access Control

    We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
    thanks
    Detlef

    Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
    what do the published webservices do? Is there any documentation about them?
    In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
    The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
    Other thing that we want to do is to create a job where it would automatically desassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls)
    IMHO as a former programmer, these are classic cases where I would like to consume some webservices for this tasks to avoid a lot of ctrc ctrlv from the operators (inefficient and error prone)
    VCC has any documentation that would help me to find how I would do this integrations?
    Thanks in advance

  • Error while trying to submit Access request to GRC from IDM

    Hello
    We have SAP IDM 7.2 SP8 installed and done all the prerequisite for connecting to GRC AC 10 as in configuration document.
    We are trying to submit request to GRC using Standard GRC provisioning framework task ( AC Validation) but pass: Submit AC Request fails with error: "Pass stopped by script"
    Is there anything wrong with the script which put RoleData details since its getting aborted ?
    I tried providing Role name directly in Role data attribute inside the action task and got following error:
    Error
    putNextEntry failed
    storingcn=IDMUSR0023,ou=useraccessrequest,o=grc
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code
    82 - (GRC User Access Request:82:Script execution failed)]; remaining name
    'cn=IDMUSR0023,ou=useraccessrequest,o=grc'
    I checked VDS Logs and there was one error :
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR
    From where exactly ITEM NAME field value will be fetched and pass to GRC for request creation ?
    Regards
    Deepak Gupta

    Thanks Christopher
    I got my issue fixed, There was issue with my GRC Initial load job which couldn't enrich repository privileges and hence the issue was coming since script wasn't able to find GRC ROLE ID and Application ID attribute from privileges.
    Regards
    Deepak Gupta

  • GRC CUP Error creating request. Approver not found

    Hi,
    We just upgrade from GRC CUP 14 to GRC CUP 15.6 support pack.I already performed post upgrade steps and when i try to create a request i am getting approver not found.i didnot change workflow.In stage for role approver we have approver determinator "role".
    system log report
    com.virsa.ae.workflow.NoApproverFoundException: No approvers found for req no : 493, for reqPathId, 662, for path, PROD_APPRV_PATH and approver determinator : Role
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleApproversTransactions(WorkFlowBOHelper.java:1469)
         at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.handleWFForNewPath(WorkFlowRequestCreateHelper.java:278)
         at com.virsa.ae.workflow.bo.WorkFlowRequestCreateHelper.createNewWorkflow(WorkFlowRequestCreateHelper.java:167)
         at com.virsa.ae.workflow.bo.WorkFlowBO.saveNewWorkflow(WorkFlowBO.java:120)
         at com.virsa.ae.accessrequests.bo.RequestBO.saveNewRequest(RequestBO.java:579)
         at com.virsa.ae.accessrequests.actions.CreateRequestAction.createRequest(CreateRequestAction.java:381)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.createRequestHandler(EUCreateRequestAction.java:135)
         at com.virsa.ae.accessrequests.actions.EUCreateRequestAction.execute(EUCreateRequestAction.java:68)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Please let me know solution ASAP.This is high priority.
    Thanks
    Yakoob.

    It looked like some old request stuck in DB.But, not sure about it.I tried by changing the number ranges in configuration by giving the current request number in "from number",but it didn't work.
    This is strange some time it gives "error creating request: path not found." and once this error gone then "error creating request : approver not found".
    To avoid this i created one more stage by custom approver determinator with application attribute and approver assiged.This stage, i assigned before role approver stage then it worked,Request get created and request get provisioned.
    i don't understand why it's not working,if i assigned role approver stage first in a path of workflow.role approver (approver determinator:"role" standard one, "approver" gets from configuration:roles:create role:role approver OR upload from role import).
    Please help
    Thanks
    Yakoob.

  • GRC 10.1 Simplified Access Request and Remediation View Issues

    Hi Everyone,
         We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and am having the following issues--has anyone else also experienced?
    In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
    In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks the same request:
    I’ve checked the following things:
    I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
    I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
    It looks like we are on the latest support packs:
    Any help on this would be greatly appreciated!
    Thanks,
    Brett

    Hi Brett,
    For Remediation issue you can check the below thread.
    http://scn.sap.com/thread/3574790
    Regards,
    Neeraj

Maybe you are looking for

  • What to look for when i download

    Hi, Im a previous Dell user and as of today i converted to the macbook pro 13". Im still familiarizing myself with the laptop and the system. On my previous laptop i just downloaded things without a worry, however in the apple store today i was told

  • Is it possible to retrieve a backup that is not available on the drop-down bar in iTunes "restore from backup"?

    I was attempting to sync my phone so that I could get all of my pictures on the computer to free up some space on my phone. I have done this several times before with no problems. An error message popped up informing me that I needed to update my pho

  • Can't get past Terms of Use

    I'm trying to download Acrobat XI free trial to my MacBook Pro. First step is to accept the terms of use. But it will only let me scroll part of the way down. It stops me at 24.9, so I can't get to the box to check to indicate I accept the terms of u

  • Activity step is not visible in workflow log

    Hi All. I added two task  in my workflow and transported it to qualityand it got transpported successfully. then i triggered the workflow and when i am checking the log one of my task is not visible in my log. Please guide me in this. Thanks in  adva

  • Essbase server - automatic change of substitution variable from SQL

    Hi,I would like to automaticaly change the substitution variable in Essbase Server. Is it posible to change the substitition variable from external source e.g. SQL statement?Simple sample:I would like to assign value "2003" to "CurYear" substitution