SPM 10.0 Roles

Hi experts,
I am currently configuring GRC AC 10.0 for a client. I am having an issue when it comes to which roles to assign to each user with regard to SPM (Firefighter).
The Firefighter users that need roles are "FF ADMINISTRATOR", "FF OWNER", "FF CONTROLLER" and "FF USER". The guide I'm referring to (AC 10.0 Centralized Firefighter Access.pdf) says I need the following:
FF OWNER = SAP_GRAC_SUPER_USER_MGMT_OWNER
FF CONTROLLER = SAP_GRAC_SUPER_USER_MGMT_CNTLR
FF USER = SAP_GRAC_SUPER_USER_MGMT_USER
FF ADMINISTRATOR = SAP_GRAC_SUPER_USER_MGMT_ADMIN (not mentioned in guide but I am assuming)
In addition, each needs the SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER roles.
However, I've already realized that the FF ADMINISTRATOR is going to need the SAP_GRAC_SETUP role in order to be able to access the Setup tab within GRC in order to maintain the Access Control Owners and then assign an Owner to a Firefighter ID.
The issue comes up when you need to give the Owners the same SAP_GRAC_SETUP role in order to maintain the Firefighter IDs assigned to them and assign those to the actual end user Firefighters. However, with that role, the Owner would also have access to maintain Owners, Reason Codes, etc.
Questions: Am I going to have to manually edit the authorizations within this role to make this work? Is there an actual list of roles that need to be assigned to each of the users within Firefighter? Or is this a trial-and-error process of adding each role to the user and testing to see which roles they need?
Thanks,
Madhu
Edited by: Madhu Mathew on Sep 16, 2011 11:06 PM

Ashish,
Yes. These roles have been assigned to the test users as well. However, there is also the SAP_GRAC_SETUP role which I mentioned in the message. Without this, the Administrator cannot assign firefighter IDs to owners. The problem is that I need to give the Owners the same SAP_GRAC_SETUP role. The owners should have access to assigning firefighters and controllers to firefighter IDs, but they are also able to edit the owners and reason codes as well.
Thanks,
Madhu

Similar Messages

  • SPM 5.3: Role Based FF

    Dear all,
    Has anyone used the role based fire-fighter before? I have assigned a role to the firefighter owner in /VIRSA/VFAT, but, unlike the firefighter ID, there is no logon button. Can someone explain how to use role based fire-fighter ?
    Thanks & regards,
    Debbie

    Hi Debbie,
    I am assuming that the firefighter role has been created and mapped for the respective user. As per my understanding there is no separate login tab, unlike the user-based firefighter. Only the audit trails can be found in CUP for reference purposes. Like any other T-code execution, he can also perform the firefighter task in the same ID. There would be no separate logon button here.
    If your question is anything else, please revert back.
    Hi Experts,
    Please correct me, if I am wrong.
    Thanks,
    Gurugobinda
    Edited by: gurugobinda harichandan parida on Sep 23, 2009 5:34 PM

  • RE: Different GRC Suites available

    Hi all,
    I am new to GRC and want to know what are the different types of GRC suites available in the market that companies buy from SAP.
    I mean I heard about Business Objects GRC and Access Controller GRC; what is the difference between both these suites?
    thanks in advance.
    Sree

    Sree,
    GRC is a functional area or a department under SAP Business Objects which develops products related to Governance, Risk and Compliance. GRC has different products like Access Control (AC), Process Control (PC), Risk Management (RM) and Global Trade Services (GTS).
    As far as I know, AC (Access Control) is referred to as a suite as it is made of four different modules called Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP), Superuser Privilege Management (SPM) and Enterprise Role Management (ERM).
    For more information, you can look at the following link or contact your SAP AE.
    http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
    Regards,
    Alpesh

  • Tcodes & Roles for SAP GRC AC 5.3 SPM in R/3

    Hello,
    After installing part of the SAP GRC AC 5.3 SPM in the Tcode SAINT (R/3),
    I want to know what Tcodes I need to use the Tcode /VIRSA/VFAT.
    Or what type of roles do I need? Are there some?
    I have read the PDF "SAP Governance, Risk & Compliance Access Control 5.3 - 02 Post-Installation - SPM.pdf", and I have seen some roles. Are these the standard roles for the SPM in R/3?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    In 5.3 we can use the SPM in two different ways.
    1. FFID based: In this you make a user an FFID and then you use this FFID to perform all the actions.
    User-based roles are for the above.
    2. Role based: In this you assign the roles (maintained in SPM) to the user.
    Role-based roles are for the above.
    The basic difference is that in the first one you use a user (FFID) to perform the activities, whereas in the second you use roles (which are maintained in SPM).
    You can get more details of this in user guide and configuration guide.
    Regards,
    Shweta

  • SPM Detailed Role level Reports don't show and other minor usage issues

    We have successfully installed SPM on our DEV and QA boxes and are trying to test our reporting.  We have setup role based firefighter and have got it to work on the ABAP side as well as on the Java side.  However, when I go to the Role Reports in the web UI for SPM, and I run the Log Report, I have a problem.
    The Log Report pulls the role firefighter data from the backend and displays it.  There is an icon at the top right called "Display Detailed Reports", and upon clicking it, it tells me there's no match or conflict found.
    However if I go into the firefighter tcode and then look at the same logs, there is a little more detail which I'd have expected to see in the web based detail report.
    Do you know what I'm missing?  I already checked the trace for any auth failures, and there is no auth failure.
    Thanks,
    Santosh

    Santosh,
    Which traces have you run? I have a few similar issues which may benefit from running a trace.
    The only other authorisations I would check is that the RFC / Connector user has the authorisations to be full logs in both the backend and web versions.
    Simon

  • GRC SPM 5.3: Auth. object GRCFF_0001 in the role /VIRSA/Z_VFAT_FIREFIGHTER

    Hi experts,
    According to latest version of "SAP GRC Access Control 5.3 Security Guide" available on SAP service marketplace:
    https://websmp105.sap-ag.de/~sapdownload/011000358700000406492008E/AC53_Sec_Guide_en.pdf
    I should assign the default role "/VIRSA/Z_VFAT_FIREFIGHTER" to FF users. (see page 18):
    Base user authorizations required to logon as a firefighter. The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC5.3 SP07.
    The authorization object GRCFF_0001 field ACTVT is * as per default, and as the Sec. Guide says, see page 22.
    What is this authorization for?
    The documentation of this field (PFCG-> press <F1> on object) states following:
    "Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
    I've removed this authorization completely from the role "/VIRSA/Z_VFAT_FIREFIGHTER" and users can still use their FF without problems.
    The problem is in the case of a user having the following auth:
    GRCFF_0001 ACTV *
    S_TABU_DIS  ACTV 02  Table group: Z****
    This combination allows FF users to change all the configuration tables in tx. /n/virsa/vfat.
    What do you think? Is the security guide correct? Why should we give FF users this authorization? As I said, I've removed this auth from the role and all works fine anyway.
    Regards
    Diego.

    Hi sunny,
    I've removed the authorization from the users. It means, no user has this authorization. I've checked it using SUIM. I've done a lot of test already.
    If you've a look at the sec. guide, you'll understand what I'm saying. Note for example the role /VIRSA/Z_VFAT_ID_OWNER and compare it with /VIRSA/Z_VFAT_FIREFIGHTER.
    As per the security guide an owner should have ONLY ACTV 02 and 03, while I should give FF users *. This makes no sense at all. ACTV * should be granted only to admins.
    Again, note what this authorization is for:
    "Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
    Do you think it is correct to give FF users ACTV * taking into account this definition from PFCG?
    Cheers,
    Diego.
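To make the combination Diego describes above checkable across many users, here is an added example in Python (not code from this thread and not SAP's own tooling). It scans a constructed, simplified flattening of the user/role/authorization-value rows you would read out of SUIM and reports users holding GRCFF_0001 ACTVT `*` together with S_TABU_DIS ACTVT 02 on a Z* table authorization group (S_TABU_DIS field DICBERCLS). The sample users, the role name Z_TABLE_MAINT and the group ZVFA are assumptions made for the example.

```python
"""Flag users who hold the over-privileged authorization combination
from the GRCFF_0001 thread: full activity on GRCFF_0001 plus change
access (02) on a Z* table authorization group via S_TABU_DIS.

Added example, not SAP code. Input rows are a constructed, simplified
SUIM-style flattening: (user, role, auth object, field, value).
"""
from collections import defaultdict

# Constructed sample data. FFS is a firefighter user, FFO an owner,
# FFC a controller. Role Z_TABLE_MAINT and group ZVFA are assumed names.
SAMPLE_ROWS = [
    ("FFS", "/VIRSA/Z_VFAT_FIREFIGHTER", "GRCFF_0001", "ACTVT", "*"),
    ("FFS", "Z_TABLE_MAINT", "S_TABU_DIS", "ACTVT", "02"),
    ("FFS", "Z_TABLE_MAINT", "S_TABU_DIS", "DICBERCLS", "Z*"),
    ("FFO", "/VIRSA/Z_VFAT_ID_OWNER", "GRCFF_0001", "ACTVT", "02"),
    ("FFO", "/VIRSA/Z_VFAT_ID_OWNER", "GRCFF_0001", "ACTVT", "03"),
    ("FFO", "Z_TABLE_MAINT", "S_TABU_DIS", "ACTVT", "02"),
    ("FFO", "Z_TABLE_MAINT", "S_TABU_DIS", "DICBERCLS", "Z*"),
    ("FFC", "/VIRSA/Z_VFAT_ID_OWNER", "GRCFF_0001", "ACTVT", "03"),
    ("FFC", "Z_TABLE_DISPLAY", "S_TABU_DIS", "ACTVT", "03"),
    ("FFC", "Z_TABLE_DISPLAY", "S_TABU_DIS", "DICBERCLS", "ZVFA"),
]

# The combination quoted in the thread. Every condition must be met by
# some value the user holds for that object/field.
CONFIG_TABLE_MAINT = {
    "name": "FF user can maintain /VIRSA/VFAT configuration tables",
    "conditions": [
        ("GRCFF_0001", "ACTVT", "*"),         # full activity on the FF object
        ("S_TABU_DIS", "ACTVT", "02"),        # change access to tables
        ("S_TABU_DIS", "DICBERCLS", "ZVFA"),  # a Z* table authorization group
    ],
}


def value_covers(held: str, wanted: str) -> bool:
    """SAP-style value match: '*' covers everything, a trailing '*' is a
    prefix wildcard, anything else must match exactly."""
    if held == "*":
        return True
    if held.endswith("*"):
        return wanted.startswith(held[:-1])
    return held == wanted


def index_rows(rows):
    """user -> (object, field) -> [(role, value), ...]"""
    idx = defaultdict(lambda: defaultdict(list))
    for user, role, obj, field, value in rows:
        idx[user][(obj, field)].append((role, value))
    return idx


def evaluate(rule, user_auths):
    """Return the sorted roles that satisfy all conditions, or None if any
    condition is unmet (the combination only bites when all hold)."""
    hits = set()
    for obj, field, wanted in rule["conditions"]:
        matched = [role for role, held in user_auths.get((obj, field), [])
                   if value_covers(held, wanted)]
        if not matched:
            return None
        hits.update(matched)
    return sorted(hits)


def find_violations(rows, rule=CONFIG_TABLE_MAINT):
    """Map each violating user to the roles that contribute to the hit."""
    idx = index_rows(rows)
    result = {}
    for user in sorted(idx):
        roles = evaluate(rule, idx[user])
        if roles is not None:
            result[user] = roles
    return result


if __name__ == "__main__":
    for user, roles in find_violations(SAMPLE_ROWS).items():
        print(f"{user}: {CONFIG_TABLE_MAINT['name']} via {', '.join(roles)}")
```

Only FFS is reported: FFO holds 02/03 on GRCFF_0001 (the owner values the guide prescribes) and FFC has display-only table access, so neither meets every condition.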

  • SPM Reporting - Log reports display on front end

    Hi,
    We have implemented GRC 5.3 and have an issue on the SPM reporting through the front end.
    We have done config in dev and have the following jobs running in the background every 1 hour:
    1. /VIRSA/ZVFATBAK
    2. /VIRSA/ZVFAT_LOG_REPORT
    3. /VIRSA/ZVFAT_V01
    4. /VIRSA/ZVFAT_V03
    The log on the back-end displays all activity of FF user, but when going to the front end I seem not to get any reports to display.
    We have created the connectors via the config page, but when trying to drill through the selection criteria we found that the FF user does not come up as a selection variable. We see the system defined though.
    Any suggestions how to get the reporting to display on the front-end?
    Kind Regards, Melvin

    Santosh,
    You should only need the /virsa/zvfatbak job running in the background. However, if the emails are not triggered for the log reports, you may wish to schedule the /virsa/zvfat_log_report program to run after completion of /virsa/zvfatbak as that is the program which actually sends the notifications.
    Regarding the RFC user, check the authorisations held in the Firefighter Administrator role as those will not be too far away!
    Simon

  • Upload SPM data in GRC 10.0 CEA

    In version 5.3 there was an upload functionality in the SPM cockpit for all the FF data (user, controllers, owners etc.)
    Is such a functionality also available for GRC 10.0 CEA? We are using CEA over 66 SIDs and then it is a lot of work to create the users and connect them to their role of controller/user. How can these elements be uploaded in mass?
    Can we use the transaction GRC_GRAC_MIGRATION for this? If that is the case, does anyone know the configuration of the data.dat files? I don't have a 5.3 version to access so I can't check this.
    GRACSPMUSERdata.dat
    GRACSPMIUSERTdata.dat
    GRACSPMOBJECTdata.dat
    GRACSPMOBJECTTdata.dat
    GRACSPMRCODEdata.dat
    GRACSPMRCODETdata.dat
    GRACSPMRCODESYSdata.dat
    GRACSPMCTRLdata.dat
    GRACSPMCTRLTdata.dat
    GRACSPMOWNERdata.dat
    GRACSPMOWNERTdata.dat
    If this is not a possibility, please advise how to create users in mass for CEA.
    Thanks.
    Best Regards,
    Jurgen.

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • GRC 10 EAM - Unable to assign Firefighter roles to owners

    Greetings SAP gurus,
    I am currently on a new GRC 10 installation and having issues with the Emergency Access Management (EAM) component previously known as FireFighter or SPM. Note: We are trying to implement the Firefighter "Role-Based" approach.
    Issue: We are unable to assign EAM roles to owners within NWBC. Click on 'Assign owners to Firefighter IDs and provision Firefighter IDs to firefighters' via the Access Management tab within NWBC, option Superuser Assignment. Click on Assign. We are able to find the owners, but when I search for roles to assign, I get the error 'No records found for the search criteria entered'.
    We are on SP7.
    Items completed:
    1) All post installation tasks were completed correctly, i.e. BC sets activated, connector groups created and working.
    2) EAM roles created on target system and imported via BRM.
    3) EAM role properties edited for "Firefighting' usage in BRM, role owners defined, functional areas defined, business process and sub process areas defined.
    4) Access control owners (i.e. role owners and controllers) defined.
    5) The ID being used for configuration is currently assigned all GRC_NWBC roles available.
    6) The connector groups are working fine and we are using them for the Access Risk Analysis component, which is working fine.
    7) The post-EAM configuration steps have been completed.
    Has anyone else experienced a similar issue?  I look forward to your responses.
    Rgds,
    Prevlin Moodley

    Hello Prevlin,
    Are you using a FF role owner for the assignment. This might be helpful:
    Note 1289579 - Firefighter Owner additional authorization for Role based FF: https://service.sap.com/sap/support/notes/1289579
    Cheers,
    Diego.

  • Delete standard queries in SPM

    Hi All,
    We are on SPM 2.1 SP5. SPM out of the box lists the standard queries as the list of datasources on the SPM UI. In my current assignment we don't use any queries other than Spend Analysis Final and Spend Analysis Detail. We would ideally like to delete all the remaining queries from the front end. When I go to Administration --> Analysis Administration --> Application Properties --> Datasources I see a delete icon next to each data source. But for some reason there is no action after clicking the delete icon next to standard datasources. I could, however, successfully delete "Z" datasources created and added by me.
    PS: Datasources above means the Bex queries included in SPM UI as datasources.
    - Help Appreciated.
    Regards,
    Sampat Desai

    Hi Sampat,
    I think you need the content creator role for this, create a blank ABAP role ZXSA_CONTENT_CREATOR and assign it to yourself in the back end (SU01). Or you can do it in the UI if you have the relevant auths. That should enable you to delete the out of the box data sources. Be careful with this role, you can delete all standard content. Also, SAP say you should only have this role applied for a specific action that explicitly requires it, not general use, so either create a special user for it, or remove it after completing the aforementioned action.
    I would also recommend upgrading to the latest SP, SP6 patch 4, as there are some important fixes for issues that were affecting our system.
    Hope this helps, let me know if it works
    Thanks
    Neil

  • SPM:Misc Queries

    Hi
    Need help with below queries
    1) When a user with only an SPM role logs into the portal, he can see Spend Performance Management mentioned 3 times. Can we make it visible just one time?
    2) Can we restrict language in SPM UI only  to english?
    3) Can we edit the description for time zone in SPM i.e e.g. ESTNO -Eastern Time(Indianapolis) to Eastern Time (US)?
    4) What is the minimum Internet Explorer version supported by SPM?
    Regards

    Hi Malathi,
    We have that open under an OSS message at the moment. Apparently a "fix" for this is due to be released for this in the coming days SP6 patch 2 I think.
    I believe this will state that you're attempting to run in an incompatible language.
    I understand the requirement here as the portal supports more languages than SPM, so a user will have to change their entire portal language to use SPM and this will affect any language-dependent master data texts in other portal applications.
    You may wish to verify this via OSS?
    Kind regards
    Neil

  • Configuring error message in BEx link in SPM 2.1

    Hi,
    Currently working on Spend Performance Management(SPM) 2.1 application. I am trying to configure error message which pops up along with BEx link whenever we run reports with large amount of data.
    I would like to configure error message so that it displays "Large data in report", hence user find it easier to understand why he is being given BEx link.
    Please guide me on this.
    Regards,
    Deeraj.

    Hi,
    As suggested above, you'd have to remove the content creator role if your user profile has it.
    When you:
    - go to application properties > General > Warning mesg for large reports (field),
    - change the default message,
    - hit save and log out of the application,
    - log back in,
    - go back to application properties > General > Warning mesg for large reports (field),
    do you see the message you had entered in step 2 above?

  • Data Uploads done with one User Id not visible to other users in SPM

    Hi,
    Data uploads were successfully carried out by one of the SPM users. However, other users (with different user id) are not able to see anything in the Data Upload Summary screen.
    Is there a restriction on the visibility of Data Upload Summary for data uploads carried out with one User id to other users in SPM? A similar behaviour is observed for other screens within the Data upload workbench.
    In case this is not the expected behaviour, it would be great if you could please provide pointers to possible reasons for this.
    Just for your information, all users have been granted same privileges in the SPM application.
    Thanks in advance.
    Regards,
    Ashish Sharma

    Hi Ashish,
    No this is not the expected behavior. We have seen this issue for other customers in the past but the reason has always turned out to be role related.
    Can you ensure that the required SPM roles are assigned to the users who do not see the DM data, both in ABAP as well as in the portal?
    Thanks,
    Divyesh

  • SPM integration with CUP 5.3

    All the issues regarding SPM integration with CUP are resolved, with the exception of one which is mentioned below:
    Any user can go and raise a request for the FF ID from the CUP Super User Access workflow, and they are created in the backend, but they do not get access to the FF ID when trying to log in.
    My query: is there any means to capture the user detail much in advance while the request is processed in the workflow and reject the request before it could be created and stored in the backend?
    Ideally the user not having the minimum privilege of "/VIRSA/Z_VFAT_FIREFIGHTER" should not log in with the FF ID, which is met here, but this is checked only after the user gets access to the FF ID and tries to log into the FF ID using his login details.
    Please put some clarity on this.
    Thanks,
    Abhimanu Singh

    Hi Sabita,
    Thanks for the reply, but this does not answer my question. Let me go into detail on this topic:
    SAP Backend:
    We have FF ID Owner, FF ID Controller, FF ID and Firefighters in the Backend.
    The FF ID owner has the minimum role required for becoming the owner, /VIRSA/Z_VFAT_ID_OWNER.
    The FF ID Controller is created with the minimum role /VIRSA/Z_VFAT_ID_OWNER for the purpose of monitoring all the reports.
    FF ID is defined with the defined task in the role being assigned to it.
    Firefighter is created with the minimum role /VIRSA/Z_VFAT_FIREFIGHTER to get the access to FF ID for the limited period as defined by the FF ID Owner.
    For example:
    FF ID Owner: User ID is FFO
    FF ID Controller: User ID is FFC
    FF ID: User ID is FID
    Firefighter: User ID is FFS
    Now the Question is from
    SAP Frontend Java stack
    I can see that the users (other than FFS) who are not defined as firefighters in the backend can still go and put in a request for FF ID access and get provisioned.
    When you go and check in the backend with the firefighter Owner ID/FF Administrator ID you can see the requested user listed there with the limited time period in the firefighter list.
    Now comes the real picture: when this user(other than FFS) tries to login using his user ID he will not get the FF ID Login link on the page which is ideally correct. This is because any user not defined as firefighter in the backend with the minimum role /VIRSA/Z_VFAT_FIREFIGHTER should not get the access to FF ID.
    My question comes here:
    Is there any option in the frontend which could inform the user (other than FFS) much in advance and stop him requesting for the FF ID which has no meaning since it is finally not going to get the access in the backend to the FF ID.
    Please get back to me if you require some more information.
    Thanks,
    Abhimanu Singh

  • Who joins the FF ID & the User ID in the SPM (GRC AC 5.3)

    Hello,
    I have SAP GRC AC 5.3. I have configured the CUP for the SPM.
    Which user makes the connection between the FF ID and the user that requests that FF ID? Is it done by the RFC user connected to the R/3, or by the Owner of the FF ID?
    I want to know if it's the RFC user, so that I know whether I have to give him the special role of the FF Administrator or not.
    Best Regards.
    Pablo Mortera

    Pablo,
    CUP uses the same RFC user you have defined in the connector section for that particular SAP backend system where SPM is installed. Have a look at the following doc for more info:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2086538f-038e-2b10-da83-b84afc042cf1&overridelayout=true
    Regards,
    Alpesh
