Quantcast
Channel: SCN : Popular Discussions - Governance, Risk and Compliance (SAP GRC)
Viewing all 1383 articles
Browse latest View live

GRC 10.1 EAM getting Incorrect Password at Firefighter Logon

December 17, 2014, 12:32 pm
$
0
0

Hi SCN community,

   Kind of an odd ball issue I am seeing in GRC 10.1's emergency access area.  We have one particular firefighter that is no longer allowing users to login as it through GRAC_EAM, while other firefighters work just fine.  The error we are getting is either:

Incorrect Name/Password

Too many failed attempts account locked

 

I have attempted:

Reset the password of/unlocked the firefighter account (both to a set value, and the generate password), closed SAP, and tried to logon as the firefighter again

Ran EAM Master Data Sync through SPRO on our GRC box

 

I do not see any errors in SLG1 or ST22 (both GRC and the plug in system, in this case our ECC environment) that line up with the time of my attempts of trying to logon as the firefighter.

 

Has anyone seen this happen before, and how did you fix it?  My next option im weighing is dropping the account and recreating it.

 

Thanks,

Josh

Search

GRC at GERMAN bank

December 17, 2014, 10:12 pm
$
0
0

Dear Community,

 

I have to prepare a benchmark analysis and want to know if SAP GRC is already in use at a GERMAN bank like 'Deutsche Bank'.

If someone knows, please let me know which bank.

 

Thanks for your support in advance.

 

Kind Regards

Matthias

Issue in GRC EAM 10.0 Firefighter user not able to view Logon tab

December 19, 2014, 6:25 am
$
0
0

Hi All,

 

We have configured GRC 10.0 EAM centralized Fire-fighter. When end user logons into GRC system and execute Tcode GRAC_SPM then user not able to view logon tab in GRC system. Please mention the authorizations and Roles required for Firefighter User in source and target system.

 

Thanks& Regards,

Shivani

Error while creating Single role -BRM - Uncaught Exception CX_FDT_INPUT

December 20, 2014, 3:57 am
$
0
0

Hi,

 

I am trying to create Single role and getting error when i click Save or Save and continue.

 

Version I am using is:

Version.jpg

 

 

This is occurring when I go to Owners/Approvers tab and as 'Add' button is disabled, I am clicking 'Save' as shown below.

Single_Role_Def.jpg

 

The error I am getting is:

Error.jpg

From the tcode ST22, the info i got is: (error is in line 33, red in color)

 

----------------------------------------------------------------------------------------------------

Category               ABAP Programming Error

Runtime Errors         UNCAUGHT_EXCEPTION

Except.                CX_FDT_INPUT

ABAP Program           CL_GRFN_AC_BRFP===============CP

 

Application Component  GRC

 

Short text

     An exception occurred that was not caught.

 

What happened?

     The exception 'CX_FDT_INPUT' was raised, but it was not caught anywhere along

     the call hierarchy.

 

     Since exceptions represent error situations and this error was not

     adequately responded to, the running ABAP program

      'CL_FDT_FUNCTION===============CP' has to be    terminated.

 

Error analysis

     An exception occurred that is explained in detail below.

     The exception, which is assigned to class 'CX_FDT_INPUT', was not caught in

     procedure "EXECUTE_BRF_RULE" "(METHOD)", nor was it propagated by a RAISING

      clause.

     Since the caller of the procedure could not have anticipated that the

     exception would occur, the current program is terminated.

     The reason for the exception is:

     An exception because of wrong method interface usage occurred

 

Missing RAISING Clause in Interface

     Program                                 CL_GRFN_AC_BRFP===============CP

     Include                                 CL_GRFN_AC_BRFP===============CM005

     Row                                     1

     Module type                             (METHOD)

     Module Name                             EXECUTE_BRF_RULE

 

Trigger Location of Exception

     Program                                 CL_FDT_FUNCTION===============CP

     Include                                 CL_FDT_FUNCTION===============CM00D

     Row                                     33

     Module type                             (METHOD)

     Module Name                             LOAD_BUFFER

 

Source Code Extract

 

Line  SourceCde

 

     3   DATA: lts_version TYPE if_fdt_admin_data=>ts_version,

     4         ls_message  TYPE if_fdt_types=>s_message,

     5         lt_message  TYPE if_fdt_types=>t_message,

    6         lv_version    TYPE if_fdt_types=>version,

    7         lv_no_version TYPE abap_bool,

    8         lv_timestamp_string type string,

    9         lv_i type i.

 

   10

 

   11   FIELD-SYMBOLS <ls_version> TYPE if_fdt_admin_data=>s_version.

 

   12

 

   13   ASSERT NOT ( iv_timestamp IS SUPPLIED AND iv_version IS SUPPLIED ). ">>>

 

   14

 

   15   IF iv_timestamp IS NOT SUPPLIED AND iv_version IS NOT SUPPLIED.

 

   16 *   when we have the last version we can read from the buffer

   17     IF mv_ms_buffer_loaded EQ abap_false.

   18 *     load the buffer with the last version

   19       ms_buffer           = load_buffer_db( ).

   20       mv_ms_buffer_loaded = abap_true.

   21     ENDIF.

   22     rs_buffer = ms_buffer.

   23     RETURN. ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

 

   24   ELSEIF iv_timestamp IS SUPPLIED. "get the right version for the tmstmp

   25     if_fdt_admin_data~get_active_version(

   26       EXPORTING iv_timestamp  = iv_timestamp

   27       IMPORTING ev_version    = lv_version

   28                 ev_no_version = lv_no_version ).

   29     IF lv_no_version EQ abap_true.

   30       cl_fdt_services_internal=>get_date_and_time_utc( EXPORTING iv_timestamp = iv_timestamp

   31                                                        IMPORTING ev_utc_date_time_string = l

   32       MESSAGE x006(fdt_core) WITH lv_timestamp_string INTO ls_message-text.

>>>>>       message_exception ls_message lt_message cx_fdt_input.

   34     ENDIF.

 

   35   ELSEIF iv_version IS SUPPLIED. "use this version

   36     lv_version = iv_version.

 

   37   ENDIF.

 

   38

 

   39 * do we have a valid version now?

 

   40   if_fdt_admin_data~get_versions( IMPORTING ets_version = lts_version ).

 

   41   READ TABLE lts_version ASSIGNING <ls_version>

   42     WITH TABLE KEY version = lv_version.

 

   43   IF sy-subrc NE 0.

   44     MESSAGE x002(fdt_core) WITH iv_version INTO ls_message-text.

   45     message_exception ls_message lt_message cx_fdt_input.

 

   46   ENDIF.

 

   47

   48    lv_i = lines( lts_version ).

 

   49   READ TABLE lts_version INDEX lv_i ASSIGNING <ls_version>.

 

   50   IF <ls_version>-version EQ lv_version.

 

   51 *   when we have the last version we can read from the buffer

   52     IF mv_ms_buffer_loaded EQ abap_false.

 

----------------------------------------------------------------------------------------------------

I performed all the configuration steps required.

 

I cannot proceed further and your help is much required.

 

Regards

Ashok

unable to Execute back end Transaction through nwbc menu in GRC

December 19, 2014, 11:44 am
$
0
0

Hi Experts,

 

I have a created a role to access back end GRC system from NWBC menu.

I was able to see and navigate to the initial screen of Back end transactions. But however whenever I tried to navigate further on

those Tcodes (eg : selecting the role from PFCG) , I'm unable to proceed  further and receiving error page error.

 

GRC version : 10.1

 

Please advise if there is any setting to overcome this issue.

 

Thanks in advance.

 

The description of error in the browser page

Webpage error details

 

 

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; chromeframe/26.0.1410.43; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Timestamp: Fri, 19 Dec 2014 16:40:23 UTC

 

Message: 'oPageUpdater' is null or not an object

Line: 38

Char: 2663

Code: 0

URI: http://grcdapp0.xxxxxxx:8000/sap/public/icmandir/its/ls/js/lightspeed.js?17

 

 

Capture.PNG

How to get a fresh copy of global ruleset?

December 18, 2014, 2:35 pm
$
0
0

Hi,

 

I come across a situation where I am thinking to delete all old/existing rules and want to refresh global ruleset. I want a fresh copy of ruleset as we have straight out of box. Any idea please, how to?

 

I tried to find it on “service.sap.com” but no luck. If some one knows the link please share.

 

Thanks in advice for your help and time.

 

Regards,

Nasir

GRC AC 10.0 - MSMP Workflow is not sending email for Firefighter provisioning

April 11, 2012, 3:28 pm
$
0
0

Hi Gurus,

 

I have installed GRC - AC 10.0 and I want to configure EAM to allow automatically provisioning of Firefighter with following steps:

1. -In Access Management,  AC Owners, FF ids, Controlles, Reason Codes are setup in advance

2. - I can create a manual  Access Request for a Firefighter assignment and is functional without any issue

3. - Common workflow has been activated

4. - Email server has been configured and checked that can send emails

5. - In IMG  -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow  I have activated SAP Process Id-s :

 

SAP_GRAC_ACCESS_REQUEST

 

using the default settings .

6. At Pct #5 Maintain Paths- Stage Definition- I have checked boxes - Approve by Email & Approve and I have Activated it.

Then, I create a access request again and no email is send it out to Owner.

In MSMP, in Pct #5, I have all for Process Id SAP_GRAC_ACCESS_REQUEST , I have left all 3 paths:

GRAC_MANAGER

GRAC_ROLEOWNER

GRAC_SECURITY

 

7. I have tried to activate other processes id-s:

SAP_GRAC_FIREFIGHTER_LOG_REPORT 

SAP_GRAC_ROLE_APPR

 

however with the same result.

 

All my SPM Owners and FF-ids have email adress, how should I maintain their email in MSMP, as the documentation is confusing for me.

 

8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped directly the Account ID-s and I have assigned it in Pct 5 (Maintain Paths) and activated- without any result.

 

Thank You,

 

Marc

Can we trap a value from a customised role as SoD

December 29, 2014, 6:16 pm
$
0
0

Hi Friends,

 

I am attaching a snapshot here. Please look into it before your comments. Here is customised role “Z40R-ALL-PTP-PR_APR_TIER_1” with Auth_Object “M_EINK_FRG” and value “R1”.

 

Capture1.JPG

N.B: Only ARA and EAM is configured in system (no BRM etc).

 

I want to check in system, if someone having value R1 in field FRGCO.

 

Please help me how to done it.

 

Regards,

Nasir

Search

SAP GRC AC 10.0 installation

December 16, 2014, 1:53 am
$
0
0

We have a two test system, one is GRC System (Source), second one is target system (ECC) . On both the system GRC Component GRCFND_A  and GRCPINW (SAP GRC Plug in) is installed.

 

I am facing issue while doing the post installation activities and establishing the connector . Please suggest.

Ticket Number

December 29, 2014, 7:28 am
$
0
0

Hello all!

 

I have a doubt! During the "Sync. with PFCG" step at the Role Creation GRC AC asks for a ticket number. I know it is related to parameter 3008. What I don´t know is for what can I use this information after creating the role?

 

How can I search for a role based on the ticket number?

 

SDN1.jpg

 

Regards,

Pedro

Critical Action reports shows incorrect data

December 25, 2014, 3:03 am
$
0
0

Hi ,

 

Two users A and B have access to OB52 transaction via separate roles. These two roles are derived from same parent role.

A critical Action risk (ZFIN)has been created with OB52 transaction code. While running Critical Action report for both A and B, surprisingly report is showing only for user A with ZFIN risk and OB52 transaction code, for other user it is showing ZFIN risk and it is not showing OB52 in report.

i.e. Critical Action report generating incorrect report.

 

Any idea about this issue?

 

Thank

Mohan

LDAP Search in Access Request shows no results

October 1, 2014, 12:01 pm
$
0
0

Hello

 

I've been trying to configure LDAP as the User Data source for the Access Request functionality within Access Control.

I used the LDAP Configuration guide provided by SAP in the note. Unfortunately I haven't been able to get a successfull result in the Sync Job and in the Access Request Form.

I have been able to get results in the LDAP tcode when I do Find, but I can't get any in the Business Client.

I'm adding screenshots of all the configuration I've done so you can get the idea of what I've done.

I left the mapping provided by default in the LDAP tcode, didn't do any changes to it.

LDAP tcode.jpg

LDAP Find.jpg

Here's the connectors config. Two things here. 1- the USER ID is provided by our LDAP team (not sure if I have to change it to match in LDAP tcode) 2- the group field mapping and parameters is maintained for scenarios 3 and 4, I just included the screenshots for 3.

Connectors.jpg

Config:

Config.jpg

Lastly here's the sync job result. I get a User Adapter Empty when checking SLG1.

Sync.jpg

Regards

Maria Alejandra Piedra

SAP Basis/Security

Unable to view report from Dashboard

December 28, 2014, 11:25 pm
$
0
0

Hello,

 

We have implemented the SAP GRC  Access control 10.1 RDS.

 

Our System config is as follow :

SAP ERP 6.0 EHP7 + HANA Database.

 

From NWBC when i am trying to access data from Reports & Analytics -> Access Dashboard -> User Analysis.

It shows 0 users violation.. Same for other reports also.. for all it says no violation.

 

But from when i fetch the report from access management -> access risk analysis -> User level.. It shows data.

 

Any suggestion why i am unable to view data/reports from Dashboard

 

Regards

Ashish

MSMP Generate Versions

December 26, 2014, 10:05 am
$
0
0

Hello all!

 

I´ve just added a notification at Notification Settings and the tried to generate a new MSMP Version. The erro bellow happens:

 

1 - Choosed the Process Global Settings:

 

SDN1.jpg

 

2 - At step 5 "Maintan Paths" chossed Notification settings and added the line bellow:

 

 

SDN2.jpg

 

3 - Tried to Generate a New Version at step 7:

 

SDN3.jpg

 

This error happened and I don´t know what it means. Any idea?

 

Regards,

Pedro

Multiple users at the same request

December 22, 2014, 8:52 am
$
0
0

Hello all!

 

When I create a request for multple users (with various managers) if only one of the managers reject the request it is rejected for all users (even those where the manager approved the request). Is there a way to approve the roles from those manager who approved the request? And ignore the rejected ones.

 

Regards,

Pedro

Search

GRC AC ARA v10 SP13 - Org Rule Org Level Missing

December 9, 2014, 7:14 pm
$
0
0

Hi Experts!

 

Testing ARA Organization Rules soon and have noticed that one of my key Org Levels, $BUKRS, is missing. I have not yet used this functionality on this system. I am already doing the following:

  • running the authorization sync job daily (we are in the middle of multiple project builds)
  • checked the target systems USORG table for Org Level $BUKRS entry.
  • active ruleset function has that Org Level $BUKRS entry and it appears on the Risk Analysis reports

 

All other Org Levels are available to use except for this one. Any ideas!

 

Thanks in advance.

 

-john

Strange Issue with EAM logs

December 31, 2014, 12:56 am
$
0
0


Dear Experts,

 

I have been facing a strange issue with EAM GRC 10.0 on Consolidation Logs.

 

Background - GRC system version 10.0 , SP12.

System connected to GRC - ECC, CRM, BW, Net weaver Gateway.

Findings Made - This is not related to Time difference issue, the GRC is getting right data in Tables

Issue with System - Net weaver Gateway

 

Actual Issue - The Netweaver Gateway system has been integrated correctly with GRC and I am able to get all the FF logs.

In the GRC, the GRACACTUSAGE table is also getting correct data on the FF user activities.

However, when I go to NWBC and click on the Session details on FF log , it displays Blank. Even when I try to fetch from Cosolidation logs, it says No Record Found

 

This is quite strange as the correct data is flowing in GRC sytem but not getting displayed via NWBC consolidation logs.

 

Could you please share you ideas on this. Your help is highly appreced..

 

Wish you a very Happy New Year in Advance!

 

Thanks,

Mrudula

Reafirm Roles

January 1, 2015, 12:21 pm
$
0
0

Hello everyone!

 

I´m trying to discover how to send notification for Role Owners when their roles are in the Reafirm Period.

 

My configuration was done as bellow:

 

TO SET THE REAFFIRMATION PERIOD:

 

-Go to Role Maintenance > Select the role to set the reaffirmation period.
-open the Role and click on Properties.
-New screen will appear showing Role Reaffirm area with fields like,
Reaffirm Period in Days, Next Reaffirm, Last Reaffirm and Reaffirmed by.
-Enter the number of days for the reaffirmation period.
-The next reaffirm field will show the date on or before the Role needs
to be reaffirmed.

 

 

RUN JOB in SE38

 

 

TO REAFFIRM THE ROLES:

 

-Go to Access management > Role Mining > Role Re-affirm
-Click on Role Reaffirm
-To retrieve the Roles data, there are two options:
a) If Role owner wants to have specific data shown on the screen, data
can be filtered by choosing different search attributes.
b) Or Role owner can see all the Roles, assigned by Role Owner

Once the Roles data appear on the screen, the User (Role owner) can do
the following actions on it:
- Approve
- Reject
- hold

 

Just need a Job or something like that to inform them 15 days before (for example). Someone knows how can I do this? Or maybe have a suggestion.

 

Thanks in advance,

Pedro

Escalation at Role Owner Stage - Wrong Behaviour

November 23, 2014, 10:00 pm
$
0
0

Hi All,

 

We have an issue with escalation at Role Owner Stage.

 

I have enabled escalation to Alternate Role Owner after 5 days, if the role owner hasn't approved.

 

Now that my request has 4 roles, out of which 3 roles are approved and 1 role is pending approval.

 

Once escalation criteria is met, only the role which is pending approval should escalate to alternate role owner.

 

Instead all the roles (which are already approved) are being escalated to alternate role owner.

 

We have already implemented the below SAP notes. We are on GRC SP13.

 

2008881 - Approved request items are also escalated alongwith unapproved items

 

2000779 - UAM: Esclation on roleowner stage not working properply

 

Experts please help me in getting this issue fixed?

 

~ Madan

GRC 10.0 RFC connections and Value for Parameter 1000 and 1001

December 22, 2014, 11:50 pm
$
0
0

Hi All,

 

We have installed GRC 10.0 and trying to implement Access Control all modules. Can somebody give us detail regarding RFC connections required and maintain connection settings for GRC. We have created RFC from GRC-ECC and from ECC to GRC but as per some documents only one RFC required so please give us clear picture of the same.

 

Also need a clarification on Plugin settings in SPRO->GRC(Plugin )-> Access Control->Maintain Plugin Configuration Settings ->Parameter value 1000 and 1001 . Do we have to maintain these parameter only in plugin system or in GRC system as well?

 

Please suggest..

 

Thanks,

Shivani

Viewing all 1383 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>