Hi Experts,
I am new to GRC AC 10 and I need to configure workflow for various modules of AC.
How do I configure the same and are there any documents highlighting the various steps involved in the same.
Thanks,
Arjun
↧
SAP GRC AC 10 Workflow
↧
Need help to understand this standard SAP BRM Workflow???
Dear All,
This thread may cause some one of us to think that how a simple workflow can not be understood!
Please bear with me.
Below picture is taken from BRM document from SCN and I think most of us have already followed it. I have configured the basic BRM workflow and it worked fine.
However, I was pondering on this attached workflow and suddenly some doubts started coming to my mind which might be silly.
Below are my doubts:
1. The first action of "Role Design Team": Business Need identified and communicated, who it is being communicated to? I guess it is Security Analysis. Please correct me, if need be.
2. The second action of "Role Design Team": Evaluate need and approach. It is not that clear to me. May anybody help me understand this?
3. The first 2 actions on Security Analyst are spanning across Role Design Team also. Is this the drawing issue? Please advise.
4. How 'Manage Risk' action of Security Analyst is triggering 2 actions: "Role Owner Approval" and "Generate Results"?
5. How "Role Owner" Approval again triggering "Generate Results" action for Security Analyst and then again "Perform testing a document results"
action for Role Design Team?
I configured below simple Role Methodology:
(1) Role Definition->(2) Analyze Access Risk->(3) Maintain Test Cases->(4) Request Approval->(5)Generate Roles
This triggered actions one after the another. However, I am not able to understand how "Approval" action is again triggering "Generate Results" action, unless it is defined in the methodology. But do we define "Generate Roles" actions after approval again? What significance it has?
Please help me understand above figure in detail.
Regards,
Faisal
↧
↧
In ARM, while creating a new/change request, roles are not added.
Hello Gurus,
I am implementing SAP GRC 10.1, in which I have encountered this issue in ARM whenever I am creating a new/change request, the new user is been created but the assignment of the roles to this new user is not done. The roles for the new user is empty.
FYI, in MSMP i have defined an agent ID as pfcg user groups, so basically it means all the approvals will come to the users who belongs to the user group and as a approver i m going into the inbox and approving the request and the request has been successfully processed and the new user has been created but the role is not assigned to him.
Please help.
Thanks
↧
GRC AC 10.0 - MSMP Workflow is not sending email for Firefighter provisioning
Hi Gurus,
I have installed GRC - AC 10.0 and I want to configure EAM to allow automatically provisioning of Firefighter with following steps:
1. -In Access Management, AC Owners, FF ids, Controlles, Reason Codes are setup in advance
2. - I can create a manual Access Request for a Firefighter assignment and is functional without any issue
3. - Common workflow has been activated
4. - Email server has been configured and checked that can send emails
5. - In IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow I have activated SAP Process Id-s :
SAP_GRAC_ACCESS_REQUEST
using the default settings .
6. At Pct #5 Maintain Paths- Stage Definition- I have checked boxes - Approve by Email & Approve and I have Activated it.
Then, I create a access request again and no email is send it out to Owner.
In MSMP, in Pct #5, I have all for Process Id SAP_GRAC_ACCESS_REQUEST , I have left all 3 paths:
GRAC_MANAGER
GRAC_ROLEOWNER
GRAC_SECURITY
7. I have tried to activate other processes id-s:
SAP_GRAC_FIREFIGHTER_LOG_REPORT
SAP_GRAC_ROLE_APPR
however with the same result.
All my SPM Owners and FF-ids have email adress, how should I maintain their email in MSMP, as the documentation is confusing for me.
8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped directly the Account ID-s and I have assigned it in Pct 5 (Maintain Paths) and activated- without any result.
Thank You,
Marc
↧
Prerequisites for GRCPINW add-on
Just reading through OSS note 1497971 to check pre-requisites for the GRC AC add-on for my R/3 4.7 system. I noticed it lists these minimum support pack levels:
| SAP_BASIS | SAPKB62063 | |
| SAP_ABA | SAPKA62063 |
Mine are, er, just a little below that (well, OK, quite a lot below that). Does anyone know if these are just recommended support pack levels, or are they actually required? Has anyone installed the addons on a system with a lower support pack? How low? Did it work?
Are there specific things needed that could be added independently of whole support packs?
We are going to be upgrading R/3 to ERP 6 later this year, but I wanted to get the GRC 5.3 -> 10.0 upgrade done first. Given the pending R/3 upgrade there's no point in going through the process up applying support packs to get them up to date, so if there's no way around this I'll just have to postpone the GRC upgrade.
Thanks,
Steve.
↧
↧
GRC 10.1 new functionalities
Hello,
Anyone saw a presentation of GRC 10.1? What about new functionalities? (in particular in AC)
It looks likes the ramp up will be available for customers from tomorrow...
Julien
↧
GRC AC 10.0 - MSMP Workflow is not sending email for Firefighter provisioning
Hi Gurus,
I have installed GRC - AC 10.0 and I want to configure EAM to allow automatically provisioning of Firefighter with following steps:
1. -In Access Management, AC Owners, FF ids, Controlles, Reason Codes are setup in advance
2. - I can create a manual Access Request for a Firefighter assignment and is functional without any issue
3. - Common workflow has been activated
4. - Email server has been configured and checked that can send emails
5. - In IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow I have activated SAP Process Id-s :
SAP_GRAC_ACCESS_REQUEST
using the default settings .
6. At Pct #5 Maintain Paths- Stage Definition- I have checked boxes - Approve by Email & Approve and I have Activated it.
Then, I create a access request again and no email is send it out to Owner.
In MSMP, in Pct #5, I have all for Process Id SAP_GRAC_ACCESS_REQUEST , I have left all 3 paths:
GRAC_MANAGER
GRAC_ROLEOWNER
GRAC_SECURITY
7. I have tried to activate other processes id-s:
SAP_GRAC_FIREFIGHTER_LOG_REPORT
SAP_GRAC_ROLE_APPR
however with the same result.
All my SPM Owners and FF-ids have email adress, how should I maintain their email in MSMP, as the documentation is confusing for me.
8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped directly the Account ID-s and I have assigned it in Pct 5 (Maintain Paths) and activated- without any result.
Thank You,
Marc
↧
GRC 10.0 Firefighter Log Review "Other Action"
Has anyone seen any documentation or know how to exand the choices in GRC 10.0 (SP08) Firefighter Log review? When controller reviews log, he can hit "submit" to approve. Our audit team would like other options ("revoke security" or "inappropriate action; should be reversed", etc). I do see "Other Action" but only offers "Hold".
Thanks in advance..
↧
Need help to understand this standard SAP BRM Workflow???
Dear All,
This thread may cause some one of us to think that how a simple workflow can not be understood!
Please bear with me.
Below picture is taken from BRM document from SCN and I think most of us have already followed it. I have configured the basic BRM workflow and it worked fine.
However, I was pondering on this attached workflow and suddenly some doubts started coming to my mind which might be silly.
Below are my doubts:
1. The first action of "Role Design Team": Business Need identified and communicated, who it is being communicated to? I guess it is Security Analysis. Please correct me, if need be.
2. The second action of "Role Design Team": Evaluate need and approach. It is not that clear to me. May anybody help me understand this?
3. The first 2 actions on Security Analyst are spanning across Role Design Team also. Is this the drawing issue? Please advise.
4. How 'Manage Risk' action of Security Analyst is triggering 2 actions: "Role Owner Approval" and "Generate Results"?
5. How "Role Owner" Approval again triggering "Generate Results" action for Security Analyst and then again "Perform testing a document results"
action for Role Design Team?
I configured below simple Role Methodology:
(1) Role Definition->(2) Analyze Access Risk->(3) Maintain Test Cases->(4) Request Approval->(5)Generate Roles
This triggered actions one after the another. However, I am not able to understand how "Approval" action is again triggering "Generate Results" action, unless it is defined in the methodology. But do we define "Generate Roles" actions after approval again? What significance it has?
Please help me understand above figure in detail.
Regards,
Faisal
↧
↧
GRC EAM "Transactional log and session detail" not giving any report
IN GRC 10.0.
GRC EAM "Transnational log and session detail" not giving any report
All other reports such as Consolidated report,Invalid superuser report,FF log summary report ,reason code and activity report are coming fine.
Job: GRAC_SPM_LOG_SYNC_UPDATE is running fine in every 30 mins.
This problem is encountered after Back end system migration from AIX to Linux server
Any help would be appreciated.
↧
Error when opening an RFC connection (CPIC-CALL:'ThSAPOCMNIT':cmRC=20thrc=236 SAP Gateway conne
Hello All,
My client had raised a HR Trigger Separation action for a user. The request got generated in GRC system.It followed all the stages as per
the design. But after getting approved at the final stage, there was an error. And the User ID did not get deleted from the HR system ( Auto-Provisioning did not take place ).
The ID’s were getting deleted in HR system using HR Trigger – separation action till yesterday ( Auto-provisioning was working ).
Please find the below screenshot of the Audit Log for the same :
The error seems to be related to RFC. Please suggest me the appropriate reason for the same.
Regards,
Rahul Muni
↧
MSMP doubt: Auto-Approve field
Hi all.
I have a doubt regarding transaction GRFNMW_CONFIGURE. If i access to see the stages of my path:
Then in the stage itself i see a button called Auto-Approve. Please see image below:
- What is the purpose of this? Auto-Approve this stage without any action from the Manager/Role owner (Agent).
- Do someone has further information?
Kind regards and thank you.
Sara.
↧
Prerequisites for GRCPINW add-on
Just reading through OSS note 1497971 to check pre-requisites for the GRC AC add-on for my R/3 4.7 system. I noticed it lists these minimum support pack levels:
| SAP_BASIS | SAPKB62063 | |
| SAP_ABA | SAPKA62063 |
Mine are, er, just a little below that (well, OK, quite a lot below that). Does anyone know if these are just recommended support pack levels, or are they actually required? Has anyone installed the addons on a system with a lower support pack? How low? Did it work?
Are there specific things needed that could be added independently of whole support packs?
We are going to be upgrading R/3 to ERP 6 later this year, but I wanted to get the GRC 5.3 -> 10.0 upgrade done first. Given the pending R/3 upgrade there's no point in going through the process up applying support packs to get them up to date, so if there's no way around this I'll just have to postpone the GRC upgrade.
Thanks,
Steve.
↧
↧
GRC AC 10.0 - MSMP Workflow is not sending email for Firefighter provisioning
Hi Gurus,
I have installed GRC - AC 10.0 and I want to configure EAM to allow automatically provisioning of Firefighter with following steps:
1. -In Access Management, AC Owners, FF ids, Controlles, Reason Codes are setup in advance
2. - I can create a manual Access Request for a Firefighter assignment and is functional without any issue
3. - Common workflow has been activated
4. - Email server has been configured and checked that can send emails
5. - In IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow I have activated SAP Process Id-s :
SAP_GRAC_ACCESS_REQUEST
using the default settings .
6. At Pct #5 Maintain Paths- Stage Definition- I have checked boxes - Approve by Email & Approve and I have Activated it.
Then, I create a access request again and no email is send it out to Owner.
In MSMP, in Pct #5, I have all for Process Id SAP_GRAC_ACCESS_REQUEST , I have left all 3 paths:
GRAC_MANAGER
GRAC_ROLEOWNER
GRAC_SECURITY
7. I have tried to activate other processes id-s:
SAP_GRAC_FIREFIGHTER_LOG_REPORT
SAP_GRAC_ROLE_APPR
however with the same result.
All my SPM Owners and FF-ids have email adress, how should I maintain their email in MSMP, as the documentation is confusing for me.
8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped directly the Account ID-s and I have assigned it in Pct 5 (Maintain Paths) and activated- without any result.
Thank You,
Marc
↧
New User Request cannot be submitted in GRC AC 10
Hello Gurus,
We have configured GRC AC 10 along with workflows and for all scenarios things are working fine , except for "New User".
When we select
Request Type : New Request
Request for: Others
User : XYZ (This user is not present in "HR system(ERP system)", which is our data source for User search, user details & authentication)
and we select certain roles to be assigned to the user.
Then when we click "Submit Button" , it gives us an error , XYZ is not a valid User
In SPRO under CUP --> Maintain Provisioning Settings
For Global Provisioning under
"Create User if does not exist"
i have selected both "check boxes" for
1) For Change User Action
2) For Assign Role Action
Also in System Provisioning, i have ticket the option "create User".
Note: Under Data Source Configuration i have selected "End User Verification" as Yes.
Will you please provide your inputs on what could be the reason for getting this error .
Regards,
Victor
↧
Using GRAC_RISK_ANALYSIS_WOUT_NO_WS...
Hi, We will be getting a request for risk analysis with a user id, single and/or multiple roles from a non-SAP system into GRC. To generate the risk analysis we are planning to use GRAC_RISK_ANALYSIS_WOUT_NO_WS service and activated it. In our testing in GRC system, the Endpoint function module GRAC_IDM_RISK_WOUT_NO_SERVICES for this service is not returning any data even though we are giving all the mandatory parameters as needed as per the documentation of the service. We tried executing it with OBJECT_TYPE = ‘USR’, OBJECT_ID = user id and the valid connector ID. It is not returning any values. We also tried executing it for Role, by giving OBJECT_TYPE = ‘ROL’, single and/or multiple valid roles in OBJECT_ID, with ROLE_TYPE = 1, 2 or 3 and a valid connector. Still it is not returning any values. It doesn’t give any error messages too. We also activated GRAC_RISK_ANALYSIS_WITH_NO_WS in GRC and created an access request in GRC system with the above values. The endpoint function module GRAC_IDM_RIS_WITH_NO_SERVICES returns the risk analysis correctly. We don’t want to create access request in the GRC system for the incoming request for the risk analysis from the non-SAP system. Hence decided to use GRAC_RISK_ANALYSIS_WOUT_NO_WS service. We want to use this service to get the risk analysis by user and role(s). Has anyone used this service? Any advice on what needs to be checked and how the input parameters to be passed to get the desired risk analysis data? Appreciate any help or direction. Thanks, Ram
↧
In ARM, while creating a new/change request, roles are not added.
Hello Gurus,
I am implementing SAP GRC 10.1, in which I have encountered this issue in ARM whenever I am creating a new/change request, the new user is been created but the assignment of the roles to this new user is not done. The roles for the new user is empty.
FYI, in MSMP i have defined an agent ID as pfcg user groups, so basically it means all the approvals will come to the users who belongs to the user group and as a approver i m going into the inbox and approving the request and the request has been successfully processed and the new user has been created but the role is not assigned to him.
Please help.
Thanks
↧
↧
GRC AC 10.0 - MSMP Workflow is not sending email for Firefighter provisioning
Hi Gurus,
I have installed GRC - AC 10.0 and I want to configure EAM to allow automatically provisioning of Firefighter with following steps:
1. -In Access Management, AC Owners, FF ids, Controlles, Reason Codes are setup in advance
2. - I can create a manual Access Request for a Firefighter assignment and is functional without any issue
3. - Common workflow has been activated
4. - Email server has been configured and checked that can send emails
5. - In IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow I have activated SAP Process Id-s :
SAP_GRAC_ACCESS_REQUEST
using the default settings .
6. At Pct #5 Maintain Paths- Stage Definition- I have checked boxes - Approve by Email & Approve and I have Activated it.
Then, I create a access request again and no email is send it out to Owner.
In MSMP, in Pct #5, I have all for Process Id SAP_GRAC_ACCESS_REQUEST , I have left all 3 paths:
GRAC_MANAGER
GRAC_ROLEOWNER
GRAC_SECURITY
7. I have tried to activate other processes id-s:
SAP_GRAC_FIREFIGHTER_LOG_REPORT
SAP_GRAC_ROLE_APPR
however with the same result.
All my SPM Owners and FF-ids have email adress, how should I maintain their email in MSMP, as the documentation is confusing for me.
8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped directly the Account ID-s and I have assigned it in Pct 5 (Maintain Paths) and activated- without any result.
Thank You,
Marc
↧
How to provision existing groups in Active Directory through GRC 10.1?
As per the requirment I have to provision the existing AD groups to users in AD through GRC10.1. The connection between AD(Microsoft) and GRC is already established through LDAP connector.
Apprecaite your quick response on the same.
Thanks,
Trinetra
↧
What is the t-code for firefighter logon?
Sorry for the triviel question. Thanks!
↧
