Channel: SCN : Document List - Governance, Risk and Compliance (SAP GRC)

Portal Integration with GRC 10.0 - Issues, Notes


Let me share my experience in the form of a document.

The topic (Portal Integration with GRC 10.0) may not be new, but it might be useful for others who are going for the same assignments.

This is not our latest assignment, so we cannot document all the exact issues, but we have tried to document the major ones we faced.

 

We started with the help of the links below, which are open to everybody:

Enterprise Portal Integration with SAP GRC 10.0

 

We gathered the information about plug-ins from the Note below:

1603438 - GRC AC 10.0 EP Plug-In (JAVA), supported NW Versions

 

After creating the connectors, we followed the Note below for the configuration in SPRO:

 

1607232 - GRC 10.0 Enterprise Portal Configuration

 

Please make sure the settings below are correct:

  1. Maintain the logical port for the WS connector.
  2. Attach both connectors (WS and SPML) to the AUTH, PROV and ROLMG scenarios; make sure the connector names are correct.
  3. Maintain the group field mapping correctly.
  4. Provide the SPML RFC connector and the schema SAPprincipals in Synchronization Jobs > Fetch IDM Schema.

 

We faced some challenges while running the synchronization jobs.

Portal security had created some roles with special characters for administrative purposes (easy identification) and user IDs starting with zero, like 0Art1CZ, 0Bah4ST.


We followed the Notes below:

1841549 - Portal issue with special characters

1833649 - UAM: Portal Users Starting with ZERO (0*) are not synced up


We faced a performance issue while running the Repository Object Sync; the KBA below solved it:


1848113 - How to increase the performance syncing objects from portal to GRC

 

Repository job completed but roles are not synced

The KBA below also helps if the schema update reports NO DATA FOUND:

1857609 - GRC10.0: Portal roles/profiles not syncing

 

We need to run the sync job for the SCHEMA, as mentioned in the Note:

1607232 - GRC 10.0 Enterprise Portal Configuration


We can check the status of the imported schema in table GRACIDMSCHEMABUF via SE16 in the GRC system.


If there are any issues while fetching the schema into GRC, follow the Notes below:

1848215 - Cannot fetch the IDM schema for the EP SPML connector.

2033753 - AC10.0: Unable to Fetch IDM Schema for EP


Mostly the issue is with the connector ID; make sure to use the Portal connector that ends with "_SPML" when running the schema job.

 

If portal roles are not provisioned to users even though all configuration settings are correct, check the Notes below:

1838692 - Portal role provisioning not happening

1825879 - UAM:Provisioning to mapped user is not working in portal UME


If groups are not getting assigned, follow the Note below:

1840613 - Groups are not getting assigned to users on Portal

 

If any error occurs while running risk analysis for portal roles, implement the Note:

1852566 - Portal Roles Risk Analysis does not work properly

 

Some of the old threads, for more information and issues:


GRC PC 10.0 Enterprise Portal Configuration Guide: http://scn.sap.com/thread/3230036


Compatible Portal Version for GRC 10: http://scn.sap.com/thread/2110735


GRC10 End User Front-end: http://scn.sap.com/thread/2059477


SAP GRC 10 - Integration with Enterprise Portal for User Access Assignment: http://scn.sap.com/thread/3682941


Enterprise Portal Integration with SAP GRC 10.0: http://scn.sap.com/docs/DOC-61262


Role Mapping For Portal Role Assignment and ABAP Role Assignment - GRC 10: http://scn.sap.com/thread/3678168


User sync and provisioning issue in EP - GRC 10: http://scn.sap.com/thread/3595488

 

GRC AC 10 (RAR/CUP/ERM) configuration for EP system: http://scn.sap.com/thread/2073635


SAP GRC 10 Integration with NW7.4 Portal: http://scn.sap.com/thread/3676056

 

Re: EP provisioning failure with error "Exception when creating user :USERID_CONTAINED_IN_PASSWORD"

 

Re: How to define SoD Master Data for WebDynpro Application or Enterprise Portal?

 

There may be some more issues which we are not able to recollect; if any come to mind, I will add them to this page.

 

If anyone has faced issues, they can share them and we can include them on this page.

 

Regards

Baithi


Emergency Access Management (EAM) for Webdynpro applications or Web-based applications - GRC 10.0


Emergency Access Management (EAM) is basically designed to support ABAP-based applications. Hence there are a lot of limitations and issues if it is used for Web Dynpro and web-based applications.

 

Please go through the SAP Notes below when trying to implement EAM for Web Dynpro or web-based applications, to understand the GRC EAM limitations.

 

1796682 - 'User Type must be Dialog User' Dump comes when FFID tries to login to NWBC

1905295 - Launching firefighter application from NWBC not working

Object Services icon not available in Firefighter ID session

 

Important points to be considered:

 

1. The Firefighter approach will not work for Web Dynpro and web-based applications if the Firefighter ID is a service user ID. Please check the SAP Note below:

 

1588075 - SSO fails for service type users in FF session.

 

2. Since SAP does not support SSO for service user IDs, in GRC 10 SAP suggests a workaround: convert the Firefighter IDs from the Service to the Dialog user type to make them work properly.

 

3. When the Firefighter ID is made a dialog user type, make sure that no password aging policy is implemented in that system. If password aging is active in your system, you will be asked to change the password at regular intervals.

 

4. Maintain an unknown password for the Firefighter ID after converting it to the dialog user type, or generate the password and save it. Now this Firefighter ID can be used to log in as Firefighter.

 

5. Once the above changes are made, when the Firefighter user executes NWBC or CRM_UI transactions, the web links show a Change Password screen for the Firefighter ID. To avoid this issue, implement the SAP Note below:

 

1736116 - Password change window pops up after Firefighter ID launches NWBC

 

6. The log of the activities performed by the Firefighter ID is picked first from STAD and then from CDHDR. If the details are not available in these two, the activity details will not be picked at all. I believe that such information is not captured in these two when the Firefighter ID logs on to web applications, which is why it will not be picked.

 

Before gathering the above information, I went through a lot of discussions on this forum regarding the same topic.

 

Does SPM (firefighter) support transactions CRM_UI, WUI, START_BSP using SSO?

Risk Analysis, SPM for CRM UI ( CRM 2007)

EAM Issue

Configure Emergency Access (EAM) in GRC 10 | SCN

 

There is an idea submitted in the Idea Place requesting SAP to enhance GRC 10 to support EAM for CRM, SRM, TM etc., which use the Web UI. Please check it out.

 

EAM - Firefighter not works for portal system such SRM - CRM , etc : View Idea


GRC Document Collaboration Topics


Hi All

 

If you are wondering what this document is all about then please refer to: Community Collaboration for GRC Blogs and Documents - you will find an overview of what this community collaboration is about and the rules on how you can contribute. You are still encouraged to write your own blogs and documents without participating in this process (it would be nice if you could update this document to let the community know you are working on something).

 

You are also welcome to be both the person who suggests the topic and the author. This advertises that you are working on the topic and holds you accountable to a deadline that the community is aware of.

 

Remember: add a row below the 3rd row of the table to include your suggestion. Please do not change the first three heading rows, as these rows indicate the title and a short summary of the content below. When including your name, please include your SCN profile as a hyperlink (the easiest way is to open your profile in a new browser tab and copy the URL).

 

The table has three column groups. Step 1 (Requester to complete): Date Suggested, Suggested By, Document Type, Idea. Step 2 (Author to complete): Author, Date Due, Assistance? (do you want any assistance? If yes, summarise: input, review, etc.). Step 3 (Author to publish): Link to item (SCN document or blog link).

Template row: DD/MM/YY | Your SCN Profile URL | blog or document | Title or topic idea | Your SCN Profile URL | DD/MM/YY | assistance wanted? | SCN document or blog link

Date Suggested | Suggested By | Document Type | Idea | Author | Date Due | Assistance? | Link to item
27/05/14 | S A | Document | EAM Audit Trail, Utilisation from a business point of view, high level | Alessandro Banzer | 31/05/15 | | EAM Utilisation and Log Review Process
27/08/14 | Alessandro Banzer / Colleen Lee | Document | Analysis of the SAP delivered rule-set - do you accept as it is? Do you build your own or do you do something in between? | | | |
13/09/14 | Colleen Lee | Document | Business Role Management - overview and use of the methodology customisation | | | |
13/09/14 | Colleen Lee | Blog | Business Role Manager - What are the benefits and issues with using BRM and integrating with ARA and ARQ? | | | |
02/10/14 | S A | Document | PSS - Best practices, pitfalls to avoid and things to consider while enabling PSS? | Colleen Lee | 12/10/14 | Reviewed by S.A, Alessandro & Gretchen | Design Considerations to reduce Password Self Service (PSS) Intruder Risk
02/10/14 | Colleen Lee | Blog | BRM - discussion use of profile generation to distribute role to different systems vs system transports | Alessandro Banzer | 12/12/14 | Input from Susanne Obrist-Niederer (Susanne is a highly experienced authorization consultant with several international projects in her backpack). |
02/10/14 | Colleen Lee | Document | Summary of the GRC Org structure - which sections apply to AC, PC and RM and any tips on integration with ERP | | | |
30/10/14 | Darnell Suggs | Document | Link or Page to latest Configuration and Integration Documents for GRC AC 10.1 similar to SAP BOBJ AC 10.0 | | | |
21/11/14 | Alessandro Banzer | Document | Usage of EAM - appropriate and inappropriate usage and its dangers | Alessandro Banzer | 30/11/14 | Reviewed by Alessandro & Colleen | Usage of EAM
02/03/15 | Alessandro Banzer | Document | Differences of direct and indirect role assignment | Alessandro Banzer | 06/03/15 | | Direct vs. Indirect Role Assignment

SAP Access Control - Synchronisation Jobs Ordering and Frequency


Dear all,

The motivation for writing this document is that I have been asked several times by users on SCN and by e-mail to provide a best-practice approach for synchronisation jobs. In every GRC implementation project, synchronisation jobs need to be scheduled to ensure that the necessary data from the backend systems is present in the GRC system. In this document I would like to share my experience in setting up the ordering and the frequency of the synchronisation jobs required for SAP Access Control.

 

Please note that the frequency can vary in your projects based on your requirements. From my experience, the following listing is a good starting point.

 

Job | Description | Program | Full / Incremental | Frequency | System / Connectors
Authorization Data | This job synchronizes the PFCG master data (SU24 values) from the backend system. | GRAC_PFCG_AUTHORIZATION_SYNC | n/a | Weekly | Development and productive systems
Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Full | Weekly | All connected systems
Repository Objects | This job synchronizes users, roles and profile data to the repository in Access Control. | GRAC_REPOSITORY_OBJECT_SYNC | Incremental | Hourly | All connected systems
Transaction Usage | This job retrieves the executed transactions and usage dates from the backend system. | GRAC_ACTION_USAGE_SYNC | n/a | Daily | Productive systems
Role Usage | This job retrieves the role usage information from the backend system. | GRAC_ROLE_USAGE_SYNC | n/a | Daily | Productive systems
Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Full | Monthly | Depending on rule set definition
Batch Risk Analysis | This job updates the management reports used in NWBC. | GRAC_BATCH_RISK_ANALYSIS | Incremental | Daily | Depending on rule set definition
EAM Master Data | This job synchronizes the master data from the backend system to the Access Control repository. | GRAC_SPM_SYNC | n/a | Hourly | All systems where FF is defined
EAM Logs | This job synchronizes the logs of firefighting activities from the backend system and stores them in the Access Control repository. | GRAC_SPM_LOG_SYNC_UPDATE | n/a | Hourly | All systems where FF is utilized
Email Reminders | This job is used to send e-mail reminders to an approver for pending access requests. | GRFNMW_BATCH_EMAIL_REMINDER | n/a | Daily | For MSMP processes in use


I recommend running the jobs in the order listed above. The repository object synchronisation job can also be run separately for users, roles and profiles. If run separately, also run them in this sequence: users, roles and profiles.

 

In order to enable User Access Review (UAR), the following four jobs need to be run in this order:

  1. Role synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_ROLE_SYNC).
  2. User synchronisation (is part of the job GRAC_REPOSITORY_OBJECT_SYNC, can also be run individually with program GRAC_ROLEREP_USER_SYNC).
  3. Action Usage synchronisation (program GRAC_ACTION_USAGE_SYNC).
  4. Role Usage synchronisation (program GRAC_ROLE_USAGE_SYNC).

 

 

Please find detailed information regarding the repository jobs (authorization data, repository objects, transaction and role usage) on SAP Wiki: The Repository - GRC Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

 

Looking forward to your valuable feedback and the experience you have gained in your projects. Other approaches can be incorporated into this document.


Best regards,

Alessandro


Configuration Settings and Purpose in GRC10 Risk Management


Dear all,

 

This document contains some of the configuration settings used in GRC 10 Risk Management, their purpose, and their impact.

 

I hope it is useful.

 

1. Maintain configuration for Maintain Entity Role Assignment

SPRO -> Governance, Risk and Compliance -> General Settings -> Authorizations -> Maintain Entity Role Assignment.
Maintain a new entry as:

               Entity: G_AI

               Role: SAP_GRC_FN_ADISSUE_PROCESS

               Unique: check this checkbox

               Application: Process Control and Risk Management

Purpose:
  1. To avoid the dump ‘The ASSERT condition was violated’ when submitting a created issue in Risk and Opportunity.
  2. To avoid the dump 'CL_GRFN_ISSUE=================CP' while creating an issue in Ad Hoc tasks.

 

2. Filter settings for risk category

SPRO -> Governance, Risk and Compliance -> Reporting -> Select Report GRRM_R1 -> for filter ID RG_T, set the value: Pattern match with child

Purpose: the risk category is used as a selection field in reports such as survey results for risk surveys with risk category, the heatmap and risk templates.

 

3. Customizing for Case Management

SPRO (IMG) -> Governance, Risk and Compliance -> Process Control -> Cases -> Check Customizing for Case Management, and activate the Customizing for Case Management.

Purpose: to avoid the WDR_ADAPTER_EXCEPTION error when creating a response under Response and Enhancement Plan management.

 

4. Define responses for Policies

SPRO -> Governance, Risk and Compliance -> Risk Management -> Response and Enhancement Plan -> Responses for Policies

Purpose: once a policy is assigned to a risk, the policy becomes a response and from that moment is handled as a response. If you open the assigned object, the response UI is opened, not the policy UI, and the statuses shown are the response statuses (Active/Draft), not the policy statuses. Please note that the policy status is projected into the response completeness/effectiveness, so if the policy status is changed, the response completeness/effectiveness changes correspondingly.

 

5. Maintain Objective Categories

SPRO -> Governance, Risk and Compliance -> Risk Management -> Master Data Setup -> Maintain Objective Categories.

Maintain the categories there.

Purpose: objective categories have to be set to active; otherwise they cannot be found in NWBC when creating them under the Master Data work center.

 

6. Configuration of Incident and/or Loss attributes

SPRO -> Governance, Risk and Compliance -> Risk Management -> Open Incident Loss database

Click the link Maintain Incident and Loss Attributes. Add as many attributes as needed, making sure to select the field Attribute Type as Internal Structure and the field Attribute Relation as Both (Incident and Loss). With the last field you define whether you want to see the attribute for incidents and/or losses.

After that, select each attribute, click the option Values on the left, and add the possible values for it.

Save your changes and go back to the SPRO menu.

Now add the same attributes to one specific organizational unit: select the option Assign Incident/Loss Attributes to Organizational Unit, select the organizational unit, add the attributes created in the steps before, and save.

Purpose: to create Incident reports in NWBC.

 

7. Incident workflow tasks configuration

SPRO -> Governance, Risk and Compliance -> General Settings -> Workflow -> Workflow E-mail Notifications -> Maintain Workflow Notifications.
The notification maintenance appears. Select the line for scenario GRCNOTIFICATION.
In the tree menu on the left, open Business Scenario -> Filter Basic Data -> Filter Settings.
Add the following tasks to the filter: TS45607923, TS45607924, TS76300066, TS76300062, TS45607926, TS76300067 and TS76300068.

Purpose: for notification workflows.

 

8. Configuration of Response types

SPRO -> Governance, Risk and Compliance -> Risk Management -> Response and Enhancement Plan -> Maintain Response Types

Click on "New Entries" and enter a numeric value for the response type you want to set up. In the second column, enter a descriptive text. Save the entry.

Purpose:
  1. To avoid the error 'Assert Condition was violated' when creating any response catalog.
  2. Otherwise the response type drop-down list is empty in the Response creation screen.

 

9. Configure the Response purpose texts

SPRO -> Governance, Risk and Compliance -> Risk Management -> Response and Enhancement Plan -> Maintain Response and Enhancement Plan Purpose

Purpose: otherwise the response purpose texts are empty in the response creation screen.

 

10. Define Activity types

SPRO -> Governance, Risk and Compliance -> Risk Management -> Master Data Setup -> Maintain Activity Types.

Purpose: the Activity Type represents one level of the activity hierarchy and is used to group similar activity categories under one activity type in the application.


11. Maintain Probability Levels

SPRO -> GRC Risk Management -> Risk and Opportunity Analysis -> Maintain Probability Levels

Purpose:
  1. Used to select the Probability Reduction while creating the risk analysis.
  2. The risk level cannot be calculated if probability levels are not maintained.

 

12. Activate risk types

SPRO -> Governance, Risk & Compliance -> Master Data Setup -> Activate Risk Type.
Select the Active checkbox under Risk Type Activation.

Purpose: otherwise Corporate/Operational Risks cannot be created under the Risks tab (NWBC > Assessments -> Risk Assessments -> Risks & Opportunities, select the Risks tab -> Create a Risk).

 

 

Regards

Baithi


How to customize the Workflow name for ‘Manual Test of Effectiveness’ in GRC Process Control 10.1


Applies to: SAP GRC Process Control 10.1.

 

Summary

This document covers how to customize the Workflow name for ‘Manual Test of Effectiveness’ in GRC Process Control 10.1.

 

 

Author: Amit Saini

 

 

Created on: April 21st, 2015

 

 

 

 


Problem Statement: Business users perform ‘Manual Test of Effectiveness’ for manual controls. In turn, multiple issues are created for the same control; for example, business users create 5-6 issues for a single control.

When users go to the inbox to manage the issues, they cannot differentiate the issues from the workflow task text, since the GRC PC inbox does not have “Issue name” as a personalized field.

The workflow task name ‘Remediate Issue: Manual Test’ is identical for all the workflow tasks. This is confusing for end users, as the user needs to open each task separately to identify the corresponding issue to remediate. Suppose the user needs to work on priority on 1 issue out of the 6 created: if the issue name were merged into the workflow task text, users could differentiate the workflow tasks and work on them according to their priority.

In the screenshot below, there are multiple workflow tasks with the same text:

[Screenshot: Work Inbox.png]

 

  
Customization of the Workflow Task: follow the steps below to personalize the text of the work item.

 

 

1) Identifying the task name for ‘Remediate Issue: Manual Test’.

This can be identified using transaction ‘SPRO’ and following the path Governance, Risk and Compliance -> General Settings -> Workflow -> Workflow Task Names -> Maintain Custom Task Names.

 

 

[Screenshot: Maintain Custom Task names.png]

 

 

The technical name can be found by selecting the Inbox Task at position 53 and double-clicking the sub-folder ‘Task Business Object’.

 

[Screenshot: Inbox Task.png]

[Screenshot: Task Business Object.png]

 


The task name for the ‘Remediate Issue’ is ‘TS75900006’.

 

 

2) Personalizing the Workflow Task

Execute transaction ‘PFTC’, choose ‘Task Type’ as ‘Standard Task’ and Task as ‘75900006’.

 

 

[Screenshot: PFTC.png]

 

Choose ‘Edit’ to personalize the workflow task.

[Screenshot: Display Workflow Task.png]

The variable '&_WI_OBJECT_ID.MS_CASE_ATTR.CASE_TITLE&' carries the case/issue title, so it can be appended to the existing variable used in the field 'Work Item Text'. For example:

 

 

‘&_WI_OBJECT_ID.GET_MV_TEXT()& &_WI_OBJECT_ID.MS_CASE_ATTR.CASE_TITLE&’


as shown in the screenshot below:

[Screenshot: Edit Workflow Task.png]

 

 

Save the task.

 

Create a new issue for ‘Manual Test of Effectiveness’ related to a control. The new workflow text is enhanced and includes the issue name.

 

For example, I created an issue ‘MTOE_ISSUE1’ for ‘Manual Test of Effectiveness’ related to a control, and the personalized workflow text ‘Remediate Issue: Manual Test MTOE_ISSUE1’ appears in the Inbox.

 

 

[Screenshot: Personalized Workflow Task.png]


Different Jobs that can be monitored in GRC Process Control 10.1 for replacement and sign off.


Applies to: SAP GRC Process Control 10.1.

 

Summary

 

 

This document provides information about the different jobs that can be monitored in GRC Process Control 10.1 for replacement and sign-off.

 

Author: Amit Saini

 

 

Created on: April 21, 2015

 

In this article, I have listed the different jobs that can be activated and monitored in Process Control 10.1.

 

1. Transfer Work Items to Replacement

 

In this activity you schedule the program GRPC_REPLACEMENT_MASS_ACTIVATE to transfer work items from persons no longer working on them to the replacement persons entered in the system.

 


 

 

 

2. Maintain Workflow Notification

 

 

This job uses workflow notifications to ensure that deadlines are met.

In this Customizing activity, you schedule the program SWN_SELSEN. The program:

1) checks whether there are new work items for the scenario GRCNOTIFICATION, which is maintained in the Customizing activity Maintain Workflow Notifications;

2) determines the e-mail addresses of the work item recipients.

 

 

 


 

 

 

 

 

 

It should be possible for the customer to send reminders to the receiver of workflow tasks. For example, pre-define the reminder for the sign-off workflow; once the sign-off process has started, send the reminder to the sign-off performer.

1. Activating or deactivating the reminder for a specific workflow should be configurable. For example, the customer should be able to activate/deactivate the reminder for the sign-off workflow.

2. After the user receives the workflow task in the work inbox, send the reminder to the receiver periodically. The reminder "time period" is configurable and could be a number of minutes/hours/days/weeks/months/years or even a specific date.

- It should be possible for the customer to send an escalation to an associated user for specific workflow tasks. For example, the issue owner receives a task in the work inbox for issue remediation with a due date of April 30th, 2015. Once the due date has expired, send an escalation to the internal control manager to let him know about it.

 

 

 

3. Carry Forward Open Issues after Sign-off

 

In this Customizing activity, you set up the background job 'GRPC_SAP_JOB_AFTER_SIGNOFF', which is executed once sign-off has been completed, to carry forward the open issues. This allows the open issues to be processed after the sign-off data freeze for the applicable timeframe.

 

 

Once the background job is scheduled, it is executed every time the sign-off is completed. The issues that are carried forward include the assessment, testing and remediation plans.

 


 

 

The system automatically creates the carry-forward case for the pending cases:

a) Close assessments without issues - when there is no issue for an assessment, the assessment is closed directly.

b) Clone the open issues - only open issues (with the corresponding assessment, testing and remediation plan, if they exist) are cloned. Closed issues are kept as they were.

c) Workflow replacement - the old issue (and the corresponding remediation plan, if it exists) is removed from the work inbox (logically deleted), and a new work item is generated for the newly cloned case.

 

 

 

4. Copy Documents After Carry Forward

 

 

In this Customizing activity, you set up the background job 'GRPC_DOCUMENTS_CLONING_JOB' to carry forward the documents of the cases. It is executed after the carry forward of issues has been completed. This applies to assessment, testing, issue and remediation plan cases.

 

 


This process makes the document attachments of the cases available when the cases are carried forward. Once the background job is scheduled, it is executed every time the background job to carry forward open issues has completed.

 










How to implement Enhancement for Custom defined field(s) in GRC Process Control 10.0 and 10.1.


Applies to: GRC Process Control 10.0 / Process Control 10.1.

 

Summary

This document describes how to implement the enhancement for Custom Defined Field(s) in GRC Process Control 10.0 and 10.1.

 

Author: Amit Saini

 

Created on: April 2015

 

Prerequisite(s): Custom Defined Field(s) are already defined.

 

 

Audience

 

GRC Process Control consultants, partners.

 

 

Introduction

 

With SAP GRC Process Control 10.0/10.1, there is added flexibility in defining customer-specific fields. You can define them as ‘single value’ or ‘multiple values’ for either an HR entity, for example “Organization”, or a non-HR entity, for example “Issue”. In order to control the visibility of CDF fields on the UI, for example to mark CDF fields as ‘Required’, ‘Hidden’ or ‘Read Only’, we need to implement the enhancement spot.

 

 

Implementing the ‘Enhancement’ spot

 

 

First, we need to define a class [transaction ‘SE24’] which implements the interface ‘IF_GRFN_API_CUSTOMFIELD_BADI’.

 

 


 

 

The changing parameters CT_CUSTOMFIELD_MDATA and CT_CUSTOMFIELD_DATA are available in method AFTER_RETRIEVE and can be modified.

 


 

 

Table CT_CUSTOMFIELD_MDATA is used to adjust the following fields:

  • HIDDEN can be used to hide the field on the UI.
  • READONLY can be used to set the field to “Display only”.
  • REQUIRED can be used to make the field required.
  • VALUESET can be used to define the texts for a dropdown.
  • FIELDLABEL can be used to adjust the label of the field.

 


 

 

 

Table CT_CUSTOMFIELD_DATA is used to adjust the field "VALUE" and can be used for value defaulting.

 

In the method BEFORE_UPDATE, we can modify the value entered by the user, or implement an “input check” and raise an exception if the user entry does not pass the check.

 

Second, we need to implement the new BAdI using the enhancement spot ‘GRFN_API_CUSTOMFIELD’.

 

This enhancement spot is called during the ‘Retrieve’ and ‘Update’ of Custom Defined fields for both HR and non-HR entities.

 

The transaction used is SE19.

 

Choose enhancement as ‘GRFN_API_CUSTOMFIELD’ and click on button ‘Create Implementation’.

 


 

 

 

Enter the name and text of the ‘Implementation’ we want to create, and do not select the option ‘Composite Enhancement Implementation’.

 


 

 

An "Enhancement Implementation" can only contain one type of "Enhancement Implementation Element". Therefore, for a project where you must implement enhancements to both an Enhancement Point and a Function Module Interface, you cannot group them in the same Enhancement Implementation. Instead, you must create two separate Enhancement Implementations and in turn group those in a "Composite Enhancement Implementation". For our example, we only need to implement a BAdI, and hence did not select the option ‘Composite Enhancement Implementation’.

 

 

 

Enter the implementation class ‘ZBADI_USER_DEFINED’ defined in the first step and continue.

 


 

 

Save and activate the ‘Enhancement Implementation’.

 


 

 

 

Now we can implement IF_GRFN_API_CUSTOMFIELD_BADI~AFTER_RETRIEVE and IF_GRFN_API_CUSTOMFIELD_BADI~BEFORE_UPDATE in the implementing class ZBADI_USER_DEFINED to control the CDF on the UI.

 

 

Let us understand this with an example. Execute program ‘GRFN_CHECK_CDF’ to see the metadata that was created.

 


 

 

I want to set the field ‘ZTEST_VALUE’ defined for ‘Issue’ as mandatory using my enhancement point.


 

 

So I implemented the methods IF_GRFN_API_CUSTOMFIELD_BADI~AFTER_RETRIEVE and IF_GRFN_API_CUSTOMFIELD_BADI~BEFORE_UPDATE in class ZBADI_USER_DEFINED.

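As an added illustration (not code from the original document), a possible implementation of the two methods for the ZTEST_VALUE case described above. The interface, method and changing-parameter names come from the text; the row component names FIELDNAME and VALUE, the label text and the exception class CX_GRFN_EXCEPTION are assumptions to be checked against the actual signature shown in SE24.

```abap
CLASS zbadi_user_defined DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_badi_interface.
    INTERFACES if_grfn_api_customfield_badi.
  PRIVATE SECTION.
    " The CDF defined for the Issue entity (see GRFN_CHECK_CDF output).
    CONSTANTS gc_field TYPE c LENGTH 30 VALUE 'ZTEST_VALUE'.
ENDCLASS.

CLASS zbadi_user_defined IMPLEMENTATION.

  METHOD if_grfn_api_customfield_badi~after_retrieve.
    " Called from CL_GRFN_UTIL_CDF=>API_RETRIEVE_CUSTOMFIELD before the CDF
    " metadata reaches the UI. Assumption: each row of CT_CUSTOMFIELD_MDATA
    " identifies its CDF in component FIELDNAME; the flag components
    " HIDDEN / READONLY / REQUIRED / FIELDLABEL are the ones named in the text.
    FIELD-SYMBOLS <ls_mdata> LIKE LINE OF ct_customfield_mdata.

    LOOP AT ct_customfield_mdata ASSIGNING <ls_mdata>
         WHERE fieldname = gc_field.
      <ls_mdata>-required   = abap_true.    " mark as mandatory
      <ls_mdata>-hidden     = abap_false.   " make sure it is visible
      <ls_mdata>-readonly   = abap_false.   " and editable
      <ls_mdata>-fieldlabel = 'Test value (mandatory)'.  " assumed label text
    ENDLOOP.
  ENDMETHOD.

  METHOD if_grfn_api_customfield_badi~before_update.
    " Called from CL_GRFN_UTIL_CDF=>API_UPDATE_CUSTOMFIELD before the entity
    " is saved. The REQUIRED flag above only drives the UI; this check enforces
    " the rule on the server side as well, so a blank or whitespace-only value
    " cannot be saved through any channel. Assumption: component VALUE holds
    " the user entry and the method signature declares CX_GRFN_EXCEPTION.
    FIELD-SYMBOLS <ls_data> LIKE LINE OF ct_customfield_data.

    LOOP AT ct_customfield_data ASSIGNING <ls_data>
         WHERE fieldname = gc_field.
      " Normalise the entry: leading/trailing blanks are not a value.
      CONDENSE <ls_data>-value.
      IF <ls_data>-value IS INITIAL.
        RAISE EXCEPTION TYPE cx_grfn_exception.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.
```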

 

 

 

Now I perform the ‘Manual Test of Effectiveness’ task for a manual control.

 


 

 

 

And create an issue for the control.

 

 


 

 

 

Method ‘API_RETRIEVE_CUSTOMFIELD’ of class ‘CL_GRFN_UTIL_CDF’ is used to read and modify the CDF metadata. It in turn calls the enhancement point ‘GRFN_API_CUSTOMFIELD’.

 

 

If method IF_GRFN_API_CUSTOMFIELD_BADI~AFTER_RETRIEVE is implemented, it modifies the CDF metadata.

 


 

 

 

Once the highlighted source code has been executed, the metadata is changed.


 

 

The CDF is now mandatory through the ‘Enhancement point’ implementation.


 

 

Now the user submits data without entering the mandatory custom defined fields.

 


 

 

 

A check has been implemented in IF_GRFN_API_CUSTOMFIELD_BADI~BEFORE_UPDATE of class ‘ZBADI_USER_DEFINED’ to check the input values for the CDF. It is called via ‘API_UPDATE_CUSTOMFIELD’ of class ‘CL_GRFN_UTIL_CDF’.

 

 

 


 

 

 

The user is not able to submit data without entering the Custom Defined Field(s).


 

 

 

Emergency Access Management (EAM) for Webdynpro applications or Web-based applications - GRC 10.0

Emergency Access Management (EAM) is basically designed to support ABAP-based applications. Hence there are a lot of limitations and issues if it is used for Web Dynpro and web-based applications.

 

Please go through the SAP notes below when trying to implement EAM for Web Dynpro or web-based applications, to understand the GRC EAM limitations.

 

1796682 - 'User Type must be Dialog User' Dump comes when FFID tries to login to NWBC

1905295 - Launching firefighter application from NWBC not working

Object Services icon not available in Firefighter ID session

 

Important points to be considered

 

1. The Firefighter approach will not work for Web Dynpro and web-based applications if the Firefighter ID is a service user ID. Please check the SAP note below on this:

 

1588075 - SSO fails for service type users in FF session.

 

2. Since SAP does not support SSO for service user IDs, for GRC 10 SAP suggests a workaround: convert the Firefighter IDs from the Service to the Dialog user type to make them work properly.

 

3. When the Firefighter ID is changed to the dialog user type, make sure that no password aging policy is implemented in that system. If password aging is active in your system, you will be asked to change the password at regular intervals.

 

4. After converting the Firefighter ID to the dialog user type, maintain a password that is not known to anyone, or generate the password, and save it. This Firefighter ID can now be used to log in as a Firefighter.

 

5. Once the above changes are made and the Firefighter user executes the NWBC or CRM_UI transactions, the web link shows a Change Password screen for the Firefighter ID. To avoid this issue, implement the SAP note below:

 

1736116 - Password change window pops up after Firefighter ID launches NWBC

 

6. The logs for the activities performed by the Firefighter ID are picked up first from STAD and then from CDHDR. If the details are not available in these two, the activity details will not be picked up at all. I believe that such information is not captured in the above two when the Firefighter ID logs on to web applications, and that is why it is not picked up.

 

Before gathering the above information, I went through a lot of discussions on this forum regarding the same topic.

 

Does SPM (firefighter) support transactions CRM_UI, WUI, START_BSP using SSO?

Risk Analysis, SPM for CRM UI ( CRM 2007)

EAM Issue

Configure Emergency Access (EAM) in GRC 10 | SCN

 

There is an idea submitted in the Idea Place requesting SAP to enhance GRC 10 to support EAM for CRM, SRM, TM, etc., which use the Web UI. Please check it out.

 

EAM - Firefighter not works for portal system such SRM - CRM , etc : View Idea

UAR (User Access Review) in GRC10 Access Control: Common issues, Notes

Purpose of the document:

This document describes the UAR (User Access Review) configuration in GRC10 Access Control and some common issues. There are Wiki documents in SCN for configuring and troubleshooting UAR; in addition to that existing information, I have documented here a collection of the common UAR issues and the related solution notes, to keep everything on the same page for easy searching.


I hope it will be helpful for those looking for the UAR configuration and for anyone who runs into a related issue.


For UAR workflow configuration and troubleshooting, refer to the Wiki links below.


User Access Review (UAR) Workflow Configuration and Description:

Wiki Document: http://wiki.scn.sap.com/wiki/x/foi-Eg

 

For troubleshooting:

Wiki Document: http://wiki.scn.sap.com/wiki/x/IYEcF

 

Make sure the following points/settings are in place; they are mandatory for UAR (User Access Review).


(1) Prerequisite jobs need to be executed, in sequence, as follows:

  • Repository Object Sync / GRAC_ROLEREP_ROLE_SYNC
  • Repository Object Sync / GRAC_ROLEREP_USER_SYNC
  • Action Usage Sync / GRAC_ACTION_USAGE_SYNC
  • Role Usage Sync / GRAC_ROLE_USAGE_SYNC

 

(2) Role Methodology verification: 

  • Verify that all the roles have been assigned to a methodology in 'Business Role Management'.


(3) Reviewer Verification:

  • Verify that the role owners have been assigned to roles or role users have a manager assigned from the data source system.


(4) Verify Mandatory Configurations: 

  • Verify that the following configuration parameters have been maintained in the IMG.

         Run transaction SPRO, then go to IMG --> SAP Reference IMG --> Governance, Risk and Compliance --> Access Control --> Maintain Configuration Settings

    1. parameter id = 2004 (Request Type for UAR)
    2. parameter id = 2005 (Default Priority)
    3. parameter id = 2006  (Who are the reviewers?)

 

(5) Verify Coordinator Assignments: 

  • Verify that a coordinator has been assigned to the reviewers (role owner/manager). The coordinator assignment can be viewed from Coordinator and Reviewer Mapping screen.

Go to NWBC work center Access Management --> Compliance Certification Reviews --> Manage Coordinators


(6) User Access Review workflow job:

  • Verify that the task "Update Workflow for UAR request" has been executed from the background scheduler screen, or that the program GRAC_UAR_UPDATE_WORKFLOW has been executed.

  If the update workflow job does not trigger the workflow, check the note below:

1732890 - GRC 10.0 - Update Workflow for UAR request job does not trigger the workflow


(7) Verify Request Review:

  • Verify that all the requests are approved by the administrator from Request Review Screen.

Go to NWBC work center Access Management --> Compliance Certification Reviews --> Request Review.

Note: This only applies when 'Admin Review' is configured (in the IMG, Governance, Risk and Compliance --> Access Control --> Maintain Configuration Settings, parameter id = 2007).


Most common errors when using User Access Review (various dumps):

1955397 - Background jobs fail with SYSTEM_NO_ROLL error message in ABAP dump

1620493 - GRC 10.0 UAR Background Job stuck

2062769 - UAR update workflow job dumps in case of huge data

1879104 - UAM: Getting dump while scheduling UAR request with huge data 

1980305 - UAM: UAR report dumps when role usage data is huge

1780760 - Accessing the UAR request results in DUMP.

1977399 - UAM: UAR status report throwing dump.

2044946 - UAM: Dump is coming while forwarding UAR Request


If a number of backend systems are connected to the GRC system and UAR requests cannot be generated for some of them, check the note below:

2066113 - UAR requests not getting generated for some systems

 

If the error 'Submission failure of request' or 'No active version exists for process SAP_GRAC_USER_ACCESS_REVIEW' occurs while submitting a UAR request, check the note below:

1620495 - GRC 10.0 UAR - Submission failure of request


If a created variant is not working for the UAR review, check the note below:

2042714 - UAM:Save variant not working for UAR request


If the error 'Incorrect Request Type configuration for UAR Request' occurs, check the note below:

2040454 - Unable to generate UAR due to Incorrect Request Type configuration for UAR Request


If the UAR request screen is empty when the approver opens it for approval, check the note below:

1938863 - UAR Review - No content to approve when approver opens the UAR request from inbox


If the button 'Cancel Rejection' does not appear for the approver, check the note below:

1768509 - The button 'Cancel Rejection' does not appear in User Access Review request

 

If an error occurs while forwarding the request to a reviewer with the Return option, check the note below:

1988128 - UAM: Missing line items with forward and return in UAR

 

Sometimes the users' full details are not shown in the UAR request; this is basically a connector issue. Check the note below:

2053211 - Full name of some users is not shown in UAR request

 

If we are using two stages of approval for the UAR request, we need to maintain the approval type as 'Complete request' in both stages; otherwise the approver cannot see the details at the second stage. Check the note below:

1907938 - UAR - User and Role details are not visible in request


We need to make the Escalation parameter visible in the UAR request history report; otherwise a 'No record found' message will appear in the UAR request history report. Check the note below:

1805804 - UAR: No record found message in User Access Review History Report


Check the note below for what controls the 'View By' field in the UAR request screen:

1867208 - How to understand what controls the “View By” field in the UAR Request Screen


If the 'Generate data for access request UAR review' job status stays 'In Progress', check the note below:

2038346 - UAR/SOD jobs do not finish and keep 'In Progress' status


If only partial data appears in the audit log, check the note below:

2037408 - Audit log is showing partial data for UAR request


If there is no audit log entry for SAVE in UAR, check the note below:

1947373 - UAM:Unable to make comments mandatory & audit log for save in UAR


If the request shows indirect roles and a wrong usage count, check the note below:

1910670 - UAR Request shows indirect roles and wrong usage count

 

Some of the old threads for more information on User Access Review:


UAR Review: http://scn.sap.com/thread/3719805


GRC10 - UAR using BRF+ Agent Rule: http://scn.sap.com/thread/2104971


GRC 10 UAR - Different UAR Approvers: http://scn.sap.com/thread/3297507.


Generates data for access request UAR review: http://scn.sap.com/thread/3276890.


User Access Review Workflow - GRC 10: http://scn.sap.com/thread/3535425


GRC AC V10 - UAR config steps: http://scn.sap.com/thread/2063607.


GRC 10.0 User Access Review-user details not showing in description: http://scn.sap.com/thread/3332003


SAP GRC10 - UAR Review: http://scn.sap.com/thread/2116399


GRC 10 UAR tables: http://scn.sap.com/thread/3721729


If a UAR request cannot be generated for a huge volume of data, check the note below:

2075604 - UAR Request not generating with huge role data

Example: the 'Role or User starts with' option.

Please share or add any new issues/errors that occur while working with UAR (User Access Review), so that we can include them on the same page for easy availability.


Regards

Baithi

GRC Document Collaboration Topics


Hi All

 

If you are wondering what this document is all about then please refer to: Community Collaboration for GRC Blogs and Documents - you will find an overview of what this community collaboration is about and the rules on how you can contribute. You are still encouraged to write your own blogs and documents without participating in this process (it would be nice if you could update this document to let the community know you are working on something).

 

You are also welcome to be both the person who suggests the topic and the author. This can advertise you are working on the topic and hold yourself accountable to a deadline that the community is aware of.

 

Remember: Add a row below the 3rd row of the table to include your suggestion. Please do not change the first three heading rows, as these rows indicate the title and a short summary of the content below. When including your name, please include your SCN profile as a hyperlink (the easiest way is to open your profile in a new browser tab and copy the URL).

 

Step 1: Requester to Complete | | | | Step 2: Author to complete | | | Step 3: Author to Publish
Date Suggested | Suggested By | Document Type | Idea | Author | Date Due | Assistance? | Link to item
DD/MM/YY | Your SCN Profile URL | blog or document | Title or topic idea | Your SCN Profile URL | DD/MM/YY | Do you want any assistance? If yes, summarise (input, review, etc) | SCN document or blog link
27/05/14 | S A | Document | EAM Audit Trail, Utilisation from a business point of view, high level | Alessandro Banzer | 31/05/15 | | EAM Utilisation and Log Review Process
27/08/14 | Alessandro Banzer / Colleen Lee | Document | Analysis of the SAP delivered rule-set - do you accept as it is? Do you build your own or do you do something in between? | | | |
13/09/14 | Colleen Lee | Document | Business Role Management - overview and use of the methodology customisation | | | |
13/09/14 | Colleen Lee | Blog | Business Role Manager - What are the benefits and issues with using BRM and integrating with ARA and ARQ? | | | |
02/10/14 | S A | Document | PSS - Best practices, pitfalls to avoid and things to consider while enabling PSS? | Colleen Lee | 12/10/14 | Reviewed by S.A, Alessandro & Gretchen | Design Considerations to reduce Password Self Service (PSS) Intruder Risk
02/10/14 | Colleen Lee | Blog | BRM - discussion use of profile generation to distribute role to different systems vs system transports | Alessandro Banzer | 12/12/14 | Input from Susanne Obrist-Niederer (Susanne is a highly experienced authorization consultant with several international projects in her backpack). |
02/10/14 | Colleen Lee | Document | Summary of the GRC Org structure - which sections apply to AC, PC and RM and any tips on integration with ERP | | | |
30/10/14 | Darnell Suggs | Document | Link or Page to latest Configuration and Integration Documents for GRC AC 10.1 similar to SAP BOBJ AC 10.0 | | | |
21/11/14 | Alessandro Banzer | Document | Usage of EAM - appropriate and inappropriate usage and its dangers | Alessandro Banzer | 30/11/14 | Reviewed by Alessandro & Colleen | Usage of EAM
02/03/15 | Alessandro Banzer | Document | Differences of direct and indirect role assignment | Alessandro Banzer | 06/03/15 | | Direct vs. Indirect Role Assignment
How to set up a Configurable Business Rule


I have created this document in order to help the customer with one of many sub scenarios provided by Process Control Business Rules. My objective is to create one document for each sub scenario. This is the first one.

 

Before you start creating Data Sources and Business Rules, check the table logging profile parameter (rec/client) in RZ11. You can specify specific clients for table logging or set the default option to ‘All’. Check SAP note 1653464 for further information on performance.

When setting continuous monitoring, you must create a Data Source.

 

Why create a Data Source?

 

A data source, once created, can be used by many business rules. The data source defines where the system obtains the monitored data.

 

Supported Sub-scenarios:

  • SAP Query
  • BW Query
  • Process Integration
  • SoD Integration
  • Configurable
  • Programmed
  • Event
  • ABAP report
  • External Partner

In this tutorial we will only look at the Configurable sub-scenario (highlighted in gray in the screenshot).

 

Creating a Data Source:

 

Filling out the General Tab:

DS1.JPG

 

Object Field:

 

In this example, I first chose to monitor changes in HRP1000 and selected some table fields to look up, but I could not find any information related to this table.

HR tables are not supported in the Configurable scenario. There is a workaround: you can maintain the HR/PA table name in table /GRCPI/GRIASPEC, after which it can be used in the Configurable scenario. However, SAP does not take any responsibility for this workaround and it is not recommended; customers implement it at their own risk. So we need to choose another table to look up.

 

  • Choose LFA1.

 

LFA1 (Vendor master table) is a standard SAP Table.

 

DS2.JPG

Explanation of Related Table Lookup:

The Reference and Dependent tables options define the direction of the relationships.

Dependent tables are those which refer to (as foreign keys) the key fields of your main table (primary keys), while reference tables are the opposite: they hold the primary keys to which your main table refers as foreign keys. You can join multiple related tables together in such a compound data source, with the constraint that the join conditions are restricted to equality relationships between fields of like type. For the most part, it is expected you will join primary keys to foreign keys. PC 10.0 looks up known relationships from the data dictionary and pre-populates the join conditions area as you go.

 

When creating a Join condition in data sources, you may consider the following:

  • Whether the join condition will let the result table retrieve data at all (see the cause described in KBA 2177348);
  • The maximum number of related tables is 5 (five);
  • Some fields may not appear in the join condition (see the explanation in the resolution section of KBA 1970160);
  • If duplicated tables are created when adding the related tables in the join condition, SAP note 1880242 must be implemented.

 

Next step is to perform an ad-hoc query to check whether the table data is being retrieved.

 

DS3.JPG

The results were retrieved successfully, meaning that the connection is okay.

 

In the connectors tab, you can check the connectors assigned to this Data Source. You can have multiple Connectors assigned to one Data Source.

 

DS4.JPG

The Data Source must be active to be available in the Business Rule.

 

DS5.JPG

 

Creating a business rule:

 

 

Select the Data Source created and press Start.

 

BR1.JPG

 

I chose the data I have selected in the Data Source. Here you can choose the fields you want to monitor:

 

BR2.JPG

 

In the filter criteria, I only included the field 'Name of Person who Created the Object':

 

BR3.JPG

 

For the filter values, I chose ZHAOBR (include this range). I just want to include changes made by this user.

 

BR4.JPG

 

In the deficiency criteria, a handler must be selected in order to get the changes from the target system. The table change log evaluated via SCU3 is the source of these changes.

 

BR5.JPG

 

Once selected, the fields must be shown in the Field Description.

 

If the fields are not available, the user needs to check in the target system whether or not the table LFA1 (the table used in this example) is active for change logging.

 

Go to SE11 and type the table in the Database table field:

 

se11.JPG

 

Go to technical settings of the table:

 

se112.JPG

 

Enable Log Data Changes:

 

se113.JPG

 

Check in SCU3 whether changes to table LFA1 are being logged after the change:

 

scu3.JPG

After this procedure, if you still cannot see the deficiency fields, check your GRCPINW support package level. An enhancement was made to capture the table change log directly from SCU3. Apply SAP note 1796052 if you are below Support Package 10 of GRCPINW.
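The three things the procedure above checks by hand (the rec/client parameter in RZ11, the 'Log data changes' flag in the SE11 technical settings, and whether SCU3 shows entries) can be verified in one small report on the target system. This is an added example, not the article's code: it reads DD09L-PROTOKOLL (the technical-settings flag) and DBTABLOG (the change log that SCU3 evaluates), both standard dictionary tables; the table name LFA1 comes from the article, and the default date range is constructed.

```abap
" Added example (not from the article): verify table change logging for a table
" before building a Configurable business rule on it.
REPORT zgrc_check_table_logging.

PARAMETERS: p_table TYPE tabname  DEFAULT 'LFA1',   " table from the article
            p_from  TYPE sy-datum DEFAULT '20120101', " constructed default range
            p_to    TYPE sy-datum DEFAULT sy-datum.

CLASS lcl_log_check DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS is_logging_flag_set
      IMPORTING iv_table      TYPE tabname
      RETURNING VALUE(rv_set) TYPE abap_bool.
    CLASS-METHODS rec_client_value
      RETURNING VALUE(rv_value) TYPE string.
    CLASS-METHODS count_log_entries
      IMPORTING iv_table        TYPE tabname
                iv_from         TYPE sy-datum
                iv_to           TYPE sy-datum
      RETURNING VALUE(rv_count) TYPE i.
ENDCLASS.

CLASS lcl_log_check IMPLEMENTATION.
  METHOD is_logging_flag_set.
    " DD09L holds the technical settings of the active table version;
    " PROTOKOLL = 'X' is the SE11 "Log data changes" checkbox.
    SELECT SINGLE protokoll FROM dd09l INTO @DATA(lv_flag)
      WHERE tabname  = @iv_table
        AND as4local = 'A'.
    rv_set = xsdbool( sy-subrc = 0 AND lv_flag = abap_true ).
  ENDMETHOD.

  METHOD rec_client_value.
    " Profile parameter rec/client (RZ11): OFF switches logging off for the
    " whole system, regardless of the DD09L flag.
    DATA lv_value TYPE c LENGTH 60.
    CALL 'C_SAPGPARAM' ID 'NAME'  FIELD 'rec/client'
                       ID 'VALUE' FIELD lv_value.
    rv_value = condense( lv_value ).
  ENDMETHOD.

  METHOD count_log_entries.
    " DBTABLOG is the change log that transaction SCU3 displays.
    SELECT COUNT( * ) FROM dbtablog INTO @rv_count
      WHERE tabname = @iv_table
        AND logdate BETWEEN @iv_from AND @iv_to.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lv_rec) = lcl_log_check=>rec_client_value( ).
  WRITE: / 'rec/client:', lv_rec.
  IF lv_rec = 'OFF' OR lv_rec IS INITIAL.
    WRITE: / 'Table logging is disabled at profile level; maintain rec/client.'.
  ENDIF.

  IF lcl_log_check=>is_logging_flag_set( p_table ) = abap_true.
    WRITE: / '"Log data changes" is ON for', p_table.
  ELSE.
    WRITE: / '"Log data changes" is OFF for', p_table, '(enable it in SE11).'.
  ENDIF.

  DATA(lv_count) = lcl_log_check=>count_log_entries( iv_table = p_table
                                                     iv_from  = p_from
                                                     iv_to    = p_to ).
  WRITE: / 'DBTABLOG entries in range:', lv_count.
```

If the flag is on but the count stays at zero after a test change, the rec/client setting or a client that is excluded from logging is the usual cause.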

 

Now, if we return to the Business Rules, the field descriptions are activated.

 

BR6.JPG

Conditions and Calculations

 

In this step you can add further conditions to the Business Rule (BRFplus). You can fully customize the BR according to your company's needs.

 

Output Format

 

In the output format you define how the business rule result will be shown.

 

Technical settings:

 

These settings basically affect the execution and performance of monitoring. It is always a best practice to test the performance of rules before transporting to production.

 

1. Calculate deficiency -> Remotely

 

This is used in the same way as in PC 3.0. The job collects the data and applies the rule only to the returned data that the ERP system has already classified as deficient. When the data volume is huge, this method helps to reduce the amount of data retrieved.

 

2. Calculate deficiency -> Locally

 

This is used for almost all the sub scenarios. It analyzes the data on Process Control side. Rules are applied on the Process Control side as well.

 

3. Communication mode -> Asynchronous

 

Process Control triggers a job step (the execution of a Business Rule) via RFC in the ERP system, where it runs in background mode. When the execution is finished, the RTA sends the result back to Process Control via RFC. It is a two-way communication.

 

4. Communication mode -> Synchronous

 

Most of the sub-scenarios use this. It means that when a job step is executed, the work process waits for the result of the RFC call and then processes it. In most cases, this is used to calculate deficiencies locally.

 

5. Change log type

 

Here you can include the change types you want the business rule to capture.

 

Ad-hoc query

 

Here you will test your business rule against all the criteria you have established.

 

No data found.JPG

The message is not an error. It means that no information was found for that timeframe and that connector. Changing the timeframe to 2012, for example, I can find results.

 

adhoc.JPG

 

Based on my conditions and filters, the results shown are correct.

 

Checking SCU3:

scu32.JPG

 

I can see the same results.

 

After these steps, rules must be assigned to controls.

 

The results will only be found according to the deficiency criteria. Other fields will not be taken into consideration.

 

If you are familiar with debugging, you can debug the ad-hoc query to check the results at code level by following the steps in the following wiki:

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)


SAP governance, risk, and compliance (GRC) solutions provide organizations with a preventative, real-time approach to GRC across heterogeneous environments, enabling complete insight into risk and compliance initiatives, greater efficiency, and a faster response to changing business conditions.

 

The GRC area on the BPX Community aims at being a forum for business process experts who are using or intending to use SAP GRC solutions. It also introduces the best practices and methodology behind these solutions and demonstrates how they're being used in a variety of industries and business solution areas. SAP.com has a collection of customer successes, brochures, and whitepapers, as well as news and events.

 

The SAP BusinessObjects GRC solutions roadmap comprises several applications, including SAP Access Control, which enables all corporate compliance stakeholders to confidently control access and prevent fraud throughout the enterprise, and SAP Process Control, which allows organizations to drive confidence through continuous control monitoring.

 

The following image demonstrates where GRC solutions fit - the various industries and solution areas where they are applicable and currently being used:

SAP Solutions for Governance, Risk and Compliance
SAP Access Control - Useful Documents, Blogs, Resources, etc.


This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.

 

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Processes, Lifecycles and Responsibilities

 

 

General opinion and thought-leadership

Are you ready to implement GRC 10?

A lot of help from my friends

If I had it to do all over: looking back on GRC 10 projects

Lessons learned from SAP GRC projects

Remediating Access Control SoD Risks

Internal Controls - a step towards strong controls

Defining Mitigating Controls / Compensating Controls

IT Control Testing - SOX Compliance

A #GRC tool is just part of the solution

It’s Just a Few GRC Ideas.Place

 

 

GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

NWBC screen layout options for GRC

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Configure LaunchPad for Menus

Customizing Access request and approval screens in GRC Access Control

Issues, Bugs in GRC SP13 - Related Fixes

wiki.pngGeneral tips to help in troubleshooting scenarios

wiki.pngAccess Control Debugging tips

SAP GRC AC 10.1 - Enhancements

How to delete roles, mitigation controls, users, and other informations from one connector

 

 

Product Support

GRC Product Support Monthly Newsletter

 

 

HR Triggers

wiki.png Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

wiki.png GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool

GRC Access Control - Compliant User Provisioning: HR Triggers

wiki.png Debugging HR Trigger - GRAC_HR_TRIGGER_EVENT_RECIEVER

wiki.png Debugging HR Trigger - Simulation

wiki.png Debugging HR Trigger - PA40 changes to infotypes

 

 

MSMP Workflows

AC 10.0 - Customizing Workflows for Access Management

MSMP - Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility

 

 

BRF+ Configuration

Determining the Logic behind Decision Tables

 

 

LDAP

Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control

LDAP Group parameter mapping.. what does it mean?

 

 

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

 

 

Access Control with Identity Management (IdM)

SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management

SAP Access Control 10.0 Interface for Identity Management

 

 

SAP GRC with SAP BPC

How to Assign SAP Business Planning and Consolidation Authorizations via the SAP Governance, Risk, and Compliance (GRC) Access Control Compliance User Provisioning Product

 

 

Access Risk Analysis (ARA)

ARA - For the new kid on the block

Rule set - Rules & Rule Types

Business Risks / Rule Set

Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

How to set up a Configurable Business Rule

Online vs. Offline Risk Analysis

Creation of Mitigation Controls in GRC 10.0

Organizational Rules in GRC Access Control

Mass change of Mitigation Assignments

SAP GRC AC 10.0 Alerting

wiki.png The Action Usage Sync job in technical details - GRC Access Control 10.0

wiki.png The Repository - GRC Access Control 10.0 

 

 

Access Request Management (ARM)

ARM - For the new kid on the block

AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

Approve/Reject Own Requests

How to Change Subject Line in SAP GRC Email notification

Recommendations for using Business roles provisioning in access request

Configure Manager Look-Up in ARM for GRC 10

Role Search Screen Enhancement – GRC 10

Terminate Account - Request Process - GRC 10

Creating Access Request: Template Based Requests and Configuring End User Personalization forms for use with Access Requ


GRC Request with both System and Role Line Items

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Access Control: - Create Access Request Using Web Service in GRC10

Design Considerations to reduce Password Self Service (PSS) Intruder Risk

wiki.png User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

Direct vs. Indirect Role Assignment

 

 

Business Role Management (BRM)

BRM - For the new kid on the block

Maintain Default Roles in BRM GRC AC 10.1

Role Import - GRC 10

Import Role from ECC to GRC system

wiki.png Business Roles concept and usability in GRC AC10

Enabling Business Role updates to existing assigned users

BRM Default Approvers via Condition Groups

BRM Role Methodology via Condition Groups

 

Emergency Access Management (EAM)

EAM - For the new kid on the block

Usage of EAM

EAM - Provisioning Strategies

EAM Utilisation and Log Review Process 

ID-Based Firefighting vs. Role-Based Firefighting

AC 10.0 - Centralized Emergency Access

Configure Emergency Access (EAM) in GRC 10

De-centralized EAM GRC 10.0

EAM - Approve through Wrokflow

Emergency Access Management Reporting

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

EAM: Requesting emergency access via access request workflow in SAP GRC - step by step.

 

 

See also

SAP Process Control - Useful Documents, Blogs, Resources, etc.

SAP Risk Management - Useful Documents, Blogs, Resources, etc.

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.

 

 

Legend

 

document.pngSAP SCN Documents
blog.pngSAP SCN Blogs
wiki.pngSAP Wiki
Newly added document (Contributors: please select from Emoticons )

 

 

Please help in updating the collection so that new users can get a well structured overview for their information.

 

Best regards,

Alessandro

Rule set - Rules & Rule Types


In regard to my document about Rule Set / Business Risks, I would like to give some detailed information about rules and rule types. As we learned, rules (or risk rules) are the possible combinations of transactions and permissions for a business risk.

 

Rules must be generated whenever the risk contents change. This can be done in SPRO (GRC > Access Control > Access Risk Analysis > SOD Rules > Generate SoD Rules). Generally, rules are combinations of actions and are not maintained manually (this is done automatically by the program).

 

The number of rules defined from a risk is determined by

  • the number of action combinations, and
  • permission/field value combinations contained in each function of the risk.

 

The following graphic shows the rule structure in more detail:

 

RuleStructure.png

 

Now let me give you a short overview of the different types of rules considered by GRC.

 

Transaction Rules

 

Rule components are as follows:

  • System
  • Conflicting Actions
  • Rule ID
  • Risk Level
  • Status

 

Example (from the graphic above):

F001001: Maintain fictitious GL account & hide activity via postings

F001001 - Risk ID (the leading part, F001)

F001001 - Action code combination number (the trailing part, 001; represents the Conflicting Actions)
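To make the fan-out from one risk to many transaction rules concrete, the following added example (not SAP's generation program, which runs from SPRO as described above) enumerates every combination of one action per function and numbers the combinations the way the rule IDs above are built: a 4-character risk ID followed by a 3-digit sequence number. The risk F001 comes from the article; the functions GL01/GL02 and their actions are constructed sample data, and the permission level (the extra 2-digit suffix) is not covered.

```abap
" Added illustration of transaction rule IDs fanning out from one risk.
" Not SAP's rule generation program; functions and actions are constructed.
CLASS lcl_rule_demo DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_function,
             function_id TYPE string,
             actions     TYPE string_table,   " transaction codes in the function
           END OF ty_function,
           ty_functions TYPE STANDARD TABLE OF ty_function WITH EMPTY KEY,
           BEGIN OF ty_rule,
             rule_id TYPE string,             " e.g. F001001
             actions TYPE string,             " the conflicting actions
           END OF ty_rule,
           ty_rules TYPE STANDARD TABLE OF ty_rule WITH EMPTY KEY.
    CLASS-METHODS enumerate_rules
      IMPORTING iv_risk_id      TYPE string
                it_functions    TYPE ty_functions
      RETURNING VALUE(rt_rules) TYPE ty_rules.
ENDCLASS.

CLASS lcl_rule_demo IMPLEMENTATION.
  METHOD enumerate_rules.
    " Iterative cartesian product: start with one empty combination and
    " extend it by every action of each function in turn.
    DATA lt_combos TYPE string_table.
    DATA lt_next   TYPE string_table.
    APPEND `` TO lt_combos.
    LOOP AT it_functions INTO DATA(ls_function).
      CLEAR lt_next.
      LOOP AT lt_combos INTO DATA(lv_combo).
        LOOP AT ls_function-actions INTO DATA(lv_action).
          APPEND COND string( WHEN lv_combo IS INITIAL THEN lv_action
                              ELSE |{ lv_combo } & { lv_action }| ) TO lt_next.
        ENDLOOP.
      ENDLOOP.
      lt_combos = lt_next.
    ENDLOOP.
    " Rule ID = Risk ID (4 chars) + 3-digit sequence number of the combination
    LOOP AT lt_combos INTO lv_combo.
      DATA(lv_seq) = |{ sy-tabix WIDTH = 3 ALIGN = RIGHT PAD = '0' }|.
      APPEND VALUE #( rule_id = |{ iv_risk_id }{ lv_seq }|
                      actions = lv_combo ) TO rt_rules.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample: two functions with 2 and 3 actions -> 2 x 3 = 6 rules
  DATA(lt_rules) = lcl_rule_demo=>enumerate_rules(
    iv_risk_id   = `F001`
    it_functions = VALUE #(
      ( function_id = `GL01` actions = VALUE #( ( `FS00` ) ( `FSP0` ) ) )
      ( function_id = `GL02` actions = VALUE #( ( `FB01` ) ( `FB50` ) ( `F-02` ) ) ) ) ).
  LOOP AT lt_rules INTO DATA(ls_rule).
    WRITE: / ls_rule-rule_id, ls_rule-actions.   " F001001 FS00 & FB01, ...
  ENDLOOP.
```

Adding a third function with four actions would multiply the count to 24, which is why broad functions quickly inflate the generated rule set.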

 

 

Permission Rules

 

Rule components are as follows:

  • System
  • Object
  • Field
  • Rule ID
  • Risk Level
  • Status

Example (from the graphic above):

F00100101: Maintain fictitious GL account & hide activity via postings

F00100101 - Risk ID (the leading part, F001)

F00100101 - Action code combination number (the middle part, 001)

F00100101 - Object combination number (the trailing part, 01)

 

 

Critical Action

 

List of actions considered critical. There is an option to run at Action and/or Permission level. Critical Actions are created the same way as Segregation of Duty risks, except that Risk Type = Critical Action, and they can contain only 1 function (as shown above with SCC4).

 


Critical Permission

 

List of objects/permissions considered critical. Created the same way as Segregation of Duty risks, except that Risk Type = Critical Permission; they can contain only 1 function, and the function cannot contain actions.

 

 

Critical Roles and Profiles

 

Roles and profiles considered critical. Critical roles and profiles will be excluded from analysis if the configuration parameter 1031 (Ignore Critical Roles & Profiles) is set to YES.

 

 

Organizational

 

Used to eliminate false-positive SoD reporting based on organizational level restrictions for users. Organizational rules should not be created for mass org level reporting; they should only be enabled for functions that you specifically need to segregate. Most companies control what data a user has access to via role assignment. Only very few companies have a business need to create org rules. Please find more detailed information in Organizational Rules in GRC Access Control.

 

 

Supplementary

 

Additional security parameters other than authorizations a user must have to enable access. First checks to see if the user exists in the supplementary table, then checks if conditions are met. Based on exclusion setting, it will include or exclude the user in the risk analysis.

 

 

Please share and contribute in this document to make it better.

 

Looking forward to hearing from you.

 

Best regards,

Alessandro

Common Issues and Solutions while submitting Access Request


Hello All,


When an access request is submitted, the message we like to see on the screen is: "Request submitted successfully" with the request number. But sometimes we get errors when the request is submitted. In this document, please find some of the common issues along with their solutions.


Error No: 1


When submitting an Access Request, if you get the following error:

1.png

 

Solution


  • Go to transaction (t-code) GRFNMW_GEN_VERSION
  • Enter MSMP Process ID SAP_GRAC_ACCESS_REQUEST
  • Reactivate the workflow


If the error still appears after reactivating, try deleting the existing BRFplus rule and test again.

 

Error No: 2


When submitting an Access Request, if you get the following error:

2.png



Solution


  • This error occurs because the configuration of number ranges for provisioning requests has not been completed.
  • Follow path from transaction SPRO > Governance, Risk and Compliance > Access Control > User Provisioning > Maintain Number Range Intervals for Provisioning Requests (Click on the clock icon to execute.)
  • Enter GRACREQNO in the field and click paper icon to create.  Click on Number Ranges and add field to set range.  (Be sure to save values before exiting.)
  • Next, click execute icon before Define Number Range for Provisioning Requests, and click on New Entries. (It may begin with the number one (1).)
  • After creating, go back to the previous screen.  There should be a screen with the number range and a field labelled Active.  The circle should be empty in this active field next to the line where the number range is displayed, but it is mandatory to click into the field to make it active (circle will fill with black dot).  Save entries.
  • After creating workflow in MSMP, requests will now be created starting with the first number defined in the range.

 

Error No: 3


When submitting an Access Request, if you get the following error:

3.png

 

Solution

  • If a request type has ASSIGN OBJECT actions, the error message "Add at least one role to the request" is shown whenever no role has been added to the request.


Error No: 4


When submitting an Access Request, if you get the following error:

4.png


Solution


  • If mapped default roles are used but have not been set up in NWBC, the request fails because the mapping adds an additional line item.
  • If a BRF+ rule is used, run a simulation. Check the decision table for the items expected; it should return a result. If it does not return the expected results, adjust the rule.
  • Check whether the SAP_ALL profile is assigned to the background user WF-BATCH.


Error No: 5


When submitting an Access Request, if you get the following error:

 

5.png


Solution

  • Check whether the Valid From and Valid To dates are maintained correctly.
  • Also check that the Valid To date is later than the current date.

 

Error No: 6

When submitting an Access Request, if you get the following error:

6.png

 

 

ITEM 0002 resulted to cannot resolve path; check routing mapping
Request submit failed; error in MSMP submit method

Solution


  • The wrong BRF+ object ID of the initiator rule was copied into the Rule ID field under step 2, Maintain Rules.
  • Check the settings in the decision table.
  • Check whether the Rule Result is maintained correctly.
  • Additionally, verify that the event linkage is active for starting the workflow and for access approval (transaction SWE2).

 

Error No: 7


When submitting an Access Request, if you get the following error:


 

XYZ is not a valid User


Solution


  • This error can be caused by parameter 2051.
  • If it is set to YES, the application validates that the user ID exists on the specified source system; if the user does not exist, the application does not allow the request to continue. The validation is performed when you choose Submit or press Enter. To allow the request through, the parameter has to be set to NO.

 


Everyone is free to correct the mistakes in this document and to add more issues of this type to it.

 

Regards,

Deepak M


How to implement Enhancement for Custom defined field(s) in GRC Process Control 10.0 and 10.1.


Applies to: GRC Process Control 10.0 / Process Control 10.1.

 

Summary

This document describes how to implement an enhancement for custom defined field(s) in GRC Process Control 10.0 and 10.1.

 

Author: Amit Saini

 

Created on: April 2015

 

Prerequisite(s): Custom Defined Field(s) are already defined.

 

 

Audience

 

GRC Process Control consultants, partners.

 

 

Introduction 

 

With SAP GRC Process Control 10.0/10.1, there is added flexibility in defining customer-specific fields. You can define them as ‘Single value’ or ‘Multiple values’ for either an HR entity, for example “Organization”, or a non-HR entity, for example “Issue”. In order to control the visibility of CDF fields on the UI, for example to mark CDF fields as ‘Required’, ‘Hidden’ or ‘Read Only’, we need to implement the enhancement spot.

 

 

Implementing ‘Enhancement’ spot

 

 

Firstly, we need to define a class (transaction SE24) that implements the interface ‘IF_GRFN_API_CUSTOMFIELD_BADI’.

 

 

2.png1.png

3.png

 

 

The changing parameters CT_CUSTOMFIELD_MDATA and CT_CUSTOMFIELD_DATA are available in method AFTER_RETRIEVE and can be modified there.

 

4.png

 

 

Table CT_CUSTOMFIELD_MDATA is used to adjust the following fields:

 

  • HIDDEN can be used to hide the field on UI
  • READONLY can be used to set the field “Display only”.
  • REQUIRED can be used to make the field required.
  • VALUESET can be used to define text for dropdown.
  • FIELDLABEL can be used to adjust label of the field.

 

5.png

 

 

 

Table CT_CUSTOMFIELD_DATA is used to adjust the field "VALUE" and can be used for defaulting a value.

 

In the method BEFORE_UPDATE, we can modify the value entered by the user, or implement an input check and raise an exception if the user entry does not pass the check.

 

Secondly, we need to implement the new BAdI using the enhancement spot ‘GRFN_API_CUSTOMFIELD’.

 

This enhancement spot is called during the ‘Retrieve’ and ‘Update’ of Custom Defined fields for both HR and non-HR entities.

 

The transaction used is SE19.

 

Choose enhancement as ‘GRFN_API_CUSTOMFIELD’ and click on button ‘Create Implementation’.

 

6.png

 

 

 

Enter the name and text for the Enhancement Implementation we want to create, and do not select the option ‘Composite Enhancement Implementation’.

 

7.png

 

 

An "Enhancement Implementation" can only contain one type of "Enhancement Implementation Element". Therefore, in a project where you must implement enhancements to both an Enhancement Point and a Function Module Interface, you cannot group them in the same Enhancement Implementation. Instead, you must create two separate Enhancement Implementations and group those in a "Composite Enhancement Implementation". In our example we only need to implement a BAdI, hence we did not select the option ‘Composite Enhancement Implementation’.

 

 

 

Enter the implementation class ‘ZBADI_USER_DEFINED’ defined in the first step and continue.

 

8.png

 

 

Save and activate the ‘Enhancement Implementation’.

 

9.png

 

 

 

Now we can implement IF_GRFN_API_CUSTOMFIELD_BADI~AFTER_RETRIEVE and IF_GRFN_API_CUSTOMFIELD_BADI~BEFORE_UPDATE in the implementing class ZBADI_USER_DEFINED to control the CDF on the UI.

 

 

Let us understand this with an example. Execute program ‘GRFN_CHECK_CDF’ to see the metadata that was created.

 

10.png

 

 

I want to set the field ‘ZTEST_VALUE’, defined for ‘Issue’, as mandatory using my enhancement implementation.

11.png

 

 

So I have implemented the methods IF_GRFN_API_CUSTOMFIELD_BADI~AFTER_RETRIEVE and IF_GRFN_API_CUSTOMFIELD_BADI~BEFORE_UPDATE in class ZBADI_USER_DEFINED.

1.png

 

2.png

 

 

 

Now I perform the ‘Manual Test of Effectiveness’ task for a manual control.

 

3.png

 

 

 

And create an issue for the control.

 

 

4.png

5.png

 

 

 

Method ‘API_RETRIEVE_CUSTOMFIELD’ of class ‘CL_GRFN_UTIL_CDF’ is used to modify the CDF metadata. It in turn calls the enhancement spot ‘GRFN_API_CUSTOMFIELD’.

 

 

If method IF_GRFN_API_CUSTOMFIELD_BADI~AFTER_RETRIEVE is implemented, it modifies the CDF metadata.

 

7.png6.png

8.png

 

 

 

Once the highlighted source code is executed, the metadata is changed.

9.png

10.png

 

 

The CDF is now mandatory through the enhancement implementation.

11.png

 

 

Now the user submits data without entering the mandatory custom defined field.

 

12.png

 

 

 

A check has been implemented in IF_GRFN_API_CUSTOMFIELD_BADI~BEFORE_UPDATE of class ‘ZBADI_USER_DEFINED’ to validate the input values for the CDF. It is called via ‘API_UPDATE_CUSTOMFIELD’ of class ‘CL_GRFN_UTIL_CDF’.

 

 

 

15.png

 

16.png

 

 

 

The user is not able to submit data without entering the custom defined field(s).

17.png
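As an added illustration (not the author's code from the screenshots above), the following class sketches both methods for the ZTEST_VALUE example: AFTER_RETRIEVE marks the field as required on the UI, and BEFORE_UPDATE repeats the check on the server so that an empty value is rejected even if the UI flag is bypassed. The component that carries the CDF name in CT_CUSTOMFIELD_MDATA and CT_CUSTOMFIELD_DATA (FIELDNAME here) and the exception class raised (ZCX_CDF_INPUT_CHECK, a placeholder) are assumptions, since the page does not show the full signatures; take both from the interface definition in SE24.

```abap
CLASS zbadi_user_defined DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Interface named on the page; the method signatures come from SE24
    INTERFACES if_grfn_api_customfield_badi.
ENDCLASS.

CLASS zbadi_user_defined IMPLEMENTATION.

  METHOD if_grfn_api_customfield_badi~after_retrieve.
    " Mark the CDF ZTEST_VALUE as mandatory and visible on the UI.
    " Assumption: the metadata row identifies the CDF in component FIELDNAME.
    " HIDDEN, READONLY and REQUIRED are the metadata fields named on the page.
    LOOP AT ct_customfield_mdata ASSIGNING FIELD-SYMBOL(<ls_mdata>)
         WHERE fieldname = 'ZTEST_VALUE'.
      <ls_mdata>-required = abap_true.
      <ls_mdata>-hidden   = abap_false.
      <ls_mdata>-readonly = abap_false.
    ENDLOOP.
  ENDMETHOD.

  METHOD if_grfn_api_customfield_badi~before_update.
    " Server-side input check: the REQUIRED flag only drives the UI, so the
    " same rule is enforced here before the value is persisted.
    " Assumption: the data row identifies the CDF in component FIELDNAME and
    " carries the user entry in VALUE (VALUE is the field named on the page).
    LOOP AT ct_customfield_data ASSIGNING FIELD-SYMBOL(<ls_data>)
         WHERE fieldname = 'ZTEST_VALUE'.
      " Normalise first so that a value consisting only of blanks is rejected
      CONDENSE <ls_data>-value.
      IF <ls_data>-value IS INITIAL.
        " Placeholder exception class: use the one declared in the RAISING
        " clause of BEFORE_UPDATE so the caller (API_UPDATE_CUSTOMFIELD)
        " can report the error to the user instead of dumping.
        RAISE EXCEPTION TYPE zcx_cdf_input_check.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.
```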

 

 

 


BRF+ Agent Rule based on Location field using LOOP


Purpose

MSMP in Access Control 10.0 and 10.1 provides an extremely flexible and powerful tool for configuring workflows. In this document we will see how to create a BRF+ MSMP agent rule (not a line-item-by-line-item rule) using a real business case in the context of an access request.

 

Overview

In GRC 10/10.1, SAP provides different ways to determine the agents for a stage of an access request. This scenario determines the role owner for a role using a custom BRF+ application based on the Location field and the role name. A common situation is that the PFCG roles are the same but the approvers should differ depending on the location; to achieve this, a custom BRF+ agent rule is used.


Steps to build the BRF Rule:

Creating BRF+ Rule for determining Agent based on Location Field

You generate the BRF+ rule shell via transaction SPRO in the GRC system. Follow the steps below in your GRC system.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.

Or directly execute transaction GRFNMW_DEV_RULES.

  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)


 

Click Execute or press F8. A success message with the name and ID of the generated BRF+ rule is displayed. You can run transaction BRF+ and check the newly created BRF+ application there.


Functions Signature Update


In the BRF+ function, change the mode to “Event Mode” and activate the function as shown below.


 

  • Since the function mode has been changed to “Event Mode”, the result data object has been changed automatically and has to be reset manually.
  • In the “Signature” tab of the BRF+ function, change the result data object to GRFN_MW_T_AGENT_ID.



Create Ruleset in BRF+ Application


Create a ruleset in your BRF+ application by clicking the “Create Ruleset” button under the “ASSIGNED RULESETS” tab of the function. A ruleset is a combination of business rules that can only be assigned to a function in the BRF+ framework. Enter any name for the ruleset and click on “Create and Navigate to object” as shown below. The ruleset is created and a success message is shown as below:



Create Rule within Ruleset - Create Expression of Type “Loop”


  1. Click on “Insert Rule” button to create new rule
  2. From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
  3. Create expression of type “Loop” and provide suitable name and description

 

The loop is created as shown below. Maintain Processing Mode and Loop Mode as shown below.



Create Rules within Loop Expression

 

First Rule


Create an expression of type DECISION TABLE as shown below, and create a rule that changes the agent ID in the agent ID structure after processing each entry of the decision table.


 

 

 

 

Second Rule


The second rule assigns a value to the context as shown below. This rule is included in the loop so that the values are inserted into the Agent ID table after each line item has been processed.


 

 

 

Once the above steps are done, activate the loop. The final ruleset expression looks as below. Simulate the function and check that the returned data is correct.



Process Control 10.1 - Monitoring HANA-based Applications


Continuous Controls Monitoring (CCM) is a key feature of SAP Process Control (PC). With release 10.1, PC supports monitoring data in HANA databases. This new monitoring technique offers unique capabilities enabling customers to define more powerful and flexible ways to monitor an organization's compliance with defined controls. HANA can process large data volumes rarely possible for other database systems. Customers can also leverage analytic content developed for SAP HANA. This document explains how to use CCM with HANA, with examples of monitoring rules crafted specifically to take advantage of unique HANA capabilities.

View this Document


SAP Access Control 10.0 Interface for Identity Management


This guide provides instructions on how to integrate Access Control 10.0 with Identity Management systems. Updated to add functionality extending User Request Submission to accept Business Roles and line items.

View this Document
