A new alternative to OLSPs, Business Rule Parameters (BRPs) break the limitation of allowed fields in OLSPs and enable customers to create named parameters for use in business rules, provided the parameter data type matches the field it will be applied to. Minimum PC 10.1 SP10.
Business Rules Parameters in SAP Process Control 10.1 V1.1
Ways to create Risk in Risk Management-GRCV10.0
Dear all,
This document gives an overview of the different ways to create a risk in Risk Management.
We can create a risk in Risk Management in two different ways:
- Risks and Opportunities
- Activities
Risks and Opportunities
Click on Risks and Opportunities to create a risk.
Refer to my previous blog on how to create a risk: Creation of Risk in Risk Management GRC V10.0
Click on Activities to create a risk from the third tab, Risks and Opportunities.
Click on Create
To create an Activity, we need to maintain Activity Categories.
Activity Categories are configured in Master Data.
Click on Activity Hierarchy
Click on Create and Provide Details
We need to set Allow Activity Assignment to YES, otherwise the category cannot be used in an Activity.
Go to Tabs Risk Classification and Opportunity Classification
Risk Classification and Opportunity Classification are configured as follows:
Risk classification will be part of Risk Category
Opportunity classification will be part of Opportunity Catalog
Note: Make sure Allow Assignment is set to “YES”; the time frames are also important.
Now go to Risk Classification and click on Assign to add
Now go to Opportunity Classification and click on Assign to add
Now click on SAVE. The created activity category will be available in the Activity hierarchy.
Now we can use the created activity category in an Activity.
Provide a Name, select the Organization Unit from the F4 list and select the Activity Category from the F4 list (the one created above).
Now go to Roles Tab to assign the owners
Role assignment can be maintained in SPRO.
Now select the role and assign the user
Now go to Risks and opportunities,
Refer my previous blog on how to create risk Creation of Risk in Risk Management GRC V10.0
Regards
Baithi
HR Trigger: User ID stored in a customized infotype
How to generate an HR trigger request when the SAP ID is stored in a customized infotype.
Issues Cause and Resolution of Issues in ARA and EAM V1.0
Table of Contents
- General Information & Use
- Issue 1: ARA Role Risk Analysis: Connection time out: 500 connection time out.
- Issue 2: EAM: Firefighter doesn’t start for firefighter.
- Issue 3: EAM: Firefighter Login status indicator not changed.
- Issue 4: EAM: Firefighter email notification not generated by firefighter user.
1. General Information & Use:
This document will be useful for fixing some common issues during GRC AC 10.1 configuration.
Below is the system version information.
GRC SYSTEM: 10.1
2. Issue 1: ARA Role Risk Analysis: Connection time out: 500 connection time out.
While running the Risk Analysis for users and roles, the time-out below occurs in a foreground run.
Error screen: see the attachment for Issue 1.
Resolution: Set the parameter below with Time out: 30 and Proctimeout: 600 to give the Risk Analysis the maximum processing time in the foreground.
Parameter: icm/server_port_0 = PROT=HTTP,PORT=1080,TIMEOUT=30,PROCTIMEOUT=600
3. Issue 2: EAM: Firefighter doesn’t start for firefighter.
Environment: GRC 10.1, Setup: Decentralized EAM
Issue: The firefighter assignment of the firefighter ID is visible on the dashboard under transaction /GRCPI/GRIA_EAM, but when the firefighter is executed, the system does not start a new window session for the executed firefighter ID.
Cause: This problem is caused by a lack of authorizations in the firefighter ID role in the decentralized firefighter system.
Resolution: This problem was resolved by assigning S_USER_GRP with activity 05 to the firefighter ID role in the plug-in system.
Note: Don’t give activity 02 first. First try with activities 03 and 05, and if that doesn’t resolve it, then give activity 02.
4. Issue 3: EAM: Firefighter Login status indicator not changed
Issue: After logging in to the firefighter ID, the status indicator of the firefighter is not changed to red.
Cause: This issue was because of a missing authorization in the firefighter user roles.
Resolution: After investigation and trace, below are the missing authorizations required by the firefighter user.
Note: this is for the firefighter user, not for the firefighter ID.
S_USER_GRP: Activity 03 and 05.
S_GUI : Activity 02,60 and 61
S_ALV_LAYO : Activity 23
S_DOKU_AUTH : MAINTAIN
Note: For more missing authorizations, trace the user after assigning the admin role, check all the t-codes that were checked, and compare with the existing role.
In my case it’s working fine.
5. Issue 4: EAM: Firefighter email notification not generated by firefighter user.
Issue: After executing the firefighter, the email notification for the controller is not generated by the firefighter.
Resolution: Assign the object below to the firefighter user.
S_OC_ROLE = ADMINISTRATOR
Your thoughts and comments to improve this guide will be helpful.
The main motive for starting this document is to cover all the issues with their relevant solutions in one place; more will be covered in my next version.
Hope this document helps you in configuration and resolution.
Thanks!
Cheers.
Pawan Sharma
Process Control 10.1: Scheduling Monitoring Jobs
Continuous Controls Monitoring (CCM) is an essential feature of SAP Process Control, and a key differentiator in the market. Customers who use CCM can schedule most monitoring rules using the Scheduler. Many customers have requested a clear explanation of the various features of the CCM scheduler, including its interaction with dynamic date binding, Business Rule Parameters (BRPs), and Organization-level System Parameters (OLSPs). This document presents an overview of the Scheduler, with links and references to other available documents for further details.
Upload Tariff Code number from Xml. file, file name sequence rectification.
Hi,
How to correct a skipped sequence in the file name in the GTS application area (Search Upload Logs), after uploading tariff codes in Upload Tariff Code Numbers from XML File.
Ex: 29 and 30 are the file name sequence numbers which are missed, and the last uploaded file extension name is 31.
So how to make the file name sequence correct as 29, 30, 31?
Currently the sequence in the system is 27, 28, 31 (file names).
I don't see an option to delete and re-upload.
Thanks & Regards,
Shilpa
Hello ,
1) Are the XML files placed properly in the share location in sequence?
2) Do the files get placed in the share location automatically from your client's data provider, or does one of your GTS consultants place them manually from the customeinfo website?
3) Are the XML files country-specific or language-specific in the share location?
Thanks and Best Regards,
Vamsi Krishna. Mullapudi.
Shilpa,
Even though it is not a suggested approach, just uncheck the "nomenclature check active" check box.
Once you do that you should be able to do it, but be cautious about how you do your uploads in production. Thanks.
Regards
Raj
Hi Rajesh,
I tried unchecking the "nomenclature check active" check box. It did upload, but it did not upload in sequence,
so 29 comes after 30 in this case.
Thanks,
Shilpa
Option 2: one of your GTS consultants places them manually from the customeinfo website.
Yes Shilpa, you need to start from where you missed the sequence.
Regards
Raj
Hi Shilpa,
Is there a solution for your question? Can you upload further files in the correct sequence?
Thanks
Vamsi
Vamsi,
Yes, uncheck the Nomenclature check active and start uploading the files from where you see they went wrong. Thanks.
Regards
Raj
Hi Vamsi,
Unchecking Nomenclature check active works.
Regards,
Shilpa
This document was generated from the following discussion: Upload Tariff Code number from Xml. file, file name sequence rectification.
AC10.0/10.1 Access Request Workflow: Create BRF+ rule to route single roles based on their risk level
Short description
A recent business scenario required designing an Access Request Workflow which determines whether the requested roles are assigned to any access risk ID with a high risk level, and routes only the roles that meet this condition to an additional path with further approval steps.
Checking the SCN, I found the article AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls from Amanjit Singh Bindra, which provides the basic information on how to create a rule to route an access request.
As my own scenario required routing not the whole request but the single roles associated with high-level risk IDs, the rule needed to be adjusted accordingly.
Please find below an illustrated step-by-step tutorial to recreate the rule on your own.
Let me know if any explanation in this tutorial is unclear or missing.
Step-by-Step description
1. Create Rule ID / Application
Generate the BRF+ application by calling transaction GRFNMW_DEV_RULES.
Here fill in the basic information:
MSMP Process ID
This routing rule is intended for the Access Request Workflow (SAP_GRAC_ACCESS_REQUEST).
Rule Kind
Routing rule (no explanation required)
Rule ID / Application Name
Fill in a reasonable name for the rule/application. Using the same name for both fields has proven to work.
Rule Type
Select the BRFplus Flat Rule, since routing has to be realized at item level (role level).
Generation Options
Tick Generate Rule and Result. Also select any entry from the Header or Item to get the decision table created automatically.
After the rule has been created successfully, you may copy the application ID for the next step.
2. Open application
Open the BRF+ Workbench by calling either transaction BRF+ or BRFPLUS in SAP GUI.
Here select Workbench > Open Object and enter the copied ID from the previous step in the search field for Object ID.
3. Create table object to store risk analysis result
Before we create the procedure call to run the analysis, we have to create the associated table to hold the result data.
To do so, right-click the Application and select Create/Data Object/Table ...
The table created has to be of Binding Type DDIC Table and DDIC Type Name GRAC_T_WS_RA_OP_RISK_ANLYS_ID.
No further customization of the table is required.
Activate the data object.
4. Customize Function and assign new Ruleset
Change the Mode to “Event Mode” and save.
Also check whether the result data object is GRFN_MW_S_ROUTING.
Afterwards switch to the Assigned Rulesets tab and create a new Ruleset.
Note: The following screen may appear at this and further stages. Always click the Yes button to save the current state of the object on the left. Otherwise all changes from the current step have to be repeated.
5. Add first Rule to Ruleset
Go to the newly created ruleset and insert a new rule. In the edit window we want to run a new expression without any conditions. Thus we click on the Add button next to “Then” and select Process Expression/Create.
Select Procedure Call and define the previously created result table (Risk Analysis Result) as Result Data Object.
Within the procedure call select Function Module as Call Type and enter the following name for the module: GRAC_IDM_RISK_WITH_NO_SERVICES
Note: This module requires a request number as parameter and provides all associated violation data such as risk IDs, risk level, roles, etc. To get a better understanding of this function, execute it in transaction SE37 by selecting Function Module/Execute/In the test environment.
Add the parameters REQUEST_NO and RISK_ANALYSIS_WITH_NO_RESULT to the procedure call.
Click on both parameters and assign the corresponding values:
- “Req No” from the request header in the context → REQUEST_NO
- Table “Risk analysis result” → RISK_ANALYSIS_WITH_NO_RESULT
Activate the expression and go back to the ruleset.
6. Add second rule to ruleset
Now we check whether the role from the line item (the role from the access request sent to the routing rule) is associated with a high-level risk ID.
To do this, a second rule has to be created in the same manner as the first one. This rule contains one loop which goes through the risk analysis table to determine entries with high-level risks (risk IDs), and a second loop going through the table data object “ROLE” contained in the risk analysis table. Then, for every entry role, an expression of type Table Operation checks whether the current entry matches the role name of the line item from the context.
The following picture demonstrates the procedure:
7. Create outer loop
Insert the basic information.
The following screenshot shows the required configuration for the first loop. As this outer loop just passes on the result from the inner loop, Return Value has to be selected for Processing Mode and BOOLEAN (Default Objects) for Result Data Object. We also need the loop to perform another expression for each entry, thus we select “For Each Entry in…”. Also configure the loop to select only rows with risk level High.
Finally we need to enable the loop to stop once a high-risk role has been found within the table, by adding an Exit Condition.
8. Create inner loop
Here we define the inner loop, which goes through the ROLE_LIST table of the high-level risk ID containing the associated roles.
Just like in the first loop, we want to return a True/False value when looping through the ROLE_LIST table of the risk analysis table entry. Thus we select Return Value as Processing Mode and BOOLEAN (Default Objects) as Result Data Object. We can also already filter the ROLE_LIST for entries which match the role name from the current context line item.
Now we need to create a rule to initialize the Boolean to be returned.
Within the rule, create a new expression which will be defined in the next step.
9. Create table operation
The customized table operation simply checks whether the filtered table of the outer loop contains any rows, which determines that the current role (line item context) is assigned to the current risk ID, and returns TRUE in this case.
Activate the expression and go back to the inner loop via the Back button.
Now select “Assign Value to Context” for the “Then” clause and define the Boolean variable to be set to true if the table expression returns true.
After finishing the table operation, go back to the inner loop and configure the Boolean to be changed to true if the table operation is successful.
10. Create third rule in ruleset
Create the third rule in the ruleset, which is responsible for the routing according to the finding of the second rule.
Here we can use the automatically created decision table.
11. Add Condition Column to Decision Table
After adding the new rule, go to the decision table and make sure you are in edit mode.
Select the Table Settings button.
Replace any existing condition columns with the outer loop LOOP_RISK_ANALYSIS_RESULT, which returns the result of the role search.
12. Add Business Logic to the Decision Table
Based on the result of the “Table Operation”, which checks whether any “High” risk violations exist in the request or not, the path of the request is decided.
Save and activate the decision table.
13. Add variables to ruleset
Finally, check whether both variables RISK_ANALYSIS_RESULT and BOOLEAN are added to the ruleset.
Also check whether the order of the rules is correct and all elements/objects are activated.
14. Finished
Now you should be able to register this rule in the MSMP configuration and use it as a routing rule.
To do this you need to refer to the function ID, which can be found in the General tab of the BRF+ function.
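To make the decision logic of steps 5 to 12 easier to follow, here is an added Python model of what the rule computes. It is not BRF+ or SAP GRC code: the risk-analysis rows are constructed sample data standing in for the output of GRAC_IDM_RISK_WITH_NO_SERVICES, and the path names in the decision table are hypothetical.

```python
"""Added example: a Python model of the routing decision the BRF+ rule above
encodes. Not BRF+ or SAP GRC code; the risk-analysis rows are constructed
sample data shaped after the fields the rule reads, and path names are
hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RiskAnalysisRow:
    """One row of the risk analysis result (only the fields the rule reads)."""
    risk_id: str
    risk_level: str                                       # "HIGH", "MEDIUM" or "LOW"
    role_list: List[str] = field(default_factory=list)    # the ROLE_LIST table


# Decision table (step 12): condition column = outer-loop result,
# result column = the path the line item is routed to (names hypothetical).
DECISION_TABLE: Dict[bool, str] = {
    True: "PATH_HIGH_RISK_APPROVAL",
    False: "PATH_STANDARD",
}


def inner_loop(row: RiskAnalysisRow, line_item_role: str) -> bool:
    """Steps 8-9: filter ROLE_LIST on the context role name; the table
    operation returns TRUE if the filtered table contains any row."""
    filtered = [r for r in row.role_list if r == line_item_role]
    return len(filtered) > 0


def outer_loop(result_rows: List[RiskAnalysisRow], line_item_role: str) -> bool:
    """Step 7: for each row with risk level HIGH run the inner loop; the
    exit condition stops at the first high-risk row that lists the role."""
    for row in result_rows:
        if row.risk_level != "HIGH":          # row filter on risk level
            continue
        if inner_loop(row, line_item_role):
            return True                       # exit condition
    return False


def route_line_item(result_rows: List[RiskAnalysisRow], line_item_role: str) -> str:
    """Step 12: the decision table maps the Boolean to a path."""
    return DECISION_TABLE[outer_loop(result_rows, line_item_role)]


def route_request(result_rows: List[RiskAnalysisRow],
                  requested_roles: List[str]) -> Dict[str, str]:
    """Flat rule: every line item (role) of the request is routed on its own,
    so only the high-risk roles leave the standard path."""
    return {role: route_line_item(result_rows, role) for role in requested_roles}


# Constructed sample result for one request (not real GRC output).
SAMPLE_RESULT = [
    RiskAnalysisRow("RISK_A", "HIGH", ["Z_FI_PAYMENT", "Z_FI_VENDOR_MAINT"]),
    RiskAnalysisRow("RISK_B", "MEDIUM", ["Z_MM_PURCHASE_ORDER"]),
    RiskAnalysisRow("RISK_C", "HIGH", ["Z_FI_PAYMENT", "Z_SD_BILLING"]),
]
SAMPLE_REQUEST_ROLES = ["Z_FI_PAYMENT", "Z_MM_PURCHASE_ORDER", "Z_HR_DISPLAY"]

if __name__ == "__main__":
    for role, path in route_request(SAMPLE_RESULT, SAMPLE_REQUEST_ROLES).items():
        print(f"{role:<22} -> {path}")
```

With the sample data, Z_FI_PAYMENT is the only requested role that appears in a HIGH row, so it is the only line item routed to the additional approval path; Z_MM_PURCHASE_ORDER is listed only under a MEDIUM risk and stays on the standard path.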
EUP - Common Issues and Solutions, Important tables and takeaways
Hello All,
I am presenting a consolidated document of common issues and solutions collected from the forum, as well as a few faced by me, related to EUP, along with information on a few important tables and takeaways on EUP.
Anyone is free to make changes and update new issues here.
- The End user Personalization helps the administrators to set the parameters that define the behaviour of the fields and the pushbuttons on the Access Request screen.
- The default EUP Id is 999.
- The Pre-requisite is activating the BC Set
- EUP helps to:
- Specify the number of visible rows
- Set Fields to visible or hidden
- Set fields as mandatory
- Define Default values for the fields
Despite defining the Approve/Reject Own Request field as NO, defining the field as not editable and not visible, and maintaining the EUP ID under task settings in MSMP, the user is still able to approve his own request.
Implement SAP Note 2088522.
EUP is set to not editable for the Manager field. Even then, the Manager field in Multi-User Requests shows as editable.
In a Single User Request, you can add any user who is a valid GRC user. It will create a request and you have full options to make any user a manager.
Self & Others requests work with EUP, whereas EUP is not supported for Multi-User Requests.
Is there any way to customize EUP ID 999? If a Functional area field is selected, then Manager Field should become mandatory.
There is no provision for doing any customization in EUP 999. Only fields can be made visible/invisible, mandatory/optional and editable/non-editable.
The user is able to submit a second (duplicate) request while the previous request is still being created. In a scenario where an access request takes a long time to complete the risk analysis on submission, the user is able to submit a second (duplicate) request for the same user.
To prevent the creation of a duplicate request, set the parameters below:
Configuration parameter 1071 = Yes
EUP parameter One User per Request per System = Yes (under the Mandatory column)
Why is there no Sub-Process field available in the EUP configuration section?
The sub-process field is not supported in the EUP settings.
In Maintain EUP Fields, for a few fields the user cannot change the "Mandatory" setting. For example, Mandatory and Visible are disabled for editing for Last Name.
This behavior is by design for some fields, as they are the minimum information required to be given in an access request.
How do you troubleshoot if the ?
Find the solution in the following SAP Notes: 2111894, 1884227
When creating a new EUP, clicking on 'Maintain EUP fields' does not populate any data, and in the Edit menu the 'New entries' option is grayed out.
Activate the BC set "GRAC_ACCESS_REQUEST_EUP" from SCPR20.
ARM data not getting populated from EUP
EUP default values are considered only when it is a new user or the value for the existing user is not maintained, i.e. the field value is blank.
If any value is maintained in the connector from which the user details have to be fetched, then the value and format will come from the backend system.
- The Default EUP id is 999.
- EUP Default values are considered only if the field values are blank.
- The sub-process field is not supported under business process in the EUP settings.
- There is no provision of doing any condition based customization in EUP ID 999.
- In GRC 10.0 application, only EUP configuration for SELF and OTHER user request types is supported. On MULTIPLE user request types, EUP configuration is not supported. This functionality is available in GRC AC 10.1 release.
- For a few fields the user cannot change the "Mandatory" setting; this is by design, as those fields are the minimum information required to be given in an access request.
Hope this document will be useful. Feel Free to make any corrections or updates.
Regards,
Deepak M
Connecting SAP GRC AC 10.X to Microsoft Active Directory
This document contains a common example of how to connect SAP GRC Access Control to Microsoft Active Directory. SAP note 1584110 and the GRC SCN wiki provide instructions on how to configure the LDAP connector in Access Control 10.X releases. The LDAP connector can be used as a user data source in GRC and also for provisioning to AD. Let's explain group field and parameter mapping when there is Active Directory behind the LDAP connector.
A key success factor is to be familiar with the 'Find' operation in the LDAP transaction and to know the search filter syntax, the LDAP attributes and the Active Directory schema. Your own customizing can be created following the guidelines below.
Leaving the requested attributes blank will retrieve all attributes of the filtered objects. The base entry should be the distinguished name of the root node of the directory tree. If there is no result in the LDAP transaction, the data cannot be fetched by GRC either. Check the LDAPRC error codes in SAP note 511141.
Starting with group parameter mapping: it determines the corresponding objectclass for users and roles in the LDAP directory, as well as the member attribute of the groups. In Active Directory, a group is the counterpart of a role in GRC and is maintained as 'Roles:OC'. To search for users only in the access request, map 'User:OC' to 'user' in group parameter mapping and assign a custom objectclass attribute to the LDAP connector, with attribute name 'OBJECTCLASS1' and attribute value '(OBJECTCATEGORY=PERSON)'. See also KBA note 2312009.
In group field mapping, the AC field names are the standard ones, including custom fields. Here you can assign the suitable LDAP attributes to fit any environment. Most of these AC field names correspond to fields of the user details tab in the access request, which can also be customized in EUP. See the following screenshot:
Based on the User Object User Interface Mapping of Microsoft Active Directory, the following example is an ordinary group field mapping to be maintained in SAP GRC Access Control 10.X. Make sure the field mapping is in upper case!
| AC Field Name | System Field Name |
|---|---|
| BUILDING | PHYSICALDELIVERYOFFICENAME |
| COMPANY | COMPANY |
| DEPARTMENT | DEPARTMENT |
| DESCRIPTION | DESCRIPTION |
| FIRSTNAME | GIVENNAME |
| FUNCTION | TITLE |
| LASTNAME | SN |
| LOCATION | L |
| MANAGERID | MANAGER |
| MEMBER_OF | MEMBEROF |
| ROLE_NAME | CN |
| TELEPHONE | TELEPHONENUMBER |
| USERID | SAMACCOUNTNAME |
| VALIDTO | ACCOUNTEXPIRES |
The AC field 'ROLE_NAME' has to be mapped to the attribute that represents the name of the AD groups. It can be mapped either to 'CN', meaning common name, or to 'NAME', meaning relative distinguished name in Active Directory. The mapping of 'DESCRIPTION' stands for the role description in the backend system, which is displayed in the access request and in existing assignments. With the objectclass maintained in Roles:OC, these attributes will be used by the role repository sync to retrieve roles (AD groups) from LDAP. 'MEMBER_OF' is mapped to 'MEMBEROF'; this attribute is needed to fetch user-role relationships during the repository object sync.
The AC field 'VALIDTO' can be mapped to the 'ACCOUNTEXPIRES' attribute, so that the expiry date of the account will be considered in the access request when adding systems, when the LDAP connector is set as the user detail data source. To get this working correctly, SAP note 2275679 needs to be implemented in the GRC system.
When in Active Directory the users and/or groups reside in a particular organizational unit, the 'USER PATH' and/or 'GROUP PATH' attribute can be assigned to the LDAP connector. This also improves performance, as in this case the whole domain will not be searched. The attribute value is the distinguished name of the OU; if it is longer than 30 characters, refer to KBA note 1995382.
Before starting to provision groups in Active Directory with SAP GRC, it is recommended to test the 'Modify' operation in the LDAP transaction. When both 'Add' and 'Delete' can be carried out successfully, GRC Access Control will be able to provision AD groups.
After a successful full repository object sync, Active Directory groups can be imported into GRC either as roles or as groups, depending on whether they need to be subject to risk analysis. When imported as roles, non-PFCG authorizations can also be imported. See the example for setting the role or group type in RoleAttributesTemplate.txt:
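As an added example (not SAP's code), the following Python script applies the group field mapping from the table above to an Active Directory entry, converts ACCOUNTEXPIRES to a date, and builds the scoped user lookup: a search base narrowed to the USER PATH OU plus a filter restricted to person objects, with the user ID escaped so it cannot alter the filter structure. The AD entry, the OU path, the domain root and the user ID are constructed sample values.

```python
"""Added example (not SAP's code): apply the group field mapping above to an
Active Directory entry and build a scoped, escaped lookup for one user.
The AD entry, the OU path, the domain root and the user ID are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# The mapping from the table above (AC field -> AD attribute, upper case).
GROUP_FIELD_MAPPING = {
    "BUILDING": "PHYSICALDELIVERYOFFICENAME",
    "COMPANY": "COMPANY",
    "DEPARTMENT": "DEPARTMENT",
    "DESCRIPTION": "DESCRIPTION",
    "FIRSTNAME": "GIVENNAME",
    "FUNCTION": "TITLE",
    "LASTNAME": "SN",
    "LOCATION": "L",
    "MANAGERID": "MANAGER",
    "MEMBER_OF": "MEMBEROF",
    "ROLE_NAME": "CN",
    "TELEPHONE": "TELEPHONENUMBER",
    "USERID": "SAMACCOUNTNAME",
    "VALIDTO": "ACCOUNTEXPIRES",
}

# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC;
# 0 and the maximum signed 64-bit value both mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_utc(value: int) -> Optional[datetime]:
    """Convert an accountExpires value to a UTC datetime (None = never)."""
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a search filter, so the
    user-supplied user ID cannot change the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_lookup(userid: str, user_path: str, domain_root: str) -> Tuple[str, str]:
    """Return (search base, filter): the base is scoped to the USER PATH OU
    below the domain root, the filter to person objects, as OBJECTCLASS1
    above does, plus the escaped user ID in SAMACCOUNTNAME."""
    base = f"{user_path},{domain_root}"
    flt = f"(&(OBJECTCATEGORY=PERSON)(SAMACCOUNTNAME={escape_filter_value(userid)}))"
    return base, flt


def map_entry(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Map one AD entry (attribute -> values) onto the AC field names.
    AD attribute names are case-insensitive, so compare in upper case."""
    by_upper = {k.upper(): v for k, v in entry.items()}
    mapped: Dict[str, object] = {}
    for ac_field, ad_attr in GROUP_FIELD_MAPPING.items():
        values = by_upper.get(ad_attr)
        if not values:
            continue                       # attribute absent: AC field left empty
        if ac_field == "VALIDTO":
            mapped[ac_field] = filetime_to_utc(int(values[0]))
        elif ac_field == "MEMBER_OF":
            mapped[ac_field] = list(values)   # multi-valued: the group DNs
        else:
            mapped[ac_field] = values[0]
    return mapped


# Constructed sample entry, shaped like what the LDAP transaction's 'Find' returns.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "department": ["Finance"],
    "memberOf": ["CN=GRP_FI_PAY,OU=SHAREDGROUPS,DC=EXAMPLE,DC=COM"],
    "accountExpires": ["132223104000000000"],   # 2020-01-01 00:00 UTC
}

if __name__ == "__main__":
    print(user_lookup("jdoe", "OU=USERS,OU=SPB", "DC=EXAMPLE,DC=COM"))
    print(map_entry(SAMPLE_ENTRY))
```

The escaping matters wherever the user ID in the filter comes from a request rather than from customizing: unescaped `*`, `(` or `)` would turn a lookup for one account into a broader match.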
Finally check the imported roles and groups in 'Role Maintenance'. These can be added in access request if the role status is set to production and provisioning is allowed.
Hope this document and the linked resources could bring SAP GRC AC and MS Active Directory closer to each other.
Best Regards,
Zoltan Galik
GRC 10.x and LDAP management
I wanted a helpful how-to guide when I started to work on GRC integration with LDAP (Windows AD). Unfortunately, for a person with poor or no knowledge of the LDAP mechanism, the SAP documents are not helpful, especially in case of specific customer needs. This document describes how we coped with the task of LDAP integration.
The purpose of this document is to give one more example and clarify some points of other documents.
Special thanks to Neeraj Manocha, who helped me resolve the group assignment issue.
Part I. Connect GRC and LDAP
In all documents, the very first thing you have to do is create the connection.
Creating the LDAP connection is a Basis task, well described here.
Go to SM59 and make the following settings
Create TCP/IP Connection (T type)
Make the following settings in tcode LDAP
To catch any problems with LDAP in the first steps, it's recommended to keep the trace level switched on. In the example above it's set to 2.
Then you should maintain the user with which you will manage LDAP.
See further below how we will use this user. Note that this user has to have all authorizations for managing users and groups.
Create server where LDAP is located.
In this example the base entry is set to the root node, and it should be defined in this manner:
DC=3rd level domain,DC=2nd level domain,DC=1st level domain. Note that you should use no spaces between values. For example: DC=WDF,DC=SAP,DC=COM.
If you have several connectors you can set one as a default.
The next step is defining mapping fields for managing in LDAP-GRC and GRC-LDAP directions.
Mapping subnode
At first you can use the proposal mapping (click the appropriate button to do this).
In my example all SAP user IDs are kept in the 'pager' field, so I select it as the attribute for mapping and filtering. So it's not obligatory to use the proposal field 'sapUsername' if you don't have it in AD.
In sum, in subnode 'Mapping' we have determined the first five fields that will be used for mapping.
Synchronization subnode
As you can see in the picture above, we ticked two values (pager and mail) for Import (the last two columns). This setting specifies that the ticked attributes are to be imported into GRC tables. Note that no export values are ticked here, because in this example GRC should not write any data to AD; however, you can tick any field for export according to your needs.
In sum, we have chosen the fields that will be synchronized from AD to GRC (LDAP-GRC direction).
Now everything looks prepared for the first test; click on the 'Logon' button in tcode LDAP.
Now we can use some LDAP functions, for instance searching. Click on the 'Find' button, define your filter command and click 'Execute'.
Here we get the list of attributes of the user whose pager field is equal to 101DIT00037.
If you get any problem during connection or during execution of an LDAP command, please look at the trace file. It's located in the 'work' directory and named 'dev_<your_LDAP_connector_name>.trc'.
Part II. GRC customizing
If you were successful with the previous customizing part, go to the next step.
Make the customizing in the 'Maintain Connection Settings' node of SPRO.
Set the previously maintained connector for both the PROV and AUTH scenarios.
Ensure that class CL_GRAC_AD_ACCESS_MGMT_LDAP is determined for the LDAP connection type.
Ensure that class CL_GRAC_AD_AUTH_MGMT_LDAP is determined for the LDAP connection type.
After this go to SPRO and find 'Maintain Connectors and Connection Types'
Make the following settings
In sum, we have created a logical group that will unite all our LDAP connectors.
Again go to SPRO and start 'Maintain Connector Settings'
Determine the role of the connector
Select the entry and click on the subnode of the dialog structure 'Assign attributes to the connector'
As in Part I, don't use spaces between values. In the example above I used the variables 'User path1' and 'User path', since the length of the value field is limited.
So, if you have a very long path for group/user search, you can divide it using these variables. Let's say you have the domain myldaporganization.ruscompany.com and you need to manage users in OU=SPB, OU=USERS and groups in OU=SPB, OU=SHAREDGROUPS for this connector.
Your setting will look like: USER PATH1 - DC=MYLDAPORGANIZATION,DC=RUSCOMPANY,DC=COM ; USER PATH - OU=USERS,OU=SP
Note that values are in upper case.
'Maintain Mapping for Actions and Connector Groups'
Here action 3 is provisioning and 4 is authorizations.
For provisioning we will use these fields.
On the left-hand side are the GRC fields, on the right-hand side the AD fields (letters in upper case).
These settings are provided in the guide 'AC10_LDAP_Config_Guide'; unfortunately, the guide doesn't say why we use them. On SCN you can find many examples of using other parameters, but not their purpose. It's understood that OC should mean Object Class, but then it's not clear why GROUPMEMBER is written without this suffix.
In order to use LDAP as user data source make the following setting
SPRO - 'Maintain Data Sources Configuration'
Don't be confused that the LDAP connector has SU01 in the last column; this was found in an SCN thread when I was searching for a solution for the user data source.
In this example, system PRD420 is used as the CUA central system. So when you search, GRC first goes to LDAP; if the information is not found, the search is carried out in the CUA central system.
Similar settings may be done for the other nodes.
SPRO - 'Maintain Provisioning Settings'
You can use the global setting for the LDAP connector or a specific one.
SPRO - 'Maintain Configuration Settings'
For further group management make settings in SPRO - 'Maintain Project and Product Release Name'
Part III will describe how to use what we customized.
Best regards,
Artem Ivashkin
GRC 10.x and LDAP management 2.
This document continues the previously created one.
Here we try to use the settings that were made for LDAP user and group management.
Part III. Using the settings
User synchronization
Just to remind you, we use our LDAP field 'pager' as the field for keeping the SAP user ID.
Before we start, you can check table GRACUSER for any records for the connector. Normally, just before the very first synchronization it should not contain any records for the selected LDAP connector.
In the picture you can see that the table already contains 900 entries; that happened because we ran a full synchronization after customizing.
Start tcode GRAC_USER_SYNC and select your LDAP connector. For the very first time select 'Full Synch mode', but execute it successfully just once. As I found, full synch mode works in the following manner: it clears the table for the selected connector and fills it from scratch again. So we used full synchronization just once and then used only incremental synchronization on a regular basis.
After synchronization in dialog mode you get a log:
The number of entries in the table has changed.
The incremental mode works in the following manner: it selects users who were changed since the last synchronization. So, if you start it very often the table may not be updated with new entries.
LDAP trace log contains the selected period:
ldap_paged_search_sU(base="your_domain_base", filter="(&(ObjectClass=person)(whenChanged>=20160311132424.0Z)(whenChanged<=2016042814
0244.0Z))", scope=2, pagesize=200)
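As an added example (not code from the original document or from SAP), the window logic behind that trace can be reproduced offline: the filter is rebuilt from a last-sync timestamp and applied to a few constructed directory entries. The 1970 start for a full run and the last-run start for an incremental run are assumptions about the job's behaviour, and select_changed is only a stand-in for the real paged search inside GRAC_USER_SYNC.

```python
"""Full vs. incremental user synchronization windows, modelled on the
whenChanged filter seen in the LDAP trace.

Added example, not SAP code.  Assumptions: a full run starts at 1970,
an incremental run starts at the previous run's timestamp, and the
'pager' attribute carries the SAP user ID as in the document.
"""
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
LDAP_TIME = "%Y%m%d%H%M%S.0Z"   # GeneralizedTime as written in the trace


def ldap_time(dt):
    """Format a datetime as LDAP GeneralizedTime, e.g. 20160311132424.0Z."""
    return dt.astimezone(timezone.utc).strftime(LDAP_TIME)


def parse_ldap_time(text):
    """Inverse of ldap_time(); returns an aware UTC datetime."""
    return datetime.strptime(text, LDAP_TIME).replace(tzinfo=timezone.utc)


def build_filter(last_sync, now, object_class="person"):
    """Build the whenChanged window filter.

    last_sync=None means a full synchronization (window starts at 1970);
    otherwise the window starts at the previous run, so entries changed
    before it are not selected again.
    """
    start = EPOCH if last_sync is None else last_sync
    return "(&(ObjectClass=%s)(whenChanged>=%s)(whenChanged<=%s))" % (
        object_class, ldap_time(start), ldap_time(now))


def select_changed(entries, last_sync, now):
    """Apply the same window to in-memory entries (offline stand-in for
    ldap_paged_search with scope=2). Returns the SAP user IDs selected."""
    start = EPOCH if last_sync is None else last_sync
    return [e["pager"] for e in entries
            if e["objectClass"] == "person"
            and start <= parse_ldap_time(e["whenChanged"]) <= now]


# Constructed sample directory entries (not real data).
SAMPLE = [
    {"objectClass": "person", "pager": "ALICE", "whenChanged": "20160301090000.0Z"},
    {"objectClass": "person", "pager": "BOB",   "whenChanged": "20160320120000.0Z"},
    {"objectClass": "group",  "pager": "",      "whenChanged": "20160325120000.0Z"},
    {"objectClass": "person", "pager": "CAROL", "whenChanged": "20160428140000.0Z"},
]

if __name__ == "__main__":
    last = parse_ldap_time("20160311132424.0Z")
    now = parse_ldap_time("20160428140244.0Z")
    print(build_filter(last, now))
    print("full:", select_changed(SAMPLE, None, now))
    print("incremental:", select_changed(SAMPLE, last, now))
```

Running it shows why the first run has to be a full one: ALICE, changed before the incremental window opens, would never be picked up by an incremental run alone.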
Role synchronization
AD groups can be uploaded into the BRM part of GRC 10.x with files only.
The file for uploading looks like this (see attached file).
Then perform the role import.
Choose the file location.
Then perform the role synchronization using transaction GRAC_ROLE_SYNC.
After this the system knows that the role exists in AD.
Using the AD management tools, check that the group assignment functionality works.
As you can see, there are no users assigned to the group.
Create a request in AC for the group assignment.
Check the group in AD again.
The group now has the user among its members.
The only thing that may confuse you is the information in the SLG1 log:
'Group assigned to Group'. In fact, you can ignore this message if the required function works.
It seems like a bug, but at the time of writing no notes had been released for this topic.
Regards,
Artem Ivashkin
30 Tips on the fly for busy GRC AC 10.x Consultants
1. In standard GRC Access Control, workflows are not generated for blank Firefighter sessions. So, if the system fails to recover the session details, the workflows are not created either. In order to generate workflows for sessions with no details, maintain configuration parameter ID 4020.
2. The "Controller is Mandatory" scenario is designed only for the GRC 10.1 release, not for 10.0. This feature prevents a FF ID assignment without a controller. SAP Note 2039879 is available only for GRC 10.1 and cannot be down-ported to GRC 10.0.
3. For centralized EAM configuration, the ECC plug-in can only connect to one GRC system at a time.
4. The Reject option is not available in the EAM audit log review workflow. As the actions performed by the firefighter cannot be reverted, the logs are always available for audit. The audit log workflow can be sent back to the firefighter if the controller wants extra information regarding the firefighter's actions, but in the end the audit of the session should be completed by clicking the Submit button.
5. The transaction description is not available in the consolidated report due to performance issues. In 10.0 there are multiple systems, and logs come from multiple systems on different Basis releases; to show the transaction description, RFC calls would have to be made to each system. Fetching the description from each system was found to degrade the performance of the log report, hence by design the transaction description is not supported in EAM reports.
6. Critical action and critical permission type risks are not included in the ad-hoc analysis when the Invalid Mitigating Controls report is run. This means that ALL mitigations assigned to critical action or critical permission risks will show up as invalid, which is not accurate.
7. GRC ruleset transport will not transport deleted values from DEV to PRD. This is by design: transactions deleted in the source system are removed from the GRC tables, hence they are not part of the transport.
8. For reports at permission level to work, the authorization values must be typed correctly (e.g. 01 instead of 1).
9. Access Control does not need a Source Connector; only Process Control needs one, in SPRO-> Governance, Risk and Compliance -> Common Component Settings-> Integration Framework -> Maintain Connectors and Connection Types.
10. When a risk is deleted, entries are deleted from GRACSODRISK only, not from GRACACTRULE.
11. For a full sync job, GRC considers the date range from 1970 until today's date. For incremental sync jobs, the date range runs from the last execution date of the incremental sync job to today's date.
12. HANA is a platform for customer applications, and each application may have its own set of authorizations, so SAP cannot deliver content for something it does not know. Customers have to create and maintain their own HANA ruleset, as SAP does not deliver one.
13. Ad-hoc risk analyses are run with different field selection criteria. 'Validity Date' should be used as a selection criterion only when running "Mitigation Analysis". For other ad-hoc risk analyses, 'Validity Date' should not be selected as a filter, as it will not work.
14. A business role is displayed in existing assignments with provisioning environment ALL, even if it has only been assigned in the Development or only in the Production provisioning environment, because the business role itself has no connector. Therefore the provisioning environment is hard-coded to 'All'.
15. When importing roles with the authorization source marked as SKIP, the application does not import the single roles associated with composite roles. Since authorizations are to be skipped and authorizations come from the single roles, the single roles of an imported composite role are not imported.
16. Business roles exist as independent entities in GRC only and NOT in the ECC/ERP (plug-in) systems. When the business role concept is used, direct role assignment to users in the backend (plug-in) systems should be avoided, to prevent inconsistencies in the role assignment relationships stored within GRC.
17. HANA roles have to be either synced or imported into GRC AC; they cannot be generated from GRC. HANA roles can be successfully imported into Access Control.
18. In order to provision roles without owners, in addition to parameter 2038, set a detour for the case when no role owner is found so that such roles route to a No Stage path. Other roles then go to their respective role approvers.
19. None of the EUP field customizations are supported on the Simplified Access Request page, except 'One User per Request per System'.
20. The Simplified Access Request page is only available in NWBC; it is not available on the End User Page.
21. The Simplified Access Request only uses the labels available in "Maintain Field Labels" under Simplified Access Request in SPRO. If the BRF+ initiator rule uses any other label, for example "User type", the GRC system will not be able to route the request to the appropriate path and an error is displayed. If the BRF+ initiator uses labels that are not part of "Maintain Field Labels" under Simplified Access Request, use the "Access Request Creation" tab to create the request instead.
22. Per the standard configuration, the 'Approver Not Found' and 'Provisioning Failed' escape conditions are available at global level only; the functionality is not available at stage level. This is by design.
23. Access Request allows users to request the same role more than once, as long as the validity dates are different. Multiple assignments with the same validity dates are not allowed. Multiple assignments of the same role are allowed because a role assignment can come from various sources: direct, via a composite role, organizational assignment and so on.
24. EUP default values are considered only for a new user, or when no value is maintained for an existing user, i.e. the field value is blank. If a value is maintained in the connector from which the user details are fetched, the value and format come from the backend system.
25. A rejection e-mail is not sent when an approver rejects a single user (line item) in a UAR request. The reject notification in the MSMP settings is for the request-level reject event, not for line item rejection. So you receive the reject notification only if the approver rejects the whole request.
26. GRC pulls the execution count only for single roles in the role usage sync job, not for composite roles. Hence the role usage count is not aggregated at composite role level.
27. The 'Add Comments' button is no longer available in UAR requests in GRC 10.1. To add the same comment to multiple line items, select the lines you want to comment on, then write your comment; it is copied to all selected line items.
28. The SOD Review/UAR workflows do not support custom BRF+ initiator rules or custom BRF+ agent rules, in both the GRC 10.0 and 10.1 releases.
29. The Usage column in UAR is blank when no transactions have been executed for the particular role.
30. The maximum value that can be set for parameter ID "2008 - Number of line items per UAR request" in 'Maintain Configuration Settings' is 9999, since the field length of parameter 2008 is 4. So parameter 2008 can have a value from 1 to 9999.
Any subtractions or additions to this document are most welcome.
Regards,
Rakesh Ram M
PSS - Common Issues and Solutions, Important Take Aways
Password Self Service (PSS) in SAP GRC AC 10.0 allows users to reset their own passwords. This lets users perform self-service password resets, and employees can also update their personal details themselves.
Below are a few common issues faced during PSS configuration.
After submitting the PSS action, the error "Password reset failed: no valid Email-id maintained for user id" appears and nothing happens.
- Go to SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Data Sources Configuration and make sure you have connectors set up for each of the data sources.
- Execute the sync job (program GRAC_REPOSITORY_OBJECT_SYNC) again for the connector you are using as your user source, then try again.
- GRACUSER is the table from which the user's e-mail is read, provided it is being populated correctly. Setting this up should fix the error.
After using the "Reset Password" option and clicking Next, the error "user is locked" is displayed.
- In the PSS global configuration settings you can define after how many failed attempts the user is locked out of PSS. This setting is configured in SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > User Provisioning > Maintain Password Self Service.
- See SAP Note 2018010.
When end users open the "End User Logon Page" link in a new browser to reset the passwords of their IDs in the backend systems, it asks for a user ID and password, whereas it does not prompt for them when the same page is accessed through NWBC. How to troubleshoot this?
- Make sure that the guest user is configured in each of the 10 services in SICF for the EU logon pages to work.
Admin-registered questions are not visible in PSS.
- Make sure all PSS questions are maintained in all the languages used by end users, including the users' default languages.
- From SP9, PSS questions are shown in the user's default language, provided the supported languages are maintained in the IMG: SPRO > IMG > GRC > Access Control > General Settings -> Maintain Supported Languages.
- The default language is maintained first in the sequence. If no questions are available in the default language, the next language in the sequence becomes the default.
While trying to register security questions for admin-registered questions, the following error message is displayed.
- The field 'Number of Questions' is not maintained in the SPRO configuration. To resolve this:
- Execute transaction SPRO > IMG > Governance, Risk and Compliance -> Access Control -> User Provisioning -> Maintain Password Self Service
- Maintain the required value in the field 'Number Of Questions'.
While trying to reset the password, the user receives the error message 'You can change your password only once a day'.
- The password parameter is not set in RZ11 on the system where the user is attempting to change the password.
- Set the RZ11 password parameter on the plug-in system, as the password has to be changed in the system where the user actually exists.
- The parameter to check is:
login/password_max_reset_valid
The error message "User is not registered. Please register the user first" is displayed in PSS after registering the security questions.
- Prior to SP10 of GRC 10.0, if the PSS authentication source was set to "Challenge Response", the questions were registered against the user maintained in the SICF web service "grac_gaf_pwd_selfservice_eu", not against the logged-in user.
- Upgrade to SP10 or above, or implement Note 1747265 to resolve the issue.
IMPORTANT TAKEAWAY ABOUT PSS
- The following password statuses are supported by the GRC Password Self Service (PSS) functionality:
- Normal user with a productive password
- Productive password expired
- Initial password expired
- Incorrect logon lock
- Admin lock (user is locked by the administrator)
- Deactivated passwords are not supported by the password reset functionality.
- The standard delivered PSS notification is delivered under document 'GRAC_CUP_PSS_NOTIFY'.
- The NWBC authorizations used for managing Password Self Service are as follows:
- During the password reset phases, only those plug-in systems are shown in the list of systems for which the user sync has been done and the logged-in user exists in the GRC repository for that plug-in system.
- The following parameters can be used to control the system-generated password:
GEN_PSW_MAX_DIGITS
GEN_PSW_MAX_LENGTH
GEN_PSW_MAX_LETTERS
GEN_PSW_MAX_SPECIALS
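The following added example (not SAP code) shows how a generator can honour limits of this kind while still drawing every character from a cryptographically secure source, and how a check function verifies a candidate against the same limits. It assumes the four parameters are upper bounds on the total length and on the number of digits, letters and special characters; the SPECIALS set and the function names are constructed for the illustration.

```python
"""Generating and checking a system password against GEN_PSW_MAX_* limits.

Added example, not SAP code.  Assumption: each parameter is an upper
bound (total length, digits, letters, specials).  Characters come from
the 'secrets' module, never from 'random', so the initial password is
unpredictable.
"""
import secrets
import string

# Constructed set of specials; align it with what the target system accepts.
SPECIALS = "!$%&/()=?+-_.,;:#"
CLASSES = {"d": string.digits, "l": string.ascii_letters, "s": SPECIALS}
KEYS = {"d": "GEN_PSW_MAX_DIGITS", "l": "GEN_PSW_MAX_LETTERS", "s": "GEN_PSW_MAX_SPECIALS"}


def check_policy(pw, limits):
    """True if pw stays within every GEN_PSW_MAX_* bound in limits."""
    digits = sum(c.isdigit() for c in pw)
    letters = sum(c.isalpha() for c in pw)
    specials = sum(c in SPECIALS for c in pw)
    return (len(pw) <= limits["GEN_PSW_MAX_LENGTH"]
            and digits <= limits["GEN_PSW_MAX_DIGITS"]
            and letters <= limits["GEN_PSW_MAX_LETTERS"]
            and specials <= limits["GEN_PSW_MAX_SPECIALS"]
            and digits + letters + specials == len(pw))   # no characters outside the classes


def generate_password(limits, rng=secrets):
    """Build a password as long as the limits allow, with at least one
    character from every class whose bound is non-zero (assumption: a
    mixed initial password is the point of generating one).  rng must
    provide choice() and randbelow(); secrets does, random must not be used."""
    budget = {k: limits[name] for k, name in KEYS.items()}
    length = min(limits["GEN_PSW_MAX_LENGTH"], sum(budget.values()))
    # one of each allowed class first, then fill the remainder within the bounds
    chosen = [k for k, n in budget.items() if n > 0][:length]
    counts = {k: (1 if k in chosen else 0) for k in budget}
    for _ in range(length - len(chosen)):
        allowed = [k for k in budget if counts[k] < budget[k]]
        counts[rng.choice(allowed)] += 1
    chars = [rng.choice(CLASSES[k]) for k in budget for _ in range(counts[k])]
    # Fisher-Yates shuffle with the secure RNG so class order does not leak
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    limits = {"GEN_PSW_MAX_LENGTH": 10, "GEN_PSW_MAX_DIGITS": 3,
              "GEN_PSW_MAX_LETTERS": 6, "GEN_PSW_MAX_SPECIALS": 2}
    pw = generate_password(limits)
    print(pw, check_policy(pw, limits))
```

Note the last clause of check_policy: a password containing a character outside the three classes (for example a space) fails even if every individual bound is met, which is the kind of value the target system's own password rules tend to reject.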
Any subtractions or additions to the document are most welcome.
Regards,
Rakesh Ram M
Decentralized Org Unit maintenance in GRC Process Control 10.0/10.1
In GRC Process Control 10.0/10.1, organization maintenance can be decentralized by separating a user's ability to:
- Maintain role assignments for the organization
- Assign subprocesses to the organization.
It is possible to customize roles and model authorizations such that:
1) The user is only authorized to maintain the role assignments on the ORGUNIT.
2) The user can maintain only the GENERAL DATA (General tab) of the ORGUNIT.
3) The user can only maintain the subprocess assignment on the ORGUNIT.
With the decentralized model, the SAVE button is enabled on the ORGUNIT OIF, and authorizations can be segregated among multiple responsible users assigned to customized roles. Of course, a combination of the authorizations from 1), 2) and 3) above is also possible.
Let us model a role ZORG_MAINTAIN using the authorization object GRFN_API.
CASE 1 :Subprocess assignment on ORGUNIT
ACTIVITY : CREATE, CHANGE,DISPLAY
DATAPART : SUBPROCESS
ENTITY: ORGUNIT
SUBENTITY : *
Now we need to assign this role for the Corporate or Org Unit via entity role assignment.
In transaction SPRO, execute:
GRC->General Settings->Authorizations->Maintain Entity Role Assignment
Now assign the test user (SAINIAM1 in this case) for a CORPORATE/ORGUNIT to the custom role ZORG_MAINTAIN.
HR table HRP1852 holds the user and role assignment; verify that the assignment has been made.
Execute NWBC with test user SAINIAM1 and verify that the user can assign a subprocess to the ORGUNIT.
The user has no ability to maintain the roles for the ORGUNIT.
The user is also not able to maintain the ORGUNIT general attributes.
Click on the 'Assign Subprocess' button.
There is no popup to select any subprocess. That happens because the user is not authorized to display the central objects, i.e.
Central Process and Central Subprocess. So let us regenerate our custom role with these required authorizations.
Now the user can assign subprocesses to the ORGUNIT.
Let us regenerate the custom role and tweak the authorization such that the user only has the authorization to maintain the GENERAL attributes of the ORGUNIT.
CASE 2: General tab attributes maintenance on ORGUNIT
ACTIVITY : CREATE, CHANGE,DISPLAY
DATAPART : DATA
ENTITY: ORGUNIT
SUBENTITY : *
Execute NWBC to verify that the user is only authorized to maintain the general attributes of the ORGUNIT, and not authorized to maintain role assignments or subprocess assignments for it.
Now we can tweak the authorization and regenerate the role so that the user can maintain only the 'Role' assignment for the ORGUNIT. In this case the user is not responsible for 'GENERAL' data maintenance or 'Subprocess' assignment for the ORGUNIT.
CASE 3: Role assignment maintenance on ORGUNIT
ACTIVITY : CREATE, CHANGE,DISPLAY
DATAPART : ROLE
ENTITY: ORGUNIT
SUBENTITY : *
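To compare the three cases side by side, here is an added example (not SAP code) that mimics the field comparison of an authorization check in Python: '*' matches anything, ACTVT 01/02/03 stand for create/change/display, and a role is a list of GRFN_API instances. Which checks the NWBC screens actually perform is an assumption reconstructed from the behaviour reported above, including the display check on the central process and subprocess that Case 1 needed before the 'Assign Subprocess' popup appeared; the entity names PROCESS and SUBPROCESS used for those central objects are placeholders.

```python
"""Modelling the ZORG_MAINTAIN variants as GRFN_API authorizations.

Added example, not SAP code.  Field matching follows the SAP convention
(exact value or trailing '*' wildcard).  SCREEN_CHECKS is an assumption
about what each ORGUNIT screen action checks; PROCESS/SUBPROCESS as
entity names for the central objects are placeholders.
"""
CREATE, CHANGE, DISPLAY = "01", "02", "03"


def field_matches(pattern, value):
    """SAP-style field comparison: '*' matches anything, 'ABC*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authorized(role, actvt, datapart, entity, subentity):
    """True if any GRFN_API instance (ACTVT, DATAPART, ENTITY, SUBENTITY)
    in the role covers all four requested values at once."""
    wanted = (actvt, datapart, entity, subentity)
    return any(all(field_matches(p, v) for p, v in zip(inst, wanted)) for inst in role)


# Assumed checks behind the ORGUNIT screen actions (see lead-in).
SCREEN_CHECKS = {
    "maintain general data": [(CHANGE, "DATA", "ORGUNIT", "*")],
    "assign role":           [(CHANGE, "ROLE", "ORGUNIT", "*")],
    "assign subprocess":     [(CHANGE, "SUBPROCESS", "ORGUNIT", "*"),
                              (DISPLAY, "*", "PROCESS", "*"),       # central process list
                              (DISPLAY, "*", "SUBPROCESS", "*")],   # central subprocess popup
}


def permitted_actions(role):
    """Screen actions a user holding this role can complete."""
    return sorted(action for action, checks in SCREEN_CHECKS.items()
                  if all(authorized(role, *c) for c in checks))


# Case 1 as first generated: only the SUBPROCESS data part on ORGUNIT.
CASE1_INITIAL = [(a, "SUBPROCESS", "ORGUNIT", "*") for a in (CREATE, CHANGE, DISPLAY)]
# Case 1 regenerated with display on the central objects.
CASE1_FIXED = CASE1_INITIAL + [(DISPLAY, "*", "PROCESS", "*"), (DISPLAY, "*", "SUBPROCESS", "*")]
CASE2 = [(a, "DATA", "ORGUNIT", "*") for a in (CREATE, CHANGE, DISPLAY)]
CASE3 = [(a, "ROLE", "ORGUNIT", "*") for a in (CREATE, CHANGE, DISPLAY)]

if __name__ == "__main__":
    for name, role in [("case1 initial", CASE1_INITIAL), ("case1 fixed", CASE1_FIXED),
                       ("case2", CASE2), ("case3", CASE3), ("case2+case3", CASE2 + CASE3)]:
        print(name, "->", permitted_actions(role))
```

The model makes the Case 1 lesson explicit: the ORGUNIT data part alone grants nothing usable until the read-only dependency on the central objects is added, and adding it still leaves general data and role assignment out of reach.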
In summary, we can tweak authorizations in GRC Process Control 10.0/10.1 so that different users are responsible for DATA, SUBPROCESS and ROLE assignments on a single ORGUNIT.
Workflow task name customizing in GRC Process Control 10.0/10.1
SAP Process Control delivers workflow tasks to perform online/offline assessments. You can customize a task name by configuring the task, at a given position, to use new text for the task name.
A workflow task is comprised of the following elements:
- Task Name: the displayed name of the workflow task.
- Task Business Object: the mapping between the task and the workflow business object.
- Task Parameters: additional attributes available for each task that you can add to the task name, such as the Org Unit name.
- Task Position in the task list: each task occupies a fixed position in the task list. You need to know the task position in order to customize the task name.
As an example, a user receives the OWP task 'Update Manual Test' in the Inbox.
You want to configure a new task name for when the test of control effectiveness evaluation is sent for review.
Execute transaction SPRO and follow the path:
Governance, Risk, and Compliance->General Settings->Workflow->Workflow Task Names->Maintain Custom Task Names
In this example, we want to customize the workflow task 'Update Manual Test'. Determine the position of the task in the list and the available parameters.
To determine the default task name, double-click 'Default Task Name'.
The default message class is GRFN_TASK_NAME. Execute transaction SE91 and copy GRFN_TASK_NAME to ZGRFN_TASK_NAME.
Change the task name text at position 102 in the copied message class and save.
The workflow task name has been changed.
Execute transaction SPRO again and follow the path:
Governance, Risk, and Compliance->General Settings->Workflow->Workflow Task Names->Maintain Custom Task Names.
Double-click 'New Task Name'.
Choose 'New Entries'.
Enter the position '102' and the task name 'NAZGRFN_TASK_NAME102' to customize the workflow task name, and save.
SAP Access Control - Useful Documents, Blogs, Resources, etc.
This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.
Overview
Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)
GRC Processes, Lifecycles and Responsibilities
FAQ related to GRC Access Control 10.x Installation, Upgrade and Compatibility - Governance, Risk and Compliance - SCN W…
General opinion and thought-leadership
Are you ready to implement GRC 10?
If I had it to do all over: looking back on GRC 10 projects
Lessons learned from SAP GRC projects
Remediating Access Control SoD Risks
Internal Controls - a step towards strong controls
Defining Mitigating Controls / Compensating Controls
IT Control Testing - SOX Compliance
A #GRC tool is just part of the solution
It’s Just a Few GRC Ideas….Place
GRC General
Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant
NWBC screen layout options for GRC
Customizing Access request and approval screens in GRC Access Control
Issues, Bugs in GRC SP13 - Related Fixes
General tips to help in troubleshooting scenarios
SAP GRC AC 10.1 - Enhancements
How to delete roles, mitigation controls, users, and other informations from one connector
Product Support
GRC Product Support Monthly Newsletter
GRC Weekly News - Governance, Risk and Compliance - SCN Wiki
Top Ten - 2015 - Governance, Risk and Compliance - SCN Wiki
HR Triggers
Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki
GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki
Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool
GRC Access Control - Compliant User Provisioning: HR Triggers
Debugging HR Trigger - GRAC_HR_TRIGGER_EVENT_RECIEVER
Debugging HR Trigger - Simulation
Debugging HR Trigger - PA40 changes to infotypes
MSMP Workflows
AC 10.0 - Customizing Workflows for Access Management
MSMP - Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility
BRF+ Configuration
Determining the Logic behind Decision Tables
LDAP
Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control
LDAP Group parameter mapping.. what does it mean?
Connecting SAP GRC AC 10.X to Microsoft Active Directory
GRC 10.x and LDAP management 2.
Mobile Apps in SAP GRC
Administrator guides for Access Approver, Policy Survey, etc.
Fiori apps in GRC – Install two applications in 5 easy steps
Access Control with Identity Management (IdM)
SAP Access Control 10.0 Interface for Identity Management
SAP GRC with SAP BPC
Access Risk Analysis (ARA)
ARA - For the new kid on the block
Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.
How to set up a Configurable Business Rule
Online vs. Offline Risk Analysis
Creation of Mitigation Controls in GRC 10.0
Organizational Rules in GRC Access Control
Mass change of Mitigation Assignments
The Action Usage Sync job in technical details - GRC Access Control 10.0
The Repository - GRC Access Control 10.0
Access Request Management (ARM)
ARM - For the new kid on the block
AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
How to Change Subject Line in SAP GRC Email notification
Recommendations for using Business roles provisioning in access request
Configure Manager Look-Up in ARM for GRC 10
Role Search Screen Enhancement – GRC 10
Terminate Account - Request Process - GRC 10
GRC Request with both System and Role Line Items
Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.
Access Control: - Create Access Request Using Web Service in GRC10
Design Considerations to reduce Password Self Service (PSS) Intruder Risk
Direct vs. Indirect Role Assignment
EUP - Common Issues and Solutions, Important tables and takeaways
PSS - Common Issues and Solutions, Important Take Aways
Business Role Management (BRM)
BRM - For the new kid on the block
Maintain Default Roles in BRM GRC AC 10.1
Import Role from ECC to GRC system
Business Roles concept and usability in GRC AC10
Enabling Business Role updates to existing assigned users
BRM Default Approvers via Condition Groups
BRM Role Methodology via Condition Groups
Emergency Access Management (EAM)
EAM - For the new kid on the block
EAM Utilisation and Log Review Process
ID-Based Firefighting vs. Role-Based Firefighting
AC 10.0 - Centralized Emergency Access
Configure Emergency Access (EAM) in GRC 10
EAM - Approve through Wrokflow
Emergency Access Management Reporting
Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)
EAM: Requesting emergency access via access request workflow in SAP GRC - step by step.
See also
SAP Process Control - Useful Documents, Blogs, Resources, etc.
SAP Risk Management - Useful Documents, Blogs, Resources, etc.
SAP Fraud Management - Useful Documents, Blogs, Resources, etc.
Please help in updating the collection so that new users can get a well structured overview for their information.
Best regards,
Alessandro
Every option you need to know in MSMP -> Path -> Modify Task Settings
Hello All,
Please find below the purpose of each option in the Modify Task Settings tab in MSMP:
1. Runtime Cnfg Chng Ok
If stage settings are changed after the workflow has been initiated, enabling this option allows the running workflow to use the new settings.
2. Path Reval New Role
When a request goes through multiple paths and an approver adds roles at their stage, the path needs to be re-evaluated. 'Path Reval New Role' controls that re-evaluation for requests going to multiple paths.
If 'Only New Roles in Evaluation Path' is selected, the request needs to be evaluated by the approver whenever new roles are added.
If 'No Path Revaluation for New Roles' is selected, the request does not come back to the approver after approval.
If 'All Roles in Request (Re-Evaluate)' is selected, the request needs to be re-evaluated by the approver for all roles.
3. Reroute
Reroute sends the request to one of the previous stages in the workflow. A request whose workflow has only one stage cannot be rerouted; at least two stages are required.
For the 'Reroute' action to be enabled for approvers, the following three conditions must be met:
- The stage-level setting for reroute is active
- The present stage is not the first stage (e.g. the first approver cannot reroute right after the request is submitted)
- The request does not have multiple paths to follow (e.g. at runtime the request cannot take two different paths)
4. Confirm Rejection
Provides the approver with an additional screen asking them to confirm (YES/NO) that the request is to be rejected.
5. Approve By Email
Enables approval through e-mail.
6. Approve Despite Risk
Allows approval of a request even when there are unmitigated risks.
7. Reaffirm Approve
Prompts the approver to supply user ID and password while approving the request.
8. Change Request Det
'Change Request Details' controls whether fields are editable for an approver. If set to 'NO', the approver cannot change fields such as the user validity start and end dates while approving the request. If set to 'Yes', the approver can change the field values. Set this according to your company's requirements.
9. Approval Level
With approval level 'Request', the approver approves the whole request.
With approval level 'Role', the approver can approve the individual requested roles.
With approval level 'System and Role', when a request contains both system and role line items and the approver approves the system line item, the application automatically approves the roles associated with that system.
If the Approval Level is 'System and Role' or 'Request', the whole request is forwarded, not just specific roles. If you want to forward roles in a request to different role approvers, set the Approval Level to 'Role'.
10. Comments Mandatory
The stage parameter 'Comments Mandatory' requires comments at request level, not at line item level.
If it is set to Rejection, the request asks for comments when the approver rejects it, but not when the approver approves it. Similarly, if it is set to Approval, it asks for comments on approval and not on rejection. If it is set to Both, it asks for comments on both approval and rejection.
11. EUP ID
End User Personalization (EUP) lets administrators set the parameters that define the behaviour of the fields and pushbuttons on the Access Request screen.
EUP helps to:
- Specify the number of visible rows
- Set Fields to visible or hidden
- Set fields as mandatory
- Define Default values for the fields
12. Override Assign Type
Used when both direct and indirect provisioning are in use. Enabling this setting allows the approver to decide whether a specific role should be assigned directly or indirectly.
13. Add Assignment
'Add Assignment' allows adding assignments such as roles during the runtime of the request, i.e. during the approval process. It does not allow the removal of assignments already added to the request; for those, the 'Remove' button is disabled.
14. Request Rejected
Allows the approver to reject the request.
15. Confirm Approval
Provides the approver with an additional screen asking the approver to confirm whether the request has to be approved with YES or NO.
16. Reject By Email
Enables rejection through e-mail.
17. Forward Allowed
Allows approvers to forward requests to be reviewed by another approver.
18. Display Review Scrn
Displays a review screen prior to final approval or rejection of the request, so that the final approver can see everything that has been approved.
19. Reaffirm Reject
Prompts the approver to supply user ID and password while rejecting the request.
20. RA Mandatory
'RA Mandatory' controls whether approvers must perform a risk analysis before approving a request. It has three options:
YES - Risk analysis is mandatory
YAC - Risk analysis is mandatory if the access has changed or if the risk analysis failed (this setting does not allow an approver to approve a request when the RA fails)
NO - Risk Analysis is not mandatory
21. Rejection Level
With rejection level 'Request', the approver rejects the whole request.
With rejection level 'Role', the approver can reject the individual requested roles.
With rejection level 'System and Role', when a request contains both system and role line items and the approver rejects the system line item, the application automatically rejects the roles associated with that system.
22. EMail Group
This functionality is not supported.
23. Allow Manual Prov
Used on the last stage of the workflow path. If enabled, it displays an option to provision manually.
Any additions or subtractions to this document are most welcome.
Regards,
Rakesh Ram M
Enhance GRAC_UIBB_USER_REGISTER
SAP EHP2 FOR SAP NETWEAVER 7.0
Release 702
SP-Level 0017
A requirement came up to extend the standard PSS functionality for registering security questions and answers: user input must be validated on save so that users cannot give the same answer to different questions.
To achieve this, the Web Dynpro component GRAC_UIBB_USER_REGISTER is enhanced, as SAP recommends, since no notes are available to cover this requirement.
First open the component in transaction SE80.
Then open the Methods tab of the Component Controller, open the 'Controller' menu and choose 'Enhance' (Ctrl+F4).
Create the enhancement; this creates Pre-Exit, Post-Exit and Overwrite-Exit methods.
Because the table update method is called in the SAVE method, it is necessary to create the Overwrite-Exit method for the SAVE method.
Copy the source code of the SAVE method into the overwrite method and modify it as required.
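The actual enhancement is written in ABAP inside the overwrite exit; as an added example (not the page's code), the validation logic it needs is sketched in Python below so the comparison rule can be exercised before it is ported. Case folding, whitespace collapsing, accent stripping and the minimum answer length are assumptions about what "the same answer" should mean, not rules taken from SAP.

```python
"""Duplicate-answer validation for security question registration.

Added example, not the ABAP from the enhancement.  Assumptions: answers
are compared after normalisation (case, whitespace, accents) so trivial
variations do not slip past the check, and very short answers are
rejected as well.
"""
import unicodedata


def normalize_answer(answer):
    """Case-fold, strip accents and collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())


def find_duplicate_answers(registrations):
    """registrations: list of (question_id, answer).
    Returns groups (sorted question IDs) that share a normalised answer."""
    by_answer = {}
    for qid, answer in registrations:
        by_answer.setdefault(normalize_answer(answer), []).append(qid)
    return [sorted(qids) for qids in by_answer.values() if len(qids) > 1]


def validate_registration(registrations, min_answer_len=3):
    """Return error strings for the user; an empty list means SAVE may proceed."""
    errors = []
    for qid, answer in registrations:
        if len(normalize_answer(answer)) < min_answer_len:
            errors.append("answer to question %s is too short" % qid)
    for group in find_duplicate_answers(registrations):
        errors.append("questions %s have the same answer" % ", ".join(map(str, group)))
    return errors


if __name__ == "__main__":
    # constructed input: three questions, two with effectively the same answer
    sample = [(1, "Rex"), (2, " rex "), (3, "Berlin")]
    print(validate_registration(sample))
```

In the overwrite exit the equivalent check runs before the table update; when the error list is non-empty the save is aborted and the messages are shown to the user instead.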