Dear all,

This document gives you an overview of the master data (e.g. Controls) change workflow in GRC Process Control.

Central controls are created for sub processes under Business Processes.

Once controls are created, open a control. If the master data change workflow is activated, the SAVE button is disabled and a Request Change button appears.

 

 

SPRO configuration:

First activate the master data object for which you require the workflow:

SPRO>GRC>Shared master data settings>Activate Workflow for Master Data Changes

If changes are made to central controls, the workflow triggers for change approval and notification.

Now maintain Custom Agent Determination Rules for entity XCONTROL:

SPRO>GRC>General Settings>Workflow> maintain Custom Agent Determination Rules


 

 

 

NOTE: Correct role selection is very important for the business event; map it with the correct entity ID, and select the notification business event if a notification is required.

Now change a control in NWBC. Once you click on the Request Change button, you get an error:

Reason: no user is maintained as fallback receiver.

SPRO>GRC>General Settings>Workflow> Maintain Fallback Receiver

 

 

 

Now try the same from NWBC.

Once you click on Request Change for the control, it asks for a change request.

Provide the details and click OK; you will get the message below.

 

 

Reference:Master Data Change Request Workflow - Governance, Risk and Compliance - SCN Wiki

 

pc:No Approver Found. Request Change is not possible.

 

Hope it helps for others.

 

Regards

Baithi

Dear all,

 

This document gives you an overview of the creation of regulations and how to assign them to sub processes.

Regulations and Policies provide visibility into your compliance framework and access to end-to-end policy management.

Regulations are assigned to Sub processes, Controls, IELC (Indirect Entity-Level Controls), Policies and Ad-Hoc Issues, which are assigned to organizations.

Regulations are part of master data.

We can create a Regulation Group, a Regulation and a Regulation Requirement.

 

 

 

Creation of Regulation Group

 

 

 

Provide the details and click on SAVE.

Once the regulation group has been created, create the Regulation.

Select the regulation group and click on Regulation to create it.

Provide the regulation name and description, and select the Assign regulation configuration from the drop-down.

The Assign regulation configuration is maintained in SPRO:

SPRO>GRC>Process Controls>Multiple Compliance Framework>configure compliance Initiatives

 

 

 

 

 

 

Select the Assign regulation configuration from the drop-down and click on Save.

Now the regulation is created under the regulation group.

 

 

 

Select the regulation and create regulation requirement

 

 

Provide the details and Save

 

 

Now select the sub process from Business Process to assign the created regulation.

Go to the Regulations tab.

Click on Add to see and select the regulations, and Save the sub process.

 

Regards

Baithi


SAP TechEd 2015 in Las Vegas is just two short weeks away. Have you created a personal agenda yet? Mine is still a work in progress, already jammed with double- and triple-booked times, but there are some things that I can recommend with certainty. Most importantly, do create a personal agenda. No matter how busy you are, it is worth spending some time browsing the sessions both by the tracks and by some keyword searches. Every year I find some security-related sessions in other tracks, so it is time well spent. It is also OK to double book your agenda, in case a session cancels or is not what you expected.

 

So what is in my personal agenda? First, let me back up to something not in my own agenda, but everyone should at least consider: the ASUG pre-conference sessions. Depending on the projects ahead at your organization, there could be something to give you a great deep-dive start to the week. Be sure to check them out in this post by Tammy Powlas :

Jump Start SAP TechEd Las Vegas with ASUG Pre-Conference Hands-on Sessions

 

OK, back to my own agenda. Here are some recommendations for you to consider adding to your own agenda:

 

1. GRC Access Control Sessions. I am so pleased to see such a variety of sessions on GRC Access Control at SAP TechEd this year. This has been a quest of mine for several years now, to get more content in this area into the program.  If Access Control is something you are implementing or already support, be sure to consider these presentations:

SEC110 - Upgrading SAP Access Control and other GRC solutions from 10.0 to 10.1. My organization has not yet upgraded to 10.1, so I am very much looking forward to the lessons learned and other content of this ASUG education session.

SEC208 - SAP Access Control Customer Connection: Co-Innovation for the Win. This is my own presentation, so of course I am excited about it. Come to this session to hear about the improvements to SAP Access Control,  some  already delivered and some still in progress, that came out of Customer Connection projects, and learn about what is ahead.

SEC160 Hands-On Lab: An Introduction to using Key Features of SAP Access Control. A hands-on session on GRC Access Control- woo hoo! I have been begging for this for years. Access Control 10 has so much functionality that you may not have implemented all of it yet. This is the perfect opportunity to get hands on-time in several areas. If you have not yet signed up for your Hands-On sessions, get going, they are filling up.

SEC807 Road Map Q&A SAP Access Control. This is our chance to hear about the road ahead for this solution and ask questions of the product owner.

 

2. Security sessions. The security track covers a lot of ground; depending on the solutions in use at your organization, some of these sessions are likely to be more applicable than others, so be sure to browse both sub tracks of the Security track. Some of the sessions in my agenda:

SEC107 "Access"ing Your SAP Security Data. This session includes an intro to SAP Security, so if you are just starting out in SAP security, this ASUG education session will be great for you. As for me, I am looking forward to hearing about using Microsoft Access to manage security data.

SEC206 Deploying SAP Fiori to meet the Needs of Your Current Security Model.  My organization is not yet using Fiori, but surely it is just a matter of time, so this is another ASUG education session on my list.

 

3. ASUG education sessions. The ASUG sessions already mentioned are just a sample of the TechEd content brought to you by ASUG's TechEd Design Team: Tammy Powlas, Kristen Dennis, Kevin Comegys, and me, along with our SAP Point of Contact Peter McNulty. We have been hard at work since before ASUG/SAPPHIRE to bring you the best possible content from ASUG members. You can find it in the session catalogue under the Source filter. Some of the other ASUG sessions in my agenda are:

TEC122 Building the Business Case for SAP Business Suite powered by SAP HANA

INT110 Secure Integration to the Cloud: Connecting On-Prem and Cloud Applications

BA122 It Isn't Only Brain Surgery: SAP HANA and SAP BusinessObject BI Solutions.

 

4. Expert Networking sessions. These may be the hidden gems of SAP TechEd, your place to meet with SAP Mentors, presenters, product managers, and your peers.  I am hosting two Expert Networking sessions in the SAP Mentors Lounge, EXP 27263 on Tuesday at 1:30 PM, and EXP27262 on Thursday at 10:30 AM, and I hope to see a lot of the regulars from the GRC and Security spaces on SCN as well as ASUG members there. To find the Expert Networking sessions and add them to your personal agenda, do a search with a filter on Session Type> Networking session.

 

5. Evening Events. After a long day of lectures, labs, road maps, and chatting with the experts, it is great to kick back and network in a more informal way. Be sure to attend the Networking event on Wednesday, starting at 6:00 PM on the show floor. The SAP Fiori Jam Band will once again lead the way and rock out Las Vegas. Come and sing along with us! Photo courtesy of SAP photographers.

 


 

Hope to see you all there!

Hello GRC Community,

 

 

 

Some customers are facing a dump when trying to synchronize the authorizations between BRM and PFCG.

If you check ST22, there is a dump like the one below:

 

 

----------------------------------------------------------------------------------------------------
Category                   ABAP Programming Error
Runtime Errors             SAPSQL_ARRAY_INSERT_DUPREC
Except.                    CX_SY_OPEN_SQL_DB
Program ABAP               CL_GRAC_MODEL_ROLE============CP
Application Component      GRC-AC
Date and Time              XX.XX.XXXX XX:XX:XX
----------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------
|Short Text                                                                                       |
|    The ABAP/4 Open SQL array insert results in duplicate database records.                      |
----------------------------------------------------------------------------------------------------

 

 

 

To solve this dump, please follow these steps:

For more information please access KBA 2214288.

 

Thanks and Regards,

 

 

Rafael Guimbala

Scenario: HR Trigger requests make use of the same workflow notification as other Access Control requests. Customers may want to disable notifications when the request is created by HR Trigger, while all other requests continue to generate notifications normally.

How can customers disable e-mail notifications for HR Trigger requests only?

Solution: This can be achieved by following the steps below:

1) Create the Enhancement Spot/BAdI per Note 1589130 or per Note 1727135. You can also apply both Notes and merge the code.

2) Thereafter, custom code can be added in method SEND_OVERRIDE of the BAdI's implementing class. It is a stable solution and does not get overwritten by SP upgrades.

 

The customization code attached is a suggestion that has been tested in my internal system and works effectively.

In my sample code, I am suppressing e-mail notifications for HR Triggers that create request type 23.

Please note that you need to replace request type 23 with your own number, based on the HR actions maintained in SPRO.

Navigate to SPRO>...>Access Control>User Provisioning>Maintain Settings for HR Triggers.

 

If you would like to suppress e-mail for more than one action triggered by HR, then you need to slightly modify the sample code to achieve it.

 

Hope this is useful!

Scenario: all the workflow e-mail notifications should be sent in English, regardless of the language of the users (approvers, requestors, etc.).

If you have such a requirement from your business, what is the easiest way to achieve it?

No, you do not need to translate each and every single document in SE63 to English to achieve it.

The easiest way is to customize one of the Enhancement Spot/BAdIs available for workflow notifications.

 

 

Steps:

 

1) Create the Enhancement Spot/BAdI per Note 1589130 or per Note 1727135. You can also apply both Notes and merge the code.

2) Customize the method SEND_OVERRIDE by adding one line of code, demonstrated in the screen print below. In this example I am customizing the BAdI for Delegees, but the customization can also be added to the BAdI for Multiuser notification. If you have both BAdIs created, you will customize the merged method SEND_OVERRIDE (which will have the code for both BAdIs, merged).

(screen print of method SEND_OVERRIDE)

 

 

Now, all the GRC Access Control workflow e-mail notifications will be sent in English, regardless of the language of approvers, requestors, users, etc.

 

Hope this is useful!


Some tips about Manual Test Plans

There was a migration of infotypes during the transition between GRC support packages to enable multilingual test steps in the test plan.

 

 

I started the scenario using a system with the following configuration:

 

  • GRC 10.1 SP level 06.

 

 

The test steps are stored in table HRP5327:

 


 

The manual test Plan is stored like any other object in HRP1000:

 


 

A system upgrade was performed. Now my system configuration is like below:

 

  • GRC 10.1 SP level 09.

 

 

In NWBC, the test plan is created:

 


 

However, my test steps are not there anymore.

If I manually create a new test step, it shows up in the grid.

 

New test step added.

Checking again in table HRP5327, the object is not there. However, the object was stored in table HRP5355.

 

Do not add any new items manually before executing the program.

In this case, a copy from the old table must be performed to copy all existing test steps to the new table.

The program GRPC_UPLOAD_HRP5327_TO_HRP5355 must be executed (transaction SE38).

The second step is to choose a language. You can run it in simulation mode the first time.

 


 

Execution was successful.

After the execution, the record was moved to table HRP5355.

 

 

The test steps are shown in the front-end again:

 


 

 

The steps mentioned above can be found in SAP note 1949265 - GRC PC: How to enable multilingual test steps in test plan.

 

 

Summary:

 

After the GRC 10.0 SP-14 / 10.1 SP-07 implementation, the program GRPC_UPLOAD_HRP5327_TO_HRP5355 must be executed only once to copy all existing test steps from old database table HRP5327 to new database table HRP5355.


 


MDUG is uploading the objects into table HRP5327.



To resolve it, implement the note below:


 

- 2124607 to use MDUG to upload test step data after 10.0 SP-14 / 10.1 SP-07 upgrade.




Test Steps Missing in a Test of Control Effectiveness:



To resolve it, implement the note below:



2181730 - Test Step missing when user opens the workitem for test control effectiveness

Take a scenario where you have the following requirements:

 

1) User Authentication data source is LDAP

2) User Details Data source is HR(for Manager)

3) SAP User ID is stored in physical attribute in LDAP.

4) HR system infotype 0105 subtype 0001 stores SAPID

5) HR system infotype 0105 subtype 9000 stores domain id

 

 

Whenever a user is authenticated in LDAP using the SAMACCOUNTNAME, the same value is passed to HR as the user details data source, and it is validated against infotype 0105 subtype 0001 to obtain the manager and other details.

When the SAMACCOUNTNAME is passed but infotype 0105 subtype 0001 stores the SAP ID, they will not match.

Hence a development has to be made on the target system so that it can validate against infotype 0105 subtype 0001, in class /GRCPI/CL_GRIA_USR, method GET_USR_DETAILS.

Now the details can be fetched for the access request.

 

Since the authentication data source is LDAP, the SAP ID is stored in a physical attribute, and the Manager should come from the HR system, you have to remove the Manager mapping for LDAP in Maintain Mapping for Connector and Connector Group, and enable the parameter below:

Parameter group: Access request validations | Parameter ID: 5023 | Value: YES | Description: Consider details from multiple data sources for missing user details in access request

In the Data Source sequence for User Details, keep LDAP above HR.

It will fetch all details from LDAP and change the SAP User ID in the Access Request form.

Other details, including the Manager, are filled from the HR system.
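The lookup described above, as an added example that is not part of the original post and not SAP's code: a toy model of the two data sources, with LDAP as the authentication source (the attribute name "sapUserId" is an assumption standing in for the physical attribute) and HR keyed by infotype 0105 subtypes 0001 and 9000. All directory entries, infotype rows and personnel numbers are constructed sample data. The flag `pass_sap_id_to_hr` switches between the mismatch the post describes (sAMAccountName validated against subtype 0001) and the corrected lookup (SAP ID from LDAP validated against subtype 0001); the fallback via subtype 9000 for a user whose LDAP entry has no SAP ID is my own addition, not a step from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed LDAP directory: sAMAccountName -> attributes.  "sapUserId" is an
# assumed attribute name for the physical attribute that holds the SAP user ID.
LDAP: Dict[str, Dict[str, str]] = {
    "jdoe": {"displayName": "Jane Doe", "mail": "jane.doe@example.com", "sapUserId": "JDOE01"},
    "bsmith": {"displayName": "Bob Smith", "mail": "bob.smith@example.com"},  # no SAP ID attribute
}

# Constructed HR infotype 0105 rows: (pernr, subtype, value).
# Subtype 0001 holds the SAP ID and subtype 9000 the domain ID, as in the scenario.
IT0105: List[Tuple[str, str, str]] = [
    ("00001001", "0001", "JDOE01"),
    ("00001001", "9000", "jdoe"),
    ("00001002", "0001", "BSMITH01"),
    ("00001002", "9000", "bsmith"),
]

# Constructed HR master data keyed by personnel number.
HR_DETAILS: Dict[str, Dict[str, str]] = {
    "00001001": {"manager": "MGR_FIN", "department": "Finance"},
    "00001002": {"manager": "MGR_OPS", "department": "Operations"},
}


@dataclass
class UserDetails:
    sap_user_id: Optional[str] = None
    display_name: Optional[str] = None
    email: Optional[str] = None
    manager: Optional[str] = None
    department: Optional[str] = None
    sources: List[str] = field(default_factory=list)  # data sources that contributed


def pernr_by_subtype(value: str, subtype: str) -> Optional[str]:
    """Personnel number whose infotype 0105 record of `subtype` holds `value`."""
    for pernr, st, val in IT0105:
        if st == subtype and val == value:
            return pernr
    return None


def resolve_user_details(sam_account_name: str, pass_sap_id_to_hr: bool = True) -> Optional[UserDetails]:
    """Data source sequence LDAP above HR: LDAP fills what it has, HR fills the rest.

    pass_sap_id_to_hr=False reproduces the mismatch described in the post: the
    sAMAccountName itself is validated against subtype 0001, which stores the
    SAP ID, so HR never matches and the manager stays empty.
    pass_sap_id_to_hr=True validates the SAP ID obtained from LDAP instead.
    """
    ldap = LDAP.get(sam_account_name)
    if ldap is None:
        return None  # not authenticated: no user details at all
    d = UserDetails(display_name=ldap.get("displayName"), email=ldap.get("mail"),
                    sap_user_id=ldap.get("sapUserId"), sources=["LDAP"])

    hr_key = d.sap_user_id if (pass_sap_id_to_hr and d.sap_user_id) else sam_account_name
    pernr = pernr_by_subtype(hr_key, "0001")
    if pernr is None and d.sap_user_id is None:
        # LDAP carried no SAP ID: assumption (not in the post) that the domain ID in
        # subtype 9000 can be used to find the employee record instead.
        pernr = pernr_by_subtype(sam_account_name, "9000")
    if pernr is not None:
        d.sources.append("HR")
        d.manager = HR_DETAILS[pernr]["manager"]
        d.department = HR_DETAILS[pernr]["department"]
        if d.sap_user_id is None:  # missing detail filled from the second data source
            d.sap_user_id = next(v for p, st, v in IT0105 if p == pernr and st == "0001")
    return d


if __name__ == "__main__":
    print(resolve_user_details("jdoe", pass_sap_id_to_hr=False))  # manager stays None
    print(resolve_user_details("jdoe"))                            # manager MGR_FIN
```

The `sources` list makes it visible which data source supplied each request, which is the first thing to check when a manager field arrives empty in an access request form.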

 

Regards,

Prasant

Troubleshoot your issue at your own! - Try Component Specific Questions (CSQ) for faster resolution.

 

CSQs are a set of suggestions which put forward the latest KBAs, Notes, WIKI docs, blogs and videos to give the customer a quick resolution. The CSQ section appears right after the Business Impact section while creating the incident, under the heading 'Questions Specific to the selected application area'. See below:

 


 

When a customer attempts to create an incident at SAP Service Marketplace or via Solman and selects a component, a set of customized recommendations and specific questions is prompted. With this, you are immediately led towards a potential solution without sending an incident to SAP Support. This helps you find the resolution of your issues faster, minimizing the overall time and effort for both parties. Therefore, we always encourage customers to ensure that they mention the correct component to get the right set of CSQs for the specific issue area; otherwise you will not get appropriate results for resolution. These CSQs are specific to each GRC component and its sub-components, i.e. Access Control CSQs are different from Process Control/Risk Management and so on, and further they are categorized by their sub-components: Access Request Creation (ARQ), Access Risk Management (ARA), Business Role Management (BRM), Emergency Access Management (EAM).

 


 

 

 

It is a generic text which is displayed for a particular component. Now it becomes the action item for the customer to look for the most appropriate answer as per the business requirement. For example, in the CSQs for ARQ there are categories like Notifications, Workflow, Provisioning, Password Self Service, Model User, Dumps etc. Therefore, the customer will have to check the particular area their issue belongs to. If they find a relevant solution and it resolves the issue, they can skip creating the incident and leave the incident wizard without saving. Otherwise, please continue with the incident description and add the other related information to complete the incident, helping our engineers understand your issue more effectively.

 

Similarly, there are CSQs for Process Control, Risk Management and Sustainability Performance Management. Going forward, Audit Management/Fraud Management CSQs will also be added to their incidents.

These CSQs are updated every quarter with the details of the latest code corrections/hot fixes via Notes/KBAs, WIKI documents, blogs on the SCN forum and additional quick updates. This is a really easy and quick way of troubleshooting your issues on your own prior to sending the incident to SAP Support. It helps to find the solution in a very short span of time.

Dear All,

 

In continuation of Creation of Risk in Risk Management GRC V10.0 (how to create a risk in Risk Management),

this document shows how to create and use the Key Risk Indicators tab in a Risk.

We can create two types of KRI instance:

Standard KRI Instance

Manual KRI Instance

 

 

 

Click on Create Standard KRI Instance.

It asks for the KRI Instance Name and the KRI Implementation.

 

 

How to create KRI Implementations

KRI implementations can be created under the Key Risk Indicators link.

Click on KRI Implementations to create one.

To create a KRI Implementation we need a KRI template.

How to create a KRI template

 

 

 

 

 

Click on the Create button to create a KRI template.

Provide the KRI template name and select the Value Type from the drop-down.

To select other details like System, Business Process and Component, we need to go back to SPRO for maintenance:

SPRO>GRC>Risk Management>Key Risk Indicators

 

 

 

 

 

Click Save to create the KRI Template.

The created KRI template will now be available in the KRI template catalog, as below.

Now we can select the KRI template when creating a KRI implementation.

 

 

Provide the KRI Implementation Name and select the created KRI template from F4.

Select the connector type from the drop-down.

Connector types are configured and maintained in SPRO.

Maintain the connector names with the system in Maintain Connectors and select the connector type.

Maintain the script for the SAP table, where we need to provide the SAP table name.

Once we select the connector type, the connector and script fields will be populated.

 

 

Do not save yet; it will give an error.

Now go to the Implementation Details tab.

In this tab we can select the required fields for the output value, with options.

Now Save.

The created KRI implementation will be available in the KRI Implementation catalog.

 

 

 

Now we can use the created KRI implementation in a Risk, on the Key Risk Indicators tab.

Provide the KRI Instance name and select the KRI implementation from the F4 list.

Select the monitoring frequency and time frame; only then will the Test Instance button be enabled.

 

 

Now you can activate the KRI Instance; it will be available in the Key Risk Indicators tab of the Risk.

We can create business rules for the created KRI instance.

If you click on Request Localization for the KRI instance, then we cannot create business rules.

The status becomes Localization Requested and the Create button is disabled.

 

 

Select the KRI Instance and open it.

Click on Complete.

Now the status changes to Localized.

Again select the KRI Instance and open it.

Click on Confirm.

Now the status changes to Active.

 

 

 

 

Regards

Baithi

Dear all,

 

We are using the GRC system as the central system for access requests from users of different entities, with different composite roles (the roles are created based on Business Process and entity).

Approvals are based on Functional Area, Business Process and Company.

Access request type: New

FI (Business Process) - XXXXXXXXXXXXXX (Composite role) - ABC Specific to Company/Entity - Approver A

FI (Business Process) - XXXXXXXXXXXXXX (Composite role) - DEF Specific to Company/Entity - Approver B

The approver agent rule is based on Business Process, Functional Area and Company in the access request.

 

 

Execute.

Go to BRF+, select the application and click on the Activate button.

Now close BRF+.

Go back to the Generate MSMP Rule for Process screen and re-execute the same.

Now open transaction BRF+.

Select the application, right-click on it and select COPY.

Click on COPY.

Now application ZAPPROVER_BP_FA101232 is available for us to use; it is in inactive status.


 

Now create a decision table from the application by right-clicking on the application.

Click on Create and Navigate to Object.

Now select the Result data object as GRFN_MW_T_AGENT_ID,

where T indicates a table type.

Now go to Condition Columns and select from context data objects via Insert Columns.

 

 

Select Functional Area, Business Process and Company.

Click on OK.

Click on Insert Row to provide values for the table contents.

Select Direct Input value for Functional Area.

 

 

Select the value from F4 (it shows the values which are maintained in SPRO):

SPRO>GRC>Access Controls>Role Management>Maintain Functional Areas

The functional area can be anything; it is just used to identify the role in BRF+.

We can define the companies in SPRO:

SPRO>GRC>Access Controls>Role Management>Define Companies

Now the maintained functional areas will appear in BRF+ to provide direct value input for the functional area.

 

 

Select the functional area, relevant business process and company, with the required approver in the USER ID field.

Now check, save and activate the decision table.

Now go to the Function and select the decision table as the Top Expression.

Now check, save and activate the Function.

The function's Rule ID is used in MSMP as the agent rule for approval:

  Rule ID: 40A8F0333BE91ED58F82621E018D40D7

Now approval will be triggered based on the selection of Business Process, Functional Area and Company (under User Details) in the access request.
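The decision table built above, as an added example that is not part of the original post and not BRF+ content: a toy model of the agent determination so the lookup logic can be read and tested outside the system. The condition columns are Functional Area, Business Process and Company, and the result column is a list of approver user IDs, which is what the table type GRFN_MW_T_AGENT_ID carries. The row values, the `ANY` wildcard for an empty condition cell, and the `shadowed_rows` pre-activation check are my constructions; the "first match versus all matches" behaviour mirrors the decision-table setting BRF+ offers for that choice.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"  # stands for a condition cell left empty in BRF+, which matches any value


@dataclass(frozen=True)
class DecisionRow:
    functional_area: str
    business_process: str
    company: str
    approvers: Tuple[str, ...]  # result column: user IDs, as GRFN_MW_T_AGENT_ID is a table


@dataclass(frozen=True)
class RequestContext:
    """The three context data objects read from the access request."""
    functional_area: str
    business_process: str
    company: str


# Constructed decision table following the two sample lines in the post
# (Approver A for company ABC, Approver B for company DEF); the HR row is added.
DECISION_TABLE: List[DecisionRow] = [
    DecisionRow("FA_FIN", "FI", "ABC", ("APPROVER_A",)),
    DecisionRow("FA_FIN", "FI", "DEF", ("APPROVER_B",)),
    DecisionRow("FA_HR", "HR", ANY, ("APPROVER_C", "APPROVER_D")),
]


def _cells(row: DecisionRow) -> Tuple[str, str, str]:
    return (row.functional_area, row.business_process, row.company)


def _row_matches(row: DecisionRow, ctx: RequestContext) -> bool:
    return all(cell == ANY or cell == value
               for cell, value in zip(_cells(row), _cells(ctx)))  # type: ignore[arg-type]


def determine_agents(ctx: RequestContext, table: List[DecisionRow] = DECISION_TABLE,
                     return_all_matches: bool = False) -> List[str]:
    """Evaluate the table top-down.  By default the first matching row wins;
    return_all_matches collects the result of every matching row instead."""
    agents: List[str] = []
    for row in table:
        if _row_matches(row, ctx):
            agents.extend(row.approvers)
            if not return_all_matches:
                break
    return list(dict.fromkeys(agents))  # dedupe while keeping order


def shadowed_rows(table: List[DecisionRow] = DECISION_TABLE) -> List[int]:
    """Indices of rows that can never be reached in first-match mode because an
    earlier row already matches every context they match.  A pre-activation check."""
    shadowed: List[int] = []
    for i, row in enumerate(table):
        for earlier in table[:i]:
            if all(e == ANY or e == c for e, c in zip(_cells(earlier), _cells(row))):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    print(determine_agents(RequestContext("FA_FIN", "FI", "ABC")))  # ['APPROVER_A']
    print(determine_agents(RequestContext("FA_FIN", "MM", "ABC")))  # [] -> no approver found
    print(shadowed_rows())                                          # []
```

An empty result is the case the first post on this page runs into ("No Approver Found"): a context with no matching row yields no agent, so either the table must cover it or a fallback receiver must be maintained.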


 

Hope this is useful if anyone has same/Similar kind of requirement.

 

 

Regards

Baithi

Dear all,

 

This document gives an overview of creating a risk in Risk Management, with the basics.

Hope it is helpful for others.

The prerequisites to create a risk: we need to create the required organization units and relevant risk categories.

The organization units and risk categories are created in the Master Data work center.

 

 

A risk can be created in the Assessment work center.

Click on Risks and Opportunities.

 

 

 

 

Click on Create to select the type of risk.

Here we can create different types of risks (Operational/Corporate) and Opportunities.

We need to provide the risk name, select the organization unit and risk category, and select the drivers and impacts for the risk.

To select the risk category from the list, we need to create the required risk categories in the Master Data work center under Risks and Responses, in the Risk Catalog.

 

 

In the Master Data work center we can create a Risk Category and a Risk Template; after creation they are reflected under the classification hierarchy node, and Risk Templates are created under a risk category.

After providing the required values, we need to set Allow Assignment to YES; only then can we select the risk category while creating a risk.

Now select the risk category for the risk.

 

 

Now select and add the Impacts and Drivers.

Drivers are events that could cause the risk to occur.

Impacts are the consequences if the risk event were to occur.

We need to define Impacts and Drivers in SPRO: SPRO>GRC>Shared Master Data Settings

 

 

 

 

Select Impacts and click on ADD.

It will show the category and description which we maintained in SPRO.

Repeat the same for Drivers.

We can assign multiple drivers and impacts to a Risk.

 

Now go to the Roles tab in the Risk.

Initially the Roles tab does not show anything in the Role column to assign the owners.

To assign a role owner for the risk in the Roles tab, we need to maintain the role assignment for the entity in SPRO:

SPRO>GRC>General Settings>Authorizations>Maintain entity role assignment

 

 

 

Click on Maintain entity role assignment and select the required entity with the role.

Now these role assignments will appear under the Roles tab of the Risk.

Now select the role and click on the Assign button to assign owners (we can assign a single owner or multiple owners).

Now we can submit the risk.

Once we click on the Submit button, the Risk status changes to Active.

 

 

 

Regards

Baithi

Workflow configuration

 

1. Perform Automatic Workflow Customization

SPRO->Governance, Risk and Compliance->General Settings->Workflow->Perform Automatic Workflow Customization

Select the node Maintain Runtime Environment and press F9.

2. SPRO->Governance, Risk and Compliance->General Settings->Workflow->Perform Task-Specific Customization

Expand the GRC PC component and make sure you define General/Background task for the entries through the 'Attributes' button. The work item will not be received if the task is not maintained.

The final screen will look like:



3. Activate the Event Linkage

Make sure all the relevant events are activated under the GRC and GRC PC folders.

4. Maintain the Event Queue

This is an optional setting, but it is recommended to maintain it so that the workflow runs smoothly.

SPRO->Governance, Risk and Compliance->General Settings->Workflow-> Maintain the event queue settings

Select 'Switch on Event Queue' and click on Event Linkage.

 

Verify that the events below have 'Enable event linkage' selected. If any of the events has to be enabled, go to the Details button and enable it.

5. SPRO->Governance,Risk and Compliance->General Settings->Workflow->Maintain the event queue settings-> Click on the Background job tab->Click on Schedule background job-> make sure the job is in Released status.

6. Enable event trace. This is an optional setting, but it is highly recommended to activate it.

Go to Transaction SWELS

Select Switch on

 

 

 

Workflow Troubleshoot tips:

 

1. Check the Planner log

Transaction SLG1

Object: GRPC

Subobject: PLANNER, and enter the planner ID in the External ID field along with the timeframe.

The message associated with the log can give more information.

 

2. Event Trace

From the Event Trace, you can determine whether the workflow was triggered successfully or not.

Transaction: SWEL

Input the Case ID into the Creator Object Instance field (get the case ID from the Planner log).

 

This will help to verify the receipt of the work item

 

3. In addition to these, make sure the relevant agent determination is in place

SPRO->Governance, Risk and compliance->General Settings->Workflow->Maintain Custom-Agent Determination Rules

 

4. Based on the Agent determination rules, check role assignment

 

5. Maintain the fallback receiver using

SPRO->Governance, Risk and Compliance->General Settings->Workflow->Maintain Fallback Receiver

If this is maintained, the workflow will get notified to the fallback user, making someone aware of these tasks

 

6. If there is no recipient for the task and the fallback receiver is not set up, the user can go to transaction SWPR.

Based on the data, fix the role assignment.

Purpose


The core functionality in SAP GRC is Risk and Impact Analysis, which helps organizations achieve their motto "GET CLEAN and STAY CLEAN". During one of the implementations I am working on, we noticed a lot of issues/bugs with the risk analysis functionality, and based on our findings we decided to write a blog that can be useful for others, covering the scenarios below to consider during implementation.

 

Mitigation Policy Configuration - To restrict approvers from approving requests with Unmitigated Risks


First enable configuration parameter 1072 - Mitigation of critical risk required before approving the request - with the value YES. This is applicable for both Critical Action and Critical Permission risks.

A Mitigation Policy can be configured using BRF+ to force the approvers to mitigate the risks before approving an access request. Under Application Mapping, there is the Application ID 'Request Mitigation Policy'. The BRF+ function for this App ID is maintained by default. The BRF+ rule is created to identify which risk requires mitigation and which does not. If there is no BRF+ rule created for the Mitigation Policy, then please remove the entry from the IMG.

Once this entry is deleted, execute the scenario again. Now the approver cannot approve the request if the risks are not mitigated. This is the purpose of un-checking the task setting 'Approve Despite Risks': risks that are not mitigated do not get approved.

Note: If maintaining the BRF+ rules, it is necessary to maintain the entry in SPRO.

If you want to make use of the BRF+ mitigation policy with a corresponding decision table, it works as below:


 

 

 

 

Reference SAP Notes

 

1614290 - Risk Analysis Mandatory for Access Request


Locked and Expired Users


When a user account is locked or expired and the same user tries to create an access request, Risk Analysis/Impact Analysis will not return any results; this is as per design.

We identified a few issues where users already had some roles assigned to their user accounts and then raised new requests with roles that conflict with the existing roles, or where the roles requested in the request itself have violations, but since the users were LOCKED or EXPIRED the risk analysis did not return any violations.

We identified during our weekly risk analysis report that a few users have SOD conflicts with the roles assigned to them, and upon investigation this was the issue with LOCKED or EXPIRED users.

We enabled the configuration below to fix our issue.




One User Request Per System


Risk analysis functionality has one limitation in access requests but SAP addressed it with One User Request Per System functionality.


Eg: Approve Purchase Request(PR) and Release Blocked Invoices


Now we have defined a rule in the system that "Approve Purchase Request and Release Blocked Invoices" as a HIGH SOD risk violation. But a smart user can raise two GRC access requests as below:


Request 1 - With Approve Purchase Request Role - Individually this request is clean and has "No Risk Violations"

Request 2 - Release Invoices Role - Individually this request is clean and has "No Risk Violations"


But once both requests are approved, the user will have access to roles which together constitute a HIGH risk violation. This issue can be addressed in different ways:


1. Role Owners should take responsibility when approving the roles to verify whether the user really requires access to that role, but system-wise nothing will stop them from approving these requests.

2. Making risk analysis MANDATORY before approving the request at the last stage of approval. If one request is approved first and the user gets role 1, then request 2 at least shows the violations when risk analysis is run again before approval. But if both requests are approved at the same time, this option will still not stop the user from getting access to the conflicting roles.


To address this issue, SAP has given an option in the configuration which allows the users to raise ONE USER REQUEST PER SYSTEM at a given time. So, the users cannot raise a second request when there is a pending request for the same system which will help to address the issue mentioned above.
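The two gaps described in this blog so far (risk analysis returning nothing for locked or expired users, and a HIGH risk split across two individually clean requests) can be illustrated with a small check that analyses the union of a user's existing roles and all of their pending requests for the same system. This is an added example, not SAP or GRC code; the rule set, role names and user are constructed, and the `one_request_per_system` guard only models what the EUP option does.

```python
"""Added example, not SAP code: a risk-analysis check that (a) still analyses
locked or expired users instead of returning nothing, and (b) includes roles
from the user's other PENDING requests for the same system, so the
split-request trick is caught. Rules, roles and users are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

@dataclass
class User:
    user_id: str
    roles: Set[str]                  # roles already assigned in the target system
    locked: bool = False
    valid_to: Optional[date] = None  # account validity end; None = unlimited

@dataclass
class AccessRequest:
    request_id: str
    user_id: str
    system: str
    roles: Set[str]
    status: str = "PENDING"

# Constructed SOD rule set: (risk id, risk level, roles that conflict together).
SOD_RULES = [
    ("P001", "HIGH", frozenset({"Z_APPROVE_PR", "Z_RELEASE_BLOCKED_INVOICE"})),
    ("F002", "MEDIUM", frozenset({"Z_CREATE_VENDOR", "Z_PAY_VENDOR"})),
]

def find_violations(roles, rules=SOD_RULES):
    """Rules whose complete conflicting role set is contained in `roles`."""
    roles = set(roles)
    return [(rid, level) for rid, level, conflict in rules if conflict <= roles]

def other_pending(req, pending):
    """Other PENDING requests of the same user for the same system."""
    return [o for o in pending
            if o.request_id != req.request_id and o.user_id == req.user_id
            and o.system == req.system and o.status == "PENDING"]

def analyse_request(req, user, pending, today=None, include_pending=True):
    """Risk analysis for one request. Returns (violations, notes)."""
    today = today or date.today()
    notes = []
    # A locked or expired account is analysed like any other: the roles are
    # still provisioned once the request is approved, so skipping the analysis
    # only hides the conflict (the weekly SOD report found exactly that).
    if user.locked or (user.valid_to is not None and user.valid_to < today):
        notes.append("%s is locked/expired; analysed anyway" % user.user_id)
    effective = set(user.roles) | set(req.roles)
    if include_pending:
        for o in other_pending(req, pending):
            effective |= set(o.roles)
            notes.append("included roles from pending request %s" % o.request_id)
    return find_violations(effective), notes

def one_request_per_system(req, pending):
    """Guard equivalent to the EUP option: a new request is refused while
    another PENDING request exists for the same user and system."""
    return not other_pending(req, pending)
```

Run individually (`include_pending=False`), request 1 for `Z_APPROVE_PR` is clean even though the user is locked; with the pending request 2 included, the P001 HIGH risk appears, and the guard refuses request 2 while request 1 is still pending.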


Since most GRC customers these days have business roles, we identified that this configuration has issues with the way it works for business roles. We were able to get it fixed by SAP and enabled the below configuration in our system, which has helped to address the kind of issues discussed above.


In the EUP configuration you can enable the option below. One User Request per System is part of the end-user personalization customizing, so it is mainly based on the screen elements of the request.



Also implement below note to fix One User per Request per System EUP configuration issue with Business Roles.


2168444 UAM: One request per system not working correctly with business role and for IDM


Simulation Button in ARQ Request/Approval Screen


There is a button called SIMULATION in the access request creation/approval screen. Risk analysis in ARQ performs both Risk Analysis and Impact Analysis for the user, and the SIMULATION button offers the same option.



We have noticed a few issues in the way the SIMULATION button works: using this button, an approver or risk reviewer can wipe out the risk violations in an access request even though the roles selected in the request have violations.


Steps to Replicate the Issue with the SIMULATION button:

1. Create an access request which has RISK VIOLATIONS.

2. At approval stage you can see the risk violations under RISK VIOLATIONS tab

3. Now change the approval status for the role causing violations to REJECT and then click on SIMULATION button and run risk analysis and click on APPLY button in Simulation screen.

4. Now all violations are removed from the request. Change the role approval status back to APPROVE, click on the SIMULATION button and, without running risk analysis, click on APPLY in the SIMULATION screen.

5. System doesn't prompt to run risk analysis and violations are wiped out


We haven't reported this issue to SAP, but since access to this button can be controlled using the risk analysis authorization objects, we have removed this button from our Users and Approvers on the Request Submission and Request Approval screens.


In order to hide the SIMULATION button from the Access Request creation screen, remove the following permission from the role:

 

Authorization Object: GRAC_RA

ACTVT:  70 (Administer)


Risk Analysis behavior during business role removal


We have identified a different risk analysis behavior during business role removal.


Below is the sequence of events:


  1. A user has already been assigned a Business role. This business role contains a composite role which actually caused Critical Action risk violations for the user.
  2. To remediate this, the requester raised an access request for Business role removal, so that the role causing the violation also gets removed as part of the removal.
  3. Since the role creating the violations is being removed via business role removal, ideally the risk analysis shouldn't show any violations in the request. But the request still shows risk violations for the same role which is being removed from the user.
  4. To validate the behavior, we created another request for removing the composite role creating the violations directly rather than through the business role, and now the request shows NO VIOLATIONS.


With the above steps we confirmed that the risk analysis behavior during business role removal is incorrect. We have raised this with SAP and are working with SAP to get it fixed.


Please implement the fix 2213465 - AC 10.X ARA: Risk Analysis for Business Role Removal


Risk Violations bypassed at Approver Stage

We have set up the configuration in such a way that no unmitigated access can be provisioned to a user in our production system.

All seemed to be working fine; however, we found one scenario where approvers managed to bypass the risk violations and approve requests despite violations in the request.

This is a product bug: if you close the browser, it doesn't save the approval status change, but it does save the risk analysis result based on that approval status. SAP has acknowledged this issue as a bug and is providing the fix. I will update this blog with the fix details once we get it.
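Both the SIMULATION/APPLY sequence described earlier and the closed-browser case above have the same root cause: a risk analysis result produced for one set of approved line items is later used to approve a different set. As an added example (not SAP code), the following binds the stored result to a fingerprint of the roles currently set to APPROVE and refuses to approve on a stale result. The rule set, request and the `approve_despite_risks` flag (modelling the 'Approve Despite Risks' task setting) are constructed.

```python
"""Added example, not SAP code: bind a stored risk-analysis result to the exact
set of line items that would be provisioned. A result obtained under a different
approval status (Simulation/Apply, or a status change that was never saved after
the browser was closed) is rejected at approval time."""
import hashlib
import json

class RiskResultStale(Exception):
    """The stored risk result does not match the current approval status."""

def provisioning_fingerprint(line_items):
    """Order-independent hash of the roles whose line-item status is APPROVE."""
    approved = sorted(role for role, status in line_items.items() if status == "APPROVE")
    return hashlib.sha256(json.dumps(approved).encode()).hexdigest()

def demo_analyser(roles):
    """Constructed stand-in for the risk analysis: one HIGH SOD rule."""
    conflict = {"Z_APPROVE_PR", "Z_RELEASE_BLOCKED_INVOICE"}
    return ["P001"] if conflict <= set(roles) else []

class ApprovalRequest:
    def __init__(self, request_id, line_items, analyser=demo_analyser):
        self.request_id = request_id
        self.line_items = dict(line_items)   # role -> "APPROVE" | "REJECT"
        self._analyser = analyser
        self.risk_result = None              # (fingerprint, violations) or None
        self.mitigated = set()               # risk ids with an accepted mitigation

    def set_status(self, role, status):
        """Change a line item. The stored result keeps its old fingerprint and
        therefore stops matching; nothing needs to remember to invalidate it."""
        if status not in ("APPROVE", "REJECT"):
            raise ValueError(status)
        self.line_items[role] = status

    def run_risk_analysis(self):
        """Analyse exactly the roles that are currently set to APPROVE."""
        roles = {r for r, s in self.line_items.items() if s == "APPROVE"}
        self.risk_result = (provisioning_fingerprint(self.line_items),
                            self._analyser(roles))
        return self.risk_result[1]

    def approve(self, approve_despite_risks=False):
        """Return (approved, unmitigated_risks). Refuses to use a stale result."""
        current = provisioning_fingerprint(self.line_items)
        if self.risk_result is None or self.risk_result[0] != current:
            raise RiskResultStale("re-run risk analysis for the current approval status")
        unmitigated = [v for v in self.risk_result[1] if v not in self.mitigated]
        if unmitigated and not approve_despite_risks:
            return False, unmitigated
        return True, unmitigated
```

Replaying the five replication steps: rejecting the conflicting role and re-running gives an empty result, but flipping the role back to APPROVE without re-running makes `approve()` raise instead of silently accepting the emptied result.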


SOD violations are removed after re-running the risk analysis

<To be Updated>


Risk violations are not shown due to the roles not being generated

<To be Updated>



BRM Impact Analysis - Behavior

The BRM role change process involves Risk Analysis and Impact Analysis:


1. Risk Analysis - To make sure that the role being created/modified doesn't have any SOD violations.

2. Impact Analysis - To make sure that the role being created/modified doesn't create any SOD violations for the users already assigned to it or the Composite/Business roles using it.


Issue:

The BRM User Impact Analysis report shows user-level violations even though the user's assignment of the role has already expired.


Eg: User A has ROLE B. In BRM I am modifying role B, and the changes being made will create SOD violations for user A in combination with the other roles assigned to user A. The Impact Analysis report should then show those violations, which is the intended behavior.


But the assignment of Role B to user A has already expired. Even then, Impact Analysis shows that the user will get violations with the role whose assignment has already expired.


In general, Risk/Impact Analysis doesn't consider the validity dates of role assignments, but if the Impact Analysis report lists expired roles for the user, those entries are FALSE POSITIVES.


I am raising this issue with SAP to understand the behavior from them as well, and will update the blog with the details given by SAP.


BRM Role Change and ARQ Request at the same time

This issue is one of the product limitations, so I wanted to understand from other consultants as well how they are handling this scenario.


1. The Role Management Team is modifying a role using BRM in Development. As part of the BRM process the role changes are made and Risk/Impact Analysis is done.


2. Risk Analysis is done against the contents of the role in BRM, and Impact Analysis is done for users assigned to this role and for roles (Composite or Business) using this role. Assume Risk/Impact Analysis shows no violations.


3. Now assume there is a pending Access Request for the same role being modified through BRM, and the user in that access request will get SOD violations because of the BRM role change. Since the request is not yet completed and the role is not yet assigned, the user will not be shown in the Impact Analysis report.


4. After the Risk/Impact Analysis phase in BRM there is a certain time gap to finish the approval and transport process. If the pending access requests for that role are approved during this time, the users will get the role, and they will only appear in the Risk Analysis report after the modified role is transported.


So, there is a chance for risk violations to pass through because of a BRM role change and pending ARQ requests for the same role during that time.
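The two BRM observations above (expired assignments producing false positives in Impact Analysis, and users with a pending ARQ request for the changed role being invisible to it) are illustrated in the following added example, which is not SAP or BRM code. It runs an action-level impact analysis over constructed roles, assignments and pending requests; the rule set, role and action names, user ids and dates are all constructed.

```python
"""Added example, not SAP code: a user impact analysis for a BRM role change
that (a) skips assignments whose validity has already ended, so expired roles
cannot produce false positives, and (b) also evaluates users with a PENDING
access request for the changed role, so the request that would otherwise slip
through between BRM analysis and transport is visible."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

@dataclass
class Assignment:
    user_id: str
    role: str
    valid_to: Optional[date] = None   # None = unlimited validity

@dataclass
class PendingRequest:
    request_id: str
    user_id: str
    roles: Set[str]

# Constructed action-level SOD rules: risk id -> actions that conflict together.
SOD_RULES = {"P001": frozenset({"APPROVE_PR", "RELEASE_BLOCKED_INVOICE"})}

def violations_for(actions, rules=SOD_RULES):
    return sorted(rid for rid, conflict in rules.items() if conflict <= set(actions))

def impact_analysis(changed_role, new_actions, role_actions, assignments, pending, today):
    """Return {user_id: [risk ids]} for every user who would hold an SOD
    violation once `changed_role` contains `new_actions`.

    role_actions : current role -> set of actions (the changed role is overridden)
    assignments  : user-role assignments with validity end dates
    pending      : ARQ requests not yet provisioned
    """
    effective = dict(role_actions)
    effective[changed_role] = set(new_actions)

    def live(a):  # an assignment counts only while it is still valid
        return a.valid_to is None or a.valid_to >= today

    holders = {a.user_id for a in assignments if a.role == changed_role and live(a)}
    requesters = {p.user_id for p in pending if changed_role in p.roles}

    result: Dict[str, List[str]] = {}
    for user in sorted(holders | requesters):
        roles = {a.role for a in assignments if a.user_id == user and live(a)}
        roles |= {r for p in pending if p.user_id == user for r in p.roles}
        actions = set()
        for r in roles:
            actions |= effective.get(r, set())
        found = violations_for(actions)
        if found:
            result[user] = found
    return result
```

In the constructed data, USER_A holds the changed role only through an expired assignment and is not reported, USER_C holds it live and is reported, and USER_B is reported only because the pending request is taken into account; drop the pending list and USER_B disappears, which is the gap the steps above describe.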


Can the members of the community share their views on this scenario and how they are handling it, as this is a product limitation?


Looking forward to all your inputs in improving this blog with further details.

 

Thanks for reading.

 

Best Regards,

Madhu Babu Sai




For the tips described below, I used a Process Control testing case.


 

 

A Control Test of Effectiveness was planned in my fresh GRC sandbox.

 

 

Note: These tips can be used in most of the activities in GRC which use Extended Workflows.

 

 

System details:

 

GRCFND_A V1100 Support Package 06

 

GRCPINW V1100_731 Support Package 06

 

 

 

The objective is to check all the possible errors during the creation of a Control Test of Effectiveness. I am planning the task and correcting the issues as they come.

 

 

First step is to create the central structure in NWBC -> Business Processes.

 

Central structure.PNG

 

After the central structure is created, the following must also be created:

 

  • Organization
  • Local Subprocess
  • Local Control

 

 

As soon as I had created the objects, I tried to open the local control and received an ASSERT_CONDITION VIOLATED.

 

 

Illegal case type – Case customizing was not configured in the system

 

 

Checking in table SCMGCASETYPE, the case types are not in the system.

 

 

This check is performed in Class and Method below:

 

Class: CL_SCMG_CASE_TYPE_CUST
Method: GET_INSTANCE

 

 

This happened because I had not configured Case Management from client 000 into the copied client.

 

 

So, after a client copy is performed, it is mandatory to perform the Case Customizing.

 

 

To execute this task, the following KBA can be followed:

 

 

  • 2107509 - Transfer client-specific Customizing

 

 

How case customizing should look:

 

Case Customizing.PNG

 

 

Now, we can create and display organization and local objects:

 

 

Hierarchy.PNG

 

 

Control tester is assigned:

 

 

first control.PNG

 

 

It is very important to compare the HR role assignments in table HRP1852 with SPRO -> 'Maintain Regulation Role Assignment':

 

 

I am working with SAP standard roles, however if customized roles are used, these configurations can lead to confusion.

 

 

As shown above, I have assigned my user CONTROL_OWN as the control tester.

 

 

SAP_GRC_SPC_SOX_PRC_TESTER is assigned to SOX regulation.

 

 

ROLE ASSIGNMENT.PNG

 

 

Checking this role in HRP1852, I can see my users there:

 

 

hrp1852.PNG

 

 

CONTROL_OWN has 2 entries as it is assigned to 2 different objects.

 

 

With authorizations set, it is time to schedule the plan.

 

 

Creating Plan in Planner Screen

 

 

First Step: Plan Activity: Test Control Effectiveness


 

Planner.PNG

Second Step: Choosing Regulation:


 

Note that there is no Regulation shown in the Drop Down list

 

regulation.PNG

 

Checks to rule out a configuration issue:

 

 

  • Is Regulation created?

 

 

If not created, it must be added

 

regulation 4.PNG

 

 

'Relate Regulation to Plan Usage' in SPRO must be configured. Test Control Effectiveness is configured for both regulations:

 

 

If not created, it must be added

 

 

regulation 2.PNG

 

 

Check whether ‘Need Regulation’ is selected in Plan activity for Process Control

 

 

If not created, it must be added

 

 

regulation 3.PNG

 


If all these steps were followed, then the following SAP note must be implemented:

 

 

  • 2072420 - Regulation is missing while creating test control effectiveness in the Planner



Note After processing with these steps, the regulation is there:

 

SOX.PNG


Third Step:


The organization for which the plan will be triggered needs to be selected.


Organizations available.PNG



Fourth Step:


The local object will appear for selection, unless you have already scheduled a plan for the same organization in the same time frame.


Control details.PNG


Fifth Step:


Checking recipients:


recipients.PNG

If the recipients column is empty, the work items will be addressed to the fallback receiver.

 

 

The fallback receiver will start to receive the notifications for three reasons:

  1. If the user is not assigned to a role in HRP1852
  2. If the role is not mapped in SPRO -> Maintain Regulation Role Assignment (when using role regulation specific)
  3. If the user does not exist anymore in the system

 

 

If you have users assigned in HRP1852 and not in Maintain Regulation Role assignment, it means that you are working with Cross Regulation roles.
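The three fallback conditions listed above, plus the cross-regulation case, can be written down as a small agent resolver. This is an added example and not GRC's own agent determination logic: HRP1852 is modelled as rows of (object id, role, user), 'Maintain Regulation Role Assignment' as a mapping of regulation to role set, and the user master as a set of existing user ids. The fallback receiver id `WF_FALLBACK` and the object ids are constructed; the role `SAP_GRC_SPC_SOX_PRC_TESTER` and user `CONTROL_OWN` are the ones used in this blog. A role that is mapped to no regulation at all is treated as cross-regulation (an assumption based on the sentence above), while a role mapped to a different regulation than the one requested goes to the fallback.

```python
"""Added example, not SAP code: resolve the workflow agents for a Process
Control work item and fall back to the fallback receiver for the three reasons
the blog lists (no HRP1852 assignment, role not mapped to the regulation,
user no longer exists). All tables below are constructed."""
from typing import Dict, List, Set, Tuple

FALLBACK = "WF_FALLBACK"   # constructed id of the fallback receiver

def resolve_agents(object_id, role, regulation, hrp1852, regulation_roles,
                   existing_users, fallback=FALLBACK):
    """Return (agents, reason). `agents` is [fallback] when no dialog user can
    be determined; `reason` names which check failed ("ok" on success)."""
    # Check 2: a regulation-specific role must be mapped to this regulation.
    # A role mapped to no regulation at all is a cross-regulation role and
    # is resolved from HRP1852 alone (assumption, see lead-in).
    mapped_somewhere = any(role in roles for roles in regulation_roles.values())
    if mapped_somewhere and role not in regulation_roles.get(regulation, set()):
        return [fallback], "role %s not mapped to regulation %s" % (role, regulation)
    # Check 1: somebody must hold the role on this object in HRP1852.
    users = [u for (obj, r, u) in hrp1852 if obj == object_id and r == role]
    if not users:
        return [fallback], "no user assigned to %s on %s in HRP1852" % (role, object_id)
    # Check 3: the assigned users must still exist in the user master.
    live = [u for u in users if u in existing_users]
    if not live:
        return [fallback], "assigned users %s no longer exist" % users
    return live, "ok"

# Constructed sample data mirroring the blog's setup: CONTROL_OWN is the
# SOX tester on two controls, a deleted user is still assigned on a third.
HRP1852 = [
    ("CTRL_001", "SAP_GRC_SPC_SOX_PRC_TESTER", "CONTROL_OWN"),
    ("CTRL_002", "SAP_GRC_SPC_SOX_PRC_TESTER", "CONTROL_OWN"),
    ("CTRL_003", "SAP_GRC_SPC_SOX_PRC_TESTER", "OLD_USER"),
    ("CTRL_001", "Z_CROSS_REG_TESTER", "CONTROL_OWN"),
]
REGULATION_ROLES = {"SOX": {"SAP_GRC_SPC_SOX_PRC_TESTER"}}
EXISTING_USERS = {"CONTROL_OWN"}

def check_work_item(object_id, role, regulation):
    """Convenience wrapper over the constructed tables."""
    return resolve_agents(object_id, role, regulation, HRP1852,
                          REGULATION_ROLES, EXISTING_USERS)
```

Before assigning a tester, running each control through a check like this shows which of the three conditions would divert its work items to the fallback receiver, which is quicker than discovering it in the fallback user's inbox after plan activation.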

 

 

There is one issue, which was introduced in Support Package 18 of GRC 10.0.

 


All the work items are forwarded to the fallback receiver when the customer is using cross regulation roles.

 


This issue is corrected by the following SAP note:

 

  • 2154060 - CCM Owners not receiving Issues created by Automated Monitor



Plan Activation and Completion:



If you want to debug the activate Plan button, set a breakpoint in the following Webdynpro Component, View and Handler:


 

Webdynpro Component: GRFN_PLANNER_GAF
View: GAF_IDENT
Event Handler: ONACTIONACTIVATE



After job activation, the planner monitor shows the job status as "With Exceptions":


with exceptions.PNG


This is because the workflow was not triggered.



If you check, no workflow items were created in transaction SWIA for the time frame the plan was activated:


swia.PNG



Configuring workflows according to SAP note 1621649:

 

  • Automatic workflow customizing
  • Perform Task-Specific Customizing

 

In my system, the task specific customizing was not configured. After configuring it:

 

Assign agents.PNG

 

Event Linkage also needs to be performed:

 

Linkage.PNG

 

The following objects must have the event linkage as well as the event queue:

 

  • CL_GRPC_WF_ASSESSMENT
  • CL_GRPC_WF_TESTING
  • GRPC_CASED
  • GRPC_CASES

 

 

If the event queue is activated, the event queue job must be enabled to handle situations where a large number of events are triggered at the same time.

 

event queue.PNG

 

 

One good tip is to enable the workflow trace through transaction SWELS

 

 

even trace.PNG


The workflow trace can be seen through transaction SWEL.



Triggering the workflow again:




The logs can be seen because SWELS is activated:

 

logs.PNG

 

In transaction SWIA, all the workflow steps and workflow logs are available:

 

Workflow started.PNG

 

  • Workflow started – Plan was activated and workflow created
  • Workflow completed – background job GRFN_BP_SCHEDULER is completed
  • Sub Workflow handler started – WS75900005
  • READY – A task of the sub workflow that requires a dialog user to perform an activity



If you press shift + F8 on this screen, you can see workflow logs that present the historical path of the plan. In the workflow log, you can see the agents that are waiting for the work item:

 

agents.PNG

 

Clicking on the agents button, you can see:

 

SOX control owner.PNG

 

The symbol next to the user's name means that the work item is going to that user's inbox.



 

By pressing Shift + F9, you can access the workflow list with technical details

 

 

Workflow log.PNG

 

 

Checking agent's work inbox:


 

 

When logging with the agent and accessing his/her work inbox, the work item is there waiting for actions:

 

 

test of.PNG


The case is available also in table GRPCCASETL



The case reached user's inbox as the Agent is correctly assigned in SPRO -> Governance, Risk and Compliance -> General Settings -> Workflow -> Maintain Custom Agent Determination Rules:


SOX tester.PNG


If you pass the evaluation, you can check the table mentioned above (GRPCCASETL) to see the details.



grpccasetl.PNG

 

 

 

To be continued ...


 

CLICK HERE for the Part II***



