With the go-live of our Governance, Risk, and Compliance (GRC) version 10 Access Control finally past us (hallelujah!), I have been thinking about the learnings from my previous GRC 10 projects as well as from this one. Last year at SAP TechEd, I hosted an Expert Networking session, discussed in "The rest of the story: what else I learned at #SAPTechEd", where the most common response to my question about GRC 10 was that customers were still thinking about it. Maybe you, too, are still thinking about it, working on a roadmap, or planning your project. Even if your project is already underway, here are some readiness questions to consider.

What are the pain points of your current GRC related processes?

 

Be sure to get input from your key users. Pain points could include these:

  • Too many manual hand-offs in the access request process
  • User access reviews that are tedious because of manual processes, and not particularly value-adding besides
  • User interfaces for access requests that confuse requesters and approvers
  • Confusing or inconsistent role names that make it difficult to know which role to request
  • Roles not well aligned with either tasks or jobs, leading to a need for a big security change, such as a complete security rewrite or implementation of Business Roles
  • Manual security team processes, such as maintaining organizational segregation with manual reviews and hit-or-miss efforts to manage critical and sensitive authorizations
  • Confusing or inadequate information in firefighter logs, so they are not reviewed in a timely manner

 

What is your long range plan?

 

If yours will be a brand-new GRC implementation, do you have a company policy for Segregation of Duties and critical access rules that can be the basis of your new GRC rule sets? Are you planning to start with the rules out of the box, or will you take the time to customize them? If you are on GRC 5.3 (or an earlier release), have you been maintaining your rule set all along with the updates from SAP and your custom transactions? A “lift and shift” of your current rules can be fine if they have been maintained; otherwise, it is like bringing dirty, threadbare rugs from your old house into your brand-new one. The sooner you get them cleaned up, the better.

 

Have you thought about your long-term roadmap and identified which components you plan to implement? Some customers start out by implementing just Access Risk Analysis, to get the system up and running, and then take on Access Requests and more later. With all the master data shared between Access Control and Process Control, decisions you make early on could come back to haunt you down the road. If you are planning to use your current GRC system as the model for the new one, has all the master data been maintained, or are there obsolete mitigation monitors who have left the organization, mitigations configured for risks that do not exist, and other bad data that will not work in the new, better-integrated system? It can be a real challenge if you have no “golden” client to use to validate the configuration of the new one.

 

Do you have the right resources for your project and enough of them?

 

Colleen Lee wrote an excellent blog about all the friends who helped her on her own GRC projects.

Depending on which components you plan to implement and the architecture, the resources needed for your project could include some who may not have come to mind. Of course you will need security, GRC, and Basis expertise, but you may also need LDAP expertise if your user master data resides there, or HR expertise if you plan to use your SAP HR system as the user data source and/or implement HR triggers. But are all your users, including contractors, even in SAP HR? Are you sure? If you plan to use your LDAP, has it been properly maintained, or does it need clean-up before you can rely on the data fetched from it? For implementing Access Request Management, workflow expertise, including MSMP and BRF+, is a must, and if an Identity Management system performs your user creation, count those experts in, too. How will the users access your system - Enterprise Portal, NWBC, something else? Whatever you plan to use, be sure to budget for skilled resources on your project team for that, too. If a new rule set is needed, expertise from the business and internal controls will be key.

 

Then there are the ABAP resources. As I mentioned in a comment on Colleen’s blog, on my current project we badly underestimated the demands we would make on ABAP resources, which were needed for implementing the hundreds of corrections into our system. Better to budget for them and not need them than to be wishing you had the funds.

 

And about those hundreds of corrections: someone needs to stay on top of those issues. If the people managing the fixes and corrections are also the project managers, and are also doing system configuration, configuring the workflows, migrating master data from the old GRC system, creating documentation, designing testing and training, and leading the change management effort – well, good luck with that. Yes, two resources can wear 8 or 10 different hats, but your project timeline will need to be adjusted accordingly. If your project management tool tells you that your project’s resources are way over-committed, a six-month project could run on with slipped deadlines and missed go-lives, possibly impacting other projects that those resources were expected to be working on.

 

On top of that, the longer your GRC project drags on, the likelier it is that the systems connected to your GRC will be upgraded. If a connected system goes to a new NetWeaver release, you may have to install new plug-ins and start testing all over again.

 

I hope I have provided some food for thought for anyone considering or planning an implementation of GRC 10. Time spent now in considering these questions will pay off in the long run.

Hi All,

 

We are currently on GRC SP13. I can see that a lot of community members are also working on the same SP. There are a lot of issues in GRC SP13. I am listing the issues here with the relevant SAP Notes to make it easy for anyone who comes across the same issues I did.

 

There are still a lot of issues we are working on, and I will update this blog regularly with our issues and fixes.

 

Access Request (ARQ)


Password Self Service (PSS) - Issues


In Password Self Service (PSS), when the user clicks “Register Security Questions”, they can add questions using either the Admin-defined or the User-defined option.

 

As shown below, “User Defined Questions” has a spelling mistake (“DEFINED” is spelled “DEFINDED”); this can be fixed using SAP Note

1907848 - UAM: Incorrect text for User Defined Questions

1600374 - CUP: Admin and user questions option not configuration

 

EUP Issues


The SAP Notes below were implemented for issues regarding EUP.

 

1897794 - UAM: Request for value not coming from EUP in model user

1842378 - Default roles are getting added though they don’t exist in BE


Role Mapping Issues


The SAP Notes below were implemented for issues regarding role mapping.

 

1900076 - UAM: Role mapping not working based on parameter 2015

2014524 - Common mapped role deleted on removing one of parent

 

Provisioning Settings Issues


The SAP Notes below were implemented for issues regarding provisioning settings.

 

1966404 - UAM: System level provisioning settings not considered correctly

 

Role and Function Approval Workflows


For role and function approvals, the SAP Notes below were implemented to resolve the comments pop-up issue.

 

2044309 - During role and function approval, Comments popup is opening in case of approval and rejection without checking the configuration

1906672 - Removed Function appear in Risk Approval Request

 

Risk Approval Workflow - Issues


In risk approval workflows, the title was not shown in the header when opening the risk for approval, as shown below.

 

Fix the issue using SAP Note 1921318 - Risk Approval Screen - Title is not coming in header

2049421 - Forward with Return for Risk Approval WF issue


Mitigation Control Maintenance Workflow - Issues


In mitigation control workflows, no message is shown to the approver when one approver forwards the request to another approver.

 

Fix the issue using SAP Note 2050047 - MIC Upon Forward no successful message

 

Business Roles - Issues


Before discussing business role issues, please go through the SAP Note below, which explains the pros and cons of business roles:

 

1981001 - Recommendations: Using business role provisioning in access request

 

Business roles are not supported in GRC with the “RETAIN” provisioning action, but in SP13 users are able to submit access requests containing business roles with the “RETAIN” provisioning action.

 

To fix this, implement SAP Note 1982339 - UAM: End user is able to submit request for business role with retain provisioning action


For business roles that share common technical roles, role de-provisioning does not work correctly.

 

To fix this, implement the SAP Notes below:

1930923 - UAM: Business role removal is not working correctly in Access Request

1922082 - UAM: Rejected business roles are getting provisioned

1951749 - UAM: Business role not provisioned correctly in language other than English


Role Import - Issues


Role Import in GRC SP13 does not show all roles in the preview and also does not import all roles in the given role range.


To fix this issue, implement SAP Note 1897975 - Role import does not show roles in the preview


Firefighter Login - Issues


When an FF user logs in with the assigned FF ID, the system throws short dumps.


To fix this issue, implement SAP Note 1800347 - Short Dump on FF Login


Risk Analysis - Access Request - Issues


1938722 - Risk analysis icon incorrect in access request


Default Roles - Access Request - Issues


2056035 - UAM: Role descrip not displayed for default Roles

1842378 - Default roles are getting added though they don’t exist in BE

2061875 - UAM: Role description for default roles not displa


Mitigation Control – Issues

 

Create a mitigation control and assign a risk and an approver/monitor to that control.

Click the Save/Submit button.

The following error appears: "Saving Note Failed"

 

To fix this issue, implement SAP Note 1890058 - "Saving note failed" error comes while saving Mitigation Control


Create a mitigation control and assign a risk and an approver/monitor to that control. The AC reports are not displayed in the "Reports" tab of the mitigation control.

The error message "Action is inconsistent with system" is displayed when you add a new AC report to a mitigation control and save/submit.

 

To fix this issue, implement SAP Note 1902129 - Unable to save Mitigation control after adding AC Report


Mitigation control assignments that have already been deleted still show up in the GRC system.

 

To fix this issue, implement SAP Note 1873361 - Performance issue with GRAC_REPOSITORY_OBJECT_SYNC

 

LDAP Issues


2025895 - UAM: Users not searched from HR/LDAP connectors if real-time search parameter 2050 is YES

1867742 - UAM: Manager information is missing in request submission

 

Access Request - MultiUser Request - Issues

 

1864399 and 1886411 - Incorrect Template - Multiuser Request


User Access Review (UAR) - Issues

UAR requests are being generated for expired or locked users even though they are excluded in the filter criteria. Also, UAR requests contain indirectly assigned roles, such as child roles of composite roles.

 

To fix this issue, implement the SAP Notes below:

 

GRC System

1970118 - UAM: Expired and locked Users and indirect role assignment are also display in UAR request

1988134 - UAM: Dump on executing UAR job for user group and indirect assignments displayed in UAR request

1917837 - UAM : Connector based brf + rule is not working

1997960 - Unable to generate request for UAR/SOD.

2103409 - UAR: UAR approved request shows in work inbox until refresh.

1988128 - UAM: Missing line items with forward and return in UAR

 

Issue

UAR requests still show up in the work inbox after approval until the refresh button is clicked.

2103409 - UAR: UAR approved request shows in work inbox until refresh.

User Defaults - Issues


2020712 - UAM: User group not provisioned after approval


Delegated Approver - Mail Issues


1589130 - GRC AC 10.0 - MSMP Notification Override BADi - En

1915928 - Delegated approver is not visible in instance status

1887512 - Incorrect approver list shown in instance status


Enterprise Portal Integration with GRC - Issues


1889792 - UAM: Portal sync results in time out/ Portal Object



Synchronization Jobs – Issues


We are facing an issue related to the roles assigned to users in the target system. When roles have been removed from users in the backend, they are still visible in the existing assignments overview in the GRC system (even after the sync).

This results in a provisioning error when a "retain role" request is submitted: the plug-in system returns an error saying that the role is invalid (because it is no longer assigned to the user).

Once the roles are removed in the target system, they should no longer appear under the existing assignments in GRC.

If this kind of issue occurs, the sync jobs are not working correctly and need to be fixed.

 

To fix this issue, implement the SAP Notes below:

 

Target (Plug-In) System

 

1970532 - Audit log gives wrong information about role removal, the validity of the role is not getting changed in the backend systems

 

GRC System

 

1934813 - UAM: Incorrect audit log message for role assignment and provisioning error for multiuser request

 

Missing Notification Variables and Notifications Issues - GRC SP13


Notification variables like Request Reason, Comments, Approver First Name, Approver Last Name and Approver Full Name are missing.

 

To enable these variables, implement the SAP Notes below:

 

1971842 - Request reason notification variable is not available in Access Request workflow

1917639 - UAM: Adding Comments and approver name variables in Access Request approval mail

 

Symptoms:

Symptom 1: Validity dates and user ID are not shown in the submission notification for the system entry.

Symptom 2: In the submission notification, some text is available only in English and cannot be translated into any other language.

Symptom 3: The provisioning variable shows roles whose Allow Auto-provisioning value is No and which have not been provisioned to the user.

Symptom 4: Create an access request to assign roles to an existing user in a CUA child system. The closing notification contains an incorrect user-creation message.

Symptom 5: The notification variable %submission% for EAM/FF access approval does not contain system-level information and validity date information, such as "FF_XXX Superuser access added to the request for action assign".

 

To fix these issues, implement the SAP Note below:

 

1907911 - UAM: Incorrect text in submission & provisioning variable

 

Email Notifications - Issues


SAP Note 2018395 - E-mail Notifications cannot use HTML


Unlock Account - Valid To Date Issue


2069094 - For Unlock Action type Valid To Date for user is coming from


Escalation Notifications - Role Owner Stage - Issues


2008881 - Approved request items are also escalated

2000779 - UAM: Escalation on roleowner stage not working

There are multiple issues related to this solution, and in fact SAP has released a knowledge article stating that it is not allowed, citing security reasons (SAP KBA 1622881 - Approve by E-mail and Reject by E-mail functionality), but there are certainly workarounds available.

 

The security issues, mainly, are:

• Validating the correct approver and delegate approvers

• E-mails can be sent with an arbitrary (spoofable) From address, making validation even more difficult

 

However, I did try to implement the process and succeeded in doing so with a few (not recommended) workarounds.

 

My main motivation came from this link where a similar solution is suggested but for SAP Workflow:

http://www.****************/Tutorials/Workflow/offline/Index.htm

 

The BASIS configuration remains the same as given in the link above. The steps are as follows:

1) Create an offline user in SAP (it can be a new user if the approver will forward the mail to approve or reject requests; in the reply-back case it has to be WF-BATCH)

2) Configure the SAPconnect node via transaction SICF

3) Configure and activate the SMTP service via transaction SMICM

4) Configure and set the inbound e-mail exit configuration

 

Even the next few steps remain the same; only the actual approval process has to be changed. In the 4th step, we need to provide a class name to process e-mails. In this example, I named the class Z_PROCESS_INBOUND_WORKFLOW. Add the interface IF_INBOUND_EXIT_BCS to the class; you will see two methods added from the interface.

 

Add the code in the methods:

Z_PROCESS_INBOUND_WORKFLOW->IF_INBOUND_EXIT_BCS~CREATE_INSTANCE

Here we create the instance of the class that the inbound exit framework uses for further processing. Sample code:

  DATA: lo_ref TYPE REF TO z_process_inbound_workflow.

* Create the processing instance. lo_ref is a local variable, so it is
* always initial here; a real singleton would keep the reference in a
* static attribute of the class instead.
  IF lo_ref IS INITIAL.
    CREATE OBJECT lo_ref.
  ENDIF.

* Return the instance via the interface's RETURNING parameter
  ro_ref = lo_ref.

 

Z_PROCESS_INBOUND_WORKFLOW->IF_INBOUND_EXIT_BCS~PROCESS_INBOUND

This method is called automatically to process the message when it is received by the SAP system. Sample code:

* Declarations for inbound e-mail processing
  DATA: lo_document       TYPE REF TO if_document_bcs,
        l_mail_attr       TYPE bcss_dbpa,
        l_mail_content    TYPE bcss_dbpc,
        lv_reqno          TYPE grac_reqno,
        lv_approve_reject TYPE char1,
        lt_cont_text      TYPE soli_tab,
        ls_cont_text      TYPE soli,
        lo_reply          TYPE REF TO cl_send_request_bcs,
        sender            TYPE REF TO if_sender_bcs,
        sender_addr       TYPE string,
        lv_email          TYPE ad_smtpadr,
        send_request      TYPE REF TO cl_bcs,
        lo_approval       TYPE REF TO z_grac_approbation_by_email.
*--------------------------------------------------------------------*
*- Get a pointer to the reply e-mail object -*
*--------------------------------------------------------------------*
  TRY.
      lo_reply = io_sreq->reply( ).
    CATCH cx_send_req_bcs.
  ENDTRY.
*--------------------------------------------------------------------*
*- Check that the message comes from our own mail domain.            -*
*- The From address is not authenticated, so this only filters noise;-*
*- the real approver check is done later against the work item.      -*
*--------------------------------------------------------------------*
  sender      = io_sreq->get_sender( ).
  sender_addr = sender->address_string( ).
  lv_email    = sender_addr.
  TRANSLATE sender_addr TO UPPER CASE.
* Anchor the check to the end of the address: a plain CS '@xxx.COM'
* substring test would also accept user@xxx.com.other.example
  FIND REGEX '@XXX\.COM$' IN sender_addr.
  IF sy-subrc = 0.
*--------------------------------------------------------------------*
*- Get the e-mail subject and read the request number from it -*
*--------------------------------------------------------------------*
    TRY.
        lo_document = io_sreq->get_document( ).
        l_mail_attr = lo_document->get_body_part_attributes( '1' ).
*       The request number is expected at a fixed position in the subject
        lv_reqno = l_mail_attr-subject+12(10).
      CATCH cx_document_bcs.
    ENDTRY.
*--------------------------------------------------------------------*
*- Get the mail body: the first non-empty line must start with      -*
*- APPROVE or REJECT                                                 -*
*--------------------------------------------------------------------*
    IF lo_document IS BOUND.
      TRY.
          l_mail_content = lo_document->get_body_part_content( '1' ).
          lt_cont_text   = l_mail_content-cont_text.
          DELETE lt_cont_text WHERE line IS INITIAL.
          READ TABLE lt_cont_text INTO ls_cont_text INDEX 1.
          IF sy-subrc = 0.
            TRANSLATE ls_cont_text-line TO UPPER CASE.
            IF ls_cont_text-line+0(7) = 'APPROVE'.
              lv_approve_reject = 'A'.
            ELSEIF ls_cont_text-line+0(6) = 'REJECT'.
              lv_approve_reject = 'R'.
            ENDIF.
          ENDIF.
        CATCH cx_document_bcs.
      ENDTRY.
    ENDIF.

*   Hand over to the approval class only when decision, request number
*   and sender address are all present
    IF lv_approve_reject IS NOT INITIAL
      AND lv_reqno IS NOT INITIAL
      AND lv_email IS NOT INITIAL.

      CREATE OBJECT lo_approval
        EXPORTING
          i_reqno          = lv_reqno
          i_email          = lv_email
          i_approve_reject = lv_approve_reject.

      CALL METHOD lo_approval->process_request.

    ENDIF.

  ENDIF.

 

Now, I have created another class, Z_GRAC_APPROBATION_BY_EMAIL, which is called from the method above. It validates approvers from their e-mail addresses, handles e-mails in case of any errors, and finally starts the approval process.

 

First, save the values in attributes of this class in the CONSTRUCTOR method.

Create a method PROCESS_REQUEST to do the processing.

 

In this method, the steps followed are:

  • First, get the SAP user ID for the e-mail address of the sender
  • Using the SAP user ID, validate that the sender is actually the approver by checking tables GRFNMWRTINSTWI and GRACREQUSER
  • If not, check whether the sender is a delegate approver; you can use function module SAP_WAPI_SUBSTITUTIONS_GET
  • If validated, create a background job using FM JOB_OPEN

 

The reason we need a background job is that SY-UNAME will be either WF-BATCH or the new user created by BASIS in step 1, and that user is not the actual approver. So we create a background job and then change its user ID to the actual approver.

So, after JOB_OPEN is called:

  • Call FM BP_JOB_READ
  • Change the user ID in the job header and call FM BP_JOB_MODIFY
  • Create a new report program to approve or reject the request (Z_REP_APPROBATION_BY_EMAIL) and SUBMIT it
  • Call FM JOB_CLOSE
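To make the two checks described above concrete (the subject/body parsing in PROCESS_INBOUND and the approver/delegate validation in Z_GRAC_APPROBATION_BY_EMAIL), here is an added example that is not part of the original post and not SAP code: a Python model of the same decision logic. The tables SAP_USER_BY_EMAIL, OPEN_WORK_ITEMS and SUBSTITUTIONS are constructed stand-ins for the GRACREQUSER/GRFNMWRTINSTWI lookups and for SAP_WAPI_SUBSTITUTIONS_GET; the domain, request numbers and messages are made up. It also shows why a substring domain test like the `CS '@xxx.COM'` in the ABAP above is weaker than an anchored match, and that even the anchored check is only a filter, because the From header is the spoofable field the post warns about.

```python
"""Model of the inbound approve/reject mail check (constructed example,
not the post's ABAP). The dicts below stand in for GRACREQUSER /
GRFNMWRTINSTWI and for SAP_WAPI_SUBSTITUTIONS_GET."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "xxx.com"  # assumed company domain (placeholder from the post)

# Constructed lookup tables.
SAP_USER_BY_EMAIL = {"alice@xxx.com": "ALICE", "bob@xxx.com": "BOB"}
# request number -> SAP user IDs holding an open approval work item
OPEN_WORK_ITEMS = {"1000000123": {"ALICE"}}
# absent approver -> users registered as their substitutes
SUBSTITUTIONS = {"ALICE": {"BOB"}}

SUBJECT_RE = re.compile(r"\b(\d{10})\b")  # request numbers are 10 characters


def substring_domain_check(address: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """The post's CS '@xxx.COM' test, kept for comparison: a plain substring match."""
    return ("@" + domain.upper()) in address.upper()


def sender_in_domain(address: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """Exact domain match on the parsed address.

    An address such as x@xxx.com.attacker.example passes the substring
    test but not this one. Either way this is only a noise filter: a
    From header is not authenticated, so it must never be the sole check.
    """
    _, addr = parseaddr(address)
    local, sep, host = addr.rpartition("@")
    return bool(sep) and bool(local) and host.lower() == domain.lower()


def parse_decision(raw_mail: str):
    """Return (sender, request_no, 'A'|'R'), or None if any part is missing."""
    msg = message_from_string(raw_mail)
    sender = msg.get("From", "")
    match = SUBJECT_RE.search(msg.get("Subject", ""))
    if not match:
        return None
    body = "" if msg.is_multipart() else msg.get_payload()
    # First non-empty body line decides, like the ABAP READ TABLE ... INDEX 1
    first = next((ln.strip().upper() for ln in body.splitlines() if ln.strip()), "")
    if first.startswith("APPROVE"):
        decision = "A"
    elif first.startswith("REJECT"):
        decision = "R"
    else:
        return None
    return sender, match.group(1), decision


def authorised_approver(sender: str, request_no: str):
    """Map the sender to a SAP user and confirm approver or delegate.

    Returns the SAP user ID that may act on the request, or None.
    """
    if not sender_in_domain(sender):
        return None
    _, addr = parseaddr(sender)
    user = SAP_USER_BY_EMAIL.get(addr.lower())
    if user is None:
        return None
    approvers = OPEN_WORK_ITEMS.get(request_no, set())
    if user in approvers:
        return user
    # Delegate check, the role SAP_WAPI_SUBSTITUTIONS_GET plays in the post
    for approver in approvers:
        if user in SUBSTITUTIONS.get(approver, set()):
            return user
    return None


def process_inbound(raw_mail: str):
    """Full pipeline: (user, request_no, decision), or None when the mail is refused."""
    parsed = parse_decision(raw_mail)
    if parsed is None:
        return None
    sender, request_no, decision = parsed
    user = authorised_approver(sender, request_no)
    return None if user is None else (user, request_no, decision)


# Constructed sample messages.
MAIL_OK = "From: Alice <alice@xxx.com>\nSubject: Re: Request 1000000123 awaits approval\n\napprove\nthanks\n"
MAIL_DELEGATE = "From: bob@xxx.com\nSubject: Request 1000000123\n\nREJECT\n"
MAIL_LOOKALIKE = "From: alice@xxx.com.attacker.example\nSubject: Request 1000000123\n\napprove\n"
MAIL_NOT_APPROVER = "From: bob@xxx.com\nSubject: Request 1000000999\n\napprove\n"

if __name__ == "__main__":
    for mail in (MAIL_OK, MAIL_DELEGATE, MAIL_LOOKALIKE, MAIL_NOT_APPROVER):
        print(process_inbound(mail))
```

The look-alike message is accepted by `substring_domain_check` and refused by `sender_in_domain`; the delegate message is accepted only because BOB is registered as ALICE's substitute, and a valid in-domain sender with no work item on the request is refused. Even so, `From` can be set freely by the sending client, which is exactly why the KBA cited above does not allow this process.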

 

Now, the main logic is in the report program Z_REP_APPROBATION_BY_EMAIL.

I added three selection screen parameters to accept the request number, the BNAME (SAP user ID) of the approver, and a field to identify approve or reject (A or R).

  • First, fetch the request ID for the request number from table GRACREQ and concatenate 'ACCREQ/' and the request ID together.
  • Next, fetch the work item IDs for the request number from table GRFNMWRTINSTWI.
  • After collecting the data, call the standard methods that the GRC system uses for processing. Code snippets are shown below:

  go_session = cl_grfn_api_session=>open_daily( ).

  TRY.
*     Load the access request object for 'ACCREQ/<request ID>'
      go_api ?= go_session->get( gv_reqid ).

      gv_bname = p_bname.

*     Retrieve the request in editable mode on behalf of the approver,
*     restricted to the work item IDs read from GRFNMWRTINSTWI
      CALL METHOD go_api->if_grac_api_access_request~retrieve
        EXPORTING
          iv_editable      = abap_true
          it_wi_id         = gt_wi_id
          iv_admin_mode    = lv_bool
          iv_approver_user = gv_bname.

      IF p_aprj EQ 'A'.

        ls_user_range-sign = 'I'.
        ls_user_range-option = 'EQ'.
        ls_user_range-low = gv_bname.
        APPEND ls_user_range TO lt_user_range.

        lv_user = gv_bname.


        CALL METHOD cl_grac_user_rep=>retrieve_realtime_user
          EXPORTING
            iv_user          = lv_user
          IMPORTING
            es_real_userinfo = ls_real_userinfo.


*       Read the connectors (systems) in which the approver exists
        CALL METHOD cl_grac_user_rep=>retrieve_user_systems
          EXPORTING
            it_user      = lt_user_range
*           it_user_name =
*           iv_max_rows  = 1000
          RECEIVING
            rt_user      = lt_user.

*       Attribute values for the employee-level (ls_val) and user-level
*       (ls_val1) authority checks below
        ls_val-val1 = ls_real_userinfo-department.
        ls_val-val2 = ls_real_userinfo-location.
        ls_val-val3 = ls_real_userinfo-company.
        ls_val-val4 = ls_real_userinfo-costcenter.
        ls_val1-val1 = ls_real_userinfo-userid.
        ls_val1-val2 = ls_real_userinfo-user_group.
        ls_val1-val3 = ls_real_userinfo-orgunit.

        IF lt_user IS NOT INITIAL.


          LOOP AT lt_user INTO ls_user.


            ls_val1-val4 = ls_user-connector.


*           The approver must pass both the employee-level and the
*           user-level authority check for this connector
            IF cl_grac_auth_engine=>authority_check(
                  iv_auth_obj   =  graca_c_emp-auth_obj
                  iv_field1     =  graca_c_actvt-actvt
                  iv_value1     =  graca_c_actvt-change
                  iv_field2     = graca_c_emp-dept
                  iv_value2     = ls_val-val1
                  iv_field3     =  graca_c_emp-location
                  iv_value3     =  ls_val-val2
                  iv_field4     =  graca_c_emp-company
                  iv_value4     =  ls_val-val3
                  iv_field5     =  graca_c_emp-cost_centre
                  iv_value5     =  ls_val-val4
              ) EQ abap_true AND
               cl_grac_auth_engine=>authority_check(
                     iv_auth_obj   =  graca_c_user-auth_obj
                     iv_field1     =  graca_c_actvt-actvt
                     iv_value1     =  graca_c_actvt-change
                     iv_field2     = graca_c_user-userid
                     iv_value2     =  ls_val1-val1
                     iv_field3     =  graca_c_user-usergroup
                     iv_value3     =  ls_val1-val2
                     iv_field4     =  graca_c_user-org_unit
                     iv_value4     =  ls_val1-val3
                     iv_field5     = graca_c_user-connector
                     iv_value5     = ls_val1-val4
                 ) EQ abap_true.
              lv_flg = 'X'.
              EXIT.
            ENDIF.
          ENDLOOP.
        ELSE.
*         No connectors found for the user: ls_user is still initial here,
*         so the connector is blank and the check uses activity 'create'
          ls_val1-val4 = ls_user-connector.
          IF cl_grac_auth_engine=>authority_check(
                iv_auth_obj   =  graca_c_emp-auth_obj
                iv_field1     =  graca_c_actvt-actvt
                iv_value1     =  graca_c_actvt-create
                iv_field2     = graca_c_emp-dept
                iv_value2     = ls_val-val1
                iv_field3     =  graca_c_emp-location
                iv_value3     =  ls_val-val2
                iv_field4     =  graca_c_emp-company
                iv_value4     =  ls_val-val3
                iv_field5     =  graca_c_emp-cost_centre
                iv_value5     =  ls_val-val4
            ) EQ abap_true AND
             cl_grac_auth_engine=>authority_check(
                   iv_auth_obj   =  graca_c_user-auth_obj
                   iv_field1     =  graca_c_actvt-actvt
                   iv_value1     =  graca_c_actvt-create
                   iv_field2     = graca_c_user-userid
                   iv_value2     =  ls_val1-val1
                   iv_field3     =  graca_c_user-usergroup
                   iv_value3     =  ls_val1-val2
                   iv_field4     =  graca_c_user-org_unit
                   iv_value4     =  ls_val1-val3
                   iv_field5     = graca_c_user-connector
                   iv_value5     = ls_val1-val4
               ) EQ abap_true.
            lv_flg = 'X'.
          ENDIF.
        ENDIF.


*       Update the request only if the approver passed the authority checks
        IF lv_flg = 'X'.

          PERFORM f_fill_approving_details CHANGING ls_req_data
                                                    lt_item
                                                    lt_requser
                                                    lt_reqsys.

          lo_api ?= go_session->get( gv_reqid ).

          CALL METHOD lo_api->if_grac_api_access_request~update
            EXPORTING
              is_request_data = ls_req_data
              it_requser      = lt_requser
              it_reqlineitm   = lt_item
              it_reqsys       = lt_reqsys.

          CALL METHOD go_session->save.

        ENDIF.
      ELSEIF p_aprj EQ 'R'.


        CALL METHOD go_api->if_grac_api_access_request~reject .

        CALL METHOD go_session->save.

      ENDIF.

    CATCH cx_grfn_exception INTO go_grfn_exp.
*     Errors from the GRC API end up here; the snippet only captures them
  ENDTRY.

*&---------------------------------------------------------------------*
*&      Form  f_fill_approving_details
*&---------------------------------------------------------------------*
*       Read the request header, line items, users and systems from the
*       GRAC tables and build the structures for the UPDATE call, with
*       every line item set to approval status 'AP'
*----------------------------------------------------------------------*
*      <--PS_REQ_DATA  request header data
*      <--PT_ITEM      request line items
*      <--PT_REQUSER   request users
*      <--PT_REQSYS    request systems
*----------------------------------------------------------------------*
FORM f_fill_approving_details CHANGING   ps_req_data TYPE grac_s_api_req_data
                                        pt_item     TYPE grac_t_api_reqlineitem
                                        pt_requser  TYPE grac_t_api_user_info
                                        pt_reqsys   TYPE grac_t_api_reqsys.

  TYPES: BEGIN OF ty_gracreq,
          req_id          TYPE grfn_guid,
          req_created     TYPE grac_req_created,
          duedate         TYPE grac_duedate,
          reqtype         TYPE grac_reqtype,
          funcarea        TYPE grac_funarea,
          msmp_process_id TYPE grfn_mw_process_id,
        END OF ty_gracreq,

        BEGIN OF ty_gracitem,
          itemnum         TYPE grac_seq,
          connector       TYPE grac_reqsystem,
          prov_item_id    TYPE grfn_guid,
          prov_item_type  TYPE grac_prov_item_type,
          prov_action     TYPE grac_actiontype,
          prov_item_name  TYPE grac_prov_item_name,
          approval_status TYPE grac_approval_status,
          valid_from      TYPE grac_valid_from,
          valid_to        TYPE grac_valid_to,
          prov_type       TYPE grac_prov_type,
        END OF ty_gracitem,

        BEGIN OF ty_systems,
          systems TYPE grfn_connectorid,
        END OF ty_systems.

  DATA: lv_reqid TYPE grfn_guid,
        ls_gracreq TYPE ty_gracreq,
        lt_gracitem TYPE STANDARD TABLE OF ty_gracitem,
        ls_gracitem TYPE ty_gracitem,
        lt_gracuser TYPE STANDARD TABLE OF gracrequser,
        ls_gracuser TYPE gracrequser,
        ls_reqsys   TYPE grac_s_api_reqsys,
        lt_systems  TYPE STANDARD TABLE OF ty_systems,
        ls_systems  TYPE ty_systems,
        ls_requser  TYPE grac_s_api_user_info,
        ls_item     TYPE grac_s_api_reqlineitem.

* gv_reqid holds 'ACCREQ/<request ID>'; strip the 7-character prefix
  lv_reqid = gv_reqid+7.

  SELECT SINGLE  req_id
                 req_created
                 duedate
                 reqtype
                 funcarea
                 msmp_process_id
    FROM gracreq
    INTO ls_gracreq
    WHERE req_id = lv_reqid.
  IF sy-subrc EQ 0.
    ps_req_data-req_id = ls_gracreq-req_id.
    ps_req_data-req_created = ls_gracreq-req_created.
    ps_req_data-req_approved = ls_gracreq-duedate.
    ps_req_data-reqtype = ls_gracreq-reqtype.
    ps_req_data-msmp_process_id = ls_gracreq-msmp_process_id.
    ps_req_data-funcarea = ls_gracreq-funcarea.

    SELECT itemnum
           connector
           prov_item_id
           prov_item_type
           prov_action
           prov_item_name
           approval_status
           valid_from
           valid_to
           prov_type
      FROM gracreqprovitem
      INTO TABLE lt_gracitem
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracitem INTO ls_gracitem.
        CLEAR ls_item.  " do not carry fields over from the previous item
        ls_item-itemnum         = ls_gracitem-itemnum.
        ls_item-item_name       = ls_gracitem-prov_item_name.
        ls_item-connector       = ls_gracitem-connector.
        ls_item-prov_item_id    = ls_gracitem-prov_item_id.
        ls_item-prov_item_type  = ls_gracitem-prov_item_type.
        ls_item-prov_action     = ls_gracitem-prov_action.
        " approval status is hard-coded to 'AP' (approved) for every line item;
        " the value stored in GRACREQPROVITEM-APPROVAL_STATUS is not used
        ls_item-approval_status = 'AP'.
        ls_item-valid_from      = ls_gracitem-valid_from.
        ls_item-valid_to        = ls_gracitem-valid_to.
        ls_item-prov_type       = ls_gracitem-prov_type.

        APPEND ls_item TO pt_item.
      ENDLOOP.
    ENDIF.

    " requested users (GRACREQUSER) for this request
    SELECT * FROM gracrequser
      INTO TABLE lt_gracuser
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracuser INTO ls_gracuser.
        CLEAR ls_requser.
        ls_requser-userid        = ls_gracuser-userid.
        ls_requser-provuser      = ls_gracuser-provuser.
        ls_requser-snc_name      = ls_gracuser-snc_name.
        ls_requser-unsec_snc     = ls_gracuser-unsec_snc.
        ls_requser-accno         = ls_gracuser-accno.
        ls_requser-empposition   = ls_gracuser-empposition.
        ls_requser-empjob        = ls_gracuser-empjob.
        ls_requser-personnelno   = ls_gracuser-personnelno.
        ls_requser-personnelarea = ls_gracuser-personnelarea.
        ls_requser-email         = ls_gracuser-email.
        ls_requser-emptype       = ls_gracuser-emptype.
        ls_requser-logon_langu   = ls_gracuser-logon_langu.
        ls_requser-dec_notation  = ls_gracuser-dec_notation.
        ls_requser-date_format   = ls_gracuser-date_format.
        ls_requser-time_zone     = ls_gracuser-time_zone.
        ls_requser-manager       = ls_gracuser-manager.
        APPEND ls_requser TO pt_requser.
      ENDLOOP.
    ENDIF.

    " target systems (GRACREQUSERSYS) for this request
    SELECT systems
      FROM gracrequsersys
      INTO TABLE lt_systems
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_systems INTO ls_systems.
        CLEAR ls_reqsys.
        ls_reqsys-systems = ls_systems-systems.
        APPEND ls_reqsys TO pt_reqsys.
      ENDLOOP.
    ENDIF.

  ENDIF.

ENDFORM.                    "f_fill_approving_details

 

Transport BRF+ Application from $TMP package

I am not sure whether you have already come across the phase associated with copying a BRF+ application out of the $TMP package in order to make it transportable.

 

At the start of my implementation project on GRC V:11 and SAP:04, I had created one BRF+ application and saved it to the $TMP package so as to avoid capturing it in a transport request, as I still had more configuration to do with the never-ending requirements. So, when I had completed all the configuration, I tried to put it into a TR but couldn't do that, as I had saved it into $TMP, so I got stuck.

 

So, to make the application transportable, follow these steps:

 

1) Copy the application from the $TMP package to an SAP development package

 

Run transaction BRF+ and navigate to the application that is saved in the $TMP package.

 

Application1.png

2) Right click on the application --> Copy

 

copy.png

3) On the new screen, enter the new application name (the target application name), description and short text.

Make sure to uncheck the box "Create Local Application". If you miss this, the target application will again end up in the $TMP package.

 

 

copy1.png

 

If you have created a package specifically for BRF+, enter its name under "Development package". If not, you can create one with transaction SE21 as shown below:

PACKAGE.png

 

package1.png

 

Fill in all the required details and confirm.

 

After entering the development package, specify the software component and make sure the check box "Include contained objects" is selected. Click Copy.

 

It will prompt for a transport request, but you may see the error screen below:

 

transport.png

This is due to a bug in GRC V:11 that is resolved by implementing SAP Note 2029700 (http://service.sap.com/sap/support/notes/2029700).

 

 

Thanks to SAP for providing this note; I am now able to copy the application from the $TMP package to an SAP development package to make it transportable.

I thought I would share this experience with SCN community members in case they come across this issue.

 

 

Cheers!!

Ameet

 

Hi GRC,

 

Here I would like to share my experience of creating transportable BRF+ rules in GRC AC 10.0. Please follow the attached file.

 

 

 

Thanks & Regards,

 

Rajesh Srisailapu

This document talks about the challenges organizations face when upgrading the Support Package and NetWeaver versions for SAP GRC 10.0. Organizations that upgrade the support package together with the NetWeaver version for SAP GRC 10.0 may face challenges at different stages of the project. Here we discuss some of the challenges faced in a real environment while upgrading GRC 10.0 from SP07 to SP13 and SAP NetWeaver from 7.02 to 7.31 SPS 8.

  • Backend plug-in upgrade
    • If an organization is planning to upgrade GRC 10.0 from an SP level below SP10, it also has to plan and coordinate the GRC plug-in upgrade in the backend systems. GRC is normally connected to most systems in an organization for user provisioning, risk analysis and emergency access, and those systems are at different NetWeaver versions and plug-in levels.
    • To avoid product compatibility issues, plan the plug-in upgrade before the GRC system upgrade.
  • SU25 and Web Dynpro component upgrade
    • It is tough for a security consultant to understand the effect of the authorization updates in SU25 steps 2a, 2b and 2c on the GRC front end, as they do not show which authorization checks changed for the GRC front-end applications.
    • A detailed test strategy and scenario testing are suggested to cover all authorization check changes and role change requirements.

 

  • Mass user locking
    • Normally in ECC, BI and similar systems the total number of users is in the thousands, but in a GRC system the number of users is much higher, depending on the number of systems connected to it and how user data is updated. To prevent users from logging in during the upgrade, it is recommended to lock them.
    • In general SU10 is used for mass locking, but locking hundreds of thousands (lakhs) of users via SU10 is not a suitable approach.
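The lock step above is where most upgrade runbooks go wrong: system, service and RFC users get locked along with dialog users, and the unlock afterwards re-opens accounts that had been locked for other reasons. The following is an added example, not code from the original document, showing how to plan the lock from a USR02 extract and apply it through the standard function modules BAPI_USER_LOCK and BAPI_TRANSACTION_COMMIT. It assumes the USR02 rows (BNAME, USTYP, UFLAG) have already been extracted, and that the RFC client is something like pyrfc's Connection.call, passed in as a callable so the logic runs offline against the fake below. The user names and the keep-list are constructed.

```python
"""Plan and apply a mass user lock ahead of an upgrade window.

Added example, not code from the original document. Assumes USR02 rows
(BNAME, USTYP, UFLAG) are already extracted and that locking goes through
BAPI_USER_LOCK / BAPI_TRANSACTION_COMMIT via an RFC client such as pyrfc
(Connection.call), passed in as a callable.
"""
from dataclasses import dataclass, field

# USR02-USTYP: A dialog, B system, C communication, L reference, S service.
# Only dialog users are locked; RFC, batch and communication users keep running.
LOCKABLE_USER_TYPES = {"A"}
# USR02-UFLAG: 0 unlocked, 32 locked globally, 64 locked by administrator,
# 128 locked after too many failed logons.
UFLAG_UNLOCKED = 0


@dataclass
class LockPlan:
    to_lock: list = field(default_factory=list)         # locked by us, unlock afterwards
    already_locked: list = field(default_factory=list)  # pre-existing locks, leave as they are
    skipped: list = field(default_factory=list)         # keep-list and non-dialog users


def plan_locks(usr02_rows, keep):
    """Classify every USR02 row. `keep` names users that must stay open
    (Basis admins, the GRC RFC users, emergency IDs). Pre-existing locks are
    recorded separately so the unlock after the window does not re-open
    accounts that were locked for other reasons."""
    plan = LockPlan()
    keep = {u.upper() for u in keep}
    for row in usr02_rows:
        name = row["BNAME"].upper()
        if name in keep or row["USTYP"] not in LOCKABLE_USER_TYPES:
            plan.skipped.append(name)
        elif int(row["UFLAG"]) != UFLAG_UNLOCKED:
            plan.already_locked.append(name)
        else:
            plan.to_lock.append(name)
    return plan


def apply_locks(call_rfc, plan, batch_size=500):
    """Lock plan.to_lock with BAPI_USER_LOCK, one commit per batch.

    call_rfc(function_module, **parameters) -> result dict (pyrfc style:
    table parameters come back as lists of dicts). Returns (locked, failed);
    failed maps user -> BAPI message so the run can be audited and retried.
    """
    locked, failed = [], {}
    for start in range(0, len(plan.to_lock), batch_size):
        for user in plan.to_lock[start:start + batch_size]:
            result = call_rfc("BAPI_USER_LOCK", USERNAME=user)
            errors = [m for m in result.get("RETURN", []) if m.get("TYPE") in ("E", "A")]
            if errors:
                failed[user] = errors[0].get("MESSAGE", "")
            else:
                locked.append(user)
        call_rfc("BAPI_TRANSACTION_COMMIT", WAIT="X")
    return locked, failed


# Constructed sample USR02 extract (not real data).
SAMPLE_USR02 = [
    {"BNAME": "BASISADMIN", "USTYP": "A", "UFLAG": "0"},
    {"BNAME": "GRC_RFC",    "USTYP": "B", "UFLAG": "0"},
    {"BNAME": "JSMITH",     "USTYP": "A", "UFLAG": "0"},
    {"BNAME": "MJONES",     "USTYP": "A", "UFLAG": "64"},
    {"BNAME": "WF-BATCH",   "USTYP": "S", "UFLAG": "0"},
    {"BNAME": "PKUMAR",     "USTYP": "A", "UFLAG": "0"},
]


class FakeRfc:
    """Stand-in for pyrfc.Connection.call: records every call and makes the
    lock of one user fail, to show that failures are reported, not hidden."""
    def __init__(self):
        self.calls = []

    def __call__(self, function_module, **params):
        self.calls.append((function_module, params))
        if function_module == "BAPI_USER_LOCK" and params["USERNAME"] == "PKUMAR":
            return {"RETURN": [{"TYPE": "E", "MESSAGE": "User PKUMAR does not exist"}]}
        return {"RETURN": []}


def demo():
    plan = plan_locks(SAMPLE_USR02, keep={"basisadmin"})
    rfc = FakeRfc()
    locked, failed = apply_locks(rfc, plan)
    return plan, locked, failed, rfc


if __name__ == "__main__":
    plan, locked, failed, rfc = demo()
    print("to lock:", plan.to_lock, "| pre-locked:", plan.already_locked, "| skipped:", plan.skipped)
    print("locked:", locked, "| failed:", failed)
```

In production, `call_rfc` would be `pyrfc.Connection(...).call`, and the `to_lock` list is what you persist and feed to BAPI_USER_UNLOCK after the upgrade; the `already_locked` list is deliberately left untouched in both directions.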

 

  • Access requests ending in "Agent not found" errors or completing without role owner approval
    • Post upgrade, roles whose approvers are not defined in table GRACOWNER (i.e. not maintained as owners under "Access Control Owners" in the front end) cannot be approved, because after the upgrade GRC checks for approvers in GRACOWNER.
    • Before go-live, maintain all role approvers as Role Owners in the Access Control Owners list.

 

  • Dumps when clicking a link in an e-mail received from GRC
    • After the NetWeaver and SP upgrade of GRC 10.0, users might start getting the ABAP dump below:

               ASSERTION FAILED

               Category              ABAP Programming Error

               Runtime Errors        ASSERTION_FAILED

               ABAP Program          CL_GRFN_API_IDENT================CP

               Application Component GRC

    • Check whether OSS note 1888486 is applicable to your system to fix the issue.

On one of my first projects as the lead architect I needed to prototype GRC. I had supported GRC components before (albeit 5.3 version), attended the GRC300 training course and passed my certification. I was excited: finally a GRC 10.0 implementation. I was at a client and they had a need for it. I had the skill and enthusiasm to see it implemented. The client accepted my business case of lowering user administration and support cost, and I had the confidence to see this project through. Fantastic!! Woo-hoo GRC implementation here I come!!!!!!!!

 

Before I got my hands on the system, the business-process minded part of me had mapped out the strategy and approach. I put pen to paper and drew up my view of the access control processes: who would approve and what would they approve. My design integrated as much of Access Controls as possible.  I found my Internal Controls buddy to assist me in keeping this business orientated: yes I found my first friend. I realised at the beginning, this implementation would not be possible if my team did not include a business stakeholder who could define business requirements and help design what an unacceptable risk to the business is and what the business was prepared to do about it. This friend of mine came from an Audit background (yes, auditors are friends too!) and could provide valuable input on compliance requirements we needed to adhere to.

 

We were able to work together to not only define the process but identify the roles and responsibility (in the form of a RACI model). In doing this, we identified organisational changes which then led me to another group of friends known as the Change Managers.  We have not even got the system built and I am now spending more time with an ex-Auditor/Internal Controls expert and a Change Manager to properly define how the business would use GRC.  The Change Manager then asks ‘Will end users be impacted’? Well, of course they will be as we are trying to automate user access provisioning and we have segregation of duties and risk and so on. My next group of friends became the Trainers. Internal Controls, Change Managers and Trainers oh my! And still no system!

 

It came time to submit the high level design for approval. My awesome pretty crap process designs were too high level. What I thought was three or four business processes were rebuilt by my next friend: The Business Analyst. This friend knew how to model business processes and took my diagrams (really PowerPoint slides) and broke them down to a much lower level. The business analyst identified logical gaps and incorrect assumptions without even knowing what GRC is (that soon changed).  Had this friend not stepped in at the beginning I would have been in a world of pain with the workflow configuration and ultimately resulted in rework, project delay and additional cost.

 

Finally my system was built by my friend Basis. This team became my first-and-best-techy-friend (hey, they always are). Until I started GRC, I had never raised an SAP message incident (I did not even know how to). SAP Marketplace and SCN contained my answers so it was never necessary. However, the solution to most of the SAP incidents I raised was in the form of a heap of notes and support stacks to apply, and Basis was there every step of the way. In addition, I had them assist me with appropriate system settings: system parameters; RFC connections; trusted systems; LDAP connections and NWBC. Yes, I could go and configure them myself, but if this were an ERP system would a Functional Consultant be allowed to do the same?

 

As I started to prototype the solution and came across the business workflow, I learned more about the flexibility and power of GRC. I was able to configure MSMP (I'm quite a fan of it), but then I realised it would be great to make friends with the Workflow and ABAP developers, especially if they have BRF+ skills, and pick their brains. These developers would know how best to configure the workflow rules (do I use a decision table or a case statement?), build new launchpads and customise screen layouts. They would have a great naming convention for custom objects. They would also let me sit with them and help debug to find out why I am getting that short dump (i.e. confirm I need to raise an SAP incident).

 

I continued to prototype and refine some of the design as we all discovered what the system would be capable of. It then dawned on me how best to document the configuration and build. I reached out to a new group of friends and they were Functional Consultants who worked on the ERP system. My view was: we might be configuring different systems but we’re both doing configuration via IMG and maybe there is something I can leverage from them (via our Solution Architect).

 

So before I even got to the development system, I had become friends with Internal Controls; Change Managers; Trainers; Basis; Workflow and ABAP developers; and Functional Consultants. Most of my friends were included in my project plan so that management knew up front the true effort and people necessary for a GRC implementation to be successful. Management knew that GRC was not a support tool but enabled business processes. Internal Controls was my key business representative, who had their own set of friends to determine business requirements that I could translate into technical deliverables.

 

My motivation in finding friends was a concern I had: if I relied only on my own skills we may deliver a workable solution but it may not be the most effective and efficient solution. Without calling on all friends here, I might have a solution that works for day one but what happens next year or the year after? What happens when business requirements change? What happens when support stack and enhancement packs are necessary?

 

I’m sure there are more friends. Had I continued on this project I would have met up with Change and Release Managers to migrate changes and thinking through planning for enhancement packs, system refreshes and overall landscape design in conjunction with Basis. Oh, and if you’re wondering why no security - I did not forget them as that was me.

 

My advice – depending on the size of your project you may not need all these friends. Consider them in your planning based on your own strengths and weaknesses. Leverage where you can as it will benefit your solution in the long term.

 

Do you have any recommendations for who you'd make friends with and leverage for a successful GRC implementation? I would love to hear your thoughts in the comments below.

 

Regards

Colleen

 

P.S. I would like to make a special thank you to Gretchen Lindquist for all your valuable feedback and encouragement to me for this blog.

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC


Since GRC 5.3 was on the Java stack, customization of the GRC screens was not possible to any great extent. As GRC 10.0 is on the ABAP stack, we have the flexibility to customize NWBC according to the client's requirements, and you can add links to NWBC that are not delivered with the standard SAP GRC ABAP roles and launchpads.

 

“Whatever you want see in NWBC choice is yours to enable it”

 

With this customization of the NWBC launchpad we can do the following:

 

  1. Access all SAP systems
  2. Execute backend system reports, e.g. SUIM and SE16
  3. Customize GRC (SPRO) from NWBC itself, with no need to log on with SAP GUI and use transaction SPRO
  4. Create users and roles, and develop and configure MSMP, from NWBC
  5. BI reports and queries, and much more

 

Hence you might not need SAP GUI at all once NWBC is customized. Keep in mind that the launchpad only controls which links are shown: every transaction started this way still runs under the user's backend authorizations (S_TCODE and the transaction's own authorization checks), so a link in NWBC is not a way to grant access that the user's roles do not already contain.

 

The NWBC customization below is done in web-based NWBC (Internet Explorer). Make sure that one alias name has been created for each SAP system (ECC/Portal) in SAP Enterprise Portal (SAP EP) by a portal administrator.

 

Below are  few examples of customization of NWBC:

 

  1. Accessing Backend systems
  2. Table Access
  3. MSMP Access
  4. BRF Plus Access
  5. Merging NWBC and the SAP logon screen in Internet Explorer

 

 

 

Step 1.


   Go to SPRO --> Governance, Risk and Compliance --> Configure LaunchPad for Menus


               Image 1.JPG


You will see the launchpad below with the GRC (AC, PC and RM) related roles and descriptions. Before customizing, we need to decide in which work center the customized menus/links should appear in NWBC. I have chosen the My Home work center; for it, choose the GRACHOME role (see below).

 

Select GRACHOME Role and double click or choose edit button.


               Image 2.JPG


Step 2:

 

Select New Folder to create a main menu in the work center and enter whatever text you need.
Here I have given the text My Company Access (shown in the screen), and the same will show in NWBC as the main menu. The system provides a default icon for the customized menu. Save the screen.


Note: You can change the folder name whenever you wish.

              Image 3.JPG

               Image 4.JPG

 

Step 3:

 

Choose the newly created folder (My Company Access) and select the New Application button.

 

Provide the name of the menu/link that will be executed from NWBC, e.g. Table Access.

 

Select one of the application categories based on your requirement; a few of the SAP-provided application categories are listed below:

 

BEx Analyzer
BI Enterprise Report
BI Query
BI Web Template
Crystal Report
InfoSet Query
KM Document
Manager's Desktop
Transaction
Portal Page
Web Dynpro ABAP

 

I have selected the application category Transaction. Once you select Transaction, the system asks for a transaction code. See below:

 

Note: For one application you can select only one transaction or one application category.

 

As mentioned above, select the System Alias; in this example the System Alias is SAP-GRC-AC or Local.

 

               Image 5.JPG

Click on Advanced Parameters tab

 

GUI Type: This is optional; select whichever you need.

 

               Image 6.JPG

Step 4

Link to a Repository Application

 

To add existing SAP repository objects to the newly created custom folder, follow the process below:

 

Select My Company Access (the newly created folder) and click Link to a Repository Application. The system opens a launchpad window (marked in green) to select an existing role; in the example below I have selected GRCIAREPOS.

 

Double click on Role GRCIAREPOS

 

Once you have linked your custom folder with the SAP repository application, you can also add SAP standard links to the custom folder.

               Image 7.JPG

Once you double click Role GRCIAREPOS, you can see below screen:

               Image 8.JPG

Expand the GRC_AccessControl menu, select the relevant entry you want to have in the customized screen and drag it into the custom folder "My Company Access".

 

This lets us restrict what is reachable through the NWBC menu, in addition to (not instead of) authorizations: an entry that is left out of the launchpad is only hidden, and an entry that is added still runs under the user's backend authorization checks.

               Image 9.JPG

 

Add a separator if you wish to differentiate custom objects from SAP objects.

 

Select the folder My Company Access and click the Add Separator button. Now you can move the links/menus and the separator wherever you need.

 

               Image 10.JPG

The screens below show NWBC with and without customizing.

 

 

NWBC without Customizing


               Image 11.JPG

 

NWBC Customizing with custom menus

 

               Image 12.JPG

 

Example 1: Access SAP system from NWBC


Select the newly created folder (My Company Access) and create a new application.
Under Application Category choose Transaction, and as the application parameter provide SESSION_MANAGER.

 

               Image 13.JPG

 

  1. Save and start NWBC. Go to My Home and click the link SAP Backend system.

 

               Image 14.JPG

A new window will open for the SAP backend system; click Start SAP Easy Access. SAP opens in Internet Explorer.

 

               Image 15.JPG

 

You can see the SAP screen in Internet Explorer/NWBC

 

               Image 16.JPG

 

Example 2: Accessing SAP Backend Tables & Reports from NWBC

Follow the same steps: Create New Application --> provide the link name as Table Access --> select Transaction as the application category --> provide the transaction code SE16


Save, refresh NWBC and execute.

Note that putting SE16 on the launchpad does not change who can use it: the user still needs S_TCODE for SE16 and the table-level authorizations (S_TABU_DIS / S_TABU_NAM) for the tables being displayed, so keep those as restricted as you would for SAP GUI users.

 

               Image 17.JPG

               Image 18.JPG    

 

Example 3: Opening MSMP from NWBC

 

Follow the same steps for this example as well.

               Image 19.JPG

Example 4: Opening a BRF+ application from NWBC

               Image 20.JPG

 

               Image 21.JPG

               Image 22.JPG

 

If you select the MSMP Configuration link you are redirected to the screen below, without any Internet Explorer link option.

 

Most important customization: Merging NWBC and the SAP screen in Internet Explorer

 

Configuring the SAP screen and NWBC in one page

 

As explained above (already given in Example 1):


Select the newly created folder (My Company Access) and create a new application.
Under Application Category choose Transaction, as the application parameter provide SESSION_MANAGER, and as the system alias SAP-GRC-AC.


               Image 13.JPG

Go to Advanced Parameters.


Under advanced parameters select GUI Type: SAP GUI for HTML.

Select Initial Screen under the option Entries Once Started.

Portal parameter: select INPLACE (Inplace).


               Image 23.JPG

Save and run it in NWBC.

 

Once you refresh NWBC, you will see the link "SAP Backend system".

 

               Image 28.jpg

Click the SAP Backend system link and you will see the screen below.

Here you can execute all SAP transactions (subject to your authorizations).

 

               Image 24.JPG

Click the Start SAP Easy Access button.


You will see the SAP screen below, similar to the SAP GUI screen.

In this screen everything is the same as in SAP GUI; however, you can also see the NWBC menus. The SAP screen and NWBC are merged into one screen.

 

Even without SAP GUI installed, we can log on to the SAP backend system using this customization. It will be useful for small devices such as smartphones and tablets; soon we will be able to run SAP from small devices, depending on accessibility and network (SAP has already launched an Android app for FF ID approval).

               Image 25.JPG

Executing SAP transactions from NWBC.

In this example I have executed PFCG; whatever transaction you execute, you can see the NWBC work centers in the same screen.

 

               Image 29.jpg

 

Conclusion

 

In this way we can customize NWBC without any ABAP or Java knowledge, and whenever we need to, we can design and change the screens without taking much time.

 

SAP has provided the flexibility to customize NWBC based on the client's requirements.

A common problem for SAP Access Control customers migrating to Access Control 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they do not want to lose the customizations they have made to their existing rule set. The business may also require a copy of the rule set for review by an external audit firm or for backup purposes.


These tasks can be accomplished via two Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


This blog defines the contents of the GRC rule set and demonstrates how to download and upload the Access Risk Analysis rule set. Once downloaded, the rule set can be modified in Excel, using functions such as CONCATENATE, COUNTIF and VLOOKUP, to add rule sets > risks > functions in a new namespace such as "Z_".


SAP delivers a canned SoD rule set for running risk analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule set customization is accomplished in three ways:


  1. Direct modification of functions and risks in NWBC via the Setup work centre: Function / Access Risks / Rule Sets
  2. Mass modification of functions in NWBC via the Setup work centre: Function > Mass Maintenance
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES


The rule set is created during configuration by activating BC Sets with transaction SCPR20. This table lists the canned rule sets in SAP Access Control 10.x.

 

BC Set ID                  BC Set description
GRAC_RA_RULESET_COMMON     Rule Set for Common rules
GRAC_RA_RULESET_JDE        BC Set for AC Rules for JDE
GRAC_RA_RULESET_ORACLE     BC Set for AC Rules for ORACLE
GRAC_RA_RULESET_PSOFT      BC Set for AC Rules for PeopleSoft
GRAC_RA_RULESET_SAP_APO    BC Set for AC Rules - SAP APO
GRAC_RA_RULESET_SAP_BASIS  BC Set for AC Rules - SAP BASIS
GRAC_RA_RULESET_SAP_CRM    BC Set for AC Rules for SAP CRM
GRAC_RA_RULESET_SAP_ECCS   BC Set for AC Rules for SAP ECCS
GRAC_RA_RULESET_SAP_HR     BC Set for AC Rules for SAP HR
GRAC_RA_RULESET_SAP_NHR    BC Set for AC Rules for SAP R3 less HR Basis
GRAC_RA_RULESET_SAP_R3     BC Set for AC Rules for SAP R3
GRAC_RA_RULESET_SAP_SRM    BC Set for AC Rules for SAP SRM


 

The only BC Set whose activation is mandatory is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both the HR and the BASIS rule sets (SAP Note 1033326).

 

All BC Sets listed above, once activated, are automatically combined into the "Global" rule set.

BC Set Example.jpg

 

SAP provides download and upload functionality via two transactions:


GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


grac_download.jpg


88.jpg

 

 

The rule set is exported and imported as nine individual files. The files can be named anything; however, naming each file after its contents helps keep them organized.


The following section gives a brief description of each file, the format of the export and the NWBC screens associated with it.

09.jpg                     

Business Process:


Business Process defines the business process ID, the language and the business process description.


business_process_1.jpg


NWBC Business Process correlation:


61.jpg


Function:


Function defines the function, language, function description and single or cross system reference.


function_2.jpg


NWBC Function correlation:


62.jpg


Function Business Process:


Function to Business Process associates functions to business processes.


3.jpg


NWBC Function to Business Process correlation:


63.jpg

Function Actions:


Function to Actions associates functions with actions (transaction codes) and records whether each entry is active or inactive.


4.jpg

NWBC Function to Actions correlation:


64.jpg


Function Permissions:


Function to Permissions associates functions with transaction codes, the respective authorization objects, field values, operators and active/inactive status.


5.jpg



NWBC Function to Permissions correlation:


65.jpg

Rule Set:


Rule Set defines the rule set, language and rule set description.


6.jpg


NWBC Rule Set correlation:


66.jpg


Risk:


Risk associates risks with functions and business processes, and defines the priority of the risk, the risk type, and active/inactive status.


7.jpg


NWBC Risk correlation:


67.jpg


Risk Description:


Risk Description defines the risk, language and risk description.


99.jpg


NWBC Risk Description correlation:


68.jpg



Risk Rule Set Relationship:


Risk Rule Set Relationship associates risks to a rule set.


9.jpg


NWBC Risk Rule Set Relationship correlation:


69.jpg


Demo of how to download a rule set in SAP Access Control 10.1:


GRAC_DOWNLOAD_RULES


Downloading the Access Control rule set via GRAC_DOWNLOAD_RULES: choose the format and accept the pop-ups.

 


Demo of how to upload a rule set in SAP Access Control 10.1:


GRAC_UPLOAD_RULES


Uploading the Access Control rule set via GRAC_UPLOAD_RULES: choose the format and accept the pop-ups.

 


Merging Rule Sets:


I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to do a demo here, but any concrete examples of merging rule sets could be viewed as divulging this proprietary information.


That said, the Excel COUNTIF, CONCATENATE and VLOOKUP functions are key to identifying records that are not contained in one of the rule sets you are merging. Here are some key takeaways for those of you engaged in rule set merging:


Key takeaways for mass modification of the rule set:



    1. When downloading the rule set, note that Function Actions and Function Permissions depend on the logical group selected. Example:
      1. If you select the APO logical group, only the APO FUNCTION_ACTIONS and FUNCTION_PERMISSIONS records are contained in the downloaded FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files.
    2. When downloading the rule set, note that if you select a connector (e.g. ECDCLNT100) the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files will contain no data.
    3. Key for the active/non-active status in the RISK, FUNCTION_PERMISSIONS and FUNCTION_ACTIONS files:

 

                                                   

Status      Value
Active      0
Non-Active  1



The primary method of updating the Access Control rule set is through NWBC and the Setup work centre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.
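The COUNTIF / VLOOKUP step from the merging section above, written out as code so the comparison is repeatable and auditable. This is an added example, not part of the original post or of SAP's tooling. It works on one of the nine files, FUNCTION_ACTIONS, and its file layout is an assumption (the real GRAC_DOWNLOAD_RULES layout is not reproduced on the page): tab-separated, no header, columns FUNCTION, ACTION, STATUS, with STATUS 0 = active and 1 = non-active as in the key above. The function and action IDs in the sample exports are constructed. It classifies rows into SAP-added, customer-added and status conflicts, builds a merged set in which the customer's decisions win, and flags customer-created functions that sit outside the Z_ namespace, which are the ones a later SAP delivery can collide with.

```python
"""Compare and merge two FUNCTION_ACTIONS rule-set exports.

Added example, not part of the original post. Assumed layout (not shown on
the page): tab-separated, no header, columns FUNCTION, ACTION, STATUS with
STATUS 0 = active, 1 = non-active. Sample IDs are constructed.
"""
from collections import namedtuple

ACTIVE, INACTIVE = "0", "1"
Diff = namedtuple("Diff", "sap_only customer_only conflicts")


def parse_function_actions(text):
    """Return {(function, action): status}; rejects malformed or duplicate
    rows instead of letting them reach GRAC_UPLOAD_RULES."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 3 or cols[2].strip() not in (ACTIVE, INACTIVE):
            raise ValueError(f"line {lineno}: expected FUNCTION<TAB>ACTION<TAB>0|1, got {line!r}")
        key = (cols[0].strip().upper(), cols[1].strip().upper())
        if key in records:
            raise ValueError(f"line {lineno}: duplicate record {key}")
        records[key] = cols[2].strip()
    return records


def diff_function_actions(sap, customer):
    """The COUNTIF / VLOOKUP step: rows present on one side only, plus rows on
    both sides whose status differs, as (key, sap_status, customer_status)."""
    sap_only = sorted(k for k in sap if k not in customer)
    customer_only = sorted(k for k in customer if k not in sap)
    conflicts = sorted((k, sap[k], customer[k])
                       for k in sap if k in customer and sap[k] != customer[k])
    return Diff(sap_only, customer_only, conflicts)


def merge_function_actions(sap, customer, custom_prefix="Z_"):
    """Merged set = SAP's rows updated with the customer's rows, so a status
    the customer changed deliberately survives the SAP update. Also returns
    customer-created functions without the custom namespace prefix."""
    merged = dict(sap)
    merged.update(customer)
    sap_functions = {f for f, _ in sap}
    custom_functions = {f for f, _ in customer} - sap_functions
    unprefixed = sorted(f for f in custom_functions if not f.startswith(custom_prefix))
    return merged, unprefixed


def serialize_function_actions(records):
    """Write records back in the same tab-separated layout, sorted for diffing."""
    return "".join(f"{f}\t{a}\t{s}\n" for (f, a), s in sorted(records.items()))


# Constructed sample exports: SAP-delivered set after the update, and the
# customer's current set with its own changes.
SAP_EXPORT = (
    "FN01\tFB60\t0\n"
    "FN01\tFB65\t0\n"
    "FN01\tMIRO\t0\n"
    "FN02\tF110\t0\n"
    "PR01\tME21N\t1\n"
)
CUSTOMER_EXPORT = (
    "FN01\tFB60\t0\n"
    "FN01\tFB65\t1\n"      # customer deactivated FB65 in FN01
    "FN02\tF110\t0\n"
    "FN02\tF111\t0\n"      # customer added an action to an SAP function
    "ZAP9\tZFB60\t0\n"     # customer function outside the Z_ namespace
    "Z_FN10\tZPAY\t0\n"    # customer function inside the Z_ namespace
)


def demo():
    sap = parse_function_actions(SAP_EXPORT)
    customer = parse_function_actions(CUSTOMER_EXPORT)
    diff = diff_function_actions(sap, customer)
    merged, unprefixed = merge_function_actions(sap, customer)
    return diff, merged, unprefixed


if __name__ == "__main__":
    diff, merged, unprefixed = demo()
    print("SAP added:", diff.sap_only)
    print("customer added:", diff.customer_only)
    print("status conflicts:", diff.conflicts)
    print("custom functions outside Z_:", unprefixed)
    print(serialize_function_actions(merged), end="")
```

Run the same three-way comparison over the other files (functions, permissions, risks) before uploading, and review the conflicts list by hand: a status the customer changed and a status SAP changed look identical in the data, and only the change history tells you which one is intended.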


In the Offline Workflow Process (OWP), a generic dump occurs when delivering the PDFs to the recipients. In ST22 we can see the following short dump:


ASEER.JPG


This short dump does not say what the issue is or how to resolve it. Below I have separated the different issues I found behind this generic message and how to resolve each:



Possible causes and solutions:

 

Valid e-mail address:

    • The users who receive the work items do not have a valid e-mail address in SU01. The e-mail is not delivered and the number of dumps in ST22 is huge.
    • More information on how to find recipients or senders without an e-mail address: http://wiki.scn.sap.com/wiki/x/QwEjFg
    • SOLUTION: All recipients and senders must have a valid e-mail address in SU01.



Risk Management inactive:

    • If you do not use Risk Management (you have disabled the application in SPRO), you can get an authorization issue when submitting the PDF to the users (for a sub-process assignment, for example). The issue is not visible, so the same message (ASSERTION_FAILED) is returned in ST22.
    • SOLUTION: Apply SAP Note 1998579 - ASSERTION_FAILED in CL_GRFN_OWP_DELIVER

 

 

GRFN_OWP_SUB_JOB_SENDER is scheduled:

    • The ABAP program GRFN_OWP_SENDER is scheduled under the job name GRFN_OWP_SUB_JOB_SENDER. The job is cancelled because there is no work item to be delivered.
    • The error message is: Failed to load header of work item
    • More information on this error message: http://wiki.scn.sap.com/wiki/x/mYI5Fg
    • SOLUTION: Cancel the background job GRFN_OWP_SUB_JOB_SENDER and leave only GRFN_OWP_SENDER

 

 

No physical content:

    • The error message is: Physical content not found for document
    • It means that the requested file is not available or not found in the client.
    • SOLUTION: Check the file name and content in the system.

 

Adobe Services:


Failed to get OWP sender e-mail address:

    1. Execute transaction SPRO.
    2. Navigate to Governance, Risk and Compliance -> Process Control -> Offline Work Process -> Configure Email Inbound Process.
    3. Insert a row with Communication Type "Internet mail".
    4. Enter a valid e-mail address in the Recipient Address column.
    5. Enter the document class "*".
    6. Enter the exit name CL_GRFN_OWP_DELIVER.
    7. Enter the call sequence.
    8. Save the settings.


GRC 10.0 - GRC Request with both System and Role Line Items

 

The most common question I have come across in this forum is how to handle GRC requests with both System and Role line items. As a system does not have an owner associated with it, the SYSTEM line item should be moved to a NO STAGE path and the remaining role line items should follow the regular path.

 

 

The end user logs on to GRC and adds both System and Role line items to the request.

 

1. Create a BRF+ initiator decision table as shown below to route the System line item to the NO STAGE path once the request is raised.

 

 

2. The MSMP configuration should look as shown below.

 

 

 

 

Once the above configuration is done, a request with both system and role line items routes the System line item to NO_ROLEOWNER_PATH and the roles to the regular path. Note that a path with no stages means the system line item is approved without any human approver; confirm that this is acceptable to your control owners before relying on it.

 

Recently I came across a unique issue where I was not able to transport the SoD rule set across clients.

 

  • SoD transport issues with GRC AC10.0 SP14

While creating the transport request as a Customizing request, the system threw an error asking me to create the transport request as a Workbench request (I understand you would all be as amazed as I was). It does not really require creating a Workbench TR to transport SoD rules across clients, but just to give it a try I created one (WB-TR); then the system started behaving strangely and did not even allow me to enter the WB-TR.

Transport issues.png

 

After a couple of tries and struggling with it, and in the absence of any supportive solutions on SDN/SCN/Google, I decided to reach out to SAP.

They provided an SAP Note, but for the system version GRCFND_A SP14 and SAP NW 740 with version 11, and as I was on version 10 I could not apply it. I then requested SAP to provide a compatible note, which I got today and which was in fact released today: SAP Note 1991730 - Not able to create transport for SoD Rules after upgrading to NW 740 SP04 AC 10.0 (http://service.sap.com/sap/support/notes/1991730). So I am now finally able to rectify the original issue with transporting SoD rule sets.

 

 

  • SoD Transport issues with GRC AC 10.1 SP04/05

For those on AC 10.1 with SP04, I am sure they would encounter similar issues while transporting the SoD rule sets across clients/systems, as I did.

Getting no solution from anywhere, I decided to reach out to SAP seeking a solution, and it was a quick and perfect one. They recommended implementing http://service.sap.com/sap/support/notes/1968082

 

This note is applicable to GRC AC 10.1 with SP04, so it is for SP04.

 

I had almost forgotten to update this information until now, when I saw a thread claiming to have encountered the same issue.

Thinking this could be new/helpful to others, I am sharing it with you.

 

Cheers,

Ameet Kumar

A large amount of time during an SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over which responsibility.

 

In this post I would like to clarify the lifecycle of user assignments to firefighter IDs. I have grouped it into four steps: Assign, Usage, Delete and Review. For each step, see the expected tasks and who is involved. Please also see my blog post about the Firefighter ID lifecycle if you are interested in more information on this topic.


The RACI matrix shows who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can be different in your organization. My considerations are common sense and driven mostly by thinking in smooth processes throughout a global enterprise.

 

 

Assignment of User to Firefighter ID

 

Tasks

  • Request FF ID assignment
  • Define validity of assignment
  • Assign user to FF ID
  • Define FF controller and method of notification

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible

RACI_FFID_User_Assign.png

 

 

Usage of Firefighter ID

 

Tasks

  • Usage of Firefighter
  • Check Firefighter logfiles

 

Involved functions

  • Firefighter ID user
  • Firefighter controller

RACI_FFID_User_Usage.png

 

 

Deletion of Firefighter ID assignment

 

Tasks

  • Delete Firefighter ID assignment

 

Involved functions

  • Firefighter owner
  • SAP GRC responsible

RACI_FFID_User_Delete.png

 

 

Review of Firefighter ID assignment

 

Tasks

  • Review if Firefighter ID assignment is still correct
  • Define actions if necessary

 

Involved functions

  • Firefighter owner
  • Firefighter controller
  • SAP authorization team
  • SAP GRC responsible

RACI_FFID_User_Review.png

 

Please contribute and share your opinion as comment to improve the quality of this document.

 

Thanks and regards,

Alessandro

Knowledge, Skill & Performance Assessments and Tests are more critical than ever, especially within such industries as Utilities, Financial Services, Public Sector, and High Tech where knowledge needs to be assessed through testing and certifications on a regular basis.

Regulatory bodies and their requirements on such testing and assessment vary by industry and country - please see here some examples: FDA Compliance (21 CFR Part 11), SOX (Sarbanes-Oxley), OSHA (Occupational Safety and Health Administration), AGG (Allgemeines Gleichbehandlungsgesetz) or GMP (Good Manufacturing Practice).

 

SAP Education recently added the assessment technology powerhouse Questionmark to its portfolio under the brand SAP Assessment Manager - so I thought this might also be of interest for the GRC space on SCN.

 

Please find here a selection of information sources on the general background as well as on the SAP Assessment Manager:

  • Intro Blog to SAP Assessment Manager with press-release, video etc. by Stewart Davis
  • Blogpost on "Making a business case for “testing out” of training/ Online assessments in compliance #1" by John Kleeman
  • If you want to see customer case studies, demos and further details, please register for one of our webinars. The first one is German-speaking, taking place this Friday at 14.00 and accessible here. Further English-speaking webinars will follow.

 

Hope this info was useful. Please use the comments section to share your feedback and questions.

A large amount of time during an SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over which responsibility.

 

In this post I would like to clarify the lifecycle of Firefighter IDs. I have grouped it into four steps: Create, Change, Delete and Review. For each step, see the expected tasks and who is involved.


I have additionally added the RACI matrix to show who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can be different in your organization. My considerations are common sense and driven mostly by thinking in smooth processes throughout a global enterprise.

Lifecycle_Mitigating_Control.png

 

Creation of Firefighter ID

Tasks

  • Define the necessary access rights of the FFID
  • Define the responsibilities (Ownership, Controller)
  • Create Firefighter ID

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner

RACI_FFID_Create.png

 

Changing of Firefighter ID

 

Tasks

  • Define the necessary changes in access rights
  • Define changes in responsibilities (Ownership, Controller)
  • Define changes of Firefighter ID (e.g. validity)

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner

RACI_FFID_Change.png

 

Deletion of Firefighter ID

 

Tasks

  • Delete the Firefighter ID
  • Document the decision of the deletion
  • Archive the associated firefighter log files

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible

RACI_FFID_Delete.png

 

Reviewing of Firefighter ID

 

Tasks

  • Review validity
  • Review firefighter ownership and controller
  • Check proper access rights

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner

RACI_FFID_Review.png

 

If you want further information or want to contribute to this blog post, do not hesitate to contact me or reply to this post directly.
