New User Request cannot be submitted in GRC AC 10

Former Member
0 Kudos

Hello Gurus,

We have configured GRC AC 10 along with workflows, and for all scenarios things are working fine, except for "New User".

When we select

Request Type : New Request

Request for: Others

User : XYZ (This user is not present in "HR system(ERP system)", which is our data source for User search, user details & authentication)

and we select certain roles to be assigned to the user.

Then when we click "Submit Button", it gives us an error: XYZ is not a valid User

In SPRO under CUP --> Maintain Provisioning Settings

For Global Provisioning under

"Create User if does not exist"

I have selected both "check boxes" for

1) For Change User Action

2) For Assign Role Action

Also in System Provisioning, I have ticked the option "create User".

Note: Under Data Source Configuration I have selected "End User Verification" as Yes.

Will you please provide your inputs on what could be the reason for getting this error.

Regards,

Victor

Accepted Solutions (1)

Former Member
0 Kudos

Hello Victor,

This note might be helpful for your issue:

Note 1607510 - Unable to search for user when HR system is user data source:

"User records must be created in SU01 to link with the HR user records in order for Access Request (previously called CUP) to find the user even though the user data source system is HR."

Cheers,

Diego.

Former Member
0 Kudos

Hello Diego,

I appreciate your quick response, but I did not understand this.

If the User does not exist in any SAP system (DEV, QA), which means not even in the HR system, which again is an ERP system (Production System), then if a New Personnel joins the company, how can his ID be created in SAP systems through CUP ??

Please note we do not intend to use LDAP as user data source !!

So I really wonder how this request type "New User" can be of any use, if we have to create the user in the Production system (which is also an HR data source) manually before going to the CUP Access request Screen.

Please correct me if I have understood it wrong.

Thanks in advance.

Regards,

Victor

Former Member
0 Kudos

Hello Victor,

As far as I understand, the problem described in the note is about the search functionality.

Anyway, have you tried to use SAP datasource instead of SAPHR??

Cheers,

Diego.

Former Member
0 Kudos

Hello Diego,

I did not understand your question.

> Have you tried to use SAP datasource instead of SAPHR??

I did use the source as SU01, but here my question is what is the "prerequisite" to use the NEW USER request type??

The User-Id should exist somewhere, either LDAP or SAP HR ??

Please provide me some clue !!

Regards,

Victor

Former Member
0 Kudos

Victor,

I don't use SAPHR as datasource, I'm using LDAP as datasource. Anyway, if the user doesn't exist in the LDAP I fill in all the required fields (names, user ID, etc.) and the user is created in the back-end without problems.

Creating the user in the back-end before creating the request in ARQ doesn't make sense. I agree with you on this point. The note I mentioned is about the search functionality... I guess the only point to consider is that the user who connects to the back-end requires authorization to create users.

Cheers,

Diego.

Former Member
0 Kudos

Hello Diego,

Yes, that's what even I am expecting !! It should create a new User !!

Can you tell me what settings you have kept for the following configuration points

1) SPRO>GRC>Maintain Data Source (End User Verification) ?? (Yes or No) (I have kept "YES")

2) SPRO>GRC>User Provisioning -->Maintain Provisioning Configuration

a) Maintain System Provisioning Configuration (Have you ticked "Create User" option ? )

b) Maintain Global Provisioning Settings --> Create User if does not exist when

(I)For Change User Action

(II) For Assign Role Action

I have maintained the above options !!

Also let me know which SP of GRCFND_A you are on; I am on SP06.

I humbly request you to also have a look at my other Issue in BRM if possible

http://forums.sdn.sap.com/thread.jspa?threadID=2131605&tstart=0

Really appreciate your efforts and time !

Thanks in advance!

Regards,

Victor

Former Member
0 Kudos

Victor,

I've checked some configurations and I think the error could be due to parameter 2051:

"If set to YES, the application validates the UserID exists on the specified source system. If the user does not exist, the application does not allow the request to continue. The validation is performed when you choose Submit or press Enter."

Have you set this to "NO" ??

Cheers,

Diego.

Former Member
0 Kudos

Dear Diego,

Good Morning !!

Your analysis was spot on !!

My issue is resolved, thanks a lot for your valuable inputs.

Regards,

Victor

Former Member
0 Kudos

Hi Victor and Diego,

We were facing a similar issue and it is resolved by changing the parameter ID to NO.

My question is that now no validation is taking place.

In change account, we are able to create request for a user ID which doesn't exist.

In new account, we are able to create a request for a User ID which already exists. It is not supposed to happen. The system should validate in both cases whether User ID exists or not. It was working fine in AC 5.3 later patches.

Let us know if you have found any solution for that.

Regards,

Sabita

Edited by: Sabita Das on Feb 7, 2012 7:41 AM

Former Member
0 Kudos

Hello Sabita!

> The system should validate in both cases whether User ID exists or not. It was working fine in AC 5.3 later patches.

If you want to validate against LDAP, SAP or other datasource, you should set this parameter to "YES", but in this case you have to make sure that the user exists there. If the parameter is set to "no", no validation takes place. If you want to create the user if the user doesn't exist in the "change account" request, you have another option to do it: Maintain Global Provisioning Settings --> Create User if does not exist

> In new account, we are able to create a request for a User ID which already exists.

This is not documented as controlled in the parameter 2051. Is it a missing functionality??

Cheers,

Diego.

Edited by: Diego I. Yaryura on Feb 8, 2012 12:23 AM

Edited by: Diego I. Yaryura on Feb 8, 2012 12:26 AM

Former Member
0 Kudos

Hi Diego,

We have checked what you have suggested. Our Search Data Source is the Main backend system ECC where all users should exist. If we keep this parameter to yes, New Account creation is not possible. If there is a new user, how can a user master exist in the system? That makes it impossible to keep it YES.

If parameter is set to NO, validation is not happening. How did you address this conflict?

Regards,

Sabita

Former Member
0 Kudos

Hello Sabita!

I do understand your point. I guess that's why LDAP is the recommended data source:

"Using LDAP as the user data source is highly preferable, because LDAP is normally the first point of entry for users accessing the enterprise system. LDAPs generally contain as much information about the user as the SAP business system."

If you use LDAP as data source, normally you can set the parameter 2051 to YES, because users exist there.

The point you mentioned is probably a missing functionality of GRC. Actually Uday reported the same problem yesterday:

http://forums.sdn.sap.com/thread.jspa?threadID=2132910&tstart=0

Cheers,

Diego.

Former Member
0 Kudos

Hello Everyone !!

I completely agree with Diego's point !!

We must have Data validation source as "LDAP" !!

Because the network/admin team will first create his initial Id & assign the email address in LDAP and then it follows the route of user getting created in SAP systems or Non-SAP Systems.

So in this case, to resolve this conflict, one must set the Parameter to "Yes" in SPRO for parameter 2051 and set LDAP as Validation Source !!

Regards,

Victor

Former Member
0 Kudos

Hi Victor and Diego,

I understood what you are pointing out. But my point is what if we don't have LDAP as datasource? In fact we didn't use LDAP in AC5.3 and in migration also, we don't expect that would be available. When I check datasource in SPRO, I only see two options - HR and Target connector SU01.

What if someone chooses other options? That would be a big trouble. I am talking to SAP regarding this (Message raised) but they are unable to give a satisfactory explanation. What they have been saying is that it checks against datasource and not against target system. But what if the target system is defined as datasource?

In fact in AC5.3, this functionality was very much there. It validated in new account and if user ID existed it would throw error. It checked in change account and if user ID didn't exist, it would throw error. Of course this validation came in later patches after many messages and requests, but it was worth it.

Let us see what is the outcome.

Regards,

Sabita

Former Member
0 Kudos

Hello Sabita,

Right now we are currently in the process of integrating GRC with BMC Remedy software (ticketing tool).

And we are planning to fetch all information of "Users": first name, last name, details of his department manager etc.

It is under development and will take at least 2 weeks from now to test the functionality !!

So I will disable the HR source or the LDAP source and check if this works or not and post back.

Regards,

Victor

Former Member
0 Kudos

I am glad you found your answer - but this would NOT work if you have CUA installed. I have CUA installed. User exists in ECC - the new request is to assign some role in BW landscape - since user is found in CUA, the request is created - BUT when all approved - takes ESCAPE route as user does not exist in BW system.

So, there is some issue there.

Answers (1)

Former Member
0 Kudos

Dear all

Could you already find a solution for this?

We are currently setting up GRC 10.0 and facing the same issue. We do have to make sure that users are only created with a 'new account' request; this happens due to audit requirements. So we cannot allow the change request to create a user, but if we block it then we cannot create users anymore at all.

Kind Regards,

Sibylle

former_member704195
Participant
0 Kudos

Dear Sibylle,

In that case there is a setting in Global provisioning

GRC->AC->user provisioning->Maintain provisioning setting-> Maintain global provisioning configuration-> Create user if does not exist. It has two check boxes. Kindly uncheck both of them. This is valid for change request. So if both of them are unchecked then new users can't be created with change request.

Regards,

Nidhi Mahajan

Former Member
0 Kudos

Dear Nidhi

Thanks for your reply. That's what we tried, but if we uncheck these check boxes, then no user gets created anymore, even though we use the 'new account' request to create a new user.

Did you face this as well?

Thanks a lot.

Sibylle

former_member704195
Participant
0 Kudos

Can you check whether the request type New account has the corresponding action Create user in IMG configuration?

Former Member
0 Kudos

Hi Nidhi

Yes, we do have 'Create Account' and 'Assign Object' in the New Account; in the Change Account we do have 'Change User' and 'Assign Object'.

former_member704195
Participant
0 Kudos

Dear Sibylle,

These checks should not affect New account in any way. Please let me know what error message you get if you create a user with new account and both the checkboxes are unchecked.

regards,

Nidhi

Former Member
0 Kudos

Hi Nidhi,

I believe the situation that Sibylle is experiencing is the same as Sabita had mentioned before.

I am on the same issue right now. The parameter 2051 doesn't allow new account if the user data source is the target system.

Although this thread is answered, Sabita raised a good point. I don't know if it's for a new thread.

Regards,

Anderson