on 02-06-2012 10:38 AM
Hello Gurus,
We have configured GRC AC 10 along with workflows and for all scenarios things are working fine, except for "New User".
When we select
Request Type : New Request
Request for: Others
User : XYZ (This user is not present in "HR system(ERP system)", which is our data source for User search, user details & authentication)
and we select certain roles to be assigned to the user.
Then when we click the "Submit Button", it gives us an error: XYZ is not a valid User
In SPRO under CUP --> Maintain Provisioning Settings
For Global Provisioning under
"Create User if does not exist"
I have selected both "check boxes" for
1) For Change User Action
2) For Assign Role Action
Also in System Provisioning, I have ticked the option "Create User".
Note: Under Data Source Configuration I have selected "End User Verification" as Yes.
Will you please provide your inputs on what could be the reason for getting this error.
Regards,
Victor
Hello Victor,
This note might be helpful for your issue:
Note 1607510 - Unable to search for user when HR system is user data source:
"User records must be created in SU01 to link with the HR user records in order for Access Request (previously called CUP) to find the user even though the user data source system is HR."
Cheers,
Diego.
Hello Diego,
I appreciate your quick response, but I did not understand this.
If the user does not exist in any SAP system (DEV, QA), which means not even in the HR system, which again is an ERP system (Production System), then if a new personnel joins the company, how can his ID be created in SAP systems through CUP??
Please note we do not intend to use LDAP as user data source!!
So I really wonder how this request type (New User) can be of any use, if we have to create the user in the Production system (which is also the HR data source) manually before going to the CUP Access Request screen.
Please correct me if i have understood it wrong.
Thanks in advance.
Regards,
Victor
Hello Diego,
I did not understand your question
> Have you tried to use SAP datasource instead SAPHR??
I did use the source as SU01, but here my question is what is the "prerequisite" to use the NEW USER request type??
The User-Id should exist somewhere either LDAP or SAP HR ??
Please provide me some clue !!
Regards,
Victor
Victor,
I don't use SAPHR as datasource, I'm using LDAP as datasource. Anyway, if the user doesn't exist in the LDAP I fill all the required fields (names, user ID, etc.) and the user is created in the back-end without problems.
Creating the user in the back-end before creating the request in ARQ doesn't make sense. I agree with you on this point. The note I mentioned is about the search functionality... I guess the only point to consider is that the user who connects to the back-end requires authorization to create users.
Cheers,
Diego.
Hello Diego,
Yes, that's what even I am expecting!! It should create a new user!!
Can you tell me what settings have you kept for following configuration points
1) SPRO>GRC>Maintain Data Source (End User Verification) ?? (Yes or No) (I have kept "YES")
2) SPRO>GRC>User Provisioning --> Maintain Provisioning Configuration
a) Maintain System Provisioning Configuration (Have you ticked "Create User" option ? )
b) Maintain Global Provisioning Settings --> Create User if does not exist when
(I)For Change User Action
(II) For Assign Role Action
I have maintained the above options !!
Also let me know which SP of GRCFND_A you are on; I am on SP06.
I humbly request you to also have a look at my other Issue in BRM if possible
http://forums.sdn.sap.com/thread.jspa?threadID=2131605&tstart=0
Really appreciate your efforts and time !
Thanks in advance!
Regards,
Victor
Victor,
I've checked some configurations and I think the error could be due to parameter 2051:
"If set to YES, the application validates the UserID exists on the specified source system. If the user does not exist, the application does not allow the request to continue. The validation is performed when you choose Submit or press Enter."
Have you set this to "NO" ??
Cheers,
Diego.
Hi Victor and Diego,
We were facing a similar issue and it is resolved by changing the parameter to NO.
My question is that now no validation is taking place.
In change account, we are able to create request for a user ID which doesn't exist.
In new account, we are able to create a request for a User ID which already exists. It is not supposed to happen. The system should validate in both cases whether User ID exists or not. It was working fine in AC 5.3 later patches.
Let us know if you have found any solution for that.
Regards,
Sabita
Edited by: Sabita Das on Feb 7, 2012 7:41 AM
Hello Sabita!
> The system should validate in both cases whether User ID exists or not. It was working fine in AC 5.3 later patches.
If you want to validate against LDAP, SAP or another datasource, you should set this parameter to "YES", but in this case you have to make sure that the user exists there. If the parameter is set to "NO", no validation takes place. If you want to create the user if the user doesn't exist in the "change account" request, you have another option to do it: Maintain Global Provisioning Settings --> Create User if does not exist
> In new account, we are able to create a request for a User ID which already exists.
This is not documented as controlled by parameter 2051. Is it a missing functionality??
Cheers,
Diego.
Edited by: Diego I. Yaryura on Feb 8, 2012 12:23 AM
Edited by: Diego I. Yaryura on Feb 8, 2012 12:26 AM
Hi Diego,
We have checked what you have suggested. Our Search Data Source is the main backend system ECC, where all users should exist. If we keep this parameter at YES, New Account creation is not possible. If there is a new user, how can a user master exist in the system? That makes it impossible to keep it at YES.
If parameter is set to NO, validation is not happening. How did you address this conflict?
Regards,
Sabita
Hello Sabita!
I do understand your point. I guess that's why LDAP is the recommended data source:
"Using LDAP as the user data source is highly preferable, because LDAP is normally the first point of entry for users accessing the enterprise system. LDAPs generally contain as much information about the user as the SAP business system."
If you use LDAP as data source, normally you can set the parameter 2051 to YES, because users exist there.
The point you mentioned is probably a missing functionality of GRC. Actually Uday reported the same problem yesterday:
http://forums.sdn.sap.com/thread.jspa?threadID=2132910&tstart=0
Cheers,
Diego.
Hello Everyone !!
I completely agree with Diego's point!!
We must have the data validation source as "LDAP"!!
Because the network/admin team will first create the initial ID and assign the email address in LDAP, and then it follows the route of the user getting created in SAP systems or non-SAP systems.
So in this case, to resolve this conflict, one must set parameter 2051 to "Yes" in SPRO and set LDAP as the validation source!!
Regards,
Victor
Hi Victor and Diego,
I understood what you are pointing at. But my point is: what if we don't have LDAP as datasource? In fact we didn't use LDAP in AC 5.3 and in migration also, we don't expect that it would be available. When I check datasource in SPRO, I only see two options: HR and Target connector SU01.
What if someone chooses other options? That would be a big trouble. I am talking to SAP regarding this (message raised) but they are unable to give a satisfactory explanation. What they have been saying is that it checks against the datasource and not against the target system. But what if the target system is defined as datasource?
In fact in AC 5.3, this functionality was very much there. It validated in new account and if the user ID existed it would throw an error. It checked in change account and if the user ID didn't exist, it would throw an error. Of course this validation came in later patches after many messages and requests, but it was worth it.
Let us see what is the outcome.
Regards,
Sabita
Hello Sabita,
Right now we are in the process of integrating GRC with BMC Remedy software (ticketing tool).
And we are planning to fetch all information on "Users": first name, last name, details of his department manager, etc.
It is under development and will take at least 2 weeks from now to test the functionality!!
So I will disable the HR source or the LDAP source and check if this works or not and post back.
Regards,
Victor
I am glad you find your answer - but this would NOT work if you have CUA installed. I have CUA installed. User exists in ECC - the new request is to assign some role in BW landscape - since user is found in CUA, the request is created - BUT when all approved - takes ESCAPE route as user does not exist in BW system.
So, there is some issue there.
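To make the conflict in this thread concrete, here is an added model (not GRC code, not anyone's post) of the two validation behaviours: the single global switch of parameter 2051, as quoted from the documentation above, versus the request-type-aware check Sabita describes from AC 5.3. It also covers the CUA case raised just above, where the user is found in the data source but is missing from the target system. The data source and target systems are constructed sets standing in for the HR/SU01/LDAP lookups.

```python
"""Model of Access Request user-existence validation, as discussed in the thread.

Added example: DATA_SOURCE and TARGETS are constructed stand-ins for the user
data source (ECC/SU01 or LDAP) and the systems a role would be provisioned to.
"""
from dataclasses import dataclass

# Constructed sample directories (not real user IDs).
DATA_SOURCE = {"VICTOR", "SABITA"}
TARGETS = {"ECC": {"VICTOR", "SABITA"}, "BW": {"SABITA"}}


@dataclass(frozen=True)
class Request:
    request_type: str  # "NEW" (new account) or "CHANGE" (change account)
    user_id: str
    target: str        # system the role assignment would be provisioned to


def validate_param_2051(req: Request, param_2051_yes: bool) -> list[str]:
    """Behaviour described in the thread: one global flag for every request type.
    YES -> the user must exist in the data source (blocks new accounts);
    NO  -> no validation at all (change requests for unknown users pass)."""
    if param_2051_yes and req.user_id not in DATA_SOURCE:
        return [f"{req.user_id} is not a valid User"]
    return []


def validate_by_request_type(req: Request) -> list[str]:
    """The check the posters expected: the existence requirement depends on the
    request type, and role assignment is also checked against the target."""
    errors = []
    in_source = req.user_id in DATA_SOURCE
    if req.request_type == "NEW" and in_source:
        errors.append(f"{req.user_id} already exists; use a change request")
    if req.request_type == "CHANGE" and not in_source:
        errors.append(f"{req.user_id} does not exist; use a new account request")
    # CUA case: present in the data source but absent from the target landscape,
    # which otherwise surfaces only after all approvals as an escape route.
    if req.request_type == "CHANGE" and req.user_id not in TARGETS.get(req.target, set()):
        errors.append(f"{req.user_id} does not exist in target {req.target}")
    return errors
```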
Dear all
Could you already find a solution for this?
We are currently setting up GRC 10.0 and facing the same issue. We do have to make sure that users are only created with a 'new account' request; this happens due to audit requirements. So we cannot allow the change request to create a user, but if we block it then we cannot create users anymore at all.
Kind Regards,
Sibylle
Dear Sibylle,
In that case there is a setting in Global provisioning
GRC->AC->User Provisioning->Maintain Provisioning Setting->Maintain Global Provisioning Configuration->Create User if does not exist. It has two check boxes. Kindly uncheck both of them. This is valid for change requests. So if both of them are unchecked, then new users can't be created with a change request.
Regards,
Nidhi Mahajan
Hi Nidhi,
I believe the situation that Sibylle is experiencing is the same as Sabita had mentioned before.
I am on the same issue right now. Parameter 2051 doesn't allow a new account if the user data source is the target system.
Although this thread is answered, Sabita raised a good point. I don't know if it's for a new thread.
Regards,
Anderson