GRACUSER is showing incorrect data

Former Member
0 Kudos

Hello,

We have 2 data sources connected to the GRC system, say SOURCE1 and SOURCE2.

User details, along with personal number, are present in both source systems. We have configured the first source system as SOURCE1 and the second as SOURCE2.

But after the synchronization, the table GRACUSER is showing the connector as SOURCE2 for some users, even though the details are present in SOURCE1.

Why has the system skipped the details in SOURCE1 and updated GRACUSER as SOURCE2?

Please advise.

Accepted Solutions (1)

0 Kudos

Hi Abhi,

I ran the sync job for and the behaviour is as per the explanation below:

GRACUSER is a master table for user data. There is a setting in SPRO->Governance, Risk and Compliance->Access Control->Maintain Data Sources Configuration->User Search Data Source.

You can list the connectors here for which you want the master data to be updated from. Whenever a repository sync job is run for a connector, if the connector is present in the data source list, all the users which are there in that system will have a new entry for this connector (overwriting the previous entry for any user which existed in the table).

Table GRACUSERCONN will contain the connector-specific entries, i.e. if a user exists in two systems there will be two entries in GRACUSERCONN, while GRACUSER will have only one entry for a user, for the connector for which the sync was last run (provided the connector was in the search data source list).

Let me know if you need further help!

Luciana

Colleen
Advisor
0 Kudos

Hey Luciana

This is great you confirmed the program and use of the Data Source.

Are you able to (pretty please) convert this into a SAP KB article in marketplace? This topic has come up a few times and would probably help everyone with SAP providing a clear explanation for user syncs

Regards

Colleen

0 Kudos

Hi Colleen,

I will do, sure, thanks for the heads up! So much information that can be put on WIKIs but problem is timeeeee! 🙂

Speak later,

Lu

Colleen
Advisor
0 Kudos

For sure - happy to contribute to the Wiki. I tried a while back but was not authorised to create pages, etc. I'm finding quite a few documents in SCN community probably belong more in the Wiki space.

If SAP and/or Moderators have ideas for Wiki improvements, possible we could identify people in the community to contribute and focus on building it?

Regards

Colleen

Former Member
0 Kudos

Hello Luciana,

Yes, you are right and thanks a lot...!

0 Kudos

KBA and WIKI are underway.. soon will be available! Thanks for moderating helpful answers!

Former Member
0 Kudos

Hello Luciana,

In continuation to this, as you said, the Sync Job updates the details from the last sync connector.

Suppose in this case SOURCE 1 has complete user details but SOURCE 2 has very limited details.

Last sync was done on SOURCE 2 and it updates the same in GRACUSER table. But we need to have this table updated based on the complete data.

Please advise whether this is possible.

Thanks in advance.

Answers (4)

Former Member
0 Kudos

Hello,

In continuation to this, as you said, the Sync Job updates the details from the last sync connector.

Suppose in this case SOURCE 1 has complete user details but SOURCE 2 has very limited details.

Last sync was done on SOURCE 2 and it updates the same in GRACUSER table. But we need to have this table updated based on the complete data.

Please advise whether this is possible.

Thanks in advance.

0 Kudos


Let me check this scenario

0 Kudos

Here we go, will explain again, I think now it will be clearer to everyone:

How entries are being added in the GRACUSER and GRACUSERCONN:

The table GRACUSERCONN will have one entry for each combination of
user vs. connector.

Example: User A exists in connectors A11 and A12. Then GRACUSERCONN table
will have two entries:

User A for A11
User A for A12

But in case of GRACUSER table, this table contains one entry per user.

So with reference to the above example, if you execute sync for connector
A11, then you will have one entry in GRACUSER for user A and A11.

If you execute a subsequent sync job, now for connector A12, then the
existing entry for user A will be overwritten with user details from
connector A12.

So it means you will have only one entry in GRACUSER at a
time, that will reflect the last connector you have run the sync for.


Now comes the role of the master user search source.

If you do not maintain anything in SPRO (.."Maintain data source
configuration") then it will work as above mentioned. The user A entry
will always be overwritten every time you run the sync for a different
connector/last connector.


But if you have maintained any of the connectors, like A11 or A12, in the
SPRO data source configuration, then the priority will be given based
on that. Note that there are sequences, so you may have one or more
data source connectors, and they will have priority among themselves
based on the sequence number they are assigned to.

Example: you have maintained A11 in SPRO then even if you will execute
sync job for A12, user A entry will not be overwritten. This is because
A12 does not have the priority.

The same applies if you have maintained A11 and A12 in data source
configuration. A11 with sequence 1, and A12 with sequence 2.

If you will execute sync job for A12, user A entry will not be
overwritten, because A11 has higher sequence priority.

How is that guys? better?

Thanks!
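
The overwrite rule explained in the post above, modelled as a small Python simulation (an added example, not part of the original post and not SAP code). The table layout, the `sync`/`misowned` helpers and the sample users are hypothetical, and the model assumes a user with no GRACUSER row yet is always inserted, which the thread does not settle.

```python
# Added illustration, not SAP code: a toy model of the update rule in the post.
# SOURCES is constructed sample data; all names here are hypothetical.
INF = float("inf")
SOURCES = {
    "A11": {"USERA": {"email": "usera@example.com", "dept": "FIN"}},
    "A12": {"USERA": {}, "USERB": {"email": "userb@example.com"}},
}

def may_overwrite(owner, incoming, sequence):
    """May a sync for `incoming` replace a GRACUSER row owned by `owner`?"""
    if not sequence:
        return True  # nothing maintained in SPRO: last sync wins
    # Lower sequence number = higher priority; unlisted connectors rank last.
    return sequence.get(incoming, INF) <= sequence.get(owner, INF)

def sync(state, connector, sequence=None):
    """Apply one repository sync for `connector` to the two modelled tables."""
    for user, details in SOURCES[connector].items():
        # GRACUSERCONN: one entry per user/connector combination, always.
        state["GRACUSERCONN"].add((user, connector))
        row = state["GRACUSER"].get(user)
        # Assumption: a user with no GRACUSER row yet is always inserted.
        if row is None or may_overwrite(row[0], connector, sequence):
            state["GRACUSER"][user] = (connector, details)

def run(order, sequence=None):
    """Run syncs in `order` from empty tables and return the final state."""
    state = {"GRACUSER": {}, "GRACUSERCONN": set()}
    for connector in order:
        sync(state, connector, sequence)
    return state

def misowned(state, sequence):
    """Users whose single GRACUSER row is not from their best-ranked connector."""
    flagged = []
    for user, (owner, _) in sorted(state["GRACUSER"].items()):
        present = sorted(c for u, c in state["GRACUSERCONN"] if u == user)
        if owner != min(present, key=lambda c: sequence.get(c, INF)):
            flagged.append(user)
    return flagged

if __name__ == "__main__":
    intended = {"A11": 1, "A12": 2}
    print(run(["A11", "A12"])["GRACUSER"]["USERA"][0])            # no config
    print(run(["A11", "A12"], intended)["GRACUSER"]["USERA"][0])  # sequenced
    print(misowned(run(["A11", "A12"]), intended))
```

`misowned` is the check for the situation in the original question: it lists users whose master row came from a lower-ranked connector than one they also exist in.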

Colleen
Advisor
0 Kudos

Hi Luciana

I think the key bit here is the assumption that you consistently manage the identity for your users and ensure their address data is current in all connected systems

If not, as you said, choose your primary data source and go from there.

Cheers

Colleen

0 Kudos

You rock!

Former Member
0 Kudos

Hello Luciana,


It's very clear now, thanks a lot for the clear explanation.

Former Member
0 Kudos

Hello Luciana

When we are trying to create an Access request in GRC 10.0 for a user, it results in user details not found.

Under SPRO - Maintain data source configuration we have configured 2 HR systems, HR1 and HR2.

But the user details exist in the HR1 system and are within validity also. We have tried to run the Repository Object Sync also, but are still unable to search the details.

But we observed that even after the Sync job, user details are not created in tables GRACUSER and GRACUSERCONN. Could this be the problem? Why is it not updating even after running the Sync job many times, almost 10 times?

We have also configured parameter 5023 to YES. Please advise.


Thanks in advance

0 Kudos

Hi Adbi,

Is this question answered? If not, let me know.

With parameter 5023 set to yes, it should go around the first connector HR1, and for missing details it would go around for HR2.

I assume HR1 is the "master connector" for user details; if details are not in HR1 and are in HR2, those should be collected. Let me know what your scenario is, with examples of user details not coming.

What is the SP level of your GRCFND_A and GRCPINW and GRCPIERP?

Thanks

Luciana

Former Member
0 Kudos

Hi Luciana,

Why are there multiple sources for USER information? If I am not wrong then the query posted here states that information that is getting updated in the table "GRACUSER" via these sources are not about the privileges/authorizations that users have.

Pardon me if you find my question very simple as I am trying to understand what is going on here and how does it work in GRC AC.

Thank you,

Nagarajan

Colleen
Advisor
0 Kudos

Hi Nagarajan

GRC allows you to connect many systems. However, your users may not exist in all the same systems and your end users are all unlikely to exist in GRC. For example:

  • UserA - SYS1, SYS3
  • UserB - SYS3
  • UserC - SYS2

By having the data sources and connectors defined you can sync all users into the GRACUSER table and they will appear as one single group. You then sequence which order for GRC to check. You might set them up as SYS3, SYS1, SYS2. In each case the system will check the user to let them in.

Your users would all exist in GRACUSER but then UserA would have another entry in GRACUSERCONN for the subsequent system (SYS1 most likely).

Regards

Colleen

Former Member
0 Kudos

Thank you for the prompt response Colleen. I am trying to understand why a user (UserA) may exist in multiple identity stores (SYS1 & SYS3) as per your above example, or are these (SYS1 & SYS3) not user identity stores?

Regards,

Nagarajan

Colleen
Advisor
0 Kudos

Hi Nagarajan

Yes in my example, the SYS* are all connected systems.

You could have:

SYS1 - SAP ECC/ERP

SYS2 - SAP SRM

SYS3 - SAP BI

So a user may have ECC and CRM access but not BI. Or a BI user may just report there but not have ECC/CRM.

Although most users would probably have ECC/ERP access you can't guarantee all users will belong in one system unless you have a specific identity management model for this. The multiple data sources provide the flexibility to tell GRC where your users exist.

Regards

colleen

Former Member
0 Kudos

Thank you for answering my question Colleen, but another question for you

So these systems are for the different modules of SAP (HR/FI/CO/MM...etc) and all of them have an identity store?

Nagarajan

Colleen
Advisor
0 Kudos

Hi Nagarajan

Do you understand the difference between a SAP Module and a SAP Component?

SAP ECC/ERP is a Component which contains the FI, CO, MM, PR, SD, etc modules.

SAP GRC, ECC, SRM, CRM, Solution Manager, APO, etc are Components. They are typically installed as standalone systems. Users get an SU01 account to each of them if they require access.

A user might have a SAP SRM account (that's one identity store) and also have a SAP ECC account (another identity store).

Two users may both have SAP ECC Account but one has authorisation to MM module whilst another has access to FI module. Both users, however, have SU01 accounts in SAP ECC.

If you do not understand component vs system, etc I recommend you read up on basic overview of SAP to understand these topics a bit better.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

I have had discussions with people who are working on SAP Basis and a few on security, and I found that each had somewhat contradicting and confusing explanations. Some of them even included CUA and it got even more confusing. My query would have got you thinking in the direction of whether I have an understanding of component vs system; I understand that, but so many discussions and various explanations always kept me thinking about how it is different in SAP.

Nagarajan

Colleen
Advisor
0 Kudos

Hi Nagarajan

Yes, terminology can be used interchangeably. Also, some people refer to logical components as separate (i.e. CUA - even though that is an ALE model - in some cases it is set up as its own system, whilst in others it is part of ERP).

Keeping it simple and back in line with this particular thread: You connect multiple systems to GRC. Each of those connections has its own user repository. In the case of an ABAP system, the user repository is the SU01 User Accounts.

As users get access to different systems (which happen to be a specific component) they will have SU01 accounts existing in different places to each other. In GRC, we connect them all to maintain centrally and therefore define our data source to look at all the places. So if a user was using the End User Login screen, they could log in with their SAP ECC or CRM password, etc. - assuming the data source was configured that way.

Does this clarify your questions or are you still unsure?

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Your response has addressed my query clearly. My understanding from those discussions with other folks was pretty clear that either they themselves had confusion or didn't know how to explain.

Thank you,

Nagarajan

Former Member
0 Kudos

Hi Luciana,

This reply is a little late, but in simple words: GRACUSER contains unique entries (user ids), which can only be obtained after running Sync from all connectors. After the sync, sequencing should be done. Else the lower priority connectors will not have their extra ids in GRACUSER.

Or, no matter the priority, the extra ids will be stored in GRACUSER. But the common ids, which were already there from a higher priority connector, will not be overridden.

Could you throw some light on this?

Former Member
0 Kudos

Hi Abhi,

You should use DB table GRACUSERCONN (Table to store connector specific user), which stores multiple entries of user id and RFC destination, instead of GRACUSER (User Table), which stores only a single entry.

Thanks

KH

Colleen
Advisor
0 Kudos

Hi Abhi

Extending on Mangesh's comment, I tested the sync jobs a while back (came up on a discussion in SCN) and I got the impression GRACUSER will store the user information for the last system the job ran for.

Every unique user across your connectors will appear once in the GRACUSER table. All subsequent accounts for the user will then appear in the GRACUSERCONN table.

You can confirm this by locating a user with both SOURCE1 and SOURCE2 accounts, then run the sync on the two systems and check in between each run to see what happens to the entries for that user in the tables.

Regards

Colleen

Former Member
0 Kudos

Hello Colleen,

In continuation to this, as you said, the Sync Job updates the details from the last sync connector.

Suppose in this case SOURCE 1 has complete user details but SOURCE 2 has very limited details.

Last sync was done on SOURCE 2 and it updates the same in GRACUSER table. But we need to have this table updated based on the complete data.

Please advise whether this is possible.

Thanks in advance.

Former Member
0 Kudos

Hi Colleen,

My connectors update GRACUSER, in spite of being on Sequence 2. Can you tell me which is higher priority, 1 or 2? I think it is 1.

Also, my FF ids from Plug-in systems are not appearing, in spite of Auth. Repository Sync, although they appear in GRACUSER.

Colleen
Advisor
0 Kudos

Hi Plaban

I thought you have your own questions opened for these questions.

I did respond to your FF Id and the GRACUSER question has been explained. Also, I think Prasant jumped in under your question and explained it as well.

Please do not hijack threads.

Regards

Colleen

Former Member
0 Kudos

Have you set the sequence for the respective systems as per requirement? The sequence will decide which system will be used as primary system for user data.

Please mention if you have same users available in both the systems, if this is the GRACUSER stores the data with the source system which has complete data with max details. GRACUSERCONN stores all the entries/multiple entries in reference to connector.