on 07-16-2014 6:52 PM
Hello,
Is it possible to provision user account and roles from GRC system when plug-in (ECC) is connected to CUA system. Currently, we have multiple systems and business units which we are planning on bringing them onto GRC in a phased approach. For this to happen, we need CUA working for ECC system until we bring all business units onto GRC. In short, is it possible to have dual provisioning from GRC and CUA to ECC at the same time?
Please help.
Thank you,
Pawan
Hi Pawan
It looks like the User ID is getting created but role are not getting assigned. This to me is a CUA issue and not GRC issue or repository synch issue. As I mentioned before, I am suprised that there was nothing that you found in the CUA trace. How about you setup your GRC as CUA box. I have that setup and it works fine.
Thanks
Anthony
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Anthony,
Here is what I see in the SLG1 log in GRD system.
Started provisioning for request number 9000000133
End request status for request no 9000000133 is X
Created user T-CUA_45 in system CUACHILD
S:/GRCPI/GRIA_MSG:005 T-CUA_45
S:/GRCPI/GRIA_MSG:005 T-CUA_45
Message from plugin for system CUASYSXX: T-CUA_45 User does not exist in target system CUASYSXX
Callback service, req system:
Thanks,
Pawan
Hi Pawan
Whats the error message in the provisioning logs?
Thanks
Anthony
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Anthony,
Here is the error message:
New User:T-CUA_41 created in System(s): ECXXXXXX
T-CUA_41 User does not exist in target system ECXXXXXX
Auto provisoning failed at Path ZBRF_TEST_PATH Stage GRAC_ROLEOWNER; escape path is not enabled
Auto provisoning failed at Path ZBRF_TEST_PATH Stage GRAC_ROLEOWNER; escape path is not enabled
Post-request activities reported problems; check logs for details
Approval path processing is finished, end of path reached
Request is closed.
I still did not create the escape path.
Thank you,
Pawan
HI,
Have you maintained the CUA to Child system relationship in CUA? Also what are your SCUM settings in CUA?
It might be a good idea to share your settings via screenshots.
await your response.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Harinam,
Yes, CUA settings are maintained in CUA settings. Please note that if I select roles from CUA and CUA Child System, everything works as expected. SCUM settings are all set to Global.
I am expecting GRC to create user id in both CUA(just account) and CUA child system if I need to provision a role in the CUA child system when user id does not exists.
Thanks,
Pawan
Yes, it is possible for GRC to provision to plugin systems connected to CUA. You need to setup CUA RFC in GRC and GRC RFC in CUA and maintain CUA plugin systems in GRC SPRO - Maintain CUA settings.
Thanks
Anthony
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Anthony,
Thank you for your reply. I have tried connecting CUA to GRC but was having issues with role import.
Here is the content of the post from few weeks back:
"I am trying to connect CUA to our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
Pawan"
As I could not continue with the above I thought I would try provisioning directly from GRC to ECC Plug-in (without CUA) system while ECC was still connected to CUA. This way I can provision directly from CUA to ECC and from GRC to ECC. Is this possible?
Thank you!
Pawan
Hi Pawan
Here is where you are getting confused.
"3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX)."
ECC roles don't exist in CUA system, therefore; you cannot import ECC roles from CUABOX to GRC. You need to import the ECC roles in GRC, and create an ARQ for ECC and it will assign access to ECC through CUA.
Hope this helps
Anthony
Hi Anthony,
Thank you for your response.
Sorry, I was not very clear, I am importing roles from plug-in systems through back end option.
When I try to provision new accounts from GRC through CUA to ECC plug-in system, it creates the id in ECC but does not assign the roles and it says the following:
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_02 created in System(s): ECBCL020 (created without role assignments)
T-CUA_02 User does not exist in target system CUA
Is it possible to configure GRC in such a way that it creates the account in CUA if it does not exist in CUA system also?
I know we have this option for plug-in system and it works but I am not exactly sure where to set it for CUA system also.
Thank you,
Pawan
Hi Pawan
The issue seems to be related to your configuration. I would first check SLG1 logs to see if it gives additional details about the error. Verify SPRO config - Maintain Global provisioning settings and Maintain CUA settings are correct. Make sure the RFC UserID for CUA has access to create users and assign roles in CUA. You can trace the system user in CUA to see if it is missing access
In CUA, check your SCUM settings for roles tab (should be global). Also make sure if you have mandatory field in CUA SU01, then the fields are specified in your GRC access request. I have seen cases where SU01 company address or emails address format was wrong and roles were not assigned to user.
Hope this helps.
Thanks
Anthony
Hi Anthony,
Thank you again for your response.
Here is what I see in SLG1 which I have been ignoring:
Config Error,Function Module is not maintained for Plug-in
I have checked the Company Address and Email are consistent.
To rule out that it is not because of above attributes, I have imported a role from CUA into GRC and created a new account access request to assign a role in both CUA and ECC.
After approvals this request has created user in both CUA and ECC with the requested roles. So, now I have to figure out if there is way to assign system access (CUA) or role access (without approval) by default for new account request type.
Thank you,
Pawan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.