cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User Provisioning from GRC to plug-in system when plug-in system is connected to CUA

Former Member

on ‎07-16-2014 6:52 PM

0 Kudos

Hello,

Is it possible to provision user account and roles from GRC system when plug-in (ECC) is connected to CUA system. Currently, we have multiple systems and business units which we are planning on bringing them onto GRC in a phased approach. For this to happen, we need CUA working for ECC system until we bring all business units onto GRC. In short, is it possible to have dual provisioning from GRC and CUA to ECC at the same time?

Please help.

Thank you,

Pawan

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

Former Member
‎07-31-2014 3:49 PM
0 Kudos

Hi Pawan

It looks like the User ID is getting created but role are not getting assigned. This to me is a CUA issue and not GRC issue or repository synch issue. As I mentioned before, I am suprised that there was nothing that you found in the CUA trace. How about you setup your GRC as CUA box. I have that setup and it works fine. 

Thanks

Anthony

Show replies
Show replies
Former Member
‎08-01-2014 5:56 PM
0 Kudos

Hello Anthony,

Here is what I see in the SLG1 log in GRD system.

Started provisioning for request number 9000000133

End request status for request no 9000000133 is X

Created user T-CUA_45 in system CUACHILD

S:/GRCPI/GRIA_MSG:005 T-CUA_45

S:/GRCPI/GRIA_MSG:005 T-CUA_45

Message from plugin for system CUASYSXX: T-CUA_45 User does not exist in target system CUASYSXX

Callback service, req system:

Thanks,

Pawan

Former Member
‎08-01-2014 7:37 PM
0 Kudos

Try performing an auth trace on the RFC user within CUA and the RFC called by the CUA to the child system. You maybe missing key authorisations. 

Former Member
‎08-04-2014 2:25 PM
0 Kudos

I did the whole system trace (in all app servers) in CUA, GRC and ECC but could not find any missing auths.

Thanks,

Pawan

Former Member
‎07-30-2014 7:17 PM
0 Kudos

Hi Pawan

Whats the error message in the provisioning logs?

Thanks

Anthony

Show replies
Show replies
Former Member
‎07-30-2014 9:54 PM
0 Kudos

Hi Anthony,


Here is the error message:


New User:T-CUA_41 created in System(s): ECXXXXXX

T-CUA_41 User does not exist in target system ECXXXXXX

Auto provisoning failed at Path ZBRF_TEST_PATH Stage GRAC_ROLEOWNER; escape path is not enabled

Auto provisoning failed at Path ZBRF_TEST_PATH Stage GRAC_ROLEOWNER; escape path is not enabled

Post-request activities reported problems; check logs for details

Approval path processing is finished, end of path reached

Request is closed.


I still did not create the escape path.


Thank you,

Pawan

Former Member
‎07-25-2014 9:58 PM
0 Kudos

HI,

Have you maintained the CUA to Child system relationship in CUA? Also what are your SCUM settings in CUA?

It might be a good idea to share your settings via screenshots.

await your response.

Show replies
Show replies
Former Member
‎07-29-2014 9:47 PM
0 Kudos

Hello Harinam,

Yes, CUA settings are maintained in CUA settings. Please note that if I select roles from CUA and CUA Child System, everything works as expected. SCUM settings are all set to Global.

I am expecting GRC to create user id in both CUA(just account) and CUA child system if I need to provision a role in the CUA child system when user id does not exists.

Thanks,

Pawan

Former Member
‎07-16-2014 7:45 PM
0 Kudos

Yes, it is possible for GRC to provision to plugin systems connected to CUA. You need to setup CUA RFC in GRC and GRC RFC in CUA and maintain CUA plugin systems in GRC SPRO - Maintain CUA settings.

Thanks
Anthony

Show replies
Show replies
Former Member
‎07-17-2014 2:43 PM
0 Kudos

Hello Anthony,

Thank you for your reply. I have tried connecting CUA to GRC but was having issues with role import.

Here is the content of the post from few weeks back:

"I am trying to connect CUA to our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:

1. Connected CUABOX to GRCBOX like a plug-in system.

2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.

3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).

After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.

Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.

Any help in this regard is very helpful.

Thank you,

Pawan"

As I could not continue with the above I thought I would try provisioning directly from GRC to ECC Plug-in (without CUA) system while ECC was still connected to CUA. This way I can provision directly from CUA to ECC and from GRC to ECC. Is this possible?

Thank you!

Pawan

Former Member
‎07-17-2014 3:27 PM
0 Kudos

Hi Pawan

Here is where you are getting confused.

"3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX)."

ECC roles don't exist in CUA system, therefore; you cannot import ECC roles from CUABOX to GRC.  You need to import the ECC roles in GRC, and create an ARQ for ECC and it will assign access to ECC through CUA.

Hope this helps

Anthony

Former Member
‎07-17-2014 6:26 PM
0 Kudos

Hi Anthony,

Thank you for your response.

Sorry, I was not very clear, I am importing roles from plug-in systems through back end option.

When I try to provision new accounts from GRC through CUA to ECC plug-in system, it creates the id in ECC but does not assign the roles and it says the following:

Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY

New User:T-CUA_02 created in System(s): ECBCL020 (created without role assignments)

T-CUA_02 User does not exist in target system CUA


Is it possible to configure GRC in such a way that it creates the account in CUA if it does not exist in CUA system also?


I know we have this option for plug-in system and it works but I am not exactly sure where to set it for CUA system also.


Thank you,

Pawan

Former Member
‎07-17-2014 7:40 PM
0 Kudos

Hi Pawan

The issue seems to be related to your configuration. I would first check SLG1 logs to see if it gives additional details about the error. Verify SPRO config - Maintain Global provisioning settings and Maintain CUA settings are correct. Make sure the RFC UserID for CUA has access to create users and assign roles in CUA. You can trace the system user in CUA to see if it is missing access

In CUA, check your SCUM settings for roles tab (should be global). Also make sure if you have mandatory field in CUA SU01, then the fields are specified in your GRC access request.  I have seen cases where SU01 company address or emails address format was wrong and roles were not assigned to user.

Hope this helps.

Thanks

Anthony

Former Member
‎07-17-2014 8:29 PM
0 Kudos

Hi Anthony,

Thank you again for your response.

Here is what I see in SLG1 which I have been ignoring:

Config Error,Function Module is not maintained for Plug-in

I have checked the Company Address and Email are consistent.

To rule out that it is not because of above attributes, I have imported a role from CUA into GRC and created a new account access request to assign a role in both CUA and ECC.

After approvals this request has created user in both CUA and ECC with the requested roles. So, now I have to figure out if there is way to assign system access (CUA) or role access (without approval) by default for new account request type.

Thank you,

Pawan

Former Member
‎07-17-2014 9:10 PM
0 Kudos

Hi Pawan

Function Module not maintained means that you havent installed the correct GRC 10 software plugin in CUA (GRCPINW). Please confirm with your Basis team that you installed the GRC plugin in your CUA box

Thanks

Anthony

Former Member
‎07-17-2014 9:33 PM
0 Kudos

Hi Anthony,

We have the GRCPINW installed in both CUA and ECC systems.

GRCPINWV1100_7000003

Thank you,

Pawan

Former Member
‎07-18-2014 3:16 PM
0 Kudos

Hi Pawan

Based on the error, it looks like some FM is missing in CUA. Try and do an ST01 trace on the CUA RFC ID. You will be able to see what FM is missing.

Thanks

Anthony

Former Member
‎07-18-2014 7:56 PM
0 Kudos

Hi Anthony,

I have done both ST01 and ST05 tracing and could not find anything unusual. I have been ignoring this error intentionally because GRC does work the way it is supposed when I do not have CUA enabled.

Thanks,

Pawan

Ask a Question