cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

No password sent in GRC10 notification for new users

Former Member

on ‎08-20-2014 7:10 AM

0 Kudos

Hi,

I have a strange problem in our GRC10 system. 

We send email notifications to users on completion of user access requests after provisioning is complete.  The notification contains the PROVISIONING variable, so new users should be notified of their initial password in the message.  This works fine on tests against our development system.  The email contains the user ID, the roles assigned, and the password information.

However when the same process is followed in our Production system, the notification only contains the user ID and roles provisioned - no sign of any password information.

We're currently running GRC 10.0 SP13.  The plugins are all updated to the same level.  We have the global provisioning configuration set OK, and all SAP Notes that appear to be related to the problem have been applied - but I still can't get emails to be displayed in the email notifications to new users.

Can anyone offer any hints or suggestions to try?  I have even looked at password-related startup profile parameters as a last desperate straw.  I found 4 differences in settings between our Dev and Prod systems. would theses cause an issue?  the parameters were:

                                                                   Dev             Prod

login/min_password_digits                               0                  1

login/min_password_letters                              0                  1

login/password_downwards_compatibility          1                  3

login/password_max_reset_valid                     N/A                30

That 4th parameter doesn't exist in our Dev profile.

please help - I'm desperate on this one...

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎08-20-2014 11:13 PM
0 Kudos

HI La,

Please let us know if you found a resolution I have followed the recommendations but no luck..

Thanks all

Show replies
Show replies
Colleen
Advisor
Advisor
‎08-20-2014 7:55 AM
0 Kudos

Hi Ian

Do you have any differences in the table PRGN_CUST for GEN_PSW* entries? Attributes in this table control generated password proposals (the magic wand button in SU01) which is what GRC uses.

Are you able to temporarily switch DEV parameters to match PRD to rule out system parameters?

Also, you can use transaction SCU0 and compare your configuration for GRC between DEV and PRD to ensure you have no environment differences

Regards

Colleen

Show replies
Show replies
Former Member
‎08-20-2014 11:26 PM
0 Kudos

Hi Colleen,

My PRGN_CUST table entries are identical in Dev and Prod systems.

SCU0 comparisons show only expected differences for new config in Dev system not yet ready for Prod, and which is for different SAP ERP system connections.

The system parameter differences haven't been tested yet, and I have hopes...  but I need to coordinate that with our Basis team.

Colleen
Advisor
Advisor
‎08-21-2014 2:44 AM
0 Kudos

Sill questions... but are both systems on the same support pack level, etc? It seems strange that you mention some of the parameters do not exist in DEV

Former Member
‎08-21-2014 3:03 AM
0 Kudos

Hi Colleen

yes, we are on the same SP level on Dev and Prod ERP systems, for Basis and GRC plugin.  Also the same SP level for GRC and plugin on GRC Dev and Prod systems, although different Netweaver versions to that on our ERP systems.

The parameter login/password_max_reset_valid is an optional parameter that we only turned on in our Production system.  I don't know if that could impact the result, but I'm hoping not

Colleen
Advisor
Advisor
‎08-21-2014 3:17 AM
0 Kudos

Hi Ian

Ahh I misread your last line when you mentioned "4th parameter does not exist in our DEV profile".

Possibly another pointless question - do the change documents in the target system actually show the password being reset? Possibly it is the plug-in system and not the GRC notification that is the issue?

Regards

Colleen

Former Member
‎08-21-2014 4:16 AM
0 Kudos

Hi Colleen,

Probably nothing is pointless - but I checked change docs and yes, password is being created in the process by the connector, when user is created.

...also, a test changing system profile parameters in our Dev system to match Prod system had no effect - the notification email includes the password before and after the change.  It's only when a request is processed in our Prod system that no password is included in the email - somehow that information is either ignored or not passed back to the GRC system from the target Prod system.

looks like I'm running out of options to try now... 😞

Colleen
Advisor
Advisor
‎08-21-2014 4:32 AM
0 Kudos

Hi Ian

I'm starting to run out of suggestions for you.I would probably put a trace on the RFC back to the GRC to see what the system user does. AS well as that check ST22, SM21 and SLG1 logs to see if any error. Already you've confirmed configuration and system match each other so it's down to data and security or program issue.

In using the trace, may be able to identify the function module/RFC and then do a consistency check on the code to make sure nothing out of the ordinary there.  Depending on your background grabbing an ABAPer would help her.

Also, as it's your production system do you have multiple app servers and load balancing in play? It's one area where your DEV and PROD may vary. Possibly the password is "leaving" the plug-in but getting lost in the nether as it goes to your GRC. I'm taking a complete stab here and showing my deficiency in Basis and System Admin.

Otherwise, unless Marketplace has another correction not you probably need to raise an Incident.

Regards

Colleen

alessandr0
Active Contributor
‎08-20-2014 7:20 AM
0 Kudos

Dear Ian,

basic question: can you check your notification template if the correct variable is used in there? Can be either %PROVISIONING% or %PROVISIONING_WITHOUT_PASSWORD% (which does not include the password information).

Basically on SP13 it should work without any issue.

Regards,

Alessandro

Show replies
Show replies
Former Member
‎08-20-2014 7:31 AM
0 Kudos

Hi Alessandro,

Yes, we are using the %PASSWORD% variable, and exactly the same text in the notification message in both systems.  This is why I am searching desperately for some other odd setting that might have been missed... 

Former Member
‎08-20-2014 7:43 AM
0 Kudos

HI la,

Below are the basic steps to check the issue.

1. Check in Global provisioning setting whether you have set YES for the below status

2. In MSMP for the process ID, have you selected Manual provisioning in the Task setting for the specific stage.. and if you are not using this then uncheck it

3. Check the provisioning log in the access management, whether the user is provisioned in the satellite system, if yes then

4. Also check wheather any password parameters you have maintained in the connected systems

please check all this steps and let us know

Thanks,

Sriram

Former Member
‎08-20-2014 11:43 PM
0 Kudos

Hi Sriram,

the basic steps all match up fine...

1.  yes, the Email status Send Password setting is YES in our system.

2.  Manual Provisioning is not selected

3.  Users are provisioned fine in the target system, with an initial password set - I just don't have any information on what the password is.  The provisioning log shows all the correct information.

4.  The password parameters in the PRGN_CUST table match in both target systems.  Password parameters in the system profile differ.  That is being discussed with our Basis team to arrange a time to test with minimal conflicts

Former Member
‎08-21-2014 5:17 AM
0 Kudos

Hi Ian,

Hope you are doing good.

To isolate the issue between the GRC and the target systems you can do the below.,

- Hook the GRC prod to any other non prod

- Hook the GRC non prod to your prod target system

Also GRC stores the password from the target systems in the table GRACREQUSRPASS before sending it out in the email notification.

I'm guessing the issue is with your target system and the GRC is not receiving the password at all.

Thanks.

Regards,

Muthu

Ask a Question