on 09-30-2014 8:40 PM
We have started the configuration of GRAC 10.1. For the end user, we have configured AD as the authentication to log in to the web application. As a default I only see the following options when I sign into the weblink. How do I get some of the available options I see within NWBC for our end users? I'm looking to add things like Risk Analysis, Work Inbox, Mitigating Controls and some Firefighter details.
Access Request Creation: Create access assignments, accounts
Quick Links: Access Requests, Model User, Template Based Request, Copy Request
My Profile: Manage and view personal access control information, assignments, and requests
Quick Links: My Profile, Request Status, Password Self-Service, Name Change, Register Self-Service Questions
Thank You for your assistance.
Chris:
This is not possible as the End User Home page is to allow people not in GRC to execute provisioning type requests (i.e. Access Request, Password Reset). This page is an SAP service where a requestor can be authenticated by a connected system (i.e. LDAP/AD or SAP HR), and submit requests but does not need a User ID in the GRC system directly. In actuality, it will be the 'Guest User' that is on the Logon tab of the service that is processing the request from a technical point of view. The user is listed as the requestor for the item.
For ANY items that are beyond what is on the delivered page, the user MUST have an ID in the GRC system with a valid email address and use the 'normal' NWBC page which is controlled by which security roles you provide on their SU01 entry.
I hope this helps.
Kevin Tucholke
Principal Consultant
SAP America
Thank You Kevin. This is not good news. Having to set up thousands of IDs and continuously maintain them is not what we really wanted.
Any way to configure the ABAP system with an SSO linked to AD and have those IDs set up with a set of default roles? Would this then allow the users to use their AD accounts to log into NWBC directly?
Chris:
What you can do, and I have done this at another customer, is to do an ABAP LDAP sync with users from LDAP (this is native to NetWeaver and not just GRC). The transaction to use would be RSLDAPSYNC_USER. A Basis person in your company should be aware of this program.
I did this at a large Software company for 10K+ users as they did not want to use the End User Logon page. It works perfectly. I was able to add the needed items and the 'default roles' that everyone would get to make requests, and even created a new "End User Page" that was internal to the GRC system to make use of the SSO functionality. It is also important to note that the delivered End User Logon page does not support SSO because of the functionality of that service.
You would need to look at the options in this for managing changes in users, and there are different options that you can use in this program.
Cheers,
Kevin Tucholke
Principal Consultant
SAP America
Hello,
The end user logon has a web service which is run by the guest user, as said by Kevin already.
If you maintain that, it will be applicable for all users.
If it is for a few users, you can create your own logon page, and for that you need an ABAP + workflow resource, as the person might have to use the standard OIF component; that will enable them to submit requests as well for access request submission.
Regards,
Prasant
Thanks Kevin. If you look at the actual question, Chris is looking to assign options such as Risk analysis, mitigating controls and FF related options to the end users.
I don't think every user needs access to these options. Is there a possibility to differentiate a subset of users while using the ABAP program mentioned in your post?
@Chris - I infer that you need the access only to limited or a subset of users. Confirm?
Regards,
Raghu
Hello Raghu,
Yes, we would like to be able to have one link for all users (~28,000). We then have approximately 2,500 users that would be approvers within the workflow of the various tickets.
Our goal is to have the one link, as I mentioned, not to segregate the 2,500 role owners, business controls, managers, security teams. That 2,500 number changes daily within the organization due to attrition, new hires, promotions etc. We cannot physically manage this within the ABAP.