configure EAM request

Former Member
0 Kudos

Hi Folks,

I am a security consultant working on GRC 10.1. I would like to know how we could implement a change in the EAM space of GRC.

The change I want to perform is this: I want end users to log GRC requests for Firefighter access themselves.

As of now we have been doing this for other teams/end users, but to ease the work I want end users themselves to create GRC requests to grant themselves the Firefighter access.

The approval process remains the same.

Your assistance would be appreciated.

Thanks,

Shashank.

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Thanks Alessandro.

I know end users can log on to the GRC system and create an FF request for themselves.

I do not want users to have access or log on to the GRC system.

I have seen it in one of the projects: users could reach the logon window through a link, enter the ID and password of the connected system (connected to the GRC system), and create an FF request through the same credentials.

But I do not know the functionality of it and want to implement it in one of my projects.

Please assist.

Thanks,

Shashank.

plaban_sahoo6
Contributor
0 Kudos

Hi,

Either the user has an ID in GRC or not. So, as you do not want the user to have an ID in GRC, you can use the end user logon link.

Regards

Plaban

Former Member
0 Kudos

Hi Plaban,

Yes, I do not want the user to have an ID in the GRC system.

I am new at it, so please assist me. I feel this is the only solution: to have the end user logon link.

So could you please assist me with where I can find this link, or how I can set up this link, and how it works? Is the user prompted for ID and password through this link for the connected system where he needs access through the GRC process?

Please assist.

Thanks

Shashank.

Former Member
0 Kudos

Hi Shashank,

Kindly refer to the below link for detailed configuration of end user logon.

Kindly note that the end user logon screen will be presented with a standard login screen for user authentication.

If you are using LDAP or SAP HR then this can be used as user authentication data source and integrated with GRC.

Let me know if you need any other details.

Regards,

Manju

Former Member
0 Kudos

Hi Manju,

Thanks for your valuable assistance.

Unfortunately I am not able to proceed further.

When I try to maintain logon data for the service GRAC_UIBB_END_USER_LOGIN in the GRC system, it only accepts a client of the local system itself. For connecting to external clients of a different system it says "invalid SAP Client".

Please assist me on this how to move ahead from here.

Thank you in advance.

Regards,

Shashank

plaban_sahoo6
Contributor
0 Kudos

Hi,

End user functionality belongs to the GRC system only, and therefore a client of the same system should be used.

Regards

Plaban

Former Member
0 Kudos

Hi Shashank,

Please note that the Service User should exist in the GRC box only and the same needs to be maintained in the Logon Tab in SICF as Internet type user.

Follow the steps for configuring the end user logon as per the link shared previously.

Let me know if you have any other queries.

Regards,

Manju

Former Member
0 Kudos

Hi Manju,

I am referring to the same doc you provided. I created a service user in the GRC system with the below roles:

Note: Create user with below roles and user type is service type


  • SAP_GRAC_SUPER_USER_MGMT_USER
  • SAP_GRAC_ACCESS_REQUESTER
  • SAP_GRAC_BASE
  • SAP_GRAC_END_USER
  • SAP_GRAC_NWBC
  • SAP_GRAC_SPM_FFID
  • SAP_GRC_FN_BASE
  • SAP_GRC_FN_BUSINESS_USER


And I have the same ID created in the external system (call it, for example, BD1) but with different . So I suppose I have to maintain the client of the BD1 system in the GRC system (call it GD1) under the logon data tab; when I do this I get the error 'invalid sap client'.

Please assist.

I would repeat my requirement: I want users of the BD1 system to raise GRC requests for themselves using their BD1 credentials only, to assign firefighter access in the BD1 system.

I do not want users to have access in GD1 system.

Please let me know if any more info is required.

thanks

Shashank.


Former Member
0 Kudos

Hi Shashank,

First of all, there is no need to create the Service ID in the external system (BD1) for configuring end user logon.

You need to use only the Service ID created in the GRC system client in the Logon Tab for configuring the end user logon.

All the authorizations required for creating and submitting an access request in the end user logon screen come from this service user once the authentication is successful.

If you have AD or SAP HR, I would recommend having these as the user authentication source instead of authenticating via an external system (BD1).

If you are doing a test with BD1 as the authentication source, you need to maintain the entry of the BD1 connector with SU01 as the user type in "User Authentication Data Sources" under SPRO -> Access Control -> Maintain Data Sources Configuration.

Let me know if you have any other questions.

Regards,

Manju

Former Member
0 Kudos

Hi Manju,

Sorry to get back on this after a long time.

I tried maintaining the services in the GD1 system and saved them all.

And when I tested the service GRAC_UIBB_END_USER_LOGIN in GD1, the logon that appeared was of the GD1 system only, and it is taking neither my GD1 credentials nor my BD1 credentials.

My request is to have a logon screen where the user can enter the ID and password of the BD1 system and process their request.

I have already saved this: "If you are doing a test with BD1 as the authentication source, you need to maintain the entry of BD1 connector with SU01 as the user type in "User Authentication Data Sources" under SPRO-> Access Control -> Maintain Data Sources Configuration."

Please let me know if I need to do any further modification, or did I do something wrong?

Thanks in advance.

Shashank.

Former Member
0 Kudos

Hi Shashank,

Have you maintained the user authentication data source to either the GD1 or BD1 connector with SU01 as the user data type? If BD1 is an HR system you need to set it as HR.

Also enable end user verification to YES.

Refer to the below screenshots.

Regards,

Manju

Former Member
0 Kudos

Hi Manju,

I have already maintained this in the GD1 system for the BD1 system connector:

And when I test the service GRAC_UIBB_END_USER_LOGIN in GD1, I get a prompt for the ID and password of the GD1 system only:

As per my understanding, while testing the service I should be prompted for the login ID and password of the BD1 system.

Please help me to get through.

Regards

Shashank.

Former Member
0 Kudos

Hi Shashank,

Why have you maintained the sequence as 10 for one of the target connectors? Change it to 2.

Also, the authentication screen you have shared is that of the approver and not the end user logon screen.

The end user screen looks as below.

Try closing all the NWBC sessions when testing the service in SICF.

You can also directly enter the end user logon URL in the browser and check if you are able to get the above screen.

Regards,

Manju

Former Member
0 Kudos

Hi Manju,

I have made that correction in SPRO now, but no luck yet.

Please confirm a few points:

1) We have to maintain the services only in the GRC system, not the connector system?

2) When I test the service in the GRC system, it directly takes me to the same logon pad as in the screenshot I gave earlier, not any end user logon pad.

3) Is it that we need to maintain, under the logon data tab, the user who has to log in this way? I think we need to maintain only one user (system user) under the logon data tab in both the systems for RFC connectivity.

Please advise.

Regards,

Shashank

Former Member
0 Kudos

Hi Plaban,

In reference to our above chat, could you please help me out here?

I have maintained all the *_EU services in the GRC system, maintained the logon data tab details, and made the SPRO settings in the GRC system accordingly.

But when I try to test the service in the GRC system, it takes me to the logon pad of the GRC system only. I want to get redirected to the end user logon pad, where the end user can enter his ID and password and proceed further.

Please advise.

Regards,

Shashank

Former Member
0 Kudos

Hi Shashank,

1. Only the GRC system.

2. Have you maintained the guest user under Logon Data for all the 10 services in SICF? Procedure should be standard and Authentication as Internet user under Logon Data.

3. We need to maintain only the Guest user, which is of service user type. The user is not a system user. Do not club the RFC user here. EU logon uses service user type.

Regards,

Manju

alessandr0
Active Contributor
0 Kudos

Dear Shashank,

End users can log on to GRC and raise an access request of type Firefighter Access for their own user. Very straightforward. The approval process can remain the same.

Hope this helps.

Regards,

Alessandro