on 06-01-2016 10:03 PM
Hi Folks,
I am a security consultant working on GRC 10.1. I would like to know how we could implement a change in the EAM space of GRC.
The change I want to perform is: I want end users to log GRC requests for Firefighter access themselves.
As of now we have been doing this for other teams/end users, but to ease the work I want end users themselves to create the GRC request to grant themselves Firefighter access.
The approval process remains the same.
Your assistance would be appreciated.
Thanks,
Shashank.
Thanks Alessandro.
I know end users can log on to the GRC system and create an FF request for themselves.
I do not want users to have access or log on to the GRC system.
I have seen it in one of the projects: users could reach the logon window through a link, enter the ID and password of the connected system (connected to the GRC system) and create an FF request through the same credentials.
But I do not know the functionality of it and want to implement it in one of my projects.
Please assist.
Thanks,
Shashank.
Hi Plaban,
Yes, I do not want the user to have an ID in the GRC system.
I am new at it, so please assist me. I feel this is the only solution: to have the end user logon link.
So could you please assist me with where I can find this link, or how I can set up this link, and how it works? Is the user prompted through this link for the ID and password of the connected system where he needs access through the GRC process?
Please assist.
Thanks
Shashank.
Hi Shashank,
Kindly refer to the link below for detailed configuration of end user logon.
Kindly note that the end user logon screen will be presented with a standard login screen for user authentication.
If you are using LDAP or SAP HR then this can be used as user authentication data source and integrated with GRC.
Let me know if you need any other details.
Regards,
Manju
Hi Manju,
Thanks for your valuable assistance.
Unfortunately I am not able to proceed further.
When I try to maintain logon data for service GRAC_UIBB_END_USER_LOGIN in the GRC system, it only accepts the client of the local system itself. For connecting to external clients of a different system it says "invalid SAP Client".
Please assist me on how to move ahead from here.
Thank you in advance.
Regards,
Shashank
Hi Shashank,
Please note that the Service User should exist in the GRC box only and the same needs to be maintained in the Logon Tab in SICF as Internet type user.
Follow the steps for configuring the end user logon as per the link shared previously.
Let me know if you have any other queries.
Regards,
Manju
Hi Manju,
I am referring to the same doc you provided. I created a service user in the GRC system with the below roles:
Note: Create user with below roles and user type is service type
And I have the same ID created in the external system (name it, for example, BD1) but with different . So I suppose I have to maintain the client of the BD1 system in the GRC system (name it GD1) under the logon data tab, so when I do this I get the error 'invalid sap client'.
Please assist.
I would repeat my requirement: I want users of the BD1 system to raise a GRC request for themselves using their BD1 credentials only, to assign firefighter access in the BD1 system.
I do not want users to have access in GD1 system.
Please let me know if any more info is required.
Thanks
Shashank.
Hi Shashank,
First of all, there is no need to create the Service ID in the external system (BD1) for configuring end user logon.
You need to use only the Service ID created in the GRC system client in the Logon Tab for configuring the end user logon.
All the authorizations required for creating and submitting an access request in the end user logon screen come from this service user once the authentication is successful.
If you have AD or SAP HR, I would recommend having these as the user authentication source instead of authenticating via an external system (BD1).
If you are doing a test with BD1 as the authentication source, you need to maintain the entry of the BD1 connector with SU01 as the user type in "User Authentication Data Sources" under SPRO -> Access Control -> Maintain Data Sources Configuration.
Let me know if you have any other questions.
Regards,
Manju
Hi Manju,
Sorry to get back on this after a long time.
I tried maintaining the services in the GD1 system and saved them all.
And when I did a test of the service GRAC_UIBB_END_USER_LOGIN in GD1, the logon that appeared was for the GD1 system only, and it is taking neither my GD1 credentials nor my BD1 credentials.
My request is to have a logon screen where the user can enter the ID and password of the BD1 system and process their request.
I have already saved: "If you are doing a test with BD1 as the authentication source, you need to maintain the entry of BD1 connector with SU01 as the user type in "User Authentication Data Sources" under SPRO -> Access Control -> Maintain Data Sources Configuration."
Please let me know if I need to do any further modification, or did I do something wrong?
Thanks in advance.
Shashank.
Hi Manju,
I have already maintained this in the GD1 system for the BD1 system connector:
And when I test the service in GD1 (GRAC_UIBB_END_USER_LOGIN), I get a prompt for the ID and password of the GD1 system only:
As per my understanding, while testing the service I should be prompted for the login ID and password of the BD1 system.
Please help me to get through.
Regards
Shashank.
Hi Shashank,
Why have you maintained the sequence as 10 for one of the target connectors? Change it to 2.
Also, the authentication screen you have shared is that of the approver and not the end user logon screen.
The end user screen looks as below
Try closing all the NWBC sessions when testing the service in SICF.
You can also directly enter the end user logon URL in the browser and check if you are able to get the above screen.
Regards,
Manju
Hi Manju,
I have made that correction in SPRO now, but no luck yet.
Please confirm a few points:
1) We have to maintain the services only in the GRC system, not the connector system?
2) When I test the service in the GRC system, it directly takes me to the same logon pad as in the screenshot I gave earlier, not any end user logon pad.
3) Is it something like we need to maintain, under the logon data tab, the user who has to log in this way? I think we need to maintain only one user (system user) under the logon data tab in both the systems for RFC connectivity.
Please advise.
Regards,
Shashank
Hi Plaban,
In reference to our chat above, could you please help me out here?
I have maintained all the *_EU services in the GRC system, maintained the logon data tab details, and made the SPRO settings in the GRC system accordingly.
But when I try to test the service in the GRC system, it takes me to the logon pad of the GRC system only. I want to get redirected to the end user logon pad where the end user can enter his ID and password and proceed further.
Please advise.
Regards,
Shashank
Hi Shashank,
1. Only the GRC system.
2. Have you maintained the guest user under Logon Data for all the 10 services in SICF? Procedure should be standard and Authentication as Internet user under Logon Data.
3. We need to maintain only the Guest user, which is of service user type. The user is not a system user. Do not club the RFC user here. EU logon uses service user type.
Regards,
Manju
Dear Shashank,
End users can log on to GRC and raise an access request of type Firefighter Access for their own user. Very straightforward. The approval process can remain the same.
Hope this helps.
Regards,
Alessandro