cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC AC 10.0: PFCG Authorisation Sync Fail - Please Help :)

Go to solution
Former Member

on ‎04-27-2013 9:50 PM

0 Kudos

Hello everyone,

We have GRC AC 10.0 installed with ECC 6.0 backend (SAP_BASIS 702  006 SAPKB70206).

I have an error as follows:

The RFC connector has been created and tested, with the connection working (but there may still a problem - I don't know).

I am trying to Sync the PFCG master data from the ECC back end system to the GRC box using the TCode: GRAC_AUTH_SYNC and I get the following error:

Starting authorization sync for connector RFCCon1 and language EN

Error: Scenario Link is not defined in grfnconnscnlk table for RFCCon1

PFCG authorization sync failed with errors


What is this Scenario Link ? and what is that table it referring to ?

If by Scenario Link, it is meant the Integration Scenarios specific to Access Control (AUTH, PROV, ROLMG, SUPMG) which is set via Maintain Connection Settings in IMG - I've done that (see p86 of GRC300 or P7 of AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis)

These are the documents that have been referred to get here - so any help would be greatly appreciated.

1.GRC 10.0 Pre-Installation Customer Solution Adoption April 4th 2011

2. Installation Guide SAP Access Control™ 10.0, Process Control™ 10.0, and Risk Management™ 10.0

3. Installation Checklist for Access Control 10.0

4. GRC 10.0 Post-Installation Customer Solution Adoption June 27th2011

5. AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis Customer Solution Adoption April 11th 2011

6. AC 10.0 Post-Installation Customer Solution Adoption April 6th2011

7.GRC300 SAP Business Objects Access Control Implementation and Configuration

There is one point of interest though, from the AC 10.0 Post-Installation file (No 6 above) from slide 15 of Set Connector Application Type, there is suppose to be an option of "set the "Active" checkbox for your connector" - which is also stated on P86 of GRC300 AC under 9. Maintain Connector Settings c) Check Active. My system doesn't have such a checkbox for Check Active.

Any help would be greatly appreciated to resolve this issue so that we can test the basic functions of ARA by doing an initial Risk Analysis in the test system.

Please once again, any help would be highly appreciated.

Best regards,

Paul

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Colleen
Advisor
Advisor
‎04-28-2013 11:45 PM
0 Kudos

Hi Paul

For your connectors you need to:

  1. Create the RFC Connection in SM59 and test that it works
  2. Create a Logical System for the Connector in transaction BD54 (same value as your connector)
  3. Complete the Integration Framework under IMG path: Governance, Risk and Compliance > Common Component Settings > Integration Framework
    1. Maintain Connectors and Connection Types -
      • Define Connectors: Add an entry for the Target Connector as Connection Type SAP and Logical Port is the BD54 entry
      • Define Connector Groups - you can create a new group of drill into the existing group to "Assign Connectors to Connector Groups" to add your SAP system connector as a target connector
    2. Maintain Connection Settings
      • For the four scenarios (not AM) you will need to repeat this step: AUTH, PROV, ROLMG and PROV you need to add your connector to the "Scenario-Connector Link"

Assuming the user running has sufficient synch, your auth synch should complete for the SAP system.

Show replies
Show replies
Former Member
‎04-29-2013 10:45 AM
0 Kudos

Hi Colleen,

Many thanks for taking the time to respond to my query - greatly appreciate it.

1. I have created a connector in SM59 and tested it. It works.

2. I am on BD54 BUT I don't understand what you mean by "(same value as your connector)" ? Could you kindly clarify please. Say, if my RFC connector was called: RFCCon1 should I make a new entry in BD54 under Logical System: RFCCon1 ..doesn't seem right. The Logical System entry, what should it exactly be? The name of the Connector ? The system name, host name, system ID or something else? I don't quiet understand what you mean by same value as your connector - what value might that be? The name value?

Thanks for the tip on BD54 to create a logical system - in AC 10.0 Post Installation (April2011) it doesn't mention that, just says "Maintain the Logical Port information with the same entry as the Target Connector (as defined in SM59)"...

Thanks once again Colleen, greatly appreciate your response and look forward to your clarification.

Best regards

Former Member
‎04-29-2013 11:49 AM
0 Kudos

I think I'm getting there....I've got a new error : Program for Authorisation data synchronisation:

"Unable to locate connector RFCCon1

PFCG authorisation sync failed with errors"

Brilliant stuff! hmmm...why can't it locate the connector.....I created in SM59 and it exists there but in table GRACCONNSTAT it's not an entry! ...yet all the other steps, including linking scenarios to connector was done and accepted ?

In table GRFNCONNSCNLK the four integration scenarios are linked to the above connector (thanks for the table Mohammad).

Any ideas ?

Many, many thanks to all who have replied and are looking at this.

Best regards,

Paul

NB: Not sure why my message prior to this is still being moderated ....

EDIT: I think I'm on my way to solving this....

Many thanks to Mohammad and Colleen - both of your answers were helpful and correct in getting to the bottom of this. At the moment, it's executing the Sync - expect it to take a lot of time.  I'll keep you posted if the sync is successful.

Colleen
Advisor
Advisor
‎04-29-2013 11:29 PM
0 Kudos

Hi Paul

Glad to hear you got your synch working an the Integration Framework complete

Reason why I had Logical System = Connector: I used the naming convention <SID>CLNT<Client> (eg PRDCLNT100) for my RFC Connection in SM59. I then used the same name for the BD54 Logical System and my Connector. This way it was easier to track my config through the system and easily identify the connection

Another bit I get caught out with the synch: the connector value is case sensitive. If you do not enter the connector in capitals (or however defined) you will get error message "Connector is not properly configured in common component settings"

Answers (3)

Answers (3)

Former Member
‎05-21-2013 1:01 PM
0 Kudos

Hi all,

Sorry to comeback to this thread but its more appropriate then to create a new thread or to spam !

Regarding Synchronization of Usage and Action Types  via the relevant T-Codes/Programs or via SE38 (GRAC_ACT_USAGE_SYNC & GRAC_ROLE_USAGE_SYNC) when executed and "completed" (?) I do not get a message confirming that the Sync has been successful, as I do with PFCG Authorisation and Repository sycn.

So my question is when executing Action and Role usage via the GRAC_ACT_USAGE_SYNC & GRAC_ROLE_USAGE_SYNC how do I know if the sync has been successful and is there any way to confirm via some sort of log or something else? Maybe a relevant table ?

Secondly, the PFCG Authorisation, is it possible to Sycn this in incremental mode ? Both the tcode/report and IMG option do not have an incremental mode, as repository does? Is it possible?

Many thanks once again,

Paul

Show replies
Show replies
Colleen
Advisor
Advisor
‎05-23-2013 4:03 AM
0 Kudos

Hi Paul

If I run the action usage (transaction GRAC_ACT_USAGE_SYNC) I get a popup message "Action Usage Sync successfully executed". You won't get a log of connector range, etc

The tables you can check are

GRACACTUSAGE  Action Usage

GRACROLEUSAGE Role Usage

You could possibly compare the table data against the STAD entries in the plug-in system

For the PFCG Authorization - it includes SU24 data,etc. some of this may not have date/time stamps to be able to perform delta. Alternatively, the size for the syn doesn't require a delta.

for incremental syncs, the program looks at table GRACTASKEXECSTMP to see when it was last run for the connector and usings this as the From Date/Time

Former Member
‎05-23-2013 1:10 PM
0 Kudos

Hi Colleen,

Thanks for your response.

1. Hmmmm still when executing GRAC_ACT_USAGE_SYNC - no response upon/after execution. No "Success" message or anything.

2. For table GRACACTUSAGE  I have about 847 enteries...so the Action sync must have worked ...

3. For table GRACROLEUSAGE I have 8,756 entries so that must have worked....

4. How would I use STAD exactly in this instance ?

5. What do you mean by "delta" or "perform delta" ? So are you confirming that PFCG Sync can NOT be executed in incremental mode like the other syncs ?

Many thanks again for your expert advice.

Paul

Colleen
Advisor
Advisor
‎05-24-2013 2:52 AM
0 Kudos

Hi Paul

Can you try executing the sync in background and then check SM37 logs. Also, how long are the logs retained in the satellite system before cleared - possibly sync is running after satellite has "emptied" the log - check with Basis

Delta/Perform Delta is incremental - I mean delta as the gap between now and when you last ran it. My view is - if the screen doesn't have make the button available, then you can do an incremental link.

Former Member
‎05-29-2013 8:15 PM
0 Kudos

Hi Colleen,

Thanks once again for your help and apologies for the very late response - bank holidays and other system tinkering ....

Anyhow, Sync has been FULLY successful these days ! I ran all the Auth, Repository and Action as a background job and then did Role Usage seperately (as it didn't allow me to do it with the others for some odd reason) and everything including role usage was successful this time ! Phew !

I checked logs via SM37 and all is well.

Thanks again

Colleen
Advisor
Advisor
‎05-31-2013 2:14 AM
0 Kudos

Great to hear!.... if only taking a holiday fixed all system issues

Former Member
‎01-16-2015 2:41 AM
0 Kudos

Colleen

My Integration Scenarios for all 4 are in place...yet the Repository Sync and Auth Sync, Action Usage Sync...they all fail with the error "Error: Scenario Link is not defined in GRFNCONNSCNLK table for QA system".

And the GRC box is connected to other systems and its working just fine.

Any ideas.

thanks

Rajiv.

Former Member
‎04-29-2013 4:31 PM
0 Kudos

Thank you once again to Mohammed and Collen - the SCN forum didn't allow me to choose your answers as Correct - the only option was the last reply - my reply, as to the correct answer.

So for anyone looking at this in the future - read the whole post from top to bottom and follow the advice by both Mohammad and Colleen and obviously trial and error.

Cheers,

Paul

Show replies
Show replies
Former Member
‎04-28-2013 10:02 AM
0 Kudos

Can you check the entries in the table GRFNCONNSCNLK and see if they are populated to the correct Integration Scenario. Also check if the Maintain Connector settings is mainatined

Mohammed

Show replies
Show replies
Former Member
‎04-28-2013 10:31 PM
0 Kudos

Hi Mohammed,

Thanks for your response.

I checked the table GRFNCONNSCNLK and your right, I get the response "No table entries found for the specified key" - so your right, it seems no integration scenario is linked BUT I have followed the GRC300 and Pre and Post implementation document as above and added the integration scenario

-AUTH

-PROV

-ROLMG

-SUPMG

as per se the instructions on Maintain Connections Settings. Is there anyway of inserting the integration scenarios directly in the table, other than via the IMG node?

I'm getting close to fixing it but haven't been able to put my hand on the problem just yet. It could be the actual RFC connection, it could be the connection type, grouping, assigning of them ect but I have not been able to determine what the precise problem is.

Any further help would be greatly appreciated and thanks again for your response.

Ask a Question