
AC 10.0 Workshop Q&A

Former Member
0 Kudos

Hi everyone,

I would like to share the following Q&A we collected during a workshop held last week. For those of you interested in more information on 10.0 please check service.sap.com/instguides and help.sap.com for more information. We will be publishing soon 10.0 accelerators in the BPX website.

Please notice that the solution is still in Ramp-Up and the functionality might slightly change once the solution is in General Availability, so we have done our best to collect the right answers at this point.

Luis

Edited by: Luis Bustamante on Jan 25, 2011 10:50 AM

Accepted Solutions (0)

Answers (6)

Former Member
0 Kudos

Luis -

Is it possible to delete a Rule once it's been activated? I get the error that a rule is used in active version 002, but I don't want that rule to be active. Also, is it possible to delete the default initiator rules?

Thanks

luis_bustamante
Active Participant
0 Kudos

Matthew,

If a BRF+ rule is still linked to a process ID you cannot delete it. You need first to edit the process ID, delete any references to the rule and generate a new version.

You should not delete the default initiator rules from the system as they are in the SAP namespace and will probably be overwritten by an upcoming SP. You can, of course, remove them from a specific process ID in stage 2 of the MSMP workflow configuration and add new ones.

Luis

Former Member
0 Kudos

Hi Luis,

In MSPS setup, I had also asked about potential performance differences and considerations that could be made for configurators when strategically choosing between BRFRule, BRF Flat Rule, Function Module based rule, and ABAP class based rule for any particular situation. E.g. an agent rule that would have a decision table with tens of thousands of rows, but perhaps could have a simpler construction if using a function module or class based rule. Or also potentially performance differences between BRF+ rules and BRF+ Flat rules when the line item by line item request data is not necessary in determining a result.

Thanks,

Scott

luis_bustamante
Active Participant
0 Kudos

Roberto,

In 10.0 you can choose a rule set when doing a risk analysis within a request. Please refer to the Security Guide for a description of all available authorization objects. NetWeaver ID Mgmt Integration is still available via web services.

Luis

Former Member
0 Kudos

Thank you for the quick reply and also for the precious information, Luis

There were some other questions related to

• capabilities of configuring and choosing a specific risk matrix during the provisioning process in CUP (which was not possible to do in 5.3)

• more detailed user authorization management capabilities in ac 10:

- Capabilities to use authorization object to decide which information a role/user can see or not see in the risk analysis and remediation.

- Capabilities to use authorization object to decide which system/role a user can see in the pickup list during the requesting process in CUP (in 5.3 any user could see the whole environment of systems connected to CUP and almost choose any role, even those created for system/country he's not expected to work on) based on the company information and so on

• Capabilities of using role management to support an end-to-end process for role generation (also managing creation of role in the backend system and transport logic testing-quality-production)

• Capabilities of CUP to integrate with external sources (in ac 5.3 web service on SMPL standard were available)

Can you please provide answers also for these?

Thank you very much and kind regards

luis_bustamante
Active Participant
0 Kudos

Workshop Q&A - Week 3 (2/2)

Q: Does the "Model user" request replace the role search "model access by"?

A: Yes

Q: Model user request functionality will copy also the user parameters?

A: No, it will allow you to choose the roles a user has just like in 5.3.

Q: Can we map fields on the create request screen to different data sources (e.g. Firstname from AD, Cost Center from HR)?

A: No, this works just as in 5.3. For that you will need a virtual directory like the one provided by NetWeaver ID Mgmt.

Q: When I copy a request, is there any way to see more info than the ID from the request that is copied?

A: Yes, first you select the request ID, then you can change any of the user details if needed, last you will be able to modify the request details too before submitting the request.

Q: Will I need to generate again the MSMP Workflow after activating a change in a BRF+ Rule?

A: No, the BRF+ changes take effect immediately after activating in the BRF+ workbench in any process ID using them.

Q: Can we limit the roles/systems shown to the user in the request form?

A: Yes. User can select any system but no roles will be returned when searching if this is restricted at authorization level. When the user selects the right system and searches for roles, he can find only roles in the name space the authorizations are assigned. (Authorization Object GRAC_ROLED)

Q: How can the public area for create request be accessed? Can it be customized just like the "internal request screen"?

A: First you have to configure the authentication data source in "Maintain Data Sources". Then you can use this URL:

http://<host>:<port>/sap/bc/webdynpro/sap/grac_uibb_end_user_login?sap-client=<client>&sap-language=...

The EUP settings apply also to this URL.

Q: Do we require Adobe Document Services for using the "print" button?

A: Yes, the print version is a PDF and can only be generated using Adobe Document Services. This component can be shared with other applications and it is not necessary to install it in the same AC system (note: ADS runs in NetWeaver Java, for AC only NetWeaver ABAP is required).

Q: Are custom fields available in BRF+ Workbench?

A: Yes. Custom Fields are configured in data structure: CI_GRAC_REQ_ATTR. Please notice the custom fields must be configured before creating the rule. Custom fields created will not be available to existing rules.

Q: If I want to use the SoD Violations detour along with the Risk Criticality level...then is this possible?

A: It is not possible with BRF+ as this information is not part of the request. This would require a custom development to be linked to the workflow.

luis_bustamante
Active Participant
0 Kudos

Workshop Q&A - Week 3 (1/2)

Q: Does "Maintain Exclude Objects for Batch Risk Analysis" apply to other components or just batch risk analysis?

A: Exclude objects is only for batch risk analysis

Q: Can we trigger a workflow for creating mitigating controls (i.e. when approving a request)?

A: Yes, there are two process IDs delivered: SAP_GRAC_CONTROL_MAINT (for creation/maintenance) and SAP_GRAC_CONTROL_ASGN (for assignment)

Q: Is LDAPS supported for connectors?

A: In some scenarios possible (Windows only), see note 456666. LDAP connection is supported by the underlying ABAP architecture, not by GRC.

Q: Can we easily create the email notification for password? We don't need a password if we log in to the backend using SNC-name.

A: Yes, it is possible using transaction SE61, use document class "General Text", you can link this template to a Notification Agent in IMG.

Q: User Title (Mr, Mrs) Is it populated automatically using HR as user data source?

A: Title = Academic title in AC. It is available as a standard field in the requests. You will need to use HR as the detail user data source to map the fields.

Q: Can the approver modify every field in a request?

A: Yes, with the appropriate stage level configuration (Change Request Details option at Stage Level)

Q: Is it possible to configure Alternate Approvers like in 5.3?

A: No, but this functionality can be implemented using BRF+ logic to select the approver and/or multiple stages and/or escalation options.

Q: Is there more log information available when errors appear during MSMP Workflow Generation?

A: Yes, run the generation in IMG under Workflow for AC, it will provide more information.

Q: How to clear locked queries in AC (Error: Query is running)?

A: Please use SM04 to close the session or alternatively current lock entries can be checked (and removed) in SM12.

Q: The clients only need a web browser to access AC via NWBC?

A: Yes