
GRC AC 10 access provisioning query

jay_b2
Participant
0 Kudos

In Role Maintenance, I have managed to create a test role through GRC in my sandbox ERP system. The request is in complete status and the role is created in the ERP system.

I am trying to create an access request for a new user in that system. However, it does not allow me to add the role I just created for the same system.

When I click on Access Request Creation --> Access Request -> Request type new a/c

Request for Self

Business Process: Finance

User Access: Add System: (successful)

add role : Here I'm not able to search for the role.

Can someone please help me understand why the role is not showing up?

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi,

The role needs to be generated.

Please try this through NWBC and the issue should get resolved.

regards

Hemant

Former Member
0 Kudos

Hi Jay,

You have to first create Business Process, Sub-process, project release etc. and then define default ones in Configuration Settings.

Then you need to import roles. I am not aware of how to map Business Process and roles, I have done a test import with default values. The tcode to import roles is GRAC_ROLE_MASS_IMPRT

Let me know how it goes and also, if you are able to find a way to map mass roles into different Business Process, Sub-Process.

Regards,

Sabira

jay_b2
Participant
0 Kudos

> Hi Jay,
>
> You have to first create Business Process, Sub-process, project release etc. and then define default ones in Configuration Settings.
>
> Then you need to import roles. I am not aware of how to map Business Process and roles, I have done a test import with default values. The tcode to import roles is GRAC_ROLE_MASS_IMPRT
>
> Let me know how it goes and also, if you are able to find a way to map mass roles into different Business Process, Sub-Process.
>
> Regards,
> Sabira

Thank you,

Business Process, Subprocess and project release have been set. Configuration settings are not changed as the default ones would be active.

Now while I try to execute GRAC_ROLE_MASS_IMPORT in the GRC system, I am getting a weird error...

" <RFC> Enter the business process, Message no. GRAC_UTILITIES000"

I navigated to my role maintenance screen where the role is in completed status, I can see that role was assigned to the respective process / subprocess when created.

Any clue ?

Former Member
0 Kudos

Hi,

In the configuration settings, it takes the technical name in default settings, e.g. BS00 for Basis (SAP standard business process) and so on.

Try if it works.

Regards,

Sabita

jay_b2
Participant
0 Kudos

> Hi,
>
> In the configuration settings, it takes the technical name in default settings, e.g. BS00 for Basis (SAP standard business process) and so on.
>
> Try if it works.
>
> Regards,
> Sabita

Hi

Thanks for replying.

Are you talking about IMG->GRC->AC->Maintain configuration settings? If so, please let me know the parameter group, param ID and Parameter Value?

Also, can you please let me know the same for parameter ID 2021 and 2022?

Former Member
0 Kudos

Hi,

We need to maintain configuration settings.

2021- Default Request Type for Role Reaffirm and 2022 - Default Priority for Role Reaffirm are related to Role reaffirm, we don't use it hence not maintained.

For role management 3000 is for default business process, 3001 for default sub-process, 3002 for criticality level, 3003 for project release and 3004 for default role status. The value depends upon what you have configured in the system.

We are using SAP standard, so we are taking SAP-delivered values. Possible values will come in a drop-down if applicable.

Regards,

Sabita

jay_b2
Participant
0 Kudos

Thanks...

This issue was resolved by GRC -> RM -> Maintain role status --> Select development. Thus, I've been able to successfully select / assign and approve roles. However, the provisioning fails for some workflow error. Any clue on the below:

1. Role Z.... in system SID is approved for action 'Assign' with validity 02.12.2011-31.12.9999 -- Updated by user

No agent found, cancelling path GRAC_DEFAULT_PATH (in stage no. 003 - GRAC_SECURITY) -- Updated by workflow system(WF-BATCH)

2. Also, any clue if we can re-trigger workflow for access request .. ?

3. While creating a new access request in AC 10, what options do we select from the create request screen

Request Type: New Account ?

Request for : Self Other Multiple ??

If we select Other in 'Request for' it allows to add only from the already available users in that system. Eventually this will lead to an error.

Any help ?

Former Member
0 Kudos

Jay,

Well, seems you take advantage of an error to solve your problem???

Note 1624035 - Roles with status dev show in CUP role search

So, check this:

In GRC 10.0, Business role Management and ARQ are tightly integrated. Only the roles that exist in BRM with the Role Status as Production, will be available in the Search while request creation in ARQ.

So you need to ensure that the status of the roles that you want to use while request creation is set to production.

Note 1602339 - No roles found while creating request

Cheers,

Diego.

jay_b2
Participant
0 Kudos

Dear Diego

Thank you for replying. I am too simple to understand what you meant it 'seems' to be .. but I'll let you know what I have seen.

Only the roles that exist in BRM with the Role Status as Production, will be available in the Search..... unless you explicitly tell the system to allow assigning roles with development status... this is exactly what I have described above as I've done.

Please see if you'd be able to post your comments on the three queries I've listed above as I'm new to GRC (in simple terms)..

Thanks,

Former Member
0 Kudos

Jay,

What I meant is you shouldn't use Dev Status roles for provisioning:

http://help.sap.com/saphelp_grcac10/helpdata/en/cc/036324250447c5874e67ae28f30a88/frameset.htm

"The application only performs provisioning for roles that are set as productive and is provisioning allowed. That is, if the role is set as productive, but both Provisioning Allowed and Allow Auto-provisioning are set as No, the application does not provision the role."

Cheers,

Diego.