
GRC AC-Password self service

Former Member
0 Kudos

Hi experts,

Looking for a solution on how to implement PSS in GRC AC10 with the following option:

Steps are

1. User wants to reset his/her password.

2. Goes to NWBC Link

3. Put the user id

4. Clicks on < Forgot Password >

5. Security question is asked

6. User gets a mail in his/her mail box with a link to reset the password

Regards,

Sudha M

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Please,

I can't see the systems when I try to do a Password self service. I only see the systems if I am a GRC administrator. Common users cannot see any system. Do you know which roles a common user must have to see the systems?

Arnaldo

Former Member
0 Kudos

Hi Arnaldo,

Make sure of the following:

1) In the Maintain Connector Settings in the Access Control node, the PSS checkbox is checked.

2) You need to do the Repository sync after that.

Thanks and Regards

Ankit sharma

Colleen
Advisor
0 Kudos

I’m assuming you don’t want the user to enter a password on the logon screen. I’m also assuming you have completed the connector setup.

These steps allow this:

  • Maintain Connector Settings – for each applicable system tick the PSS System Box
  • Maintain Data Sources Configuration – choose which system you check for User Id to login
    • User Authentication Data Sources
    • User Search Data Sources
    • User Detail Data Sources
    • Maintain Data Sources Configuration – Choose NO to remove the need to enter a password on logon screen GRAC_UIBB_END_USER_LOGIN***
  • Maintain Password Self Service
    • PSS Global Configuration Values – Choose Challenge Response, Set Verification to Password Self Service; enter number of questions you want them to answer and number of attempts they receive
    • Challenge Response Questions – you can define a set of Global Template Questions for them to answer
    • PSS HR System – no action unless you happen to be using HR system for Authentication Source
  • Activate following Webservices and ensure you have a system user to complete the authentication for the web service login (transaction SICF)
    • GRAC_UIBB_END_USER_LOGIN
    • GRAC_GAF_PWD_SELFSERVICE_EU
    • GRAC_OIF_USER_REGISTER_EU
  • Activate End User Logon (you completed most of this with SICF); however, the help documentation explains how you can configure the screens to remove links, etc. from the logon and launch pad (e.g. remove User Request Form, etc.)

The end user will need to complete registration to provide the answers to the challenges. In the registration the user can answer the template questions and also add their own. The SAP user master will require the email address to send the password.


***Setting Verification to No

If you set the verification to NO anyone can enter your account in the log in. The risk is they could complete the registration for another user and then use those questions to reset the password.

Again, the email is sent to the user’s inbox.


There may be a way to protect this a bit better if you don’t enter verification but I didn’t investigate. You would also need to consider any other impacts for Compliant User Provisioning Functionality (e.g. User Access Request).


I didn’t like that anyone could access the request. In my solution I have the SAP Id the same as the Network Id. On the login screen I have the users enter their network user id and password to authenticate (LDAP connection). Because I have done this my users are not required to register challenge response. Once they login with their network account they can choose the system and get password sent to inbox.

former_member208271
Participant
0 Kudos

Hi Colleen

I'm also busy setting up PSS on GRC.

I just wanted to know: does the user have to exist on the GRC System (SU01) to reset his/her password for the other (Plug-in) systems?

Regards

Mustafa

Colleen
Advisor
0 Kudos

No, the data source configuration step sorts this out.

You tell GRC which systems to use for user verification and authentication.

You then use a system user to authenticate and have access for running the webservices.

former_member208271
Participant
0 Kudos

Hi Colleen

We have users that log into GRC and use NWBC. These are Managers that need to approve the Access Requests.

So how does just a SAP User login to use PSS? They can't log into SAP GRC cos they don't exist there.

The Data source we have configured is for look up and search.

Please advise further..

Regards

Mustafa

Colleen
Advisor
0 Kudos

Configure your data source for authentication.

However, I suspect you create a catch 22 situation: the user would need their password to ask for a password.

My solution was to verify against AD. The steps I posted up the top allow the user to enter username and no password. If this is what you want to do then set up authentication/verification for the ECC system as a data source. You can configure multiple data sources.

former_member208271
Participant
0 Kudos

Currently we have End User Verification set to NO on Maintain Data Source Configuration.

We are not using End User Login (not activated - will need guidance on this).

There is a Portal that we use for ESS (Employee Self Service) and we are trying to have the GRC on the same portal. So once the user logs in to this portal they will have a tab for GRC and there will be PSS. This is already configured on our Dev Portal. If you open GRC on there it asks for a login.

So that's why I will need advice on whether the user really needs to be created in SU01 on the GRC System.

Will activating End User resolve this issue?

Can I have End User Login Activated as well as other services or will it affect other logins?

Hope you can guide me in the right direction.

Regards

Mustafa

Former Member
0 Kudos

Hello Mustafa,

Did you find a solution? We have the same scenario and we cannot find any solution. In fact, we still have some doubts about whether the user has to log in to the GRC System by NWBC to use the PSS tool.

Please, could you help us with that?

Thank you so much in advance.

former_member208271
Participant
0 Kudos

Hi Jebeni

We don't have a full solution yet, still looking into different options.

Looks like we might have to create users on GRC System for them to use PSS Functionality.

If anyone has a solution for us please advise.

Regards

Mustafa

Colleen
Advisor
0 Kudos

Hi Mustafa and Jebeni

You should not need to create end users in GRC because of Portal Integration. It defeats the purpose of the GRACUSER concept and may impact your product licensing arrangements with SAP.

If you have your data source for authentication pointing to the portal source, possibly you can look at SSO to avoid the need for a password.

1733439 - How to auto forward to GRC Application after login into Portal using SSO

1733442 - Approaches to set SSO using Active Directory in AC 10.0

For your solution - what is the UME for Portal - is it the ERP system, AD or Portal? This may impact how you do your solution. End User Login is the functionality to avoid creating SU01 records in GRC for all users.

Former Member
0 Kudos

Hi Colleen ,

For me everything is working fine, but when I receive the email with the link and when I click on the link,

it asks for the username and password for the GRC system. But I have set authentication as LDAP.

Could you please assist me with the same.

Thanks and Regards

Ankit sharma

former_member193066
Active Contributor
0 Kudos

They should give the LDAP user id and password.

Former Member
0 Kudos

Hi Colleen,

Did you maintain all of these 10 services for PSS to work as per note 1628287?

1) GRAC_OIF_MY_PROFILE_EU

2) GRAC_GAF_NAME_CHANGE_SERV_EU

3) GRAC_POWL_REQUEST_STATUS_EU

4) GRAC_GAF_PWD_SELFSERVICE_EU

5) GRAC_OIF_USER_REGISTER_EU

6) GRAC_GAF_ACCREQ_WITH_REQREF_EU

7) GRAC_OIF_REQUEST_SUBMISSION_EU

8) GRAC_GAF_ACCREQ_WITH_TEMPL_EU

9) GRAC_GAF_ACCREQ_WITH_USEREF_EU

10) GRAC_UIBB_END_USER_LOGIN

My PSS is not working as I cannot see admin set questions while registering the user.

BR,

Mangesh

Former Member
0 Kudos

This is wrong answer unfortunately Prasant Paicchha, you need to maintain user credentials in PSS service.

Former Member
0 Kudos

Hello Colleen

We would like to do exactly what you describe here.

I didn’t like that anyone could access the request. In my solution I have the SAP Id the same as the Network Id. On the login screen I have the users enter their network user id and password to authenticate (LDAP connection). Because I have done this my users are not required to register challenge response. Once they login with their network account they can choose the system and get password sent to inbox.

Use AD as auth for PSS in GRC 10.1

Can you please post the steps that we need to do this?

SAP and Network user is the same (but not the same PW, but that is ok - or?)

That would be greatly appreciated 🙂

Thank you

Urs

Colleen
Advisor
0 Kudos

Hi Urs

You just need to setup an LDAP connector (there is instruction in SCN or Marketplace already).

Next bit is to make the LDAP connector the primary data source (for the Maintain Data Sources) for Authentication and make the data sources configuration set to yes so password is required. This will allow end users to login to the End User Login Screen with their network password.

I don't think there will be any difference with 10.1

In short, the detailed steps I wrote above pretty much cover all what you need to do except for the LDAP connector and switching authentication to yes.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

This is where we stand.

1) LDAP Connector setup

2) Primary Datasource for Authentication Data Sources = LDAP

3) Authentication set to YES

4) PSS Global Configuration Values = Authentication Source is empty, we have only

    HR System and

    Challenge Response

So we don’t get the option to login with Windows User/Password.

Thanks

Urs

Colleen
Advisor
0 Kudos

Hi Urs

What do you mean you don't get the option to login with Windows User/Password? You should activate the end user login screen and in that field you enter the user Id and password for network?

With defining LDAP connector did you map the LDAP fields to SAP field so that you link the CN (User Id) to BNAME fields?

Under Maintain Data Sources:

  • For folder user authentication data - enter the LDAP and leave the User Data Type (HR or SU01) blank
  • For number 3 did you mean "End User Verification" is set to yes as this will force a login

In relation to PSS Global Configuration Values, I had the PSS Disable verification set to All as I did not want challenge response or HR system. I did however select challenge response as I had to select a value. By choosing ALL, user would not need to register questions or receive a step in the password reset process to answer a question/be challenged.

It might help if you add some screen shots (minus company information if required)

Regards

Colleen

Former Member
0 Kudos

Hi Colleen, can you confirm how we do this without setting up the user in the GRC System?

We just want to use the ECC System as authentication without LDAP / AD.

How can users access the Reset password link without being set up in GRC?

former_member193066
Active Contributor
0 Kudos

In SPRO, Maintain data source, user authentication data source: use GRC system connector and user type SU01.

0 Kudos

Hi Colleen Hebbert,

Good day, I am new to SAP, could you please advise on the below issue,

I used the Solution Manager system as a data source system. The Solution Manager system has SSO (single sign-on) configuration, but when the user clicks on the PSS link it prompts for user id and password, but it is not supposed to. My requirement is that when the user clicks on the PSS link he/she should go directly into the password reset page without being prompted for user id and password. Could you please advise on this?

Thanks,

Mahesh Prathipati.