on 03-14-2013 11:52 AM
Hi experts,
Looking for a solution on how to implement PSS in GRC AC10 with the following option:
Steps are
1. User wants to reset his/her password.
2. Goes to NWBC Link
3. Put the user id
4. Clicks on < Forgot Password >
5. Security question is asked
6. User gets a mail in his/her mail box with a link to reset the password
Regards,
Sudha M
Please,
I can't see the systems when I try to do a Password self service. I only see the systems if I am a GRC administrator. Common users cannot see any system. Do you know which roles a common user must have to see the systems?
Arnaldo
I’m assuming you don’t want the user to enter a password on the logon screen. I’m also assuming you have completed the connector setup.
These steps allow this
The End user will need to complete registration to provide the answers to the challenges. In the registration the user can answer the template questions and also add their own. The SAP user master will require the email address to send the password
***Setting Verification to No
If you set the verification to NO anyone can enter your account in the log in. The risk is they could complete the registration for another user and then use those questions to reset the password.
Again, the email is sent to the user’s inbox.
There may be a way to protect this a bit better if you don’t enter verification but I didn’t investigate. You would also need to consider any other impacts for Compliant User Provisioning Functionality (e.g. User Access Request).
I didn’t like that anyone could access the request. In my solution I have the SAP Id the same as the Network Id. On the login screen I have the users enter their network user id and password to authenticate (LDAP connection). Because I have done this my users are not required to register challenge response. Once they login with their network account they can choose the system and get password sent to inbox.
Hi Colleen
We have users that log into GRC and use NWBC. These are Managers that need to approve the Access Requests.
So how does just a SAP User log in to use PSS? They can't log into SAP GRC cos they don't exist there.
The Data source we have configured is for look up and search.
Please advise further..
Regards
Mustafa
Configure your data source for authentication
However, I suspect you create a catch 22 situation: the user would need their password to ask for a password
My solution was to verify against AD. The steps I posted up the top allow the user to enter username and no password. If this is what you want to do then set up authentication/verification for the ECC system as a data source. You can configure multiple data sources
Currently we have End User Verification set to NO on Maintain Data Source Configuration.
We are not using End User Login (Not Activated - Will need guidance on this)
There is a Portal that we use for ESS (Employee Self Service) and we are trying to have the GRC on the same portal. So once the user logs in to this portal they will have a Tab for GRC and there will be PSS. This is already configured on our Dev Portal. If you open GRC on there it asks for a Login.
So that's why I will need advice on whether the user really needs to be created in SU01 on the GRC System?
Will activating End User resolve this issue?
Can I have End User Login Activated as well as other services or will it affect other logins?
Hope you can guide me in the right direction.
Regards
Mustafa
Hi Mustafa and Jebeni
You should not need to create end users in GRC because of Portal Integration. It defeats the purpose of the GRACUSER concept and may impact your product licensing arrangements with SAP
If you have your data source for authentication pointing to the portal source, possibly you can look at SSO to avoid the need for a password.
1733439 - How to auto forward to GRC Application after login into Portal using SSO
1733442 - Approaches to set SSO using Active Directory in AC 10.0
For your solution - what is the UME for Portal - is it the ERP system, AD or Portal? This may impact how you do your solution. End User Login is the functionality to avoid creating SU01 records in GRC for all users.
Hi Colleen,
Did you maintain all of these 10 services for PSS to work as per note 1628287?
1.)GRAC_OIF_MY_PROFILE_EU
2.)GRAC_GAF_NAME_CHANGE_SERV_EU
3.)GRAC_POWL_REQUEST_STATUS_EU
4.)GRAC_GAF_PWD_SELFSERVICE_EU
5.)GRAC_OIF_USER_REGISTER_EU
6.)GRAC_GAF_ACCREQ_WITH_REQREF_EU
7.)GRAC_OIF_REQUEST_SUBMISSION_EU
8.)GRAC_GAF_ACCREQ_WITH_TEMPL_EU
9.)GRAC_GAF_ACCREQ_WITH_USEREF_EU
10.)GRAC_UIBB_END_USER_LOGIN
My PSS is not working as I cannot see admin set questions while registering the user.
BR,
Mangesh
Hello Colleen
We would like to do exactly what you describe here.
I didn’t like that anyone could access the request. In my solution I have the SAP Id the same as the Network Id. On the login screen I have the users enter their network user id and password to authenticate (LDAP connection). Because I have done this my users are not required to register challenge response. Once they login with their network account they can choose the system and get password sent to inbox.
Use AD as auth for PSS in GRC 10.1
Can you please post the steps that we need to do this?
SAP and Network user is the same (but not the same PW, but that is ok - or?)
That would be greatly appreciated 🙂
Thank you
Urs
Hi Urs
You just need to setup an LDAP connector (there is instruction in SCN or Marketplace already).
Next bit is to make the LDAP connector the primary data source (for the Maintain Data Sources) for Authentication and make the data sources configuration set to yes so password is required. This will allow end users to login to the End User Login Screen with their network password.
I don't think there will be any difference with 10.1
In short, the detailed steps I wrote above pretty much cover all what you need to do except for the LDAP connector and switching authentication to yes.
Regards
Colleen
Hi Colleen
This is where we stand.
1) LDAP Connector setup
2) Primary Datasource for Authentication Data Sources = LDAP
3) Authentication set to YES
4) PSS Global Configuration Values = Authentication Source is empty, we have only
HR System and
Challenge Response
So we don’t get the option to login with Windows User/Password.
Thanks
Urs
Hi Urs
What do you mean you don't get the option to login with Windows User/Password? You should activate the end user login screen and in that field you enter the user Id and password for network?
With defining LDAP connector did you map the LDAP fields to SAP field so that you link the CN (User Id) to BNAME fields?
Under Maintain Data Sources:
In relation to PSS Global Configuration Values, I had the PSS Disable verification set to All as I did not want challenge response or HR system. I did however select challenge response as I had to select a value. By choosing ALL, user would not need to register questions or receive a step in the password reset process to answer a question/be challenged.
It might help if you add some screen shots (minus company information if required)
Regards
Colleen
Hi Colleen Hebbert,
Good day, I am new to SAP. Could you please advise on the below issue?
I used the Solution Manager system as a data source system. The Solution Manager system has SSO (single sign-on) configured, but when a user clicks on the PSS link it prompts for user ID and password, which it is not supposed to do. My requirement is that when a user clicks on the PSS link, he/she should go directly to the password reset page without being prompted for user ID and password. Could you please advise on this?
Thanks,
Mahesh Prathipati.