GRC AC 10 - PSS: Password reset failed: no valid Email-id maintained for user id

Former Member
0 Kudos

Hello SAP-Experts,

I have some issues with the Password Self-Service (PSS).

I'm on GRC 10.0 SP12.

I have 2 plugin/backend systems: the GRC box itself and another ERP 6.0, where GRCPINW SP12 is installed.

My issue:

I have registered the Security Questions.

In step 1 I answer the questions ->  in step 2 I select a backend system.

When I submit the PSS action, the error "Password reset failed: no valid Email-id maintained for user id" appears and nothing happens.

Thanks in advance for your help

Accepted Solutions (1)

freemann
Explorer
0 Kudos

Edgar

I found that the user has to have an email address in your main User Source. Once this is populated I then had to run the transaction GRAC_REP_OBJ_SYNC / program GRAC_REPOSITORY_OBJECT_SYNC to pull through the updated details and this fixed the issue.

A useful tip was using the End User Login feature: if you log on with the user in question and click My Profile, you can see the email address defined. I found this a quicker option if you didn't know what tables to go trawling through.

Thanks

Nathan

Former Member
0 Kudos

Hi Nathan,

Can you please tell me in detail how you fixed this issue?

Where have you defined the main User Source? Which tables are the correct ones?

When I log in with the user I want to test the PSS with and go to 'My Profile', no user data is displayed (see screenshot).

freemann
Explorer
0 Kudos

Hi Edgar

Go to SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Data Sources Configuration and make sure you have Connectors set up for each of the Data Sources. I would then run the GRAC_REPOSITORY_OBJECT_SYNC program again for the Connector you are using as your User Source and then attempt it again.

GRACUSER is the right table to get the user's email if it's being populated correctly. Setting this up should fix it.

Thanks

Nathan

Former Member
0 Kudos

Hi Nathan,

You were 100% right.

Defining the main user source in SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Data Sources Configuration + GRAC_REPOSITORY_OBJECT_SYNC fixed this issue!!!!

This customizing step seems to be missed in the configuration guides!

Thank you 🙂

Former Member
0 Kudos

Hi,

Your help is very useful. What if I am reading from legacy files? What should I set as "User Data Type"?

Thanks,

Kind regards,

Answers (2)

former_member184114
Active Contributor
0 Kudos

Dear Edgar,

I am facing the same problem and did a couple of things as suggested but could not get the result. What I did is below:

1. Maintained LDAP as: User Search/Detail/Authentication Data Sources

2. Changed User Detail Data Sources to GRC System and synched fully. I could see the email id maintained in SU01 for all the users. But still got the same error.

When I tried to synch from LDAP, I got the error below:

Cannot perform read operation on the LDAP System

I assigned the objects below with full value to my ID and again tried to sync, but still got the same error.

  1. S_LDAP
  2. S_ICF
  3. S_RFC

Can you suggest further?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

I have now tried to sync with LDAP with a user ID having full authorization (SAP_ALL), but still got the same error:

Cannot perform read operation on the LDAP System

Can anybody please help me?

Regards,

Faisal

Colleen
Advisor
0 Kudos

Faisal

Check that the connection to AD (network) is not being blocked

former_member184114
Active Contributor
0 Kudos

Colleen,

In the LDAP transaction code, I can search for the user for which I am trying to reset the password. The connection is active here and, I believe, it is working fine. Please suggest otherwise.

I am unable to understand what is stopping the sync from the LDAP connector. Secondly, do I need to sync from the LDAP connector for these email IDs to be recognized?

I also tried to change the User Data source to GRC system (kept User Data Source as LDAP) where I got the email id maintained in SU01. But it still did not work.

Do you think this combination of Data Sources is not working?

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal

The only things I can think to rule out are:

  • ABAP auths (S_LDAP)
  • connectivity (port numbers, user with access) which you've implied is working via LDAP transaction. Possibly making sure the connection remains opened (I recall my Basis team scheduling a program to run but I can't remember it)
  • Mapping of User attributes for the LDAP connector

Possibly check Marketplace to see if any related notes?

Regards

Colleen

former_member184114
Active Contributor
0 Kudos

Hi Colleen,

Thanks for your reply.

  1. S_LDAP authorization is assigned with appropriate LDAP connector
  2. Yes, connection remains open. As of now I keep that session open
  3. I accepted default proposal for this and did no modifications.

I see a problem while syncing from LDAP (I opened another thread). The user synchronization is getting completed successfully but it is not pulling any users.

Regards,

Faisal

Former Member
0 Kudos

Additional info:

Although the sync jobs don't bring any errors in SLG1, no roles from the backend systems are displayed, e.g. in the access request workflow or Role Maintenance...

So maybe the sync jobs could be a reason... but on the other hand there are no errors in SLG1...?!

Former Member
0 Kudos

Edgar,

Check in the backend system whether you have maintained an email for users in SU01.

Thanks,

Sathish Reddy Dandala.

Colleen
Advisor
0 Kudos

Hi Edgar

Does your WF-BATCH user have an email?

Also, check out the GRACUSER table for the user to see if there is an entry for email address for that user. The user synch will populate GRACUSER and GRACUSERCONN.

If the user is not in the GRACUSER table with a valid email, you need to run the synch again.

Former Member
0 Kudos

Hi Colleen,

Yes, the WF-BATCH user has an email and the Firefighter email notifications work fine.

That's why I cannot understand why the PSS doesn't work and brings the error "Password reset failed: no valid Email-id maintained for user id"?!

I checked the GRACUSER table and every user in this table has an email in fields EMAIL and EMAIL SH. Only the field USER HR EMAIL has no entry, but I don't want to use HR anyway.

Any other suggestions?