GRC 10 - issue importing role for new system

Former Member
0 Kudos

We have a 3 backend system landscape. We have imported the roles correctly through the "role import" option for the QA system. Then we have set up the Production system and imported the role for the production system.

The problem is when we are trying to raise the GRC access request and try to add roles, they are only available for the QA system. When I try to search and add roles for the Production system they are not available.

Roles are not listed for the multiple systems when I am trying to add and search roles.

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Running full sync jobs resolved the issue.

0 Kudos

Hi Sameer,

Go through the link below; it will definitely resolve your issue.

http://scn.sap.com/thread/3320514

Best Regards,

Ravi Kumar

Former Member
0 Kudos

Thanks for both the replies. To be simple, I need the role to become "yes" in the role exist section in BRM -> ADDITIONAL DETAILS -> PROVISIONING -> ROLE EXIST section. Currently it's showing "yes" for only one system.

How do I upload a role for multiple systems? I think I am doing something wrong.

System validity period, as the solution mentioned in the above post, is not defined in our landscape. I also don't think it's mandatory to define.

former_member193066
Active Contributor
0 Kudos

In NWBC: Access Management > Role Import. Download the template, fill it in for all systems and upload it.

You will have it for all systems. You don't need to do it for each individual system.

Regards,

Prasant

Former Member
0 Kudos

Thanks Prasant for the reply. I already uploaded the attribute based template with the role. But in the Excel template I do not see the system column to be mentioned. It just uploads for one system.

former_member193066
Active Contributor
0 Kudos

Did you check on the right hand side, where you maintain allow auto provision to YES(Y)? Check the column before it, called System. Give the connector name there; you can upload for multiple systems.

Former Member
0 Kudos

I am unable to find any option for provisioning or connector name in the role upload standard template. I downloaded the template available during the role import process.

The first column is the role name and the last column is the company name as per the template. Please could you suggest.

I need to find out where the system name is actually mentioned when uploading the role, or how the GRC system will recognize the role's system.

0 Kudos

"System [ Alphanumeric(32)]" tab is available just before tab of "Provisioning Allowed".
As Prasant Paichha suggested, maintain the connector name here.

For roles to be included for an additional system, add a duplicate entry with a different connector name.

former_member193066
Active Contributor
0 Kudos

It will identify based on connector. Open that in Excel.

Role Name [ Alphanumeric(100) ] [ Mandatory ]
Overwrite [ Alphanumeric(1) ] [Y/N]
Role Type [SIN / DRD / COM / BUS / PRF / PDP / GRP / TPL] [Mandatory]
Description [ Alphanumeric(100) ]
Business Process Name [ Alphanumeric(10) ] [ Mandatory ]
Subprocess Name [ Alphanumeric(10) ] [ Mandatory ]
Project/Release Name [ Alphanumeric(10) ] [ Mandatory ]
Role Status [ Alphanumeric(3) ]
Critical Level [ Alphanumeric(3) ]
Sensitivity [ Alphanumeric(3) ]
Certification Period in Days [ Numeric(5) ]
Reaffirm Period in Days [ Numeric(5) ]
Functional Area [ Alphanumeric(10) ]
Custom Field Name [ Alphanumeric(12) ]
Custom Field Value [ Alphanumeric(100) ]
Approver [ Alphanumeric(12) ]
Alternate Approver [ Alphanumeric(12) ]
Assignment Approver [ Alphanumeric(1) ] [Y/N]
Role Content Approver [ Alphanumeric(1) ] [Y/N]
Master Role [ Alphanumeric(100) ] [ Only for Derived Roles ] [ Mandatory ]
Leading Organizational Level [ Alphanumeric(50) ] [ Only for Derived Roles ] [ Mandatory ]
Organizational Level From Value [ Alphanumeric(50) ] [ Only for Derived Roles ] [ Mandatory ]
Organizational Level To Value [ Alphanumeric(50) ] [ Only for Derived Roles ]
Associated Roles [ Alphanumeric(100) ] [ Only for Composite / Business Roles ]
Associated Role Landscape [ Alphanumeric(10) ] [ Only for Business Roles ]
Associated Systems [ Alphanumeric(32) ] [ Only for CUA Composite Roles ]
Custom Profile URL [ Alphanumeric(100) ] [ Only for Template Role ]
Custom Profile BAPI [ Alphanumeric(100) ] [ Only for Template Role ]
Methodology Status [I - Initial / C - Complete]
Company [ Alphanumeric(10) ]

System [ Alphanumeric(32) ]

here is the one

Provisioning Allowed [ Alphanumeric(1) ] [Y/N]
Allow Auto Provisioning [ Alphanumeric(1) ] [Y/N]
System Validity [ Alphanumeric(50) ] [yyyy/mm/dd or Y,M,D]
Source System [ Alphanumeric(32) ]
Target System [ Alphanumeric(32) ]
Role Name [ Alphanumeric(100) ] [ Mandatory ]

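An added example, not part of the thread and not SAP code: a pre-upload check that every role in the sheet has one row per connector in the "System" column, which is the duplicate-entry rule described in the replies above. It assumes the sheet has been saved from Excel as tab-separated text with the column titles "Role Name", "System" and "Provisioning Allowed"; the role and connector names are constructed.

```python
import csv
import io

# Constructed sample: a reduced role sheet saved from Excel as tab-separated text.
# Column titles follow the template quoted above; role and connector names are made up.
SAMPLE = (
    "Role Name\tRole Type\tSystem\tProvisioning Allowed\n"
    "Z_FI_AP_CLERK\tSIN\tQA_CONNECTOR\tY\n"
    "Z_FI_AP_CLERK\tSIN\tPRD_CONNECTOR\tY\n"
    "Z_MM_BUYER\tSIN\tQA_CONNECTOR\tY\n"
    "Z_SD_ORDER_ENTRY\tSIN\tQA_CONNECTOR\tY\n"
    "Z_SD_ORDER_ENTRY\tSIN\tPRD_CONNECTOR\tN\n"
)


def check_coverage(text, connectors):
    """Return (missing, blocked, invalid) for a tab-separated role sheet.

    missing: (role, connector) pairs that have no row in the sheet.
    blocked: pairs whose row sets Provisioning Allowed to N.
    invalid: (line number, reason) for rows breaking the template's field limits.
    """
    seen, invalid = {}, []  # seen: role -> {connector: provisioning flag}
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        role = (row.get("Role Name") or "").strip()
        system = (row.get("System") or "").strip()
        flag = (row.get("Provisioning Allowed") or "").strip().upper()
        if not role or len(role) > 100:
            invalid.append((line_no, "Role Name empty or over 100 characters"))
        elif not system or len(system) > 32:
            invalid.append((line_no, "System empty or over 32 characters"))
        elif flag not in ("Y", "N", ""):
            invalid.append((line_no, "Provisioning Allowed must be Y or N"))
        else:
            seen.setdefault(role, {})[system] = flag
    pairs = [(r, c) for r in sorted(seen) for c in connectors]
    missing = [(r, c) for r, c in pairs if c not in seen[r]]
    blocked = [(r, c) for r, c in pairs if seen[r].get(c) == "N"]
    return missing, blocked, invalid


if __name__ == "__main__":
    missing, blocked, invalid = check_coverage(SAMPLE, ["QA_CONNECTOR", "PRD_CONNECTOR"])
    for role, conn in missing:
        print(f"no row for {role} on {conn}")
    for role, conn in blocked:
        print(f"{role} on {conn}: provisioning not allowed")
    for line_no, reason in invalid:
        print(f"line {line_no}: {reason}")
```
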
madhusap
Active Contributor
0 Kudos

Importing Single/Composite roles into BRM in GRC 10.0

  • Role has to exist in the backend system
  • Role sync job has to be performed. [Very Important step]
  • Roles from backend system - Tcode N /GRCPI/AC_ROLE_DNLD downloaded files (attribute and authorization source)
  • Role Attribute Source - "File on desktop"
    Role Authorization Source - "File on Desktop/Backend System" [Note: Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and just want to use roles for provisioning purposes only]
  • Maintain parameters 3021 path, 3003 value and download roles with .txt file (file location) and .xls (Role Info file)
  • Role Info file: Maintained Business Process, Sub process and Project names.
  • Logon to GRC frontend application (either using Portal or NWBC)
  • Go to "Access Management"
  • Choose option 'Role Import' under 'Role Mass Maintenance'.
    Choose the role status as production and then import the role.
  • Import roles into BRM.
    - Maintain the PRODUCTION status, and in order to do that
    - Go to IMG => Governance Risk and Compliance => Access control => Role Management => Maintain Role Status
    - Make sure to check the PRODUCTION STATUS checkbox for the status (Recommended is PRD, but DEV and TST can be checked as production status based on the testing environment)
    - Based on PRODUCTION STATUS settings configured, make sure each role status is set accordingly
    - Go to Access Management => Role Management => Role Maintenance
    - Search and open the role, click on Additional Tab and then select Provisioning
    - Make sure that the Role Status is set to Production or other status based on the settings done earlier.
    - Provisioning Allowed flag should be set to "Yes" for that system
    - Role Validity Period on the system should be current (valid) or should not be maintained
    - To change or update the Validity period, select the system and click on the "Set Default Period" button
    - Change or update your Validity period
    - Make sure PROV scenario has been maintained for the system. [Best practice is to link all the integration scenarios to every connector to avoid any discrepancies]

Maintain below configuration parameters in the configuration settings.

Regards,

Madhu.