
ARQ: Manager Id manual selection from the list???

former_member184114
Active Contributor
0 Kudos

Hi,

I had discussed in my other thread here that, in some of the cases, a user may not have manager id for some reason either in HR or AD. For such users, the option is to select manager id manually from the list by pressing F4.

The problem is that, as soon as a manager id is searched, this will display "all" the users available in GRC system: requester, manager, role owner, other dialog users and even background users!

This causes the requester to select incorrect manager id and exposes all the irrelevant users from GRC system.

May I know how I can control this? Or do we have any other way to handle this?

As I know, there are following options:

1. Maintain users' details properly either in AD or SAP HR systems

2. In case of non-availability of manager id, route request to appropriate team/person who can take proper decision (which I have done currently)

Does anyone also suggest/endorse an idea to modify the default search ability of ARQ?

I would appreciate if we can have ideas/suggestions on this.

Would be waiting for kind responses.

Regards,

Faisal

Accepted Solutions (1)

alessandr0
Active Contributor
0 Kudos

Dear Faisal,

I understand your concern regarding correct/wrong managers. But in case that manager information is wrong in LDAP/HR, from which source should GRC get the correct managers?

Basically you can say whoever is a manager can also be a manager from someone else. But it is possible that someone who is not yet a manager can be a new manager and has to be defined as manager in ARQ. Therefore I would recommend to define the manager field as not changeable if manager information is pulled (I assume if a manager is picked either from HR or LDAP it is correct). If information is missing a user has to be defined as manager (manager can also be a role owner, etc.).

Quite tricky to define such scenarios without having exceptions.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

Dear Alessandro,

Thanks for your reply.

Regarding :


I understand your concern regarding correct/wrong managers. But in case that manager information is wrong in LDAP/HR, from which source should GRC get the correct managers?

I would share one thing and that is, for contractors (for example) somehow manager details are not maintained in LDAP (as in SAP HR only permanent employees' HR data is maintained).

I could not get the first 3 lines of next paragraph and I think this is not the issue


Basically you can say whoever is a manager can also be a manager from someone else. But it is possible that someone who is not yet a manager can be a new manager and has to be defined as manager in ARQ.

The issue is that, for some types of employees (contractors), manager details are maintained neither in LDAP nor in SAP HR system. Therefore, in such cases, manager field is empty. But let me tell you there are managers for even contractors, but not maintained in LDAP due to the maintenance responsibility, and gathering this information from different departments is assumed to be a big and painful task.

But these managers (for contractors) are definitely available in GRC system as approvers. Therefore, for users (contractors) whose manager is not maintained, manually it is to be selected from the search option. If we start searching for a "suitable" manager, then it displays all the users available in GRC system (because they are created in SU01).

Also, we might face similar problem at the time of forwarding a request! Actually, a manager should only see the list of other managers, not all users!

Similarly, a role owner will intend to forward his responsibility to another role owner only!

Therefore, we should only see the relevant users from the search, but not all!

Please share your valuable inputs.

Regards,

Faisal

FilipGRC
Contributor
0 Kudos

Hi Faisal,

what you described is standard SAP GRC logic. I agree to some extent this does not satisfy all (audit) requirements.


What we did was - we created a separate client (on GRC System) with the list of all managers which are not maintained in LDAP (this is our first source of information), but are required for cases like contractors / external audit etc.

Why did we use a dedicated client instead of the same GRC system? We wanted to limit the capabilities of user selection (F4) while looking for a manager.

Thank you,

Filip

former_member184114
Active Contributor
0 Kudos

Filip,

Thanks for your reply.

Yes, I am looking for the same solution. Now we are considering to modify the code. However, I think I can consider your suggestion.

But if you recall, for F4 to select manager id, as soon as you press F4, it simply pulls all GRC system users! Though I have maintained LDAP as only the user search source system.

Ideally, whenever I call F4 for users' search across GRC applications, whatever user search data source I have set in my configuration, system should show users from that only.

But in request submission form, if any user tries to search for a manager id manually, it is not showing users from LDAP, but from local GRC system database.

Any idea how I can control this?

Also, while forwarding a request, I experience the same problem.

Please advise.

Regards,

Faisal

FilipGRC
Contributor
0 Kudos

Hi Faisal,

what you can see after F4 on Manager field depends on what you have set up in configuration (GRC?AC/Configuration of user source and then "User Details"), so in this sense this population can be limited to the dedicated client.

Changing code is risky, as you will struggle with every new release service pack, which in case of GRC is happening quite often, and also not patching the system is risky as some bugs can only be fixed via SP.

You have to set up user details to LDAP if you want your users to browse LDAP data. Of course the LDAP connection has to be set up, and LDAP data properly updated. Otherwise you will get empty results or from GRC if the system is set up as second source of data.

Hope this helps,

Filip

former_member184114
Active Contributor
0 Kudos

Dear Filip,

Yes, I have set up user search data source as LDAP. In spite of this, system is showing local GRC users! I am unable to understand this behavior of system.

It should show the users from LDAP, since the user search source is LDAP. But I don't know why this is showing local GRC system's users.

The configuration is pretty straightforward and simple.

Can you advise?

Regards,

Faisal

FilipGRC
Contributor
0 Kudos

Hi Faisal,

strange behavior! This means your LDAP connection is not working.

Did you set up your LDAP connection in a correct way?

Please check sm59 and test LDAP connection, did you register LDAP program at app server (check with Basis guys), did you create LDAP connection group with action 3&4? Did you prepare mapping?

More details are required to solve the issue:)

Filip

former_member184114
Active Contributor
0 Kudos

Filip,

Yes. These things have been done and fortunately, they are working fine at the time of searching for a user for which a request is being created.

I face this strange behavior at the time of searching a manager id, if it has to be filled manually. I do think that we need to configure something separately for searching manager id from LDAP or so. I don't know if I missed anything.

I only can't search manager id from LDAP, though the user search is set to LDAP only!

Can you please advise?

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

I think the manager field always pops up against GRC users. If you want to put any users in this field please change the parameter 5021 to "NO".

1737899 - GRC 10.0 Error message "Manager entered is not correct" comes while creating request.

Kind regards,

former_member184114
Active Contributor
0 Kudos

Hi Claudio,

Thanks for your reply.

I checked this parameter and it is set to "NO". Still I am getting the users from SU01 for GRC system.

Can you please advise further?

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

Dear Faisal,

parameter 5021 enables validation on access requests to make sure the given information is accurate. Whenever you submit an access request without a valid manager the access request will run on "error". In 5021 you can enable that the given manager will be checked against the user id's in the current GRC system (so that a request can be approved) and not against LDAP or other data sources.

Unfortunately, I do also not have a solution to get your problem working.

Regards,

Alessandro


former_member184114
Active Contributor
0 Kudos

Hi Alessandro,

If we set this parameter to "YES", then whatever manager id is available (either manually/automatically filled) will be checked if this user id is available in GRC system (which is created in SU01). This is ok.

However, what I was wondering is that, there could be a scenario where a requester can also enter it manually (for some x reason). In that case, it should pull all users from LDAP (or whatever is the user search data source system) and show the list to requester (as we search a user id). But it does not happen in this way and simply SU01 users from GRC system are shown and this is weird!

I am not able to get the logic behind this system behavior. Any suggestion/discussion is welcomed.

Regards,

Faisal

FilipGRC
Contributor
0 Kudos

Hi Faisal,

if you can search users but you cannot search managers, this means the problem is on LDAP side.

As otherwise it would not work at all.

Please go to LDAP transaction code and execute find. Search for user and make sure field manager id is maintained and filled with correct information (DN USER ID), make sure your field mapping is set up in correct way.

Filip

Former Member
0 Kudos

Hi, This works as you wanted in the 5.3 version. In the 10 version, the system shows info from GRC users. I have configured an SAP ECC system as user search & detail data source and the managers come from GRC.

Regards,

former_member184114
Active Contributor
0 Kudos

I could not find any solution to select manager id manually from LDAP. If a manager is selected manually, system will eventually pull local GRC users created in SU01. This is quite strange and was not the expectation.

I made some customization in standard program as there is no BAdI also for this. This could put some validations for my business requirements. However, this has not completely met the expectations!

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Faisal


If a manager is selected manually, system will eventually pull local GRC users created in SU01

Part of this would be because the GRAC_MANAGER for MSMP workflow field would require an SU01 master to route to for approval. So clicking the match code looks in GRC system instead of LDAP

it comes back to whole issue that approvers must have SU01 account - came up a bit last year (e.g.

You might want to promote and contribute to the following idea, however, this needs to be extended to allow workflow for non-SAP accounts somehow (no idea how that could be possible at the moment).

Approvers authentication to be based on a data source instead of GRC SU01 : View Idea

Regards

Colleen
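
Filip's LDAP check (is the manager id maintained and pointing at a real entry?) and Colleen's point that approvers need an SU01 account can be combined into one offline audit. The following is an added example, not part of any post in this thread and not SAP code; it assumes an LDIF export carrying the AD attributes `sAMAccountName` and `manager`, that the account name equals the GRC user ID, and a separately exported list of GRC user IDs. All sample data is constructed.

```python
# Constructed sample data: a small LDIF export and the set of GRC SU01 user IDs.
SAMPLE_LDIF = """\
dn: CN=Alice Meyer,OU=Staff,DC=example,DC=com
sAMAccountName: AMEYER

dn: CN=Bob Klein,OU=Staff,DC=example,DC=com
sAMAccountName: BKLEIN
manager: CN=Alice Meyer,OU=Staff,DC=example,DC=com

dn: CN=Carl Roth,OU=Contractors,DC=example,DC=com
sAMAccountName: CROTH

dn: CN=Dana Wolf,OU=Contractors,DC=example,DC=com
sAMAccountName: DWOLF
manager: CN=Erik Lang,OU=Staff,DC=example,DC=com

dn: CN=Finn Haas,OU=Staff,DC=example,DC=com
sAMAccountName: FHAAS
manager: CN=Bob Klein,OU=Staff,DC=example,DC=com
"""
GRC_SU01_USERS = {"AMEYER", "FHAAS"}  # constructed; BKLEIN has no SU01 account

def parse_ldif(text):
    """Parse simple LDIF (no folded lines, no base64 values), keyed by lower-cased DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key.lower()] = value.strip()
        entries[attrs["dn"].lower()] = attrs
    return entries

def audit_managers(ldif_text, grc_users):
    """Group users by why their manager could not be auto-filled or used as approver."""
    entries = parse_ldif(ldif_text)
    report = {"missing": [], "dangling": [], "no_su01": [], "ok": []}
    for attrs in entries.values():
        uid = attrs["samaccountname"]
        mgr_dn = attrs.get("manager")
        if not mgr_dn:                           # manager attribute not maintained
            report["missing"].append(uid)
        elif mgr_dn.lower() not in entries:      # manager DN not in the export
            report["dangling"].append(uid)
        elif entries[mgr_dn.lower()]["samaccountname"] not in grc_users:
            report["no_su01"].append(uid)        # manager exists but cannot approve
        else:
            report["ok"].append(uid)
    return report
```

The `missing` and `dangling` groups are the users for whom a requester would fall back to the F4 search; `no_su01` lists users whose directory manager could not receive the workflow item.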

former_member184114
Active Contributor
0 Kudos

Hi Colleen,

I totally agree that all approvers must have their accounts in GRC system via SU01. There is no escape from this. This implies that, whoever is available in GRC system through SU01 should also be present in LDAP, for sure!

This is by default that all approvers will be created in GRC system through SU01. And there is no scenario where a user is created in SU01 in GRC system and not available in LDAP. I don't think this would happen (except some system users or so which do not need to be created in LDAP and they are local to GRC system).

I think it makes sense to display all LDAP (or whatever user search source I define) even if I try to select manually. If such a user does not exist in GRC, for example, this can be controlled by escape condition or so.

Regards,

Faisal

Answers (1)

former_member184114
Active Contributor
0 Kudos

Any suggestions on this?