- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Integrate GRC 10.1 with CUA and how to import role...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-30-2014 1:05 AM
Hello,
I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
Pawan
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-17-2014 3:30 PM
Hello,
Could someone please take a look at this and advise.
Thank you,
Pawan
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-17-2014 3:40 PM
Dear Pawan,
sorry didn't see this post earlier.
Basically you have to prepare the role import template for single and composite roles. The template also tells you which fields are mandatory and need to be filled up.
Alternatively you can also import the roles directly from backend without a template. Best to check the wiki how role import works in general: AC 10.0 Role Import - Governance, Risk and Compliance - SCN Wiki
Please let me know if you have a specific question or if you face any issue/error while importing.
Thanks a lot and regards,
Alessandro
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-17-2014 6:29 PM
Hi Alessandro,
Thank you for your response.
I am now importing directly from backend system.
However, when I try to provision new accounts from GRC through CUA to ECC plug-in system, it creates the id in ECC but does not assign the roles and it says the following:
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_02 created in System(s): ECBCL020 (created without role assignments)
T-CUA_02 User does not exist in target system CUA
Is it possible to configure GRC in such a way that it creates the account in CUA if it does not exist in CUA system also?
I know we have this option for plug-in system and it works but I am not exactly sure where to set it for CUA system also.
Thank you,
Pawan
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2014 9:39 AM
Dear Pawan,
in the global provisioning configuration you can set up such things like user creation if a user doesnt exist in the system.
SPRO > GRC > AC > User Provisioning > Maintain Provisioning Settings
Does this answer your question?
Regards,
Alessandro
- SAP Managed Tags:
- Security
_900%20Change%20View%20_Maintain%20Global%20Provisioning%20Configuration__%20Details.png){kind=link}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2014 3:16 PM
Hi Alessandro,
I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
- 1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
- 2. Approvals provided to assign the ECC role.
- 3. I see the following in GRFNMW_DBGMONITOR_WD.
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
T-CUA_CHILD User does not exist in target system CUA
GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
Thank you for your help!
Pawan
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2014 11:15 AM
Pawan,
can you check note:
http://service.sap.com/sap/support/notes/1859038
Please let me know if it does solve your problem.
Regards,
Alessandro
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2014 2:36 PM
Hi Alessandro,
Unfortunately, this note cannot be implemented in our system. We are currently on GRC 10.1 SP05.
I would like thank you for taking your time to find a note for our issue.
Thank you,
Pawan
- SAP Managed Tags:
- Security
