on 06-27-2014 9:40 AM
Hi Gurus,
We are on GRC SP13.
I am testing User Access Review (UAR) workflows.
I can see that UAR requests are being generated based on the GRACROLEUSAGE table.
In the target system a user had 2 composite roles and 2 single roles assigned.
I have raised a GRC change account request to get one composite and one single role removed from the user.
Workflow completed successfully.
Once this is done, I ran all synch jobs.
I checked GRACROLEUSAGE table. This table now shows target system user has one composite role and one single role.
I have raised another change account request to remove another composite role and single role.
Workflow completed successfully and all roles are removed.
Now the user in the target system doesn't have any roles assigned.
I have re-run all synch jobs.
Now when I checked the GRACROLEUSAGE table, it still shows single roles which are part of the composite role are assigned to the user.
I am not sure based on which tables these UAR workflows gather data.
But when I see GRACROLEUSAGE table it is not getting updated correctly.
Has anyone come across this issue?
Please suggest.
Regards,
Sai.
Hi Sai,
We came across a similar issue and we raised an SAP OSS note. Our particular case happens in a situation when we have, in one UAR request, a user who has a Composite role assigned and another user who has assigned a Single role that is part of that specific Composite role; in this case the UAR request is not showing the Single role being assigned to the user.
We went for SP14 and the problem was solved.
I also recommend patching your GRC system SP13 with SP14 as there are other bugs. For example, forwarding does not work as expected. (The problem occurs when reviewing a UAR request in SAP GRC Access Control with the FORWARD request functionality. After saving the request with the “SAVE” button (draft decisions), when the user tries to forward (FORWARD button) a particular line item to another person, the application confirms (“SELECTING ASSIGNEMNT HAS BEEN FORWARD”) but this line item still exists on the user review list.)
Hope this helps,
Filip
Hi Padmavathi,
Did you run the Full sync on the Object Repository (GRAC_REPOSITORY_OBJECT_SYNC) for roles, profiles and users?
Thanks,
Karthik.
Hi Filip/Karthik, Harinam,
Below is my observation with the Synch jobs in SP13.
User has one composite role and one single role assigned through GRC.
GRACROLEUSAGE table has entries for user with one composite and one single role correctly.
I raised a GRC request to get this composite role removed; the role was removed and the request is closed.
Now I ran the Synch jobs in the below sequence:
Authorization Data Synch
Repository Object Synch (both Incremental and Full synch modes)
Action Usage Synch
Role Usage Synch
I checked GRACROLEUSAGE table now for same user. Now the table has wrong entries. Single roles which are part of removed composite role are showing up in the GRACROLEUSAGE table.
This is because the Synch jobs are not properly updating the data to GRC tables.
Since the GRACROLEUSAGE table now has incorrect entries, the UAR job is creating requests with these entries and hence the UAR data is also wrong.
I have raised an OSS message to SAP with all these details.
I assume there should be some notes which need to be applied in target system and some in GRC system for fixing this issue.
Let me know if you know any details about this issue.
Meanwhile I will keep you posted with resolution from SAP.
Thanks & Regards,
Sai.
Hi,
What date range did you run the Role Usage Report with?