on 07-03-2014 7:41 PM
Hi,
On GRC10.0 SP12, we are able to configure Risk Terminator for PFCG role creation scenario, to check for violations against the GRC system and against the configured ruleset. In the plug-in system, the profile generation process would stop when the role is built to include two conflicting business functions thus alerting the Role administrator.
Please share your inputs on the following questions:
1) I was also hoping that it would interrupt the processing of role assignment, via SU01/SU10 on a role assignment with conflicting functions, but it did not. What could I be missing?
2)Is it possible to configure Alerts so that the role owner knows about the role assignment if it is a critical role (instead of a role with an SOD conflict)? A possible MSMP workflow that already exists on Risk Terminator?
Thanks, Pawan.
I have now learnt that CUA configuration is not supported for Risk Terminator scenario.
When I chose to save user assignment directly from PFCG though, I found that RT would invoke the GRC FM GRAC_API_RISK_ANALYSIS right after the plug-in system call to /GRCPI/GRIA_EXIT_USERS_SAVE.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Pawan,
seems that you are missing some configuration. Did you also take care about the plug-in system? You have to maintain some parameters there as well. Important are:
1000 Plug-In Connector
1001 GRC connector
1081 Enable Risk Terminator for PFCG Role Generation
1082 Enable Risk Terminator for PFCG User Assignment
1083 Enable Risk Terminator for SU01 Role Assignemnt
1082 Enable Risk Terminator for SU10 multiple user assignments
1085 stop role generation process
1087 send notification in case of violations
Best if you show us your configuration from GRC and the plug-in.
Best regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Pawan,
see also the very helpful document from Madhu
Alessandro,
Only after maintaining all these params in the GRC and plug-in systems, I got it working for pfcg role generator step, where it showed conflict. That part is working (according to param 1085)
Specifically, the SU01/SU10 role assignments are not getting flagged, as per the param settings in 1082, 1083.
And regarding the parameter setup, I followed the GRC&Plug-in system setup similar to the post
Thanks!
Yes, I did maintain all 4 user exists in the plug-in system including the following:
/GRCPI/GRIA_EXIT_USERS_SAVE -- i believe this one gets triggered on SU10 saving action
/GRCPI/GRIA_SINGLE_USERPROFS -- on SU01 action
And param 1000 is created in the plug-in system to point to the plug-in system itself, as loopback connection
I appreciate the quick response!
Pawan.
It is not registering any shortdumps in either GRC or plug-in clients.
I am not finding any other option to troubleshoot, except to debug the activity by setting a breakpoint in one of the above user exists. please share if you are aware of other troubleshooting steps.
I did perform a search on SAP Notes for this behavior in RT, but I could not find any relevant results that apply to our GRC 10 SP12 install running on NW 7.02
Parameter 1087 should take care of the alert notification.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Enable parameter ID 1083 and 1084 to YES
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.