cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Risk Terminator

Former Member

on ‎07-03-2014 7:41 PM

0 Kudos

Hi,

On GRC10.0 SP12, we are able to configure Risk Terminator for PFCG role creation scenario, to check for violations against the GRC system and against the configured ruleset. In the plug-in system, the profile generation process would stop when the role is built to include two conflicting business functions thus alerting the Role administrator.

Please share your inputs on the following questions:

1) I was also hoping that it would interrupt the processing of role assignment, via SU01/SU10 on a role assignment with conflicting functions, but it did not. What could I be missing?

2)Is it possible to configure Alerts so that  the role owner knows about the role assignment if it is a critical role (instead of a role with an SOD conflict)? A possible MSMP workflow that already exists on Risk Terminator?

Thanks, Pawan.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

Former Member
‎07-04-2014 6:20 PM
0 Kudos

I have now learnt that CUA configuration is not supported for Risk Terminator scenario.

When I chose to save user assignment directly from PFCG though, I found that RT would invoke the GRC FM GRAC_API_RISK_ANALYSIS right after the plug-in system call to /GRCPI/GRIA_EXIT_USERS_SAVE.

Show replies
Show replies
alessandr0
Active Contributor
‎07-04-2014 7:07 AM
0 Kudos

Dear Pawan,

seems that you are missing some configuration. Did you also take care about the plug-in system? You have to maintain some parameters there as well. Important are:

1000 Plug-In Connector

1001 GRC connector

1081 Enable Risk Terminator for PFCG Role Generation

1082 Enable Risk Terminator for PFCG User Assignment

1083 Enable Risk Terminator for SU01 Role Assignemnt

1082 Enable Risk Terminator for SU10 multiple user assignments

1085 stop role generation process

1087 send notification in case of violations

Best if you show us your configuration from GRC and the plug-in.

Best regards,

Alessandro


Show replies
Show replies
alessandr0
Active Contributor
‎07-04-2014 8:12 AM
0 Kudos

Pawan,

see also the very helpful document from Madhu

Former Member
‎07-04-2014 12:59 PM
0 Kudos

Alessandro,

Only after maintaining all these params in the GRC and plug-in systems, I got it working for pfcg role generator step, where it showed conflict. That part is working (according to param 1085)

Specifically, the SU01/SU10 role assignments are not getting flagged, as per the param settings in 1082, 1083.

And regarding the parameter setup, I followed the GRC&Plug-in system setup similar to the post

Thanks!

Former Member
‎07-04-2014 1:00 PM
0 Kudos

I cannot get to the link, it says unauthorized content..

alessandr0
Active Contributor
‎07-04-2014 1:04 PM
0 Kudos

okay - did you maintain the user exits? In total are four user exits to configure?

alessandr0
Active Contributor
‎07-04-2014 1:05 PM
0 Kudos

also keep an eye on parameter 1000 in the plug-in system. You have to manually configure in each system, as when you transport the parameter it has the wrong value. e.g. DEV > TEST > PROD, you have to adjust for each system.

Former Member
‎07-04-2014 1:12 PM
0 Kudos

Yes, I did maintain all 4 user exists in the plug-in system including the following:

/GRCPI/GRIA_EXIT_USERS_SAVE  -- i believe this one gets triggered on SU10 saving action

/GRCPI/GRIA_SINGLE_USERPROFS -- on SU01 action

And param 1000 is created in the plug-in system to point to the plug-in system itself, as loopback connection

I appreciate the quick response!

Pawan.

Former Member
‎07-04-2014 1:19 PM
0 Kudos

It is not registering any shortdumps in either GRC or plug-in clients.

I am not finding any other option to troubleshoot, except to debug the activity by setting a breakpoint in one of the above user exists. please share if you are aware of other troubleshooting steps.

I did perform a search on SAP Notes for this behavior in RT, but I could not find any relevant results that apply to our GRC 10 SP12 install running on NW 7.02

alessandr0
Active Contributor
‎07-04-2014 1:54 PM
0 Kudos

I've also checked the notes and cannot find the issue or a resolution. There is note 1770325 which seems to be similar than your issue. Also 1666294 is similar..

Former Member
‎07-04-2014 3:04 PM
0 Kudos

Thanks Alessandro for pointing them out and where applicable, I see that all configuration steps relevant for component GRC-ACP GRC Access Control Plug-In are already put in.

If it matters or not, I should mention that our plug-in system is V1000_731 SP03.

Former Member
‎07-03-2014 10:58 PM
0 Kudos

Parameter 1087 should take care of the alert notification.

Show replies
Show replies
Former Member
‎07-03-2014 10:51 PM
0 Kudos

Enable parameter ID 1083 and 1084 to YES

Show replies
Show replies
Former Member
‎07-04-2014 1:55 AM
0 Kudos

Thanks for the response, but those params are already set to YES

Ask a Question