cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Problem with deleting role assignments over Workflow

Go to solution
Former Member

on ‎07-16-2014 3:47 PM

0 Kudos

Hello experts,

we face a strange problem, which until today i could not find the solution.

We are using GRC10 with SP 15 and we have several systems added.

I create a request for another user and i am choosing from existing role assignments one role from a backend system.

Role goes to approver, approver approves the role deletion and request is completed.

But when i check the user roles in the system the role is still assigned. In the provision logs, it says the role was succesfully removed.

In ST01 traces not errors.

Only error i see is in the SLG1 --> role XXXXXXX is not assigned to user XXXXXX

When i perform a deletion in the GRC system and want to remove a role from GRC itself, provision is working fine. When i add roles to user, it is working for all systems, no problems here.

So i am guessing something in the workflow is not working. any suggestions?

thanks

cheerz,david

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-25-2014 2:04 PM
0 Kudos

The solution to the Problem is the Note 2036236

Cheerz,

david

Show replies
Show replies

Answers (2)

Answers (2)

alessandr0
Active Contributor
‎07-17-2014 2:42 PM
0 Kudos

Hi David,

did you check whether GRC synced correctly? Please see table GRACUSERROLE if the assignments are correct for user and connector. The USERROLEID field can be linked with ROLEID from table GRACROLE.

Just for my information: do you use business roles or technical roles? There are several notes regarding deprovisioning of business roles which doesn't work properly.

Regards

Alessandro

Show replies
Show replies
Former Member
‎07-17-2014 4:14 PM
0 Kudos

Hi Alessandro,

we are using technical roles and i thing we have a problem with the data in the grac tables based on your answer for checking the GRAC tables.

I could not find a link between the tables, but i could find somethiing else which is interesting: IN the GRAC_User Table i have not an entry for my test user.. but i have an entry of him in the tables: GRACUSERROLE and CRACUSERPROFILE.

I performed a full sync and i could solve the inconsistent data in the GRAC_USER but the provisioning still not working..

thanks for your answer!

cheerz

alessandr0
Active Contributor
‎07-17-2014 4:36 PM
0 Kudos

Hi David,

very strange and I don't know how to fix yet. Did you try to change the assignment instead of removing the role? Actually I mean set provisioning action to retain and change the validity date. This shouldn't work either.

I have also checked some sap notes but don't find your case. Maybe you can check the following:

http://service.sap.com/sap/support/notes/2034986

Regards,

Alessandro

Former Member
‎07-18-2014 9:48 AM
0 Kudos

Hi Alessandro,

i tried with changing the date of the validity of the role and it worked...

Strange case..

Anyway, i am working on it and let you know when i found the error

Thanks,

david

FilipGRC
Contributor
‎07-17-2014 9:52 AM
0 Kudos

Hi David,

we had similar issue, and reason for it was very simple - the user had the same role assigned twice.

This happens as users are often using action asign for roles which are currently asigned to them instead of 'retain' in order to extend the validity period.

Check if this was a case in your situation.

Filip

Show replies
Show replies
Former Member
‎07-17-2014 10:03 AM
0 Kudos

hi Filip

thanks for your answer. We have faced also this issue in the past with the dates and double roles.. unfortunately this is not our case here.

thanks anyway!

cheerz,david

alessandr0
Active Contributor
‎07-17-2014 2:27 PM
0 Kudos

Filip,

to remove double assignments and also to remove expired roles from a user you can use the program PRGN_COMPRESS_TIMES. The program offers simulation functionality where you can check the output before perfoming.

Regards,

Alesssndro

Ask a Question