Run-time error DBIF_RSQL_INVALID_RSQL during search request, after create / assignment of a newly created role

former_member225180
Participant
0 Kudos

Dear all,

I have created a new role to create GRC access request.

The requirement was that not all request types should be created by a group of users.

I have copied the content of SAP standard role SAP_GRAC_ACCESS_APPROVER to a new role S:N:AC:RC_APPROVER:00000.

I've removed only the request type 'Exception Approval'.

SAP_GRAC_ACCESS_APPROVER:

New role S:N:AC:RC_APPROVER:00000:

The change was successful. The request type can not be selected during the creation of a new AR.

But if a user - which has the new role - tries to search for access request, the system shows an error message after pressing the "Search" button.

I have checked

  • ST22

  • SM21

But it doesn't help me to solve the problem.

I think I have to execute further settings, but I did not know which one?

Can someone help me, please?

BR

Melanie

Accepted Solutions (1)

Former Member
0 Kudos

Just a thought,

Should the restriction not be applied on a "Requester" role rather than an "Approver" role? The approver would usually be determined by the workflow (AC Owner types or your custom Agents).

Also, would you be able to double check if the authorisations are causing issues by performing a ST01 Auth trace against the user ID and see what authorisation checks come back with a RC=4?

Also let us know what version of GRC you are using and what Support Pack Level.

former_member225180
Participant
0 Kudos

Hi Harinam,

From my logic you are right.

The restriction is in two new roles (Requestor and Approver role).

But ->

If I assign my approver role, the selection possibilities of the request types during the AR creation are restricted and the AR search function does not work.

If I assign my requestor role, the restriction of the request type is not there, but the AR search function works again. 😞

If I assign the original approver role of SAP, I have the same behaviour for the AR search.

Both new roles are a 1:1 copy of the SAP standard roles -> Exception, restriction on request type 'Exception Approval' is not displ.

I have executed ST01 now. If I try to open the log, the system says "No records that correspond to these search criteria".

But I have found something else.

The problem appears only if I search for Process ID "Access Request Approval Workflow".

If I select other Process ID such as "Control Assignment Approval Workflow" or "Fire Fighter Log Report Review Workflow", everything works fine.

Very strange!

BR

Melanie

Former Member
0 Kudos

Hi Melanie,

Maybe there are a few things to try here. It is still a challenge at times to fully master and understand the different GRC authorisation object combinations to achieve the restrictions you wish to impose, but you could try the following.

Have you tried restricting the authorisations in object GRAC_ROLEP? I am wondering if you could have the ACTVT = 78 (assign) only in the requester role and not the approver role. This could mean that the assignment of the role into a request can only be performed by the requester.

Secondly, I would have assumed that access to the Access Request Admin functionality would not be provided to the normal end users, therefore is there a specific reason as to why you require the approver or requester to be accessing the search functionality from this screen? Administrators would require access to all request types in the first place.

former_member225180
Participant
0 Kudos

Hi Harinam,

meanwhile I have solved the issue.

I have added the authorization object twice.

I have separated the change / creation from the display authorizations in my approver role.

- Create / change of AR should only be allowed for defined access request types.

- Search / display AR is generally assigned.

Now it works!

Thank you for the support!

BR

Melanie


Former Member
0 Kudos

I was going to mention the fix you did, but got busy with work. I am glad that worked. Good old authorisation double entries with different values.
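
The "double entry" fix described in the last two posts can be illustrated with a simplified model of how an authority check evaluates several authorizations for one object. This is an added example, not code from the thread or from SAP; the field name `REQ_TYPE` and the request type names other than 'Exception Approval' are assumptions made for illustration.

```python
# Simplified model of an authority check against one authorization object.
# Assumptions: REQ_TYPE is a hypothetical field name; the request types
# other than 'Exception Approval' are constructed sample values.
ALL_TYPES = {"New Account", "Change Account", "Exception Approval"}
ALLOWED = ALL_TYPES - {"Exception Approval"}

CREATE, CHANGE, DISPLAY = "01", "02", "03"  # standard ACTVT values


def field_ok(granted, value):
    """A field passes if the authorization holds '*' or the checked value."""
    return "*" in granted or value in granted


def authority_check(authorizations, **checked):
    """Pass if at least ONE authorization satisfies ALL checked fields.

    Fields are ANDed inside a single authorization; separate
    authorizations for the same object are ORed.
    """
    return any(
        all(field_ok(auth.get(name, set()), value)
            for name, value in checked.items())
        for auth in authorizations
    )


# One authorization: restricting the request type also restricts display.
single_entry = [
    {"ACTVT": {CREATE, CHANGE, DISPLAY}, "REQ_TYPE": ALLOWED},
]

# Object added twice: create/change restricted, display granted for all types.
double_entry = [
    {"ACTVT": {CREATE, CHANGE}, "REQ_TYPE": ALLOWED},
    {"ACTVT": {DISPLAY}, "REQ_TYPE": {"*"}},
]


def summary(role):
    """Outcome of the three checks that matter for the scenario in the thread."""
    exc = "Exception Approval"
    return {
        "create_exception": authority_check(role, ACTVT=CREATE, REQ_TYPE=exc),
        "display_exception": authority_check(role, ACTVT=DISPLAY, REQ_TYPE=exc),
        "create_allowed": authority_check(role, ACTVT=CREATE, REQ_TYPE="New Account"),
    }


if __name__ == "__main__":
    print("single:", summary(single_entry))
    print("double:", summary(double_entry))
```

In the model, both roles block creation of 'Exception Approval' requests, but only the role with two separate authorizations still passes a display check for every request type.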

Answers (0)