on 09-04-2014 7:55 AM
G'day All,
I would like your help/input in regards to the relevance/significance of the following user exit settings for Risk Terminator please:
Name | Value to be set |
SAP_AFTER_PROF_GEN | /GRCPI/GRIA_AFTER_PROF_GEN |
SAP_BEFORE_PROF_GEN | /GRCPI/GRIA_BEFORE_PROF_GEN |
SAP_EXIT_USERS_SAVE | /GRCPI/GRIA_EXIT_USERS_SAVE |
SAP_SINGLE_USERPROF | /GRCPI/GRIA_SINGLE_USERPROFS |
If it is easier, you can point me to the relevant documentation and I will find out for myself.
Thanks,
Leo..
Hi Leo
Did you read the IMG help for the Risk Terminator Step or look at the PRGN_CUST table information for those parameters?
Regards
Colleen
Hi Colleen,
I did check out the IMG help section for RT and that is where I got those parameters from. However it does not elaborate/specify what they are for.
I did not look at the 'PRGN_CUST' table as I wasn't aware of it but I will check it out now.
Thanks for your suggestions. Appreciate it.
Regards,
Leo..
Leo,
what exactly do you want to know? Besides the user exits, you have to configure the config parameters so that RT works as expected.
Param ID | Description |
1081 | Enable Risk Terminator for PFCG Role Generation |
1082 | Enable Risk Terminator for PFCG User Assignment |
1083 | Enable Risk Terminator for SU01 Role Assignment |
1084 | Enable Risk Terminator for SU10 multiple User Assignments |
1085 | Stop role generation if violation exist |
1086 | Comments are required in case of violations |
1087 | Send Notification in case of violations |
1088 | Default report type for Risk Terminator |
Please be aware that you have to configure your plug-in system as well as the GRC system.
Let us know what exactly you need to know.
Regards,
Alessandro
Hello Alessandro,
Thanks for your response. My RT is working fine and it's all good thanks to your answer in an earlier question (Risk Terminator Configuration - AC10). So this isn't about that.
I am just curious to know what the relevance/significance of the aforementioned parameters (or whatever you call them) is in respect to user exits. I mean, what are they meant to be doing?
Please excuse my ignorance and I apologise if it is rather silly.
Regards,
Leo..
To extend on Alessandro's comment on user exits...
Because you have activated Risk Terminator, when the program hits a part of the code for PFCG (Role build) or SU01/SU10 (Users) the user exit will tell SAP that Risk Analysis needs to be checked. Depending on your configuration parameters, if there is unmitigated risk the profile for the role cannot be generated or the access cannot be assigned to the user.
I mentioned the table PRGN_CUST before as some PFCG exits are configured there. I must have incorrectly thought the GRC plug-in step for those parameters was to that table. Sorry.
Regards
Colleen
Thanks Alessandro. That was a good read and it helped to an extent what User Exits are meant to be doing. I vaguely had an idea of its functionality.
When the RT config specifies to enable something, for example:
SAP_AFTER_PROF_GEN /GRCPI/GRIA_AFTER_PROF_GEN
All I wanted to know is, what this particular sentence does in the background by me enabling. Maybe I am thinking more than I should but that's just me.
Regards,
Leo..
Thanks Colleen. To extend what I mentioned in Ale's reply: I kinda knew that is what it is supposed to be doing, but the reason why I asked the question is, let's say instead of the aforementioned four parameters, I only add 2 or 3, what would be the consequences? What is the missing parameter meant to be doing, etc. So that was the reason why I raised a question. Maybe there is no point in going that deep. Thought I'll just ask.
Thanks for your input guys. I'll close this post now.
Regards,
Leo..
Hi Leo
Can you please check if the values you entered are actually in the SSM_CUST table? I think I mixed the two up before.
The /GRCPI/* is executed after profile generation. You are telling SAP to perform some extra steps in the system. I don't have access to SAP but I think it is a function module. You could verify where this comes into play by running ST05 trace (SQL) against replicating
If you only put some of them in then it would depend on configuration parameters and the scenario. You could enable risk terminator for PFCG role build only but not Users. This configuration is necessary to know what to go execute.
Regards
Colleen
Thanks Colleen. You did get mixed up with your tables as SSM_CUST seems to hold those values. So good on ya for redeeming yourself. However, it doesn't go into detail. But thanks anyway as I learned a few new things because of this 'question'.
"The /GRCPI/* is executed after profile generation. You are telling SAP to perform some extra steps in the system."
"You could verify where this comes into play by running ST05 trace (SQL) against replicating".
Thanks Colleen. Appreciate it.
Regards,
Leo..
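
Added example (not part of the original thread and not SAP's code): a small audit that reads a text export of SSM_CUST and reports which of the four Risk Terminator exits from the first post are missing or point somewhere unexpected, which is the "only 2 or 3 entries" situation raised above. The pipe-delimited layout and the `ID`/`PATH` column names are assumptions about the export, and the sample rows are constructed.

```python
# Expected name/value pairs, taken from the first post in this thread.
EXPECTED = {
    "SAP_AFTER_PROF_GEN": "/GRCPI/GRIA_AFTER_PROF_GEN",
    "SAP_BEFORE_PROF_GEN": "/GRCPI/GRIA_BEFORE_PROF_GEN",
    "SAP_EXIT_USERS_SAVE": "/GRCPI/GRIA_EXIT_USERS_SAVE",
    "SAP_SINGLE_USERPROF": "/GRCPI/GRIA_SINGLE_USERPROFS",
}

# Constructed sample export (assumed layout): one exit missing, one repointed.
SAMPLE = """\
|---------------------|-----------------------------|
| ID                  | PATH                        |
|---------------------|-----------------------------|
| SAP_AFTER_PROF_GEN  | /GRCPI/GRIA_AFTER_PROF_GEN  |
| SAP_BEFORE_PROF_GEN | /GRCPI/GRIA_BEFORE_PROF_GEN |
| SAP_EXIT_USERS_SAVE | Z_CONSTRUCTED_OTHER_FM      |
| CONSTRUCTED_OTHER   | YES                         |
|---------------------|-----------------------------|
"""

def parse_export(text):
    """Parse the pipe-delimited export into {name: value}, skipping
    the header row, separator rows and anything that is not two cells."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or not cells[0]:
            continue
        if cells[0] == "ID" or set(cells[0]) <= {"-"}:
            continue
        rows[cells[0].upper()] = cells[1]
    return rows

def audit(rows):
    """Return {exit name: finding} for every expected exit that is absent
    or whose value differs from the expected /GRCPI/ entry."""
    findings = {}
    for name, want in EXPECTED.items():
        got = rows.get(name)
        if got is None:
            findings[name] = "missing"
        elif got.upper() != want:
            findings[name] = "unexpected value: " + got
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_export(SAMPLE)).items():
        print(f"{name}: {finding}")
```

An empty result means all four entries are present with the values listed in the first post; it says nothing about parameters 1081 to 1088, which are configured separately.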
Hi Leo
Yes, take Gretchen's advice on this and do a little research first. ST05 uses the same trace file as ST01 but has a different layout. ST01, ST05 and STAUTHTRACE transactions are all pretty much self-explanatory. ST05 will get you more into the SQL part (i.e. trace the risk terminator step and then search for the SQL call to the SSM_CUST table).
I recommend you also research (especially if you are trying to learn security as well) the SSM_CUST and PRGN_CUST tables in relation to SU01 and PFCG. If you look at table SSM_CID you will see the key for the two tables. If you have Marketplace access some of these values provide the note for further details.
Running the trace (or even teaching yourself how to debug code) will help you find where the user exit is for PFCG and then you can see how it goes to the SSM_CUST table to find what to exit to.
Regards
Colleen
Thank you so much Colleen. Appreciate all the advice and suggestions.
I did find a thread about it and gave it a quick read. It's a bit confusing as to what to do after I activated the trace ("i.e. trace the risk terminator step and then search for the SQL call to the SSM_CUST table"). But I'll read it again in detail to try and get my head around it.
I will also look into SSM_CUST and PRGN_CUST tables in relation to SU01 and PFCG.
Regards,
Leo..