
Risk Terminator user exit settings - AC10

leos
Active Participant

G'day All,

I would like your help/input in regards to the relevance/significance of the following user exit settings for Risk Terminator please:

Name                    Value to be set
SAP_AFTER_PROF_GEN      /GRCPI/GRIA_AFTER_PROF_GEN
SAP_BEFORE_PROF_GEN     /GRCPI/GRIA_BEFORE_PROF_GEN
SAP_EXIT_USERS_SAVE     /GRCPI/GRIA_EXIT_USERS_SAVE
SAP_SINGLE_USERPROF     /GRCPI/GRIA_SINGLE_USERPROFS

If it is easier, you can point me to the relevant documentation and I will find out for myself.

Thanks,

Leo..

Answers (1)

Colleen
Advisor

Hi Leo

Did you read the IMG help for the Risk Terminator Step or look at the PRGN_CUST table information for those parameters?

Regards

Colleen

leos
Active Participant

Hi Colleen,

I did check out the IMG help section for RT and that is where I got those parameters from. However it does not elaborate/specify what they are for.

I did not look at the 'PRGN_CUST' table as I wasn't aware of it but I will check it out now.


Thanks for your suggestions. Appreciate it.

Regards,

Leo..

leos
Active Participant

Sorry! No luck with that table, Colleen, but thanks anyway.

The table you mentioned is something to do with the default behavior of various security transactions.

Regards,

Leo..

alessandr0
Active Contributor

Leo,

What exactly do you want to know? Besides the user exits, you have to configure the config parameters so that RT works as expected.

Param ID  Description
1081      Enable Risk Terminator for PFCG Role Generation
1082      Enable Risk Terminator for PFCG User Assignment
1083      Enable Risk Terminator for SU01 Role Assignment
1084      Enable Risk Terminator for SU10 multiple User Assignments
1085      Stop role generation if violation exist
1086      Comments are required in case of violations
1087      Send Notification in case of violations
1088      Default report type for Risk Terminator

Please be aware that you have to configure your plug-in system as well as the GRC system.

Let us know what exactly you need to know.

Regards,

Alessandro

leos
Active Participant

Hello Alessandro,

Thanks for your response. My RT is working fine and it's all good thanks to your answer in an earlier question (Risk Terminator Configuration - AC10). So this isn't about that.

I am just curious to know what the relevance/significance of the aforementioned parameters (or whatever you call them) is in respect to user exits. I mean, what are they meant to be doing?


Please excuse my ignorance and I apologise if it is rather silly.


Regards,

Leo..

alessandr0
Active Contributor

Hi Leo,

Did you have a read about what user exits are?

That might be helpful to understand why to use user exits.

Regards,

Alessandro

Colleen
Advisor

To extend on Alessandro's comment on user exits...

Because you have activated Risk Terminator, when the program hits a part of the code for PFCG (Role build) or SU01/SU10 (Users) the user exit will tell SAP that Risk Analysis needs to be checked. Depending on your configuration parameters, if there is unmitigated risk the profile for the role cannot be generated or the access cannot be assigned to the user.

I mentioned the table PRGN_CUST before as some PFCG exits are configured there. I must have incorrectly thought the GRC plug-in step for those parameters was to that table. Sorry.

Regards

Colleen

leos
Active Participant

Thanks Alessandro. That was a good read and it helped to an extent what User Exits are meant to be doing. I vaguely had an idea of its functionality.

When the RT config specifies to enable something, for example:

SAP_AFTER_PROF_GEN         /GRCPI/GRIA_AFTER_PROF_GEN


All I wanted to know is, what this particular sentence does in the background by me enabling. Maybe I am thinking more than I should but that's just me.


Regards,

Leo..

leos
Active Participant

Thanks Colleen. To extend what I mentioned in Ale's reply: I kinda knew that is what it is supposed to be doing, but the reason why I asked the question is, let's say instead of the aforementioned four parameters, I only add 2 or 3, what would be the consequences? What is the missing parameter meant to be doing, etc. So that was the reason why I raised a question. Maybe there is no point in going that deep. Thought I'll just ask.

Thanks for your input guys. I'll close this post now.

Regards,

Leo..

Colleen
Advisor

Hi Leo

Can you please check if the values you entered are actually in the SSM_CUST table? I think I mixed the two up before.

The /GRCPI/* is executed after profile generation. You are telling SAP to perform some extra steps in the system. I don't have access to SAP but I think it is a function module. You could verify where this comes into play but running ST05 trace (SQL) against replicating

If you only put some of them in then it would depend on configuration parameters and the scenario. You could enable risk terminator for PFCG role build only but not Users. This configuration is necessary to know what to go execute

Regards

Colleen

leos
Active Participant

Thanks Colleen. You did get mixed up with your tables as SSM_CUST seems to hold those values. So good on ya for redeeming yourself. However it doesn't go into detail. But thanks anyway as I learned a few new things because of this 'question'.

"The /GRCPI/* is executed after profile generation. You are telling SAP to perform some extra steps in the system."

  • I gathered that much from the 'AFTER_PROF' bit.

"You could verify where this comes into play but running ST05 trace (SQL) against replicating".

  • This is new to me. I know about ST01 and I've used it but never this one. Would you be terribly kind enough to explain how to go about it please. However I do not want to use you guys as my personal consultant as Gretchen pointed out in one of the blogs somewhere. I'll do a search on ST05.

Thanks Colleen. Appreciate it.


Regards,

Leo..

Colleen
Advisor

Hi Leo

Yes, take Gretchen's advice on this and do a little research first. ST05 uses the same trace file as ST01 but has a different layout. ST01, ST05 and STAUTHTRACE transactions are all pretty much self-explanatory. ST05 will get you more into the SQL part (i.e. trace the risk terminator step and then search for the SQL call to the SSM_CUST table).

I recommend you also research (especially if you are trying to learn security as well) the SSM_CUST and PRGN_CUST tables in relation to SU01 and PFCG. If you look at table SSM_CID you will see the key for the two tables. If you have Marketplace access some of these values provide the note for further details.

Running the trace (or even teaching yourself how to debug code) will help you find where the user exit is for PFCG and then you can see how it goes to the SSM_CUST table to find what to exit to

Regards

Colleen
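
An added example (not from any poster in this thread and not SAP code): a Python check that compares a tab-separated export of SSM_CUST against the four entries listed in the original question and reports each as OK, MISSING, MISMATCH or CONFLICT. The export layout, the ID/PATH column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Expected entries, exactly as listed in the question on this page.
EXPECTED = {
    "SAP_AFTER_PROF_GEN": "/GRCPI/GRIA_AFTER_PROF_GEN",
    "SAP_BEFORE_PROF_GEN": "/GRCPI/GRIA_BEFORE_PROF_GEN",
    "SAP_EXIT_USERS_SAVE": "/GRCPI/GRIA_EXIT_USERS_SAVE",
    "SAP_SINGLE_USERPROF": "/GRCPI/GRIA_SINGLE_USERPROFS",
}

# Constructed sample export (tab-separated; ID/PATH column names are assumed).
SAMPLE_EXPORT = (
    "ID\tPATH\n"
    "SAP_AFTER_PROF_GEN\t/GRCPI/GRIA_AFTER_PROF_GEN\n"
    "SAP_BEFORE_PROF_GEN\t/GRCPI/GRIA_BEFORE_PROF_GEN \n"  # trailing blank
    "SAP_SINGLE_USERPROF\t/GRCPI/GRIA_SINGLE_USERPROF\n"   # final S missing
    "SOME_OTHER_SETTING\tYES\n"                            # unrelated row
)


def audit_exits(export_text, expected=EXPECTED):
    """Return {entry: (status, found_value)} for each expected entry."""
    found = {}
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    for row in reader:
        name = (row.get("ID") or "").strip().upper()
        if name in expected:
            found.setdefault(name, []).append((row.get("PATH") or "").strip())

    report = {}
    for name, want in expected.items():
        values = found.get(name, [])
        if not values:
            report[name] = ("MISSING", None)      # exit not configured at all
        elif len(set(values)) > 1:
            report[name] = ("CONFLICT", values)   # same entry, different values
        elif values[0] != want:
            report[name] = ("MISMATCH", values[0])
        else:
            report[name] = ("OK", values[0])
    return report


if __name__ == "__main__":
    for name, (status, value) in audit_exits(SAMPLE_EXPORT).items():
        print(f"{status:<9}{name:<22}{value}")
```
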

leos
Active Participant

Thank you so much Colleen. Appreciate all the advice and suggestions.

I did find a thread about it and gave it a quick read. It's a bit confusing as to what to do after I activated the trace ("i.e. trace the risk terminator step and then search for the SQL call to the SSM_CUST table"). But I'll read it again in detail to try and get my head around it.

I will also look into SSM_CUST and PRGN_CUST tables in relation to SU01 and PFCG.


Regards,

Leo..