GRC AC - HCM as user search data source

Former Member
0 Kudos

Hello all,

I've configured GRC AC to use HCM as user search data source and also user details data source. During my user change tests through the "Access Request" function, I noticed that only users existing at SU01 and HCM (checked through PA30) appear in the access request User Selection. Users existing at HCM but not at SU01 don't appear.

Can someone tell me why? I mean, if I configured the user search to use HCM as data source, shouldn't it bring all HCM users regardless of their existence at SU01?

Thanks in advance,

Pedro

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi All,

I am also facing the same issue while searching the user details in the access request form, but with a slight difference: the User ID and user details are populated in the access request form, but when we search for a user by first or last name, no data is populated for the search result.

Please assist!


Thanks in advance!

Regards,

Shivani

Former Member
0 Kudos

Shivani,

Per the SCN Rules of Engagement, please do not tag onto an old discussion thread, particularly when the details are different. Also, per the minimum information required in this space, when you start your new discussion, be sure to include the GRC release and SP you are on and Notes/corrections applied to address the issue, if any.

Thanks,

Gretchen Lindquist

Space Moderator

santosh_krishnan2
Participant
0 Kudos

This sounds like an authorization issue. Have you checked that?

alessandr0
Active Contributor
0 Kudos

Hi Pedro,

Have you installed the plug-in GRCPIERP? It's required to gather HR information.

Regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

Yes, I've installed the plug-in. The information from HCM is correctly gathered, but only for users existing in HCM and SU01.

At the user details tab, information like the Manager is correctly displayed (once again, only for users at HCM and SU01).

Thanks,

Pedro

former_member193066
Active Contributor
0 Kudos

Hello,

Your user search is HCM, so only HCM users will be shown.

Regards

Prasant

Former Member
0 Kudos

The problem is exactly this. I have 10+ users at HCM, and only two of them are displayed during the search. These two users are also created at SU01; the other 8+ users are not.

On the other side, we have 50+ users registered at SU01; these users are not displayed (as expected).

The question here is:

Why is GRC AC showing only users created at HCM and SU01 if I'm using only the HCM search option?

Regards,

Pedro

Former Member
0 Kudos

Hi Pedro,

The details are coming/not coming as per the configurations done for the data source and user detail data source.

Could you please paste the snapshots of "Maintain data source configuration" under SPRO?

Then it would be easier to help you understand.

Regards,

Ameet

former_member193066
Active Contributor
0 Kudos

Hello Pedro,

Yes, those who are at SU01 will be displayed.

When you say 50+ users on the other side, if you mean another system, then maintain that connector as user search data source in sequence 2, then do a repository object sync.

Check the GRACUSER table in the GRC system.

Filter by connector name and look at how many are actually getting synced.

Regards,

Prasant

Former Member
0 Kudos

Hi Ameet,

Below is the configuration.

Former Member
0 Kudos

Prasant,

When I talked about the 10+ users at HCM and 50+ users at SU01 I was talking about the same system.

Example: ECC/HCM contains 10 users registered at HCM and 50 at SU01.

I've configured GRC AC to search users only at HCM. And only two of the 10 users were found. Then I discovered these two users are also created at SU01; the other 8 are not.

The question is why? I'm not able to understand what's happening.

Regards,

Pedro

former_member193066
Active Contributor
0 Kudos

User search is SU01 and user details data source is HR.

Try this.

Regards,

Prasant

Former Member
0 Kudos

Hi Pedro,

As per your snapshots, you are using HR details for user search data sources. So only users maintained in HR details with PA30 will appear in access requests with the details.

But in the case of the user detail data source, if you maintain it at SU01, then all the users defined at SU01 will pop up in the access requests.

With respect to your last reply about 2 users, those accounts would've been maintained at SU01 manually; that is the reason you are able to see these user details at SU01 level and HCM level as well.

Regards,

Ameet

Former Member
0 Kudos

But at user search, I want the users created at HCM, not SU01.

When a new employee is hired he will be created at HCM. Then an Access Request will be created to grant access at the systems.

Regards,

Pedro

former_member193066
Active Contributor
0 Kudos

First of all, what's your landscape?

What you need is an HR trigger for new user creation.

Regards,

Prasant

Former Member
0 Kudos

Hi Pedro,

You only have confirmed that 2 accounts are maintained in HCM and in SU01 as well, so you would be able to see these accounts' details both ways.

Yes, you are right about user account maintenance first in HCM at the time of new hire, then you can manually raise the access request to grant them access to various SAP systems. Or in order to automate this process as Prasahant suggested, you can take help from HR Triggers.

You can refer: GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki

But responding to your original discussion, whatever user accounts are maintained in HCM, you would see those details provided you define HR for the "user search data source" AND SU01 for the "user detail data source".

In your case you have 2 accounts which have been maintained in HCM as well as SU01, so that is what is creating confusion for you.

Let us know if you need any more clarifications.

Regards,

Ameet

Former Member
0 Kudos

Hello Ameet,

I think we are not understanding each other. Please let me explain in another way:

1 - We have two systems, GRC AC, SID = GRC and ECC/HCM, SID = ECD.

2 - HCM (ECD) has users Paul and John registered.

3 - SU01 (ECD) has only Paul created.

4 - GRC is configured to use HCM as User Data Source for Search and User Details.

5 - When we do a Change Account, only user Paul appears at the Search User functionality.

6 - All Users Details from Paul appear at User Details.

7 - User John is not found.

Conclusion:

This means HCM can be used for User Search and User Details.

Question:

Why is John not appearing at the user search? What are the possible causes?

Regards,

Pedro

former_member193066
Active Contributor
0 Kudos

Hello Pedro,

Please make the user search SU01 or LDAP (which is blank), even though ECC and HCM are the same system.

User details data source is your HR.

Users are searched from the SU01 attribute and their details are from relationship either A002 or B012.

Ensure the user ID is maintained in infotype 0105, field 0001, ID/SAP user id.

Regards,

Prasant

santosh_krishnan2
Participant
0 Kudos

Hi Prashant,

I'm not sure the question was answered, but I am seeing this same problem and could use some input.

1. GRC DEV user data sources has one entry for each (search, Details and Authentication) - QAS.  QAS hosts HR.  It has been set to HR and not SU01.

2. When I open an access request form, the users who are pulled up ALL have SU01 user master records.  However, users who do not have a user master record from HR are not pulled up.

There is a user in HR that needs to be setup in ECC.  Since I am unable to pull up his name, I can't create an access request.

This seems to be the same issue in this thread.  It also seems that you have the answer but it's not clear to me.  If you don't mind, please let me know.

Thanks,
Santosh

santosh_krishnan2
Participant
0 Kudos

Ameet,

Your answer almost answered this issue, as I am having it as well. 

In the first part of your answer, you conclude that you can raise the request manually, or use HR triggers. 

Now my case is the same as Pedro's.  I have users in HR, who do not exist in SU01.  I need to submit an access request for them but they do not appear when I search for them.  For example, take Mr. Walters.  He exists in HR, but not in SU01. 

Data sources point to HR, for search, detail and authentication.

When I open a request and search for Mr. Walters, his name doesn't come up.

Now what setting am I missing that would allow his name to appear in a new user request?

Thanks,

Santosh

former_member193066
Active Contributor
0 Kudos

Hello Santosh,

When you set the user search data source as the HR system,

it will always look for the user in HR master data, not SU01, as per my understanding.

On top of it, when you sync users, it will sync depending upon your HR org structure.

If you have relation A002, you will see the users in GRC tables, not for relation B012.

In B012, when you sync you will see the user in SU01 only.

If you want to search for that user, look for the user's communication type and check if its value is maintained in infotype 0105 and subtype 0001.

Regards,

Prasant