End User Home Configuration

chris_hall2
Participant
0 Kudos


We have started the configuration of GRAC 10.1. For the end user, we have configured AD as the authentication to log in to the web application. As a default, I only see the following options when I sign in to the web link. How do I get some of the available options I see within NWBC for our end users? I'm looking to add things like Risk Analysis, Work Inbox, Mitigating Controls and some Firefighter details.

http://XXXXXXXXXXXXXXX:XXXX/sap/bc/webdynpro/sap/grac_uibb_end_user_login?sap-client=500&sap-languag...

Access Request Creation

Create access assignments, accounts

Quick Links
Access Requests
Model User
Template Based Request
Copy Request

My Profile

Manage and view personal access control information, assignments, and requests

Quick Links
My Profile
Request Status
Password Self-Service
Name Change
Register Self-Service Questions

Thank you for your assistance.

Accepted Solutions (1)

kevin_tucholke1
Contributor
0 Kudos

Chris:

This is not possible as the End User Home page is to allow people not in GRC to execute provisioning type requests (i.e. Access Request, Password Reset).  This page is an SAP service where a requestor can be authenticated by a connected system (i.e. LDAP/AD or SAP HR), and submit requests but does not need a User ID in the GRC system directly.  In actuality, it will be the 'Guest User' that is on the Logon tab of the service that is processing the request from a technical point of view.  The user is listed as the requestor for the item.

For ANY items that are beyond what is on the delivered page, the user MUST have an ID in the GRC system with a valid email address and use the 'normal' NWBC page which is controlled by which security roles you provide on their SU01 entry.

I hope this helps.

Kevin Tucholke

Principal Consultant

SAP America

chris_hall2
Participant
0 Kudos

Thank you, Kevin. This is not good news. Having to set up thousands of IDs and continuously maintain them is not what we really wanted.

Any way to configure the ABAP system with an SSO linked to AD and have those IDs set up with a set of default roles? Would this then allow the users to use their AD accounts to log into NWBC directly?

kevin_tucholke1
Contributor
0 Kudos

Chris:

What you can do, and I have done this at another customer, is to do an ABAP LDAP sync with users from LDAP (this is native to NetWeaver and not just GRC).  The transaction to use would be RSLDAPSYNC_USER.  A Basis person in your company should be aware of this program.

I did this at a large Software company for 10K+ users as they did not want to use the End User Logon page.  It works perfectly.  I was able to add the needed items and the 'default roles' that everyone would get to make requests, and even created a new "End User Page" that was internal to the GRC system to make use of the SSO functionality.  It is also important to note that the delivered End User Logon page does not support SSO because of the functionality of that service.

You would need to look at the options in this for managing changes in users, and there are different options that you can use in this program.

Cheers,

Kevin Tucholke

Principal Consultant

SAP America

chris_hall2
Participant
0 Kudos

OK, perfect. Thank you again! I will look into this further and discuss with our team.

former_member193066
Active Contributor
0 Kudos

Hello,

The end user logon has a web service which is run by the guest user, as Kevin already said.

If you maintain that, it will be applicable for all users.

If it is for a few users, you can create your own logon page, and for that you need an ABAP + workflow resource, as the person might have to use the standard OIF component; that will enable submitting requests as well, for access request submission.

Regards,

Prasant

Former Member
0 Kudos

Hi Kevin,

Thanks for the insight. From your post, I infer that the RSLDAPSYNC_USER program creates the users automatically in the GRC box with the default roles that need to be assigned? Is my understanding correct?

Regards,

Raghu

former_member193066
Active Contributor
0 Kudos

This message was moderated.

kevin_tucholke1
Contributor
0 Kudos

You can assign the BASE roles in your LDAP USER Sync.  You would just need to configure the job to do so.

Former Member
0 Kudos

Thanks Kevin. If you look at the actual question, Chris is looking to assign options such as Risk analysis, mitigating controls and FF related options to the end users.

I don't think every user needs access to these options. Is there a possibility to differentiate a subset of users while using the ABAP program mentioned in your post?

@Chris - I infer that you need the access only for a limited number or a subset of users. Confirm?

Regards,

Raghu

chris_hall2
Participant
0 Kudos

Hello Raghu,

Yes, we would like to be able to have one link for all users (~28,000).  We then have approximately 2,500 users that would be approvers within the workflow of the various tickets.

Our goal is to have the one link as I mentioned, not to segregate the 2,500 role owners, business controls, managers, security teams. That 2,500 number changes daily within the organization due to attrition, new hires, promotions etc. We cannot physically manage this within the ABAP.

Answers (1)

Trinetra_Bhusha
Active Participant
0 Kudos

This message was moderated.