cancel
Showing results for 
Search instead for 
Did you mean: 

Role Usage Sync Job and UAR Request Generation Job - Lock Codes

Former Member
0 Kudos

Hello SAP Experts,

I remember in GRC 5.3, Role usage synchronization job can be run by excluding the Locked users with different lock codes.

In GRC 10.0, do we have the same option available? I couldn't find this option. Also I wanted to know that during UAR request generation job, we will have an option to exclude Locked users. What lock code is considered with that option? Is it Admin lock or Lock due to incorrect logons?

Please help if anyone aware of this.

Thanks in advance


~ Madan

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
0 Kudos

Dear Madan,

you can use the filter criterias to filter locked and expired users.


Based on your SP level check also the following note: http://service.sap.com/sap/support/notes/1970118

Let us know if you need furhter details.

Best regards,

Alessandro

Former Member
0 Kudos

Dear Alessandro,

Thanks for the details.

I know that I can select these options for excluding the locked and expired users from UAR request generation job.

But my query is more on which lock codes are considered while executing Role Usage synchronization Job as well as during execution of UAR request generation job. Is it Admin lock or Lock due to incorrect logons?

~Madan


Colleen
Advisor
Advisor
0 Kudos

Hi Madan

Isn't this something you could quickly test yourself and report back to the community? I would assume that it is System Admin Lock. However, why not set up four users -

  1. one user with zero lock
  2. one with incorrect password (128)
  3. one with system admin lock (64)
  4. one with combination (128 +64)

Ensure they all have the same roles to cause the same risk. Run your report and see what results come up.

Questions like these are great but it's also an opportunity for you to verify yourself instead of being told.

Also, I think there are some configuration parameters (probably more batch risk analysis) that allows you to exclude certain user scenarios.

Regards

Colleen

Former Member
0 Kudos

Hi Madan,

Adding up to Colleen's comments, for UAR sync jobs it  will include all locked users' types.

You can do a test run for role usage sync jobs, not so sure about this.

These concerns are not technical where you would need anyone's help but a bit of effort will do.

Regards,

Ameet

madhusap
Active Contributor
0 Kudos

Hi Madan,

Adding to Colleen and Ameet.

As far as I know, there are no parameters to exclude locked users based on specific lock codes for both Role Usage Synch job and UAR request generation job.

Role Usage Synch Job - Will pull all the users locked and stores in GRACROLEUSAGE table.

UAR Request generation Job - Reads data from GRACROLEUSAGE table along with various other tables, since role usage job doesn't restrict pulling of users based on lock codes. This Job will not consider any lock codes and will consider all lock users.

Regards,

Madhu.

Former Member
0 Kudos

Hi Colleen,

Thanks for the details and I have tried it in the system and below is my observation.

Role Usage Synchronization Job - Synching all the users irrespective of lock codes

UAR Request Generation Job - Generating request for all the users irrespective of lock codes

In GRC 5.3 we had an option to exclude locked users from Role Usage Synchronization Job based on lock codes. But in GRC 10.0 couldn't find any parameter to control this.

Locked users as part of user termination should not be fetched as part of UAR Request Generation Job as they will be no longer existing in the company.

I will raise this to SAP and keep you guys updated if they provide any solution for the same.

Regards,

Madan.

Answers (0)