on 10-24-2014 12:27 PM
Hello SAP Experts,
I remember in GRC 5.3, Role usage synchronization job can be run by excluding the Locked users with different lock codes.
In GRC 10.0, do we have the same option available? I couldn't find this option. Also I wanted to know that during UAR request generation job, we will have an option to exclude Locked users. What lock code is considered with that option? Is it Admin lock or Lock due to incorrect logons?
Please help if anyone aware of this.
Thanks in advance
~ Madan
Dear Madan,
you can use the filter criterias to filter locked and expired users.
Based on your SP level check also the following note: http://service.sap.com/sap/support/notes/1970118
Let us know if you need furhter details.
Best regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Alessandro,
Thanks for the details.
I know that I can select these options for excluding the locked and expired users from UAR request generation job.
But my query is more on which lock codes are considered while executing Role Usage synchronization Job as well as during execution of UAR request generation job. Is it Admin lock or Lock due to incorrect logons?
~Madan
Hi Madan
Isn't this something you could quickly test yourself and report back to the community? I would assume that it is System Admin Lock. However, why not set up four users -
Ensure they all have the same roles to cause the same risk. Run your report and see what results come up.
Questions like these are great but it's also an opportunity for you to verify yourself instead of being told.
Also, I think there are some configuration parameters (probably more batch risk analysis) that allows you to exclude certain user scenarios.
Regards
Colleen
Hi Madan,
Adding to Colleen and Ameet.
As far as I know, there are no parameters to exclude locked users based on specific lock codes for both Role Usage Synch job and UAR request generation job.
Role Usage Synch Job - Will pull all the users locked and stores in GRACROLEUSAGE table.
UAR Request generation Job - Reads data from GRACROLEUSAGE table along with various other tables, since role usage job doesn't restrict pulling of users based on lock codes. This Job will not consider any lock codes and will consider all lock users.
Regards,
Madhu.
Hi Colleen,
Thanks for the details and I have tried it in the system and below is my observation.
Role Usage Synchronization Job - Synching all the users irrespective of lock codes
UAR Request Generation Job - Generating request for all the users irrespective of lock codes
In GRC 5.3 we had an option to exclude locked users from Role Usage Synchronization Job based on lock codes. But in GRC 10.0 couldn't find any parameter to control this.
Locked users as part of user termination should not be fetched as part of UAR Request Generation Job as they will be no longer existing in the company.
I will raise this to SAP and keep you guys updated if they provide any solution for the same.
Regards,
Madan.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.