
How to provision existing groups in Active Directory through GRC 10.1?

Trinetra_Bhusha
Active Participant
0 Kudos

As per the requirement, I have to provision the existing AD groups to users in AD through GRC 10.1. The connection between AD (Microsoft) and GRC is already established through the LDAP connector.

Appreciate your quick response on the same.

Thanks,

Trinetra

Accepted Solutions (1)


Trinetra_Bhusha
Active Participant
0 Kudos

Hi Madhu,

Thanks for the info.

While trying to import the role, I am not getting the option as suggested by you.

I have attached a screen print; please suggest how to approach.

Thanks,

Trinetra

madhusap
Active Contributor
0 Kudos

Hi Trinetra,

Please prepare the role attribute template file with the options I suggested earlier and then import the AD group into GRC as shown below. Please find the attached file.

Regards,

Madhu.

Trinetra_Bhusha
Active Participant
0 Kudos

Hi Madhu,

Thanks.

I am able to upload the group into GRC using the methodology suggested by you.

But when I am trying to search for the group for provisioning, I am not able to get the role in the search criteria.

I have run the Repos Sync job with AD and it was successful.

former_member204479
Active Participant
0 Kudos

Hi Trinetra,

The role status is in the "Define Role" phase. When you import the role, ensure the "Methodology Status" at the end is set to "Complete"; see Madhu's screenshot for reference. Also verify that the role is set to status "Production" and is allowed for provisioning.

Thanks

Sammukh

madhusap
Active Contributor
0 Kudos

Hi Trinetra,

Please first follow the additional steps as mentioned by Sammukh.

Even our AD group was showing as "Not Exists" after running the LDAP sync successfully. So, we manually synced the LDAP group using program GRAC_OBJ_MANUAL_SYNC as shown below, and then it started working properly. You can try this approach.

Regards,

Madhu.

Trinetra_Bhusha
Active Participant
0 Kudos

Hey Madhu,

Thanks a lot for the suggestion. Finally it worked by running the manual job. Appreciate your help on this.

Answers (2)


Former Member
0 Kudos

Hello!

I am not able to assign an LDAP group to a user through GRC. Getting the below SLG1 log:

Started provisioning for request number 429

End request status for request no 429 is X

Message from plugin for system LDAP_***100: Other Error

Error in changing user  in system

Message from plugin for system LDAP_***100: Could not assign Role: g.ZSA_***_XX_*** to us

Error in assgning gRole: g.ZSA_***_XX_*** to user Role: g.ZSA_***_XX_*** in system

Callback service, req system:

I have followed steps mentioned above.

Can anyone please help here?

Thank you!
Akshat

Trinetra_Bhusha
Active Participant
0 Kudos

Hi Akshat,

Please complete the above-mentioned steps carefully.

If the group assignment is still not working, then check the below:

1. LDAP Connector is assigned to PROV scenario.

2. The file path/use group o ldap is defined in the LDAP connector attribute where you are trying to do the group assignment.

Thanks,

Trinetra

Former Member
0 Kudos

Hello Trinetra,

Sorry for the late reply -

Yes, LDAP is set for PROV.

Can you please explain the point 2?

What is happening right now is, I am using port 389 in the LDAP server and as soon as I do this, my GRC is not able to read any data from LDAP, but it works perfectly (able to read) when we put port 3268; the drawback is that 3268 cannot be used to provision.

I am able to provision the AD group from Tcode - LDAP, but as soon as I create an Access Request it fails.

Request to please guide.

Just want to confirm, is provisioning from GRC 10.1 working for you?

Thanks a lot!

Akshat

Trinetra_Bhusha
Active Participant
0 Kudos

Hi Akshat,

For the port info, you need to work with your LDAP/Basis team.

If you make sure the LDAP connector attributes are defined and the sync job is completed, this will work.

My second point is that the LDAP user created for LDAP RFC must exist in right folder in the AD.

Thanks,

Trinetra

Former Member
0 Kudos

Can you please specify the port you are using for your provisioning?

Our goal is not to create users in AD, but just to assign "AD groups" to users.

Also, when you say "LDAP user created for LDAP RFC must exist in right folder in the AD.", what does that actually refer to?

Thank you!
Akshat

Trinetra_Bhusha
Active Participant
0 Kudos

I am using port 389 only. What I am trying to say is that the RFC user which you have maintained in AD for LDAP connectivity must have all the required access and be set as password never expires.

Attach a screen print of your LDAP Configuration and RFC user details in AD so I can look.

Former Member
0 Kudos

Hello Trinetra,

I assume my RFC ID for LDAP is maintained correctly, as when I use Tcode - LDAP,

For the screenshots, can you please provide me your email ID? I can send the doc there. Sorry, unable to load the file. Attaching a few.

Let me know if you see anything unusual.

Trinetra_Bhusha
Active Participant
0 Kudos

Hi,

I can see you are using two LDAP connectors and then adding them in a group.

To narrow down the issues, please do the following:

1. Use only one connector (User should have Admin access in AD - Read/Write).

2. Define Attribute for this connector.

3. Define Prov/Auth scenario for the same.

4. Upload the AD group in GRC using Import.

5. Run the manual Sync job to make sure the Group is visible for provisioning.

6. Assign using GRC.

Send all docs to trinetra.bhushan@gmail.com

Thanks,

Trinetra

madhusap
Active Contributor
0 Kudos

Hi Trinetra,

You can upload your AD group into the GRC system with the below options:

Role Name: AD Group Name

Role Type: GRP

System: LDAP connector

Business Process, Sub Process, Approvers, etc. same as how you maintain for all other roles.

Once you have imported this AD group into GRC, run Repository Object Sync for your LDAP connector. Once it has completed, your AD group is selectable in Access Request and will be provisioned to users.

Regards,

Madhu.