on 03-07-2015 1:16 AM
Hi experts
Please could you assist me with this issue. The customer is testing provisioning composite roles through GRC AC 10.0 and is getting the below error. The design is that PRIVs are added in IdM 7.2 to identities and provisioning occurs from GRC AC 10.0.
All GRC AC access requests are set to be auto approved.
Please could you let me know what "Illegal destination type 'H'" in the below screenshot means and how it can be fixed to allow auto provisioning of composite roles from GRC AC. What config changes are required (if any) for this?
Please advise.
Thanks
Ranjit
Hi All .... Please could someone assist with this issue.
Thanks
Ranjit
Hi Ranjit,
What is your target system?
Is it IDM system or different system?
Check your RFC Connection and Connection Type ... if it is working properly, as this error is related to a connection issue.
Regards,
Madhu.
Hi All, sorry for my late response. Have been testing this further. On further testing I found that when the composite role name starts with Z it works perfectly and provisions the composite role to the user in the backend SAP system. However, if the composite role name starts with Y, the role still provisions to the backend SAP system (because auto approval is on for all roles) but the GRC access request audit log status has "Decision Pending". IdM has status pending for the assignment.
I looked at the SLG1 log in GRC and this is what I found
Does this mean that when Y* roles are used another RFC connection type is being used?
What can I check and change to make sure that Y* roles also provision the same as Z* roles?
Please advise.
Thanks
Ranjit
Hi Prasant
I understand what you are saying but what confuses me is that when a composite role which starts with Z is assigned to a user it works perfectly but if it is a role that starts with Y or C I get the RFC error I have provided. I thought it would be using the same RFC connection for both Z roles and Y roles. How does the system differentiate this? Where can I check to understand why the system uses a different RFC connection for Y roles? This will possibly help me fix the issue.
Sorry, I am new to GRC 10.0 so I may be asking some basic questions. Please bear with me.
Thanks
Ranjit
Hi Prasant
Here it is. Please let me know if you need anything else.
1. Audit log of the Access request in GRC
2. From SLG1
3. Role provisioning setting. For testing purposes the role was created in Test system and imported into GRC.
4. SM59 connection to test system from GRC is
I also wanted to know if the following should be enabled for composite roles in config in GRC
There seems to be no naming convention for composite roles here.
Please advise. I'm new to GRC, hence all the questions.
Thanks
Ranjit
Hi Prasant
Yes, trying to provision to the QE system. I checked the trace for the RFC users and there were no failures. Also, the RFC user has SAP_ALL.
The funny thing is that although I get errors as noted in points 1 and 2 in my previous response above, GRC does provision the composite role to the backend SAP system (QE). But in IdM the assignment shows as pending.
I don't have this issue when provisioning roles starting with a "Z".
Thanks
Ranjit