GRC AC 10.0 Auto provisioning failure

former_member297605
Active Participant
0 Kudos

Hi experts

Please could you assist me with this issue. The customer is testing provisioning composite roles through GRC AC 10.0 and is getting the below error. The design is that PRIVs are added in IdM 7.2 to identities and provisioning occurs from GRC AC 10.0.

All GRC AC access requests are set to be auto approved.

Please could you let me know what "Illegal destination type 'H'" in the below screenshot means and how it can be fixed to allow auto provisioning of composite roles from GRC AC. What config changes are required (if any) for this?

Please advise.

Thanks

Ranjit

Accepted Solutions (0)

Answers (2)

former_member297605
Active Participant
0 Kudos

Hi All .... Please could someone assist with this issue.

Thanks

Ranjit

madhusap
Active Contributor
0 Kudos

Hi Ranjit,

What is your target system?

Is it IDM system or different system?

Check your RFC Connection and Connection Type to see if it is working properly, as this error is related to a connection issue.

Regards,

Madhu.

former_member297605
Active Participant
0 Kudos

Hi Madhu

The target is an ABAP system. Provisioning single roles works perfectly to the same system. Are there any config settings required for provisioning composite roles?

Thanks

Ranjit

madhusap
Active Contributor
0 Kudos

Hi Ranjit,

Can you please share your RFC connector screenshot?

ABAP system connection type should be 3

Regards,

Madhu.

former_member297605
Active Participant
0 Kudos

Hi All, sorry for my late response. Have been testing this further. On further testing I found that when the composite role name starts with Z it works perfectly and provisions the composite role to the user in the backend SAP system. However, if the composite role name starts with Y the role still provisions to the backend SAP system (because auto approval is on for all roles) but the GRC access request audit log status has "Decision Pending". IdM has status pending for the assignment.

I looked at the SLG1 log in GRC and this is what I found

Does this mean that when Y* roles are used another RFC connection type is being used?

What can I check and change to make sure that Y* roles also provision the same as Z* roles?

Please advise.

Thanks

Ranjit

former_member193066
Active Contributor
0 Kudos

The reason for getting the error is:

The RFC connection you are using is an HTTP connection to ABAP systems.

Use connection type 3 (connection to ABAP system), as stated by Madhu babu earlier.

Regards,

Prasant

former_member297605
Active Participant
0 Kudos

Hi Prasant

I understand what you are saying but what confuses me is that when a composite role which starts with Z is assigned to a user it works perfectly but if it is a role that starts with Y or C I get the RFC error I have provided. I thought it would be using the same RFC connection for both Z roles and Y roles. How does the system differentiate this? Where can I check to understand why the system uses a different RFC connection for Y roles? This will possibly help me fix the issue.

Sorry, I am new to GRC 10.0 so I may be asking some basic questions. Please bear with me.

Thanks

Ranjit

Former Member
0 Kudos

Hi Ranjit,

Why don't you just do a small and simple check? Check the Y roles in PFCG if they are generated properly.

Also, if I am not wrong, you are using GRC only for provisioning purposes and you do not have BRM implemented in GRC, correct?

Regards,

Fazil

former_member297605
Active Participant
0 Kudos

Hi Fazil, the Y role is a composite role. Yes, GRC is only used for provisioning.

former_member193066
Active Contributor
0 Kudos

Hello, I am not sure of your config; I would like a few screenshots.

1) SM59.

2) Role details: whether provisioning is allowed or not for the roles which are not getting provisioned.

3) Audit log.

4) Provision settings.

Regards,

Prasant

former_member297605
Active Participant
0 Kudos

Hi Prasant

Here it is. Please let me know if you need anything else.

1. Audit log of the Access request in GRC

2. From SLG1

3. Role provisioning setting. For testing purposes the role was created in Test system and imported into GRC.

4. SM59 connection to test system from GRC is

I also wanted to know if the following should be enabled for composite roles in config in GRC

There seems to be no naming convention for composite roles here.

Please advise. I'm new to GRC so all the questions.

Thanks

Ranjit

Former Member
0 Kudos

Hi Ranjit,

As I can see, the Role Exists is NO in BRM (point no. 3 in your reply). Could you please try to upload the role again and check if it changes to Yes and try again?

Regards,

Fazil

former_member193066
Active Contributor
0 Kudos

Hello,

If I assume correctly, you are trying to provision to the QE system.

Could you please attach an ST01 trace for the RFC user in the target system?

Connection type H is used for your IDM, but as you said GRC will be used for provisioning.

Regards,

Prasant

former_member297605
Active Participant
0 Kudos

Hi Fazil

I'm provisioning only to QE1 where role exists.

Thanks

Ran

former_member297605
Active Participant
0 Kudos

Hi Prasant

Yes, trying to provision to QE system. I checked the trace for the RFC users and there were no failures. Also the RFC user has SAP_ALL.

The funny thing is that although I get errors as noted in points 1 and 2 in my previous response above, GRC does provision the composite role to the backend SAP system (QE). But in IdM the assignment shows as pending.

I don't have this issue when provisioning roles starting with a "Z".

Thanks

Ranjit

former_member297605
Active Participant
0 Kudos

Hi All

Still struggling with this issue. Please could someone give me some tips.

Thanks

Ranjit