GRAC_INITIATOR_SOD_VIOLATIONS Function Module?

Former Member
0 Kudos

Hi -

We are on GRC AC 10.1 SP08

I am trying to find out if anyone is very familiar with the Function Module: GRAC_INITIATOR_SOD_VIOLATIONS per SAP NOTE: 1783157 - Routing at Request Submission in case of SOD Violations?

We are in need of establishing an initiator that runs an SOD Check on a request passed from SAP IdM to GRC, but we want to route the request based on whether or not an SOD is triggered from the roles passed in the request.

I found the aforementioned SAP Note but I am unable to locate the Function Module initiator under the "Defined Workflow-Related MSMP Rules" in SPRO --> GRC --> AC --> Workflow for Access Control. The SAP Note reads as if it is a standard Function Module, but it does not show up as an initiator under the MSMP Process ID: SAP_GRAC_ACCESS_REQUEST.

In a previous GRC 5.3 version we were able to leverage the 'No Stage' approver on our initial CUP workflow stage, but now it does not look like that functionality is available in GRC 10. I'm hoping that this initiator will allow us to perform a similar process by running this check at the time that it hits the GRC system so that we can route it accordingly via a decision table.

If anyone has any experience or ideas in this regard, it would be very much appreciated.

Thanks,

Darnell

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

(Sorry if I am late in replying!)

GRAC_INITIATOR_SOD_VIOLATIONS is a standard ABAP-based initiator rule but this does not exist in MSMP (GRC front-end). So, we added it manually - Under list of Rules - Add button.

Once the rule is added to the list, modify the rule and go to Rule Results and add:

1. SOD_VIOLATIONS

2. NO_SOD_VIOLATIONS (ignore the z* rule result in the screenshot)

Then we can use this rule in our workflow like any other rule in MSMP.

-------------------------------------------------------------

Details of this Function Module (FM) can be checked in ABAP grc system from table GRFNMWCNRULEID:

and rule results can be checked in function module source code in SE37

Do tell where you are stuck.

Former Member
0 Kudos

Thanks for the feedback Smriti,

I will try to add this to see if we get the same result. I was hoping to copy this function module and modify it to add additional criteria to the initial check such as a 'Company' attribute for example. We are receiving our requests via IdM integration and the manager and role approver stages are performed in IdM, so ideally we'd like to check whether the request, when it gets to GRC, has an SoD violation 'AND' which company the business role attribute is associated with in order to pass it to the appropriate stage for SoD approval.

Based on your feedback, it seems like once we add this rule manually in MSMP, it will show up in the GRFNMWCNRULEID table and be associated with the SAP_GRAC_AR process type?

Thanks,

Darnell

Former Member
0 Kudos

Hi Smriti,

Although I could add it, as you have explained, I could not find the Rule id in BRF+. I searched by its name, but no results show up.

Could you say if you find it?

Regards

p

Former Member
0 Kudos

Hi Darnell/Smriti,

Please let me know how it goes if you create one successfully.

A question regarding the case to re-activate a user ID in your approach to check SoD violation:

Is this initiator rule able to recognize risk violation when user ID is the only input parameter without any role information? Given that in a request to reactivate IDs, roles are already assigned in the profile.

Another question is that GRAC_INITIATOR_SOD_VIOLATIONS is stage level mode, which means you are not able to process requests on line item level, I'm very interested in the way how you manage user request in this circumstance such as only one role has SoD violation, are you going to reject the entire request? Please kindly advise.

Thanks,

Yui

Former Member
0 Kudos

Hi Yui,

We are still testing. I was able to add the initiator per Smriti's instructions in the MSMP workflow, however we are integrating GRC with IdM so requests are being passed to GRC for an SoD check specifically. I do not know if the use case we are setting up would be beneficial to your question of whether or not the line item level would be processed for this initiator, but if we are able to test that I will let you know.

Your best solution may be to create the BRF+ custom initiator via DOC-45753 which should allow you to configure down at the line item level I believe. To run the simulations and testing that you are requesting, you'll need an access request number that has been submitted with the testing scenarios that you've mentioned (i.e. user request with no roles or role with inherent SoD violation). The simulation of your initiator should allow the rule result to show the routing per your decision table.

Hopefully this helps,

Darnell

Former Member
0 Kudos

Darnell,

Thanks, it seems BRF+ rule is a better choice to us and we are using that initiator to check violations.

Former Member
0 Kudos

Hi All,

How do you then handle Firefighter and Role Assignment type of requests? I mean how to separate request type Firefighter and request type Role Assignment. GRAC_INITIATOR_SOD_VIOLATIONS return values are for role assignments. How to make sure that both request types will go to their own MSMP path?

Br Timo

Answers (2)

Former Member
0 Kudos

That is correct, table GRFNMWCNRULEID only contains entries maintained in MSMP i.e. GRC frontend.

Once you add it to your MSMP in front-end, back-end table will get updated with new initiator rule. However, the function module GRAC_INITIATOR_SOD_VIOLATIONS needs to be there in GRC ABAP system - you can check it in SE37.


For the requirement of modifying this function module to add another condition, refer to the blog:

It is a little complex BRF+ rule to achieve same requirement as yours. We have not tried it yet but planning to implement this.

Former Member
0 Kudos

Not sure if you have read this article:

It's a more flexible way to process access request based on violation check, I've created one in GRC AC 10.1 SP08 and it works.

Hope that helps.

Former Member
0 Kudos

Hi Yui,

Thanks for the feedback. I have seen that article and it seems a bit convoluted in the steps it would take to achieve the expected result. This issue seems to be fairly common based on functional need in a process design that requires an up front SoD Check on a submitted access request.

I am not opposed to implementing the solution in the article, I am just curious as to whether or not SAP has provided a standard Function Module to achieve this as suggested in the SAP Note that I referenced. This would be preferable over creating my own.

Also many of the comments in the article you've suggested indicate that many of the people who have tried to implement the solution have run into issues trying to follow the recommended steps.

I am just wondering if this is the only solution and if the 'GRAC_INITIATOR_SOD_VIOLATIONS' function module exists in the current version or if it was removed by SAP for some reason?


Former Member
0 Kudos

Hi Darnell,

The solution suggested in the link works perfectly, but it calls a different function module.

The function module 'GRAC_INITIATOR_SOD_VIOLATIONS' exists, but the note mentions it as an initiator rule. But after activation of the MSMP BC set, it does not appear in the list of default Rule ids. So, could you try adding it in GRRFNMW_CONFIGURE_WD/GRFNMW_CONFIGURE, and then assign it to Process type: SAP_GRAC_ACCESS_REQUEST?

Regards

Plaban

Former Member
0 Kudos

Hi Plaban -

Thank you for the feedback. For clarification, are you saying that the GRAC_INITIATOR_SOD_VIOLATIONS initiator rule gets deleted or removed after the MSMP BC set gets activated?

It would be preferred to use any of the standard SAP delivered rules if it is possible vs. creating custom rules through BRF+. We are not opposed to doing that if it is the only option, but it seemed like from the SAP note that this SoD initiator rule would be a viable option.

For your second option, can you give more details on what you are suggesting through the GRFNMW_CONFIGURE transaction for the assignment to process type? I'm not very familiar with this transaction so any details you can provide would be greatly appreciated.

Darnell

Former Member
0 Kudos

Hi Darnell,

We have implemented initiator rule - GRAC_INITIATOR_SOD_VIOLATIONS and it is working fine in GRC 10.1 SP08.

The initiator rule needs to be manually added in Maintain Rules. It has two rule results in its ABAP logic: NO_SOD_VIOLATIONS and SOD_VIOLATIONS.

So, these need to be maintained as it is under Rule Results. Then you can use these two rule results under Maintain Route Mapping to map to correct paths e.g. SOD_VIOLATIONS can be mapped to the path where request goes to SOD approver and NO_SOD_VIOLATIONS is mapped to path for role owner's approval or auto-provisioning.

Try this and do tell if this works.

Former Member
0 Kudos

Thank you Smriti -

This is exactly what we are trying to do. Can you provide more details on how this is manually added to the Rules? We are also on 10.1 SP08 currently so I assume the steps will be the same.

I also found that the rule does not show up in our rule results for process type SAP_GRAC_AR as an initiator which is what I assume needed to be mapped.

Any detailed feedback you could provide would be greatly appreciated.

Darnell

Former Member
0 Kudos

Hi Smriti,

Could you please share the object id of this GRAC_INITIATOR_SOD_VIOLATIONS. I tried hard searching through Name, text, Application Name, but could not find it.


We are in GRC 10.1 SP5


Regards

Plaban

Former Member
0 Kudos

Hi Smriti,

Could you help provide the object id of GRAC_INITIATOR_SOD_VIOLATIONS?

Hi Darnell,

Could you say if you found this object id?

Regards

Plaban

Former Member
0 Kudos

Hi Plaban -

I have still been unable to locate the object ID and have opened a message with SAP. Here is their response:

"I checked the issue and I found that the function module exists in your system, however, it is not mapped or generated. I was able to access your system and create the initiator (as the function module exists) but I was not able to add Rule Results.

I found that this mapping is stored in table GRFNMWCNRULEID. In your system you do not have an entry for this function module.

I actually forced it when inserting the in MSMP. I found that no validation takes place until you generate a version. So it does not change any data in the system.

I will need to send the incident to development to check why the initiator was not delivered."

I will provide an update on this once it is resolved. In the meantime, I will try to implement the custom solution per http://scn.sap.com/docs/DOC-45753

Thanks,

Darnell

Former Member
0 Kudos

Hi Plaban,

I am still awaiting feedback from SAP regarding our SoD Initiator and why it is not showing up in our GRFNMWCNRULEID table for us to be able to leverage it in our design.


In the meantime, I have implemented the custom BRF+ solution per DOC-45753 as everyone has mentioned. You mentioned that you'd also implemented this solution in your system and it works perfectly.


I believe that I have defined all of the decision tables, Procedure Calls and Table Operations appropriately, but I am not sure how to Simulate this Function Module now that it has been built. I am able to successfully retrieve the results of inputs that do not cause an SoD violation, but how would I go about running a simulation in BRF+ that triggers an SoD violation?


There does not seem to be a field that would allow me to include a risk ID or value or status flag that would show that the incoming request has an SoD violation.

Any feedback you could provide would be appreciated!

Darnell