
SAP GRC 10.1 - Firefighter Provisioning (EAM)

0 Kudos

Hi,

I'm on GRC AC 10.1 SP7 and we are implementing a centralized firefighter process.

In this case we are using Approval Required for the provisioning strategy (kindly check EAM - Provisioning Strategies).

In this case we already had a firefighter request (with request type Emergency Access) and a workflow approval working like in EAM: Requesting emergency access via access request workflow in SAP GRC - step by step.

The problem occurs after the end of the firefighter request approval. At this moment no provisioning is generated.

In this case I expect that an association between the firefighter ID and the Firefighter appears in the link option "Firefighters" (NWBC).

What step or configuration is still missing?

Thanks in advance.

Regards

Accepted Solutions (0)

Answers (1)


alessandr0
Active Contributor

Dear Pedro,

can you please share the audit log of the access request?

Thanks and regards,

Alessandro

0 Kudos

Hi Alessandro,

This is the audit log for the access request:

Thanks in advance.

Regards

plaban_sahoo6
Contributor
0 Kudos

Hi,

Could you check if the FF ID is assigned to the user after the request got closed? Also check in Access Management>..>Provisioning logs for any entry for this request.

You have to first set up in the order Owners, Firefighter IDs, Firefighters, Controllers and Reason codes.

Regards

Plaban

alessandr0
Active Contributor
0 Kudos

Dear Pedro,

the audit log says that provisioning did not take place and hence the Firefighter has not been assigned. Provisioning log, as mentioned by Plaban, is empty (as stated in the audit log).

I suggest checking the SLG1 application log for user WF-BATCH with the time of provisioning. Check if there is an error message or share it with us.

I also recommend activating escape handling for "Auto Provisioning Failure" in case an error occurs.

Hope this helps.

Regards,

Alessandro

0 Kudos

Thanks for the reply,

I checked SLG1 and can see the following message: "Auto-provisioning is switched off in system XXXX; skipping operations".

Is any configuration necessary in SPRO > Access Control > User Provisioning > Maintain Provisioning Settings? In my understanding this is only required for users and roles.

Is any configuration necessary in the backend system?

Thanks

alessandr0
Active Contributor
0 Kudos

Dear Pedro,

sure - this needs to be set. You are on the correct path:

Auto provisioning can either be set globally (for all systems) or for each system independently.

Please keep us posted.

Regards,

Alessandro

0 Kudos

Thanks Alessandro,

I will try that. But I have one doubt about this: can I limit the provisioning only for the emergency access request?

Because I have user and role requests, but I don't want to provision these actions in the back-end system.

Thanks

Best Regards

alessandr0
Active Contributor
0 Kudos

Dear Pedro,

that's another requirement then. For role provisioning you can set the provisioning flag for particular systems to NO, so that roles are not selectable. Another idea that comes to my mind, though I have never tested whether it works: you can try to remove integration scenario PROV from a particular connector and only go with SUPMG for Firefighters. As mentioned, never tested.

Regards,

Alessandro

0 Kudos

Hi Alessandro,

I'm facing a similar issue for my client, but in our scenario we have maintained the provisioning settings as recommended, i.e. 'Auto Provisioning at the End of the request'.

But even so, the provisioning of the request is failing with the message 'Auto-provisioning is switched off in system PC1CLNT500; skipping operations', and this is happening only when new roles are added to the request at any stage during the processing and the '


Does anyone face a similar issue? Is there any specific setting that needs to be done when we have the capability to add new roles to a request that is in processing?


Thanks

Narsimha R Katipally