cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authorization issue

Go to solution
former_member182655
Contributor

on ‎11-12-2015 1:46 PM

0 Kudos

Hello experts!

No hope to find the reason by my own, so I would like to ask you to help me a bit.

I'm configuring user screens in nwbc and I'm trying to make visible "Approver Delegation" link in "My delegation" section.

Like here

I see that Menu Item ID 0GRACCUPDELEGATN contains two authorization objects:

0GRACCUPDELEGATN    1    GRAC_REP    ACTVT    16

0GRACCUPDELEGATN    2    GRAC_REP    GRAC_REPID    GRAC_CUP_DELGATN_RPT

I provide a user with such permissions, role contains

But user is not able to see mentioned link.

Only if I assign SAP_ALL to a user the link is showed.

Trace didn't show any related to the link objects.

I've tried to find notes and discussions but nothing useful was not found.

Could anyone give me a clue where the problem can be?

Regards,

Artem

System level:

SAP_BASIS    702    0017    SAPKB70217    SAP Basis Component

SAP_ABA    702    0017    SAPKA70217    Cross-Application Component

PI_BASIS    702    0017    SAPK-70217INPIBASIS    Basis Plug-In

ST-PI    2008_1_700    0012    SAPKITLRDL    SAP Solution Tools Plug-In

SAP_BW    702    0017    SAPKW70217    SAP Business Warehouse

GRCFND_A    V1000    0020    SAPK-V1020INGRCFNDA    GRC Foundation ABAP

ST-A/PI    01Q_700    0002    SAPKITAB7L    Servicetools for other App./Netweaver 04

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
‎11-12-2015 2:14 PM
0 Kudos

you need to have GRAC_REQ with activitiy 03. Then try again.

Regards,

Alessandro

Show replies
Show replies
former_member182655
Contributor
‎11-12-2015 2:50 PM
0 Kudos

Hi Alesssandro,

And these permissions are assigned to user's role

Regards,

Artem

former_member182655
Contributor
‎11-12-2015 2:59 PM
0 Kudos

Alessandro,

seems you are close to the solution.

I've given 02 for GRAC_REQ and the link appears. But I don't understand why... This menu item is not bent on this object.

Any ideas?

Is it a bug or "works as designed"?

Regards,

Artem

Former Member
‎11-12-2015 3:17 PM
0 Kudos

Artem,

I cannot speak to your particular issue, but I can tell you that security in GRC Access Control is quite "quirky"  and has a lot of room for improvement. When we applied SP19 we had to give our request submitters and role approvers ACTVT=78 (Assign) for GRAC_SYS just so that they could continue to do Search Requests. When I asked SAP about it, they said that they thought that only GRC admins would be doing searches. Wrong! So the authorization requirements are not always logical to us out in the real world.

Good luck,

Gretchen

former_member182655
Contributor
‎11-13-2015 7:57 AM
0 Kudos

Hi Gretchen,

Thank you for your sharing.

I think situations like yours and mine are not normal, so I would like to know whether you requested an improvement using customer message or idea place.

If you did use one of the option I could walk through the same procedure to put my two cents in.

Let's make GRC better together!

Regards,

Artem

alessandr0
Active Contributor
‎11-13-2015 8:47 AM
0 Kudos

Artem,

if you go to SM34 and check view cluster GRFNVC_ITEMAUTH you will see why this authorization objects are required 🙂 I was wrong with activity 03, it's 02 as you said sorry about that...

Regards,

Alessandro

former_member182655
Contributor
‎11-13-2015 10:58 AM
0 Kudos

Hi Alessandro,

Sorry, but I don't see that the menu item contains activity 02 for GRAC_REQ object.

Maybe you previously defined this object?

Or your SP is higher/lower and this is the problem?

I check in the system that I haven't changed yet.

Regards,

Artem

former_member197694
Active Contributor
‎11-13-2015 11:08 AM
0 Kudos

Hello Artem,

This object GRAC_REQ is comes under menu item id:0GRACCUPAPPROVDELE

Regards

Baithi

former_member182655
Contributor
‎11-13-2015 11:47 AM
0 Kudos

Hi Baithi,

Thank you for the solution! Seems that I chose a wrong menu item

Regards,

Artem

plaban_sahoo6
Contributor
‎11-14-2015 2:53 AM
0 Kudos

Hi,

Please provide correct inf., so as to save everyone's time. Many people are giving effort, only to know that, inf. given was wrong

Regards

Plaban

Former Member
‎11-16-2015 1:52 PM
0 Kudos

Artem,

I already *do* work together with other customers to improve Access Control, via participating in the three Customer Connection projects on Access Control 10.x since 2012, which I have mentioned here on SCN from time to time and I presented on at TechEd just last month. The 2015 project is, unfortunately well past the improvement idea collection phase; my own security complaint was discovered after that phase closed, so it will probably wait for the next such project or ASUG Influence Council, whichever comes first. There is often so much noise in Idea Place that it can be difficult for improvement ideas to get enough traction; the improvement ideas suggested in Customer Connection projects and user group influence councils  have a better chance of being developed and delivered.

Regards,

Gretchen

Answers (1)

Answers (1)

former_member197694
Active Contributor
‎11-12-2015 2:14 PM
0 Kudos

Hello Artem,

Please check this access for user

Regards

Baithi

Show replies
Show replies
former_member182655
Contributor
‎11-12-2015 2:48 PM
0 Kudos

Hi Baithi,

Thanks for reply, but I have these permissions.

Regards,

Artem

Ask a Question