cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

UAR Provisioning action gets duplicated

Go to solution
Former Member

on ‎04-18-2016 11:36 AM

0 Kudos

Hi GRC-experts,

I am currently facing an strange behavior, when performing access requests:

we are on GRC10.1 SP12 (incl. plugin).

I executed a user creation request for our Dev-box (Testuser-ID Z_DUP) , where the workflow gets auto-approved as no stages are maintained.

I can verify the user creation  in the dev-box via SU01, so everything seems ok.

However when checking the provisioning logs it looks like the provisioning action "Create user" was performed two times ??

When I take a look at SLG1 I can see the same as the user was created and afterwards the user should be created a second time and goes into error.

I checked the request via Runtime monitor in the application, activated the debug log, but was not able to find the root cause

Also the SAP Standard T-codes for workflows (SW**) didn't show me any hint for this behavior. Everything related to the workflow itself seems to work properly, is just that the provisioning engine performs the request 2 times;

Has anyone encountered the same or can someone give me some hints, what to check additionally to resolve this issue.

regards

Johannes

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎07-29-2016 11:26 AM
0 Kudos

Thanks Johannes.

SAP has suggested to implement this note 2230213 - UAM: Incorrect message displaying in audit log while creating a request for new user and existing user for request type New and Delete account. And its working fine.

Show replies
Show replies
Former Member
‎08-03-2016 10:26 AM
0 Kudos

Hi Jill - Ann,

that's good news. I also noticed that this note is included in GRC10.1 SP13;

Regarding the wording of the OSS I see a little blur as the duplicates were also created with "CHANGE ACCOUNT" requests as far as I remember, but this is rather insignificant;


regards

Johannes


Answers (4)

Answers (4)

Former Member
‎07-26-2016 4:02 PM
0 Kudos

Hello Johannes,

Checking on the Provisioning class, the piece of code you added do already exist in the program. Our version is GRC 10.1 SP12.

Are there any available methods where we could eliminate the duplicate entries in the provisioning logs.

Regards,

Jill

Show replies
Show replies
Former Member
‎07-27-2016 10:35 AM
0 Kudos

Hi Jill - Ann ,

perhaps a misunderstanding : this piece of code was implemented originally with the SAP OSS Note 2140254;

however in your GRC environment and also at the customer project I was working, it created these duplicates.

So what I did was simply modifying these SAP standard coding , so that the "APPEND" statement, which causes the duplicate entries will no longer be processed .

SAP modifications require an S -user and the object key for this method, which can be retrieved from SAP OSS .

An ABAP developer in your team can then change the coding on your dev-box and you can verify if it also works for your SAP GRC environment. But keep in mind that this can only be a temporary workaround as it changes SAP Standard coding

I currently do not have access to a GRC 10.1 System , and it seems that there is no OSS Note published so far dealing with this problem.

So I would additionally suggest that you create an OSS message explaining this behavior to SAP so they can examine this bug and publish an official note which fixes this issue.

regards

Johannes

Former Member
‎07-26-2016 10:19 AM
0 Kudos

Hello Johannes,

Thanks for your help again.

Kindly also confirm if you are adding the system line item in the access request submission.

Regards,

Jill

Show replies
Show replies
Former Member
‎07-26-2016 10:33 AM
0 Kudos

Hi Jill-Ann,

this was occuring with system line  and/ or role line item and also with both together in one request..

regards

Johannes


Former Member
‎05-04-2016 12:37 PM
0 Kudos

This message was moderated.

Show replies
Show replies
Former Member
‎04-18-2016 3:18 PM
0 Kudos

did you check the "maintain provisioning setting" for the system.

Thanks

Shaik

Show replies
Show replies
Former Member
‎04-28-2016 10:18 AM
0 Kudos

Hi Shaik,

after further analysis I was able to re-solve this issue.

we found a SAP bug in the coding of the provisioning engine, which was implemented with SAP Note 2140254.

The request line-item will get duplicated with the following statement in classCL_GRAC_PROVISIONING_ENGINE in method PROVISION

....

*****************************************************************************************************************

**For CUA -COMPOSITE ROLE the itemtype is CUA

*****************************************************************************************************************

data:lt_reqline_item_temp TYPE GRAC_T_API_REQLINEITEM,

     ls_reqline_item_temp TYPE GRAC_S_API_REQLINEITEM.

lt_reqline_item_temp[] = ls_access_request-reqlineitm[].

LOOP AT lt_reqline_item_temp into ls_reqline_item_temp.

     IF ls_reqline_item_temp-prov_item_type = grac0_role_type-CUA.

        ls_reqline_item_temp-prov_item_type = grac0_role_profile_type-role.

     ENDIF.

                                      1

APPEND ls_reqline_item_temp TO ls_access_request-reqlineitm.

CLEAR:ls_reqline_item_temp.

ENDLOOP.

During processing and without using CUA the line items of the requests get simply duplicated.

(>>> Append statement)

Consequently the provisioning action is performed 2 times, as shown in the SLG1 log.

With Change/create request this doesn't has much impact, but for delete requests you get a provisioning failure as the "second" processing of the line item to delete the user will tell you that the user does not exist anymore, which is correct as the user was already deleted with the first line item....

regards

Johannes

Former Member
‎07-22-2016 3:24 PM
0 Kudos

Hello Johannes,

We are also encountering duplicate entries for Provisioning Logs. Kindly confirm if how the issue has been resolved. Appreciate your help.

Regards,

Jill

Former Member
‎07-26-2016 9:50 AM
0 Kudos

Hi Jill-Ann,

I detected this issue at customer project site; as the issue was very critical for them I modified the ABAP coding in advance;

I did not have a directly assigned S-User to report this to SAP OSS, but told the customer to create an incident and send to SAP.

I assume this might be still in progress and there is not a official note released yet.

Therefore  I made a simple modification as a workaround and marked the APPEND-Statement in the coding of class CL_GRAC_PROVISIONING_ENGINE in method PROVISION as a comment:

.....

....

. LOOP AT lt_reqline_item_temp into ls_reqline_item_temp.

IF ls_reqline_item_temp-prov_item_type = grac0_role_type-CUA.

ls_reqline_item_temp-prov_item_type = grac0_role_profile_type-role.

ENDIF.

***APPEND ls_reqline_item_temp TO ls_access_request-reqlineitm.

CLEAR:ls_reqline_item_temp.

ENDLOOP.

The root cause seems to be something related with CUA-usage as this coding was implemented with SAP Note 2140254.

But I didn't go into further details, because after several debugging sessions on the customer GRC system it was obvious that the line item gets wrongly duplicated.

If you are still on a project or have a S-User from the customer, perhaps you may create a OSS message for SAP and inform them about this bug.

regards

Johannes

Ask a Question