It may be difficult to believe that 2015 is flying by so quickly, but planning is already underway for SAP TechEd 2015 in Las Vegas.

The design team for the ASUG education sessions this year is Tammy Powlas, ASUG volunteer Kristen Dennis, and myself, along with our SAP Point of Contact Peter McNulty. Tammy posted a very informative blog in the Business Intelligence space to entice BI people to start thinking about presenting.,Plan Now for Call for ASUG Speakers for SAP TechEd Las Vegas . I am not going to repeat everything she already said so well, but I do want to encourage you to review her post and to consider presenting.

You might be thinking, I don't see a GRC track at TechEd, and if you are thinking that, you are right: there is not a track solely dedicated to GRC. However, the Security, Secure Development, and Configuration track covers SAP security products as well as standard features, capabilities and recommendations. In this track we welcome and encourage customers to present on SAP Access Control, SAP Identity Management, SAP Threat Detection, SAP Single Sign-on, security redesign projects, secure development and configuration - really, just about anything related to the security function in your SAP landscape. Lessons learned from implementations and upgrades, tips and tricks, believe me when I say that ASUG's Design Team wants to offer more than just SAP HANA all the time. Certainly, if you have a SAP HANA security success story, we welcome it, too, but think bigger. We have a lot of education slots to fill, and the feedback we have received is that customer presentations are highly desired. So put on your thinking cap now and get ready for the call to open on April 20.

Here is the expected timeline  (Source: SAP):

ASUG members who are not customers are also welcome to submit an abstract; just keep in mind that customer presentations are preferred. If you are a consultant who had a successful security or GRC project, perhaps you can persuade one of the customers on the team to present and tell your mutual success story. I hope to see many abstracts submitted on security, IdM, GRC, and other related topics.

Hi Team

During GRC Access Control Implementation ,the most of the concerns of the business is towards the access risks present in the landscape and how is it addressable from GRC AC perspective. I have tried to cover all aspects of the implementation of ARQ Workflow .As the per the business we had some requirements which i guess many of our colleagues will have during Access Request Workflow Implementation.

Requirement:

1) Risk analysis should happen automatically on access request submission

2) Role Owner should approve all the assignment of roles to user and in case of SOD voilations it request should route to SOD Owner stage

3) SOD owner should address all the SOD access risks and mitigate it and finally approve the request.The request should not be approved without mitigating SOD risks.They need HARD STOP on approval.

4) For access removal there should not be any approval but the request needs to be validated by Security Admin before its implementation.

Solutioning:

For requirement 1, We need to enable to below parameter in SPRO in GRC system.

SPRO->Governance Risk and Compliance->Access Control->Maintain Configuration Parameters

For requirement 2 ,the Workflow(Account Creation/modification) needs to be created in MSMP with stage approval on GRAC_ROLEOWNER stage with routing rule enabled for rule id  GRAC_MSMP_DETOUR_SODVIOL and therafter maintain route mapping

.

For requirement 3,We need to enable to below parameter in SPRO in GRC system.

SPRO->Governance Risk and Compliance->Access Control->Maintain Configuration Parameters

Now,maintain the SOD routing in MSMP

For requirement 4

Create a Delete Request Path in MSMP with any stage for Security Admin(Agent id: GRAC_Security) so that when user or his/her manager raises delete request it gets validated by security admin and after validation security admin should submit the access request for it.

The Delete request will lock the user in backend(System  can be chosen by requestor) and also it can set the validity dates. For roles removal, Requestor needs to select all the roles by clicking on existing assignment and chose remove actionfor the Roles.

The actions to be maintained for Delete Request-

1) Change and Lock user

2) Remove

Issues: 1) SOD owner was able to mitigate the SOD access risks and approve the request but also SOD Owner was able to approve the request without mitigating the Risk.The HARD BLOCK is not working.

Go to below path

Governance, Risk and Compliance > Access Control > Maintain AC Applications and BRFplus Function Mapping. Within the transaction SPRO follow the path “Governance, Risk and Compliance” > “Access Control” > “Maintain AC Applications and BRFplus Function Mapping” and click the execute button.

Request Mitigation Policy application id is deleted from the screen to enable hard stop of approval of access request form in SOD owner stage with SOD access risks.

Issue 2: Access Request in Editable mode for Approver i.e.Approver has an option to deselect the risk analysis in Permission level and approve the request.This may dilute the Requirment 1.

The Webdynpro GRAC_OIF_REQUEST_APPROVAL  needs to customized to change the risk analysis in Read only mode for the approver.

In SE80, open the web dynpro in test-admin mode and copy the link which was opened and added the HIGHLIGHTED string to it. The REQ ID can be fetched from GRACREQ table

http://sapXXX.lvs.XXXX.com:XXXX/sap/bc/webdynpro/sap/grac_oif_request_approval?sap-language=EN&sap-config-mode=X&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/REQID

After hitting the above link, the request will open in customize mode and then we can go to go risk violations tab and right click on Permission level level and go to settings configuration and make the tabs in Read only mode and save it.

I hope the document will help everyone here.

Appreciate your feedback.

Best Regards

Nitesh

As a foreword I would like to use popular Rolling Stones’ song adopted to the topic of the article.

When I'm customizin' my GRC

And that support comes in the message

It's tellin' me more and more

About some useless information

Supposed to fire my imagination

I can't get no, oh no, no, no

Hey hey hey, that's what I say

Here on SCN and on SAP promo materials everybody can read about the powerful tool – BRF+ and very flexible workflow of the new GRC. So, I will not be arguing with those promises, but I would like to share my experience. Now we are reimplementing GRC, we just try to make the same settings in GRC 10 that we have in GRC 5.3. During the reimplementation we have faced with the non-resolving issues and I hope that this article “fire your imagination”.

The first issue

Really we don’t have so many issue, but they stuck our project. The first thing is CUA setting. I don’t know for what purpose SAP made “Maintain CUA Settings” in SPRO. In fact, it doesn’t work. Why have I decided so?

I have CUA with 3 systems (SSDCLNT001 – CUA central system, SSDCLNT200 – CUA managed system, GRDCLNT200 – CUA managed system), it configured in (I call it) Mix mode. Mix means that we use many parameters (such as name, user type, format…) set as global, and the others (such as roles, profiles, user parameters…) set as local.

We were surprised when had known that this configuration is not supported by the new GRC.

Quote from the message

Hi Artem,

I had discussions with our architect and other technical experts on

this. Currently it is not possible to consider the mixed settings and

hence would request you to maintain them as globally in the SCUM

settings in order to resolve your issue.

Of course, during the correspondence, we tried to use “Maintain CUA Settings”, but I was advised to not use it at all. Even if use global or local settings. Here is the question for experts: what is the purpose of this setting?! More over if I set here CUA-manager system and CUA-managed system and not activate “CUA Global System”, I get the dump: OBJECTS_OBJREF_NOT_ASSIGNED_NO CX_SY_REF_IS_INITIAL CL_WDR_INTERNAL_WINDOW========CP

The second issue

BRF+ is really great thing and MSMP too! But… it is not flexible for logically standard scenario. When we started to implement new GRC I see that systems go as independent items in the request and should be approved as roles. Finally, systems go not just as an attribute of the request (like it was in 5.3), but they have owners. However, to customize simple workflow is not possible:

1^st stage - Manager selects systems and roles.

2^nd stage – Systems should be approved/rejected by the owners.

3^rd stage – Roles should be approved/rejected by the owners, and the roles assigned to the rejected systems should be rejected automatically.

Doesn’t it seem logically simple?

In fact, it’s not possible using the standard tools to realize this scenario. You may say: Use ABAP. But for what we need ‘flexible’ BRF and MSMP then?

I should thank Madhu Babu for his helpful blog http://scn.sap.com/community/grc/blog/2014/03/24/grc-request-with-both-system-and-role-line-items

He does a great work, and I see that he is one the most active contributor on scn! Unfortunately, the above configuration doesn’t resolve the issue. Imagine that you are a role owner, you get a request with, say, 20 roles. You analyse them, wright some comment, in common, waste your time to process the roles. In parallel, some system owner doesn’t think that the user of the request must have the access to the system and reject system assignment. In the result, user will not get the access to the system and the roles (for which you and the other owners have wasted the time!).

I should also thank Marina Volynets, because she tried to help me find out that the issue cannot be resolved with the standard tools.

Need an idea to resolve split procedure

The third issue

BRF+ in its decision table must have approvers for each item in the request, otherwise we get “No agent found” on the workflow level. There no option in MSMP to send all line items without approvers to the next stage. Previously (in 5.3), all orphaned roles go to the next stage. Yes, it might be a breach in the security area, but why 10.x doesn’t have an option (check box, for example) to pass forward orphaned items?

From my point of view, we get a new GRC that is neither better nor worse than the previous. They are the same with slight differences.

I hope that my article will raise a wave of indignation and experts provide their view on the issues. Maybe someone points me that I'm wrong or points me on the idea place… If someone has issues to add to the article, you are welcome!

Best regards,

Artem

Overview

In GRC Access control as part of Workflow approvals and reviews Managers, Role Owners, FF ID Owners and Controllers, Function/Risk/Mitigation Approvers, Monitors, Users, Requestors etc. receive various Email notifications. Based on the client’s requirements these Email notifications are enhanced and maintained. This blog is to discuss about various customizing options available for GRC notifications as well as notification variables and their limitations and scope

For beginners below document gives details on how to customize email notifications templates in GRC

AC 10.0 - How to Customize Notification Templates for AC Workflow

Email Notification Templates - HTML Tags

1. HREF (For Email ID and URLs)

Below are the few notification variables which gets converted to URLs in the notification emails. Basically when the URL is not maintained as HREF using HTML tags, in most of the cases Emails get routed to JUNK folder in mailbox because of various special characters in the URL.

LINK_APPROVE_REJECT    Link to Approve/Reject by Email

LINK_GET_APPROVERS    Link to get Approvers

LINK_GET_REQ_STATUS    Link to get Request Status

Eg: To make URL a HTML link use, "Click <A href="%LINK_GET_REQ_STATUS%">here</A> to view request status"

For Email ID to appear as HTML Link use, <A href="mailto:Test@test.com">Test@test.com</A>

2. BOLD and UNDERLINE

Eg: <STRONG><span style="text-decoration: underline;">GRC Notifications</span></STRONG>

3. ITALICIZE

Eg: <span style="font-style: italic;"> TEXT</span>

How to insert Company Logo in Email Notification Templates

First you need to store the Logo which you want to use in Email notifications in GRC MIME repository

Go to SE80 Tcode and click on MIME REPOSITORY. Import the Logo which you wanted to use into MIME objects repository as shown below:

Once the above activities are completed, the next step is to use the LOGO in Email notification Templates.

Note: URL for logo is no transportable and need to be individually changed in each system when notification template is transported.

Use the image source tag as shown below:

<img src = "http://my_server.my_domain/sap/public/bc/ur/MyLogo.png">

How to create New Message Class for Notification Templates

How to create new Message Class for any workflow in GRC ?

Very common requirement is customers request to have specific Email notifications at each stage individually and for such scenarios it might require creation of Custom message classes to be used at various stages in workflow and you can follow below process for creating new message classes

Example: For EAM Log Review Workflow there are no FORWARD and RETURN Message Class available.

Execute Tcode SM30

Open table GRFNVNOTIFYMSG and click on Maintain button and then click on "NEW ENTRIES" and maintain as below and once done click on SAVE button

Execute Tcode SM30

Open table GRFNVNOTIFYMSGC and click on Maintain button and then click on "NEW ENTRIES" and maintain as below and once done click on SAVE button

Once the above mentioned activities are completed, now the newly created Message Class can be added to your MSMP Variables & Templates Notification Templates section as shown below

Notification Variables in GRC

Each workflow process comes with a number of notification variables that are available to all notification templates that belong to it. They are displayed on the bottom of the screen in step 4, ”Variables & Templates”, in the customizing activity Maintain MSMP Workflows.

Few queries regarding Notification Variables customization especially %PROVISIONING% and %PROVISIONING_WITHOUT_PASSWORD%

For ARQ provisioning there are 2 variables which are sent along with END OF REQUEST notification( with Roles and Password details) PROVISIONING and PROVISIONING_WITHOUT_PASSWORD

These variables are standard variables which are calculated run-time.. if you are not happy with the formatting, please raise a CSS message and let SAP developer fix that for you.. there is no customizing available for it..

Other option can be to have your own custom variable created, but again that require development

2012041 - Is it possible to suppress the role details in the variable %PROVISIONING%

1854408 - Potential information disclosure relating to user password

How to create custom notification variables in GRC

In the MSMP configuration, Select the process ID and goto Step 4 Variables & Templates kindly add a Z variable.

Now in the backend GRC system goto transaction SE37 and enter the function module GRAC_NOTIF_VAR_RULE_AR. and copy this function module and

create a custom Z Function Module and add the logic for the Z variable in the function module.

Once done activate the Function Module

Open the MSMP configuration and goto Step 2. Maintain Rules. Add this newly create Z function module as a Notification Variables Rule. Also maintain this Z Function Module in the Notification Rule under Global Rules in Step 2.

Save and Activate the MSMP workflow configuration.

Now you can use the custom Z variable in the document objects.

How to modify URL shown in GRC notification variables to enable SSO

First setup Single Sing On (SSO) between Enterprise Portal and GRC system.

Once done, create a Portal iView in Content Adminstration -> Portal Content Management using standard GRC Access Control iView Template.

In the template, Application Name, Configuration Name, System, Location etc fields are maintained and once the template is maintained then PERMISSIONS need to be maintained for iView.

Once the above steps for creation of portal iview are completed, modify the URL used in the notification variables by creating a Custom Notification Variable Function module and replace the URL with Portal iView which you can work with ABAPer and Portal guys to get the details.

Once all above steps are done even the approvers can access all Approval Links in Email notifications via SSO without entering UserID and Password

Note:Deactivate password for all users in GRC System including approvers UserIDs

Looking forward for all your inputs in improving this blog with all other additional details

Thanks for reading.

Best Regards,

Madhu Babu Sai

Hello Friends--

For past so many years i have been taking GRC interviews and  some important aspect i would like to share for all those who are willing to pursue the career in GRC --

There are 2 aspects to look into this :

On the Functional Point of view :

1 - Firstly understand why an Organisation needs SAP GRC, and what are the benefits of implementing the complete Kit.
2 - Understand the various compliance structure around the Globe and how they are mapped to the organisations internal process.
3- Design a Standard Roadmap for various sectors of the Industry and align it to the organizational need.

On the Technical Point :

1 - Those who are from SAP Security background, who understand SAP Authorizations, believe me, GRC will be a smooth ride, you just need to understand what are the different functionality in SAP GRC and need to know when and how to use this functionality.-- Technically its a cake walk.

2 - Those with Support experience of SAP GRC - In your job, the work is restricted to certain tabs of GRC, but with the help of social media you can explore lot of learning. Utilise your time in understanding various functionality, learn the subject well, when you get an opportunity learn in the demo servers, Implementation is not the only means of having expertise in GRC, its ones commitment and learning skills which will help in understanding the concepts.

3 - Those who want to learn SAP GRC - Please go through the GRC training material, and seek help in the social media, i am sure our fellow colleagues will come forward and help in training.

Whenever you prepare for an interview, make sure you have known the subject well, even without experience, what the recruiters will look for is how good are you with the concepts and how well you can explain those functionalities. It clicksss..

And yes, i am waiting for all those who are willing to be an GRC expert to work along

All the Best--

Sandeep Poojary

Business Scenario

In one of the GRC projects I have worked for, the client's requirement is to send the User Access Review Workflow to User for review at First Stage and then to Manager for review. Since there is no standard User agent provided by SAP we developed a custom user agent by making use of BRF+ functionality

BRF+ Agent Design

As per User Access Review process, first UAR request generation job is scheduled which will generate the requests and then UAR Workflow update job is scheduled which will push all UAR requests into workflow and then they go to corresponding workflow path and stages

Since "User Agent" is requested by the client, now "User" also becomes one of the GRC Approvers and hence "User" should exist in Target system and GRC System as well

Once the requests are generated by "UAR Request Generation" job, these requests will be stored in GRC table "GRACREVITEM - Review Request Related Items"

In our UAR User Agent design we used DBLOOKUP functionality to the table GRACREVITEM to get the result as UserID based on the UAR Request ID.

BRF+ Agent Configuration

You have to generate the BRF Rule via Transaction SPRO in GRC system. Follow the below steps in your GRC system.

Run the transaction SPRO, Go to IMG => Governance, Risk and Compliance =>Access Control =>Workflow for Access Control  => Define Workflow related MSMP rules.

Or

Directly execute Tcode GRFNMW_DEV_RULES

• Fill generation criteria (Process ID, Rule type, etc.)
• Specify Generation options
• Generate rule shell (Execute button)

Click Execute or Press F8. This now generates a successful message for BRFPlus Rule with name and ID. You can run BRF+ Tcode and can check the newly created BRF+ application there.

Functions Signature Update

In BRF+ function, change the mode to “Event Mode” and activate the function as shown below.

• Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
• In “Signature” tab of BRF Function, change the result data object to GRFN_MW_T_AGENT_ID

Create Ruleset in BRF+ Application

Create Ruleset in your BRF+ application by clicking on “Create Ruleset” button under “ASSIGNED RULESETS” tab of function. Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework.

Create Rule within Ruleset - Create Expression of Type “Loop”

1. Click on “Insert Rule” button to create new rule
2. From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
3. Create expression of type “Loop” and provide suitable name and description.
4. Loop gets created as shown below. Processing Mode and Loop Mode maintain as mentioned below.

Create Rules within Loop Expression

First Rule

a. Request ID field which we use in this particular agent rule is sent with prefix as "ACCREQ/REQ_ID". Before doing DBLOOKUP the prefix has to be removed and only "REQ_ID" should be sent to DBLOOKUP. To achieve this, I used "FORMULA" expression with SUBSTRING function.

b. Once the Request ID field is trimmed, then this Request ID field is used in DBLOOKUP and gets the UserID. The second rule is to create DBLOOKUP for tables GRACREVITEM

C. Each LineItem in BRF+ need to be assigned to context parameter ITEMNUM as we didn't initialize the LineItem key.

Second Rule

Second rule is used to assign value to context as shown below. This rule will be included in your loop for inserting the values into Agent ID table after processing each LineItem.

Finally Loop expression will have all required rules as shown below.

Once above rules creation is done, activate your expressions REMOVE STRING, DBLOOKUP, LOOP, FUNCTION and then check by simulating your function by adding Line Items rows and enter any Request_ID from table GRACREVITEM and check if your agent is returning correct results.

After verification this BRF+ agent can be used in MSMP UAR workflow and your UAR requests can be routed to User's for Approval/Notifications

Looking forward for all your feedback

Thanks for reading.

Best Regards,

Madhu Babu Sai

As companies grow and expand globally, there is an increasing number of enterprise application users, and with this growth, an ever increasing risk of security breaches and violations. As enterprises are becoming more susceptible to security risks and violations from internal users, businesses are moving towards implementing more preventative measures rather than staying in reactive mode.

SAP GRC enables organizations to establish effective internal controls, along with processes to make sure these controls remain consistent, updated and cost-effective to manage. Administrators can now use a single SAP GRC framework to monitor and enforce business, compliance and security policies across the enterprise. SAP has enhanced the GRC offering to include the SAP Dynamic Authorization Management by NextLabs to ensure that companies can quickly adapt to changing policies and streamline enforcement and administration of those policies.

GRC customers can now integrate more fine-grained contextual information about the user. This information can include location, project, cross-departmental access, territory, and real-time segregation of duties attributes. The tight integration provides real-time risk enforcement to prevent misappropriation of information before it happens. Customers can monitor and track all activity.

USE CASE:

Segregation of duties violation example:

• Charles can maintain a vendor master and post a vendor invoice payment.

Risk:

• Charles can maintain his own vendors and transfer money to the vendors at any time without external authorization.It poses a huge financial risk for business.

With SAP Dynamic Authorization Management implementation:

Case #2.1 - There are no mitigating controls in place in GRC rule set for SOD Violation:

• When Charles performs the action of paying the vendor he created, he is blocked.

Case #2.2 - There are mitigating controls in place in GRC rule set for SOD Violation:

• When Charles performs the action of paying vendor he created, Charles has an option to move forward by signing an NDA (SAP DAM self attestation feature).

In all the use cases discussed above, the activity performed by Charles is recorded and reported back to SAP DAM Analytical Dashboard.

Anand Kotti

HR Triggers business logic getting too complex?

Why not make use the entire world of ABAP to code the business logic for HR Triggers?

Business Rule Framework plus (BRFplus) provides a comprehensive application programming interface (API) and user interface (UI) for defining and processing business rules. However the tool can be complex to users that have limited knowledge and experience working with it.

BRFPlus applications can become very complex, and it may come to a point where the business logic for some HR Trigger scenarios are better off being created in pure ABAP procedure instead. Of course, for those who are BRFPlus developers, this blog does not make sense, but I would like to address here those users with very limited knowledge on the tool.

BRFPlus Application that calls an ABAP procedure, is all you need

Follow the three videos below, to create a BRFPlus application from scratch, which in turn calls an ABAP procedure where you can use your ABAP skills to create any logic you desire. As long as your business logic for HR Triggers can be coded using ABAP, you should be okay!

	BRFPlus - Part 1 - Create Function Module This video demonstrates how to create the Function Module to be used in the BRFPlus rule with a Procedure Call, for Access Control HR Triggers functionality.
	BRFPlus - Part 2 - Create BRF Application This video demostrates how to create and configure the BRFPlus Application with Procedure Call, to be used in HR Triggers.
	BRFPlus - Part 3 - Map the BRFPlus Function ID in SPRO This video demostrates how to map the newly created BRFPlus rule into SPRO configuration

More info on WIKIS:

Below are the steps to create the first HR Triggers BRF+ Rule, the simplest and basic way to create it.

Creating the objects

The order in which you create the objects may vary according to your preference.

My suggestion is to create the objects in the following order, and SAVE it throughout. Only ACTIVATE the objects at the end once all is created.

1- Data object of type Table, called HR_TRIGGER_TABLE, with binding to GRAC_T_HR_TRIGGER_TABLE_BRFP

2- Data object of type Table, called ACTION_ID, with binding to GRAC_T_HR_ACTION_ID_BRFP

3- Function, assigning the context in Signature

4- Decision Table

5- Rule2

6- Loop

7- Rule1

8- Ruleset

9- Assign the Ruleset to the Function

Function

Assign the context in the function signature, as follows:

Data Objects

1- Data object of type Table, called HR_TRIGGER_TABLE, with binding to GRAC_T_HR_TRIGGER_TABLE_BRFP

2- Data object of type Table, called ACTION_ID, with binding to GRAC_T_HR_ACTION_ID_BRFP

Once you create them, automatically the correspondent Structure and Elements will appear.

Decision Table

Rule_2 object

To add operartion (1): in Edit mode, go to Add->Process Expression->Decision Table and select the decision table object.

To add operartion (2): in Edit mode, go to Add->Assign Value to Context->Table type for Action ID.

Click on Change, and select "Select Context Parameter", choose "Action ID" (text type).

In addition, click on Change, and set it to "Insert", once you complete, it should look like below:

Save.

LOOP object

In Edit mode, go to Options>Add Rule->Select an Existing Rule. 

And select Rule_2 object.

Save.

Rule_1 object

In Edit mode, go to Add->Process Expression->and select LOOP_1 object.

Save.

Ruleset_1 object

In Edit mode, go to Options>Add Rule->Select an Existing Rule.

And select Rule_1 object.

Save it.

Assign the ruleset in the function:

I decided to create this blog to gather the issues of not having the GRC object created in SE75.

First of all, a brief explanation about the transaction:

SE75 – Long text (SAPScript texts)

"Long Texts (also referred as SapScript texts or text objects) are the containers for containing long texts in SAP systems, and they are usually attached to business objects, that users can enter free comments.

Long Texts were initially created for SapScript tool because old database systems had text columns limited around 255 characters. The "new" database systems do not have this restriction any more, but Long Texts remain."

Source: http://wiki.scn.sap.com/wiki/x/1YRMB

The GRC object in SE75

Main issues:

If GRC text object ID is not in SE75 list, the following issues may occur in the system. The notes listed below are In chronological order:

1895324               Role Import ends with an error "LONG_TEX failed"

2156904               Access Request Creation Error

2151993               Description and Control Objectives Blank After Access Risk Save

1983201               Error while saving comment in Notes section of ad hoc issue

1982125               Reason code and Activity description is missing in reports

1801435               'Error Inserting Records' error on request submission

1847877               Risk ID detail Description not getting saved

1800347               Short Dump on FF Login

1890058               "Saving note failed" error comes while saving Mitigation Control

1793111               Error 'Creating TEXT/LONG TEXT failed"

1843287               Submitting a request there is an error while inserting request reason

1791799               GRC 10.0 - Error while inserting the request reason

All the notes above present the same solution.

Object GRC must be created in SE75.

KBA 2156904 shows the manual steps on how to do it.

You can also use the following SAP note to run a script to update the text tables directly into the database:

2058516 - Creating entries in TTXOB,TTXOT,TTXID and TTXID Table

When choosing the background option in Risk Analysis, some users are facing a dump, this is relative to duplicates parameters, one example is one risk analysis with two roles or two kinds of risk,

This is how the error presents in front end

500 Sap Internal Server Error

ERROR: Open SQL  array insert produces duplicate records in the database. (Termination: RABAX_STATE)

And this is the error in ST22

SAPSQL_ARRAY_INSERT_DUPREC

CL_GRAC_SOD_RISK_ANALYSIS_BG

The error line in >>>>insert gracbrange from table mt_range_table.

For more information to solve this issue view SAP Note 2183633 - Background Batch Risk Analysis raising
SAPSQL_ARRAY_INSERT_DUPREC dump.

When a user has to delete one Connector/System from GRC the syncs jobs will not remove from the tables the data from this connector,

but there is a report GRAC_DELETE_ACCESS_RULES that do the job, if you select the last check box as you can see in image:

You will delete data from the selected connector for the following GRC tables, *Noticed that all this tables has connector field and if this field is equal the connector that was choose the data will be erased.*

1. gracactionsyst 
2. gracactpermsys 
3. gracactusage 
4. gracauthpmsyst
5. gracclasssyst 
6. gracfldsys 
7. gracfldsyst 
8. gracfldvalsys       
9. gracmgmtactusage 
10. gracobjectauth 
11. gracpdprofiles
12. gracpermclssys 
13. gracpermfldsys 
14. gracpermfldval 
15. gracprofile 
16. gracprofilet 
17. gracrlconn
18. gracroleorg 
19. gracroleusage 
20. gractaskexecstmp 
21. gracuser 
22. gracuserconn 
23. gracusermap 
24. gracuserorg 
25. gracuserprofile   
26. gracuserrole      
27. gracusrpdprofile 
28. gracclasssyst 
29. gracfldsyst 
30. gracfldvalsys 
31. gracprofile 
32. gracroleorg 
33. gracroleusage 
34. gracusermap    
35. gracuserorg 
36. gracactionsyst 
37. gracactpermsys

Hello folks,

You may have the requirement in your company, that you only want to create new hires/terminations from HR Triggers for users that belong to a certain Company Code (BUKRS).

How can you do that?

My suggestion is to create a Procedure Call that executes a function module to get the user BUKRS. Then you add BUKRS to the condition columns of your Decision Table, and it is done!

Okay, you will ask me.. why not use a DBLookup instead of a Procedure Call? Answer is, BUKRS field is stored in HR System table PA0001. If I was wanting to retrieve field value from any table sititng in the GRC Foundation system itself, I could have used a DBLookup - no problem. But the table I need to access is on another system, the HR System. Therefore, by using a Function Module tied to a BRF+ Procedure Call expression, I can make use of SAP Standard Function Module RFC_READ_TABLE to complete this task.

Below are the steps suggested to achieve it.

CREATE a FUNCTION MODULE in the GRC FOUNDATION system

Code for the Function Module:

NOTE: this code is a sample, and IS NOT standard application code. It is merely a suggestion on how to create the Z Function Module in order to get Company Code (BUKRS) for the PERNR user triggered by HR Triggers.

NOTE2: I made this sample in the most basic form, you will need to add treatment for Exceptions, etc.

IMPORT parameter:

EXPORT parameter:

My FM is called "Z_HR_TRIGGER_GET_BUKRS", and you may call it whatever you like.

Also you may use it for any other HR info type information that you would want to add to your Decision Table. In this scenario, the data I want is BUKRS, but you may want to use WERKS, Personnel Area, etc. As long as the data is stored in a HR Table related to the employee PERNR number, you can map it following this blog.

The suggested code is:

FUNCTION Z_HR_TRIGGER_GET_BUKRS.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IT_HR_DATA) TYPE  GRAC_T_HR_TRIGGER_BRFP
*"  EXPORTING
*"     VALUE(ET_BUKRS) TYPE  BUKRS
*"----------------------------------------------------------------------

  DATA:   lv_pernr      TYPE string,

          ls_hr_data    TYPE GRAC_S_HR_TRIGGER_BRFP,

          lv_connector  TYPE GRFN_CONNECTORID.



  DATA:   lv_data       TYPE string,

          lt_data       TYPE STANDARD TABLE OF tab512,

          lv_table      TYPE TABNAME,

          lv_fields     TYPE string,

          lt_fields     TYPE STANDARD TABLE OF rfc_db_fld,

          lv_options    TYPE string,

          lt_options    TYPE STANDARD TABLE OF rfc_db_opt.



  FIELD-SYMBOLS <fs_hr_data> LIKE LINE OF it_hr_data.

  FIELD-SYMBOLS <fs_lt_data> LIKE LINE OF lt_data.





  CLEAR lv_connector.

  CLEAR lv_pernr.





  LOOP AT it_hr_data INTO ls_hr_data WHERE field_name = 'PERNR'.



    lv_connector = ls_hr_data-CONNECTOR.

    lv_pernr = ls_hr_data-NEW_FIELD_VALUE.



    EXIT.



  ENDLOOP.



  IF lv_connector IS NOT INITIAL AND lv_pernr IS NOT INITIAL.



    CLEAR lt_data.

    CLEAR lv_options.

    CLEAR lt_options.

    CLEAR lt_fields.



    lv_fields = 'BUKRS'.

    APPEND lv_fields TO lt_fields.



    CONCATENATE 'PERNR EQ' lv_pernr 'AND ENDDA GE "' sy-datum '"' INTO lv_options SEPARATED BY ' '.



    REPLACE ALL OCCURENCES OF '"' IN lv_options WITH ''''.



    APPEND lv_options TO lt_options.

    WRITE: lv_options.



    lv_table = 'PA0001'.



    CALL FUNCTION 'RFC_READ_TABLE'

      DESTINATION lv_connector

      EXPORTING

        query_table          = lv_table

        rowcount             = 1

      TABLES

        options              = lt_options

        fields               = lt_fields

        data                 = lt_data

      EXCEPTIONS

        table_not_available  = 1

        table_without_data   = 2

        option_not_valid     = 3

        field_not_valid      = 4

        not_authorized       = 5

        data_buffer_exceeded = 6

        OTHERS               = 7.



    CASE sy-subrc.

      WHEN 0.

        " fine, do nothing



      WHEN 1.

        "lv_msgno = '082'.



      WHEN 2.

        "lv_msgno = '083'.



      WHEN 3.

        "lv_msgno = '084'.



      WHEN 5.

        "lv_msgno = '085'.



      WHEN 6.

        "lv_msgno = '086'.



      WHEN OTHERS.

        "lv_msgno = '087'.



    ENDCASE.



    "Only one line must be in lt_data, only one Active BUKRS per PERNR is expected in PA0001.

    IF lines( lt_data ) = 1.

      READ TABLE lt_data ASSIGNING <fs_lt_data> INDEX 1.

      lv_data = <fs_lt_data>.

      MOVE lv_data TO et_bukrs.

      WRITE: lv_data.

    ELSE.

      CLEAR lv_data.

      "WRITE: 'Error'.

    ENDIF.



  ENDIF.




ENDFUNCTION.

BRFPlus APPLICATION changes

Assuming your BRFPlus HR Triggers rule is created according to blog:

Creating your first HR Triggers BRFPlus - BASIC

we will make the below modifications:

1) Create two Data Elements. Type: TEXT, Length: 4

- BUKRS

- DT_BUKRS

2) Add the newly created Element "DT_BUKRS" to the Function context:

3) Create an Expression of type "Procedure Call", I am calling it "GET_BUKRS".

In my sample, I have created a Function Module in the GRC Foundation system, called Z_HR_TRIGGER_GET_BUKRS.

Below I mapped the FM parameters for Import and Export.

4) Create an Expression of type "Formula". I called it "FORMULA".

Assign "Result Data Object" to Element "DT_BUKRS".

To add the GET_BUKRS to the formula, right-click anywhere in the formula area (white box), choose "Insert Expression" and select the existing "GET_BUKRS".

5) Now go to Rule 1 (if you have named them differently, go to the Rule that has the LOOP.

Add below expression and make it the first expression (1).

6) Open Decision Table, and add DT_BUKRS to the "Condition Columns"

SIMULATE

Lets simulate the scenario.

1) In my test HR system called GH7CLNT600, I have PERNR 3, with BUKRS "US01".

Note that there are two rows for the PERNR 3, the Function Module must take the valid entry, and ignore the expired entries.

2) My decision table has below conditions, for New Hire (0105 0001):

3) Simulating the FUNCTION:

Click Start Simulation.

I have entered two lines in my simulation.

The first line is to match the New Hire condition.

The second entry  always comes within HR Trigger data from HR system, which is the PERNR number.

If PERNR is not coming, it will fail. In real scenario, it will always come along with the changed info types.

What must happen: in Rule 1, the BUKRS will be collected for the PERNR 3, and my New HIre condition will meet only if all
columns are matched, including DT_BUKRS.

GRC Access Control

2094723 -Consolidated Note for SAP Access Control 10.0 Master Notes

2096196 -Consolidated Note for SAP Access Control 10.1 Master Notes

2150899 -Consolidated Note for Access Control Org Rules - 10.1, 10.0 and Plugin Issues

2113778 -Consolidated Note for EAM workflow in GRC Access Control 10.1

2157603 -Consolidated Note for all BUSINESS ROLE related issues in GRC 10.1

2150961 -Consolidated Note for Access Control - Dashboard 10.1 & 10.0 Issues

2150954 -Consolidated Note for Access Control - Mitigation Control 10.1 Fixes

2163107 -Consolidated Note for UAR Review: Master Note 10.1

2105778 -Consolidated Note for UAR Review: Master Note

1967403 - EAM:Key note for Firefighter Log and Review Workflow issues

2150850 - Key note for Access Risk Analysis, Batch Risk Analysis Access Risks,Function & WorkFlow issues

GRC Process Control

2126446 -Consolidated Note for Process Control 10.0 Manual Test Plan

2126494 -Consolidated SAP Note for Process Control 10.1 Manual Test Plan

2105791 -Consolidated Note for Process Control 10.1 Master Data

2104086 -Consolidated Note for Process Control 10.0 Master Data

2179893 -Consolidated Note for Process Control 10.0 Assessments

2126644 -Consolidated Note for Process Control 10.0 Automated Control

2170668 -Consolidated Account Balances Screen -Text cannot be entered in the 'Reason' field

2169236 -Consolidated Note for SAP Process Control 10.1 Performance

Risk Management

2118405 -Consolidated Note for SAP Risk Management 10.1 Master Notes

GRC Generic

2133498 - New Functionalities added in GRC 10.1 and their code corrections: Consolidated Note

2185282 -Consolidated Note: TSV_TNEW_PAGE_ALLOC_FAILED

Access control decisions for business are no longer about permission to allow and deny. When Roles were introduced way back in 90’s, there was nothing like internet of things and the whole technology advancements we see in todays world. In 90’s Business operated in silo’s, there was minimal collaboration. Now in 2015 in a globalized world, if you are still sticking to the role based model, It is about the time you might want to rethink.

An access control decision is made based on multiple factors.

How can you apply the above contextual information to make access control decisions, JUST byusing Role Based model?

This is a typical question that I pose for most of our prospect customers.  The answer I hear back from them often is  #1 Customization  #2 More Roles ….

More … More Roles

Solution:

With SAP GRC new product offering SAP Dynamic Authorization management (SAP DAM), customers now have an option to choose from Customization, More Roles…More Roles/ SAP DAM.

SAP DAM access control model is a Hybrid of RBAC+ABAC.

• RBAC stands for Role based access control model
• ABAC stands for Attribute based access control model

In an RBAC model the PRIMARY roles defined would allow or deny the users at Transaction Code level.Inan ABAC model we take the subject, environment, resource and action performed as attributes to make access control decisions at Org level.

A combination of RBAC+ABAC, becomes a very powerful access control tool for security administrators. The reason being  business can now make Fine GrainedDynamic attributes based access control decisions without any customization/ adding more and more roles. This is how the hybrid model works

With SAP DAM offering,SAP GRC gave a new dimension to streamline how we traditionally have been making access control decisions.

Anand KottiDo

Hello GRC Mates,

When Roles are imported into BRM, the message that we like to read on the monitor is: All Roles are imported successfully.

But, sometimes we get to see errors when the Roles are imported into BRM. In this document, Please find some of the common issues along with solutions here.

Error No: 1

While uploading roles through the NWBC via Role Import in Role Mass Maintenance, you receive the following error:

Solution

You need to increase the Max Length for Single (SIN) and Derived (DRD) roles at the following path: SPRO -> IMG -> Governance, Risk and Compliance ->Access Control ->Role Management >Maintain Role Type Settings >Specify Maximum Length for Role Type.

Set the Max Length to the desired value and then try to import the roles.

Error No: 2

While Importing roles through the NWBC via Role Import, if you receive the following error:

Solution

• This error occurs due to missing Text ID for SAP Script Object 'GRC' in the transaction SE75
• To Solve this kind of issue:
  1. 1. Go to transaction SE75.
  2. 2. Select "Text objects and IDs"
  3. 3. Click on Display button
  4. 4. Select 'GRC' as Object and then click on 'Text IDs'.
  5. 5. There should be an entry for 'Text ID' as 'LTXT' with description as 'LONG TEXT'.

Error No: 3

While Importing Composite roles through the NWBC via Role Import, if you receive the following error:

Solution

• In order to Import the Composite Roles in BRM, you need to ensure that its Child Roles (Single Roles) exists in the system.
• First, import all the Child roles and then try Re-Importing the Composite Role in the system which will remove the error message and upload the Composite role successfully.

Error No: 4

While Importing roles through the NWBC via Role Import, if you receive the following error:

Solution

• Ensure that the Single master roles exist in the system.
• Try importing the single master roles first
• Also ensure the parent/child role relation is entered within the import sheet correctly.

Error No: 5

While Importing roles through the NWBC via Role Import, if you receive the following error:

Solution

• This error is due to uploading roles with t-code which does not exist in dictionary
• Remove the t-code from role before import, otherwise validation will not allow for import.

Error No: 6

• While uploading roles through the NWBC via Role Import in Role Mass Maintenance, if you receive the following error:

Solution

• Implement the SAP Note No :1741807 - BRM Role Import error LONG_TEX does not exist

Everyone is free to correct the mistakes in this and

Add more issues of this type into the document.

Regards,

Deepak M

Dear all,

Find the information on dumps and errors in process controls,mainly these issues with missing configuration,missing authorization.

Hope its helpful.

1.Case Management

     SPRO->Governance, Risk and Compliance->Process Control->Cases->Check Customizing for Case Management

    Types of errors:

1. Throws a dump “ASSERTION_FAILED CL_GRFN_API_IDENT=============CP”when opening controls in organization under master data
2. We cannot open any Ad-Hoc Issues from My Homework center.
3. Throws a error with “GRFN_ENTITY_API:102” when schedule automated monitoring job

     Solution: The entries should be green for case management, if not transport them

     SPRO->SAP Net Weaver->Application Server->Basis Services->Case Management->Set Status Administration->Create Status Profile and

     SPRO->SAP Net Weaver->Application Server->Basis Services->Case Management->Define Case Types

     Check Note 1526732 - Transfer client-specific Customizing

2.Configure Email Inbound Process

     SPRO->Governance, Risk and Compliance->Process Control-> Offline Work Process -> Configure Email Inbound Process

     Type of error:Job GRFN_OWP_SUB_JOB_SENDER for Offline Working Process throws error

                    “Assertion failed" dump in class  CL_GRFN_OWP_Deliver”

Solution: SPRO->Governance, Risk and Compliance->Process Control-> Offline Work Process -> Configure Email Inbound Process

Insert a row with Communication Type as Internet mail.

Enter a valid Email Address in the recipient address column.

Enter the document class as "*".

Enter the Exit name - "CL_GRFN_OWP_DELIVER".

Enter the call sequence.Save the settings.

Note: Assign email id to all users who will be receiving notifications.

               Check Notes 1866809, 455140

3.Maintain Entity Role Assignment

          SPRO->Governance, Risk and Compliance-> General Settings -> Authorizations -> Maintain Entity Role Assignment

          Type of error: While submitting Ad Hoc issues, throws dump “The ASSERT condition was violated”

          Solution: SPRO->Governance, Risk and Compliance-> General Settings -> Authorizations -> Maintain Entity Role Assignment

                    Click "New Entries"

                    Select the Entity " G_AI"

                    Select the Role "SAP_GRC_FN_ADISSUE_PROCESS"

                    Select check box "Unique"

4.Scoping

          SPRO->Governance, Risk and Compliance->Process Control-> Scoping

          Type of error: 1.Throws dump “CL_GRFN_API_TIMEFRAME=========CP”while creating account group in master data

                                 2.Throws dump “CL_GRFN_API_TIMEFRAME=========CP”while running the MDUG (Master Data Upload Generator)

                                   in order to upload a template

          Solution: SPRO->Governance, Risk and Compliance->Process Control-> Scoping-> Maintain Scoping Materiality Analysis Frequency

5.Missing authorization

Type of error: Throws dumps “CL_GRFN_API_IDENT=============CP“for master data change reviewer in work inbox

Solution: Approver should have DISPLAY Authorization to the entity CONTROL and XCONTROL

6.In Programs

               Type of error: Execution of program GRFN_CHECK_CDF ends with dump “ASSERTION_FAILED”

Solution: T code: SM30;

Inform T7771 as the Table/View and click on Maintain;

Select the custom info type used in the CDFs;

Click on Time Constraint on the Left Side Panel;

Make sure that Time Constraint field has value 2 or 3. Value 1 cannot be used in GRC;

If necessary, change the value of Time Constraint and save.

               Type of error: program GRPC_MASS_PROCESS_ASSIGNMENT throws dump

               Solution: While executing the program GRPC_MASS_PROCESS_ASSSIGNMENT, make sure

               that the organization unit used here is not locked.

Regards

Baithi

To exclude objects from Batch risk analysis (Dashboards) choose option Maintain excluded objects under :

Batch Risk Analysis >> Access Risk Analysis >> Access Control >> Governance, Risk and Compliance >> SPRO

There is this options:

To exclude one role (example role: Z_TEST):

If you want to exclude a range there is two ways:

Please Noticed the using of " * " the second line will not exclude any objects:

This is a minor tip to check some access parameter is SPRO,

In “AC Configuration Settings” screen in SPRO as you can see it is not possible to use CRTL + F  (this was really annoying me)

But if you click in Printing button (CRTL + P)  the screen reorganize and you can use the CTRL + F

I know it's a little tip , but every colleague I showed liked

Regard

Rafael Guimbala

When we execute the log report in EAM, we would like to see the report based on which we can take a decision.

But, sometimes we get to see errors when we execute the log report in EAM. In this document, Please find some of the common issues along with solutions here.

Error No: 1

When we are executing consolidated log report under reports and analytics tab, we could able to see only transaction information not able to see descriptions of those transactions

Solution

• The transaction description is not available in the consolidated report due to performance issue.
• As in 10.0 there are multiple systems and logs come from multiple systems of different basis release.
• Now for showing transaction description RFC calls have to be made for each system.
• So it was found that fetching the transaction description for each system is degrading the performance of the log report, hence as per the design the transaction description has not been supported in EAM reports.
• This can be found in SAP NOTE : 2010385

Error No: 2

Transactional logs are not giving any data

Solution

• This error occurs due to missing authorization issue.

1. Assign the authorization S_TOOLS_EX to your RFC user in the target connector

2. Along with the Authorization issue, This SAP NOTE will help you: 1775432

Error No: 3

When the Consolidated Log Report is executed, the following error is displayed.

Solution

• This kind of error occurs if the Service is deactivated. To solve this error:
• Go to transaction SICF > Default host > SAP > BC> webdynpro > SAP > GRAC_UIBB_SPM_Tcode_REPORTS to check the service status.
• Right click on this and activate it.  Now you will be able to open the "Transaction and session details" page without any error.

Error No: 4

Consolidated Log report is giving the error showing the following error:

Solution

• There kind of error occurs due to large volume of data or due to some other reason the extended memory is used up and so the TSV_NEW_PAGE_ALLOC_FAILED exception is coming.

• For resolving that problem, it is necessary to configure the memory parameters correctly. Refer to SAP Notes 146289 and 425207 to check the parameters to be maintained. This memory utilizing issue is caused by too much of data selected. So, If changing the parameters cannot solve the problem, then reduce the data selection by creating variants for log display.

Error No: 5

Reason code and Activity description is missing in reports

Solution

• This error is due to missing of the text entry in T-code SE75 for object 'GRC'.
• To Resolve this issue: Refer to SAP Note No: 1982125

Error No: 6

Audit Log Report is not displaying any data

Solution

• The following reasons could be the cause:
  1. 1. Firefighter log sync job has not been run.
  2. 2. There are no records in the plug-in system for the transactions: SM20, SM21 and SM49

Everyone is free to correct the mistakes in this and

Add more issues of this type into the document.

Regards,

Deepak M