Hi Salman,
Thanks for your response.
That pathway you've mentioned: Access Management -> Emergency Access Management -> Owners -> Assign .......... does not exist in my setup.
There is no Emergency Acces Management under the Access Management tab in NWBC !
However Owners do exist and have been assigned as mentioned in the first post via Setup>Superuser Assignment > Owners....so an owner is assigned to the FF ID.
Thanks
Hi Paul,
I'm using role SAP_GRC_NWBC and that allows me to view Access Management -> Emergency Access Management -> Owners -> Assign.
However, I created Firefighter ID's in backend (ECC system) and Owners/Controllers in GRC box.
Then,
1. Assigned Owners to Firefighter id's
2. Assigned Firefighter id to Firefighter user id
3. Logged into GRC box and executed GRAC_SPM or GRAC_EAM and fighter id exist.
Not sure, if this help you.
Regards,
Salman
Hi Japneet,
Thank you for your help.
I have set the task setting for "Approval level" & "Rejectinon Level " at the Stage Level (Role Owner Stage) is Role only but it doesn't work.
FYI, I'm using only stage "GRAC_ROLEOWNER" in path GRAC_DEFAULT_PATH.
I also tried by setting approval/rejection comment madatory to both and now, I'm getting error while rejecting/submit as "Enter notes for approval/rejection" Where do I need to enter the comments as I'm not able to locate those sections in the Role Owner screen.
Basically, Same Role Owner should be able to approve Role A and reject Role B within the same request.
Please advise if I need to select anything else ?
Regards,
Salman
Paul,
Yes, what Salman says seems to be correct.
I have noticed in your very first post that you have created all the ids: FireFighter, FireFighter ID, Controller and Owner in ERP system. Rather, as suggested by Salman. you need to create FireFighter ID ONLY in ERP (back end system) and rest of the users need to be created in GRC box.
Please check this.
Faisal
Hi Paul,
As you said "
2. Yes and the user who will do the firefighting (i.e Firefighter) has been assigned the SAP_GRAC_SPM_FFID which is also set in parameter is 4010. "
Where is this user ID created? If Firefighter is centralized, this user(end user to use Firefighter ID) should be existing in GRC and this role will not be available in GRC box.
Check your Users assignment. As Salman said, Only FFID should be in backend, other users should be in GRC box.
Check the parameter of centralize firefighter which system it is pointing and ask user to login to that system.
Regards,
Sabita
Hi Paul,
I just noticed you have mentioned that your system is at Patch 07. The decentralized firefighter will not be in this case. Login to GRC and check there itself.
Regards,
Sabita
Within NWBC, the AC Owners table has been configured correctly (as far as I can tell - it's how I've done it in the past and it's worked properly).
On the backend, the owners, controllers and firefighters have been assigned the appropriate roles, and the user role sync program has been run.
The users show up in the appropriate lists for owners, controllers, firefighters, etc. No errors in any of the assignments.
I have one firefighter ID assigned to an owner.
That firefighter ID has two controllers, one of whom is set up as email and another as workflow.
Both receive emails when the firefighter logs in.
HOWEVER NOTE: the emails with the URL for the log hasn't been going out, instead an email has been going out informing the controller that there are items to review. Today, however, one of my test controllers on the workflow said that he got the URL email. Since we have 4 test requests, I'd expect 4 emails notifying the controller that the logs should be reviewed.
Is there a PDF that specifically discussed configuring MSMP for the Firefighter workflow? I have the PDF that covers general MSMP config and MSMP config for user provisioning.
Thanks,
Santosh
Hi Paul!
Have you checked for authorizations problems using SU53 or ST01 after executing GRAC_SPM??
How did you set up the RFC connection?
Cheers,
Diego.
Hi Paul,
Check security on the role you mentioned having assigned to the FF User:
SAP_GRAC_SUPER_USER_MGMT_USER
There are certain authorizations that need to be there for the FFIDs to show up on the dashboard (GRFN_CONN & GRAC_USER). I recall having to look into this at one point, although I do not remember if it had to do with standard role.
You could do a quick test on security by assigning your FF User SAP_ALL and/or the GRC ALL roles to eliminate or validate an authorization issue.
Hi Rajeshwari,
Thanks for your quick answer. I checked SAP note 1844600 but the value is still missing. I add the columns using trx SM34 in cluster VC_GRFNREPCUST. The problem is that i don't understand how the value in the custom field is linked to the column in the report. I have debugged and see the custom field has the value but then it is missing in the result of the report.
Thanks a lot for your help.
KR,
Gonzalo
Hi Nathan,
As you rightly mentioned apart from GRACROLE, roles need to exist in GRACRLCONN table for them to be available for selection on Access Requests.
For Legacy file system type connectors only option to sync roles into repository is by configuring Logical file path, names through tcode FILE and maintaining the logical file path against Connector in AUTH scenario.
I have done this before for demonstration at one of my customer. You would need to setup periodic process for keeping the roles in GRC repository (ARA) / (BRM) synced with Legacy application.
Regards,
Amol
Hi All,
Can anyone please help me in resolving this issue please ?
Regards,
Salman
Hi Salman,
Have you generated new version after changing stage level seting . Also you will have to create new
request to see the changes .
Best Regards,
Aman
Hi Gonzalo,
Can you please additionally check the two documents attached with the SAP note - 1655539.
They have all the required steps.
Hope it helps.
Regards,
Silky Sharma
Thank you Amanjit!
I did generated new version and raised new request but still facing the same issue.
I checked the task setting to "All Approvers" too but still not able to locate the option where it shows "Roles" and approval/rejection on Roles rather than complete request.
Please see the attached screen and help me where I can locate the tab for approve/reject just Role A and Role B.
Appreciate your time.
Regards,
Salman
Hi,
Did you find the root cause for this ? If yes please share, since we do have same issue in SP18.
Regards
Venkat
Hi Gurus,
We have got one GRC DEV/QA system and it is connected to one back end SAP System/client - XYZ client 100
We are having one more client 200 in the system and we want to integrate to GRC CUP and RAR.
SAP GRC version - 5.3
Please let us know if this is feasible.
Thanks,
Jagadish.
Hi All,
I'm trying to migrate the Process Controls Master Data into a QA system using CLM.
I have configured the settings as per the user guide and am able to extract a content group which appears to have the correct records included (c.400 records). When I view the content group on the CLM screens all the records are there!
However, when I try to deploy the content, 0 records are processed (I have unticked test mode).
Also, when I try to Download to Excel, I also get a blank template.
Is there a troubleshooting guide available or has anyone got any ideas about why this might be the case?
Simon
Hi Simon,
Kindly check the SAP notes - 1621571, 1748095, 1707211, 1691003.
Regards,
Silky Sharma
Yes it is possible. There should be an individual connector for each unique system-client. There is a client field when setting up a connector that can be used to distinguish multiple clients of the same system.
You can use logical systems for your ruleset if you would like to have your SoD rules applicable for multiple clients/systems with minimal maintenance.