Channel: Governance, Risk and Compliance (SAP GRC)

SoD Transport Issue - GRC AC 10.0


Recently, I came across a unique issue where I was not able to transport the SoD rule set across clients.

 

While creating the Transport Request as Customizing, the system was throwing an error and asking to create the Transport Request as a Workbench Request instead (I understand you would all be as amazed as I was). It doesn't really require a WB-TR to transport SoD across clients, but just to give it a try I created one (WB-TR); then the system started behaving in a strange way and didn't even allow me to enter the WB-TR.

 

After a couple of tries at the same thing and struggling with it, and in the absence of any supportive solutions on SDN/SCN/Google, I decided to reach out to SAP.

They provided the SAP Note: , but this was applicable to the system version GRCFND_A - SP14 and SAP NW 740 with version 11, and as I was on version 10 I couldn't apply it, so I requested SAP to provide the compatible note, which I got today and which was in fact released as of today: SAP Note 1991730 - Not able to create transport for SoD Rules after upgrading to NW 740 SP04 AC 10.0 (https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361…). So, now I am finally able to rectify the original issue with transporting the SoD rule sets.

 

Thinking this could be new/helpful to others, I am sharing it with you.

 

Cheers,

Ameet Kumar


GRC Request with both System and Role Line Items


GRC 10.0 - GRC Request with both System and Role Line Items

 

The most common question I have come across in this forum is how to handle GRC requests that contain both System and Role line items. Because a system has no owner associated with it, the SYSTEM line item should be routed to a NO STAGE path, while the remaining role line items follow the regular path.

 

 

The end user logs on to GRC and adds both System and Role line items to the request.

 

1. Create a BRF+ Initiator decision table as shown below to route the System line item to the NO STAGE path once the request is raised.

 

 

2. The MSMP configuration should look as shown below.

 

 

 

 

Once the above configuration is done, a request that has both system and role line items is split: the System line item goes to NO_ROLEOWNER_PATH and the roles go to the regular path.

Offline Workflow Process - ASSERTION_FAILED


In the Offline Workflow Process, a generic dump occurs when delivering the PDFs to the recipients. In ST22 you can see the following short dump:




This short dump does not say what the issue is or how to resolve it. Below I have separated the different issues I found behind this generic message and how to resolve each of them:



Possible causes and solutions:

 

Valid E-mail address:

    • The users who receive the work items do not have a valid e-mail address in SU01. The e-mail is not delivered and the number of dumps in ST22 is huge.
    • More information on how to find the recipients or senders without an e-mail address is on the link: http://wiki.scn.sap.com/wiki/x/QwEjFg
    • SOLUTION: All recipients and senders must have a valid e-mail address in SU01.



Risk Management Inactive:

    • If you do not use Risk Management (you have disabled the application in SPRO), you can hit an authorization issue when submitting the PDF to the users (a sub-process assignment, for example). The issue is not visible, so the same message (ASSERTION_FAILED) is returned in ST22.
    • SOLUTION: The following SAP note must be applied -> 1998579 - ASSERTION_FAILED in CL_GRFN_OWP_DELIVER

 

 

GRFN_OWP_SUB_JOB_SENDER is scheduled:

    • The ABAP program GRFN_OWP_SENDER is scheduled with the program name GRFN_OWP_SUB_JOB_SENDER. The program is cancelled because there is no work item to be delivered.
    • The error message is: Failed to load header of work item
    • More information on how to find this error message is on the link: http://wiki.scn.sap.com/wiki/x/mYI5Fg
    • SOLUTION: cancel the background job GRFN_OWP_SUB_JOB_SENDER and leave just GRFN_OWP_SENDER.

 

 

No Physical Content:

    • The error message is: Physical content not found for document
    • It means that the requested file is not available or not found in the client.
    • SOLUTION: Users must check the file name and content in the system.

 

Adobe Services:


Missing Configuration (inbound processes):


    • Missing configuration of the e-mail inbound process. If you missed the configuration of inbound e-mail addresses in SPRO, follow the path below to configure it.
    • SOLUTION: Maintain the settings by following the path:

 

        1. Execute the transaction "SPRO".
        2. Navigate through Governance, Risk and Compliance -> Process Control -> Offline Work Process -> Configure Email Inbound Process.
        3. Insert a row with Communication Type as Internet mail.
        4. Enter a valid Email Address in the recipient address column.
        5. Enter the document class as "*".
        6. Enter the Exit name - "CL_GRFN_OWP_DELIVER".
        7. Enter the call sequence.
        8. Save the settings.


Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.


A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.


These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


This blog defines the contents of the GRC rule set and demonstrates how to download/upload the Access Risk Analysis rule set. Once downloaded, the rule set can be modified in Excel using functions such as CONCATENATE, COUNTIF and VLOOKUP, for example to add rule sets > risks > functions to a new namespace such as "Z_".


SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:


  1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
  2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


The rule set is created during configuration via BC Set activation using t_code SCPR20. This table lists the canned rule sets in SAP Access Control 10.x.

 

BC Set ID                    BC Set description
GRAC_RA_RULESET_COMMON       Rule Set for Common rules
GRAC_RA_RULESET_JDE          BC Set for AC Rules for JDE
GRAC_RA_RULESET_ORACLE       BC Set for AC Rules for ORACLE
GRAC_RA_RULESET_PSOFT        BC Set for AC Rules for PeopleSoft
GRAC_RA_RULESET_SAP_APO      BC Set for AC Rules - SAP APO
GRAC_RA_RULESET_SAP_BASIS    BC Set for AC Rules - SAP BASIS
GRAC_RA_RULESET_SAP_CRM      BC Set for AC Rules for SAP CRM
GRAC_RA_RULESET_SAP_ECCS     BC Set for AC Rules for SAP ECCS
GRAC_RA_RULESET_SAP_HR       BC Set for AC Rules for SAP HR
GRAC_RA_RULESET_SAP_NHR      BC Set for AC Rules for SAP R3 less HR Basis
GRAC_RA_RULESET_SAP_R3       BC Set for AC Rules for SAP R3
GRAC_RA_RULESET_SAP_SRM      BC Set for AC Rules for SAP SRM


 

The only BC set whose activation is mandatory is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both the HR and BASIS rule sets (SAP note 1033326).

 

All BC sets listed above, once activated, are automatically combined into the "Global" rule set.


 

SAP provides download and upload functionality via two (2) transactions:


GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.



 

 

The rule set is exported and imported via nine (9) individual files. The files can be named anything; however, naming each file after its contents is useful for organizational purposes.


 

The following section gives a brief description and the format of each file export, and the NWBC screens associated with the file.

 

 

 

 


Business Process:


Business Process defines the business process, language, and business process description.




NWBC Business Process correlation:




Function:


Function defines the function, language, function description and single or cross system reference.




NWBC Function correlation:




Function Business Process:


Function to Business Process associates functions to business processes.




NWBC Function to Business Process correlation:



Function Actions:


Function to Actions associates functions to t_codes and records whether the function is active or inactive.



NWBC Function to Actions correlation:




Function Permissions:


Function to Permissions associates functions to t_codes, the respective authorization objects, field values, operators and active or inactive status.





NWBC Function to Permissions correlation:



Rule Set:


Rule Set defines the rule set, language and rule set description.




NWBC Rule Set correlation:




Risk:


Risk associates risks to functions and business processes, and defines the priority of the risk, the type of risk, and active vs. non-active status.




NWBC Risk correlation:




Risk Description:


Risk Description defines the risk, language and risk description.




NWBC Risk Description correlation:





Risk Rule Set Relationship:


Risk Rule Set Relationship associates risks to a rule set.




NWBC Risk Rule Set Relationship correlation:




Demo of how to download a rule set in SAP Access Control 10.1:


GRAC_DOWNLOAD_RULES


Downloading the Access Control rule set via GRAC_DOWNLOAD_RULES: choose the format and accept the pop-ups.

 


Demo of how to upload a rule set in SAP Access Control 10.1:


GRAC_UPLOAD_RULES


Uploading the Access Control rule set via GRAC_UPLOAD_RULES: choose the format and accept the pop-ups.

 


I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here, but any concrete examples shown merging rule sets could be viewed as divulging this proprietary information.


That said, the Excel COUNTIF, CONCATENATE and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you're working on merging. Here are some key takeaways for those of you engaged in rule set merging:


Key takeaways for mass modification of rule set:



    1. When downloading the rule set, please note that the function-to-actions and function-to-permissions files depend on the logical group selected. Example: if you select the APO logical group, only the APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS records are contained in the downloaded FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files.
    2. When downloading the rule set, please note that if you select a connector (e.g. ECDCLNT100), the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files will have no data.
    3. Key for the Active and Non-Active status in RISK, FUNCTION_PERMISSIONS and FUNCTION_ACTIONS:

 

                                                   

    Active       0
    Non-Active   1
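As an added illustration (my own code, not from the post or from SAP): the COUNTIF/VLOOKUP comparison described above, done in Python over two downloaded FUNCTION_ACTIONS files, followed by a merge that keeps the customer's status overrides and Z_ records while picking up the new SAP delivery. It assumes a tab-separated export with the columns FUNCTION, ACTION, STATUS in that order and the 0/1 status key above; that column layout, the function IDs and the file contents are all constructed for the example.

```python
import csv
import io

COLUMNS = ("FUNCTION", "ACTION", "STATUS")   # assumed column order of the export
ACTIVE, NON_ACTIVE = "0", "1"                 # status key from the post: 0 active, 1 non-active
CUSTOM_PREFIX = "Z_"                          # customer namespace from the post

# Constructed sample exports (tab separated). The customer copy has FB60 in AP01
# deactivated and carries one customer-owned function, Z_PR01.
SAP_DELIVERED = """\
AP01\tFB01\t0
AP01\tFB60\t0
AP02\tMK01\t0
BS01\tSU01\t0
"""
CUSTOMER_CURRENT = """\
AP01\tFB01\t0
AP01\tFB60\t1
AP02\tMK01\t0
Z_PR01\tME21N\t0
"""


def parse_function_actions(text):
    """Return {(function, action): status} from a FUNCTION_ACTIONS export."""
    records = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row or not row[0].strip():
            continue  # skip blank lines
        if len(row) < len(COLUMNS):
            raise ValueError(f"short row in FUNCTION_ACTIONS export: {row!r}")
        function, action, status = (field.strip() for field in row[:3])
        if status not in (ACTIVE, NON_ACTIVE):
            raise ValueError(f"unknown status {status!r} for {function}/{action}")
        records[(function, action)] = status
    return records


def diff_rule_sets(delivered, current):
    """Classify the records of the two exports (what the COUNTIF/VLOOKUP pass finds):
    added          - new in the SAP delivery, missing from the customer copy
    removed        - SAP-namespace records the customer has but SAP no longer ships
    custom         - customer-namespace (Z_) records, never part of the delivery
    status_changed - present in both but with a different active flag
    """
    only_current = [key for key in current if key not in delivered]
    return {
        "added": sorted(key for key in delivered if key not in current),
        "removed": sorted(k for k in only_current if not k[0].startswith(CUSTOM_PREFIX)),
        "custom": sorted(k for k in only_current if k[0].startswith(CUSTOM_PREFIX)),
        "status_changed": sorted(
            key for key, status in delivered.items()
            if key in current and current[key] != status
        ),
    }


def merge_rule_sets(delivered, current):
    """Merged upload content: every record of the new SAP delivery, with the
    customer's active/non-active override kept where the record already existed,
    plus the customer-namespace records carried over unchanged. Records SAP
    dropped are not carried over; review diff_rule_sets()['removed'] first."""
    merged = dict(delivered)
    for key, status in current.items():
        if key in merged or key[0].startswith(CUSTOM_PREFIX):
            merged[key] = status
    return merged


def to_upload_text(records):
    """Serialize back to the assumed tab-separated layout for the upload file."""
    return "".join(f"{f}\t{a}\t{s}\n" for (f, a), s in sorted(records.items()))


if __name__ == "__main__":
    delivered = parse_function_actions(SAP_DELIVERED)
    current = parse_function_actions(CUSTOMER_CURRENT)
    for category, keys in diff_rule_sets(delivered, current).items():
        print(f"{category:15s}{keys}")
    print(to_upload_text(merge_rule_sets(delivered, current)))
```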



The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.


Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC




Since GRC 5.3 was on the Java stack, customization of the GRC screens was not possible to a great extent. As GRC 10.0 is on the ABAP stack, we have the flexibility to customize NWBC per the client requirement, and you can customize NWBC to provide access that is not delivered through the SAP GRC ABAP roles.

 

“Whatever you want see in NWBC choice is yours to enable it”

 

With this customization of the NWBC launch pad we can do the following:

 

  1. Access all SAP systems
  2. Execute all backend system reports, e.g. SUIM and SE16 reports
  3. Customize the GRC settings (SPRO) from NWBC itself, with no need to log in to ABAP and use the SPRO T-code
  4. Create users and roles, and develop and configure MSMP, using NWBC
  5. BI-related reports and queries, and many more

 

Hence you might not need SAP GUI at all, since we can customize NWBC.

 

The NWBC customization below can be achieved from the web-based NWBC (Internet Explorer). You need to make sure that you have one alias name created for each SAP system (ECC/Portal) in SAP Enterprise Portal (SAP EP) as a portal administrator.

 

Below are a few examples of NWBC customization:

 

  1. Accessing Backend systems
  2. Table Access
  3. MSMP Access
  4. BRF Plus Access
  5. Merging NWBC and SAP Login Screen in internet explorer

 

 

 

Step 1.


Go to SPRO --> Governance, Risk and Compliance --> Configure LaunchPad for Menus




You can see below the launch pad and the GRC (AC, PC and RM) related roles and descriptions. Before customizing, we need to decide in which work center to put the customized menus/links in NWBC. I have chosen the My Home work center in NWBC; for the My Home work center choose the GRACHOME role (see below).

 

Select the GRACHOME role and double-click it or choose the Edit button.




Step 2:

 

Select New Folder to create the main menu in the work center and enter whatever text you need.
Here I have given the text My Company Access (shown in the screen) and the same will show in NWBC as the main menu. The system provides a default icon for our customized menu. Save the screen.


Note: You can change the folder name whenever you wish.


 

Step 3:

 

Choose the newly created folder name (My Company Access) and select the New Application button.

 

Provide the name of the menu/link to be executed from NWBC, e.g. Table Access.

 

Select one Application Category based on your requirement; below are a few of the SAP-provided Application Categories:

 

BEx Analyzer
BI Enterprise Report
BI Query
BI Web Template
Crystal Report
Infoset query
KM Document
Managers Desktop
Transaction
Portal Page
Webdynpro ABAP

 

I have selected the Application Category Transaction; once you select Transaction, the system will request a transaction code. See below:

 

Note: For one application, you can select only one transaction or one application category.

 

As mentioned above, select the System Alias; in this example the System Alias is SAP-GRC-AC or Local.

 


Click on the Advanced Parameters tab.

 

GUI TYPE: This is optional and you can select whichever you need.

 


Step 4

Link to a Repository Application

 

To add existing SAP repository objects to our newly created custom folder, follow the process below:

 

Select My Company Access (the newly created folder) and click Link to a Repository Application; the system will prompt a launch pad window (marked in green) to select an existing role. See the example below, where I have selected GRCIAREPOS.

 

Double-click the role GRCIAREPOS.

 

Once you link your custom folder with the SAP repository application, you can also add SAP standard links to our custom folder.


Once you double-click the role GRCIAREPOS, you can see the screen below:


Drill down the GRC_AccessControl menu, select the relevant role which you want to have in the customized screen and drag it into our custom folder "My Company Access".

 

This option gives us a way to restrict access from NWBC in addition to authorizations.


 

Add a Separator if you wish to differentiate custom objects from SAP objects.

 

Select the folder My Company Access and select the Add Separator button. Now you can move the links/menus and the separator wherever you need.

 


You can see below the NWBC screens with and without customizing.

 

 

NWBC without Customizing



 

NWBC Customizing with custom menus

 


 

Example 1: Access SAP system from NWBC


Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction; in Application parameter provide SESSION_MANAGER.

 


 

Save and execute NWBC. Go to My Home --> click the link SAP Backend system.

 


A new window will open for the SAP backend system; click Start SAP Easy Access. SAP will open in Internet Explorer.

 


 

You can see the SAP screen in Internet Explorer/NWBC.

 


 

Example 2: Accessing SAP Backend Tables & Reports from NWBC

Follow the same steps: Create New Application --> provide the link name Table Access --> select Transaction in Application Category --> provide the T-Code SE16


Save --> refresh NWBC and execute.

 


 

Example 3: Opening MSMP from NWBC

 

Follow the same steps for this example too.


Example 4: Opening the BRF+ application from NWBC


 

If you select the MSMP Configuration link, you will be redirected to the screen below without any Internet Explorer link option.

 

Most important customization: merging NWBC and the SAP screen in Internet Explorer

 

Configuring the SAP screen and NWBC in one page

 

As explained above (already given in Example 1):


Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction, in Application parameter provide SESSION_MANAGER, and the System alias is SAP-GRC-AC.



Go to Advanced Parameters.


In Advanced Parameters select GUI Type: SAP GUI for HTML

Select Initial Screen in the Entries Once Started option

Portal parameter: select INPLACE Inplace



Save and execute in NWBC.

 

Once you refresh NWBC, you can see the link "SAP Backend system".

 


Click the SAP Backend system link and you will find the screen below:

Here you can execute all SAP transactions.

 


Click the Start SAP Easy Access button.


You will see the SAP screen below, similar to the SAP GUI screen.

In this screen everything is the same as in SAP GUI; however, you can also see the NWBC menus. Both the SAP screen and NWBC are merged in the same screen.

 

Even if we do not have SAP GUI, we can log in to the SAP backend system by using this customization. This customizing will be useful for small devices such as smartphones and tablets. Soon we will be able to execute SAP from small devices, depending on accessibility and network (SAP has already launched an Android app for FF ID approval).


Executing SAP transactions from NWBC.

In this example I have executed PFCG; whatever transactions you execute, you can see the NWBC work centers in the same screen.

 


 

Conclusion

 

In this way we can customize NWBC without any ABAP or Java knowledge, and whenever we need, we can design and change the screens without taking much time.

 

SAP has provided the flexibility to customize NWBC based on the client requirement.

A lot of help from my friends


On one of my first projects as the lead architect I needed to prototype GRC. I had supported GRC components before (albeit 5.3 version), attended the GRC300 training course and passed my certification. I was excited: finally a GRC 10.0 implementation. I was at a client and they had a need for it. I had the skill and enthusiasm to see it implemented. The client accepted my business case of lowering user administration and support cost, and I had the confidence to see this project through. Fantastic!! Woo-hoo GRC implementation here I come!!!!!!!!

 

Before I got my hands on the system, the business-process minded part of me had mapped out the strategy and approach. I put pen to paper and drew up my view of the access control processes: who would approve and what would they approve. My design integrated as much of Access Controls as possible.  I found my Internal Controls buddy to assist me in keeping this business orientated: yes I found my first friend. I realised at the beginning, this implementation would not be possible if my team did not include a business stakeholder who could define business requirements and help design what an unacceptable risk to the business is and what the business was prepared to do about it. This friend of mine came from an Audit background (yes, auditors are friends too!) and could provide valuable input on compliance requirements we needed to adhere to.

 

We were able to work together to not only define the process but identify the roles and responsibility (in the form of a RACI model). In doing this, we identified organisational changes which then led me to another group of friends known as the Change Managers.  We have not even got the system built and I am now spending more time with an ex-Auditor/Internal Controls expert and a Change Manager to properly define how the business would use GRC.  The Change Manager then asks ‘Will end users be impacted’? Well, of course they will be as we are trying to automate user access provisioning and we have segregation of duties and risk and so on. My next group of friends became the Trainers. Internal Controls, Change Managers and Trainers oh my! And still no system!

 

It came time to submit the high level design for approval. My awesome pretty crap process designs were too high level. What I thought was three or four business processes were rebuilt by my next friend: The Business Analyst. This friend knew how to model business processes and took my diagrams (really PowerPoint slides) and broke them down to a much lower level. The business analyst identified logical gaps and incorrect assumptions without even knowing what GRC is (that soon changed).  Had this friend not stepped in at the beginning I would have been in a world of pain with the workflow configuration and ultimately resulted in rework, project delay and additional cost.

 

Finally my system was built by my friend Basis. This team became my first-and-best-techy-friend (hey, they always are). Until I started GRC, I had never raised a SAP message incident (I did not even know how to). SAP Marketplace and SCN contained my answers, so it was never necessary. However, the solution to most of the SAP incidents I raised was in the form of a heap of notes and support stacks to apply, and Basis were there for every step of the way. In addition, I had them assist me with appropriate system settings: system parameters; RFC connections; trusted systems; LDAP connections and NWBC. Yes, I could go configure them myself, but if this was an ERP system would a Functional Consultant be allowed to do the same?

 

As I started to prototype the solution and came across the business workflow I learned more about the flexibility and powerfulness of GRC. I was able to configure MSMP (I’m quite a fan of it) but then I realised, it would be great to make friends with the Workflow and ABAP Developers, especially if they have the BRF+ skills and pick their brains. These developers would know how best to configure the workflow rules (do I use a decision table or a case statement?); build new launch pads and customise screen layouts. They would have a great naming convention for custom objects. They would also allow me to sit and help debug to find why I am getting that short dump (i.e. confirm I need to raise a SAP incident).

 

I continued to prototype and refine some of the design as we all discovered what the system would be capable of. It then dawned on me how best to document the configuration and build. I reached out to a new group of friends and they were Functional Consultants who worked on the ERP system. My view was: we might be configuring different systems but we’re both doing configuration via IMG and maybe there is something I can leverage from them (via our Solution Architect).

 

So before I even go to the development system, I became friends with Internal Controls; Change Managers; Trainers; Basis; Workflow and ABAP developers; and Functional Consultants. Most of my friends were included on my project plan so that management knew up front the true effort and people necessary for a GRC implementation to be successful. Management knew that GRC was not a support tool but enabled business process. Internal Controls was my key business representative who had their own set of friends to determine business requirements that I could translate to technical deliverables.

 

My motivation in finding friends was a concern I had: if I relied only on my own skills we may deliver a workable solution but it may not be the most effective and efficient solution. Without calling on all friends here, I might have a solution that works for day one but what happens next year or the year after? What happens when business requirements change? What happens when support stack and enhancement packs are necessary?

 

I’m sure there are more friends. Had I continued on this project I would have met up with Change and Release Managers to migrate changes and thinking through planning for enhancement packs, system refreshes and overall landscape design in conjunction with Basis. Oh, and if you’re wondering why no security - I did not forget them as that was me.

 

My advice – depending on the size of your project you may not need all these friends. Consider them in your planning based on your own strengths and weaknesses. Leverage where you can as it will benefit your solution in the long term.

 

Do you have any recommendations for who’d you make friends with and leverage for a successful GRC implementation?  I would love to hear your thoughts in the comments below.

 

Regards

Colleen

 

P.S. I would like to make a special thank you to Gretchen Lindquist for all your valuable feedback and encouragement to me for this blog.

Challenges during GRC 10.0 Support Pack and NetWeaver upgrade


This document discusses the challenges organizations face when upgrading the Support Pack/NetWeaver version for SAP GRC 10.0. Organizations that upgrade the support pack together with the NetWeaver version for SAP GRC 10.0 might face many challenges at different stages of the project. Here we discuss some of the challenges faced in a real environment while upgrading GRC 10.0 from the existing SP07 to SP13, and SAP NetWeaver from the existing 7.02 to 7.31 SPS 8.

  • Backend Plugin Upgrade
    • If the organization is planning to upgrade GRC 10.0 from an SP level below SP10, it also needs to plan and coordinate the GRC plugin upgrade in the backend systems. GRC is normally connected to most of the systems in an organization for user provisioning, risk analysis, emergency access and so on, and these are at different NW versions and plugin levels.
    • To avoid product compatibility issues, it is suggested to plan the plugin upgrade before the GRC system upgrade.
  • SU25 and Web Dynpro components upgrade
    • It is tough for the Security consultant to understand the effect of the authorization updates in SU25 steps 2a, 2b and 2c on the GRC front end, as they do not provide details of the changed authorization checks for the GRC front-end application.
    • Detailed planning of the testing strategy and scenario testing is suggested, to cover all authorization check changes and role change requirements.

 

  • Mass user locking
    • Normally in ECC, BI and similar systems the total number of users is in the thousands, but in a GRC system the number of users is higher, depending on the number of systems connected to it and how the user data is updated. During the upgrade it is recommended to lock users so that they cannot log in.
    • In general SU10 is used for mass locking, but locking users in lakhs via SU10 is not a suitable approach.

 

  • Agent not found: access requests ending in error or completing without role owner approval
    • Post upgrade, roles whose approvers are not defined in the GRACOWNER table or not defined as owners under "Access Control Owners" in the front end will not be able to have their requests approved. Post upgrade, GRC starts checking for approvers in the GRACOWNER table.
    • Before go-live, update all role approvers as Role Owners in the Access Control Owner list.

 

  • Dumps in the system while clicking a link in an e-mail received from GRC
    • Post NW and SP upgrade for GRC 10.0, users might start getting the ABAP dump below in the system:

               ASSERTION FAILED

               Category           ABAP Programing Error

               Runtime Errors Assertion Failed

               ABAP Program  CL_GRFN_API_IDENT================CP

               Application Component GRC

    • Check whether OSS note 1888486 is applicable to your system to fix the issue.

Create Transportable BRF+ Rules in GRC AC 10.0


Hi GRC,

 

Here I would like to share my experience of creating transportable BRF+ rules in GRC AC 10.0. Please follow with the attached file.

 

 

 

Thanks & Regards,

 

Rajesh Srisailapu


Transport BRF+ application from $Temp package



 

 

 

I am not sure if you have already come across the phase associated with copying a BRF+ application from the $Temp package in order to make it transportable.

 

At the start of my implementation project on GRC V:11 and SAP:04, I had created one BRF+ application and saved it to the $Temp package so as to avoid capturing it in a Transport Request, as I had to do some more configuration with the never-ending requirements. So, when I completed all the configuration, I tried to put it into a TR but couldn't do that, as I had saved it into $Temp, so I got stuck.

 

So, to make the application transportable, follow the steps below:

 

1) Copy the application from the $Temp package to the SAP development package

 

Execute the BRF+ transaction code --> navigate to the application which is saved in the $Temp package

 


2) Right click on the application --> Copy

 


3) On the new screen, enter the new application name (target application name), description and short text.

You need to make sure to uncheck the box "Create Local Application". If you miss this, you would again end up copying the target application into the $Temp package.

 

 


 

If you have created a package specifically for BRF+ then you can enter the package name under "Development package". If not, then you can create one with transaction code SE21 as below:


 

Fill in all the required details and confirm.

 

Now, after entering the development package, enter the software component and make sure to tick the check box "Include contained objects". Click Copy.

 

It will ask you to enter the TR, but you would see the error screen as below:

 


This is due to a bug within GRC V:11 which is resolved after implementing SAP Note 2029700 (http://service.sap.com/sap/support/notes/2029700).

 

 

Thanks to SAP for providing this note; now I am able to copy the application from the $Temp package to the SAP development package to make it transportable.

I thought I would share this experience with SCN community members to help them if they come across this issue.

 

 

Cheers!!

Ameet

 

Approbation by Email and Delegation in GRC 10


There are multiple issues with this solution; in fact, SAP has released a knowledge base article stating that it is not supported, citing security reasons (SAP KBA 1622881 - Approve by E-mail and Reject by E-mail functionality). There are, however, workarounds available.

 

The security issues, mainly, are:

• Validating that the sender really is the current approver or one of the delegate approvers

• The From address of an e-mail can be set freely by whoever sends it (spoofed), which makes that validation even harder

 

However, I did try to implement the process and succeeded in doing so with a few (not recommended) workarounds.

 

My main motivation came from this link where a similar solution is suggested but for SAP Workflow:

http://www.****************/Tutorials/Workflow/offline/Index.htm

 

The BASIS configuration remains the same as described in the link above. The steps are as follows:

1) Create an offline user in SAP (it can be a new user if the approver will forward the mail to approve or reject requests; if the approver replies to the notification it has to be WF-BATCH)

2) Configure the SAPconnect node via transaction SICF

3) Configure and activate the SMTP service via transaction SMICM

4) Configure and set the inbound e-mail exit configuration (transaction SO50)

 

The next few steps also remain the same; only the actual approval processing has to be changed. In step 4, we need to provide a class name that processes the e-mails. In this example, I named the class Z_PROCESS_INBOUND_WORKFLOW. Add the interface IF_INBOUND_EXIT_BCS to the class; you will see two methods added from the interface.

 

Add the code in the methods:

Z_PROCESS_INBOUND_WORKFLOW->IF_INBOUND_EXIT_BCS~CREATE_INSTANCE

Here, we need to create an instance of the class to be used for further processing.
Sample Code below:

  DATA: lo_ref TYPE REF TO z_process_inbound_workflow.

* Create the exit instance (SAPconnect calls this for each inbound mail)
  IF lo_ref IS INITIAL.
    CREATE OBJECT lo_ref.
  ENDIF.

* Return the instance through the interface reference
  ro_ref = lo_ref.

 

Z_PROCESS_INBOUND_WORKFLOW->IF_INBOUND_EXIT_BCS~PROCESS_INBOUND

This method is called automatically to process the message when it is received by the SAP system.

Sample Code Below:

* Declarations for inbound e-mail processing
  DATA: lo_document       TYPE REF TO if_document_bcs,
        l_mail_attr       TYPE bcss_dbpa,
        l_mail_content    TYPE bcss_dbpc,
        lv_reqno          TYPE grac_reqno,
        lv_approve_reject TYPE char1,
        lt_cont_text      TYPE soli_tab,
        ls_cont_text      TYPE soli,
        lo_reply          TYPE REF TO cl_send_request_bcs,
        sender            TYPE REF TO if_sender_bcs,
        sender_addr       TYPE string,
        lv_email          TYPE ad_smtpadr,
        send_request      TYPE REF TO cl_bcs,
        lo_approval       TYPE REF TO z_grac_approbation_by_email.
*--------------------------------------------------------------------*
*- Get a pointer to the reply e-mail object (used for error replies) -*
*--------------------------------------------------------------------*
  TRY.
      lo_reply = io_sreq->reply( ).
    CATCH cx_send_req_bcs.
  ENDTRY.
**** Read the sender address of the inbound mail
  sender = io_sreq->get_sender( ).
  sender_addr = sender->address_string( ).
  lv_email = sender_addr.
  TRANSLATE sender_addr TO UPPER CASE.
**** Only process mails whose sender address ends in our own domain.
**** CP anchors the pattern at the end of the string; a substring check
**** (CS) would also accept 'user@xxx.com.evil.net'. Caveat: the From
**** address is chosen by the sender and is NOT authenticated here, so
**** restrict the SMTP inbound route to your own mail relay and enforce
**** SPF/DKIM there; this check alone does not stop spoofing.
  IF sender_addr CP '*@XXX.COM'.
*--------------------------------------------------------------------*
*- Get e-mail subject -*
*--------------------------------------------------------------------*
    TRY.
        lo_document = io_sreq->get_document( ).
        l_mail_attr = lo_document->get_body_part_attributes( '1' ).
*       The request number is read from a fixed position in the subject;
*       adjust the offset to match your notification subject template
        lv_reqno = l_mail_attr-subject+12(10).
      CATCH cx_document_bcs.
    ENDTRY.
*--------------------------------------------------------------------*
*- Get mail body: first non-empty line must start with APPROVE/REJECT -*
*--------------------------------------------------------------------*
    TRY.
        l_mail_content = lo_document->get_body_part_content( '1' ).
        lt_cont_text = l_mail_content-cont_text.
        DELETE lt_cont_text WHERE line IS INITIAL.
        READ TABLE lt_cont_text INTO ls_cont_text INDEX 1.
        IF sy-subrc EQ 0.
          TRANSLATE ls_cont_text-line TO UPPER CASE.
          IF ls_cont_text-line+0(7) = 'APPROVE'.
            lv_approve_reject = 'A'.
          ELSEIF ls_cont_text-line+0(6) = 'REJECT'.
            lv_approve_reject = 'R'.
          ENDIF.
        ENDIF.
      CATCH cx_document_bcs.
    ENDTRY.

*   Hand over to the approval class only if all three inputs are present;
*   the approver/delegate validation happens inside PROCESS_REQUEST
    IF lv_approve_reject IS NOT INITIAL
      AND lv_reqno IS NOT INITIAL
      AND lv_email IS NOT INITIAL.

      CREATE OBJECT lo_approval
        EXPORTING
          i_reqno          = lv_reqno
          i_email          = lv_email
          i_approve_reject = lv_approve_reject.

      CALL METHOD lo_approval->process_request.

    ENDIF.

  ENDIF.

 

I then created another class, Z_GRAC_APPROBATION_BY_EMAIL, which is called from the method above; it validates approvers by their e-mail addresses, handles the e-mails in case of errors and finally starts the approval processing.

 

First save the values in attributes of this class in the CONSTRUCTOR method.

 

Create a method PROCESS_REQUEST to do the processing.

 

In this method, the steps followed are:

  • First, get the SAP user ID for the e-mail address of the sender
  • Validate, by SAP user ID, that the sender is actually the current approver by checking tables GRFNMWRTINSTWI and GRACREQUSER
  • If not, check whether the sender is a delegate approver; function module SAP_WAPI_SUBSTITUTIONS_GET can be used for this
  • If validated, create a background job using FM JOB_OPEN

 

The reason we need a background job is that SY-UNAME will be either WF-BATCH or the new user created by BASIS in step 1, and that user is not the actual approver. So we create a background job and then change its user ID to the actual approver. Note that this requires the scheduling user to hold authorization object S_BTCH_NAM for the approvers' user names, so the inbound-mail user is in effect granted the right to run jobs as any approver, which is worth weighing against the security concerns in the KBA.

So, after the JOB_OPEN is called:

  • Call FM BP_JOB_READ
  • Change the user ID in Job Head and call FM BP_JOB_MODIFY
  • We will have to create a new Report Program to approve or reject the request (Z_REP_APPROBATION_BY_EMAIL) and SUBMIT the program
  • Call FM JOB_CLOSE
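To make the sender and approver checks above concrete, here is an added example in Python (not part of the original post, and not the ABAP classes it describes) that models the same decisions offline: parse the inbound mail, anchor the domain check on the address part, pull the request number out of the subject, read the first non-empty body line, and only then check that the mapped user is the current approver or a registered substitute. The user/approver/substitute dictionaries are constructed stand-ins for the lookups against GRFNMWRTINSTWI, GRACREQUSER and SAP_WAPI_SUBSTITUTIONS_GET; the domain xxx.com and the 10-digit request number format are assumptions; the sample mails are constructed. It cannot remove the weakness the KBA cites: nothing here authenticates the From header, so the check is only as strong as the SPF/DKIM/DMARC enforcement on the mail relay in front of the SAP SMTP port.

```python
"""Inbound approve/reject mail checks, modelled in Python.

Added example, not the blog's ABAP code. The three dicts below are
constructed stand-ins for the user master, GRFNMWRTINSTWI (current
approver) and SAP_WAPI_SUBSTITUTIONS_GET (delegates).
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "xxx.com"                 # assumption: company mail domain
SUBJECT_RE = re.compile(r"\b(\d{10})\b")   # assumption: 10-digit request no.

EMAIL_TO_USER = {"jane.doe@xxx.com": "JDOE", "bob.smith@xxx.com": "BSMITH"}
REQUEST_APPROVER = {"1000000042": "JDOE"}  # request -> approver with open work item
SUBSTITUTES = {"JDOE": {"BSMITH"}}         # approver -> active substitutes


def sender_in_domain(addr: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """Anchored check on the address part only.

    A substring test ('@xxx.com' in addr, what ABAP 'CS' does) accepts
    'x@xxx.com.evil.net' and display names containing the domain; this
    rejects both. The header itself is still unauthenticated.
    """
    _, address = parseaddr(addr)
    local, sep, host = address.rpartition("@")
    return bool(local) and sep == "@" and host.lower() == domain.lower()


def parse_decision(raw: str):
    """Return (sender, request_no, action) or raise ValueError."""
    msg = message_from_string(raw)
    match = SUBJECT_RE.search(msg.get("Subject", ""))
    if not match:
        raise ValueError("no request number in subject")
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    first = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first.upper().startswith("APPROVE"):
        action = "A"
    elif first.upper().startswith("REJECT"):
        action = "R"
    else:
        raise ValueError("first body line is neither APPROVE nor REJECT")
    return msg.get("From", ""), match.group(1), action


def authorize(sender: str, request_no: str) -> str:
    """Map the sender to a user id and require approver or substitute rights."""
    if not sender_in_domain(sender):
        raise PermissionError("sender outside trusted domain")
    user = EMAIL_TO_USER.get(parseaddr(sender)[1].lower())
    if user is None:
        raise PermissionError("sender has no SAP user")
    approver = REQUEST_APPROVER.get(request_no)
    if approver is None:
        raise PermissionError("no open work item for request")
    if user != approver and user not in SUBSTITUTES.get(approver, set()):
        raise PermissionError("sender is neither approver nor substitute")
    return user


def process_inbound(raw: str):
    """Full pipeline: (user, request_no, action) or ('ERROR', reason)."""
    try:
        sender, request_no, action = parse_decision(raw)
        return authorize(sender, request_no), request_no, action
    except (ValueError, PermissionError) as exc:
        return "ERROR", str(exc)


# Constructed sample mails (CRLF line endings as received over SMTP).
GOOD = (
    "From: Jane Doe <jane.doe@xxx.com>\r\n"
    "Subject: Re: Request 1000000042 awaiting your approval\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "\r\nApprove\r\n-- sent from my phone\r\n"
)
SUBSTITUTE = GOOD.replace("Jane Doe <jane.doe@xxx.com>", "bob.smith@xxx.com") \
                 .replace("Approve", "REJECT please")
LOOKALIKE = GOOD.replace("jane.doe@xxx.com", "jane.doe@xxx.com.evil.net")
DISPLAY_NAME = GOOD.replace("Jane Doe <jane.doe@xxx.com>",
                            '"jane.doe@xxx.com" <mallory@evil.net>')

if __name__ == "__main__":
    for name, mail in (("good", GOOD), ("substitute", SUBSTITUTE),
                       ("lookalike", LOOKALIKE), ("display-name", DISPLAY_NAME)):
        print(f"{name:13s} -> {process_inbound(mail)}")
```

Run it directly to see the four constructed mails decided; the look-alike domain and the display-name trick are the two cases a plain substring check such as `CS '@xxx.COM'` would let through, while the substitute case shows why the delegate lookup has to be part of the decision rather than a domain check alone.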

 

Now, the main logic is in the report program Z_REP_APPROBATION_BY_EMAIL.

I added three selection-screen parameters to accept the request number, the BNAME (SAP user ID) of the approver and a flag identifying approve or reject (A or R).

  • First, fetch the request ID for the request number from table GRACREQ and concatenate 'ACCREQ/' and the request ID together.
  • Next, fetch the work item IDs for the request number from table GRFNMWRTINSTWI.
  • After collecting the data, call the standard methods the GRC system itself uses for the processing. Code snippets are shown below:

* Open the GRC API session and fetch the access request
* (gv_reqid holds 'ACCREQ/<request id>'; data declarations omitted in this snippet)
  go_session  =  cl_grfn_api_session=>open_daily( ).

  TRY .

      go_api ?= go_session->get( gv_reqid ).

      gv_bname = p_bname.

*     Retrieve the request in edit mode for the approver's work items
*     (lv_bool carries the admin-mode flag)
      CALL METHOD go_api->if_grac_api_access_request~retrieve
        EXPORTING
          iv_editable      = abap_true
          it_wi_id         = gt_wi_id
          iv_admin_mode    = lv_bool
          iv_approver_user = gv_bname.

      IF p_aprj EQ 'A'.

*       Build a range with the approver and read the user master data
*       and the systems the user is known in
        ls_user_range-sign = 'I'.
        ls_user_range-option = 'EQ'.
        ls_user_range-low = gv_bname.
        APPEND ls_user_range TO lt_user_range.

        lv_user = gv_bname.

        CALL METHOD cl_grac_user_rep=>retrieve_realtime_user
          EXPORTING
            iv_user          = lv_user
          IMPORTING
            es_real_userinfo = ls_real_userinfo.

        CALL METHOD cl_grac_user_rep=>retrieve_user_systems
          EXPORTING
            it_user      = lt_user_range
*           it_user_name =
*           iv_max_rows  = 1000
          RECEIVING
            rt_user      = lt_user.

*       Field values for the GRC authority checks on the employee and user objects
        ls_val-val1 = ls_real_userinfo-department.
        ls_val-val2 = ls_real_userinfo-location.
        ls_val-val3 = ls_real_userinfo-company.
        ls_val-val4 = ls_real_userinfo-costcenter.
        ls_val1-val1 = ls_real_userinfo-userid.
        ls_val1-val2 = ls_real_userinfo-user_group.
        ls_val1-val3 = ls_real_userinfo-orgunit.

*       The approver must pass both checks with activity CHANGE for at least
*       one of the user's systems; a user with no systems yet is checked
*       with activity CREATE. These checks are the reason the report runs
*       under the approver's user id (see the background job step above).
        IF lt_user IS NOT INITIAL.

          LOOP AT lt_user INTO ls_user.

            ls_val1-val4 = ls_user-connector.

            IF cl_grac_auth_engine=>authority_check(
                  iv_auth_obj   =  graca_c_emp-auth_obj
                  iv_field1     =  graca_c_actvt-actvt
                  iv_value1     =  graca_c_actvt-change
                  iv_field2     = graca_c_emp-dept
                  iv_value2     = ls_val-val1
                  iv_field3     =  graca_c_emp-location
                  iv_value3     =  ls_val-val2
                  iv_field4     =  graca_c_emp-company
                  iv_value4     =  ls_val-val3
                  iv_field5     =  graca_c_emp-cost_centre
                  iv_value5     =  ls_val-val4
              ) EQ abap_true AND
               cl_grac_auth_engine=>authority_check(
                     iv_auth_obj   =  graca_c_user-auth_obj
                     iv_field1     =  graca_c_actvt-actvt
                     iv_value1     =  graca_c_actvt-change
                     iv_field2     = graca_c_user-userid
                     iv_value2     =  ls_val1-val1
                     iv_field3     =  graca_c_user-usergroup
                     iv_value3     =  ls_val1-val2
                     iv_field4     =  graca_c_user-org_unit
                     iv_value4     =  ls_val1-val3
                     iv_field5     = graca_c_user-connector
                     iv_value5     = ls_val1-val4
                 ) EQ abap_true.
              lv_flg = 'X'.
              EXIT.
            ENDIF.
          ENDLOOP.
        ELSE.
*         No systems assigned yet: ls_user is still initial, so the
*         connector field is blank for the CREATE check
          ls_val1-val4 = ls_user-connector.
          IF cl_grac_auth_engine=>authority_check(
                iv_auth_obj   =  graca_c_emp-auth_obj
                iv_field1     =  graca_c_actvt-actvt
                iv_value1     =  graca_c_actvt-create
                iv_field2     = graca_c_emp-dept
                iv_value2     = ls_val-val1
                iv_field3     =  graca_c_emp-location
                iv_value3     =  ls_val-val2
                iv_field4     =  graca_c_emp-company
                iv_value4     =  ls_val-val3
                iv_field5     =  graca_c_emp-cost_centre
                iv_value5     =  ls_val-val4
            ) EQ abap_true AND
             cl_grac_auth_engine=>authority_check(
                   iv_auth_obj   =  graca_c_user-auth_obj
                   iv_field1     =  graca_c_actvt-actvt
                   iv_value1     =  graca_c_actvt-create
                   iv_field2     = graca_c_user-userid
                   iv_value2     =  ls_val1-val1
                   iv_field3     =  graca_c_user-usergroup
                   iv_value3     =  ls_val1-val2
                   iv_field4     =  graca_c_user-org_unit
                   iv_value4     =  ls_val1-val3
                   iv_field5     = graca_c_user-connector
                   iv_value5     = ls_val1-val4
               ) EQ abap_true.
            lv_flg = 'X'.
          ENDIF.
        ENDIF.

*       Authorized: rebuild the request data with every line item set to
*       approved and write it back through the API
        IF lv_flg = 'X'.

          PERFORM f_fill_approving_details CHANGING ls_req_data
                                                    lt_item
                                                    lt_requser
                                                    lt_reqsys.

          lo_api ?= go_session->get( gv_reqid ).

          CALL METHOD lo_api->if_grac_api_access_request~update
            EXPORTING
              is_request_data = ls_req_data
              it_requser      = lt_requser
              it_reqlineitm   = lt_item
              it_reqsys       = lt_reqsys.

          CALL METHOD go_session->save.

        ENDIF.
      ELSEIF p_aprj EQ 'R'.

*       Rejection needs no line item rebuild
        CALL METHOD go_api->if_grac_api_access_request~reject .

        CALL METHOD go_session->save.

      ENDIF.

    CATCH cx_grfn_exception INTO go_grfn_exp.
  ENDTRY.

 

*&---------------------------------------------------------------------*
*&      Form  f_fill_approving_details
*&---------------------------------------------------------------------*
*       text
*----------------------------------------------------------------------*
*      -->LS_REQ_DATA  text
*----------------------------------------------------------------------*
FORM f_fill_approving_details CHANGING   ps_req_data TYPE grac_s_api_req_data
                                        pt_item     TYPE grac_t_api_reqlineitem
                                        pt_requser  TYPE grac_t_api_user_info
                                        pt_reqsys   TYPE grac_t_api_reqsys.

  TYPES: BEGIN OF ty_gracreq,
          req_id          TYPE grfn_guid,
          req_created     TYPE grac_req_created,
          duedate         TYPE grac_duedate,
          reqtype         TYPE grac_reqtype,
          funcarea        TYPE grac_funarea,
          msmp_process_id TYPE grfn_mw_process_id,
        END OF ty_gracreq,

        BEGIN OF ty_gracitem,
          itemnum         TYPE grac_seq,
          connector       TYPE grac_reqsystem,
          prov_item_id    TYPE grfn_guid,
          prov_item_type  TYPE grac_prov_item_type,
          prov_action     TYPE grac_actiontype,
          prov_item_name  TYPE grac_prov_item_name,
          approval_status TYPE grac_approval_status,
          valid_from      TYPE grac_valid_from,
          valid_to        TYPE grac_valid_to,
          prov_type       TYPE grac_prov_type,
        END OF ty_gracitem,

        BEGIN OF ty_systems,
          systems TYPE grfn_connectorid,
        END OF ty_systems.

  DATA: lv_reqid TYPE grfn_guid,
        ls_gracreq TYPE ty_gracreq,
        lt_gracitem TYPE STANDARD TABLE OF ty_gracitem,
        ls_gracitem TYPE ty_gracitem,
        lt_gracuser TYPE STANDARD TABLE OF gracrequser,
        ls_gracuser TYPE gracrequser,
        ls_reqsys   TYPE grac_s_api_reqsys,
        lt_systems  TYPE STANDARD TABLE OF ty_systems,
        ls_systems  TYPE ty_systems,
        ls_requser  TYPE grac_s_api_user_info,
        ls_item     TYPE grac_s_api_reqlineitem.

  lv_reqid = gv_reqid+7.

  SELECT SINGLE  req_id
                 req_created
                 duedate
                 reqtype
                 funcarea
                 msmp_process_id
    FROM gracreq
    INTO ls_gracreq
    WHERE req_id = lv_reqid.
  IF sy-subrc EQ 0.
    ps_req_data-req_id = ls_gracreq-req_id.
    ps_req_data-req_created = ls_gracreq-req_created.
    ps_req_data-req_approved = ls_gracreq-duedate.
    ps_req_data-reqtype = ls_gracreq-reqtype.
    ps_req_data-msmp_process_id = ls_gracreq-msmp_process_id.
    ps_req_data-funcarea = ls_gracreq-funcarea.

    SELECT itemnum
           connector
           prov_item_id
           prov_item_type
           prov_action
           prov_item_name
           approval_status
           valid_from
           valid_to
           prov_type
      FROM gracreqprovitem
      INTO TABLE lt_gracitem
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracitem INTO ls_gracitem.
        ls_item-itemnum   = ls_gracitem-itemnum.
        ls_item-item_name   = ls_gracitem-prov_item_name.
        ls_item-connector   = ls_gracitem-connector.
        ls_item-prov_item_id   = ls_gracitem-prov_item_id.
        ls_item-prov_item_type   = ls_gracitem-prov_item_type.
        ls_item-prov_action   = ls_gracitem-prov_action.
        ls_item-approval_status   = 'AP'.
        ls_item-valid_from   = ls_gracitem-valid_from.
        ls_item-valid_to   = ls_gracitem-valid_to.
        ls_item-prov_type   = ls_gracitem-prov_type.

        APPEND ls_item TO pt_item.
      ENDLOOP.
    ENDIF.

    SELECT * FROM gracrequser
      INTO TABLE lt_gracuser
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracuser INTO ls_gracuser.
        ls_requser-userid = ls_gracuser-userid.
        ls_requser-provuser = ls_gracuser-provuser.
        ls_requser-snc_name = ls_gracuser-snc_name.
        ls_requser-unsec_snc = ls_gracuser-unsec_snc.
        ls_requser-accno = ls_gracuser-accno.
        ls_requser-empposition = ls_gracuser-empposition.
        ls_requser-empjob = ls_gracuser-empjob.
        ls_requser-personnelno = ls_gracuser-personnelno.
        ls_requser-personnelarea = ls_gracuser-personnelarea.
        ls_requser-email = ls_gracuser-email.
        ls_requser-emptype = ls_gracuser-emptype.
        ls_requser-logon_langu = ls_gracuser-logon_langu.
        ls_requser-dec_notation = ls_gracuser-dec_notation.
        ls_requser-date_format = ls_gracuser-date_format.
        ls_requser-time_zone = ls_gracuser-time_zone.
        ls_requser-manager = ls_gracuser-manager.
        APPEND ls_requser TO pt_requser.

      ENDLOOP.
    ENDIF.

    SELECT systems
      FROM gracrequsersys
      INTO TABLE lt_systems
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_systems INTO ls_systems.
        ls_reqsys-systems = ls_systems-systems.
        APPEND ls_reqsys TO pt_reqsys.
      ENDLOOP.
    ENDIF.

  ENDIF.

ENDFORM.                    "f_fill_approving_details

 

Issues, Bugs in GRC SP13 - Related Fixes


Hi All,

 

We are currently on GRC SP13. I can see that a lot of community members are also working on the same SP. There are a lot of issues in GRC SP13. I am just listing the issues with the relevant SAP notes here to make it easier for those who come across the same issues as I did.

 

There are still a lot of issues we are working on, and I will update this blog regularly with our issues and fixes.

 

Access Request (ARQ)


Password Self Service (PSS) - Issues


In Password Self Service (PSS), when the user clicks on "Register Security Questions", the user can add questions using either the admin-defined or the user-defined option.

 

As shown below, "User Defined Questions" has a spelling mistake, where "DEFINED" is spelled as "DEFINDED". This can be fixed with SAP note 1907848 - UAM: Incorrect text for User Defined Questions

 


 

EUP Issues


Below SAP notes are implemented for issues regarding EUP.

 

1897794 - UAM: Request for value not coming from EUP in model user

1842378 - Default roles are getting added though they don’t exist in BE


Role Mapping Issues


Below SAP notes are implemented for issues regarding role mapping.

 

1900076 - UAM: Role mapping not working based on parameter 2015

 

Provisioning Settings Issues


Below SAP notes are implemented for issues regarding provisioning settings.

 

1966404 - UAM: System level provisioning settings not considered correctly

 

Risk Approval Workflow - Issues


In case of risk approval workflows, Title was not coming in header while opening the risk for approval as shown below.

 

Fix the issue using SAP note 1921318 - Risk Approval Screen - Title is not coming in header

 

Business Roles - Issues


Before discussing business role issues, please go through the SAP note below on business roles, which explains the pros and cons of business roles:

 

1981001 - Recommendations: Using business role provisiong in access request

 

Business roles are not supported in GRC with “RETAIN” provisioning action. But in SP13 users are able to submit access requests with business roles having “RETAIN” provisioning action.

 

To fix this please implement the SAP note 1982339 - UAM: End user is able to submit request for business role with retain provisioning action


In the case of business roles that share common technical roles, role de-provisioning does not happen correctly.

 

To fix this, please implement the following SAP notes:


1930923 - UAM: Business role removal is not working correctly in Access Request

1922082 - UAM: Rejected business roles are getting provisioned

1951749 - UAM: Business role not provisioned correctly in language other than English


Role Import - Issues


Role Import in GRC SP13 is not showing all roles in the preview and as well as not importing all roles based on role range.


To fix this issue please implement the SAP note 1897975 - Role import does not show roles in the preview


Firefighter Login - Issues


When a firefighter user logs in with the assigned FF ID, the system produces short dumps.


To fix this issue please implement the SAP note 1800347 - Short Dump on FF Login


Mitigation Control – Issues

 

Create Mitigation control and assign Risk and Approver/ Monitor to that control.

Click on Save/Submit button.

Error comes: "Saving Note Failed"

 

To fix this issue please implement SAP note 1890058 - "Saving note failed" error comes while saving Mitigation Control


Create a mitigation control and assign a risk and an approver/monitor to that control. The AC reports are not displayed in the "Reports" tab of the mitigation control.

The error message "Action is inconsistent with system" is displayed when you add a new AC report to a mitigation control and save/submit.

 

To fix this issue please implement SAP note 1902129 - Unable to save Mitigation control after adding AC Report


Mitigation control assignments which are already deleted are still showing up in GRC system.

 

To fix this issue please implement SAP note 1873361 - Performance issue with GRAC_REPOSITORY_OBJECT_SYNC

 

LDAP Issues


2025895 - UAM: Users not searched from HR/LDAP connectors if real-time search parameter 2050 is YES

 


User Access Review (UAR) - Issues

UAR requests are being generated for expired or locked users even though they are excluded in the filter criteria. Also, UAR requests contain indirectly assigned roles, such as child roles of composite roles.

 

To fix this issue implement below SAP notes

 

GRC System

1970118 - UAM: Expired and locked Users and indirect role assignment are also display in UAR request

1988134 - UAM: Dump on executing UAR job for user group and indirect assignments displayed in UAR request


Synchronization Jobs – Issues


We are facing an issue related to the roles assigned to users in the target system: when roles have been removed from users in the backend, they are still visible in the existing-assignments overview in the GRC system (even after the sync).

 

This results in a provisioning error when a "retain role" request is submitted: the plug-in system then reports that the role is invalid (because it is no longer assigned to the user).

 

Once the roles are removed in the target system, they should not appear again under the existing assignments in GRC.

 

If this happens, the synchronization jobs are not working correctly.

 

To fix this issue implement below SAP notes

 

Target (Plug-In) System

 

1970532 - Audit log gives wrong information about role removal, the validity of the role is not getting changed in the backend systems

 

GRC System

 

1934813 - UAM: Incorrect audit log message for role assignment and provisioning error for multiuser request

 

Missing Notification Variables and Notifications Issues - GRC SP13


Notification variables like Request Reason, Comments, Approver First Name, Approver Last Name and Approver Full Name are missing.

 

To enable these variables please implement below SAP notes.

 

1971842 - Request reason notification variable is not available in Access Request workflow

1917639 - UAM: Adding Comments and approver name variables in Access Request approval mail

 

Symptom:

 

Symptom 1: Validity dates and user id are not shown in the submission notification for the system entry.

Symptom 2: In submission notification, some text available in English and not able to translate in any other language.

Symptom 3: The provisioning variable shows roles whose Allow Auto-provisioning value is No and which have not been provisioned to the user.

Symptom 4: Create an access request to assign roles to an existing user in CUA child system. The closing notification contains wrong message of user creation.

Symptom 5: Notification variable %submission% for EAM/FF access approval does not contain System level information and validity dates information like FF_XXX Superuser access added to the request for action assign.

 

To fix this issue implement below SAP notes

 

1907911 - UAM: Incorrect text in submission & provisioning variable

Are you ready to implement GRC 10?


With the go-live of our Governance, Risk, and Compliance (GRC) version 10 Access Control finally past us (hallelujah!), I have been thinking about the learnings from my previous GRC 10 projects as well as from this one. Last year at SAP TechEd, I hosted an Expert Networking session (discussed in The rest of the story: what else I learned at #SAPTechEd), where the most common response to my question about GRC 10 was that customers were still thinking about it. Maybe you, too, are still thinking about it, working on a roadmap, or planning your project. Even if your project is already underway, here are some readiness questions to consider.

 

What are the pain points of your current GRC related processes?

 

Be sure to get input from your key users. Pain points could include these:

  • Too many manual hand-offs in the access request process
  • User access reviews tedious due to manual processes, and not particularly value added besides
  • User interfaces for access requests confusing to requesters and approvers
  • Confusing/ inconsistent role names making it difficult to know what role to request
  • Roles not well aligned with either tasks or jobs, leading to a need  to make a big security change, such as complete security rewrite or implementation of Business Roles
  • Manual security team processes like maintaining organizational segregation with manual reviews and hit or miss efforts to manage critical sensitive authorizations
  • Confusing/ inadequate information in firefighter logs, so they are not reviewed timely

 

What is your long range plan?

 

If yours will be a brand new GRC implementation, do you have a company policy for Segregation of Duties and critical access rules that can be the basis of your new GRC rule sets, are you planning to start with the rules out of the box, or will you take the time to customize them? If you are on GRC 5.3 (or earlier release), have you been maintaining your ruleset all along with the updates from SAP and custom transactions? A “lift and shift” of your current rules can be fine if they have been maintained; otherwise, it is like bringing dirty, threadbare rugs from your old house into your brand new one. The sooner you get them cleaned up, the better.

 

Have you thought about your long term roadmap and identified which components you plan to implement? Some customers start out by just implementing Access Risk Analysis, to get the system up and running, and then take on Access Requests and more later. With all the shared master data across Access Control and Process Control, decisions you make early on could come back to haunt you later down the road. If you are planning to use your current GRC system as the model for the new one, has all the master data been maintained, or are there obsolete mitigation monitors who have left the organization, mitigations configured for risks that do not exist, and other bad data that will not work in the new, better integrated, system? It can be a real challenge if you have no “golden” client to use to validate the configuration of the new one.

 

Do you have the right resources for your project and enough of them?

 

Colleen Lee wrote an excellent blog about all the friends who helped her on her own GRC projects.

Depending on which components you plan to implement and the architecture, the resources needed for your project could include some who may not have come to mind. Of course you will need security, GRC, and Basis expertise, but you may also need LDAP expertise if your user master data resides there, or HR expertise if you plan to use your SAP HR as the user data source and/or implement HR triggers. But are all your users, including contractors, even in SAP HR? Are you sure? If you plan to use your LDAP, has it been properly maintained, or does it need clean-up before you can rely on the data fetched? For implementing Access Request Management, workflow expertise including MSMP and BRF+ is a must, and if an Identity Management system performs your user creation, count those experts in, too. How will the users access your system: Enterprise Portal, NWBC, something else? Whatever you plan to utilize, be sure to budget for skilled resources on your project team for that, too. If a new rule set is needed, expertise from the business and internal controls will be key.

 

Then there are the ABAP resources. As I mentioned in a comment on Colleen's blog, on my current project we badly underestimated the demands we would make on ABAP resources, needed for implementing the hundreds of corrections into our system. Better to budget for them and not need them than be wishing you had the funds.

 

And about those hundreds of corrections: someone needs to stay on top of those issues. If the people managing the fixes and corrections are also project managers, and also doing system configuration, configuring the workflows, migrating master data from the old GRC system, creating documentation, designing testing and training, and leading the change management effort, well, good luck with that. Yes, two resources can wear 8 or 10 different hats, but your project timeline will need to be adjusted accordingly. If your project management tool tells you that your project's resources are way over-committed, a six-month project could run on with slipped deadlines and missed go-lives, possibly impacting other projects that they were expected to be working on.

 

On top of that, the longer your GRC project drags on, the likelier it is that the systems connected to your GRC will be upgraded. If a connected system goes to a new NetWeaver release, you may have to install new plug-ins and start testing all over again.

 

I hope I have provided some food for thought for anyone considering or planning an implementation of GRC 10. Time spent now in considering these questions will pay off in the long run.

SAPinsider's GRC 2014 in Singapore


Dear all,

 

I am wondering whether any of you will join the SAPinsider GRC conference in Singapore from October 13th to October 15th. As I am travelling to Singapore around that date, I might attend.

 

For more information please visit the homepage: BI 2014, HANA 2014, GRC 2014, and Financials 2014

 

Looking forward to meeting you there.

 

Best regards,

Alessandro

REGISTER NOW - August SAP Fraud Management Partner Workshop


Sign Up Now To Summer Training - Partner Workshop on SAP Fraud Management

August 26-28th, 2014 SAP Campus – Walldorf, Germany

 

 

With the continuing momentum around SAP Fraud Management, we will be offering partners the opportunity to attend another Partner Workshop on SAP Fraud Management in August. It will take place from Tuesday, August 26 to Thursday, August 28, 2014 at the SAP Campus in Walldorf. This workshop is free of charge and for selected partners and SAP employees; however, you will need to cover your own travel costs.

 

Objective of the workshop

This workshop offers deep-dive training into SAP Fraud Management and enables attendees to take customer data and build customer-specific rules with the solution.

 

  • Day 1: Business Overview for Fraud Investigators & Deep Dive Detection
  • Day 2: Programming of Detection Rules & Overview of Predictive Capabilities
  • Day 3: Self-Guided Programming
  • Optional: Day 4: (Self-Guided Programming)

 

 

Note: There may also be an option for attendees to continue their programming on the SAP Fraud Management development system after the workshop until the end of the training week, subject to availability.

 

 

Workshop Pre-requisite & Commitment

 

In order to maximize the value for you please be prepared to:

 

    • Bring a data model and data sample from either a customer or industry, plus a set of rules that can be implemented in the development system during the training.
    • Send a mixture of both technical and functional people (HANA and solid SQL knowledge, together with forensic or fraud knowledge).

 

What should I do now?

Please let us know that you will be attending as soon as possible, as space is limited. To reserve your place, click REGISTER to confirm your registration (first come, first served).

 

For each attendee, please include:

 

      • Name
      • Job Title
      • Full Company Address
      • E-mail Address
      • Contact Phone Number

 

 

 

We look forward to seeing you in Walldorf.

 

 

Gerhard Hafner, Chief Product Owner, HANA Based Applications
Genaro Pena, VP Sales, EMEA

 


Listing and Selling SAP Fraud Management Content in the SAP HANA Marketplace


In the last 9 months, more than 250 consultants from partners attended the Fraud Management Partner Workshops to receive training on how to develop rules for SAP Fraud Management. Since then, many partners have decided to develop content for SAP Fraud Management for such industries as utilities, insurance or banking.

 

For SAP and its customers, this is a perfect match as it complements SAP’s offering with specific domain expertise and helps customers to implement faster and with lower effort, based on predefined content.

 

With the SAP HANA market place, SAP now provides a simple way for partners to list and sell content for SAP Fraud Management. The SAP HANA market place is the one-stop location to learn, try out, and buy SAP HANA applications. After a certification, partners can load any kind of collaterals and can then launch their content via the SAP HANA marketplace.

 

For more details, please contact Narayan Sundareswaran or see the materials on the SAP Fraud Management wiki page.


If I had it to do all over: looking back on GRC 10 projects


If you attended Alan Jackson's performance at the 2013 ASUG/ SAPPHIRE Now Celebration Night, or if you are a fan of his, you might be familiar with his hit ballad "I'd love you all over again."

https://www.youtube.com/watch?v=D0tbfh-Arb8

Now that we have gone live with our Governance, Risk and Compliance (GRC) 10 system, I thought I might look back over several years of such projects to ask myself, if I had it to do all over, which choices would I love all over again.

 

Pilot or big bang?


One choice, to do an Access Control pilot, was the option selected by one of my previous GRC 10 projects. It allowed us to get the system configured, build the Business Roles, and do a pilot of the custom request workflows, in a few short months. The downside to that choice is that everyone else stayed on the 5.3 system, so both systems had to be maintained, and presumably audited, until all the business units were brought onboard the 10.0. It was a trade-off, but they were willing to make that choice.

 

On the other hand, my recent project took the "big bang" approach, bringing all the systems connected to our 5.3 GRC over and going live with everyone at once. The upside was that we were able to shut down our 5.3 system soon after the go-live, reducing the dual maintenance period. The downside was that testing identified many issues, particularly with provisioning to the SAP Portal, many corrections were implemented, one connection never did work and had to be taken out of scope, and it all took much longer than planned. Now, just a few weeks after go-live, we are already living on borrowed time: the APO system was upgraded to a NetWeaver release requiring a plug-in higher than our SP level. Everything is working for now, but sooner or later, another connected system upgrade will force us to upgrade, too.

 

Business roles or technical roles?

 

The GRC 10 project I was on back in early 2012 included implementation of Business Role Management (BRM), and I blogged about that here. BRM was, unfortunately, still pretty buggy back then. I think it was a good choice given their technical role design and their access request process, but waiting for a later support pack might have made it easier.

 

In that client's process, anyone could submit an access request; in contrast, the process at my current organization has access requests submitted by key users trained on SAP security reporting and other tools. In theory, these folks are knowledgeable enough about the business processes at their location for the users they support, and with the tools and training, can make informed role choices. While Business Roles would probably add value to our process, we chose to continue requesting technical roles for now, with some role mapping to ease the process, and to consider implementing BRM later.

 

Another decision is whether to do a security re-write concurrently with, before, or after the GRC project. If you decide to do it concurrently, be sure you have enough resources for the multiple work streams. My first GRC 10 project went that path; in my view, having a small army of experienced internal and external resources was one of the good decisions, along with ensuring good executive support.

 

If your rule set is in good shape, maybe you want to do your security rewrite ahead of the migration to GRC 10, either with a pilot or big bang. If you lean towards a pilot, be certain that your pilot group is onboard with the project approach; trust me, you don't want to be in the position of having the business unit for the pilot getting cold feet midway through the project, leaving you in a tough spot.

 


 

Change management decisions

 

How much of a change is GRC 10? It all depends. If you are implementing Access Request Management, does your current access request process have a lot of manual hand-offs and detours to be automated in the new process? It may delight your users, but they still have to be trained on the new user interface and get used to the automation. On the other hand, if you are just going live with Access Risk Analysis, you probably have a smaller user community to train.

 

The big project I mentioned above included a team of experienced change management consultants, and I think that was a smart choice for such a huge undertaking. My much smaller recent project had excellent internal support for communications and our web page, but we were pretty much on our own for developing and delivering training. We offered live training, step-by-step video recordings, and Quick Reference Cards that were jointly produced. All were well received; however, by business decision the training was not mandatory, so you can probably guess the outcome: the users who took the training are doing pretty well and are happy with the new system, especially the new request templates and more efficient workflows, and those who opted out of training.... Enough said.

 

Now we are working on resolving non-showstopper issues, problems identified during testing that were not urgent enough to risk breaking something else with a possibly buggy correction before go-live. It never really ends, does it?

And what about you? If you are already live on GRC 10, what would you do all over again and what might you do differently? I invite you to share your perspectives.

Transforming Internal Audit Management – Are You Prepared? [INFOGRAPHIC]


SAP recently conducted a survey on transforming internal audit management at the Institute of Internal Auditors International Conference 2014 held at London. The purpose of this survey was to explore the current status, business impact and potential future of technology in transforming internal audit. Around 150 respondents provided their inputs to this survey providing some key insights:

  • 81% consider Integration with Risk and Control management systems and/or the underlying ERM as the key capability needed in the future
  • Only 15% use integrated audit management solutions with analytical capabilities and only 14% say that current audit management/analysis tools meet all/most needs
  • 54% believe that Technology will fundamentally change how audit services are performed and how the value of those services is measured

 

Here is the link to a blog post as well as an infographic depicting the key findings.

Looking ahead to SAP TechEd && d-code 2014


What I like best about SAP TechEd && d-code is the variety of learning experiences available to attendees. SAP Security and GRC professionals might be surprised to learn that there is a good variety of sessions for us if you look for them.

 

My location: definitely Las Vegas. Not that I am a huge fan of Vegas excess, but the ASUG customer-driven content makes that the right choice for me, besides the travel time and expense being much less.

 

My plan: I like to fill my personal agenda with as much security and GRC Access Control content as possible, then fill in the blanks with samplings of other topics. I also plan to attend Demo Jam and do lots of networking. My agenda is still a work in progress, but here are some highlights:

 

ITM113 Overview of Security Features, Functions, and Services in SAP Products. You can't go wrong with a session presented by Gerlinde Zibulski, who leads the Security Product Management team at SAP. This session covers both security *and* GRC Access Control, making it a winner for me.

 

SEC104 Security Notes, System Recommendations, and Business Process Change Analyzer. Speaker Frank Buchholz has been presenting an excellent web cast series for ASUG on topics related to security patching, so I know he is expert on this topic, and I look forward to learning about BPCA.

 

SEC260 Security Control Center by SAP Active Global Support. This session is related to SEC104. We have not yet used the Configuration Validation application at my current organization, so I hope to be able to give it a test drive in this hands-on session.

 

SEC834 Road Map Q&A SAP Product Security, Strategy, Features, and Functions. This road map and Q&A session is a follow up to ITM113, and Gerlinde can be counted on to answer questions with frankness and expertise, so don't miss this session for the real scoop on security, GRC Access Control and more.

 

SEC200 Security in Different SAP HANA Scenarios. I attended speaker Mark Hourani's overview presentation on SAP HANA Security at the ASUG Annual Conference, and I look forward to this more technical dive into it.

 

SEC107 SAP Access Control On Going Management and Lessons Learned. The speaker, my SAP Mentor colleague Greg Capps has been working on GRC 10 Access Control since his organization was in ramp-up, so he already has years of lessons learned to share. This ASUG education session is a don't miss whether you have already implemented GRC Access Control or are still thinking about it.

 

SEC201 Implementing LDAP within SAP Access Control. Greg is also presenting this session, which will give you some ideas for improving your GRC Access Control user experience. We have already implemented LDAP with Access control, but Greg's real-world tips for making our users' experience even better will be worth hearing.

 

SEC203 SAP HANA Security - How Newell Rubbermaid Simplified Security Administration. Speaker Gautam Patel is Newell Rubbermaid's SAP Lead Technical Architect, and his lessons learned and leading practices are sure to be informative.

 

Advice to first-timers: Plan a personal agenda, but don't worry if it has scheduling conflicts. In fact, that can be a good thing: if a session you are attending is not what you expected, you can slip out quietly and head over to your alternate session. If a session is offered twice, put both of them into your agenda. Be sure to visit the Community Clubhouse and the evening events; even if you are not a developer, Demo Jam is great fun. If attending in Las Vegas, be sure to include some ASUG content in your agenda for real world case studies and lessons learned. Try to eat healthy foods and stay hydrated; it is easy to get run down with the hectic schedule and late nights, and you don't want to be so exhausted by Thursday that you miss the Huey Lewis and the News concert. You might spot some people in SAP Mentors shirts, leading networking sessions, assisting in hands-on workshops, and just chatting in the Community Clubhouse; don't be shy, come up and join the conversation. Most of us are SAP customers or partners, dealing with the same challenges at work as you are. We don't necessarily have all the answers but we look forward to meeting you and sharing your TechEd && d-code experience.

Enabling Business Role updates to existing assigned users


Summary

With the availability of defining Business roles within GRC AC 10.0, provisioning initial access to users across multiple landscapes with a single combined role is possible.

 

However, there have been questions raised by many in regards to how you update/synchronise actual technical role assignments embedded within the Business Role assigned to users via GRC.

 

For example: if a new R/3 role has been added to the Business role definition, how do you update the assignment for the 55 users already assigned to the Business role? Raising a new change request via Access Request Management for every assigned user for the same role is impractical, as it creates unnecessary requests (and may agitate the approvers involved).

 

Thankfully, within GRC 10.0/10.1, it is possible to synchronise the technical role assignments via the Role Maintenance screen in NWBC, but it requires a few tweaks within the GRC system.

 

Part 1 Enable the hidden Methodology step “Provisioning”

 

Note - These steps need to be done on both 10.0 and 10.1, as the SAP BC-set delivered Default Methodology is missing the required step definition.

 

1. Go to SPRO and open the following node menu: Governance, Risk and Compliance > Access Control > Role Management > Define Methodology Processes and Steps

     P1.png

2. Click “Define Steps” and then “New Entries”. By default, the BC set delivered methodology steps are missing “Provisioning” from the defined list.

     P2.png

3. Select the action “Provisioning”, mark it as “Active” and enter the phase text “Provisioning”.

     P3.png

4. Save, and confirm any transport request prompt.


5. Under “Define Methodology”, select the methodology to update and then click “Methodology Process Step”

    

6. Ensure the final step “Provisioning” is added to the methodology

    

     p11.PNG


7. The new methodology step should be visible now within the “Role Maintenance” functionality of BRM (on NWBC side)

 

     P6.jpg

 

The button will be enabled when:

  • The Business role has already been provisioned at least once
  • The Business role has changed and technical roles have been added or removed

The button will be disabled when:

  • The Business role has not been provisioned via request yet
  • The Business role has already been provisioned at least once, but there are no users currently assigned (the Business role has since been removed from the users)
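The sync the “Update Assignment” button performs is easiest to reason about as a diff between the Business role definition at its last provisioning and its current definition, applied to every user who still holds the role. The following is an added illustrative model, not SAP's own code or the logic of the GRC background job; the Business role name, technical role names and users are constructed, and the `other_required` field is an assumption I added so that a technical role a user still needs through another Business role is not stripped during the sync.

```python
"""Illustrative model (added example, not SAP code) of the synchronisation a
Business role update triggers for users already assigned the role, and of the
conditions under which the "Update Assignment" button is available.
All role and user data below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class BusinessRole:
    name: str
    technical_roles: Set[str]                     # current definition in BRM
    provisioned_once: bool = False                # provisioned via a request at least once?
    last_provisioned: Set[str] = field(default_factory=set)  # definition at last provisioning


@dataclass
class User:
    name: str
    backend_roles: Set[str]                       # technical roles currently on the backend
    # Assumption: technical roles the user still needs via *another* Business role.
    other_required: Set[str] = field(default_factory=set)


def update_button_enabled(role: BusinessRole, assigned_users: List[User]) -> bool:
    """Mirrors the enabled/disabled conditions listed in the post."""
    if not role.provisioned_once:
        return False                               # never provisioned via a request yet
    if not assigned_users:
        return False                               # provisioned before, but nobody holds it now
    return role.technical_roles != role.last_provisioned   # technical roles added or removed


def plan_sync(role: BusinessRole, assigned_users: List[User]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per user: (technical roles to add, technical roles to remove)."""
    added = role.technical_roles - role.last_provisioned
    removed = role.last_provisioned - role.technical_roles
    plan: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for user in assigned_users:
        to_add = added - user.backend_roles
        # Never strip a role the user still needs through another Business role.
        to_remove = (removed & user.backend_roles) - user.other_required
        if to_add or to_remove:
            plan[user.name] = (to_add, to_remove)
    return plan


def apply_sync(role: BusinessRole, assigned_users: List[User]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Apply the plan to the (simulated) backend and record the new baseline."""
    plan = plan_sync(role, assigned_users)
    for user in assigned_users:
        to_add, to_remove = plan.get(user.name, (set(), set()))
        user.backend_roles |= to_add
        user.backend_roles -= to_remove
    role.last_provisioned = set(role.technical_roles)
    return plan


def demo():
    # Constructed scenario: Z_FI_PARK was replaced by Z_FI_POST in the definition.
    role = BusinessRole("BR_FINANCE_CLERK", {"Z_FI_DISPLAY", "Z_FI_POST"},
                        provisioned_once=True,
                        last_provisioned={"Z_FI_DISPLAY", "Z_FI_PARK"})
    users = [
        User("u1", {"Z_FI_DISPLAY", "Z_FI_PARK"}),
        User("u2", {"Z_FI_DISPLAY", "Z_FI_PARK", "Z_MM_DISPLAY"}),
        User("u3", {"Z_FI_DISPLAY", "Z_FI_PARK"}, other_required={"Z_FI_PARK"}),
    ]
    enabled_before = update_button_enabled(role, users)
    plan = apply_sync(role, users)
    enabled_after = update_button_enabled(role, users)
    return enabled_before, plan, enabled_after, users, role


if __name__ == "__main__":
    before, plan, after, users, _ = demo()
    print("button enabled before sync:", before)
    for name, (add, remove) in plan.items():
        print(f"{name}: add {sorted(add)} remove {sorted(remove)}")
    print("button enabled after sync:", after)
```

The point to check in a real sync is the removal side: u3 keeps Z_FI_PARK because another Business role still requires it, and after the sync the button goes back to disabled because the definition and the last-provisioned baseline agree again.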

 

 

Part 2 Updating Cluster class

 

A runtime error has been observed within GRC AC 10.0 (not 10.1, as the cluster class seems to have been delivered correctly there) when clicking the “Update Assignment” button. The error appears as follows: Parameter has invalid value: Parameter SYST_DATE/SYST_TIME has invalid value 00000000/000000.

 

The cause of the issue is that the correct configuration for the provisioning background job is missing in the view cluster GRFNVC_PLUSG.

To fix this, implement the steps provided in SAP note 1837416 (described below)

 

1. Go to transaction code SE54

 

2. Click on the button “Edit view Cluster”, followed by “Test”

     P7.png

3. Enter the Table/view “GRFNVC_PLUSG” and click "Test"

     P8.png

4. Select the node “Plan Activity for Access Management” under the Dialog Structure

     P9.png

5. Select Plan Usage GRAC_BRLP and double click on it.


6. Enter the correct ABAP class as "CL_GRAC_ERM_BROLE_BG". (This value may have been set up/delivered incorrectly before, hence the error).

     p10.png


NOTE: If the entry “GRAC_BRLP” does not exist, you can create it as per SAP note 1837416

    1. Click on New Entries
    2. Enter the following fields and save:

     Plan Usage: GRAC_BRLP

     Activity Name: Access Control Business Role Provisioning Background Job

     App-component: GRC-AC.

     ABAP class: CL_GRAC_ERM_BROLE_BG (SAP note 1837416 mentions CL_GRAC_BROLE_BG, but this does not work)

 

With this fix, you should now be able to successfully maintain and provision Business role updates to all users via the Role Maintenance screen.

Maintenance of Critical Risks at Critical Permission level


Risks:


Risks are the core objects that identify the potential access issues which your enterprise may encounter. The elements that make up a risk are its attributes. Risk management uses the attribute descriptions to generate rules. Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately by mitigation or remediation to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

 

Critical Permission Risk:


Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. You can use this feature if the permission has been enabled but has no actions. This risk can have only one function.

 

The SAP delivered SoD rule set doesn't contain any Critical Risk ID specific to critical actions or critical permissions. So, if you run the access risk violation reports at user or role level and select any analysis option other than Critical Permission level (Action level, Permission level, Critical action level, etc.), you will see the risk reports expected from the selected rule sets. But once you select only Critical Permission level, you won't see any violations. The reason is that the SAP standard SoD rule set doesn't contain any critical risk ID at either action or permission level.

 

So, in order to customize the rule set and to create Critical risk at permission level, first we need to create a Function ID which would contain the permission (authorization object) and no action (transaction code) in it.

 

// Version of GRC used: GRC AC 10.1 and SP 06 //

 

Go to create Functions as per the path defined below and don't add any action in this function.

snap1.png

 

Now, we will go to Permission tab to enter the required permission to be treated as Critical Permission.

 

snap2.png

 

Now, this Function ID (CF01) has to be added to a new Risk ID (CR02), map this risk ID with the Rule set and assign the risk owner as below:

 

snap3new.png

 

Then generate this newly created Risk ID, either via NWBC or via SPRO (IMG --> GRC --> Access control --> Access risk analysis --> SoD rules --> Generate SoD rules; enter the newly created Risk ID and execute).

 

 

snap5.png

 

We would see the risk violations at critical permission as below:

snap6.png
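To make the behaviour described above concrete, here is an added illustrative model of how a risk analysis selects risks by analysis level, and why a critical-permission run over the standard rule set returns nothing until a permission-only function and risk (CF01/CR02 in the post) are added. This is example code written for this page, not SAP's rule engine or the real SoD rule set; the functions ZF_*, risks ZS01/ZC01, the authorization object Z_CRITICAL_OBJECT, the transaction codes and the users are all constructed, and the matching rule (a function is held if the user has any of its actions, or, for a function with no actions, any of its permissions) is a deliberate simplification.

```python
"""Illustrative model (added example, not SAP code) of SoD, critical-action and
critical-permission risks under the different analysis levels.
All rule-set and user data below is constructed for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Tuple


class Level(Enum):
    SOD = "SoD"
    CRITICAL_ACTION = "Critical Action"
    CRITICAL_PERMISSION = "Critical Permission"


@dataclass(frozen=True)
class Function:
    id: str
    actions: FrozenSet[str]        # transaction codes
    permissions: FrozenSet[str]    # authorization objects


@dataclass(frozen=True)
class Risk:
    id: str
    rule_set: str
    functions: Tuple[Function, ...]


def classify(risk: Risk) -> Level:
    """Two or more conflicting functions -> SoD risk. A single function is a
    critical-action risk if it lists actions, a critical-permission risk if
    it lists only permissions (the case built in the post)."""
    if len(risk.functions) >= 2:
        return Level.SOD
    return Level.CRITICAL_ACTION if risk.functions[0].actions else Level.CRITICAL_PERMISSION


def holds(function: Function, actions: Set[str], permissions: Set[str]) -> bool:
    """Simplified match: any listed action, or any listed permission when the
    function has no actions at all."""
    if function.actions:
        return bool(function.actions & actions)
    return bool(function.permissions & permissions)


def analyze(user_access: Dict[str, Tuple[Set[str], Set[str]]],
            risks: List[Risk], level: Level) -> List[Tuple[str, str]]:
    """Return (user, risk id) pairs violated at the requested analysis level."""
    violations = []
    for user, (actions, permissions) in user_access.items():
        for risk in risks:
            if classify(risk) != level:
                continue
            if all(holds(f, actions, permissions) for f in risk.functions):
                violations.append((user, risk.id))
    return sorted(violations)


# Constructed stand-in for the delivered rule set: SoD and critical-action risks only.
F_CREATE = Function("ZF_CREATE", frozenset({"ZTC_CREATE"}), frozenset({"Z_OBJ_CREATE"}))
F_APPROVE = Function("ZF_APPROVE", frozenset({"ZTC_APPROVE"}), frozenset({"Z_OBJ_APPROVE"}))
F_ADMIN = Function("ZF_ADMIN", frozenset({"ZTC_ADMIN"}), frozenset({"Z_OBJ_ADMIN"}))
STANDARD_RULES = [
    Risk("ZS01", "GLOBAL", (F_CREATE, F_APPROVE)),   # SoD: create + approve
    Risk("ZC01", "GLOBAL", (F_ADMIN,)),               # critical action
]

# The function and risk the post builds: a permission with no action.
CF01 = Function("CF01", frozenset(), frozenset({"Z_CRITICAL_OBJECT"}))
CR02 = Risk("CR02", "GLOBAL", (CF01,))

# Constructed user access: (transaction codes, authorization objects)
USERS = {
    "alice": ({"ZTC_CREATE", "ZTC_APPROVE"},
              {"Z_OBJ_CREATE", "Z_OBJ_APPROVE", "Z_CRITICAL_OBJECT"}),
    "bob": ({"ZTC_ADMIN"}, {"Z_OBJ_ADMIN"}),
    "carol": (set(), {"Z_CRITICAL_OBJECT"}),   # holds the object with no transaction at all
}


def critical_permission_before_and_after():
    before = analyze(USERS, STANDARD_RULES, Level.CRITICAL_PERMISSION)
    after = analyze(USERS, STANDARD_RULES + [CR02], Level.CRITICAL_PERMISSION)
    return before, after


if __name__ == "__main__":
    before, after = critical_permission_before_and_after()
    print("critical permission, standard rules:", before)
    print("critical permission, with CR02:", after)
```

Note that carol is reported even though she has no transaction code at all; that is exactly the gap a critical-permission risk closes and that action-level analysis misses.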

 

Your inputs/suggestions are always welcome.

 

Courtesy & Regards,

Ameet Kumar & Fernando Bassuino
