Total Pageviews

Thursday, 22 January 2015

GRC 10.1/10 - Configure LDAP Connector

This section will provide you detailed steps to configure LDAP connector, its Data Source and End User Verification.

Create LDAP Connector

Go to transaction SM59 and create a connector for LDAP by selecting connection type TCIP/IP.
 

Maintain also the Gateway Host and Gateway Server in this tab. When you successfully started the connector in the next step do a Unicode test (Utilities -> Test -> Unicode Test) and according to it's result set the Unicode flag.

LDAP Transaction Setup

Click on LDAP Connector button and enter following details. Click on Activate Button to activate the LDAP Connector.
Please note CONNECTOR NAME is same as RFC Program ID and APPLICATION SERVER will be the GRC server hostname with SID and Instance number (this can
be selected by pressing F4 in Application Server field)

Configure LDAP Server Setup using following values


.
Use Transaction LDAPMAP and go to change mode and press F6 (Proposal) to get default mapping.
IMG5
Go to SPRO transaction and GRC node

And define a connector for LDAP

and a logical group for ALL LDAP connectors:

Assign all LDAP connectors to this connection group

Assign the LDAP connection to all the scenarios: At least AUTH and PROV:


Assign the adaptor LDAP implementation class for both AUTH and PROV scenarios

Now maintain the Mappings of LDAP attributes:
Go to IMG node

First add LDAP connection group with app type as LDAP and active

Now assign the default connector for Provisioning and Authorization for that connection group:

Now maintain the group field mapping for PROV and AUTH actions one by one:
PROV Action Mapping:

AUTH Action Mapping:


NOTE: Please make sure field mapping is in upper case
And also maintain the group parameter mapping for PROV and AUTH actions one by one:
PROV Action Mapping:

AUTH Action Mapping:

Now maintain connector settings:


Assign Attribute to LDAP connection:

Group path can also be maintained here with GROUP PATH parameter
Maintain search data source:

Add the LDAP connector and sequence as search data source

Setting LDAP user search as realtime:
Under SPRO go to Maintain Configuration Settings as shown below:

Set the realtime LDAP search parameter to YES

NOTE: If LDAP realtime search is kept to YES then multiple user search data source will only search in LDAP systems only.
Setting LDAP as end user authentication system:

Set the setting “End User Verification” required to YES/NO

 

Sunday, 18 January 2015

GRC 10.1 Issues and relevant OSS Notes

There are lot of issues in GRC 10.1 SP05 which we came across. I am just updating the issues with relevant SAP notes here just to make it easy for the guys who come across these issues just like mine.

 
NOTE: There can be few SAP notes which SAP might have released specific to us, but if the issue is relevant in your system you can request the same from SAP
101 Blog.png

Access Request Module (ARQ)


Issue 1
Work Inbox – Simplified Not Working
When launching the Work Inbox - Simplified from IE8, it generate the following error messages and it will only display the "Work Inbox" header but the rest of the body are blank.
The following are the error messages:

1. Error
 


2. ExceptionTypeError: Access is denied.


Replicate the Scenario using below steps
  1. From GRC, execute Tcode NWBC. It will launch IE8 to display Business Client for HTML.
  2. From the Work Inbox section click on Work Inbox - Simplified link. It will launch another IE8 browser for Work Inbox.
 
Related SAP Note for fix
UI5 libraries which were used for Simplified Access Request have recommendations for IE9 and above, hence it don’t work properly in IE8, so customers using this functionality should upgrade to IE9 and above.
1974672 - Keyword Search in simplified access request/ Approver in Box not opening


Issue 2
We are getting the error "Text 265 Not Found" every time we click the "View Provisioning Logs".
In ST22, it shows some ABAP dump. I have attached the ABAP dump for your analysis.
  
Steps for Reconstruction 
NWBC->My Home->My Profile->Request Status-> Select a Request -> click on View Provisioning Logs


Related fix
You have missed some Text elements in your system due to which this error is being thrown. For the resolution of this issue, kindly follow the steps mentioned below:


a. Go to Transaction SE24.
b. Enter CL_GRAC_UIBB_ACCESS_REQ_ASSIST and click on display.
c. Click on Goto and select Text elements.
d. Click on edit icon (Ctrl+F1).
e. Enter '265' in Sym and 'Request Key' in Text field.
f. Save and Activate.
 
Issue 3
This is more of a query. We are trying to configure the system that it automatically perform the risk analysis while submitting an access request. We have configure this and this with config parameter 1071. We found that this functionality is running risk analysis only for one type of risks (Action level, Permission, Critical Action or Critical Permission) based on config parameter 1023, which means it shows incomplete risk analysis results. We want to configure it to run risk analysis for all type of risks.


Related Solution
In that case, you can either remove 1023 parameter from Configuration Parameter list (as mentioned in SAP Note 1733984).
OR
You can maintain multiple values under 1023 parameter (as mentioned in SAP Note 1776542).
This would resolve the issue.


Issue 4
The ABAP program GRAC_REPOSITORY_OBJECT_SYNC didn’t sync the data properly of an EP Connector (X PORTAL). It only properly sync the roles but it didn’t sync the users properly.
It work for other EP Connector (Y PORTAL). They belong to the same connector group (PORTAL_GRP).
The X_PORTAL is a SAP NW 7.4 Portal while Y PORTAL is an SAP NW 7.0 Portal.
We have configured our EP Connector using the instruction in SAP Note 1977781 - GRC 10.1 Enterprise Portal Configuration
We have also applied the instruction in SAP Note 1647157 - How to Setup Access to the SPML Service on AS Java


Replicate the Scenario using below steps
Tcode SE38
Program Name: GRAC_REPOSITORY_OBJECT_SYNC
Select Profile, Role, User and Role Search check box.
Connector: <Portal Connector>
Run it in foreground.


Related fix
1889792 - UAM: Portal sync results in time out/ Portal Object not getting synched
2008685 - Portal sync in GRC 10.0 is not working
1940769 - Timeout problem in GRAC_REP_OBJ_SYNC


Issue 5
We are always getting ABAP dump every time we run the program GRAC_REPOSITORY_OBJECT_SYNC.
We are consistently getting the error 'SQL error "SQL code: 3135" occurred while accessing table "GRACRLCONN"


Related fix
Jobs are terminated because of the huge Database space Usage and that’s why it is giving dump. So we advised you to schedule a job by selecting option which is really required. If the requirement is related to user only then you should select only user option rest you can uncheck. In this way, you can execute parallel jobs as much as you can. But if you really want to schedule a batch job with all the options then you should schedule one at a time. This is not the application issue it’s all because database usage.
This is a known limitation of any database that can't handle big SQL statements and you can experiment the same issue when you select the data for a particular table in standard ABAP transaction SE11/SE16.

Ex:  Table USR02 and you can put high volume of users into the selection criteria and you will see the same issue.
You may also check Note - 1847034 - Runtime error for very large OpenSQL statements, for additional details.


Issue 6
Currently the GRC system allows all kinds of file types to be attached in the GRC system (Eg. on the BRM and ARQ screens). These file types includes .html or .exe which could contain malicious scripts. If the system is able to prevent certain file types from being uploaded, then the risk is minimized.
Please refer to SAP note 1232736 for the same functionality in SAP GRC Access Control 5.3.
Since it was there in 5.3 our customer is expecting the same in latest version as well


Related fix
Please implement note 2058231 (manual and automatic corrections) in your system. After implementing this note you will have to implement a BADI as shown in the document attached to the note. Then you can maintain configuration parameter 2401 in IMG for the allowed types of files.


Issue 7
We have enabled mitigation control assignment workflow based on the client’s requirement. Workflow is configured to have first level of approver by supervisor who will perform risk analysis and mitigate the risk at this stage.
Based on the GRC 10.1 behavior we have noted below shortfalls:
  1. On request level, access request approver in this case supervisor does not get confirmation on the mitigation control approval submission. There is a submit button and after clicking that the request does not show the mitigation control workflow number.
  2. Mitigation Control assignment number does not match with the access request number and hence the mitigation control approver have no idea about which access request is this approval for. This is major short fall for client which are expected to have high volume of mitigation control assignments.
 
Related SAP Suggestion
Request number of Control Assignment workflow is generated separately and it would be considered as a separate workflow. Normal Access Request workflow has different request number and flow and control assignment workflow has different request number and flow. These cannot be merged.
However, as far as the linkage is concerned, you can submit this idea on SAP Idea Place and let our Product Management team consider based upon the feedback/voting from the globe or if possible.


Issue 8
We have configured stage level approval and rejection level to "Request" which mean the approver on the stage allowed to approve the whole request or reject whole request. In the above configuration we should not be shown approve and reject button at line item level near user access tab. We have observed that approve and Reject button are still visible and they are non-functional.


Related SAP Fix
2057413 - UAM: Approve/Reject button at Line Item Level not working according to stage level setting
Fix for visibility of reject button under other options after fixing the issue of APPROVE/REJECT buttons at Line Item Level
2066115 - UAM: Reject option not displayed while request approval


Issue 9
For Screens like Model User, Existing Assignment and My Profile there was not feature to filter the records in the upper table


Related SAP Fix
1984995 - Missing Filter for Model User, Existing Assignment and My Profile


Issue 10
We want to achieve that user can only select role from his business process in access request.
The business process field is getting populated from LDAP. We have configured the role selection that business process field is mandatory and non-editable in role selection screen. This works fine that user can only select role from his business process.
We noticed that user cannot edit the auto populated business process field but he can add another business process field on role selection screen and the role search works as 'OR' between both of the business process. This means user can select the roles from both business processes. This system behavior defeats the purpose of having a field as mandatory and Non-Editable in role search. This is a product bug.


Related SAP Fix
2068938   UAM: Duplicate actions shown in the ACTION OVS in access request role search and role search restriction not working in access request


Issue 11
There is no authorization control available to control user as such that they can administer their own jobs. The users should not be allowed to view, delete the result of background job scheduled by other users.
We have run the trace for the back ground jobs and found it doesn't check any authorization object so we can control. This is very basic behavior which should be implemented.
No authorization control for the user to view and adminster his own’s job
The role only has object GRAC_BGJOB with 70. The users will need to adminster their own job and not others job.


Based on the trace enabled only GRAC_BGJOB
User able to delete and administer all jobs in GRC system

Related SAP Fix
Need to put this in GRC Ideas place

Issue 12
We are facing an issue while searching for users from LDAP. If we type a user ID and press ENTER then User details are populated correctly from LDAP. However if we click on button to search user from pop-up screen then system doesn't shows any search result from LDAP.
This was working fine before we implemented a SAP Note 1982896. This functionality is broken by this note.

Related SAP Fix
Kindly implement the note 2025895 after implementing the note 1982896 to resolve the issue
1982896 - UAM: Fuzzy Search is not working on User ID and copy request is not copying line items.
2025895 - UAM: Users not searched from HR/LDAP connectors if Realtime search parameter 2050 is YES

Issue 13
We are facing issue while downloading the default role template to upload default roles. Once we click on default role template button there is no action from system.


Related SAP Fix
2044932 - FPM Search GUIBB: dump or empty screen
2018804 - UAM: Dump in default roles while clicking the Import from file button
2067320 - Default role file import does not support connector group with space


Issue 14
We noticed that in unlock account users are able to add role via existing account option. This should be not allowed. We have given only existing "Unlock Account" action to the unlock request type. This is a bug in system functionality.


Related SAP Fix
2101596 - UAM: In Existing assignment, systems are selectable though request doesn't have any system action.
2048988 - System are selectable in existing assignments for Assign ob


Remarks
After applying the above notes everything was working fine and then we found out that Business roles are being added from existing assignments when creating unlock account request. Waiting for update from SAP for this issue

Issue 15
We have mapped the business role as default role in our configuration with other single and composite roles. If a user submit the request and this request fulfills the default role criteria, however only single and composite roles are auto populated in request. The configured business roles are not populated in request.
We have already implemented SAP Note “2030797 - Default role is not getting populated in Access Request in case of Business Role”


Related SAP Fix
2077121 - UAM: Business Role as default role is not working for Request level


Issue 16
We are using this GRC End User Login services for all new users to request access to the SAP system. The new users have an LDAP account. We are using SiteMinder to authenticate the user to its LDAP before calling the SAP Webdynpro application. We have enabled the parameter SAP SSO parameter login/accept_sso2_ticket=1 to accept an SSO ticket.
We are having problem on the GRC End User Logon services (Webdynpro application grac_uibb_end_user_login) to authenticate from SiteMinder. The Webdynpro application doesn’t recognize that the user have already been authenticated by SiteMinder. It still show the screen asking for UserId and password.
Is there a configuration that we need to do for the Webdynpro application to authenticate to it?


Related SAP Suggestion
SiteMinder validation is not supported in GRC End user login. Kindly refer the note 1575897 and create an enhancement request in the Idea Place
1575897 - Logging Enhancement Request - Business Objects Access Control


Issue 17
While raising the access request the user selects business role and its validity date for business role is not set automatically. Valid to date is cleared in case of Business Roles. Business Roles doesn’t have validity date.


Related SAP Fix
2095046 - UAM: Business Role Valid to date is blank


Issue 18
We noticed that the drop downs on access request page are not sorted based on description. For Example while selecting the roles the dropdown for Functional Area, Business Process, and Company. These drop downs are not sorted based on the description. These are sorted based on ID which is not visible to the user in drop down. This causes a confusion to the user as they need to browse through the whole list which may go up to 100 line items.


Related SAP Fix
2061817 - UAM: Access Request field values are not sorted with short description


Issue 19
We have configured our LDAP server as a user data source. Our LDAP server has 2 fields (Mail, Mid Mail) which stores the Email ID. System is able to pull the mail information correctly if it is available in any of these fields.
The issue happens when we try to search for users by using Email ID. The search with email ID doesn't work. It simply doesn't return the result.


Related SAP Fix
2102827 - Search LDAP User Using ID and Email Address


Issue 21
We have created an ABAP Webdynpro iView for the GRC application grac_oif_request_approval. This is to ensure that the link will use SSO automatically when clicked inside an email. Everything is working fine except when the user start clicking any link inside the ABAP Webdynpro application. All of the sudden, the link being generated is using a Portal NavigationTarget instead of the usual link generated when launch from SAP ABAP ICM. Because it generated a different link, it doesn't call the correct ABAP service to display the content.
May we know how to force the Portal to use the link generated will follow the link when it is being launch from SAP ABAP ICM.


Related SAP Fix
Waiting for SAP to help with this issue



Issue 22
Every time the user is creating an access request to lock a user in Portal, the following message are generated in the access request log:
Could not update user Attribute "lockreason" on namespace "com.sap.security.core.usermanagement" of principal "UACC.R3.DATASOURCE.S8".
Object class name does not exist in IDM.
By the way, our Portal UME is using a Backend SAP ABAP.



Related SAP Fix
Waiting for SAP to help with this issue


Issue 23
The default role upload is not working if we include business roles as part of default role. It checks for the system of the role however the system is not applicable in case of business role. This is causing the issue.
We compared the behavior by leaving the system field blank and found that in back-end it stores as "ALL SYSTEM", however if set the business role manually(Without upload) it stores as "BUSINESS_ROLE". Could you check this functionality and provide a fix for us.


Related SAP Fix
2084889 - Default role file import is not working for business role


Issue 24
We noticed that if an Approver (A) delegate his rights to another approver (B). The approver (B) gets the request in their work inbox however they don't get the notification. This cause that delegated approver (B) will not be aware of any new access request routed for his approval.


Related SAP Fix
1589130 - GRC AC 10.0 - MSMP Notification Override BADi - Enabling
1734548 - Delegated Approver is not receiving the Email
2028411 - Workflow delegation BADI not executed during delegation in Access Controls
 
Business Role Management (BRM)


Issue 1
When risk analysis is performed at the Critical permission level for certain roles with inactive Authorization objects through BRM, the risk is flagged by the system. However, this behavior is not consistent for all roles. In some cases, the roles with the same inactive authorization objects are not flagged.


Related SAP Fix
2036645 - Role Risk Analysis shows inactive authorization objects


Issue 2
We found that Role Search while creating an access request is not correct. The search result is impacted by parameter max no. of result row. It seems system is considering the parameter
"Max no. of result row" to look into the list of role.
For example:
If this parameter is set to 100 then system look for roles only in first 100 roles and shows only 3 roles as result.
If we set this parameter to 50 then system look only in first 50 roles and returns only 2 roles.


Related SAP Fix
2059283 - Role Search is not accurate


Issue 3
Unable to search Business role based on action maintained in single role on role search screen when business role having composite role and that composite role having single role.


Related SAP Fix
2093026 - Unable to search Business role based on action maintained in single role on role search screen


Issue 4
We are facing an issue while importing Composite roles in BRM. System does not import any of composite roles in BRM. We are trying to import the roles from back-end and selecting the role parameters during import process. With the same steps we managed to import all the single roles however not able to import any of the composite role. We have already run authority sync and repository sync job. We have also imported all the single roles associated with composite role.

Related SAP Fix
2027477 - Composite role import is not working


Issue 5
The issue is that when role owner is approving the role changes then he should be aware what all mitigation controls are applied to the role. This can only be possible if include mitigated risk is by default checked while system auto trigger the risk analysis before generating the role.
Risks were not displayed in the Analyze Risks - Role Generation Phase even though risks were displayed in Risk Analysis Phase
Our methodology is as follow:
Define --> Maintain Authorization --> Risk Analysis --> Generate --> Maintain test case --> Approval --> Complete


Related SAP Fix
2075894 - BRM: Risks are not displayed in the Role Generation Phase


Issue 6
We are facing issue in role certification. When user click on the link from role certification. The user is able to view the define tab of role in display mode however if he try to navigate to maintain authorization or risk analysis process step. System gives a dump "Assert Condition violated"
The role owner is not able to see the list of approvers and company mapped with the role. This information is required to certify the role. This information should be available to the role owner in display mode.


Related SAP Fix
2061588 - Assertion failed dump with no edit authorization in role methodology


Issue 7
We found that role prerequisites are not available in Role Parameter import template. These are also a role parameter same like functional area, Company, Business Process. Please rectify the problem and provide a fix to us. We need to upload prerequisite for 6000+ roles. This parameter should be part of Role Import Template.


Related SAP Fix
SAP has provided a Z program and related step by step document. Anyone has the same requirement let us know, I can share the program details here


Issue 8
We found that Role Owner search under "Define Role" Methodology step is working correctly. There are 2 fields (Owner & User ID) to search. If we put user ID (S80*) in user ID field it gives no result. However if we put user ID (S80*) in Owner field we get the search result. If we put user name (MADHU) in Owner field then there is no result and if we put user name in User ID then we can get the result.
The search is not working correctly as per the parameter provided. If we provide Owner it looks in User ID and if we provide User ID it looks into role owner name.


Related SAP Fix
2092209 - Text for user name in approver search help during role definition is ambiguous
 
Access Risk Analysis (ARA)


Issue 1
We are trying to transport the ruleset from SPRO but it gives error.


Related SAP Fix
1968082 - Not able to create transport for SoD Rules after upgrading to NW 740 SP04


Emergency Access Management (EAM)


Issue 1
We have noticed that some Notification variable for Firefighter log review doesn't get filled in the notification template. Following are the parameters which are nor working.
 
LINK_WORKITEM
 
Related SAP Fix
1983997 - LINK_WORKITEM variable not filled for FF Log Review Report Workflow


Issue 2
We noticed that the FF Log Review report doesn't have any option to relate the logs with the Original Access Request. We want to see this mapping in log review request so that reviewers will be able to match the request justification raised by firefighter and match the activities performed by him.
As we understand this is not available in standard product but this is very critical requirement for Log Review. Could you please let us know any possible workaround to achieve this requirement.
 
Related SAP Fix
Waiting for SAP update
 
Issue 3
We are running the GRAC_SPM_LOG_SYNC_UPDATE as a background job in our GRC system to extract GRC SPM log from our ECC Production system. We noticed that we need to increase the parameter rdisp/max_wprun_time considerably high (around 43200 secs) in the ECC system, otherwise the background job will fail in GRC. Our policy is that that the rdisp/max_wprun_time should only be set to 3600 secs (1 hour). This is to ensure that the work process are not block which will lead to system standstill.
 
If we reset the rdisp/max_wprun_time to 3600 secs, the GRAC_SPM_LOG_SYNC_UPDATE job will fail and the SPM logs that is not sync will also grow, which will make the job runtime even longer.
 
Is there a way to optimize the GRAC_SPM_LOG_SYNC_UPDATE job performance so that it will fit in the rdisp/max_wprun_time of 3600 secs? Can it have the same behaviour as BW extraction job which is not affected by the parameter rdisp/max_wprun_time even though it runs longer than 3600 secs?
 
Related SAP Fix
Please check this Notes. It describes the ways of optimizing the performance of EAM sync job.
1617529 - Best Practices For Improving Performance of EAM Log Sync job
1741151 - GRC 10.0 Indexing on CDHDR table in case of time out issue due to huge data
2047097 - Communication failure with remote system (SAP Query)


Reports and Analytics


Issue 1
The access rule library auto pop out once the group rule level is changed.
Please follow flowing steps for reproduction and refer to the attached screenshot.
1. Click on the “Reports and Analytics”
2. Click on Dashboard report “Access Rule Library”
3. Click on the pie chart with high violations and close the window
4. Now change the group level to “Critical Permission”
5. The window is auto populated without users actions
This behavior is an irritant and need to be resolved as this is bug.


Related SAP Fix
2061888 - In Access Rule library report, popup gets open without user action


Issue 2
The report "User to Role relationship" is not working as expected. If there is a role which doesn't have a profile then this report doesn't pick the role in output.
The expected output for this report is to include all the roles which are assigned to the user irrespective of profile of the role as this report is to show the relation between role and user instead of user and profile.


Related SAP Fix
2093024 - User to Role Relationship report not showing roles that does not have any profile generated
2107567 - User to role relationship shows empty profile even for generated roles


Issue 3
Change log report does not show results when the search criteria is in lower case. The report does not have option to save the file in excel.
Reports and Analytics -> Audit Reports -> Change Log Report


Related SAP Fix
2061392 - Role name is case sensitive while executing the change log report


Issue 4
As a part of the UAT phase following issue was noticed in the GRC 10.1 with SP Level 5. The role library dashboard does not have export option in the drill down list.


Related SAP Fix
2062839 - Export option not visible in the drill down of role library report


Issue 5
We noticed that that some reports are giving results in foreground mode however if we schedule the same job in background then it doesn't give any result.
List of Reports which are failing.


1. Role Relationship with User Group (No Output)
 
Related SAP Fix
2073736 - Role Relationship with user/user group is not working in background option


Issue 6
We have seen incorrect data being populated in the SAP standard dashboard report “Access Requests”. The numbers shown in access request pie chart and shown in request by types for similar period and similar filter criteria are not shown correctly.



Related SAP Fix
2064801 - UAM: Incorrect values displayed in access request report and drill down doesn't display data in provisioning report

Issue 7
We noticed that that some reports are giving results in foreground mode however if we schedule the same job in background then it doesn't give any result.
List of Reports which are failing.

Approver Delegation (Dump)


Related SAP Fix
2083663 - UAM: Approver Delegation report is generating short dump when it is run in background


Issue 8
We noticed that user group filter for the report (List Expired and Expiring roles) is not working. The User group is a very good criteria to list out the appropriate report to consume by user administrator.


Related SAP Fix
2066074 - List Expired and Expiring Roles for Users Report not working