on 02-18-2014 6:45 PM
Hello GRC gurus!
I know that this error enough discussed on the forum, however, I would like to ask you how to kill the error.
First of all, I should notice that I have reviewed the configuration guides many times and as I can see everything is done according with them.
Also, I have reviewed many notes including 1584110 and 1562760 (with attachments), have visited lots pages that were searched with Google. Unfortunately, the result is the same.
What was done.
1) SM59. Connectors GRDSSD001 (CUA system) and GRDSSD200 (CUA-managed system) are created. Authorization check performed well (S_RFC+SAP_ALL are assigned to be sure)
2) SPRO -> Governance, Risk and Compliance -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types
Connection type definition = SAP system predefined by the BCSet.
Define Connectors
Assign both connectors to SAP_CRM_LG group
3) SPRO -> Governance, Risk and Compliance -> Common Component Settings -> Integration Framework -> Maintain Connection Settings.
Assign connectors to 4 scenarious (as recommended in the note)
AUTH
PROV
ROLMG
SUPMG
4) SPRO -> Governance, Risk and Compliance ->Access Control -> Maintain Connector Settings
Assign for the connectors type 1 (SAP Application). No attributes were assigned.
5) SPRO -> Governance, Risk and Compliance ->Access Control -> Maintain Mapping for Actions and Connector Groups
Activate group SAP_CRM_LG with type 1.
Defaults valid only for GRDSSD200
By the way, here I found not correct recommendations for ABAP connector
"Logical Port - Not relevant" I would say that it is relevant!
I can select roles , which I made before, in AC request, but I cannot select system.
Looking forward to hearing from someone soon.
BR,
Artem
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Artem, could you please attach the screenshot for the roles assigned to your user, moreover, if possible, create a new user with only 3 roles - SAP_GRAC_BASE, SAP_GRC_NWBC,SAP_GRAC_ACCESS_REQUESTER and check if the new user is getting the systems or not, this way we will be sure that its not an authorization issue but some other issue.
Regards,
Sanju
Hi Artem,
Please follow the steps and check if it works:
1) In the step -> Assign both connectors to SAP_CRM_LG group....Maintain the Connection Type for the Connector Group as "SAP"
2) For integration scenario "PROV" in "GRC->Integration Framework->Maintain Connection Setting": check for the connectors under Scenario Connector Link.
Best regards,
Sanju
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Artem,
Check if the Request Type that you are using has "Create User" or "Change User" as actions assigned to it.
Although if these actions are not assigned then the option to Add ->System should be unavailable but its worth checking it once.
GRC->Access Control->User Provisioning->Define Request Type
Regards,
Sanju
HI
what does the BRM role set up look like for the role? What systems does it exist in?
are all your synch jobs scheduled?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hell Colleen,
Thank you for response!
I don't get your question, what do you mean "BRM role set up"?
Role has the following attributes:
Role maintenance is finished, it exists in SSD200 system. Function Area is defined for the role (BS_ALL), Owners/Approvers too. The other sections have empty fields (no company, no custom fields etc.)
Syncronization jobs were done with Incremental option. I will start them again in both modes (full and inc).
Just out of curiosity, could you tell me why you assume to check BRM and role part? I don't have such a big experience as you, but I supposed that the problem is in AC (CUP) part, particularly in sections related to connectors.
Regards,
Artem
Message was edited by: Artem Ivashkin Synchronization jobs finished without any errors (slg1 checked )
Hi Artem
Just out of curiosity, could you tell me why you assume to check BRM and role part?
I find with GRC that it's all integrated and a few of the CUP role issues were due to the BRM configuration for the role. For example, with BRM integration when someone can't understand why the role isn't appearing as an option to select in CUP we can see in BRM that the role may not be in Production Status.
I also interpreted your screen shot that maybe you wanted that role but for a different system. The BRM screen shot shows that the role only exists in the system already selected.
This is my approach to troubleshooting and learning the system but sometimes may not actually be related to your issue. In attempting to find the cause I have a tenancy to look for all possibilities before discounting them.
I don't have such a big experience as you,
You would be surprised - don't let my ranking in this community be mistaken for how much experience I have. Really, I'm just curious and like to understand the why so I took to debugging (I am not a developer) the code/testing scenarios and theories to figure out the answer. It just happened that others have asked the same question in SCN and threw a few points my way.
Back on topic: What do you mean by you can't select system?
Regards
Colleen
Hi Colleen,
Thank you so much for detailed answer!
In my phrase "I cannot select system", I meant that during creation of an Access Request for a new account no system is available for the selection.
The reasons why I'm trying to cope with the problem are the following. As I understand, if I select only system (or a role and a system) I don't need to set "Create User For Role Assignment" (SPRO -> AC -> Maintain Provisioning Settings). And the second one is we need to select CUA system for further processing, but it's more administrative issue than technical.
Regards,
Artem
Hi Artem
Only other things I can think of is checking if there is authorisation restriction (doubt it if you could assign roles) or check the Request Type configuration Actions for the option you chose on the form. Finally (I don't have access to a GRC system at the moment, check if the EUP - End User Provisioning - configuration has system field as a configurable setting)
If you have been able to assign a role and it provisions, then is it unlikely the connector setup is an issue.
Regards
Colleen
Hi Colleen,
Unfortunately, I do my experiments with SAP_ALL and all GRC AC standard roles. Trace showed that everything is ok.
The configuration of Request type is quite wide, I can see only Assign Object action, but I don't have possibility to determine what exactly I need, or do I?
EUP configuration doesn't include system field.
I will try once again to assign a role without system.
Regards,
Artem
Hi Colleen,
I've chosen "New Account" type. I tried to select also the other types, such as
New Account, Change Account and Lock Account, but it was in vain. Also I tried to create request for "self" and "other". I've posted a message to SAP, but I think that they can help me within months... So that assistance of the community could help me efficiently.
Regards,
Artem
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.