
Su01 Valid Through date auto update through user defaults (BRF+) / GRC 10.0

former_member692917
Participant
0 Likes
3,153

GRC gurus,

Requirement: Updating User group, Valid through date and locking accounts for leaving users. All work well except the Valid through date auto update.

I configured the User Defaults BRF+ and it is working as expected for the Change & Lock user condition through the Initiator rule. I also want to automatically update the request (current) date as the Valid through date in SU01 once the access request is submitted (without manual input in the request form). I need your guidance on how to achieve this requirement, whether through BRF+ or anything else to be done. Your valuable suggestions would be much appreciated.

Thanks

Mahendran R

Accepted Solutions (1)


Monsores
Active Participant
0 Likes

Hi Mahendran.

As far as I know there isn't a way for automatically setting the user "valid to" date as it is retrieved from the backend system (if your user already exists there) or else set to 31.12.9999. If you want to have this "valid to" date adjusted still in your access request before it is approved (to make it visible for approvers, for example) you will need to do it through a Web Dynpro enhancement.

In our case we solved it also with a bit of development, but a less intrusive one. We created a BRF+ Function and assigned it to the "User Defaults" rule (SPRO > GRC > Access Control > Maintain AC Applications and BRFplus Function Mapping > User Defaults) and also a new request type named Leavers.

On the Decision Table of this BRF+ Function we have triggered for this Leavers request type a call to a Function Module (custom, developed by ourselves) which performs some steps for the concerned user on the requested systems (always calling standard BAPI_USER* BAPIs):

1. Removes all his roles and profiles.
2. Changes his user group to LEAVERS.
3. Expires the user by setting his "valid to" to the current date (ignoring the "valid to" set on the access request). <== I believe this is the one you are in search of
4. Locks the user.

I don't know if there is an easier way of achieving this, but this one works fine for us.

Regards,

Marcelo Monsores
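
The four steps listed in the answer above, sketched in ABAP as an added example; this is not the poster's function module. The report name, `p_user` and `p_dest` are hypothetical, and "user group" is assumed to mean the SU01 logon-data user group (field `CLASS`).

```abap
REPORT z_leaver_offboard_demo.
" Added illustration, not the poster's function module. Report name, p_user
" and p_dest are hypothetical; group LEAVERS must already exist on the target.
PARAMETERS: p_user TYPE bapibname-bapibname OBLIGATORY,
            p_dest TYPE rfcdest OBLIGATORY. " RFC destination of target system
DATA: ls_logon  TYPE bapilogond,
      ls_logonx TYPE bapilogonx,
      lt_roles  TYPE STANDARD TABLE OF bapiagr,  " left empty on purpose
      lt_profs  TYPE STANDARD TABLE OF bapiprof, " left empty on purpose
      lt_ret    TYPE STANDARD TABLE OF bapiret2,
      lt_log    TYPE STANDARD TABLE OF bapiret2,
      ls_msg    TYPE bapiret2.

START-OF-SELECTION.
  " 1. Assigning an empty table replaces (removes) all roles, then profiles.
  CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN' DESTINATION p_dest
    EXPORTING username       = p_user
    TABLES    activitygroups = lt_roles
              return         = lt_ret.
  APPEND LINES OF lt_ret TO lt_log. CLEAR lt_ret.
  CALL FUNCTION 'BAPI_USER_PROFILES_ASSIGN' DESTINATION p_dest
    EXPORTING username = p_user
    TABLES    profiles = lt_profs
              return   = lt_ret.
  APPEND LINES OF lt_ret TO lt_log. CLEAR lt_ret.

  " 2. + 3. User group LEAVERS and "valid to" = today; X flags mark changed fields.
  ls_logon-class = 'LEAVERS'. ls_logonx-class = 'X'.
  ls_logon-gltgb = sy-datum.  ls_logonx-gltgb = 'X'.
  CALL FUNCTION 'BAPI_USER_CHANGE' DESTINATION p_dest
    EXPORTING username   = p_user
              logondata  = ls_logon
              logondatax = ls_logonx
    TABLES    return     = lt_ret.
  APPEND LINES OF lt_ret TO lt_log. CLEAR lt_ret.

  " 4. Lock the user.
  CALL FUNCTION 'BAPI_USER_LOCK' DESTINATION p_dest
    EXPORTING username = p_user
    TABLES    return   = lt_ret.
  APPEND LINES OF lt_ret TO lt_log.
  " The BAPIs report failures in RETURN instead of raising exceptions.
  LOOP AT lt_log INTO ls_msg WHERE type = 'E' OR type = 'A'.
    WRITE: / 'FAILED:', ls_msg-id, ls_msg-number, ls_msg-message.
  ENDLOOP.
  IF sy-subrc <> 0. " no error or abort message was found
    WRITE: / 'User', p_user, 'expired and locked on', p_dest.
  ENDIF.
```

Checking every `RETURN` table matters here: a step that fails silently can leave a leaver's account unlocked or still holding roles.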

former_member692917
Participant
0 Likes

Marcelo,

Thanks for the update, do you have any steps on BRF+ configuration with decision table to take it as an example for this (on your below comments)?

"On the Decision Table of this BRF+ Function we have triggered for this Leavers request type a call to a Function Module (custom, developed by ourselves) which performs some steps for the concerned user on the requested systems (always calling standard BAPI_USER* BAPIs):"

Regards,

Mahendran R

Monsores
Active Participant

Hi Mahendran.

In this link you can find a summarized version of what we did here:
https://blogs.sap.com/2014/10/07/user-defaults-grc-100/

Regarding what we are discussing, I just created a separate "Leavers" request type and added an "Action" column to BRF+ right after the "User Default ID" one in which (just for this request type) I call my function module besides returning a "User Defaults" value.

Regards,

Marcelo Monsores

former_member692917
Participant
0 Likes

Marcelo,

Thanks for the input. Through HR Trigger I was able to achieve updating the User group and End Validity (including a future date), but Lock user does not seem to work as per SAP design in GRC 10.0. We will need to look at a customized ABAP program for the lock alone.

Regards,

Mahendran R

Monsores
Active Participant
0 Likes

Hi Mahendran,

As described, our setup is almost the same as in the link I mentioned, but we also added an "Actions" column to our Decision table and then defined an action to be called for our Leavers ReqType.

In this action we call the Function Module which performs the actions we need (removing all roles/profiles, expiring and locking the concerned user).

Currently we are planning to expand this Function Module to also remove delegations and role ownerships related to these leaver users.

Regards,

Marcelo Monsores

Answers (2)


0 Likes

Hello,

We had a similar issue and it's solved (AC 12). We add the delete user action in the request type (even if we lock the user - not delete).

It doesn't have much logic but in our case it works (we raise an OSS message).

regards,

vijayakumarsuth
Product and Topic Expert
0 Likes

Hi Mahendran,

For a new user, the valid from date will be taken as the current date because the user does not exist in the data source system (configured in SPRO), whereas for a change user request the user already has a valid from date and a valid to date; hence, the GRC access request will always consider the values returned from the data source system.

I would suggest, if it is OK for your requirement to override the data source data, that you try keeping empty values in the valid from date and valid to date under the End User Personalization setting in SPRO, which might enable the access request to always go with the current date.

former_member692917
Participant
0 Likes

Vijayakumar,

Thanks for the update, I do not see any validity specific fields in EUP to make it empty. However when submitting access request it picks up the valid from date as current date, and valid to date as 31.12.9999. I want this valid to date to be updated automatically with current date. If you have any idea which can be achieved with BRF+ config. please share.

Thanks,

Mahendran R