Password Self Service (PSS) configuration in SAP GRC AC 10.0 allows users to reset their passwords. It lets users perform a self-service password reset, and employees can also self-update their personal details.
Below are a few common issues encountered while configuring PSS.
After submitting the PSS action, the error "Password reset failed: no valid Email-id maintained for user id" appears and nothing happens.
Go to SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Data Sources Configuration and make sure you have Connectors set up for each of the Data Sources.
Run the sync job (program GRAC_REPOSITORY_OBJECT_SYNC) again for the Connector you are using as your User Source, then attempt the reset again.
GRACUSER is the right table from which to get the user's email, provided it is being populated correctly. Setting this up should fix the error.
After using the "Reset Password" option and clicking the Next button, the following error is displayed: "user is locked"
In the PSS global configuration settings, you can define after how many failed attempts the user gets locked out from PSS. This setting can be configured in SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > User Provisioning > Maintain Password Self Service.
Please see SAP Note: 2018010
When end users open the "End User Logon Page" link in a new browser to reset the passwords for their IDs in the backend systems, it asks for a user ID and password, but it does not prompt for a user ID and password when the same link is accessed through NWBC. How to troubleshoot this?
Make sure that the guest user is configured in each of the 10 services in SICF for the EU Logon Pages to work.
Admin Registered Questions are not visible in PSS.
Please make sure all the PSS questions are maintained in all the languages which are used by End Users including user default languages.
From SP9, PSS questions are visible in the user's default language, provided the supported languages are maintained in the IMG as follows: Go to SPRO > IMG > GRC > Access Control > General Settings > Maintain Supported Languages.
The default language is maintained first in the sequence. If no questions are available in the default language, the next language in the sequence becomes the default language.
While trying to Register Security Questions for Admin Registered Questions the following error message is displayed.
The field 'Number of Questions' is not maintained in the SPRO configuration. To resolve this:
Execute transaction code SPRO > IMG > Governance Risk and Compliance > Access Control > User Provisioning > Maintain Password Self Service
Maintain the required value in the field 'Number Of Questions'.
While trying to reset password, the user is receiving the error message 'You can change your password only once a day'
The password parameter is not set in RZ11 on the system where the user is attempting to change the password.
On the plug-in system, set the password parameter in RZ11, because the password has to be changed on the system where the user actually exists.
The parameter that needs to be checked is: login/password_max_reset_valid
The error message "User is not registered. Please register the user first" is displayed in PSS after registering the security questions.
Prior to SP10 of GRC 10.0, if the PSS authentication source was set to "challenge Response", the questions were registered against the user maintained in the SICF web service "grac_gaf_pwd_selfservice_eu", not against the logged-in user.
Upgrade to SP10 or above, or implement SAP Note 1747265, to resolve the issue.
IMPORTANT TAKEAWAY ABOUT PSS
The following password statuses are supported by the GRC Password Self Service (PSS) functionality:
Normal User having productive password
Productive password expired
Initial password expired
Incorrect Logon lock
Password Self Service (PSS) functionality is not supported for:
Admin Lock (user is locked by Admin)
Standard delivered PSS notification is delivered under document 'GRAC_CUP_PSS_NOTIFY'.
The NWBC authorizations used for managing Password Self Service are as follows:
During the password reset phases, the list of systems shows only those Plug-in systems for which the User Sync has been done and for which the logged-in user exists in the GRC Box repository.
The following parameters can be considered to control the system-generated password:
Any subtractions or additions to the document are most welcome.