cancel
Showing results for 
Search instead for 
Did you mean: 

SAP Account termination through GRC AC 10.1

former_member692917
Participant

Dear Experts,

I am looking for BRF+ configuration steps for the below actions.

1. Update usergroup

2. End validity - current date

3. Lock user

Please help me.

Regards,

Mahendran R

Accepted Solutions (0)

Answers (5)

Answers (5)

manukapur
Active Participant
0 Kudos

Hi,

I am looking to call the Terminate process using a custom program. Is there a way in which I can call the MSMP Process ID using a custom program?

Regards,
Manu

former_member692917
Participant
0 Kudos

Marcelo,

Below are the screen shots of my initiator rule (BRF+ configuration) which is mapped in MSMP as process initiator.

Decision table

Function


My previous post images related to User default rule id - 80E0ED08B0561DDFA5ADCADA787E1EDA which is SAP delivered. Above rule which i created new initiator rule. Wants to know how to correlate these to meet my requirement. Please suggest.

former_member692917
Participant
0 Kudos

Hi Marcelo,

Small thing that I missed to add action type 8.User defaults along with 23.Change and Lock users in SPRO-->AC-->User provisioning --> Define request type --> under Change & Lock users (Request type). Now I can see that User defaults works fine with initiator rule. thanks for your solutions so far.

Looking on how to update the Valid through date as current date while user provisioning (Leaving user). Please let me know if you have some ideas on this.

Monsores
Active Participant
0 Kudos

Hi Mahendran.

The error you are getting doesn't seem to be related to the Default User Settings you have implemented but to your Initiator.

Have you created an initiator rule for your new request type (125)?

If so, you can also try to add a "catch all" rule to the end of your initiator rule list to throw unrecognized requests to a default workflow. This one would allow you to be sure that none of the previous rules were met by your access request.

Regards,

Marcelo Monsores

former_member692917
Participant
0 Kudos

Please suggest how do we maintain the "catch all" in MSMP? is it on Path or Routing or Result values? I never tried that...if you have some screen shot please do upload or let me know steps to configure that.

Thanks,

Mahendran R

Monsores
Active Participant
0 Kudos

Hi Mahendran.

Unfortunatelly I don have a screenshot for the "catch all" rule right now. But it is mainly done in BRF+, under the Decision Table of your Initiator function. You just need to add an additional line bellow all others with a generic condition like "System ID is not initial" or "Role name is not initial" and then assign a result value to this line. Of course if you assign a result value which is still not mapped in MSMP you will also need to do it.

If you paste here a screenshot of your initiator Decision Table I can try to guide you with it.

Regards,

Marcelo Monsores

Monsores
Active Participant
0 Kudos

Hi Mahendran.

Sorry for the delay. I didn't receive a notification about your response as it came in a separate thread. I'll keep answering from this one to have everything in the same answer.

Regarding the 'Catch All' rule, you just need to add an extra line to the your Decision Table right bellow the single one you have. In that one you are saying that the Z_LOCK_RESULT will be returned to any access requests of type 125 (Not sure about how your Line Item column was filled for this one). In the new one you can add a rule saying Req Type <> 125 and keep Line Column blank. With this, any request items that don't match you 1st rule will for sure match this 2nd one. Then you can assign a result to it different from Z_LOCK_RESULT and map it in MSMP to a different path (usually your escape path).
It will help you to be sure that your BRF+ rules are working and taking you to your expected path in MSMP.

Regards,

Marcelo Monsores

former_member692917
Participant
0 Kudos

Thanks Marcelo, thanks for your response, We have GRC 10.0

Requirement is when submitting access request, automatically User group and End validity (current date) should update in user profile and Lock the user.

I followed the configuration steps from - https://blogs.sap.com/2014/10/07/user-defaults-grc-100/, but i changed request type as custom one as Change and Lock User as below in BRF+ decision table.

Function:-

Decision table:-

Ruleset:-

Loop & Rules: (Note- i added one additional exit condition rule as highlighted below)

BRF+ Simulation working fine, but i am getting below error when submitting access request.

I need help on below points:

1. Whether BRF+ configuration is correct or need any change?

2. Not sure why access request submission getting this error?

3. For user defaults, do we need to configure this Rule id in MSMP process?

As of now I am trying to test with one connector system, future i will need to add more connectors.

Thanks,

Mahendran R

Monsores
Active Participant
0 Kudos

Hi Mahendran.

The mentioned actions are performed through Access Requests.

Can you please explain better how you expect BRF+ to help you with it?

Regards,

Marcelo Monsores