Dilip Jaiswal

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Hi,

In GRC 10 ARM, the access request approver can choose to run risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile”. In 5.3, the approver did not have this choice when working from CUP.

When an approver opens an access request in AC10, “Permission Level” is always selected under the Risk Violation tab. That selection is expected, because it is configured this way (parameter 1023 in SPRO, Default Report Type for Risk Analysis). But the approver also has the option to deselect “Permission Level”.

You may want to ensure that the approver always keeps “Permission Level” selected; in other words, the option should be grayed out with a permanent tick mark. This makes sure that CUP enforces the “Permission Level” check. Otherwise, an approver who deselects it can always skip the risk analysis by clicking different report types. It is also possible that not all approvers understand the meaning of each option. Risk analysis can therefore be skipped both accidentally and intentionally.

As you can see, Permission Level is always selected but editable. The approver can deselect it and submit the request with no violations. This way, requests with unmitigated risks can be submitted.


/wp-content/uploads/2014/02/1_377781.png


We achieved this by deploying SAP Note 1796838 (UAM Risk analysis at permission level set to non editable) and following the steps below.

1. Go to transaction SE80.

Select ‘GRAC_ACCESS_REQUEST’ as the package.

Click on Web Dynpro -> Web Dynpro Application.

/wp-content/uploads/2014/02/2_377782.png


2. Drill down to the application ‘GRAC_OIF_REQUEST_APPROVAL’. Right-click on it and click Test.


/wp-content/uploads/2014/02/3_377846.png


3. Now, the following screen will appear.


/wp-content/uploads/2014/02/4_377855.png

Go to the URL of the above screen and add the following string to it.


Go to transaction SE16, enter GRACREQ as the table name, and enter any request number in the REQ_ID field.

Click the Execute button and copy the value of the REQ_ID field.

This is the string to add to the URL:

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<REQ_ID  checked from above step>

Here is an example of the string to add to the URL of the dump screen above:

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/984BE163CDB81EE2B79233F7361518D9

/wp-content/uploads/2014/02/5_377848.png

Observe that the dump now disappears and an access request opens.


4. Go to the Risk Violation tab, right-click on the Type check boxes and choose ‘Settings for Current Configuration’.

/wp-content/uploads/2014/02/6_377849.png


5. Now, the following pop up window will appear.


/wp-content/uploads/2014/02/7_377850.png

In this window, you can go to each of the result type options and select the ‘read only access’ check box.

/wp-content/uploads/2014/02/8_377851.png


6. For example, if you click on Permission Level and set Read-Only Access to ‘Yes’, Permission Level will appear as non-editable on approval screens for all requests.


/wp-content/uploads/2014/02/9_377852.png


Click on ‘Save and Close’.

Note that the Permission Level check box is now disabled.

/wp-content/uploads/2014/02/10_377853.png
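
The URL change from step 3, as an added example that is not part of the original post: a small Python helper that appends the two parameters to the test URL whether or not it already carries a query string, and refuses a REQ_ID that is not a plain key. The host name in the sample URL is constructed, and the 32-hex-character check is an assumption based only on the example value shown above.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: REQ_ID values look like the post's example (32 hex characters).
REQ_ID_RE = re.compile(r"[0-9A-F]{32}")

# Constructed sample input: example host, application name from step 2.
SAMPLE_TEST_URL = ("https://grc.example.com/sap/bc/webdynpro/sap/"
                   "grac_oif_request_approval?sap-client=100&sap-language=EN")
SAMPLE_REQ_ID = "984BE163CDB81EE2B79233F7361518D9"  # value quoted in the post


def config_mode_url(test_url: str, req_id: str) -> str:
    """Append SAP-CONFIG-MODE=X and OBJECT_ID=ACCREQ/<req_id> to test_url."""
    req_id = req_id.strip().upper()
    if not REQ_ID_RE.fullmatch(req_id):
        # Rejects request numbers, blanks and anything carrying '&' or '='.
        raise ValueError(f"not a 32-character hex REQ_ID: {req_id!r}")

    parts = urlsplit(test_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("expected the full URL copied from the browser")

    # Keep existing parameters (sap-client, sap-language, ...) and drop stale
    # copies of the two set here, so running it twice does not duplicate them.
    ours = {"SAP-CONFIG-MODE", "OBJECT_ID"}
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.upper() not in ours]
    query += [("SAP-CONFIG-MODE", "X"), ("OBJECT_ID", f"ACCREQ/{req_id}")]

    # safe="/" keeps the slash in ACCREQ/<REQ_ID> unescaped, as in the post.
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))


if __name__ == "__main__":
    print(config_mode_url(SAMPLE_TEST_URL, SAMPLE_REQ_ID))
```
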

I hope this helps if you have this kind of requirement, and prevents requests with unmitigated risks from being submitted.

Regards

Dilip Jaiswal.

GRC – IDM Consultant.


      27 Comments
      Neeraj Agarwal

      Good Work Dilip..!!

      Really very useful blog.

      Former Member

      Helpful documentation. Thanks for sharing.

      Cheers,

      Sabitha

      Former Member

      Very thoughtful and helpful. Thanks for sharing.

      Former Member

      Very nice article and hoping some more good blogs like this quickly.

      Former Member

      Very helpful in understanding the concept.

      Former Member

      Hi Dilip,

      Thanks for posting this. I tried this in my system; it didn't work as given in your post. Firstly, when I added the string you mentioned, it opened the page but it still gave an error ("error occurred during processing").

      When I right-clicked, it didn't give me the option for "Settings for Current Configuration".

      My questions:

      - Is the string to add the same for all systems?

      - Is there a way to find the string for each of the Web Dynpro applications?

      Thanks again.

      Regards,

      Muthu

      Dilip Jaiswal
      Blog Post Author

      Hi,

      I got this string from a developer who helped me in debugging. I updated the document with how you can create the string.

      "Settings for Current Configuration" - this may be some system-specific setting. It was enabled in my system.

      Regards

      Dilip

      Former Member

      Hi Dilip,

      I replaced the request number and it works like a charm. I really appreciate you helping others.

      Keep up the good work.

      Regards,

      Muthu

      Dilip Jaiswal
      Blog Post Author

      Thanks that it worked for you.

      Former Member

      nice article Great................

      Former Member

      very useful document

      Former Member

      Thanks for sharing this document sir

      Former Member

      Hi,

      I have a question.

      I need to do the same for the step of risk analysis in the maintain role.

      How can I do it?

      Regards!!!!

      Dilip Jaiswal
      Blog Post Author

      Hi,

      Please check for the relevant Web Dynpro and try whether this works.

      Regards Dilip

      Pranjal Garg

      Hey ,

      Great source of info... I have a doubt: is there any way to display the email address of the user in the user level analysis report?

      Dilip Jaiswal
      Blog Post Author

      Hi Pranjal,

      I think email will not be available, but I have seen you have posted in the common forum, so if anyone comes across this they will update you soon.

      Reg, Dilip

      Pranjal Garg

      Thanks Dilip,

      Ok we can wait for it..??

      I have one more question to ask..??

      Is there any way to download the files from the dashboard? In my case I have around 20000 users, of which only 8 have risks, but as the data comes in a pie chart it's tough to download. I mean I am not able to find where to click in the pie chart, as this small number of users is invisible in the pie chart.

      Suvonkar Bashak

      Hi Dilip,

      The article is well written and explained in a simple way along with visual/snapshots.

      Great work here.

      Regards,

      Suvonkar

      Former Member

      Hi Dilip

      Firstly, your article is an excellent step by step demonstration of Risk Analysis.

      Secondly, please do keep up this great job, and I am looking forward to learning a lot from you.

      Rgds

      Mansoor

      Former Member

      Very helpful document

      Former Member

      Superb informative and helpful blog.

      Thanks

      Katrice

      Former Member

      Very nice & informative blog ! Pretty helpful.

      S A

      G'Day Dilip,

      Thank you for taking the time to post this blog. After reading the following blog:

      Customizing Access request and approval screens in GRC Access Control

      I thought I could do the same for the rest however as you pointed out here, the web pages used to throw a dummy fit. Well thanks for clearing it up that I have to append something to the end of the URL link.

      I do have a couple of queries though and I would appreciate it if you could answer them.

      1) Why does it show the error in the first place and why only for some links?

      2) How do we know what needs to be added to the URL?

      • In your example, we had to add the REQ_ID, so what about the rest? Let's say for template based etc.

      Regards,

      Leo..

      Girish Almiya

      Hi Dilip,

      I appreciate that you have shared such good information. It's helpful for all community members.

      Regards

      Girish Almiya

      Former Member

      really helpful. thx

      Former Member

      Dilip

      Many thanks. The doc is more informative.

      Former Member

      Hello,

      I'm trying to do something similar with checkbox "offline data" but it doesn't work. After refreshing the screen it remains grayed but unchecked.

      Has anyone tried this? Any ideas?

      Thanks!

      Regards,

      Fernando