Madhu Babu #MJ

SAP GRC 10.0/10.1/12.0 – Automated Assignment of User Defaults & Parameters

Purpose of User Defaults:

When a new user is created in the target system, all users of that system may require a few common user defaults such as Logon Language, Time Zone, Decimal Notation, Date Format, Parameters, etc. When a user is created through GRC, these user defaults can be assigned based on the request type.

By including user defaults as part of the request type (mostly New Account), the user is created with the required user defaults in the target system.

Important SAP Notes on User Defaults to review before configuring them:

1615552 – GRC 10.0 How to set User Default

1665585 – User Defaults BRF+ rule not working correctly

2020712 – UAM: User group not provisioned after request provisioning

Steps to Implement User Defaults:

Step 1: Maintain the “User Defaults” action as part of your Request Type. My Request Type 36 is for “New Account”, and I have assigned “User Defaults” to it as shown below.

SPRO =>Governance, Risk and Compliance =>Access Control =>User Provisioning =>Define Request Type

Step 2: Go to SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain User Defaults

Define user defaults for the different connectors connected to your GRC system. One example is shown below:

You can assign a default User Group and default Parameters per connector by using the options “Set the User Group” and “Set Parameter ID” in the above screen, as per your requirement.

Now map the BRF+ Application for user defaults under the IMG configuration shown below:

Go to IMG->Governance, Risk and Compliance->Access Control->Maintain AC Applications and BRFPlus Function Mapping

Step 4: Add a Decision Table and a Loop expression to the BRF+ User Defaults function as shown below:

Decision Table: In the decision table, maintain entries as shown below.

Loop: To use “System” as one of the fields in the conditions for User Defaults, SAP suggests implementing a LOOP in the BRF+ rule. This might be needed because the “System” field is not available under the Request Header attributes; it is available under the Role Attributes, which are passed as line-item fields when the BRF+ rule is called. In such cases a LOOP is the suggested solution rather than using the Decision Table directly, though within the LOOP we can still call the Decision Table or implement IF/ELSE conditions.

Step 1:

Change the Mode of the BRF+ User Defaults Function from “Functional and Event Mode” to “Event Mode”.

Now click on the “Assigned Rule sets” tab in the Function and click on “Create Ruleset”.

The Ruleset gets created as shown below. Now click on the Ruleset and navigate to the Ruleset screen.

Click on “Insert Rule” and select the “Create” option as shown below.

In the Rules screen, fill in the role description, click on the “Add” button and select the options as shown below.

Once the above step is completed, the LOOP is created. Now navigate to the LOOP by clicking on LOOP_CONNECTOR_ITEMS and you will see the screen below.

Once you click on “Create Rule”, you will get the screen below.

Select the decision table, since you want to LOOP over the entries in your decision table. Once done, click on the “OK” button.


Once all of the above is done, activate the Decision Table, Loop, Ruleset, Function and Application.
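
The reasoning behind the loop in Step 4, as an added Python model (not part of the original post, and not BRF+ or SAP code): a single evaluation against header fields finds no connector, while evaluating once per line item returns one default ID per system. Connector names, role names, IDs and the first-match lookup are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed decision table rows: (request type, connector pattern, user default ID).
# Connector names, role names and IDs are hypothetical sample values.
DECISION_TABLE = [
    ("New Account", "ECCCLNT100", "0001"),
    ("New Account", "BWPCLNT200", "0002"),
    ("New Account", "CRM*", "0003"),  # "*" wildcard in the connector column
]

# Constructed request: "System" (connector) exists only on the role line items.
REQUEST = {
    "request_type": "New Account",
    "line_items": [
        {"role": "Z_FI_DISPLAY", "connector": "ECCCLNT100"},
        {"role": "Z_BW_REPORT", "connector": "BWPCLNT200"},
        {"role": "Z_CRM_AGENT", "connector": "CRMCLNT300"},
        {"role": "Z_HR_ESS", "connector": "HRPCLNT400"},
    ],
}

def lookup(request_type, connector):
    """One decision-table evaluation: first matching row wins (assumed)."""
    if connector is None:
        return None
    for row_type, pattern, default_id in DECISION_TABLE:
        if row_type == request_type and fnmatchcase(connector, pattern):
            return default_id
    return None

def header_only(request):
    """Evaluate once against header fields, which carry no connector."""
    return lookup(request["request_type"], request.get("connector"))

def looped(request):
    """Evaluate once per line item and collect every matching default ID."""
    found = {}
    for item in request["line_items"]:
        default_id = lookup(request["request_type"], item["connector"])
        if default_id is not None:
            found[item["connector"]] = default_id
    return found

def unmapped_connectors(request):
    """Connectors in the request for which no row returns a default ID."""
    return [i["connector"] for i in request["line_items"]
            if lookup(request["request_type"], i["connector"]) is None]

if __name__ == "__main__":
    print(header_only(REQUEST), looped(REQUEST), unmapped_connectors(REQUEST))
```

The unmapped list is the part worth checking before go-live: a connector with no matching row produces no default ID in this model.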

Step 5: Now create an access request to test the user defaults. Once the user is created, cross-check the user defaults in SU01. If all the above steps were followed properly, the user defaults will be updated in SU01 as shown below.

Reference Links: http://wiki.scn.sap.com/wiki/display/GRC/Setting+up+User+Defaults


      23 Comments
      Former Member

      Hi Madhu.

      Is it possible to assign roles instead of user attributes (printer, parameters, etc...) through the User Default functionality?

      Regards and thank you.

      Madhu Babu #MJ
      Blog Post Author

      Hi Sara,

      As far as I know, a few actions like Sending Mail, Starting ABAP workflows etc. can be done from BRF+. I am not sure whether role assignment can be done through an action in BRF+ 😯

      Maybe you can check in the BRF+ space for more details.

      Regards,

      Madhu.

      Sammukh Gupta

      Hi Madhu,

      Really nice document. We were going up and down with the loop implementation 🙂 Your document helped!!!

      Thanks

      Sammukh

      Former Member

      Hi Madhu,

      Very helpful document!

      Can you please help with detailed steps to create Rules under the Loop expression? Your screenshot is at a very high level and I'm having a hard time getting these rules created under the loop.

      loop.JPG

      Regards,

      Yuvaraj

      Santosh Krishnan

      Hi Madhu,

      This is a great document and it might address the issue we're trying to solve. 

      Please note in this screenshot the field User Group.  All we want to do is to have this be retrieved from our user data source, instead of from the target system.

      The above method seems to be overkill for what we want to achieve.

      Capture.PNG

      Thanks,

      Santosh

      Former Member

      Helpful document!

      Took me about an hour to replicate therefore: screenshots on steps to create Rules under Loop expression:

      /wp-content/uploads/2015/01/loop_1_633271.jpg

      next

      /wp-content/uploads/2015/01/loop_2_633296.jpg

      next

      /wp-content/uploads/2015/01/loop_3_633297.jpg

      next

      /wp-content/uploads/2015/01/loop_4_633298.jpg

      next

      /wp-content/uploads/2015/01/loop_5_633299.jpg

      next

      /wp-content/uploads/2015/01/loop_6_633300.jpg

      finally (change is equal to: isnotinitially)

      /wp-content/uploads/2015/01/loop_7_633301.jpg

      Former Member

      Hi Madhu,

      Really appreciate your generosity in sharing this document. But could you also let me know how to include values (create rules), as shown in the loop and Ruleset?

      Regards

      Plaban

      Madhu Babu #MJ
      Blog Post Author

      Hi Plaban,

      Please check the comment prior to yours, where George has posted the screenshots which I didn't mention in the blog. I will update the blog with the missing screenshots, but for the time being you can follow what George posted.

      Regards,

      Madhu.

      Rakesh Ram

      Hello Madhu,

      Hope you are doing good. Thanks a lot for all the time you are investing to share tons of knowledge on GRC AC 10.0.

      Can you explain this? I am not able to understand it.

      Loop: For using "System" as one of the fields in setting the conditions for User Defaults, SAP suggested for implementing a LOOP in BRF+ Rule. This might be needed since "System" field is not available under Request Header attributes, rather it is available as Role Attributes which are called as line-item fields while calling the BRF Rule. So, in such cases LOOP is a suggested solution, rather than using the Decision Table directly. Though within the LOOP, we can still call the Decision Table or implement IF/ELSE conditions.



      Thanks in advance.


      Regards,

      Deepak M

      Madhu Babu #MJ
      Blog Post Author

      Hi Deepak,

      Basically, the concept is that if you use only a decision table, it returns the matching value 🙂

      For example, if your request has roles from 3 different systems, then for each system you will have different User Default IDs, and your User Defaults should return 3 default IDs. So, you need to loop through all entries and return all matching values.

      Regards,

      Madhu.

      Rakesh Ram

      Hello Madhu,

      As always, the issue and the doubt are resolved and I am clear on when LOOP will be used.

      Regards,

      Deepak M

      Former Member

      Hi Madhu,

      I tried, but could not understand. So, could you please clarify my doubt:

      - Function USER_DEFAULT_FUNCTION is calling the Ruleset, and the Ruleset has the operation "Change USER_DEFAULT_ID after processing expression LOOP_CONNECTOR_ITEMS".

      So, could you say to which value USER_DEFAULT_ID will be changed, and what is meant by "after processing expression LOOP_CONNECTOR_ITEMS"?

      - I could not understand the logic of the loop.

      /wp-content/uploads/2015/05/as_696993.png

      - Also, George's screenshots are not in sequence. He first adds the condition 'then'. Why not 'if'?

      Could you please suggest, as I have to review a User Default setting.

      Regards

      Plaban

      Former Member

      Hi Madhu,

      Using the above concept I was able to achieve User Defaults for 3 test connectors.

      How is this possible when there are 15 different time zones (so 15 User Default IDs) and 44 different connectors?

      Do we need to maintain 15 X 44 = 660 entries at both places: i) SPRO -->GRC --> AC --> User Provisioning--> User defaults

      ii) BRF+ decision table

      I see that we can have an asterisk (*) in the Connector column in the Decision table but not in SPRO.

      Is there any other alternative for this?

      Please advise.

      Regards

      Sri

      Former Member

      Excellent document Madhu.

      Regards,

      Venu

      Trilok Chandar kola

      Thank you for the document Madhu.


      I need the user group in the user system details tab given in the ARM request to be reflected in SU01 after provisioning, not the user group maintained in the User Defaults in SPRO for that connector. How can I proceed on this?



      Kind regards,

      Trilok Kola

      Former Member

      FYI...

      I maintained... 15 X 44 = 660 entries at both places i) SPRO -->GRC --> AC --> User Provisioning--> User defaults

      ii) BRF+ decision table

      works perfectly fine..

      Thanks Madhu 🙂

      Former Member

      Hi Madhu,

      It's a great document.

      I am a new learner and finding it tough to implement the ruleset and loop part.

      Can you kindly help with some step details here?

      Former Member

      FYI.

      Learned today from SAP support that the desired outcome is not working when CUA is used and where note 1983814 thus is relevant. (Tested on 10.1 SP6)

      At some of my clients there is a need to provision certain (child system) connector specific SU01 user parameters depending on business roles in the request. Whilst debugging found out that the CUA connector that is to be set mandatory to note mentioned above, is 1 on 1 taken over by the ABAP provisioning engine and that the corresponding CUA child systems connectors (to be derived from decision table as for example mentioned high up above) are not considered. Meaning all child systems being derived from the request's line items get the same user default value assigned (which is the first one the loop routine finds). The function involved is therefore not taking into account the sub-systems from the request (indirectly GRC masterdata). A missed opportunity I would say.

      SAP support is now in the process of deciding whether this is 'as designed' or 'to be fixed'.

      Will update once their decision is known.

      May the force be with you.

      Rgds,

      George

      -------------------------------------------------------------------------------------------------------

      OK, got feedback from the SAP Support guys:

      CUA_USER_DEFAULTS_PER_ROLE.jpg

      and

      2_CUA_USER_DEFAULTS_PER_ROLE.jpg

      I just hoped 10.1 architectured classes would cover this requirement, which is not that exotic I feel. But hey, nobody is perfect so I'll open an SAP influence request for this that you may want to vote on. (remember: Don't vote = Don't complain 🙂)

      Vote, just click this 'tinyurl':

      https://ideas.sap.com/D30205?status_id_filter=335897B6-05D7-4568-8804-3F55E3B39025&current_tab=Recent&row_num=1&getparameters=1

      Cheers,

      George

      Jeanne Grimes

      I have a question as well.  When adding the user defaults master data through SPRO; is there a way to do a mass change or upload?  I have 50 systems being provisioned from GRC and one of the user defaults is based on the user's country so I have a lot of entries that need to be added.

      Kevin Tucholke

      Jeanne:  I don't know of a mass upload, but you can copy.  Please see note 2203962 before you do this as there was an issue in the number incrementation for them.

      Kevin Tucholke

      Former Member

      Hi Jeanne

      I used GUI scripting to maintain 660 User Default IDs and associated user default entries in table GRACUSERDEFAULT (SPRO -->GRC --> AC --> User Provisioning--> User defaults).

      Each system has 15 user default IDs (one for each time zone) and there were 44 connectors; based on the company code (location of the company) of the employee, the respective user defaults get assigned to the user.

      Former Member

      Dear experts,

      I am having some issues with the steps in this document. I would really appreciate it if one of the experts could help me.

      Firstly, I am not able to activate the ruleset.

      Secondly, I could not see the status and execution tabs under function "USER_DEFAULT_FUNCTION".

      My decision table is as follows:

      My loop is as follows:

      Former Member

      Hi Madhu ,

      This is a good article on how to achieve the user group provisioning using GRC and really helps in understanding the concept of looping and ruleset too.

      I do have one query though. I executed all the steps as mentioned, but the user groups are still not getting provisioned, whereas the normal access request is going through and the user is created.

      Is there anything that I am missing with the setup as below:

      • Created user defaults ( group) for each connector and generated the default ID.
      • Ensured Request type ‘Create user’ has ‘User defaults’ mentioned in its actions.
      • Ensured that the ‘User Defaults’ Application ID is mapped to the access req. process ID.
      • Created a decision table providing the output to User_default_ID associated with the application. Our logic is based on Business process and Sub process selections (Decision table simulations are providing us with as expected results).
      • Created loop for condition to process multiple line items that maybe part of a request - We do have multiple systems provisioning through a single request.
      • Created Ruleset with the rule to change USER_DEFAULT_ID after processing the loop... also ensured that the function has the ruleset associated and the result data object mentioned.

       

      Please advise.

       

      Regards,

      Akhil