Skip to Content

Purpose of User Defaults:


When a new user is being created in the target system, all users of that system might require few common user defaults like Logon Language, Time Zone, Decimal Notation, Date Format, Parameters etc. Hence when a user is getting created through GRC, based on the request type these user defaults can be assigned to the users.

By including user defaults as part of request type (mostly New Account), user gets created with required user defaults in the target system.

Important SAP notes regarding User Defaults to refer before configuring User Defaults:


1615552 – GRC 10.0 How to set User Default


1665585 – User Defaults BRF+ rule not working correctly


2020712 – UAM: User group not provisioned after request provisioning

Steps to Implement User Defaults:


Step 1: Maintain “User Defaults “action as part of your Request Type. My Request Type 36 is for “New Account” and I have assigned “User Defaults” as shown below.

SPRO =>Governance, Risk and Compliance =>Access Control =>User Provisioning =>Define Request Type

Step 2: Go to SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain User Defaults

Define User defaults for different connectors connected to your GRC system. One example as shown below:

You can assign default User Group and default Parameters based on the connector by using options “Set the User Group” and “Set Parameter ID” in the above screen as per your requirement.

Once you define the User Defaults as mentioned above and save it, a unique “Default-Id” gets created as shown below. This is the User Default Id which will be used in BRF+ decision table while configuring User Defaults.

Step 3: Existing BRF+ User Defaults application “GRAC_BRFP_USER_DEFAULTS” provided by SAP will be used during configuration of user defaults.

Copy the Function Id of USER_DEFAULT_FUNCTION from BRF+ application.

Now map the BRF+ Application for user defaults under the IMG configuration shown below:

Go to IMG->Governance, Risk and Compliance->Access Control->Maintain AC Applications and BRFPlus Function Mapping

Step 4: Add Decision Table and Loop expression to BRF+ User Defaults function as shown below:

Decision Table: In the decision table maintain entries as shown below

Loop: For using “System” as one of the fields in setting the conditions for User Defaults, SAP suggested for implementing a LOOP in BRF+ Rule. This might be needed since “System” field is not available under Request Header attributes, rather it is available as Role Attributes which are called as line-item fields while calling the BRF Rule. So, in such cases LOOP is a suggested solution, rather than using the Decision Table directly. Though within the LOOP, we can still call the Decision Table or implement IF/ELSE conditions.

Step 1:

Change the Mode of the BRF+ User Defaults Function from “Functional and Event Mode” to “Event Mode”


Now click on “Assigned Rule sets” tab in Function and click on “Create Ruleset”


Ruleset gets created as shown below. Now click on the Ruleset and navigate to Ruleset screen

Click on “Insert Rule” and select “Create” option as shown below


In the Rules screen, fill in the role description and click on “Add” button and select the options as shown below


Once the above step is completed LOOP is created. Now navigate to LOOP by clicking on LOOP_CONNECTOR_ITEMS and you will see below screen.


Once you click on “Create Rule”, you will get the below screen.


Select the decision table as you want to LOOP on the entries in your decision table. Once done click on “OK” button.



Ruleset: When a Function is in event mode, it looks for additional logic execution depending on the Rule-set defined.


Once all above things are done, activate the Decision table, Loop, Ruleset, Function and Application.

Step 5:  Now Create an Access request to test the User defaults and once the User is created please cross check the User Defaults in SU01 to check if everything is fine. If all the above steps are followed properly, User defaults will get updated properly as below in SU01.

Reference Links: http://wiki.scn.sap.com/wiki/display/GRC/Setting+up+User+Defaults

To report this post you need to login first.

23 Comments

You must be Logged on to comment or reply to a post.

  1. Sara G

    Hi Madhu.

    Is it possible to assign roles instead of user attributes (printer, parameters, etc…) throughs the User Defautl functionality?

    Regards and thank you.

    (0) 
    1. Madhu Babu Sai #MJ Post author

      Hi Sara,

      As far as I know few actions like Sending Mail, Starting ABAP workflows etc can be done from BRF+. I am not sure whether role assignment can be done through an action in BRF+ 😯

      May be you can check in BRF+ space for more details.

      Regards,

      Madhu.

      (0) 
  2. Yuvaraj Y

    Hi Madhu,

    Very helpful document!

    Can you please help on detailed steps to create Rules under Loop expression. Your screenshot is at very high level and i’m facing hard time to get these rules created under loop.

    loop.JPG

    Regards,

    Yuvaraj

    (0) 
  3. Santosh Krishnan

    Hi Madhu,

    This is a great document and it might address the issue we’re trying to solve. 

    Please note in this screenshot the field User Group.  All we want to do is to have this be retrieved from our user data source, instead of from the target system.

    The above method seems to be overkill for what we want to achieve.

    Capture.PNG

    Thanks,

    Santosh

    (0) 
  4. George Borghouts

    Helpful document!

    Took me about an hour to replicate therefore: screenshots on steps to create Rules under Loop expression:

    /wp-content/uploads/2015/01/loop_1_633271.jpg

    next

    /wp-content/uploads/2015/01/loop_2_633296.jpg

    next

    /wp-content/uploads/2015/01/loop_3_633297.jpg

    next

    /wp-content/uploads/2015/01/loop_4_633298.jpg

    next

    /wp-content/uploads/2015/01/loop_5_633299.jpg

    next

    /wp-content/uploads/2015/01/loop_6_633300.jpg

    finally (change is equal to: isnotinitially)

    /wp-content/uploads/2015/01/loop_7_633301.jpg

    (0) 
  5. Plaban Sahoo

    Hi Madhu,

    Really appreciate your generosity in sharing this document. But could you also let know, how to include values(create rules), as shown in loop and Ruleset.

    Regards

    Plaban

    (0) 
    1. Madhu Babu Sai #MJ Post author

      Hi Plaban,

      Please check comment prior to you where George has posted the screenshots which i didn’t mention in blog. I will update the blog with missing screenshots but for time being you can follow as mentioned by George

      Regards,

      Madhu.

      (0) 
      1. Rakesh Ram

        Hello Madhu,

        Hope you are doing good. Thanks a lot for all the time you are investing to share tons on knowledge on GRC AC 10.0

        Can you explain this? Not able to understand

        Loop: For using “System” as one of the fields in setting the conditions for User Defaults, SAP suggested for implementing a LOOP in BRF+ Rule. This might be needed since “System” field is not available under Request Header attributes, rather it is available as Role Attributes which are called as line-item fields while calling the BRF Rule. So, in such cases LOOP is a suggested solution, rather than using the Decision Table directly. Though within the LOOP, we can still call the Decision Table or implement IF/ELSE conditions.



        Thanks in advance.


        Regards,

        Deepak M

        (0) 
        1. Madhu Babu Sai #MJ Post author

          Hi Deepak,

          Basically the concept is if you use only decision table it returns the matching value 🙂

          For example if your request has roles from 3 different systems then for each system you will have different User Default IDs, then your User Defaults should return 3 default IDs. So, you need to loop through all entries and return all matching values.

          Regards,

          Madhu.

          (0) 
      2. Plaban Sahoo

        Hi Madhu,

        i tried, but could not understand. So, could you please clarify my doubt:

        – Function USER_DEFAULT_FUNCTION is calling Ruleset,and Ruleset has the operation ” Change USER_DEFAULT_ID after processing expression LOOP_CONNECTOR_ITEMS.

        So, could you say to which value will USER_DEFAULT_ID be changed to, and what is meant by “after processing expression LOOP_CONNECTOR_ITEMS. “

        – I could not understand the logic of the loop.

        /wp-content/uploads/2015/05/as_696993.png

        – Also George’s screenshots are not in sequence. He first adds condition ‘then’. why not ‘if’

        Could you please suggest, as i have to review a User default setting.

        Regards

        Plaban

        (0) 
  6. srikanth kandy

    Hi Madhu,

    Using the above concept i was able to achieve User defaults for 3 test connectors.

    How is this possible when there are 15 different time zones(so 15 User default Ids) and 44 different connectors?

    Do we need to maintain 15 X 44 = 660 entries at both places i) SPRO –>GRC –> AC –> User Provisioning–> User defaults

    ii) BRF+ decision table

    I see that we can have asterix(*) in Connector column in Decision table but not in SPRO.

    Is there any other alternative for this?

    Please advise.

    Regards

    Sri

    (0) 
  7. Trilok kola

    Thank you for the document Madhu.


    I need the user group in user system details tab given in ARM request to be reflected in SU01 after provisioning, not the usergroup maintained in the Userdefaults in SPRO for that connector. How can i proceed on this,?



    Kind regards,

    Trilok Kola

    (0) 
  8. srikanth kandy

    FYI…

    I maintained… 15 X 44 = 660 entries at both places i) SPRO –>GRC –> AC –> User Provisioning–> User defaults

    ii) BRF+ decision table

    works perfectly fine..

    Thanks Madhu 🙂

    (0) 
  9. Somik Bose

    Hi Madhu,

    It’s great document.

    I am a new learner and getting it tough to implement the rule set and loop part?

    Can you kindly help with some step details here?

    (0) 
  10. George Borghouts

    FYI.

    Learned today from sap support that desired outcome is not working when CUA is used and where note 1983814 thus is relevant. (Tested on 10.1 SP6)

    At some of my clients there is a need to provision certain (child system) connector specific SU01 user parameters depending on business roles in the request. Whilst debugging found out that the CUA connector that is to be set mandatory to note mentioned above, is 1 on 1 taken over by the ABAP provisioning engine and that the corresponding CUA child systems connectors (to be derived from decision table as for example mentioned high up above) are not considered. Meaning all child systems being derived from the request’s line items get the same user default value assigned (which is the first one the loop routine finds). The function involved is therefore not taking into account the sub-systems from  the request ( indirectly GRC masterdata) . A missed oportunity i would say.

    SAP support is now in the process of deciding whether this is ‘as designed’ or ‘to be fixed’.

    Will update once their decision is known.

    May the force be with you.

    Rgds,

    George

    ——————————————————————————————————-

    OK, got feedback from the SAP Support guys:

    CUA_USER_DEFAULTS_PER_ROLE.jpg

    and

    2_CUA_USER_DEFAULTS_PER_ROLE.jpg

    I just hoped 10.1 architectured classes would cover this requirement, which is not that exotic I feel. But hey, nobody is perfect so I’ll open an SAP influence request for this that you may want to vote on. (remember: Don’t vote = Don’t complain 🙂

    Vote, just click this ‘tinyurl’:

    https://ideas.sap.com/D30205?status_id_filter=335897B6-05D7-4568-8804-3F55E3B39025&current_tab=Recent&row_num=1&getparameters=1

    Cheers,

    George

    (0) 
  11. Jeanne Grimes

    I have a question as well.  When adding the user defaults master data through SPRO; is there a way to do a mass change or upload?  I have 50 systems being provisioned from GRC and one of the user defaults is based on the user’s country so I have a lot of entries that need to be added.

    (0) 
    1. Kevin Tucholke

      Jeanne:  I don’t know of a mass upload, but you can copy.  Please see note 2203962 before you do this as there was an issue in the number incrementation for them.

      Kevin Tucholke

      (0) 
    2. srikanth kandy

      Hi Jeanne

      I used GUI scripting to maintain 660 Userdefault IDs and associated user default entries to table GRACUSERDEFAULT (SPRO –>GRC –> AC –> User Provisioning–> User defaults).

      Each system have 15 user defaults ids(one for each Time zone) and had 44 connectors and based on the company code(location of the company) of the employee the respective user defaults get assigned to the user.

      (0) 
  12. Saket godbole

    Dear experts,

    I am having some issues regarding to steps in this document. I would really appreciate if one of the experts could help me.

    Firstly, I am not able to activate ruleset. 

    Secondly, I could not see status and execution tabs under function “USER_DEFAULT_FUNCTION”

    My decision table as follows;

    my loop as follows;

    (0) 
  13. Akhil Venugopal

    Hi Madhu ,

    This is a good article on how to achieve the user group provisioning using GRC and really helps in understanding the concept of looping and ruleset too.

    I do have one query though, I executed all the steps as mentioned but still the user groups are not getting provisioned, whereas the normal Access request is going through and user created.

    Is there anything that I am missing with the set up as below :

    • Created user defaults ( group) for each connector and generated the default ID.
    • Ensured Request type ‘Create user’ has ‘User defaults’ mentioned in its actions.
    • Ensured that the ‘User Defaults’ Application ID is mapped to the access req. process ID.
    • Created a decision table providing the output to User_default_ID associated with the application. Our logic is based on Business process and Sub process selections (Decision table simulations are providing us with as expected results).
    • Created loop for condition to process multiple line items that maybe part of a request – We do have multiple systems provisioning through a single request.
    • Created Ruleset with the rule to change USER_DEFAULT_ID after processing the loop… also ensured that the function has the ruleset associated and the result data object mentioned.
    • ——————————-
    • ———————————

     

    Please advise.

     

    Regards,

    Akhil

    (0) 

Leave a Reply