Technical Articles
SAP GRC User Access Review – Issues and Fixes – SP13
User Access Review – Nightmare in GRC SP13 I will update this regularly with all our issues and fixes.
Customize Review Instructions
For customizing the UAR review instructions in the UAR request approval screen, please implement the below SAP notes:
Below note is for creating a program and then creating a SE61 template for maintaining the customized instructions for UAR
1926795 – Not possible to customize UAR review instructions
Below is note is to format the instructions in the same way as maintained in SE61 in request approval screen:
1946444 – UAR Review Instruction Format in Access Request
BRF+ Fields for UAR requests
During UAR implementation, in BRF+ rule use ROLE_CONNECTOR and however your BRF+ rule doesn’t work. To fix this issue and to route your UAR requests based on System implelment below SAP note:
1917837 – UAM : Connector based brf + rule is not working
Basic UAR Issues
In the UAR request approval screen, we observed some below mentioned issues.
1. User Name is not coming
2. Individual Role can be forwarded to another approver
3. Sometimes only UserID shows up and no role details
We fixed all above issues mentioned using below SAP note:
1868950 – UAM: UAR request display, print and forward assignment issue
UAR Jobs – Issues
When we schedule UAR jobs, although they are completed, they are still shown with In-process status. For this SAP has provided a note specific to few customers only.
1997960 – UAM: Unable to generate request for UAR/SOD.
UAR Reports – Issues
When UAR request is forwarded to another approver, in the UAR status report Approver ID is showing wrong. To correct this we implemented below SAP note:
1895571 – UAM: User Access Review status report not working
We have raised a OSS message to SAP as there is no connector based search available for UAR status reports. Below is the note provided to us which is not yet released to all customers.
2072384 Connector Criteria available in UAR Status report
Attachment of this note also attached in this post. Please check.
Symptom:
1. UAR history and status reports dump due to huge data.
2. No system/connector criteria availabe in user review status report.
Reason and Prerequisites
All data for all request was being stored in an internal table
Solution
Implement attached correction instructions
Add connector in User review status report
1. Go to T-code SE 11 and select View radio button.
2. Enter V_GRFNREPFILTER and click on display button.
3. Click on highlighted icon.
4. Enter report name ‘GRAC_CUP_USR_RVW_RPT”.
5. Click on edit icon, a window will pop up and press enter.
6. Click on new entry and enter as new entry for connector as mentioned below.
7. Save and activate the view.
Other terms
UAR history, UAR status, reports, dump, memory overflow, connector
————————————————————————
|Manual Pre-Implement. |
————————————————————————
|VALID FOR |
|Software Component GRCFND_A GRCFND_A |
| Release V1000 SAPK-V1004INGRCFNDA – SAPK-V1017INGRCFNDA |
————————————————————————
Kindly follow the steps as mentioned in attached file
(Connector_add.docx)
________________________________________________________________________
Valid Releases
GRCFND_A
V1000
V1100
________________________________________________________________________
After implementing the SAP note 2072384, we got another issue in the UAR status report where Stage column in the report is showing the same stage for all requests. For this SAP has released another note for us which is not yet released to all customers. Below is the SAP note:
2096437 – UAM: User review status report showing Incorrect Stage details
Symptom
UAR- User Review status report shows incorrect stage details.
Reason and Prerequisites
Wrong value is passed.
Solution
Implement the correction instruction.
Other terms
GRC, AC, UAR, Stage, User Review Status, Report.
Madhu,
do you also have problems that the manager is wrongly picked? I am using HR as data source and I have the problem that when the manager is manager it picks himself.
Regards,
Alessandro
Dear Alessandro,
We are using LDAP as data source, may be that's the reason we didn't had that issue. You can include the details of your issue in this post, I have opened it for collaboration.
Thanks,
Madhu.
Hi Madhu,
I have an interesting problem. The UAR job ran correctly, and produced entries that were reviewed by an Admin and then they were assigned coordinators, and then the workflow was updated.
Managers got their emails, went into their work inboxes and removed roles, which were auto provisioned correctly, and rejected users, and in other cases approved.
For rejected users, I went to manage rejections and then set the users to "Generate Requests".
According to the UAR guide, there should be a background job called UAR Review Process Rejected.
However I am unable to find this in my background sheduler.
Am I looking in the wrong place?
Thanks,
Santosh
Hi Madhu,
I have an strange issue. The UAR jobs scheduled are completed successfully. The request created went for manager approval, once the manager mark the roles for removal and approve the request. The request is completed and path is finished but in the Audit log it says user does not exist in target system. Even though the user exist, i still get that error
I have ran all the required repo, action, role, auth sync jobs on the connector.
Provision setting is selected as at the end of request with no validation.
Even parameter 2051 i set it to no but no success.
Have you faced this issue.
Hi Shuvam,
I am also facing the same issue during UAR implementation and getting the same error message. Did you resolve the issue, if yes how?
Would appreciate all your help.
Thanks,
Varun Jain
Hi Varun,
Yes the issue was fixed for me.
Issue: The repository system was marked as CUA in spro, hence after the request approval the workflow was unable to find the user since the GRC system was marked as parent system.
Solution: Navigate to path SPRO-->GRC-->-->ACCESS CONTROL -->USER PROVISINING -->MAINTAIN CUA SETTINGS.
Uncheck the active button if already marked.
Another issue might be due to RFC connection not working. If above not solve the issue, try this as well.
Let me know if solution works for you as well.
Regards
Shuvam