Issues, Bugs and Related Fixes – GRC 10.1 – SP05
Purpose
I am currently working on GRC 10.1 SP05. I can see a lot of customers also working on the same SP or upgraded to the same SP. There are a lot of issues in GRC 10.1 SP05 which we came across. I am updating the issues with the relevant SAP notes here to make it easy for those who come across the same issues as mine. I am also requesting others to contribute by adding details which we might have missed.
There are still a lot of issues which we are working on, and we will update this blog regularly based on our issues and fixes.
NOTE: There can be a few SAP notes which SAP might have released specifically for us, but if the issue is relevant in your system you can request the same from SAP 🙂
2. ExceptionTypeError: Access is denied.
User able to delete and administer all jobs in GRC system
Related SAP Fix
Need to put this in GRC Ideas place
Issue 12
We are facing an issue while searching for users from LDAP. If we type a user ID and press ENTER, then the user details are populated correctly from LDAP. However, if we click on the button to search for a user from the pop-up screen, then the system doesn’t show any search result from LDAP.
This was working fine before we implemented SAP Note 1982896. This functionality is broken by this note.
Related SAP Fix
Kindly implement note 2025895 after implementing note 1982896 to resolve the issue.
1982896 – UAM: Fuzzy Search is not working on User ID and copy request is not copying line items.
2025895 – UAM: Users not searched from HR/LDAP connectors if Realtime search parameter 2050 is YES
Issue 13
We are facing an issue while downloading the default role template to upload default roles. Once we click on the default role template button, there is no action from the system.
Related SAP Fix
2044932 – FPM Search GUIBB: dump or empty screen
2018804 – UAM: Dump in default roles while clicking the Import from file button
2067320 – Default role file import does not support connector group with space
Issue 14
We noticed that in an unlock account request users are able to add a role via the existing account option. This should not be allowed. We have given only the existing “Unlock Account” action to the unlock request type. This is a bug in system functionality.
Related SAP Fix
2101596 – UAM: In Existing assignment, systems are selectable though request doesn’t have any system action.
2048988 – System are selectable in existing assignments for Assign ob
Remarks
After applying the above notes everything was working fine and then we found out that Business roles are being added from existing assignments when creating unlock account request. Waiting for update from SAP for this issue 😯
Issue 15
We have mapped the business role as a default role in our configuration, along with other single and composite roles. If a user submits a request and this request fulfills the default role criteria, only single and composite roles are auto-populated in the request. The configured business roles are not populated in the request.
We have already implemented SAP Note “2030797 – Default role is not getting populated in Access Request in case of Business Role”
Related SAP Fix
2077121 – UAM: Business Role as default role is not working for Request level
Issue 16
We are using the GRC End User Login services for all new users to request access to the SAP system. The new users have an LDAP account. We are using SiteMinder to authenticate the user against its LDAP before calling the SAP Webdynpro application. We have enabled the SAP SSO parameter login/accept_sso2_ticket=1 to accept an SSO ticket.
We are having a problem getting the GRC End User Logon services (Webdynpro application grac_uibb_end_user_login) to authenticate from SiteMinder. The Webdynpro application doesn’t recognize that the user has already been authenticated by SiteMinder. It still shows the screen asking for user ID and password.
Is there a configuration that we need to do for the Webdynpro application to authenticate to it?
Related SAP Suggestion
SiteMinder validation is not supported in GRC End User Login. Kindly refer to note 1575897 and create an enhancement request in the Idea Place.
1575897 – Logging Enhancement Request – Business Objects Access Control
Issue 17
While raising the access request, the user selects a business role, and the validity date for the business role is not set automatically. The Valid to date is cleared in the case of Business Roles. Business Roles don’t have a validity date.
Related SAP Fix
2095046 – UAM: Business Role Valid to date is blank
Issue 18
We noticed that the drop downs on the access request page are not sorted based on description. For example, while selecting roles, the drop downs for Functional Area, Business Process, and Company are not sorted based on the description. They are sorted based on ID, which is not visible to the user in the drop down. This causes confusion for users, as they need to browse through the whole list, which may go up to 100 line items.
Related SAP Fix
2061817 – UAM: Access Request field values are not sorted with short description
Issue 19
We have configured our LDAP server as a user data source. Our LDAP server has 2 fields (Mail, Mid Mail) which store the email ID. The system is able to pull the mail information correctly if it is available in either of these fields.
The issue happens when we try to search for users by using Email ID. The search with email ID doesn’t work. It simply doesn’t return the result.
Related SAP Fix
2102827 – Search LDAP User Using ID and Email Address
Issue 21
We have created an ABAP Webdynpro iView for the GRC application grac_oif_request_approval. This is to ensure that the link will use SSO automatically when clicked inside an email. Everything is working fine except when the user starts clicking any link inside the ABAP Webdynpro application. All of a sudden, the link being generated uses a Portal NavigationTarget instead of the usual link generated when launched from SAP ABAP ICM. Because it generates a different link, it doesn’t call the correct ABAP service to display the content.
May we know how to force the Portal so that the generated link follows the link used when it is launched from SAP ABAP ICM?
Related SAP Fix
Waiting for SAP to help with this issue
Issue 22
Every time the user creates an access request to lock a user in Portal, the following messages are generated in the access request log:
Could not update user Attribute “lockreason” on namespace “com.sap.security.core.usermanagement” of principal “UACC.R3.DATASOURCE.S8”.
Object class name does not exist in IDM.
By the way, our Portal UME is using a Backend SAP ABAP.
Related SAP Fix
Waiting for SAP to help with this issue
Issue 23
The default role upload is not working if we include business roles as part of the default role. It checks for the system of the role; however, the system is not applicable in the case of a business role. This is causing the issue.
We compared the behavior by leaving the system field blank and found that in the back-end it is stored as “ALL SYSTEM”; however, if we set the business role manually (without upload), it is stored as “BUSINESS_ROLE”. Could you check this functionality and provide a fix for us?
Related SAP Fix
2084889 – Default role file import is not working for business role
Issue 24
We noticed that if an Approver (A) delegates his rights to another approver (B), the approver (B) gets the request in their work inbox; however, they don’t get the notification. As a result, the delegated approver (B) will not be aware of any new access request routed for his approval.
Related SAP Fix
1589130 – GRC AC 10.0 – MSMP Notification Override BADi – Enabling
1734548 – Delegated Approver is not receiving the Email
2028411 – Workflow delegation BADI not executed during delegation in Access Controls
Business Role Management (BRM)
Issue 1
When risk analysis is performed at the Critical permission level for certain roles with inactive Authorization objects through BRM, the risk is flagged by the system. However, this behavior is not consistent for all roles. In some cases, the roles with the same inactive authorization objects are not flagged.
Related SAP Fix
2036645 – Role Risk Analysis shows inactive authorization objects
Issue 2
We found that Role Search while creating an access request is not correct. The search result is impacted by the parameter max no. of result row. It seems the system is considering the parameter “Max no. of result row” to look into the list of roles.
For example:
If this parameter is set to 100, then the system looks for roles only in the first 100 roles and shows only 3 roles as the result.
If we set this parameter to 50, then the system looks only in the first 50 roles and returns only 2 roles.
Related SAP Fix
2059283 – Role Search is not accurate
Issue 3
Unable to search for a Business role based on an action maintained in a single role on the role search screen when the business role has a composite role and that composite role has a single role.
Related SAP Fix
2093026 – Unable to search Business role based on action maintained in single role on role search screen
Issue 4
We are facing an issue while importing Composite roles in BRM. The system does not import any of the composite roles in BRM. We are trying to import the roles from the back-end and selecting the role parameters during the import process. With the same steps we managed to import all the single roles; however, we are not able to import any of the composite roles. We have already run the authority sync and repository sync jobs. We have also imported all the single roles associated with the composite roles.
Related SAP Fix
2027477 – Composite role import is not working
Issue 5
The issue is that when the role owner is approving the role changes, he should be aware of all the mitigation controls applied to the role. This is only possible if “include mitigated risk” is checked by default when the system auto-triggers the risk analysis before generating the role.
Risks were not displayed in the Analyze Risks – Role Generation Phase even though risks were displayed in the Risk Analysis Phase.
Our methodology is as follows:
Define –> Maintain Authorization –> Risk Analysis –> Generate –> Maintain test case –> Approval –> Complete
Related SAP Fix
2075894 – BRM: Risks are not displayed in the Role Generation Phase
Issue 6
We are facing an issue in role certification. When the user clicks on the link from role certification, the user is able to view the Define tab of the role in display mode; however, if he tries to navigate to the Maintain Authorization or Risk Analysis process step, the system gives a dump “Assert Condition violated”.
The role owner is not able to see the list of approvers and company mapped with the role. This information is required to certify the role. This information should be available to the role owner in display mode.
Related SAP Fix
2061588 – Assertion failed dump with no edit authorization in role methodology
Issue 7
We found that role prerequisites are not available in the Role Parameter import template. These are also role parameters, the same as Functional Area, Company, and Business Process. Please rectify the problem and provide a fix to us. We need to upload prerequisites for 6000+ roles. This parameter should be part of the Role Import Template.
Related SAP Fix
SAP has provided a Z program and a related step-by-step document. If anyone has the same requirement, let us know and I can share the program details here 🙂
Issue 8
We found that Role Owner search under “Define Role” Methodology step is working correctly. There are 2 fields (Owner & User ID) to search. If we put user ID (S80*) in user ID field it gives no result. However if we put user ID (S80*) in Owner field we get the search result. If we put user name (MADHU) in Owner field then there is no result and if we put user name in User ID then we can get the result.
The search is not working correctly as per the parameter provided. If we provide Owner it looks in User ID and if we provide User ID it looks into role owner name.
Related SAP Fix
2092209 – Text for user name in approver search help during role definition is ambiguous
Access Risk Analysis (ARA)
Issue 1
We are trying to transport the ruleset from SPRO, but it gives an error.
Related SAP Fix
1968082 – Not able to create transport for SoD Rules after upgrading to NW 740 SP04
Emergency Access Management (EAM)
Issue 1
We have noticed that some notification variables for Firefighter log review don’t get filled in the notification template. The following parameters are not working:
LINK_WORKITEM
Related SAP Fix
1983997 – LINK_WORKITEM variable not filled for FF Log Review Report Workflow
Issue 2
We noticed that the FF Log Review report doesn’t have any option to relate the logs to the original access request. We want to see this mapping in the log review request so that reviewers will be able to match the request justification raised by the firefighter against the activities performed by him.
As we understand it, this is not available in the standard product, but it is a very critical requirement for Log Review. Could you please let us know any possible workaround to achieve this requirement?
Related SAP Fix
Waiting for SAP update
Issue 3
We are running GRAC_SPM_LOG_SYNC_UPDATE as a background job in our GRC system to extract the GRC SPM log from our ECC Production system. We noticed that we need to set the parameter rdisp/max_wprun_time considerably high (around 43200 secs) in the ECC system, otherwise the background job will fail in GRC. Our policy is that rdisp/max_wprun_time should only be set to 3600 secs (1 hour). This is to ensure that the work processes are not blocked, which would lead to a system standstill.
If we reset rdisp/max_wprun_time to 3600 secs, the GRAC_SPM_LOG_SYNC_UPDATE job will fail and the SPM logs that are not synced will also grow, which will make the job runtime even longer.
Is there a way to optimize the GRAC_SPM_LOG_SYNC_UPDATE job performance so that it will fit within the rdisp/max_wprun_time of 3600 secs? Can it have the same behaviour as a BW extraction job, which is not affected by the parameter rdisp/max_wprun_time even though it runs longer than 3600 secs?
Related SAP Fix
Please check these notes. They describe ways of optimizing the performance of the EAM sync job.
1617529 – Best Practices For Improving Performance of EAM Log Sync job
1741151 – GRC 10.0 Indexing on CDHDR table in case of time out issue due to huge data
2047097 – Communication failure with remote system (SAP Query)
Reports and Analytics
Issue 1
The access rule library pops out automatically once the group rule level is changed.
Please follow the following steps for reproduction and refer to the attached screenshot.
1. Click on the “Reports and Analytics”
2. Click on Dashboard report “Access Rule Library”
3. Click on the pie chart with high violations and close the window
4. Now change the group level to “Critical Permission”
5. The window is auto populated without user action
This behavior is an irritant and needs to be resolved, as this is a bug.
Related SAP Fix
2061888 – In Access Rule library report, popup gets open without user action
Issue 2
The report “User to Role relationship” is not working as expected. If there is a role which doesn’t have a profile then this report doesn’t pick the role in output.
The expected output for this report is to include all the roles which are assigned to the user irrespective of profile of the role as this report is to show the relation between role and user instead of user and profile.
Related SAP Fix
2093024 – User to Role Relationship report not showing roles that does not have any profile generated
2107567 – User to role relationship shows empty profile even for generated roles
Issue 3
The Change Log report does not show results when the search criteria are in lower case. The report does not have an option to save the file in Excel.
Reports and Analytics -> Audit Reports -> Change Log Report
Related SAP Fix
2061392 – Role name is case sensitive while executing the change log report
Issue 4
As a part of the UAT phase, the following issue was noticed in GRC 10.1 with SP Level 5. The role library dashboard does not have an export option in the drill-down list.
Related SAP Fix
2062839 – Export option not visible in the drill down of role library report
Issue 5
We noticed that some reports give results in foreground mode; however, if we schedule the same job in the background, it doesn’t give any result.
List of reports which are failing:
1. Role Relationship with User Group (No Output)
Related SAP Fix
2073736 – Role Relationship with user/user group is not working in background option
Issue 6
We have seen incorrect data being populated in the SAP standard dashboard report “Access Requests”. The numbers shown in the access request pie chart and those shown in requests by type, for a similar period and similar filter criteria, are not shown correctly.
Related SAP Fix
2064801 – UAM: Incorrect values displayed in access request report and drill down doesn’t display data in provisioning report
Issue 7
We noticed that some reports give results in foreground mode; however, if we schedule the same job in the background, it doesn’t give any result.
List of reports which are failing:
Approver Delegation (Dump)
Related SAP Fix
2083663 – UAM: Approver Delegation report is generating short dump when it is run in background
Issue 8
We noticed that the user group filter for the report (List Expired and Expiring roles) is not working. The user group is a very good criterion for listing the appropriate report for consumption by the user administrator.
Related SAP Fix
2066074 – List Expired and Expiring Roles for Users Report not working
*** Anyone interested to collaborate with the details which can add more value to this blog post, please let me know ***
Hello Madhu babu,
Searching for a word better than EXCELLENT to describe this doc.
Where do you get all the time to share this huge and useful doc? Please Share the Secret.
Thanks a lot in advance.
Regards
Deepak M
Hi Deepak,
There is nothing as such Secret 🙂
I have the habit of documenting things whenever I learn something and this is one such document..
Regards,
Madhu.
Really good document Madhu. Thanks for keeping lot of efforts. 🙂
Hello Madhu babu,
In topic "Access Request Module (ARQ) - Issue 2",
is there no correction note?
Regards,
Inacio
Hi Inacio,
I remember SAP shared this solution with us on OSS message and not through SAP note.
Regards,
Madhu.
fantastic analysis and solutions.
Well done Madhu
Muthu
Dear Madhu,
Excellent and useful document
Thanks for sharing your efforts!!!
Regards
Baithi
Hi Madhu,
I'm getting the below-mentioned error while assigning roles to any of the users in one of our HR systems.
Pls help me out/throw some light on how to resolve this error.
Note : User has all authorizations.
Thanks
KH
Hi Madhu
Excellent work and thanks for sharing your experience.
With Regards
Trinadh Bokka
I can only echo the other comments - thank you for putting this together. An excellent resource.
Regards,
Shannon O'Bryan
Hi Madhu,
Excellent Work - Appreciate your time and effort in Putting together this Document.
Regards,
Meena Chandhrabose.
Thanks a lot for sharing this document
Hi Madhu,
Very good documentation indeed. I am also facing the same problem as described in Issue 22. Did you get a solution for it? I have enabled SSO between the portal and the GRC system and want approvers to get a portal link to approve the access control requests.
Default Action of function is not getting populated in Access Request. While executing NWBC -> Setup -> Access Rule Maintenance -> Function, by default I can only see HANA's function ID (ideally all function IDs should be visible). Under the function, clicking on Open should show the Action, but unfortunately I am unable to see the Action. I have executed/generated all rule sets and BC sets too.
Can you please help?