Issues, Bugs and Related Fixes – GRC 10.1 – SP05

Purpose

I am currently working on GRC 10.1 SP05. I could see lot of customers also working on same SP or upgraded to same SP. There are lot of issues in GRC 10.1 SP05 which we came across. I am just updating the issues with relevant SAP notes here just to make it easy for the guys who come across the issues just like mine. Also I am requesting others to contribute by adding in the details which we might had missed out.

There are still lot of issues which we are working on and will update this blog regularly based on our issues and fixes.

NOTE: There can be few SAP notes which SAP might have released specific to us, but if the issue is relevant in your system you can request the same from SAP 🙂

 

2. ExceptionTypeError: Access is denied.

 

User able to delete and administer all jobs in GRC system

 

Related SAP Fix

Need to put this in GRC Ideas place

 

Issue 12

We are facing an issue while searching for users from LDAP. If we type a user ID and press ENTER then User details are populated correctly from LDAP. However if we click on button to search user from pop-up screen then system doesn’t shows any search result from LDAP.

This was working fine before we implemented a SAP Note 1982896. This functionality is broken by this note.

 

Related SAP Fix

Kindly implement the note 2025895 after implementing the note 1982896 to resolve the issue

1982896 – UAM: Fuzzy Search is not working on User ID and copy request is not copying line items.

2025895 – UAM: Users not searched from HR/LDAP connectors if Realtime search parameter 2050 is YES

 

Issue 13

We are facing issue while downloading the default role template to upload default roles. Once we click on default role template button there is no action from system.

 

Related SAP Fix

2044932 – FPM Search GUIBB: dump or empty screen

2018804 – UAM: Dump in default roles while clicking the Import from file button

2067320 – Default role file import does not support connector group with space

 

Issue 14

We noticed that in unlock account users are able to add role via existing account option. This should be not allowed. We have given only existing “Unlock Account” action to the unlock request type. This is a bug in system functionality.

 

Related SAP Fix

2101596 – UAM: In Existing assignment, systems are selectable though request doesn’t have any system action.

2048988 – System are selectable in existing assignments for Assign ob

 

Remarks

After applying the above notes everything was working fine and then we found out that Business roles are being added from existing assignments when creating unlock account request. Waiting for update from SAP for this issue 😯

 

Issue 15

We have mapped the business role as default role in our configuration with other single and composite roles. If a user submit the request and this request fulfills the default role criteria, however only single and composite roles are auto populated in request. The configured business roles are not populated in request.

We have already implemented SAP Note “2030797 – Default role is not getting populated in Access Request in case of Business Role”

 

Related SAP Fix

2077121 – UAM: Business Role as default role is not working for Request level

 

Issue 16

We are using this GRC End User Login services for all new users to request access to the SAP system. The new users have an LDAP account. We are using SiteMinder to authenticate the user to its LDAP before calling the SAP Webdynpro application. We have enabled the parameter SAP SSO parameter login/accept_sso2_ticket=1 to accept an SSO ticket.

We are having problem on the GRC End User Logon services (Webdynpro application grac_uibb_end_user_login) to authenticate from SiteMinder. The Webdynpro application doesn’t recognize that the user have already been authenticated by SiteMinder. It still show the screen asking for UserId and password.

Is there a configuration that we need to do for the Webdynpro application to authenticate to it?

 

Related SAP Suggestion

SiteMinder validation is not supported in GRC End user login. Kindly refer the note 1575897 and create an enhancement request in the Idea Place

1575897 – Logging Enhancement Request – Business Objects Access Control

 

Issue 17

While raising the access request the user selects business role and its validity date for business role is not set automatically. Valid to date is cleared in case of Business Roles. Business Roles doesn’t have validity date.

 

Related SAP Fix

2095046 – UAM: Business Role Valid to date is blank

 

Issue 18

We noticed that the drop downs on access request page are not sorted based on description. For Example while selecting the roles the dropdown for Functional Area, Business Process, and Company. These drop downs are not sorted based on the description. These are sorted based on ID which is not visible to the user in drop down. This causes a confusion to the user as they need to browse through the whole list which may go up to 100 line items.

 

Related SAP Fix

2061817 – UAM: Access Request field values are not sorted with short description

 

Issue 19

We have configured our LDAP server as a user data source. Our LDAP server has 2 fields (Mail, Mid Mail) which stores the Email ID. System is able to pull the mail information correctly if it is available in any of these fields.

The issue happens when we try to search for users by using Email ID. The search with email ID doesn’t work. It simply doesn’t return the result.

 

Related SAP Fix

2102827 – Search LDAP User Using ID and Email Address

 

Issue 21

We have created an ABAP Webdynpro iView for the GRC application grac_oif_request_approval. This is to ensure that the link will use SSO automatically when clicked inside an email. Everything is working fine except when the user start clicking any link inside the ABAP Webdynpro application. All of the sudden, the link being generated is using a Portal NavigationTarget instead of the usual link generated when launch from SAP ABAP ICM. Because it generated a different link, it doesn’t call the correct ABAP service to display the content.

May we know how to force the Portal to use the link generated will follow the link when it is being launch from SAP ABAP ICM.

 

Related SAP Fix

Waiting for SAP to help with this issue

 

Issue 22

Every time the user is creating an access request to lock a user in Portal, the following message are generated in the access request log:
Could not update user Attribute “lockreason” on namespace “com.sap.security.core.usermanagement” of principal “UACC.R3.DATASOURCE.S8”.
Object class name does not exist in IDM.
By the way, our Portal UME is using a Backend SAP ABAP.

 

Related SAP Fix

Waiting for SAP to help with this issue

 

Issue 23

The default role upload is not working if we include business roles as part of default role. It checks for the system of the role however the system is not applicable in case of business role. This is causing the issue.

We compared the behavior by leaving the system field blank and found that in back-end it stores as “ALL SYSTEM”, however if set the business role manually(Without upload) it stores as “BUSINESS_ROLE”. Could you check this functionality and provide a fix for us.

 

Related SAP Fix

2084889 – Default role file import is not working for business role

 

Issue 24

We noticed that if an Approver (A) delegate his rights to another approver (B). The approver (B) gets the request in their work inbox however they don’t get the notification. This cause that delegated approver (B) will not be aware of any new access request routed for his approval.

 

Related SAP Fix

1589130 – GRC AC 10.0 – MSMP Notification Override BADi – Enabling

1734548 – Delegated Approver is not receiving the Email

2028411 – Workflow delegation BADI not executed during delegation in Access Controls

Business Role Management (BRM)

 

Issue 1

When risk analysis is performed at the Critical permission level for certain roles with inactive Authorization objects through BRM, the risk is flagged by the system. However, this behavior is not consistent for all roles. In some cases, the roles with the same inactive authorization objects are not flagged.

 

Related SAP Fix

2036645 – Role Risk Analysis shows inactive authorization objects

 

Issue 2

We found that Role Search while creating an access request is not correct. The search result is impacted by parameter max no. of result row. It seems system is considering the parameter

“Max no. of result row” to look into the list of role.

For example:

If this parameter is set to 100 then system look for roles only in first 100 roles and shows only 3 roles as result.

If we set this parameter to 50 then system look only in first 50 roles and returns only 2 roles.

 

Related SAP Fix

2059283 – Role Search is not accurate

 

Issue 3

Unable to search Business role based on action maintained in single role on role search screen when business role having composite role and that composite role having single role.

 

Related SAP Fix

2093026 – Unable to search Business role based on action maintained in single role on role search screen

 

Issue 4

We are facing an issue while importing Composite roles in BRM. System does not import any of composite roles in BRM. We are trying to import the roles from back-end and selecting the role parameters during import process. With the same steps we managed to import all the single roles however not able to import any of the composite role. We have already run authority sync and repository sync job. We have also imported all the single roles associated with composite role.

 

Related SAP Fix

2027477 – Composite role import is not working

 

Issue 5

The issue is that when role owner is approving the role changes then he should be aware what all mitigation controls are applied to the role. This can only be possible if include mitigated risk is by default checked while system auto trigger the risk analysis before generating the role.

Risks were not displayed in the Analyze Risks – Role Generation Phase even though risks were displayed in Risk Analysis Phase

Our methodology is as follow:

Define –> Maintain Authorization –> Risk Analysis –> Generate –> Maintain test case –> Approval –> Complete

 

Related SAP Fix

2075894 – BRM: Risks are not displayed in the Role Generation Phase

 

Issue 6

We are facing issue in role certification. When user click on the link from role certification. The user is able to view the define tab of role in display mode however if he try to navigate to maintain authorization or risk analysis process step. System gives a dump “Assert Condition violated”

The role owner is not able to see the list of approvers and company mapped with the role. This information is required to certify the role. This information should be available to the role owner in display mode.

 

Related SAP Fix

2061588 – Assertion failed dump with no edit authorization in role methodology

 

Issue 7

We found that role prerequisites are not available in Role Parameter import template. These are also a role parameter same like functional area, Company, Business Process. Please rectify the problem and provide a fix to us. We need to upload prerequisite for 6000+ roles. This parameter should be part of Role Import Template.

 

Related SAP Fix

SAP has provided a Z program and related step by step document. Anyone has the same requirement let us know, I can share the program details here 🙂

 

Issue 8

We found that Role Owner search under “Define Role” Methodology step is working correctly. There are 2 fields (Owner & User ID) to search. If we put user ID (S80*) in user ID field it gives no result. However if we put user ID (S80*) in Owner field we get the search result. If we put user name (MADHU) in Owner field then there is no result and if we put user name in User ID then we can get the result.

The search is not working correctly as per the parameter provided. If we provide Owner it looks in User ID and if we provide User ID it looks into role owner name.

 

Related SAP Fix

2092209 – Text for user name in approver search help during role definition is ambiguous

Access Risk Analysis (ARA)

 

Issue 1

We are trying to transport the ruleset from SPRO but it gives error.

 

Related SAP Fix

1968082 – Not able to create transport for SoD Rules after upgrading to NW 740 SP04

 

Emergency Access Management (EAM)

 

Issue 1

We have noticed that some Notification variable for Firefighter log review doesn’t get filled in the notification template. Following are the parameters which are nor working.

LINK_WORKITEM

Related SAP Fix

1983997 – LINK_WORKITEM variable not filled for FF Log Review Report Workflow

 

Issue 2

We noticed that the FF Log Review report doesn’t have any option to relate the logs with the Original Access Request. We want to see this mapping in log review request so that reviewers will be able to match the request justification raised by firefighter and match the activities performed by him.

As we understand this is not available in standard product but this is very critical requirement for Log Review. Could you please let us know any possible workaround to achieve this requirement.

Related SAP Fix

Waiting for SAP update

Issue 3

We are running the GRAC_SPM_LOG_SYNC_UPDATE as a background job in our GRC system to extract GRC SPM log from our ECC Production system. We noticed that we need to increase the parameter rdisp/max_wprun_time considerably high (around 43200 secs) in the ECC system, otherwise the background job will fail in GRC. Our policy is that that the rdisp/max_wprun_time should only be set to 3600 secs (1 hour). This is to ensure that the work process are not block which will lead to system standstill.

If we reset the rdisp/max_wprun_time to 3600 secs, the GRAC_SPM_LOG_SYNC_UPDATE job will fail and the SPM logs that is not sync will also grow, which will make the job runtime even longer.

Is there a way to optimize the GRAC_SPM_LOG_SYNC_UPDATE job performance so that it will fit in the rdisp/max_wprun_time of 3600 secs? Can it have the same behaviour as BW extraction job which is not affected by the parameter rdisp/max_wprun_time even though it runs longer than 3600 secs?

Related SAP Fix

Please check this Notes. It describes the ways of optimizing the performance of EAM sync job.

1617529 – Best Practices For Improving Performance of EAM Log Sync job

1741151 – GRC 10.0 Indexing on CDHDR table in case of time out issue due to huge data

2047097 – Communication failure with remote system (SAP Query)

 

Reports and Analytics

 

Issue 1

The access rule library auto pop out once the group rule level is changed.

Please follow flowing steps for reproduction and refer to the attached screenshot.

1. Click on the “Reports and Analytics”

2. Click on Dashboard report “Access Rule Library”

3. Click on the pie chart with high violations and close the window

4. Now change the group level to “Critical Permission”

5. The window is auto populated without users actions

This behavior is an irritant and need to be resolved as this is bug.

 

Related SAP Fix

2061888 – In Access Rule library report, popup gets open without user action

 

Issue 2

The report “User to Role relationship” is not working as expected. If there is a role which doesn’t have a profile then this report doesn’t pick the role in output.

The expected output for this report is to include all the roles which are assigned to the user irrespective of profile of the role as this report is to show the relation between role and user instead of user and profile.

 

Related SAP Fix

2093024 – User to Role Relationship report not showing roles that does not have any profile generated

2107567 – User to role relationship shows empty profile even for generated roles

 

Issue 3

Change log report does not show results when the search criteria is in lower case. The report does not have option to save the file in excel.

Reports and Analytics -> Audit Reports -> Change Log Report

 

Related SAP Fix

2061392 – Role name is case sensitive while executing the change log report

 

Issue 4

As a part of the UAT phase following issue was noticed in the GRC 10.1 with SP Level 5. The role library dashboard does not have export option in the drill down list.

 

Related SAP Fix

2062839 – Export option not visible in the drill down of role library report

 

Issue 5

We noticed that that some reports are giving results in foreground mode however if we schedule the same job in background then it doesn’t give any result.

List of Reports which are failing.

 

1. Role Relationship with User Group (No Output)

Related SAP Fix

2073736 – Role Relationship with user/user group is not working in background option

 

Issue 6

We have seen incorrect data being populated in the SAP standard dashboard report “Access Requests”. The numbers shown in access request pie chart and shown in request by types for similar period and similar filter criteria are not shown correctly.

 

 

Related SAP Fix

2064801 – UAM: Incorrect values displayed in access request report and drill down doesn’t display data in provisioning report

 

Issue 7

We noticed that that some reports are giving results in foreground mode however if we schedule the same job in background then it doesn’t give any result.

List of Reports which are failing.

 

Approver Delegation (Dump)

 

Related SAP Fix

2083663 – UAM: Approver Delegation report is generating short dump when it is run in background

 

Issue 8

We noticed that user group filter for the report (List Expired and Expiring roles) is not working. The User group is a very good criteria to list out the appropriate report to consume by user administrator.

 

Related SAP Fix

2066074 – List Expired and Expiring Roles for Users Report not working

 

*** Anyone interested to collaborate with the details which can add more value to this blog post, please let me know ***