
Purpose of the document:

This document describes the UAR (User Access Review) configuration in GRC10 Access Control and some common issues. We have Wiki documents in SCN for configuring and troubleshooting UAR issues; along with that existing information, I have documented (as a collection of issues and notes) the common issues in UAR and the related solution notes, to keep everything on the same page for easy search.


I hope it will be helpful for those who are looking for UAR configuration, and if any related issue occurs.


For UAR workflow configuration and troubleshooting, refer to the Wiki links below.


User Access Review (UAR) Workflow Configuration and Description:

Wiki Document: http://wiki.scn.sap.com/wiki/x/foi-Eg

For troubleshooting:

Wiki Document: http://wiki.scn.sap.com/wiki/x/IYEcF

Make sure the following mandatory points/settings are in place for UAR (User Access Review):


(1) Prerequisite Jobs need to be executed, in sequence, as follows:

  • Repository Object Synch /GRAC_ROLEREP_ROLE_SYNC
  • Repository Object Synch /GRAC_ROLEREP_USER_SYNC
  • Action Usage Synch /GRAC_ACTION_USAGE_SYNC
  • Role Usage Synch /GRAC_ROLE_USAGE_SYNC

(2) Role Methodology verification: 

  • Verify that all the roles have been assigned to a methodology in ‘Business Role Management’.


(3) Reviewer Verification:

  • Verify that the role owners have been assigned to roles or role users have a manager assigned from the data source system.


(4) Verify Mandatory Configurations: 

  • Verify that the following configuration parameters have been maintained in the IMG.

         Run transaction SPRO, then go to IMG –> SAP Reference IMG –> Governance, Risk and Compliance –> Access Control –> Maintain Configuration Settings

    1. parameter id = 2004 (Request Type for UAR)
    2. parameter id = 2005 (Default Priority)
    3. parameter id = 2006  (Who are the reviewers?)

(5) Verify Coordinator Assignments: 

  • Verify that a coordinator has been assigned to the reviewers (role owner/manager). The coordinator assignment can be viewed from Coordinator and Reviewer Mapping screen.

Go to NWBC work center Access Management –> Compliance Certification Reviews –> Manage Coordinators


(6) User Access Review workflow job:

  • Verify that the task “Update Workflow for UAR request” has been executed from the background scheduler screen or the program GRAC_UAR_UPDATE_WORKFLOW has been executed.

  If the update workflow job does not trigger, then check the NOTE below:

1732890 – GRC 10.0 – Update Workflow for UAR request job does not trigger the workflow


(7) Verify Request Review:

  • Verify that all the requests are approved by the administrator from Request Review Screen.

Go to NWBC work center Access Management –> Compliance Certification Reviews –> Request Review.

Note: This applies only when ‘Admin Review’ is configured (in IMG, Governance, Risk and Compliance –> Access Control –> Maintain Configuration Settings, parameter id = 2007).


Most common errors when using User Access Review: different dumps

1955397 – Background jobs fail with SYSTEM_NO_ROLL error message in ABAP dump

1620493 – GRC 10.0 UAR Background Job stuck

2062769 – UAR update workflow job dumps in case of huge data

1879104 – UAM: Getting dump while scheduling UAR request with huge data 

1980305 – UAM: UAR report dumps when role usage data is huge

1780760 – Accessing the UAR request results in DUMP.

1977399 – UAM: UAR status report throwing dump.

2044946 – UAM: Dump is coming while forwarding UAR Request


If a number of backend systems are connected to the GRC system and UAR requests cannot be generated, check the NOTE below

2066113 – UAR requests not getting generated for some systems

If the error ‘Submission failure of request’ or ‘No active version exists for process SAP_GRAC_USER_ACCESS_REVIEW’ occurs while submitting a UAR request, then check the NOTE below

1620495 – GRC 10.0 UAR – Submission failure of request


If a created variant is not working for UAR review, then check the NOTE below

2042714 – UAM:Save variant not working for UAR request


If the error “Incorrect Request Type configuration for UAR Request” occurs, then check the NOTE below

2040454 – Unable to generate UAR due to Incorrect Request Type configuration for UAR Request


If the UAR request screen is empty when the approver opens it to approve, then check the NOTE below

1938863 – UAR Review – No content to approve when approver opens the UAR request from inbox


If the button ‘Cancel Rejection’ does not appear to the approver, then check the NOTE below

1768509 – The button ‘Cancel Rejection’ does not appear in User Access Review request

If an error occurs while forwarding the request to a Reviewer with the Return option, then check the NOTE below

1988128 – UAM: Missing line items with forward and return in UAR

Sometimes the users' full details are not shown in the UAR request; this is basically an issue with the connector. Check the NOTE below

2053211 – Full name of some users is not shown in UAR request

If we are using two stages of approval for a UAR request, then we need to maintain the approval type as Complete request in both stages; otherwise the approver cannot see details at the second stage. Check the NOTE below

1907938 – UAR – User and Role details are not visible in request


We need to make the Escalation parameter visible in the UAR request history report; otherwise the message ‘No record found’ will appear in the UAR request history report. Check the NOTE below

1805804 – UAR: No record found message in User Access Review History Report


Check the NOTE below for the importance of the “View By” field in the UAR request screen

1867208 – How to understand what controls the “View By” field in the UAR Request Screen


To see why the ‘Generate data for access request UAR review’ job status is “In Progress”, check the NOTE below

2038346 – UAR/SOD jobs do not finish and keep ‘In Progress’ status


If only partial data is shown in the Audit log, then check the NOTE below

2037408 – Audit log is showing partial data for UAR request


If there is no audit log for SAVE in UAR, then check the NOTE below

1947373 – UAM:Unable to make comments mandatory & audit log for save in UAR


If the request shows indirect roles and a wrong usage count, check the NOTE below

1910670 – UAR Request shows indirect roles and wrong usage count

Some of the old threads for more information on User Access Review:


UAR Review: http://scn.sap.com/thread/3719805


GRC10 – UAR using BRF+ Agent Rule: http://scn.sap.com/thread/2104971


GRC 10 UAR – Different UAR Approvers: http://scn.sap.com/thread/3297507


Generates data for access request UAR review: http://scn.sap.com/thread/3276890


User Access Review Workflow – GRC 10: http://scn.sap.com/thread/3535425


GRC AC V10 – UAR config steps: http://scn.sap.com/thread/2063607


GRC 10.0 User Access Review-user details not showing in description: http://scn.sap.com/thread/3332003


SAP GRC10 – UAR Review: http://scn.sap.com/thread/2116399


GRC 10 UAR tables: http://scn.sap.com/thread/3721729


UAR cannot be generated for huge volume of data: 2075604 – UAR Request not genrating with huge role data

Ex: Role or User starts with option

Please share or add if any new issues/errors occur while working with UAR (User Access Review), so that we will include them in the same page for easy availability.


Regards

Baithi
