UAR(User Access Review) in GRC10 Access Control:Common issues,Notes
Purpose of the document:
This document describes the UAR (User Access Review) configuration in GRC10 Access Control and some common issues. We have Wiki documents in SCN for configuration and troubleshoot UAR issues, along with existing information I have documented(collection of issues and notes) the common issues in UAR and related solution notes to keep everything in same page for easy search.
I hope it will be helpful for who are looking for UAR configuration and if any related issue occurs.
For UAR workflow configuration and troubleshoot refer the below WiKi links
User Access Review (UAR) Workflow Configuration and Description:
Make sure the below points/settings are mandatory for UAR (User Access Review)
(1) Prerequisite Jobs need to be executed, in sequence, as follows:
- Repository Object Synch /GRAC_ROLEREP_ROLE_SYNC
- Repository Object Synch /GRAC_ROLEREP_USER_SYNC
- Action Usage Synch /GRAC_ACTION_USAGE_SYNC
- Role Usage Synch / GRAC_ROLE_USAGE_SYNC
(2) Role Methodology verification:
- Verify that all the roles have been assigned to a methodology in ‘Business Role Management’.
(3) Reviewer Verification:
- Verify that the role owners have been assigned to roles or role users have a manager assigned from the data source system.
(4) Verify Mandatory Configurations:
- Verify that the following configuration parameters have been maintained in the IMG.
Run transaction SPRO, then go to IMG > SAP Reference IMG > Governance, Risk and Compliance–>Access Control–>Maintain Configuration Settings
- parameter id = 2004 (Request Type for UAR)
- parameter id = 2005 (Default Priority)
- parameter id = 2006 (Who are the reviewers?)
(5) Verify Coordinator Assignments:
- Verify that a coordinator has been assigned to the reviewers (role owner/manager). The coordinator assignment can be viewed from Coordinator and Reviewer Mapping screen.
Go to NWBC work center Access Management –> Compliance Certification Reviews –> Manage Coordinators
(6) User Access Review workflow job:
- Verify that the task “Update Workflow for UAR request” has been executed from the background scheduler screen or the program GRAC_UAR_UPDATE_WORK FLOW has been executed.
If update workflow job does not trigger then check the below NOTE
1732890 – GRC 10.0 – Update Workflow for UAR request job does not trigger the workflow
(7) Verify Request Review:
- Verify that all the requests are approved by the administrator from Request Review Screen.
Go to NWBC work center Access Management –> Compliance Certification Reviews –> Request Review.
Note: – This will only apply, when the ‘Admin Review’ is configured. (In IMG, Governance, Risk and Compliance–>Access Control–>Maintain Configuration Settings (parameter id = 2007))
Most common errors when using user access review, different dumps
1955397 – Background jobs fail with SYSTEM_NO_ROLL error message in ABAP dump
1620493 – GRC 10.0 UAR Background Job stuck
2062769 – UAR update workflow job dumps in case of huge data
1879104 – UAM: Getting dump while scheduling UAR request with huge data
1980305 – UAM: UAR report dumps when role usage data is huge
1780760 – Accessing the UAR request results in DUMP.
1977399 – UAM: UAR status report throwing dump.
2044946 – UAM: Dump is coming while forwarding UAR Request
If number of backend systems are connected to GRC system, not able to generate UAR request
While submitting UAR request if error occurs ‘Submission failure of request“ or ‘No active version exists for process SAP_GRAC_USER_ACCESS_REVIEW’
Then check below NOTE
1620495 – GRC 10.0 UAR – Submission failure of request
If created variant is not working for UAR review then check below NOTE
2042714 – UAM:Save variant not working for UAR request
If any error with“Incorrect Request Type configuration for UAR Request“then check below NOTE
2040454 – Unable to generate UAR due to Incorrect Request Type configuration for UAR Request
If UAR request screen is empty for approver to approve, then check below NOTE
1938863 – UAR Review – No content to approve when approver opens the UAR request from inbox
If the button ‘Cancel Rejection’ does not appear to approver, then check below NOTE
1768509 – The button ‘Cancel Rejection’ does not appear in User Access Review request
If error occurs while forward the request to a Reviewer with Return option, then check below NOTE
1988128 – UAM: Missing line items with forward and return in UAR
Sometimes users full details not shown in UAR request, it is basically issue with connector, check below NOTE
If we are using two stages of approvals for UAR request then we need to maintain approval type as Complete request in both stages, otherwise approver cannot see details at second stage, check below NOTE
1907938 – UAR – User and Role details are not visible in request
We need to make it visible Escalation parameter in UAR request history report, otherwise we will get No record found message will appear in UAR request history report, check below NOTE
1805804 – UAR: No record found message in User Access Review History Report
Check the below NOTE for importance for View by field in UAR request screen
Why Generate data for access request UAR review job status is “In Progress”, check below NOTE
2038346 – UAR/SOD jobs do not finish and keep ‘In Progress’ status
If only partial data in Audit log, then check below NOTE
2037408 – Audit log is showing partial data for UAR request
If no audit log for SAVE in UAR, then check below NOTE
1947373 – UAM:Unable to make comments mandatory & audit log for save in UAR
If request shows indirect roles and wrong usage count, check below NOTE
1910670 – UAR Request shows indirect roles and wrong usage count
Some of the old threads for more information on User Access Review:
UAR cannot be generated for huge volume of data:2075604 – UAR Request not genrating with huge role data
Ex:Role or User starts with option
Please share or add if any new issues/errors occurs while working with UAR(User Access Review) ,so that we will include in the same page for easy availability.