30 Tips on the fly for busy GRC AC 10.x Consultants
1. In standard GRC Access Control, workflows are not generated for blank Firefighter sessions. So if the system fails to retrieve the session details, no workflow is created for that session either. To generate workflows for sessions with no details, maintain configuration parameter ID 4020.
2. The “Controller is Mandatory” scenario exists only in GRC 10.1; it was not designed for 10.0. The feature prevents a Firefighter ID from being assigned without a controller. SAP Note 2039879, available only for GRC 10.1, cannot be down-ported to GRC 10.0.
3. For centralized EAM configuration, the ECC plug-in can only connect to one GRC system at a time.
4. There is no Reject option in the EAM audit log review workflow. Since the actions a firefighter performed cannot be reverted, the logs always remain available for audit. The controller can send the audit log workflow back to the firefighter to ask for additional information about the actions performed, but in the end the audit of the session has to be completed by clicking Submit.
5. The transaction description is not shown in the consolidated log report, for performance reasons. In 10.0 the logs come from multiple systems on different Basis releases, and showing the description would require an RFC call into each of those systems. Fetching the description per system was found to degrade the performance of the log report, so by design transaction descriptions are not supported in the EAM reports.
6. Critical action and critical permission type risks are not included in the ad-hoc analysis that the Invalid Mitigating Controls report runs. As a result, ALL mitigations assigned to critical action or critical permission risks show up as invalid in that report, which is not accurate.
7. A GRC ruleset transport does not carry deleted values from DEV to PRD. This is by design: transactions deleted in the source system are removed from the GRC tables, so there is nothing left to transport. The deletion therefore has to be repeated in the target system.
8. For permission-level reports to work, authorization field values must be entered exactly as the backend stores them, including leading zeros (for example 01, not 1).
9. Access Control does not need a Source Connector; only Process Control requires one, maintained under SPRO -> Governance, Risk and Compliance -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types.
10. When a risk is deleted, entries are removed from GRACSODRISK only, not from GRACACTRULE.
11. A full sync job considers the date range from 1970 up to today. An incremental sync job considers the range from the last execution date of the incremental sync job up to today.
12. HANA is a platform for customer applications, and each application may have its own set of authorizations, so SAP cannot deliver rule content for applications it does not know about. Customers have to create and maintain their own HANA ruleset; SAP does not deliver a standard one.
13. Ad-hoc risk analysis can be run with various selection criteria. The ‘Validity Date’ criterion should be used only when running a Mitigation Analysis. For a normal ad-hoc risk analysis, do not select ‘Validity Date’ as a filter, because it will not work there.
14. In Existing Assignments, a business role is always displayed with provisioning environment ALL, even if it has only been assigned in the Development or only in the Production provisioning environment. A business role has no connector of its own, so its provisioning environment is hard-coded to ‘All’.
15. When importing roles with the authorization source set to SKIP, the application does not import the single roles contained in a composite role. Authorizations come from the single roles, and since authorizations are being skipped, the single roles of the imported composite role are skipped as well.
16. Business roles exist as independent entities in GRC only, NOT in the ECC/ERP (plug-in) systems. Once business roles are in use, assigning roles to users directly in the backend (plug-in) systems should be avoided, otherwise the role assignment relationship stored in GRC becomes inconsistent with the backend.
17. HANA roles cannot be generated from GRC; they have to be synced or imported into GRC Access Control, and importing them works.
18. To provision roles that have no owner, set parameter 2038 and, in addition, configure a detour for the case where no role owner is found, routing such roles to a No Stage path. The remaining roles then go to their respective role approvers as usual.
19. Of the EUP field customizations, only ‘One User per Request per System’ is supported on the Simplified Access Request page; none of the other EUP field settings apply there.
20. The Simplified Access Request page is available only in NWBC, not on the End User Page.
21. The Simplified Access Request uses only the labels maintained under “Maintain Field Labels” for Simplified Access Request in SPRO. If the BRF+ initiator rule relies on any other label, for example “User Type”, GRC cannot route the request to the appropriate path and an error is displayed. If the BRF+ initiator rule uses labels that are not part of “Maintain Field Labels” for Simplified Access Request, create the request from the “Access Request Creation” tab instead.
22. In the standard configuration, the Approver Not Found and Provisioning Failed escape conditions are available at the global level only; they are not available at stage level. This is by design.
23. An access request allows the same role to be assigned to a user more than once, as long as the validity dates differ. Multiple assignments with identical validity dates are not allowed. Multiple assignments of the same role are permitted because a role assignment can come from several sources: direct, via a composite role, via an organizational assignment, and so on.
24. EUP default values are used only for a new user, or for an existing user when no value is maintained, i.e. the field is blank. If a connector is maintained from which user details are fetched, the value and its format come from that backend system.
25. No rejection e-mail is sent when an approver rejects a single user (line item) in a UAR request. The Reject notification in the MSMP settings is tied to the request-level reject event, not to line-item rejection. Only when the approver rejects the whole request is the Reject notification sent.
26. The role usage sync job pulls execution counts for single roles only, not for composite roles. Consequently, usage counts are not aggregated at composite role level.
27. The ‘Add Comments’ button is no longer available in UAR requests in GRC 10.1. To apply one comment to several line items, select the lines you want to comment on and then enter the comment; it is copied to all selected line items.
28. The SOD Review and UAR workflows do not support custom BRF+ initiator rules or custom BRF+ agent rules, in either GRC 10.0 or 10.1.
29. The Usage column in a UAR request is blank when no transactions have been executed for that role.
30. The maximum value for parameter ID “2008 – Number of line items per UAR request” in ‘Maintain Configuration Settings’ is 9999, because the parameter field is 4 characters long. Parameter 2008 can therefore take a value from 1 to 9999.
Any subtractions or additions to this document are most welcome.
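A small pre-upload check for tip 8, added here as an example and not part of the original post or of any SAP-delivered tool. Permission-level rules are matched against the value strings the backend stores in its authorization data, so a rule that says 1 never hits an ACTVT of 01. The script normalizes numeric values of fixed-length fields to the zero-padded form, rejects values that are too long rather than silently truncating them, and shows the comparison that fails when the padding is missing. The field-length table, the (field, value) row format and the sample rows are constructed assumptions for the demo; a real ruleset file carries more columns.

```python
# Added example: lint permission-level rule values before upload (tip 8).
# Assumption: fixed-length, numeric ABAP authorization fields whose values
# must carry leading zeros. ACTVT is genuinely a 2-character field; extend
# this table for the fields used in your own ruleset.
FIXED_LENGTH_NUMERIC_FIELDS = {"ACTVT": 2}


def normalize_value(field: str, value: str) -> str:
    """Return `value` in the form the backend stores it for `field`.

    Wildcards ('*' and trailing-'*' patterns) and values for fields that are
    not in the table are returned unchanged. Purely numeric values for a
    fixed-length field are zero-padded; values longer than the field are
    rejected instead of being truncated.
    """
    value = value.strip()
    width = FIXED_LENGTH_NUMERIC_FIELDS.get(field.upper())
    if width is None or "*" in value or not value.isdigit():
        return value
    if len(value) > width:
        raise ValueError(f"{field}: value {value!r} exceeds field length {width}")
    return value.zfill(width)


def lint_rules(rows):
    """Return (row_index, field, original, corrected) for every row whose
    value, as typed, would not match the backend. `rows` is a list of
    (field, value) pairs standing in for the permission columns of a
    ruleset file (constructed format for this example)."""
    findings = []
    for idx, (field, value) in enumerate(rows):
        corrected = normalize_value(field, value)
        if corrected != value:
            findings.append((idx, field, value, corrected))
    return findings


def backend_matches(rule_value: str, backend_value: str) -> bool:
    """Exact-or-wildcard comparison of a rule value against a stored
    authorization value; '1' never matches a stored '01'."""
    if rule_value == "*":
        return True
    if rule_value.endswith("*"):
        return backend_value.startswith(rule_value[:-1])
    return rule_value == backend_value


# Constructed sample rule rows (not real SAP content).
SAMPLE_ROWS = [
    ("ACTVT", "1"),     # wrong: will never match a stored '01'
    ("ACTVT", "01"),    # correct
    ("ACTVT", "*"),     # wildcard, left alone
    ("BUKRS", "1000"),  # not a fixed-length numeric field here, left alone
]

if __name__ == "__main__":
    for idx, field, orig, fixed in lint_rules(SAMPLE_ROWS):
        print(f"row {idx}: {field} {orig!r} -> {fixed!r}")
    print("'1' matches '01':", backend_matches("1", "01"))
    print("'01' matches '01':", backend_matches("01", "01"))
```

Run it over the rows extracted from a ruleset file before the upload; every finding is a rule line that would silently produce no permission-level hits in the report.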
Rakesh Ram M
Excellent Rakesh. Thanks for sharing