SAP GRC Access Control is the top application on the market in its category, and it has great features. But like any other application, it brings its share of issues with every new support package upgrade or new release.
When planning an upgrade or applying a corrective note, it is always good to be aware of common issues you may encounter along the way. Watch out for these issues so you can identify and address them before you find yourself up against short deadlines, approaching go-live dates, or production-down situations that drive you crazy. You will be glad you did!
As I have been supporting GRC Access Control over the last 5 years, several issues seem to surface over and over. With this blog article, I will try to collect these case scenarios, as well as suggest some workarounds. If this sounds like the beginnings of a Wiki, you would be right. At present, there is not enough material for one, so I will use this blog for the time being. I do expect to post new case scenarios as soon as I am aware of them, so if you wish to bookmark it for future reference, please do so.
Read on for a list of common issues that surface for many customers after upgrading or applying corrective notes.
To help with your navigation, below is an index of the topics:
- 13-Apr-2017: INITIATOR logic to send system line items to a “No Stage” path
- 13-Apr-2017: Check errors returned from HANA DB when provisioning access requests
- 13-Apr-2017: Request Multiple Rule Set – BRFPlus creation step by step
- 19-Mar-2017: Verify Context of a BRFPlus Function
- 14-Jan-2017: Risk Analysis for Business role is no longer returning results
- 14-Jan-2017: Role Search not working after SP upgrade
- 14-Dec-2016: NW750 Search Request dump
- 13-Dec-2016: Workflow triggering issues with NW740 and NW750
- 13-Dec-2016: LOGOFF_TIME for Firefighter session explained
- 18-Nov-2016: UAR History and Status reports not showing all results
- 08-Aug-2016: Manager information not populating in GRACUSER from LDAP
- 04-Aug-2016: EAM log sync does not show error if one of the connectors is down, no logs are collecting
- 28-Jul-2016: “Error in RFC; ‘Syntax error in program /GRCPI/SAPLGRIA_USR'” and table SRT_WHITE_LIST
- 26-Jul-2016: Search Request link dumps with “500 Internal server error” after upgrade
- 19-Jul-2016: ERM reports – some authorization changes to System drop down list
- 19-Jul-2016: HR Trigger termination issues
- 18-Jul-2016: Upgrading to NW75 – System->Status, Data Component has misleading GRC information
- 18-Jul-2016: Upgrading to NW75 – Any link in Access Risk Analysis generates dump
- 18-Jul-2016: After upgrading GRC 10.1 to SP13, dump in Access Risk Analysis links
- 18-Jul-2016: Repository sync job taking all available space for log files, all of a sudden
- 18-Jul-2016: Batch risk analysis is suddenly running for 10+ hours
- 18-Jul-2016: Integrating GRC to LDAP with multiple domains
- 18-Jul-2016: Portal sync errors – correction to provide detailed logs
- 18-Jul-2016: “Error when trying to complete/forward work item 0000004567”
13-Apr-2017: INITIATOR logic to send system line items to a No Stage path
Check out this WIKI: INITIATOR logic to send system line items to a No Stage path
13-Apr-2017: Check errors returned from HANA DB when provisioning access requests
Check out this WIKI: Check errors returned from HANA DB when provisioning access requests
13-Apr-2017: Request Multiple Rule Set – BRFPlus creation step by step
Check out this WIKI: Request Multiple Rule Set – BRFPlus creation step by step
19-Mar-2017: Verify Context of a BRFPlus Function
Check out this brand new article! 2444520
14-Jan-2017: Risk Analysis for Business role is no longer returning results
Known issues have now been fixed, and the Business role versioning and role search changes introduced recently make it mandatory to populate a new column in table GRACROLE, which may still be initial in the customer system.
Follow the solution in the KBA below:
2428757 – Risk Analysis for Business role is no longer returning results
14-Jan-2017: Role Search not working after SP upgrade
Role Search stops working after upgrading GRC 10.0 to SP24, or equally after upgrading GRC 10.1 to SP15.
Role search based on role name criteria is now executed against a new field called ROLE_NAME_SH, recently added to table GRACROLE as part of role search performance improvements.
This field may not be populated yet in the customer system.
To mass populate the new field ROLE_NAME_SH, please execute the Z report provided in the following SAP Note:
2329234 – GRC UAM – Performance issues during Role Search in Access Request Creation
14-Dec-2016: NW750 Search Request dump
“LS_SEARCH_MSMP” and the line of “LS_SEARCH_RANGE-CUSTOM_FIELD_RANGE” are incompatible. Review the solution given in KBA 2394708.
13-Dec-2016: Workflow triggering issues with NW740 and NW750
Check out the new KBA containing crucial corrections for workflows in NW740/750: KBA 2376900.
13-Dec-2016: LOGOFF_TIME for Firefighter session explained
Check out the new KBA explaining how the LOGOFF_TIME column in table GRACFFLOG (or /GRCPI/GRIAFFLOG) is populated: KBA 2402925.
18-Nov-2016: UAR History and Status reports not showing all results
The UAR reports only show UAR requests that have both a Reviewer and a Coordinator.
The issue seems to be a missing Coordinator ID entry in table GRACREQOWNER for UAR requests, for which the correction Note is 2289690.
However, as part of the solution, you need to run the Z report attached to Note 2289690 in order to populate the Coordinator IDs for old requests, so make sure you have run the Z report.
08-Aug-2016: Manager information not populating in GRACUSER from LDAP
If you are experiencing this issue, please make sure the following notes are applied to your system:
04-Aug-2016: EAM log sync does not show error if one of the connectors is down, no logs are collecting
Customers that upgraded 10.1 to SP12 should apply the correction delivered in SP13, which throws an error message when one of the plugin connectors is down and logs are not being collected for that connector. Without it, you do not get any errors, log collection is zero, and you only find out when you realize logs are missing for this connector.
The Note is 2301784.
28-Jul-2016: “Error in RFC; ‘Syntax error in program /GRCPI/SAPLGRIA_USR'” and table SRT_WHITE_LIST
After upgrading to Support Package 12 (GRC release 10.1 and NW 7.40), a dump is observed in ST22 when:
1) Running user sync:
Short Text: “Error in RFC; ‘Syntax error in program /GRCPI/SAPLGRIA_USR'”
Error message: “SRT_WHITE_LIST is not defined in the ABAP Dictionary as a table, pro”
2) Creating a new access request. In addition to the ST22 errors above, the following error is also shown in the Web Dynpro message area of the screen:
“Error in RFC; ‘00024rabax during sap for connector <plugin_connector>’”
The syntax error occurs in program /GRCPI/SAPLGRIA_USR because there is a reference to table SRT_WHITE_LIST that does not exist in the system.
Please follow the solution proposed by KBA 2102825.
26-Jul-2016: Search Request link dumps with “500 Internal server error” after upgrade
After customers upgraded to GRC 10.1 SP11, the Search Request link stopped working. This is because there is an undeclared variable in Web Dynpro GRAC_UIBB_REQUEST_SEARCH. The variable is FIORI_DONT_SHOW_IN_FILTERBAR, in method process event. Note 2184361 fixes this issue.
19-Jul-2016: ERM reports – some authorization changes to System drop down list
I have been seeing this issue quite often lately, and I want to write something about it.
For ERM reports, many customers report that after upgrading the 10.0 release to SP22 or higher, the system drop-down in the ERM reports is empty.
It seems the object GRAC_SYS with ACTVT 16 is no longer being checked, and GRAC_SYST with ACTVT 16 is the new object checked.
Customers that upgraded to the 10.1 release experience the same issue. In the 10.1 release, this changed slightly and a new authorization object is needed: GRAC_SYSTM with field GRACSYSID and value <connector> is checked, along with GRAC_SYSTM with field GRACSYSACT and value E1.
Note: object GRAC_SYSTM is only available in the 10.1 release, and comes in role SAP_GRAC_REPORTS.
The 10.1 security guide also mentions this object:
For technical consultants, debugging can be performed to validate the logic:
methods SEL_SCREEN_ACT_USAGE, GET_CONNECTORS
methods SEL_SCREEN_ACT_USAGE, GET_CONNECTORS, FILTER_CCI_CONNECTORLIST_DD
SAP KBA 2195080 will be amended with this information soon.
19-Jul-2016: HR Trigger termination issues
I just created a new KBA with a compilation of MUST APPLY notes if you are having issues with HR trigger termination (dates, etc).
The KBA is 2344832.
18-Jul-2016: Upgrading to NW75 – System->Status, Data Component has misleading GRC information
According to note 2156130, GRC 10.0 is compatible with NW75. However, customers that upgraded to NW75 while running GRC 10.0 are seeing misleading GRC versioning information under System->Status->Data Component (Installed software component version), such as GRCFND_A V1100 shown without support package level information, even though the current GRC 10.0 installation was untouched (only NW was upgraded). The SPAM tcode correctly shows the current release and SP level; it was not impacted by the NW upgrade.
As of today, NW75 is only compatible with the GRC 10.1 release.
18-Jul-2016: Upgrading to NW75 – Any link in Access Risk Analysis generates dump
Any of the links for risk analysis in NWBC (Access Management) generates a dump (ASSERT condition was violated) and the page shows 500 SAP Internal Server Error. A collection of notes must be applied: note 2331111 and KBA 2299562 (which has a list of notes to be applied).
This issue affects screens that include search elements, such as any Access Request creation link. The correction is in class CL_FPM_GUIBB_SEARCH_DATA_MGR, dump is “ASSERT io_config_context_root_node IS BOUND” and
As of today, NW75 is only compatible with the GRC 10.1 release.
18-Jul-2016: After upgrading GRC 10.1 to SP13, dump in Access Risk Analysis links
After upgrading the GRC 10.1 release to SP13, customers get the following error when starting the Access Risk Analysis links: 500 Internal SAP Server Error. A dump is also produced:
Dump error: Subnode COMPONENTCONTROLLER.1.SEARCH.SEARCH does not exist (termination: RABAX_STATE). It looks like the io_config_context_root_node parameter in the lo_config_api_creation call is supposed to be the COMPONENTCONTROLLER node, not the SEARCH node. Changes are in class CL_FPM_GUIBB_SEARCH_CONFIG.
18-Jul-2016: Repository sync job taking all available space for log files, all of a sudden
Repository sync started to fail in both incremental and full modes, with no recent changes made. This is explained in note 1743367. When syncing users, every user expired/locked/deleted in the back-end connector will have its violations deleted from tables GRACUSERPRMVL / GRACUSERACTVL / GRACUSERCRPVL (based on parameters 1028 and 1029).
This mass deletion (in case many users were deleted/expired/locked) may cause the dumps, although it runs okay in most cases. If this is happening in your environment, make sure to execute the Z program attached to the mentioned note 1743367 in order to delete the violations for these users.
You may think: okay, every time my sync job fails, I will run this Z report. However, it was not meant to be used regularly as part of the synchronization jobs. The best advice is to follow the recommendation in note 1580877 (with special attention to section C.1). Also, if you decrease the value for the batch user size (1121), the application will commit more frequently.
18-Jul-2016: Batch risk analysis is suddenly running for 10+ hours
This issue has been very common lately. There was an issue with the last execution date not being updated correctly for Role analysis if the batch risk analysis was scheduled for technical and business roles. Note 2138558 addresses this issue.
18-Jul-2016: Integrating GRC to LDAP with multiple domains
I have seen so many questions regarding this matter that I compiled some Q&A and created KBA 2344229.
18-Jul-2016: Portal sync errors – correction to provide detailed logs
We now have note 2267646, which introduces more detailed logs into the portal sync. The note corrections are not meant to resolve any specific issue, but they let us see more details of the errors coming from the portal server, which helps in troubleshooting the issue.
This note is very useful, so apply it when you can. Even for portal sync issues where there are no dumps or errors and the sync simply is not bringing in any users, this note should help.
18-Jul-2016: “Error when trying to complete/forward work item 0000004567”
This error is tricky to troubleshoot, as it is generic and has many possible root causes. To get more details on what happened to the workflow, I recommend taking a trace using tcode SWF_TRC, where you should be able to see more meaningful messages. There is a note with more information on how to start this trace: note 2344265.