
SAP GRC Access Control is the top application on the market in its category, and it has great features. But like any other application, it brings its share of issues with every new support package upgrade or new release.

When upgrading or applying a corrective note, it is always good to be aware of common issues you may encounter along the way. Watch out for these issues so you can identify and address them before short deadlines, upcoming go-live dates, or production-down situations drive you crazy. You will be glad you did!

As I have been supporting GRC Access Control over the last 5 years, several issues seem to surface over and over. With this blog article, I will try to collect these case scenarios, as well as suggest some workarounds. If this sounds like the beginnings of a Wiki, you would be right. At present, there is not enough material for one, so I will use this blog for the time being. I do expect to post new case scenarios as soon as I am aware of them, so if you wish to bookmark it for future reference, please do so.

Read on for a list of common issues that surface for many customers after upgrading or applying corrective notes.

To help with your navigation, below is an index of the topics:

 

______________________

13-Apr-2017: INITIATOR logic to send system line items to a No Stage path

Check out this WIKI: INITIATOR logic to send system line items to a No Stage path

______________________

13-Apr-2017: Check errors returned from HANA DB when provisioning access requests

Check out this WIKI: Check errors returned from HANA DB when provisioning access requests

______________________

13-Apr-2017: Request Multiple Rule Set – BRFPlus creation step by step

Check out this WIKI: Request Multiple Rule Set – BRFPlus creation step by step

______________________

19-Mar-2017: Verify Context of a BRFPlus Function

Check out this brand new article! 2444520

______________________

14-Jan-2017: Risk Analysis for Business role is no longer returning results

Known issues have now been fixed, and the Business role versioning and role search changes introduced recently make it mandatory to populate a new column in table GRACROLE, which may still be initial in the customer system.

 

Follow the solution in the KBA below:

2428757 – Risk Analysis for Business role is no longer returning results

______________________ 

14-Jan-2017: Role Search not working after SP upgrade

Role Search not working after upgrading GRC 10.0 to SP24, or equally upgrading GRC 10.1 to SP15.

Role search based on role name criteria is now executed against a new field called ROLE_NAME_SH, recently added to table GRACROLE as part of role search performance improvements.

This field may not be populated yet in the customer system.

To mass populate the new field ROLE_NAME_SH, please execute the Z report provided in the following SAP Note:

2329234 – GRC UAM – Performance issues during Role Search in Access Request Creation

______________________

14-Dec-2016: NW750 Search Request dump

“LS_SEARCH_MSMP” and the line of “LS_SEARCH_RANGE-CUSTOM_FIELD_RANGE” are incompatible. Review the solution given in KBA 2394708.

______________________

13-Dec-2016: Workflow triggering issues with NW740 and NW750

Check out the new KBA containing crucial corrections for workflows in NW740/750: KBA 2376900.

______________________

13-Dec-2016: LOGOFF_TIME for Firefighter session explained

Check out the new KBA explaining how the LOGOFF_TIME column in table GRACFFLOG (or /GRCPI/GRIAFFLOG) is populated: KBA 2402925.

______________________

18-Nov-2016: UAR History and Status reports not showing all results

The UAR reports only show UAR requests that have both a Reviewer and a Coordinator.
The issue seems to be that the Coordinator ID entry is missing in table GRACREQOWNER for UAR requests; the correction Note is 2289690.

However, as part of the solution, you need to run the Z report attached to the Note 2289690 in order to populate the Coordinator IDs for old requests, so make sure you have run the Z report.

______________________

08-Aug-2016: Manager information not populating in GRACUSER from LDAP

If you are experiencing this issue, please make sure the following notes are applied to your system:

Note 2301753, Note 2325452 and Note 2297757.

______________________

04-Aug-2016: EAM log sync does not show error if one of the connectors is down, no logs are collecting

For customers that upgraded 10.1 to SP12: please apply the correction delivered in SP13, which throws an error message when one of the plugin connectors is down and logs are not being collected for that connector. Without it you do not get any errors, log collection is zero, and you only find out when you realize logs are missing for this connector.

Note is 2301784.

______________________

 

28-Jul-2016: “Error in RFC; ‘Syntax error in program /GRCPI/SAPLGRIA_USR'” and table SRT_WHITE_LIST

After upgrading to Support Package 12 (GRC release 10.1 and NW 7.40), a dump is observed in ST22 when:

1) Running user sync:

Short Text: “Error in RFC; ‘Syntax error in program /GRCPI/SAPLGRIA_USR'”

Error message: “SRT_WHITE_LIST is not defined in the ABAP Dictionary as a table, pro”

2) Creating a new access request. In addition to the ST22 errors above, the following error is also shown in the Web Dynpro message area of the screen:

“Error in RFC; ‘00024rabax during sap for connector <plugin_connector>’”

 

The syntax error occurs in program /GRCPI/SAPLGRIA_USR because there is a reference to table SRT_WHITE_LIST that does not exist in the system.

Please follow the solution proposed by KBA 2102825.

______________________

26-Jul-2016: Search Request link dumps with “500 Internal server error” after upgrade

After customers upgraded to GRC 10.1 SP11, the Search Request link stopped working. This is because a variable is undeclared in Web Dynpro GRAC_UIBB_REQUEST_SEARCH: the variable FIORI_DONT_SHOW_IN_FILTERBAR of method process event. Note 2184361 fixes this issue.

______________________

19-Jul-2016: ERM reports – some authorization changes to System drop down list

I have been seeing this issue quite often lately, and I want to write something about it.

For ERM reports, many customers report that after upgrading 10.0 release to SP22 or higher, the system drop down in the ERM reports is empty.

It seems the object GRAC_SYS with ACTVT 16 is no longer being checked, and GRAC_SYST with ACTVT 16 is the new object checked.

Customers that upgraded to the 10.1 release experience the same issue. In the 10.1 release this changed slightly and a new authorization object is needed: GRAC_SYSTM with field GRACSYSID and value <connector> is checked, along with GRAC_SYSTM with field GRACSYSACT with value E1.

***Object GRAC_SYSTM is only available for 10.1 release, and comes in role SAP_GRAC_REPORTS.

The 10.1 security guide also mentions this object:

https://websmp202.sap-ag.de/~sapidb/011000358700000596352013E/ACPCRM_Security_Guide_SP11.PDF

For technical consultants, debugging can be performed to validate the logic:

10.0:

class CL_GRAC_FEEDER_ERM_REPORTS

methods SEL_SCREEN_ACT_USAGE, GET_CONNECTORS

10.1:

class CL_GRAC_FEEDER_ERM_REPORTS

methods SEL_SCREEN_ACT_USAGE, GET_CONNECTORS, FILTER_CCI_CONNECTORLIST_DD

The SAP KBA 2195080 will be amended with this information, soon.
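
The following report is an added example, not SAP-delivered code and not part of the original post: it runs the 10.1 check described above for one user and connector and reports which part of the authorization is missing. The report name and parameters are hypothetical, and it assumes the connector and E1 must sit in the same GRAC_SYSTM authorization.

```abap
REPORT z_erm_sysauth_check.
* Added diagnostic example, not SAP-delivered code. The report and parameter
* names are hypothetical; GRAC_SYSTM, GRACSYSID, GRACSYSACT and E1 are the
* names quoted in this post for release 10.1.
PARAMETERS: p_user TYPE sy-uname DEFAULT sy-uname OBLIGATORY,
            p_conn TYPE c LENGTH 32 OBLIGATORY. " connector ID to test

DATA: lv_rc_both TYPE sy-subrc,
      lv_rc_id   TYPE sy-subrc,
      lv_rc_act  TYPE sy-subrc.

START-OF-SELECTION.
  " Assumption: connector and activity must match within one authorization.
  AUTHORITY-CHECK OBJECT 'GRAC_SYSTM' FOR USER p_user
    ID 'GRACSYSID'  FIELD p_conn
    ID 'GRACSYSACT' FIELD 'E1'.
  lv_rc_both = sy-subrc.

  " Field-by-field checks narrow down which value is missing.
  AUTHORITY-CHECK OBJECT 'GRAC_SYSTM' FOR USER p_user
    ID 'GRACSYSID'  FIELD p_conn
    ID 'GRACSYSACT' DUMMY.
  lv_rc_id = sy-subrc.

  AUTHORITY-CHECK OBJECT 'GRAC_SYSTM' FOR USER p_user
    ID 'GRACSYSID'  DUMMY
    ID 'GRACSYSACT' FIELD 'E1'.
  lv_rc_act = sy-subrc.

  CASE lv_rc_both.
    WHEN 0.
      WRITE / 'OK: user is authorized for this connector with E1.'.
    WHEN 12.
      WRITE / 'GRAC_SYSTM is not in the user master at all.'.
    WHEN 40.
      WRITE / 'User ID is not valid.'.
    WHEN 4.
      IF lv_rc_id <> 0.
        WRITE / 'No GRAC_SYSTM authorization contains this connector.'.
      ELSEIF lv_rc_act <> 0.
        WRITE / 'No GRAC_SYSTM authorization contains GRACSYSACT = E1.'.
      ELSE.
        WRITE / 'Connector and E1 exist, but in different authorizations.'.
      ENDIF.
    WHEN OTHERS.
      WRITE: / 'Unexpected return code:', lv_rc_both.
  ENDCASE.
```

Return code 12 points to the role carrying the object (SAP_GRAC_REPORTS, per the note above) not being assigned, whereas 4 points to the field values maintained inside it.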

______________________

19-Jul-2016: HR Trigger termination issues

I just created a new KBA with a compilation of MUST APPLY notes if you are having issues with HR trigger termination (dates, etc).

KBA is 2344832.

______________________

18-Jul-2016: Upgrading to NW75 – System->Status, Data Component has misleading GRC information

According to note 2156130, GRC 10.0 is compatible with NW75. However, customers that upgraded to NW75 with GRC 10.0 are experiencing issues: System->Status->Data Component (Installed software component version) shows misleading GRC versioning information, such as GRCFND_A V1100 without support package level information, even though the current GRC 10.0 installation was untouched (only NW was upgraded). The SPAM tcode correctly shows the current release and SP level; it was not impacted by the NW upgrade.

As of today the NW75 is only compatible with GRC 10.1 release.

______________________

18-Jul-2016: Upgrading to NW75 – Any link in Access Risk Analysis generates dump

Any of the links for risk analysis in NWBC (Access Management) generates a dump (ASSERT condition was violated) and the page shows 500 SAP Internal Server Error. A collection of notes must be applied: note 2331111 and KBA 2299562 (which has a list of notes to be applied).

This issue affects screens that include search elements, such as any Access Request creation link. The correction is in class CL_FPM_GUIBB_SEARCH_DATA_MGR, the dump is “ASSERT io_config_context_root_node IS BOUND” and

As of today the NW75 is only compatible with GRC 10.1 release.

______________________

18-Jul-2016: After upgrading GRC 10.1 to SP13, dump in Access Risk Analysis links

After upgrading the GRC 10.1 release to SP 13, customers are getting the following error when starting the Access Risk Analysis links: 500 Internal SAP Server Error. A dump is also produced:

Dump error: Subnode COMPONENTCONTROLLER.1.SEARCH.SEARCH does not exist (termination: RABAX_STATE). It looks like the io_config_context_root_node parameter in the lo_config_api_creation call is supposed to be the COMPONENTCONTROLLER node, not the SEARCH node. The changes are in class CL_FPM_GUIBB_SEARCH_CONFIG.

A collection of notes must be applied: note 2331111 and KBA 2299562 (which has a list of notes to be applied).

______________________

18-Jul-2016: Repository sync job taking all available space for log files, all of a sudden

Repository sync started to fail for both incremental and full modes, with no recent changes. This is explained in note 1743367. When syncing users, every user expired/locked/deleted in the back-end connector will have its violations deleted from tables GRACUSERPRMVL / GRACUSERACTVL / GRACUSERCRPVL (based on parameters 1028 and 1029).

This mass deletion (in case mass users got deleted/expired/locked) may cause the dumps, although it has been running okay for most of the cases. If this is happening in your environment, make sure to execute the Z program attached to the mentioned note 1743367 in order to delete the violations for these users.

You may think: okay, every time my sync job fails, I will run this Z report. However, it was not meant to be used regularly as part of the synchronization jobs. The best advice is to follow the recommendation in note 1580877 (with special attention to section C.1). Also, if you decrease the value for the batch user size (1121), the application will commit more frequently.

______________________

18-Jul-2016: Batch risk analysis is suddenly running for 10+ hours

This issue has been very common lately. It happens that there was an issue with the last execution date not getting updated correctly for Role analysis if the batch risk analysis was scheduled for technical and business roles. The note 2138558 addresses this issue.

______________________

18-Jul-2016: Integrating GRC to LDAP with multiple domains

I have seen so many questions regarding this matter, that I compiled some Q&A and created this KBA 2344229.

______________________

18-Jul-2016: Portal sync errors – correction to provide detailed logs

We now have note 2267646, which introduces more detailed logs into the portal sync. The note corrections are not meant to resolve any specific issue, but they let us see more details of the errors coming from the portal server, which will help in troubleshooting the issue.

This note is very useful, so apply it when you can. Even for portal sync issues where there are no dumps or errors and the sync is simply not bringing any users, this note should help.

______________________

18-Jul-2016: “Error when trying to complete/forward work item 0000004567”

This error is tricky to troubleshoot, as it is generic and has many possible root causes. To get more details on what happened to the workflow, I recommend taking a trace using tcode SWF_TRC, where you should be able to see more meaningful messages. There is a note with more information on how to start this trace: note 2344265.

______________________
