Errors / Issues while Implementing GRC AC 10.1 .

Common Errors during GRC 10.1 Implementation.

Greetings,

To ease the day-to-day security activities and to simplify the day-to-day reports for managers and auditors we have SAP GRC in place, this document is intended to explain about the common issues/errors faced during implementation of GRC Access Control 10.1 version.

Firstly, I would brief the Landscape and the versions to get a clear overview.

Front End System:

Front end is equipped with GRC 10.1, Support pack 17.

Plug-in System:

Based on the client requirement, back end system is equipped with Enterprise Core Component (ECC) so far.

In the process of implementing the n-1 version of GRC AC (as latest version is 12.0 in the market), we have faced many issues & errors. Few were corrected by adjusting the configuration settings (because of human errors), while others were rectified through SAP Notes.

The errors/issues are not limited to the ones highlighted in this blog, as errors are identified depending on the software versions configured on both the front end and back end systems. They are also based on the software/hardware requirements.

             “Minor configuration issues might lead to major impact”.

Errors/Issues faced:

1. Authorization Sync failed with errors Unable to locate connector.
2. “500 internal server Error”, while performing User Level Risk Analysis &Role level Risk Analysis.
3. Short dump on FF Login – Cancel SAP Application.
4. Simplified Access Request Application link is not visible in NWBC in My Home screen.
5. Role not available for access request even after successful role import.
6. User ID is not a valid user.
7. In MSMP – “Warning when trying to activate version: “No data is maintained in table GRFNMWCNGLBESR for process SAP_GRAC_ACCESS_REQUEST.”
8. In MSMP – “Warning when trying to activate version: “No data is maintained in table GRFNMWNOTIFRECPT for process SAP_GRAC_ACCESS_REQUEST”.
9. .Path Status Unknown, Request unable to deliver in Manger’s Work Inbox.
10. Error in Process Global Settings while Adding assignment in MSMP.

1. Authorization Sync failed with errors Unable to Locate Connector

While running Authorization sync for the first time during Post installation activities, once the Connectors are configured while performing Authorization Sync Job, below error occurs:

“Unable to locate CONNECTOR <Connector name>”.

Resolution:

Once Connector is set up, Connector details has to be maintained under

Access control à Maintain Connector Settings

Maintain the Target Connector details and Save. Once saved, Customizing Request is generated for the changes made.

2. 500 internal server Error

While performing User Level and Role level Risk Analysis an error with “500 Internal Server Error” occurs.

Resolution:

By Implementing SAP Note: 2409294, this issue can be resolved.

2409294 – ARA – Batch Risk analysis Job getting failed due to SAPSQL_WHERE_PARENTHESES dump.

3. Short dump on FF Login – Cancel SAP Application

While trying to logging in with Fire-fighter ID in EAM, below screen pops up “Cancel SAP Application” which results in an ABAP dump because of missing SAP Script Object ‘GRC’ in the transaction SE75.

Dump in ST22:

Resolution:

This issue can be resolved by creating the SAP Script Object ‘GRC’ and the Text ID ‘LTXT’ in the transaction SE75.

Please refer to the SAP Note: 1800347 – “Short Dump on FF Login”

4. Simplified Access Request is not visible in NWBC

NWBC screen does not show up “Access Request” Application Link in My Home or in Access Management to raise a request. This issue is caused due to Launchpad issue in GRC System.

Resolution:

Please refer to SAP Note: 2062134 – Simplified Access Request Link not visible in NWBC.

It provides information on Launchpad customizing.

5. Role not available for access request even after successful role import

Even after the role is imported in to GRC box, roles are not available for request in Access request.

Resolution:

Refer to the SAP Note: 1700936 – Roles after successful import are not available for access request.

By running a full sync job, the roles will be available for access request, so the roles get updated for access risk analysis.

6. User ID is not a valid user

Below error is populated while submitting an access request for a new User in Access request screen “User ID is not a valid user”.

Resolution:

Please refer to the SAP Note: 2514574 – User ID is not a valid user.

This error occurs because the User VALIDATION is against available Data Sources. Adjust the Parameter 2051 in Configuration settings (Enable User ID Validation in Access Request against Search Data Sources). This issue can also be rectified through ‘Maintain Data Sources Configuration’.

7. In MSMP – “Warning when trying to activate version: “No data is maintained in table GRFNMWCNGLBESR for process SAP_GRAC_ACCESS_REQUEST.”

Resolution:

This warning message can be ignored, as it is not mandatory for the version to be generated, but this error can be fixed by referring to the SAP Note: 2611058.  

8. In MSMP – “Warning when trying to activate version: “No data is maintained in table GRFNMWNOTIFRECPT for process SAP_GRAC_ACCESS_REQUEST.

Resolution:

This warning message can be rectified by maintaining the Notification Recipients in SE61 or can be ignored, as it is not mandatory for the version to be generated. However, this error can be fixed by referring to the SAP Note: 1801446 – Warning while MSMP – Generate Version.

The above information/solutions to the errors/issues provided may vary from System to System or Version to Version, as the SAP Notes provided may have dependencies on SAP Notes/Software versions/Support Packs.

9. Path Status Unknown, Request unable to deliver in Manager’s Work Inbox.

While submitting a request through Access Request, Request does not deliver in to Manager’s Work Inbox and issue ends up as “Path Status Unknown” (below mentioned screenshot).

Resolution:

This issue can be occurred due to the necessary configurations might not carried out, check if you have Performed task-specific workflow customizing activities in GRC system.

Refer 1804111 – Perform Task-Specific Customizing – Assign Agent (check for the attachments “Assign Agents.docx”)

10. Error in Process Global Settings while Adding assignment in MSMP.

In MSMP Step 5, while Modifying a path by allowing Approver to add new assignments to the request by selecting Add Assignment, we face below error. “Error in Process Global Settings”

Resolution:  Select the check box for both “Change Request Det” & “Add Assignment“, then you should be able to save and Activate the MSMP Version.

Refer: 2698689

Suggestions & Modifications to this blog are greatly appreciated.