GRC AC ARM - Access Request Issues
In the last few weeks I have had to troubleshoot several access request related issues for my clients. I thought I would share these with you. I have detailed 3 issues and solutions below.
Issue #1: When you submit a Change or New Request to add roles with more than 300 line items, you get error message 466 saying ‘Request contains more line items than the maximum allowed (300)’. Here’s a screenshot of the error message:
The reason for the error message is that 300 is the maximum number of line items that can be added to a request. 300 is the default value.
Solution: The default maximum value for line items in a request can be modified. This is configured through the MSMP configuration (Expert) transaction code GRFNMW_CONFIGURE. Here are the steps:
a. Execute GRFNMW_CONFIGURE t-code in change mode
b. Double click on ‘Maintain Process Global Settings (Not Version)’ under Folder ‘Processes’ and then select ‘SAP_GRAC_ACCESS_REQUEST Access Request Approval Workflow’ from the pop-up selection
c. This will bring up the following screen. As you can see, the ‘Max LI per Request’ field is set to 0. This is the default value, which means the limit is 300.
d. You can change this field to a higher number. The highest number you can enter is 99999.
The next time you submit a request with more than 300 line items, up to the new limit, it will be submitted successfully.
Issue #2: This error occurred with request type ‘New Account’, which is tied to creating a user ID. When you enter a user ID that does not exist yet, you get an error message saying that ‘… ID is not a valid user’. It’s a brand-new user, so the error message does not make sense.
Solution: The reason you get this error is that the access request is configured to validate the user ID. This happens when configuration parameter ‘2051 – Enable User validation Access Request against search data source’ is set to ‘Yes’, as shown below.
a. The search Data Source is configured from SPRO –> Governance, Risk, and Compliance –> Access Control –> Maintain Data Sources Configuration
This is where you maintain connector information to retrieve user and authentication information from the data sources.
b. Set configuration parameter 2051 to ‘No’.
Now the request for a new account will accept a user ID that doesn’t exist yet, as shown below:
Issue #3: You are requesting a role for a new user that does not exist yet. You get the following error message, saying that the user ID does not exist yet in the target connector.
Solution: This appears similar to the issue we saw above, but it is not the same issue. The error message appears because the user provisioning settings are configured to validate the account, as shown below.
If we want to be able to create a user with a new request, we should set the configuration as follows:
a. Uncheck the ‘Account Validation’ check box
b. Then check the boxes for ‘Create user for Role assign Action’ and ‘Create user for Change User Action’ for both Global provisioning and System specific provisioning:
SPRO –> Governance, Risk, and Compliance –> Access Control –> User Provisioning –> Maintain Provisioning Settings
I will be happy to answer any queries and will appreciate your feedback.
SAP note 1719101 – Submission of more than ##### line-items not allowed: Limitation to number of roles per request