Monday 8 December 2014

Function Creation Without Action-Note 1744355

Symptom
Uploading a Function-Permission file in the Upload Rules program

Other Terms
Upload Rules

Reason and Prerequisites
The Function-Permission file does not have any Action value entered for a rule without an Action

Solution
In the Function-Permission file, you cannot leave the Actions (Tcodes) column empty. For each permission that has no Action (Tcode), enter any name up to 48 characters long (preferably something meaningful for that permission) and prefix it with these two special characters: ^! . Update the file this way for each empty Action (Tcode).
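One way to apply this fix before upload, as an added example that is not part of the SAP note or of Access Control itself. It assumes a tab-delimited file with the Action in the third column and the permission object in the fourth (the layout and sample rows are constructed), and it keeps prefix plus name within 48 characters, the stricter reading of the limit.

```python
PREFIX = "^!"   # marker the note requires in front of a placeholder Action
MAX_LEN = 48    # limit from the note, applied here to prefix + name together

def fill_empty_actions(text, action_col=2, name_col=3):
    """Fill blank Action cells with '^!' + a name; return (new_text, changes).

    action_col and name_col are zero-based column positions (assumed layout).
    The permission object is used as the meaningful name for the placeholder.
    """
    fixed, changes = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        cols = line.split("\t")
        if len(cols) <= max(action_col, name_col):
            raise ValueError(f"line {lineno}: too few columns ({len(cols)})")
        if not cols[action_col].strip():          # empty or whitespace-only
            name = cols[name_col].strip() or "NO_ACTION"
            cols[action_col] = (PREFIX + name)[:MAX_LEN]
            changes.append((lineno, cols[action_col]))
        fixed.append("\t".join(cols))
    return "\n".join(fixed) + "\n", changes

# Constructed sample: function, system, action, permission, field, from, to.
LONG_NAME = "Z_CUSTOM_PERMISSION_" * 3            # 60 characters, gets truncated
SAMPLE = (
    "ZF01\tSYS1\tSU01\tS_USER_GRP\tACTVT\t01\t02\n"
    "ZF01\tSYS1\t\tS_TABU_DIS\tACTVT\t02\t02\n"
    "ZF02\tSYS1\t  \t" + LONG_NAME + "\tACTVT\t03\t03\n"
)

if __name__ == "__main__":
    new_text, changes = fill_empty_actions(SAMPLE)
    for lineno, action in changes:
        print(f"line {lineno}: Action set to {action}")
```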

Friday 1 August 2014

GRC 10 Background Jobs Scheduling



1. The auth sync, user/role/profile (object) sync, and the usage sync jobs are scheduled as follows:
Job                            Frequency   Description
GRAC_ACTION_USAGE_SYNC         Daily       Action Usage Job
GRAC_PFCG_AUTHORIZATION_SYNC   Weekly      Profile Generator (PFCG) roles authorization synchronization
GRAC_ROLE_USAGE_SYNC           Daily       Role usage synchronization
GRAC_ROLEREP_PROFILE_SYNC      Daily       Role repository profile synchronization
GRAC_ROLEREP_ROLE_SYNC         Daily       Role repository role synchronization
GRAC_ROLEREP_USER_SYNC         Daily       Role repository user synchronization
GRAC_SPM_AUDIT_LOG_SYNC        Weekly      Emergency Access Management (EAM) audit log synchronization
GRAC_SPM_LOG_SYNC_UPDATE       Weekly      Emergency Access Management (EAM) log synchronization
GRAC_SPM_WORKFLOW_SYNC         Weekly      Emergency Access Management (EAM) workflow synchronization
Batch Risk Analysis Job        Daily       Risk Analysis Job
Schedule the jobs so they are running at separate times.  Be sure the database is sized sufficiently.
Run the jobs for one connector at a time, create variants to run the jobs, use incremental when possible.
2. The Batch risk analysis job is the most intensive job.  I run this using parallel processes and make sure the rule set is cleaned up so that it contains only the needed risks, and that the filter for the roles and profiles is properly set up.  Monitoring of this job is necessary.
3. Action Usage Sync:
This job will take a long time to finish when it is scheduled for the first time or when it has been a while since the last run.
Sometimes it may take up to a few hours to complete.
The job may be doing a full scan of table GRACACTUSAGE and retrieving a large amount of data, which may take a very long time to complete.
The best practice for scheduling this job: once the very first job has completed, immediately schedule a periodic job that runs every 4 hours, so that each run selects a much smaller amount of data and completes much more quickly.

Tuesday 21 January 2014

HR Triggers in Access Control 10.0

Understanding HR Triggers in Access Control 10.0

Purpose

The purpose of this document is to help the user understand the details of the HR Trigger functionality provided by Access Control 10.0. It also covers the configurations and settings the user needs to make in order to use this functionality according to the business requirements.

Overview

HR Triggers is used in Access Control 10.0 to automatically create an access request whenever an info type is changed in the HR Plug-in system. This helps the organization to set specific rules for a new user automatically when the user is hired in the organization. There are many other functionalities that are achieved using the HR Trigger process and are explained in detail in the following sections.

How is HR Trigger Initiated

HR Trigger is initiated as soon as there is a change in any of the info types in the HR system. The change may be due to the creation of a new User ID for a new hire, a change in the position of an employee, a change in the validity of an employee, the termination of an employee, or any other info type change for an existing employee. All of this happens in the Plug-in system used for the HR processes. A few IMG settings are required to initiate the HR Trigger process properly.
IMG setting required at the HR Plug-in system
Go to IMG -> Governance, Risk and Compliance (Plug-In) -> Access Control -> Maintain Plug-In Configuration Settings.
Maintain the following parameters as shown below.
Param ID   Parameter Value   Short Description
1000       ERDCLNT300        Please maintain Plug-in Connector
1001       GRDCLNT100        Please maintain GRC connector
1003       YES               Enable HR Trigger
A reference screenshot for this configuration setting is shown below:
 

How is this change transferred to the GRC System

As soon as any of the changes stated above occur in the HR system, a BADI is triggered in the plug-in system which makes an internal table containing the info types that have been changed along with their old and new values. This table is then passed to the GRC system via a system call to the GRC function module which receives this change event and takes over the control. This call is made using a qRFC to make sure that the data is not lost in case the GRC system is down or not available at that moment.

How GRC system handles this change

Control now passes from the HR Plug-in system to the GRC system, along with the info type data that has changed. The GRC system uses the BRF+ Application for HR Triggers to find out which type of request has to be created. This is done with a decision table in the BRF+ application, each row of which returns an Action ID based on the info type that has been changed. As an example, a change in info type 0105, Subtype 0001 (User ID) would indicate that a new user has been created, and hence this row would return the Action ID Create. Based on this Action ID, the request type is chosen and the request is created using this request type.
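The decision step described above, as an added example that is not SAP code and not part of the original document. It models the table in Python and assumes first-match evaluation. The column names, the Action IDs other than Create, the second connector and every row except 0105/0001 are constructed for illustration. Entries that match no row are returned separately, because such a change (for example a termination arriving from a connector no row lists) creates no request at all.

```python
# Condition columns of the modelled decision table (names are hypothetical).
CONDITIONS = ("connector", "infotype", "subtype", "field", "new_value")

# Constructed rows. None stands for an empty cell, which matches any value.
# Only the 0105/0001 -> Create row comes from the text; the rest are made up.
DECISION_TABLE = [
    {"connector": "ERDCLNT300", "infotype": "0105", "subtype": "0001",
     "field": None, "new_value": None, "action_id": "Create"},
    {"connector": "ERDCLNT300", "infotype": "0000", "subtype": None,
     "field": "MASSN", "new_value": "10", "action_id": "ZTERMINATE"},
    {"connector": "ERDCLNT300", "infotype": "0001", "subtype": None,
     "field": "PLANS", "new_value": None, "action_id": "ZPOSCHANGE"},
]

def action_for(entry, table=DECISION_TABLE):
    """Return the Action ID of the first matching row, or None."""
    for row in table:
        if all(row[c] is None or row[c] == entry.get(c) for c in CONDITIONS):
            return row["action_id"]
    return None

def evaluate(hr_trigger_table, table=DECISION_TABLE):
    """Run the decision table once per changed-info-type entry.

    Returns (action_ids, unmatched); unmatched entries create no request.
    """
    action_ids, unmatched = [], []
    for entry in hr_trigger_table:
        action_id = action_for(entry, table)
        if action_id is None:
            unmatched.append(entry)
        elif action_id not in action_ids:
            action_ids.append(action_id)
    return action_ids, unmatched

# Constructed change events (field names and values are hypothetical).
SAMPLE_EVENTS = [
    {"connector": "ERDCLNT300", "infotype": "0105", "subtype": "0001",
     "field": "USRID", "old_value": "", "new_value": "JDOE"},
    {"connector": "ERDCLNT300", "infotype": "0000", "subtype": "",
     "field": "MASSN", "old_value": "01", "new_value": "10"},
    # Same termination, but arriving from a connector that no row lists.
    {"connector": "ERDCLNT200", "infotype": "0000", "subtype": "",
     "field": "MASSN", "old_value": "01", "new_value": "10"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Reviewing the unmatched list against expected HR events is a quick way to find termination or position-change cases the table does not cover.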

BRF+ Application to choose the request type

The BRF+ Application is required for the purpose of selecting the Request Type that would be used to create the request. The BRF+ Application that is used for HR Triggers must be mapped under the following IMG setting.
Go to IMG -> Governance, Risk and Compliance -> Access Control -> Maintain AC Applications and BRFplus Function Mapping.
Add a new entry using the BRF Function ID used in the BRF+.
Appl ID       BRF Function ID    MSMP Process ID
HR Triggers   XXXXXXXXXXXXXXXX   SAP_GRAC_ACCESS_REQUEST
A reference screenshot showing this configuration is shown below:
 
You can create the BRF+ Application by following the steps mentioned under the following link: GRC 10.0 - HR Trigger BRF+ configuration
Now, the Action ID that is returned by this BRF+ application is used to fetch the information on the request type to be used for the newly created request.

Setting up the Request Type

To set the Request Types based upon the Action_ID, set the IMG as shown below:
Go to IMG -> Governance, Risk and Compliance -> Access Control -> User Provisioning -> Maintain Settings for HR Trigger
The screen looks as shown in the screenshot below:

Select and double click on the Action ID for which you need to set the respective Request Type.
You can also set the systems for which the request is to be created along with the validity dates of the user over these systems. To do this, you can select the Action ID and then click over the 'Maintain Systems' link in the left panel. A reference screenshot for the screen that would appear is shown below:
 


Overview

HR Trigger rules can be configured in GRC 10.0 either via BRF+ rules or via a complex Procedure Call via Function Module.
This document contains the step-by-step approach to build the BRF+ rules for configuring the HR Trigger rules to be used to enable the automatic request creation into the GRC system, whenever there is an activity carried out in the connected HR system.

Steps to configure the HR Triggers:

1. On GRC 10.0 system open transaction SPRO and go to node Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFplus Function Mapping.
2. Copy the pre-delivered BRFplus rule, mentioned against Appl Id 'HR Triggers'.
3. On GRC 10.0 system open transaction brfplus or fdt_workbench. In BRF+ menu choose Workbench =>Open Object and paste the ID copied in step 2.

Creating BRF Rule with conditions

4.   Go to ‘Assigned Rule sets’ tab and click on ‘Create Rule set’ button.

5.   Enter the details as shown below and click on ‘Create and Navigate to Object’ button.

6.   Save the Object. Press Yes, when the pop-up "Do you want to Save before exit" comes.
7.   Enable the Ruleset by clicking on ‘Enable Ruleset’ button as shown below.

8.   Assign the priority to the ruleset as shown below.

9.   Enter the priority and click on ‘OK’ button.

10. Save the Object.

11. Create the Rule as shown below. Right click on the HR_Trigger application and go to Create ->Rule.

12. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.

13. Save the Rule.

14. Now Insert the Rule in the Ruleset.

15. Select the rule RULE_1.


16. Save the Ruleset.

17. Go to Rule_1 and create the Process Expression as shown below.


18. Select the Type as ‘Loop’.

19. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.


20. Click on Loop_1 as shown below.

21. Save the object Rule_1.


22. Select ‘Perform Action’ value in Result Type as shown below.

23. Select Loop Mode as ‘For Each Entry in…’ as shown below.



24. Select the table by clicking on ‘Select…’ as shown below.

25. Select the ‘HR_TRIGGER_TABLE’.

26. Save the loop ‘Loop_1’.

27. Now create one more rule as shown below.


28. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.

29. Save the rule ‘Rule_2’.


30. Now add the Rule_2 as shown below.


31. Click on ‘Search’ button.


32. Select the ‘RULE_2’ object.


33. Save the loop ‘Loop_1’.


Creating Decision Table for conditions

34. Create the Decision Table as shown below. 


35. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.



36. Click on ‘Insert Column -> From Context Data Objects’ as shown below.


37. Select the objects in the table and click on ‘Select’ button. 

38. The selected objects are displayed in the table as shown below. Now click on ‘Insert Column from Data Object’ button in the Result Columns table as shown below.


39. Click on ‘Search’ button.


40. Select the object and click on ‘Select’ button.


41. The selected objects are displayed in the table. Now click on ‘OK’ button.


42. Now we can find the columns in the table.

43. Click on ‘Insert New Row’ button to add the contents to the decision table.


44. Enter the value for the Connector column as shown below.


45. Enter the connector value and click on ‘OK’ button.



46. In the same way, add the values to the necessary columns as shown below.

47. Select the row and click on ‘Copy Row’ button.


48. Now click on ‘Insert Copied Row’ button as shown below.






49. Save the Decision table.


50. Activate the Decision table.


51. Click on ‘Activate’ button.

52. Add a Process Expression as shown below.


53. Select the Object ‘DECISION_TABLE’.




54. Now assign the value to the ‘Action ID’ Result data table as shown below.




55. Select ‘Insert’ as shown below.


56. Select the Context parameter as shown below.

57. Select ‘ACTION_ID’ object.




58. Save and activate the rule ‘Rule_2’.


59. Click on ‘Activate’ button as shown below.



60. Now activate the loop ‘Loop_1’.


61. Click on ‘Activate’ button as shown below.



62. Now activate the rule ‘Rule_1’.

63. Click on ‘Activate’ button as shown below.



64. Now activate the ruleset ‘Ruleset_1’.


65. Click on ‘Activate’ button as shown below.



 A. Decision table Conditions for New Hire, Termination and Position Change