Former Member

GRC 10 - issue importing role for new system

We have a 3 backend system landscape.  We have imported the roles correctly through the "role import" option for the QA system. Then we set up the Production system and imported the roles for the production system.

The problem is when we are trying to raise the GRC access request and try to add roles, they are only available for the QA system.  When I try to search and add roles for the Production system they are not available.

Roles are not listed for the multiple systems when I am trying to add and search roles.


3 Answers

  • Former Member
    Dec 23, 2013 at 07:06 AM

    Hi Sameer,

    Go through the link below; it will definitely resolve your issue.

    http://scn.sap.com/thread/3320514

    Best Regards,

    Ravi Kumar


    • It will identify based on connector. Open that in Excel.

      Role Name [ Alphanumeric(100) ] [ Mandatory ]
      Overwrite [ Alphanumeric(1) ] [Y/N]
      Role Type [SIN / DRD / COM / BUS / PRF / PDP / GRP / TPL] [ Mandatory ]
      Description [ Alphanumeric(100) ]
      Business Process Name [ Alphanumeric(10) ] [ Mandatory ]
      Subprocess Name [ Alphanumeric(10) ] [ Mandatory ]
      Project/Release Name [ Alphanumeric(10) ] [ Mandatory ]
      Role Status [ Alphanumeric(3) ]
      Critical Level [ Alphanumeric(3) ]
      Sensitivity [ Alphanumeric(3) ]
      Cerification Period in Days [ Numeric(5) ]
      Reaffirm Period in Days [ Numeric(5) ]
      Functional Area [ Alphanumeric(10) ]
      Custom Field Name [ Alphanumeric(12) ]
      Custom Field Value [ Alphanumeric(100) ]
      Approver [ Alphanumeric(12) ]
      Alternate Approver [ Alphanumeric(12) ]
      Assignment Approver [ Alphanumeric(1) ] [Y/N]
      Role Content Approver [ Alphanumeric(1) ] [Y/N]
      Master Role [ Alphanumeric(100) ] [ Only for Derived Roles ] [ Mandatory ]
      Leading Organizational Level [ Alphanumeric(50) ] [ Only for Derived Roles ] [ Mandatory ]
      Organizational Level From Value [ Alphanumeric(50) ] [ Only for Derived Roles ] [ Mandatory ]
      Organizational Level To Value [ Alphanumeric(50) ] [ Only for Derived Roles ]
      Associated Roles [ Alphanumeric(100) ] [ Only for Composite / Business Roles ]
      Associated Role Landscape [ Alphanumeric(10) ] [ Only for Business Roles ]
      Associated Systems [ Alphanumeric(32) ] [ Only for CUA Composite Roles ]
      Custom Profile URL [ Alphanumeric(100) ] [ Only for Template Role ]
      Custom Profile BAPI [ Alphanumeric(100) ] [ Only for Template Role ]
      Methodology Status [I - Initial / C - Complete]
      Company [ Alphanumeric(10) ]

      System [ Alphanumeric(32) ]

      Here is the one

      Provisioning Allowed [ Alphanumeric(1) ] [Y/N]
      Allow Auto Provisioning [ Alphanumeric(1) ] [Y/N]
      System Validity [ Alphanumeric(50) ] [yyyy/mm/dd or Y,M,D]
      Source System [ Alphanumeric(32) ]
      Target System [ Alphanumeric(32) ]
      Role Name [ Alphanumeric(100) ] [ Mandatory ]

  • Dec 23, 2013 at 02:49 AM

    Importing Single/Composite roles into BRM in GRC 10.0

    • Role has to exist in the backend system
    • Role sync job has to be performed. [Very Important step]
    • Roles from backend system - Tcode N /GRCPI/AC_ROLE_DNLD downloaded files (attribute and authorization source)
    • Role Attribute Source - "File on desktop"
      Role Authorization Source - "File on Desktop/Backend System" [Note:  Role Authorization Source can be skipped if you do not want to maintain authorizations in BRM and just want to use roles for provisioning purposes only]
    • Maintain parameters 3021 path, 3003 value and download roles with .txt file (file location) and .xls (Role Info file)
    • Role Info file: Maintained Business Process, Sub process and Project names.
    • Logon to GRC frontend application (either using Portal or NWBC)
    • Go to "Access Management"
    • Choose option 'Role Import' under 'Role Mass Maintenance'.

         Choose the role status as production and then import the role.

    • Import roles into BRM.
      - Maintain the PRODUCTION status, and in order to do that:
      - Go to IMG => Governance Risk and Compliance => Access control => Role Management => Maintain Role Status
      - Make sure to check the PRODUCTION STATUS checkbox for the status (Recommended is PRD, but DEV and TST can be checked as production status based on the testing environment)
      - Based on PRODUCTION STATUS settings configured, make sure each role status is set accordingly
      - Go to Access Management => Role Management => Role Maintenance
      - Search and open the role, click on the Additional tab and then select Provisioning
      - Make sure that the Role Status is set to Production or other status based on the settings done earlier.
      - Provisioning Allowed flag should be set to “Yes” for that system
      - Role Validity Period on the system should be current (valid) or should not be maintained
      - To change or update the validity period, select the system and click on the "Set Default Period" button
      - Change or update your validity period
      - Make sure PROV scenario has been maintained for the system. [Best practice is to link all the integration scenarios to every connector to avoid any discrepancies]

    Maintain below configuration parameters in the configuration settings.

    Regards,

    Madhu.
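
A pre-import check built from the checklist in the answer above, as an added example that is not part of the original posts or SAP's own tooling: it flags role/system pairs whose Role Status is not a production status or that lack a provisioning row with Provisioning Allowed = Y. It assumes the two sheets of the role import file were saved as CSV with the field labels quoted in this thread as headers; the connector names, role names and the `PRD` default are constructed.

```python
import csv
import io

# Constructed sample data. Column names are the field labels quoted in this
# thread; connector and role names are invented for the example.
ATTRIBUTES_CSV = """Role Name,Role Type,Role Status
Z_FI_DISPLAY,SIN,PRD
Z_MM_BUYER,SIN,PRD
Z_SD_CLERK,SIN,DEV
"""
PROVISIONING_CSV = """System,Provisioning Allowed,Role Name
QA_CONNECTOR,Y,Z_FI_DISPLAY
PRD_CONNECTOR,Y,Z_FI_DISPLAY
QA_CONNECTOR,Y,Z_MM_BUYER
PRD_CONNECTOR,N,Z_MM_BUYER
QA_CONNECTOR,Y,Z_SD_CLERK
"""

def _rows(text):
    # Parse CSV text into dicts with whitespace-trimmed values.
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def check_roles(attributes_csv, provisioning_csv, systems,
                production_statuses=("PRD",)):
    """Return {(role, system): [reasons]} for every role/system pair that
    fails a check from the answer's checklist; pairs that pass are omitted."""
    status = {r["Role Name"]: r["Role Status"].upper() for r in _rows(attributes_csv)}
    allowed = {(r["Role Name"], r["System"]): r["Provisioning Allowed"].upper()
               for r in _rows(provisioning_csv)}
    problems = {}
    for role, role_status in status.items():
        for system in systems:
            reasons = []
            if role_status not in production_statuses:
                reasons.append(f"role status {role_status} is not a production status")
            flag = allowed.get((role, system))
            if flag is None:
                reasons.append("no provisioning row for this system")
            elif flag != "Y":
                reasons.append(f"Provisioning Allowed is {flag}, not Y")
            if reasons:
                problems[(role, system)] = reasons
    return problems

if __name__ == "__main__":
    found = check_roles(ATTRIBUTES_CSV, PROVISIONING_CSV, ["QA_CONNECTOR", "PRD_CONNECTOR"])
    for (role, system), reasons in sorted(found.items()):
        print(f"{role} on {system}: {'; '.join(reasons)}")
```

Pass `production_statuses` the statuses that have the PRODUCTION STATUS checkbox ticked in your own Maintain Role Status configuration.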


  • Former Member
    Jan 20, 2014 at 11:06 AM

    Running full sync jobs resolved the issue.
