on 06-30-2016 6:28 PM
Hello Experts,
I am able to upload/import the roles in GRC 10.1(SP12) from the ECC production system. All the Single roles are getting imported successfully but some of the roles say it does not exists. I did all the below steps but still its not working.
1. Generated the roles.
2. REP obj Sync Full/ Incremental.
3. Role status production/ PRD and complete.
4. Import file does not have any problem because 99% of the other roles got uploaded correctly and have no issues.
5. Role system validity is checked.
6. Role exists in the ECC prod. system, its picking up the profile name/description correctly.
Even after all these step still there are some roles which are under role exists status as 'No'.
Please can someone help me in resolving this issue.
Thanks,
The issue is resolved. Thanks Manju for the table pointers.
This GUID mismatch occurred because the connector and the source system selected while importing the roles first time was different than what i was selecting for new connector group. There were several business roles which had these roles.
When i imported this with the new connector group and new source. GRC was unable to find the role in table GRACRLCONN. As there is only one entry per system for the role.
1. I had to delete all the associated business roles first then Derived roles and then Master role.
2. Run REP sync.
3. Import the single task(both Master and derived roles).
4. Import the business role and then the issue would be fixed.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Ram,
If the roles exist in the back end system and the import is successful, running a repository object sync in full mode for the correct connector should change the Role exists status from NO to YES in BRM.
Try the following
1. Re-import the roles with no white spaces and Overwrite existing Role as Y
2. If you do not wish to maintain authorizations in BRM and use the role only for selection in access request then use Skip as the role authorization source while doing the role import
3. Once imported successfully run a full repository object sync for the correct connector and check if the role exists status changes from NO to YES.
4. Check whether the role exists in GRACROLE and GRACRLCONN tables.
Regards,
Manju
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Manju,
Thanks for the pointers.
The role exists in GRACROLE and GRACRLCONN. But the GUIDs are not matching.
Scenario:Here ECCPRD is my connector common to both the connector groups 1 & 2
Table GRACROLE
Role 1 [GUID(XX)] -> (ECCPRD) ConnectorGrp1
Role 1 [GUID(YY)] -> (ECCPRD) ConnectorGrp2
Table GRACRLCONN
Role 1 [AC_REF_ROLEID(XX)] -> ECCPRD
As there is only one entry in the table GRACRLCONN for GUID(XX) for Connector Grp1
then role exists field is 'Yes' for Connector Grp1 and 'No' for ConnectorGrp 2
Problem:
I want to remove the role from connector group 1. Please let me know if i can do this, without deleting the PFCG role in the backend.
Hi Ram,
For removing the role from connector group 1, Go to NWBC -> Access Management -> Role Maintanence -> Role Search
Search for "Role 1" and you should see 2 results.
Select the Role with landscape Connector group 1 and Delete.
In the confirmation dialog select NO to delete the role only in BRM(front end) and not in PFCG.
Hope this helps.
Regards,
Manju
P.S : Can you also let us know the purpose of assigning connector(ECCPRD) to 2 different groups.
Hi,
The GUIDs will match for 1 connector and not across Connectors, for the same role.i understand that removal of role was not the original requirement. Is the original problem resolved.
Does 'Role exists' appear as 'Yes', when role is removed for one of the connectors.
Could you check your GRCPINW SP level on ECC. Does it have the required version/patch for GRC 10.1 SP12
Regards
plaban
Hi Manju,
Thanks for the help.
There were 3 systems in the scope before, for Connector Grp 1 and now it was reduce to only 2 systems. But i dont want to delete the connector grp 1 as there are still some users/roles using connector grp 1. Is there a possiblity that the GUID/role id can be changed like below
I want the GUID (XXXB4812E)of the row 2 from the table GRACRLCONN to be reflected in the row 2 of the table GRACROLE
For grp2 it says the role does not exists. For grp 1 it says the role exists, as the GUID matches.
I re-imported role 1 for GRP2 with connector QTY but still the role id in table GRACROLE has some other value. It should be (XXXB4812E) in order for it to show role exists as 'Yes'.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.