Skip to Content

GRC 10.1 single role not assigned

I have seen this question asked a number of times but no one seems to have an answer so I will ask again.

Tech Spec:

GRC 10.1 SP 16

GRCPINW V1100_731 SP18 Plug -in system

NOT a CUA environment.

I have gotten provisioning of a user to a single role to work but when Run the Repository synch job after the update and then try to remove the role that I just added to my test user I gett the dreaded "Single Role Z**** is not assigned to a user in System XXXXXX. The Remove action cannot be performed"

Again I have run the repository synch job and it allows me to see the role on the user and select it to be removed but I still get the error.

I have given my RFC ID's SAP_ALL/NEW just to ensure it is not a rights issue.

I am not getting any errors in SLG1

I have defined my "Change" 02 request type and maintained the below actions.

I do not think it is an MSMP issue as I am not even able to get past the initial start of the selection process to initiate the Workflow.

All previous searches on this topic (which there are a few) refer to notes that have already been implemented in my environment as I am as the latest service pack level.

Any help at all would be appreciated.


remove-request.jpg (79.2 kB)
request-type.jpg (21.2 kB)
Add comment
10|10000 characters needed characters exceeded


    I have also confirmed that the Role_ID in teh GRACRLCONN table is assigned to the user for that connector in the GRACUSERROLE table.

    So even though in NWBC the chance user screen is stating that the role is not assigned, the tables specifically show that this is not the case. It would seem to me that this is a program bug.

    I have also run the comparison report that shows that the role is assigned to the user.

    role-match.jpg (209.1 kB)
  • Follow
  • Get RSS Feed

3 Answers

  • Best Answer
    Jun 27, 2017 at 08:11 PM

    Ramesh, thank you for the comments but this was resolved by another issue.

    I was following a combination of notes from Class and the online community on how to set up AD LDAP for GRC requests and in one of those documents it stated you needed to maintain the User Data Type as "SU01" in the "User Search Data Sources".

    This is in correct because SU01 refers to the ABAP system which states that all entries in the Table are upper case. When I typed in the users ID in the Access request in Upper Case this issue went away.

    The problem is that all of the users Active Directory ID's are in lower case or mixed case.

    The resolution from SAP was to remove the "SU01" from the User Data Type entry so that it would not convert to upper case and use what came out of LDAP.

    This resolved the issue and I am now able to removed/add/update role assignments.

    grc10.jpg (42.9 kB)
    Add comment
    10|10000 characters needed characters exceeded

  • Jun 27, 2017 at 06:12 PM

    Hi Michael,

    Can you delete the action 09 - remove for the request type 2 (change account).



    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Feb 15, 2018 at 10:02 PM

    Hi Michael

    Thank you for your notes above!!

    I had a similar issue where I was not able to submit a "Role Removal " Request wherein the user had the role assigned in back end SAP and it as well was synced through synchronization jobs . I could pull up the assignment in "Access request" screen ,however, was not able to remove it.

    I entered user ID in upper case and I was able to submit the role removal request

    However, when I check my settings " User Search Data Sources" , the entry for data type is already "blank".


    I will keep searching for answer but let me know if you have any inputs. Thank you!!- Bharati

    setting.jpg (41.9 kB)
    Add comment
    10|10000 characters needed characters exceeded

    • sorry for the late response. Bharati, make sure that, that User Data Type is empty in all of those Dialog Structures and that the End user verification is set to "YES"

      IF that does not work then also make sure your LDAP entry 2052 is set to YES and also that your Param ID 2050 is set to YES.

      You also have to ensure that the "Risk Analysis" Paramater 1046 has your LDAP connection entered in the parameter value.