
GRC AC 5.3 SP06 UME Logon Issue

Former Member
0 Kudos

Hi Guys,

A few people have found that when they try to log in to the Access Controls Landing page (https://<server>:<port>/webdynpro/dispatcher/sap.com/grc~acappcomp/ac) on GRC AC5.3 SP 06, the user cannot log in properly.

No error messages are shown at all. The user and password are just removed and the logon screen is just refreshed as if waiting for a user to log in.

It seems to be the case that this is related to a password change requirement, as if the user logs into the associated back end (ABAP stack) they are able to change the password. They are then able to log in to the Java side without issue!

I have looked at a few notes (e.g. 980646) but this does not seem to be appropriate for the Access Controls Landing Page.

Simon

Accepted Solutions (1)

Former Member
0 Kudos

This has also been an issue with the direct Compliance Calibrator (RAR) link too!

https://<Server>:<port>/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator

koehntopp
Product and Topic Expert
0 Kudos

It seems you're using a dual stack installation with user source ABAP.

Have you configured that as read-only? There are two ways to do that, which determines whether UME changes can propagate back to ABAP or not.

Sorry, don't have an exact pointer right now, I'm on the road...

Frank.

Former Member
0 Kudos

Hi Frank,

That sounds plausible. Any ideas on how to check the config and confirm if this is actually the case? I've logged into the NW Administrator area but the config looks correct. I cannot see anything in the Identity Mgt (UME) config area which suggests that Passwords cannot be changed from the web front end but if you have any further information on where this setting is stored, that would be great!

Thanks,

Simon

koehntopp
Product and Topic Expert
0 Kudos

Look here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm

· User ID: We recommend that you use the logon ID SAPJSF_. You can use any password.

· User Type: The user must be of type system.

· Authorization: The user requires authorizations for read access to user data, for authenticating remote users, and RFC authorizations.

As of release 6.20, the AS is shipped with two roles that provide the required authorizations. The role you use depends on whether changes to administrative data or creation of new users from the UME are required or not.

○ SAP_BC_JSF_COMMUNICATION_RO provides all authorizations for read access to user data, for authenticating remote users, and several low-level RFC authorizations. For example, users can still change their own password. This role provides sufficient authorization if you do not want to perform administrative changes from the UME: for example, add a new user or change a last name.

○ SAP_BC_JSF_COMMUNICATION is the same as the above role, but additionally provides authorization to modify and delete all user-related data.

Former Member
0 Kudos

Cheers Frank!

I've looked through the help files and checked the connecting user (SAPJSF...) and it is set up as a Service user with the required authorisations.

However, once a password change is required, this must still be done on the ABAP system when accessing the GRC AC homepage or the RAR direct link.

The help files seem to provide all of the information on how to configure the UME in general, including setting the security policies for passwords, but don't mention this particular constraint or issue!

Weird!

Simon

Former Member
0 Kudos

Hi Simon,

For a dual stack system, I too observed that the password can't be changed directly through the GRC Launchpad or a specific application component URL. However, apart from changing the password in ABAP, the user can also change the password through the UME link or any other n/w component link which forces the user to enter a password.

E.g., if a user accesses a specific link (http://<server url>/useradmin), at that time it prompts them to enter a new password if it is expired.

Regards,

Amol

Answers (0)