8/10/2019 Access Request Management (ARQ) Debugging Scenarios - Governance, Risk and Compliance - SCN Wiki
Added by Luciana Ullmann, last edited by Luciana Ullmann on Oct 08, 2014
Access Request Management (ARQ) Debugging scenarios
Purpose
The purpose of this page is to provide numerous debugging points, and analysis of case scenarios whenever possible.
Overview
General tips to help in troubleshooting incidents
Access Request - custom fields
Access Request - Other Actions
Access Request - Reject
Access Request - retrieve user details
Access Request - role validity date
Access Request - user ID search via: OVS, F4, or pressing ENTER
Custom fields - properties
Default roles - REQUEST LEVEL
Default roles - ROLE LEVEL
End User Logon - authentication ds
End User Logon - get user email for notification
End User Logon - select systems
GRAC_MSMP_DETOUR_SODVIOL
LDAP - Check user details
Mitigation Control - get mit assignments
Mitigation Control - system list
MSMP Versioning - checking
Provisioning - engine
Provisioning - to UME Portal
Provisioning - Assign objects in plugin
PSS - select System dropdown
Template Management - saving
User Defaults
Search Request criteria
Field mapped for Action 5 (HR Trigger) - check if mapping is correct
Content
Access Request - custom fields
To troubleshoot why custom fields are not coming from the user details data source, or why they are not populating the access request field:
1) Verify that the custom field mapping is okay:
Check notes 1736168 and 1676224 (just to verify that the custom field is created correctly)
SPRO > GRC > Access Control > Maintain actions for connector groups > Maintain group field mapping: the custom field should be mapped.
2) Verify that the custom field is coming from the detail data source (see internal wiki: retrieve User details)
3) Verify that the custom field is getting filled in the request screen. Set a breakpoint at:
CL_GRAC_AD_ACCESS_MGMT_LDAP (if LDAP data source)
CL_GRAC_AD_ACCESS_MGMT_RFC (if su01 data source)
CL_GRAC_AD_ACCESS_MGMT_WS (if webservices)
Method: FILL_ADSTRUCTURE
Access Request - Other Actions
Debug this piece of code to check "Other Actions" sub-menu, for instance, why FORWARD is not appearing, or why REJECT REQUEST option is not ap
SE80
Webdynpro component: GRAC_UIBB_ACCREQ_APPROVAL
Method: SET_UI_ACTION
After checking which actions are allowed, the button "Other Actions" and the submenu of allowed actions are set:
SE80
Webdynpro component: GRAC_UIBB_ACCREQ_APPROVAL
Method: SET_BUTTON_STATE
Access Request - Reject
Debug action REJECT from access request:
Webdynpro Component: GRAC_UIBB_ACCREQ_APPROVAL
Method: SET_UI_ACTION
Access Request - retrieve user details
In Access Request screen, after the user is searched, the details are brought to the screen:
SE80
Webdynpro component: GRAC_UIBB_ACCESS_REQUEST
Class: FILL_USER_DETAILS
If parameter 5023 is set to YES, the call is for
cl_grac_user_rep=>retrieve_realtime_user_all
If parameter 5023 is set to NO, the call is for
cl_grac_user_rep=>retrieve_realtime_user
Once in the desired method (according to 5023), press F8 to run it, and provide the user ID to check which details are being collected from the data sources:
Access Request - role validity date
Debug how the role validity dates are populated in access request line item:
Webdynpro component: GRAC_UIBB_ACCESS_REQUEST
Method: ON_ROLE_BROWSE_COLLECT_SELECT
Access Request - user ID search via: OVS, F4, or pressing ENTER
If you enter userID and press ENTER, the application will perform a real user search based on the search data sources and their corresponding sequ
If you press F4 or click on the OVS icon, the application will perform a search directly in the repository tables (GRACUSER and GRACUSERCONN).
Parameter 2050 will force F4/OVS to perform a real time search, whenever set to YES.
Important classes:
CL_GRAC_USER_REP=>RETRIEVE_USER_REALTIME
CL_GRAC_USER_REP=>RETRIEVE_USER_REALTIME_ALL (if details must be fetched from multiple sources)
cl_grac_user_rep=>retrieve_user
Check parameter 2050 (Enable Realtime LDAP Search for Access Request User)
To get Data sources:
cl_grac_ad_util=>get_data_source_connector
Get user List:
cl_grac_ad_auth_mgm=>get_user_list
Custom fields - properties
To debug the behavior of properties (visibility, mandatory, editable) in custom fields:
Class: CL_GRFN_UTIL_CDF
Method: API_RETRIEVE_CUSTOMFIELD
Default roles - REQUEST LEVEL
Parameter 2009 is YES
Parameter 2011 is REQUEST
Parameter 2013 has the attribute
Default roles - ROLE LEVEL
Parameter 2009 is YES
Parameter 2011 is ROLE
Parameter 2013 has the attribute
For example, a default role at role level should show at the time you select roles.
End User Logon - authentication ds
The authentication data source (ds) is checked upon logon via the End User logon:
GF2:
https://ldai1gf2.wdf.sap.corp:44332/sap/bc/webdynpro/sap/grac_uibb_end_user_login?sap-client=200&sap-language=EN
End User Logon - get user email for notification
End User Logon - select systems
GRAC_MSMP_DETOUR_SODVIOL
Debugging detour rule GRAC_MSMP_DETOUR_SODVIOL
The code searches for line items in the request that violate risks, and puts them in the below:
It then looks at every line item and checks whether the item violates the risk. If yes, it sets the result to DETOUR; if not, it leaves it empty so the request continues in the same path
lv_detour.
The check has different treatment for business roles, composite roles, or when 1073 is YES.
Here the new event for the detour path/stage starts. The agent in the detour stage is evaluated.
In parallel, my breakpoint in the agent code for the detour stage triggers
It has different treatment if the line item that violates is a composite role
Getting risk owners for the line items that violate (that took the detour)
Rule agent executed
LDAP - Check user details
Execute se24
enter class: CL_GRAC_AD_ACCESS_MGMT_LDAP
method: IF_GRAC_AD_ACCESS_MGMT~GET_USER_DETAIL
Line 255: shows the attributes mapped for LDAP
Line 68: shows the mapping of fields between GRC and LDAP
This can be cross-checked by executing transaction LDAP:
Enter the user ID for the search:
Replace SAMACCOUNTNAME with the correct user ID identifier used by the customer; normally SAMACCOUNTNAME is used:
In the example below, I am checking only attribute "TITLE", but leave the attributes empty to see the complete user LDAP record.
Mitigation Control - get mit assignments
To get a list of mitigation controls shown in Risk Analysis inside Access Request.
Used to troubleshoot issues such as why certain mitigation controls are not appearing
Class: CL_GRAC_SOD_MITIGATION
Method: GET_OBJ_MIT_ASSIGNMENT
Mitigation Control - system list
Open access request
Run risk analysis
Click button "Mitigate Risk"
The "Assign Mitigation Controls" screen has the System column. That list of systems comes from:
SE80
Webdynpro component: GRAC_MASS_MITIGATION
Method: WDDOINIT
Here it loads attribute MT_CONNECTORS with the list of systems from class cl_grac_api_cci_wrapper, method get_system_list.
MSMP Versioning - checking
A way to check versioning of an existing request, compared against the latest version generated is below:
Example: I have request 66. I will check version used when this request was created, by opening "Runtime Monitor" (tcode GRFNMW_DBGMONITOR_W
In the above scenario, request 66 was created using version 33.
Now, open tcode SE16, and check table called GRACMWCNSACRQV:
Enter the stage ID, and compare both versions:
Example: stage ID is "ZSECCOORDASSIGN" (stage name)
Search, and compare the configuration for the desired versions.
Provisioning - engine
Get global and system provisioning config:
cl_grac_access_request_util->get_global_prov_config
cl_grac_access_request_util->GET_SYSTEM_PROV_CONFIG
Determine agents and update status of line items:
cl_grfn_msmp_wf_template_base->_determine_agents
cl_grfn_msmp_wf_template_base->update_li_status_pending
Perform request actions (create_user, change_user, etc)
CL_GRAC_PROVISIONING_ENGINE->PERFORM_REQ_ACTION
Provisioning action:
CL_GRAC_PROVISIONING_ENGINE->ASSIGN_ROLES
CL_GRAC_PROVISIONING_ENGINE->PROVISION
CL_GRAC_PROVISIONING_ENGINE->CREATE_USER
CL_GRAC_PROVISIONING_ENGINE->CHANGE_USER
CL_GRAC_PROVISIONING_ENGINE->ASSIGN_OBJECT
CL_GRAC_PROVISIONING_ENGINE->CHANGE_ELSE_CREATE_USER
Provisioning - to UME Portal
CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>IF_GRAC_AD_ACCESS_MGMT~RESET_USR_PWD
CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>IF_GRAC_AD_ACCESS_MGMT~CHANGE_USER
CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>IF_GRAC_AD_ACCESS_MGMT~CREATE_USER
CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>ASSIGN_OBJECT_TO_USER
together with
CL_GRAC_PROVISIONING_ENGINE=>CHANGE_ELSE_CREATE_USER
CL_GRAC_PROVISIONING_ENGINE=>CREATE_USER
CL_GRAC_PROVISIONING_ENGINE=>CHANGE_USER
Provisioning - Assign object in Plugin
When Provisioning objects to the plugins, the application will take either one of these actions: add, keep (no actual provisioning is done) or remove the ob
The following methods are the top ones, used in the Plugin systems to take the respective action above:
Non HR plugin Systems:
/GRCPI/CL_GRIA_NHROBJ->ASSIGN_OBJECT_NH
/GRCPI/CL_GRIA_NHROBJ->ADD_ROLE_USER
/GRCPI/CL_GRIA_NHROBJ->DEL_ROLE_USER
In HR Plugin Systems:
/GRCPI/CL_GRIA_HR->ASSIGN_OBJECT_HR
/GRCPI/CL_GRIA_HR->GET_INFOTYPE_TABLE
/GRCPI/CL_GRIA_HR->GET_POS_ROLE
/GRCPI/CL_GRIA_HR->GET_ORG_VALUES
/GRCPI/CL_GRIA_HR->GET_USERS_FOR_OBJECTS
/GRCPI/CL_GRIA_HR->GET_USER_PERNR_COMP_HR
PSS - select System dropdown
Select System drop down in PSS, step 3:
CL_GRAC_PWD_SELFSERVICE->GETUSR_SYSINFO
Authorization check: GRAC_SYS where:
GRAC_SYSID is the connector being passed
ACTVT is 78
GRAC_APPTY is 001
GRAC_ENVRM is the environment of the connector from connector details
Template Management - saving
Issues saving templates:
Items not saved properly:
Check this:
checking XML content:
CL_GRAC_ACCESS_REQUEST_UTIL->SERIALIZE_TO_XML
double click variable in line 32:
R_XML
change View to "Text in Browser"
"The XML page cannot be displayed" message appears. Right-click on page content (anywhere basically) and choose "View Source"
User Defaults
CL_GRAC_PROVISIONING_ENGINE=>CREATE_USER
then
cl_grac_rules=>process_user_default_rules
and
cl_grac_access_req_userdefault=>get_user_defaults
Search Request criteria
Class: CL_GRAC_FEEDER_REQUEST_SEARCH
Method: IF_FPM_GUIBB_SEARCH~GET_DEFINITION
Each MSMP process ID (below) has a related SE11 structure. For current details of what criteria fields are available to be used in the search request scr
respective structure. If a field is not present in one of the structures and you wish to have that field available, please create an enhancement request, as p
User Access Review
Structure: GRAC_S_UAR_SEARCH_PARAM
SOD Review
Structure: GRAC_S_SOD_SEARCH_PARAM
Access Request and Access Request HR
Structure: GRAC_S_REQUEST_SEARCH_PARAM
Default
Structure: GRAC_S_BASE_SEARCH_PARAM
Field mapped for Action 5 (HR Trigger) - check if mapping is correct
Useful breakpoints:
Class: CL_GRAC_AD_FIELD_MAP_UTIL
Method: GET_GROUP_FLD_MAP
and
Class: CL_GRAC_AD_ACCESS_MGMT_RFC
Method: IF_GRAC_AD_ACCESS_MGMT~GET_EMPLOYEE_DETAILS
Look for call to plugin:
CALL FUNCTION if_grac_ad_out_grcpi_types=>c_gria_get_employee_details
and review IMPORT variable called et_infty_fld_value, to see if mapped field is being interpreted correctly.
2 Comments
jayasimha chandra
Amazing wiki, great job.
Luciana Ullmann
Thank you for the appreciation. Let us know of any scenario you would like to know how to debug, and we will add it here. Regards,