How to archive in GRC Access Control 10.

Customer would like to archive requests or logs in GRC Access Control 10.0

Resolution

Use Transaction SARA to archive Access Control 10.0 objects. The following are
objects to archive

GRFNMSMP - Archiving for GRC AC 2010 Requests

SPM_AU_LOG - SPM Audit Log Archive
SPM_CH_LOG - Change Log Archive
SPM_OC_LOG - SPM OS Command Log Archiving
SPM_SY_LOG - SPM System Log Archival

Steps to archive:

1. Select the archiving object you want to archive in SARA

2. Clicked on Write
3. Create variant
4. Select "Maintain"
5. Specify the dates from which you want to archive the data
6. Click on the start date
7. Specify as immediate
8. Specify the spool parameter and check (possible to leave spool field empty)
9. Execute
10. Archiving job has started

Read archived file by select the read option in SARA Transaction

How are lines and columns linked in a BRFplus initiator decision table?
A column to a column through a logical AND

Your customer has created a custom transaction code ZFB10N by copying transaction
FB10 and implementing a user exit.
How can you incorporate the customer enhancement into the global rule set so that it will
be available for Risk Analysis?

Update all relevant functions with ZFB10N, maintain the permission values for all relevant
authorization objects, and generate the access rules
How to upload Rule files in Access Control 10.0 and 10.1

There are two options to upload Rule files in AC 10.0 and 10.1:

1. Via transaction GRAC_UPLOAD_RULES or

2. Via IMG in SPRO.

Resolution

There are two methods to upload rules into GRC 10.0 and 10.1 systems:
Method #1: Using GRAC_UPLOAD_RULES Transaction code:
1. Execute transaction "GRAC_UPLOAD_RULES".
2. Specify "System" name in System Selection.
3. In the Rule Set field, browse for rule set file name and click on open.
4. For Options, select "Append" if you have already imported some rule files and you want to
append new rules with existing one.
Select "Overwrite" if you want to overwrite the existing rules.
NOTE: Recommend to select "Append" option even if there are no prior rule files imported.
5. Click on Execute (F8).

Method #2: Using SPRO > IMG

1. Go to SPRO >SAP Reference IMG >Governance, Risk and Compliance >Access Control
>Access Risk Analysis >SoD Rules
2. Select Upload Rules.
3. Follow the above steps to upload the Rule files.

How to remove the unwanted Work Items from Work Inbox

You want to remove the old/dumping work items to be removed from the Work Inbox
of the Approver.
Some Work Items exist in the Work Inbox, which return Dump when the Approver
tries to open them. Now, the approver wants to delete such
Dumping Work Items.

Reproducing the Issue

Login to GRC 10.0 NWBC, as an Approver.
Goto My Home =>Work Inbox.
Click on any work item, you get a Dump (for some issue which has now been
resolved).
Now, you want to delete such dumping Work Items, so that they should not show
any further in the Approver's Work Inbox.
Cause
When the request was created, or Work item generated, there was an issue with the
Workflow, which returned the dump into the request.
Approver doesn't want to see any such request in Work Inbox, as these requests
cause confusion and are Obsolete.

Resolution

You would have to manually cancel all the dumping Work Items using their "External
Key Displ." or "External Key" (this is usually the request number Shown for Work
Item in Work Inbox), and cancel via program
"GRFNMW_MANUAL_INSTANCE_CANCEL" in transaction SE38 in the GRC 10.0
System. This has to be performed in the backend GRC Box as Administrator.

Once the particular Work Item is cancelled as above procedure, the Work Item will
be removed from the Work Inbox of the Approver.

Cancelling the requests stuck due to Workflow error

How to CANCEL the requests which are stuck in the Workflow in order to continue
the request building for the same Workflow type.
Program to cancel the requests.

Reproducing the Issue

Requests are stuck in the Workflow due to some error while processing. Instance
Status might be "Decision Pending" but once you open the request, it further shows
the Stage Status as "Error".

Resolution

There are two ways to cancel the requests:

1. Cancel Instance by searching the requests as Administrator from Access
Management tab in NWBC.
2. Another way is to use the program "GRFNMW_MANUAL_INSTANCE_CANCEL". This
is a supplement program to the CANCEL Instance functionality in above step. This
program will cancel the request and it will go into "Aborted" status, and you would
be able to raise a new request for the same Workflow type.
Use this program via transaction SE38 in GRC Box and provide the reference of the
MSMP Instance ID which you want to cancel.

Cross System SOD Analysis in AC 10.0

How to configure cross system SOD analysis in AC 10.0.

Resolution
1. Create a new connector group
SPRO => SAP Reference IMG=>Governance Risk and Compliance => Common
Component settings =>

Integration Framework => Maintain Connectors and Connection Type

Click Define Connector Groups section and then choose the New Entries pushbutton.
Enter Connection Group ID and Text
Select the Connection Type
Click Save then Back to return to Define Connector Groups screen
2. The types of Connector Groups are
SOD-LOG Logical Group
SOD-CROSS Cross System Group
AMF Automated Monitoring Framework
3. Click the New Entries pushbutton to assign a connector group type.
Repeat the above steps for section Assign Connectors to Connector Groups and
save your entry.
4. Assign the group type as Cross system.
5. Assign Connector Group to Group Types.
6. Click Define Connector Groups, Select the desired connector group to assign.
Double Click a connector group from the list and select the Assign Connector Groups
to Group Types section.
Click New Entries.
7. Select the Connector Group type(s) to assign
SOD-LOG Logical Group
SOD-CROSS Cross System Group
AMF Automated Monitoring Framework
Click the Save then Back to return to main screen.
8. Then assign those two connectors to group.
Assign Connectors to Connector Groups
Click Define Connector Groups, Select the desired connector group to assign.
9. Double click a connector group from the list and select the Assign Connectors to
Connector Groups section.
Click New Entries.
Enter Target Connectors to belong to the Group. The connection type will be filled in
if you hit enter to confirm.

10. Click the Save.

Maximum number of rules that can be generated

There is still a limit to the number of rules, but it's much larger than 46,655.
The way version 10.0 does the rule ID creation there can be a maximum of
1,679,616 rules per risk.
26 alpha characters + 10 numeric characters = 36 possible characters per field.
There are 4 fields
for the rule ID (the Risk ID is static).
In conclusion, the maximum number of rules for version 10.0 is 36*36*36*36 =
1,679,616.