Access Request Management (ARQ) Debugging Scenarios - Governance, Risk and Compliance - SCN Wiki


  • 8/10/2019 Access Request Management (ARQ) Debugging Scenarios - Governance, Risk and Compliance - SCN Wiki


    Added by Luciana Ullmann, last edited by Luciana Ullmann on Oct 08, 2014


    Access Request Management (ARQ) Debugging scenarios

    Purpose

    The purpose of this page is to provide numerous debugging points, along with analysis of case scenarios whenever possible.

    Overview

    General tips to help in troubleshooting incidents

    Access Request - custom fields

    Access Request - Other Actions

    Access Request - Reject

    Access Request - retrieve user details

    Access Request - role validity date

    Access Request - user ID search via: OVS, F4, or pressing ENTER

    Custom fields - properties

    Default roles - REQUEST LEVEL

    Default roles - ROLE LEVEL

    End User Logon - authentication ds

    End User Logon - get user email for notification

    End User Logon - select systems

    GRAC_MSMP_DETOUR_SODVIOL

    LDAP - Check user details

    Mitigation Control - get mit assignments

    Mitigation Control - system list

    MSMP Versioning - checking

    Provisioning - engine

    Provisioning - to UME Portal

    Provisioning - Assign objects in plugin

    PSS - select System dropdown

    Template Management - saving

    User Defaults

    Search Request criteria

    Field mapped for Action 5 (HR Trigger) - check if mapping is correct

    Content

    Access Request - custom fields

    To troubleshoot custom fields, for example why they are not coming from the user details data source or why they are not populating the access request field:

    1) Verify if the customer field mapping is okay:

    Check notes 1736168 and 1676224 (just to verify if custom field is created correctly)

    Spro>GRC>Access Control>Maintain actions for connector groups>Maintain group field mapping, custom field should be mapped.

    2) Verify if the custom field is coming from the detail data source; see Internal wiki: retrieve User details

    ess Request Management (ARQ) Debugging scenarios - Governance... http://wiki.scn.sap.com/wiki/display/GRC/Access+Request+Manageme...

    26 07-01-2015 6:15 PM


    3) Verify if the custom field is getting filled in the request screen. Set a breakpoint at:

    CL_GRAC_AD_ACCESS_MGMT_LDAP (if LDAP data source)

    CL_GRAC_AD_ACCESS_MGMT_RFC (if su01 data source)

    CL_GRAC_AD_ACCESS_MGMT_WS (if webservices)

    Method: FILL_ADSTRUCTURE

    Access Request - Other Actions

    Debug this piece of code to check "Other Actions" sub-menu, for instance, why FORWARD is not appearing, or why REJECT REQUEST option is not ap

    SE80

    Webdynpro component: GRAC_UIBB_ACCREQ_APPROVAL

    Method: SET_UI_ACTION


    After checking which actions are allowed, the next step sets the "Other Actions" button and the submenu of allowed actions:

    SE80

    Webdynpro component: GRAC_UIBB_ACCREQ_APPROVAL

    Method: SET_BUTTON_STATE

    Access Request - Reject

    Debug action REJECT from access request:


    Webdynpro Component: GRAC_UIBB_ACCREQ_APPROVAL

    Method: SET_UI_ACTION


    Access Request - retrieve user details

    In Access Request screen, after the user is searched, the details are brought to the screen:

    SE80

    Webdynpro component: GRAC_UIBB_ACCESS_REQUEST

    Class: FILL_USER_DETAILS

    If parameter 5023 is set to YES, then the call is for

    cl_grac_user_rep=>retrieve_realtime_user_all

    If parameter 5023 is set to NO, then the call is for

    cl_grac_user_rep=>retrieve_realtime_user

    Once in the desired method (according to 5023), press F8 to run it, and provide the user ID to check which details are being collected from the data sources:


    Access Request - role validity date

    Debug how the role validity dates are populated in access request line item:

    Webdynpro component: GRAC_UIBB_ACCESS_REQUEST

    Method: ON_ROLE_BROWSE_COLLECT_SELECT

    Access Request - user ID search via: OVS, F4, or pressing ENTER

    If you enter userID and press ENTER, the application will perform a real user search based on the search data sources and their corresponding sequ

    If you press F4 or click on the OVS icon, the application will perform a search directly in the repository tables (GRACUSER and GRACUSERCONN).

    Parameter 2050 will force F4/OVS to perform a real time search, whenever set to YES.

    Important classes:

    CL_GRAC_USER_REP=>RETRIEVE_USER_REALTIME

    CL_GRAC_USER_REP=>RETRIEVE_USER_REALTIME_ALL (if details must be fetched from multiple sources)

    cl_grac_user_rep=>retrieve_user

    Check parameter 2050 (Enable Realtime LDAP Search for Access Request User)


    To get Data sources:

    cl_grac_ad_util=>get_data_source_connector

    Get user List:

    cl_grac_ad_auth_mgm=>get_user_list

    Custom fields - properties

    To debug the behavior of properties (visibility, mandatory, editable) in custom fields:

    Class: CL_GRFN_UTIL_CDF

    Method: API_RETRIEVE_CUSTOMFIELD

    Default roles - REQUEST LEVEL


    Parameter 2009 is YES

    Parameter 2011 is REQUEST

    Parameter 2013 has the attribute

    Default roles - ROLE LEVEL


    Parameter 2009 is YES

    Parameter 2011 is ROLE

    Parameter 2013 has the attribute

    For example, a default role at role level should show at the time you select roles.


    End User Logon - authentication ds

    The authentication data source (ds) is checked upon logon via the End User Logon:

    GF2:

    https://ldai1gf2.wdf.sap.corp:44332/sap/bc/webdynpro/sap/grac_uibb_end_user_login?sap-client=200&sap-language=EN

    then


    then

    End User Logon - get user email for notification


    then


    then

    End User Logon - select systems


    GRAC_MSMP_DETOUR_SODVIOL

    Debugging detour rule GRAC_MSMP_DETOUR_SODVIOL

    Search for line items in the request that violate risks, and put them in the below:

    Now look at every line item and check whether the item violates the risk. If yes, it sets the result to DETOUR; if not, it leaves it empty so that the request continues in the same path.

    lv_detour.


    The check has different treatment for business roles, composite roles, or when 1073 is YES.


    The new event for the detour path/stage starts here. The agent in the detour stage is evaluated


    In parallel, my breakpoint in the agent code for the detour stage triggers

    It has different treatment if the line item that violates is a comp role

    Getting risk owners for the line items that violate (that took the detour)


    Rule agent executed

    LDAP - Check user details

    Execute se24

    enter class: CL_GRAC_AD_ACCESS_MGMT_LDAP

    method: IF_GRAC_AD_ACCESS_MGMT~GET_USER_DETAIL


    Line 255 shows the attributes mapped for LDAP

    Line 68 shows the mapping of fields between GRC and LDAP

    This can be cross-checked by executing transaction LDAP:

    Enter the user ID for the search:

    Replace SAMACCOUNTNAME with the user ID identifier that the customer uses; normally SAMACCOUNTNAME is used:

    In the example below, I am checking only the attribute "TITLE"; leave the attributes empty to see the complete LDAP record for the user.


    Mitigation Control - get mit assignments

    To get a list of mitigation controls shown in Risk Analysis inside Access Request.

    Used to troubleshoot issues such as why certain mitigation controls are not appearing.

    Class: CL_GRAC_SOD_MITIGATION

    Method: GET_OBJ_MIT_ASSIGNMENT

    Mitigation Control - system list


    Open access request

    Run risk analysis

    Click button "Mitigate Risk"

    The "Assign Mitigation Controls" screen has the System column. That list of systems comes from:

    SE80

    Webdynpro component: GRAC_MASS_MITIGATION

    Method: WDDOINIT

    Here it loads attribute MT_CONNECTORS with the list of systems from class cl_grac_api_cci_wrapper, method get_system_list.

    MSMP Versioning - checking

    One way to check the version used by an existing request against the latest version generated is shown below:

    Example: I have request 66. I will check version used when this request was created, by opening "Runtime Monitor" (tcode GRFNMW_DBGMONITOR_W

    In the above scenario, request 66 was created using version 33.

    Now, open tcode SE16, and check table called GRACMWCNSACRQV:

    Enter the stage ID, and compare both versions:

    Example: stage ID is "ZSECCOORDASSIGN" (stage name)


    search, and compare configuration for the desired versions!

    Provisioning - engine

    Get global and system provisioning config:

    cl_grac_access_request_util->get_global_prov_config

    cl_grac_access_request_util->GET_SYSTEM_PROV_CONFIG

    Determine agents and update status of line items:

    cl_grfn_msmp_wf_template_base->_determine_agents

    cl_grfn_msmp_wf_template_base->update_li_status_pending

    Perform request actions (create_user, change_user, etc)

    CL_GRAC_PROVISIONING_ENGINE->PERFORM_REQ_ACTION

    Provisioning action:

    CL_GRAC_PROVISIONING_ENGINE->ASSIGN_ROLES

    CL_GRAC_PROVISIONING_ENGINE->PROVISION

    CL_GRAC_PROVISIONING_ENGINE->CREATE_USER

    CL_GRAC_PROVISIONING_ENGINE->CHANGE_USER

    CL_GRAC_PROVISIONING_ENGINE->ASSIGN_OBJECT

    CL_GRAC_PROVISIONING_ENGINE->CHANGE_ELSE_CREATE_USER


    Provisioning - to UME Portal

    CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>IF_GRAC_AD_ACCESS_MGMT~RESET_USR_PWD

    CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>IF_GRAC_AD_ACCESS_MGMT~CHANGE_USER

    CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>IF_GRAC_AD_ACCESS_MGMT~CREATE_USER

    CL_GRAC_AD_ACCESS_MGMT_IDM_OB=>ASSIGN_OBJECT_TO_USER

    together with

    CL_GRAC_PROVISIONING_ENGINE=>CHANGE_ELSE_CREATE_USER

    CL_GRAC_PROVISIONING_ENGINE=>CREATE_USER

    CL_GRAC_PROVISIONING_ENGINE=>CHANGE_USER

    Provisioning - Assign object in Plugin

    When Provisioning objects to the plugins, the application will take either one of these actions: add, keep (no actual provisioning is done) or remove the ob

    The following methods are the top ones, used in the Plugin systems to take the respective action above:

    Non HR plugin Systems:

    /GRCPI/CL_GRIA_NHROBJ->ASSIGN_OBJECT_NH

    /GRCPI/CL_GRIA_NHROBJ->ADD_ROLE_USER

    /GRCPI/CL_GRIA_NHROBJ->DEL_ROLE_USER

    In HR Plugin Systems:

    /GRCPI/CL_GRIA_HR->ASSIGN_OBJECT_HR

    /GRCPI/CL_GRIA_HR->GET_INFOTYPE_TABLE

    /GRCPI/CL_GRIA_HR->GET_POS_ROLE

    /GRCPI/CL_GRIA_HR->GET_ORG_VALUES

    /GRCPI/CL_GRIA_HR->GET_USERS_FOR_OBJECTS

    /GRCPI/CL_GRIA_HR->GET_USER_PERNR_COMP_HR

    PSS - select System dropdown

    Select System drop down in PSS, step 3:

    CL_GRAC_PWD_SELFSERVICE->GETUSR_SYSINFO

    Authorization check: GRAC_SYS where:

    GRAC_SYSID is the connector being passed

    ACTVT is 78

    GRAC_APPTY is 001

    GRAC_ENVRM is the environment of the connector from connector details
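
    To reproduce this check outside the debugger, the following added example (not SAP-delivered code and not from the original page) runs the same GRAC_SYS authorization check for a given user and connector. The report name, parameter names and field lengths are assumptions; the authorization object, field names and fixed values are the ones listed above.

```abap
REPORT z_check_grac_sys.
" Added example: report name, parameter names and lengths are assumptions.

PARAMETERS: p_user  TYPE sy-uname DEFAULT sy-uname, " user who opens PSS
            p_sysid TYPE c LENGTH 40 OBLIGATORY,    " connector being passed
            p_envrm TYPE c LENGTH 40 OBLIGATORY.    " environment from connector details

START-OF-SELECTION.

  " Same field values as the check listed for the Select System dropdown
  AUTHORITY-CHECK OBJECT 'GRAC_SYS'
    FOR USER p_user
    ID 'GRAC_SYSID' FIELD p_sysid
    ID 'ACTVT'      FIELD '78'
    ID 'GRAC_APPTY' FIELD '001'
    ID 'GRAC_ENVRM' FIELD p_envrm.

  " Interpret the standard AUTHORITY-CHECK return codes
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Authorized: the check passes for connector', p_sysid.
    WHEN 4.
      WRITE: / 'Not authorized: GRAC_SYS is assigned, but its values do not cover this combination.'.
    WHEN 12.
      WRITE: / 'Not authorized: the user has no authorization for object GRAC_SYS at all.'.
    WHEN 40.
      WRITE: / 'Invalid user ID passed to FOR USER:', p_user.
    WHEN OTHERS.
      WRITE: / 'Unexpected return code:', sy-subrc.
  ENDCASE.
```

    A return code of 4 points to the field values of the assigned role (connector, environment or activity), while 12 means the role does not contain the object at all.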


    Template Management - saving

    Issues saving templates:

    Items not saved properly:

    check this:


    checking XML content:

    CL_GRAC_ACCESS_REQUEST_UTIL->SERIALIZE_TO_XML

    double click variable in line 32:

    R_XML

    change View to "Text in Browser"

    "The XML page cannot be displayed" message appears. Right-click on page content (anywhere basically) and choose "View Source"

    User Defaults

    CL_GRAC_PROVISIONING_ENGINE=>CREATE_USER

    then

    cl_grac_rules=>process_user_default_rules

    and

    cl_grac_access_req_userdefault=>get_user_defaults

    Search Request criteria


    Class: CL_GRAC_FEEDER_REQUEST_SEARCH

    Method: IF_FPM_GUIBB_SEARCH~GET_DEFINITION

    Each MSMP process ID (below) has a related SE11 structure. For current details of what criteria fields are available to be used in the search request scr

    respective structure. If a field is not present in one of the structures and you wish to have that field available, please create an enhancement request, as p

    User Access Review

    Structure: GRAC_S_UAR_SEARCH_PARAM

    SOD Review

    Structure: GRAC_S_SOD_SEARCH_PARAM

    Access Request and Access Request HR

    Structure: GRAC_S_REQUEST_SEARCH_PARAM

    Default

    Structure: GRAC_S_BASE_SEARCH_PARAM

    Field mapped for Action 5 (HR Trigger) - check if mapping is correct

    Useful breakpoints:

    Class: CL_GRAC_AD_FIELD_MAP_UTIL

    Method: GET_GROUP_FLD_MAP

    and

    Class: CL_GRAC_AD_ACCESS_MGMT_RFC

    Method: IF_GRAC_AD_ACCESS_MGMT~GET_EMPLOYEE_DETAILS

    Look for call to plugin:

    CALL FUNCTION if_grac_ad_out_grcpi_types=>c_gria_get_employee_details

    and review IMPORT variable called et_infty_fld_value, to see if mapped field is being interpreted correctly.

    Related Content


    Related Documents

    Related Notes

    2 Child Pages

    Code check: User Details not retrieved on Access Request submission

    How to fetch details from non-standard Infotype ->Subtype from SAP HR system

    2 Comments

    jayasimha chandra

    Amazing wiki, great job.

    Luciana Ullmann

    Thank you for the appreciation. Let us know of any scenario you would like to know how to debug, and we will add it here. Regards,
