
28/05/2018 User Defaults – GRC 10.0 | SAP Blogs


User Defaults – GRC 10.0


October 7, 2014 | 5,293 Views |

Former Member

governance risk and compliance sap grc


Purpose of User Defaults:

https://blogs.sap.com/2014/10/07/user-defaults-grc-100/ 1/31

When a new user is created in the target system, all users of that system
might require a few common user defaults such as Logon Language, Time Zone,
Decimal Notation, Date Format, Parameters, etc. When a user is created
through GRC, these user defaults can be assigned to the user based on the
request type.

By including user defaults as part of the request type (mostly New Account),
the user gets created with the required user defaults in the target system.

Important SAP notes regarding User Defaults to refer to before configuring
User Defaults:

1615552 – GRC 10.0 How to set User Default

1665585 – User Defaults BRF+ rule not working correctly

2020712 – UAM: User group not provisioned after request provisioning

Steps to Implement User Defaults:

Step 1: Maintain “User Defaults” action as part of your Request Type. My
Request Type 36 is for “New Account” and I have assigned “User Defaults” as
shown below.

SPRO => Governance, Risk and Compliance => Access Control => User Provisioning => Define Request Type


Step 2: Go to SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain User Defaults

Define User defaults for different connectors connected to your GRC system.
One example as shown below:

You can assign default User Group and default Parameters based on the
connector by using options “Set the User Group” and “Set Parameter ID” in
the above screen as per your requirement.


Once you define the User Defaults as mentioned above and save it, a unique
“Default-Id” gets created as shown below. This is the User Default Id which will
be used in BRF+ decision table while configuring User Defaults.

Step 3: Existing BRF+ User Defaults application “GRAC_BRFP_USER_DEFAULTS”
provided by SAP will be used during configuration of user defaults.


Copy the Function Id of USER_DEFAULT_FUNCTION from BRF+ application.


Now map the BRF+ Application for user defaults under the IMG configuration
shown below:

Go to IMG -> Governance, Risk and Compliance -> Access Control -> Maintain AC Applications and BRFPlus Function Mapping


Step 4: Add Decision Table and Loop expression to BRF+ User Defaults
function as shown below:

Decision Table: In the decision table maintain entries as shown below

Loop: To use “System” as one of the fields when setting the conditions for User
Defaults, SAP suggests implementing a LOOP in the BRF+ rule. This might be
needed because the “System” field is not available under the Request Header
attributes; it is available under the Role Attributes, which are passed as
line-item fields when the BRF+ rule is called. In such cases a LOOP is the
suggested solution rather than using the Decision Table directly, although
within the LOOP we can still call the Decision Table or implement IF/ELSE
conditions.

Step 1:

Change the Mode of the BRF+ User Defaults Function from “Functional and Event
Mode” to “Event Mode”


Now click on “Assigned Rule sets” tab in Function and click on “Create Ruleset”


Ruleset gets created as shown below. Now click on the Ruleset and navigate to
Ruleset screen


Click on “Insert Rule” and select “Create” option as shown below


In the Rules screen, fill in the role description and click on “Add” button and select
the options as shown below


Once the above step is completed, the LOOP is created. Now navigate to the LOOP by
clicking on LOOP_CONNECTOR_ITEMS and you will see the screen below.


Once you click on “Create Rule”, you will get the below screen.

Select the decision table, as you want to LOOP on the entries in your
decision table. Once done, click on the “OK” button.


Ruleset: When a Function is in event mode, it looks for additional logic
execution depending on the Ruleset defined.


Once all above things are done, activate the Decision table, Loop, Ruleset,
Function and Application.

Step 5: Now create an Access Request to test the User Defaults. Once the
user is created, cross-check the User Defaults in SU01. If all the above
steps were followed properly, the User Defaults will be updated in SU01 as
shown below.


Reference Links:
http://wiki.scn.sap.com/wiki/display/GRC/Setting+up+User+Defaults


23 Comments

Former Member

October 7, 2014 at 10:43 am

Hi Madhu.

Is it possible to assign roles instead of user attributes (printer, parameters, etc…)
through the User Default functionality?

Regards and thank you.

Former Member Post author

October 13, 2014 at 4:09 am

Hi Sara,

As far as I know few actions like Sending Mail, Starting ABAP workflows etc
can be done from BRF+. I am not sure whether role assignment can be
done through an action in BRF+

Maybe you can check in BRF+ space for more details.

Regards,

Madhu.

Former Member

October 13, 2014 at 3:14 pm

Hi Madhu,


Really nice document. We were going up and down with the loop implementation
Your document helped!!!

Thanks

Sammukh

Former Member

November 21, 2014 at 6:25 am

Hi Madhu,

Very helpful document!

Can you please help on detailed steps to create Rules under Loop expression. Your
screenshot is at very high level and I’m facing hard time to get these rules created under
loop.

loop.JPG

Regards,

Yuvaraj

Former Member

January 19, 2015 at 5:09 pm

Hi Madhu,

This is a great document and it might address the issue we’re trying to solve.

Please note in this screenshot the field User Group. All we want to do is to have this be
retrieved from our user data source, instead of from the target system.

The above method seems to be overkill for what we want to achieve.

Capture.PNG

Thanks,

Santosh


Former Member

January 28, 2015 at 1:51 pm

Helpful document!

Took me about an hour to replicate therefore: screenshots on steps to create Rules
under Loop expression:

/wp-content/uploads/2015/01/loop_1_633271.jpg

next

/wp-content/uploads/2015/01/loop_2_633296.jpg

next

next


next

/wp-content/uploads/2015/01/loop_5_633299.jpg

next

/wp-content/uploads/2015/01/loop_6_633300.jpg

finally (change is equal to: isnotinitially)

/wp-content/uploads/2015/01/loop_7_633301.jpg

Former Member

February 23, 2015 at 4:53 am

Hi Madhu,

Really appreciate your generosity in sharing this document. But could you also let know,
how to include values(create rules), as shown in loop and Ruleset.

Regards

Plaban


Former Member Post author

February 23, 2015 at 12:12 pm

Hi Plaban,

Please check comment prior to you where George has posted the
screenshots which I didn’t mention in blog. I will update the blog with
missing screenshots but for time being you can follow as mentioned by
George.

Regards,

Madhu.

Former Member

March 14, 2015 at 1:46 am

Hello Madhu,

Hope you are doing good. Thanks a lot for all the time you are
investing to share tons of knowledge on GRC AC 10.0.

Can you explain this? Not able to understand

Loop: For using “System” as one of the fields in setting
the conditions for User Defaults, SAP suggested for
implementing a LOOP in BRF+ Rule. This might be
needed since “System” field is not available under
Request Header attributes, rather it is available as Role
Attributes which are called as line-item fields while
calling the BRF Rule. So, in such cases LOOP is a
suggested solution, rather than using the Decision Table
directly. Though within the LOOP, we can still call the
Decision Table or implement IF/ELSE conditions.

Thanks in advance.

Regards,


Deepak M

Former Member Post author

March 14, 2015 at 5:26 am

Hi Deepak,

Basically the concept is if you use only decision
table it returns the matching value.

For example if your request has roles from 3
different systems then for each system you will
have different User Default IDs, then your User
Defaults should return 3 default IDs. So, you need
to loop through all entries and return all matching
values.

Regards,

Madhu.
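
A small Python model of the behaviour described in the reply above and in the Loop paragraph of Step 4, added here as an illustration: it is not BRF+ code and not code from the post, and the connector names, role names and default IDs are constructed. It compares a single table evaluation with a loop over the request's line items, and adds a review check for systems that have no default mapped.

```python
# Constructed decision table: (connector, User Default ID).
# Rows are checked top-down and the first hit wins; a "*" row
# (none is used here) would act as a catch-all.
DECISION_TABLE = [
    ("ECC_PRD", "UD_0001"),
    ("BW_PRD", "UD_0002"),
    ("CRM_PRD", "UD_0003"),
]

# Constructed access request: "system" exists only on the line items,
# not on the request header.
REQUEST = {
    "request_type": "New Account",
    "items": [
        {"role": "Z_FI_DISPLAY", "system": "ECC_PRD"},
        {"role": "Z_BW_REPORT", "system": "BW_PRD"},
        {"role": "Z_CRM_AGENT", "system": "CRM_PRD"},
        {"role": "Z_HR_CLERK", "system": "HR_PRD"},
    ],
}

def lookup(system, table=DECISION_TABLE):
    """Return the default ID of the first matching row, or None."""
    for connector, default_id in table:
        if connector in ("*", system):
            return default_id
    return None

def single_evaluation(request):
    """Table evaluated once for the request: one value comes back."""
    for item in request["items"]:
        hit = lookup(item["system"])
        if hit is not None:
            return [hit]
    return []

def loop_over_items(request):
    """Table evaluated per line item: every matching ID is collected."""
    ids = []
    for item in request["items"]:
        hit = lookup(item["system"])
        if hit is not None and hit not in ids:
            ids.append(hit)
    return ids

def uncovered_systems(request):
    """Review check: systems in the request that no table row covers."""
    return sorted({i["system"] for i in request["items"]
                   if lookup(i["system"]) is None})

if __name__ == "__main__":
    print("single evaluation:", single_evaluation(REQUEST))
    print("loop over items:  ", loop_over_items(REQUEST))
    print("no default mapped:", uncovered_systems(REQUEST))
```

Running the same check against an export of the real decision table and connector list shows which target systems would receive users without any defaults before a test request is raised.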

Former Member

March 18, 2015 at 10:29 am

Hello Madhu,

As always the issue and the doubt is
resolved and am clear when LOOP
will be used.

Regards,

Deepak M

Former Member

May 3, 2015 at 9:33 am

Hi Madhu,


I tried, but could not understand. So, could you please clarify
my doubt:

– Function USER_DEFAULT_FUNCTION is calling
Ruleset, and Ruleset has the operation “Change
USER_DEFAULT_ID after processing expression
LOOP_CONNECTOR_ITEMS”.

So, could you say to which value will USER_DEFAULT_ID be
changed to, and what is meant by “after processing expression
LOOP_CONNECTOR_ITEMS”.

– I could not understand the logic of the loop.

/wp-content/uploads/2015/05/as_696993.png

– Also George’s screenshots are not in sequence. He first
adds condition ‘then’. Why not ‘if’?

Could you please suggest, as I have to review a User default
setting.

Regards

Plaban

Former Member

June 15, 2015 at 4:38 pm

Hi Madhu,

Using the above concept I was able to achieve User defaults for 3 test connectors.

How is this possible when there are 15 different time zones (so 15 User default IDs) and
44 different connectors?

Do we need to maintain 15 X 44 = 660 entries at both places:

i) SPRO –> GRC –> AC –> User Provisioning –> User defaults

ii) BRF+ decision table

I see that we can have asterisk (*) in Connector column in Decision table but not in SPRO.

Is there any other alternative for this?

Please advise.


Regards

Sri

Former Member

July 13, 2015 at 8:43 am

Excellent document Madhu.

Regards,

Venu

Former Member

July 13, 2015 at 11:34 am

Thank you for the document Madhu.

I need the user group in user system details tab given in ARM request to be reflected in
SU01 after provisioning, not the user group maintained in the User Defaults in SPRO for that
connector. How can I proceed on this?

Kind regards,

Trilok Kola

Former Member

July 31, 2015 at 3:11 pm

FYI…


I maintained… 15 X 44 = 660 entries at both places i) SPRO –>GRC –> AC –> User Provisioning–>
User defaults

ii) BRF+ decision table

works perfectly fine..

Thanks Madhu

Former Member

August 2, 2015 at 10:49 am

Hi Madhu,

It’s a great document.

I am a new learner and getting it tough to implement the rule set and loop part?

Can you kindly help with some step details here?

Former Member

September 9, 2015 at 6:11 am

FYI.

Learned today from SAP support that desired outcome is not working when CUA is used
and where note 1983814 thus is relevant. (Tested on 10.1 SP6)

At some of my clients there is a need to provision certain (child system) connector
specific SU01 user parameters depending on business roles in the request. Whilst
debugging found out that the CUA connector that is to be set mandatory to note
mentioned above, is 1 on 1 taken over by the ABAP provisioning engine and that the
corresponding CUA child systems connectors (to be derived from decision table as for
example mentioned high up above) are not considered. Meaning all child systems being
derived from the request’s line items get the same user default value assigned (which is
the first one the loop routine finds). The function involved is therefore not taking into
account the sub-systems from the request (indirectly GRC masterdata). A missed
opportunity I would say.

SAP support is now in the process of deciding whether this is ‘as designed’ or ‘to be
fixed’.


Will update once their decision is known.

May the force be with you.

Rgds,

George

——————————————————————————————————-

OK, got feedback from the SAP Support guys:

CUA_USER_DEFAULTS_PER_ROLE.jpg

and

2_CUA_USER_DEFAULTS_PER_ROLE.jpg

I just hoped 10.1 architectured classes would cover this requirement, which is not that
exotic I feel. But hey, nobody is perfect so I’ll open an SAP influence request for this that
you may want to vote on. (remember: Don’t vote = Don’t complain)

Vote, just click this ‘tinyurl’:

https://ideas.sap.com/D30205?status_id_filter=335897B6-05D7-4568-8804-3F55E3B39025&current_tab=Recent&row_num=1&getparameters=1

Cheers,

George

Jeanne Grimes

November 13, 2015 at 3:04 pm

I have a question as well. When adding the user defaults master data through SPRO; is
there a way to do a mass change or upload? I have 50 systems being provisioned from
GRC and one of the user defaults is based on the user’s country so I have a lot of
entries that need to be added.

Kevin Tucholke

November 13, 2015 at 4:39 pm


Jeanne: I don’t know of a mass upload, but you can copy. Please see note
2203962 before you do this as there was an issue in the number
incrementation for them.

Kevin Tucholke

Former Member

November 16, 2015 at 11:02 am

Hi Jeanne

I used GUI scripting to maintain 660 User default IDs and associated user default entries
to table GRACUSERDEFAULT (SPRO –> GRC –> AC –> User Provisioning –> User
defaults).

Each system has 15 user default IDs (one for each time zone) and had 44 connectors
and based on the company code (location of the company) of the employee the
respective user defaults get assigned to the user.

Former Member

January 12, 2017 at 7:16 am

Dear experts,

I am having some issues regarding to steps in this document. I would really appreciate if
one of the experts could help me.

Firstly, I am not able to activate ruleset.

Secondly, I could not see status and execution tabs under function
“USER_DEFAULT_FUNCTION”

My decision table as follows;

my loop as follows;


Former Member

March 1, 2017 at 1:57 pm

Hi Madhu ,

This is a good article on how to achieve the user group provisioning using GRC and
really helps in understanding the concept of looping and ruleset too.

I do have one query though, I executed all the steps as mentioned but still the user
groups are not getting provisioned, whereas the normal Access request is going
through and user created.

Is there anything that I am missing with the set up as below :

Created user defaults (group) for each connector and generated the default ID.

Ensured Request type ‘Create user’ has ‘User defaults’ mentioned in its actions.

Ensured that the ‘User Defaults’ Application ID is mapped to the access req. process ID.

Created a decision table providing the output to User_default_ID associated with the
application. Our logic is based on Business process and Sub process selections
(Decision table simulations are providing us with as expected results).

Created loop for condition to process multiple line items that may be part of a request –
We do have multiple systems provisioning through a single request.

Created Ruleset with the rule to change USER_DEFAULT_ID after processing the
loop… also ensured that the function has the ruleset associated and the result data
object mentioned.

——————————-


———————————

Please advise.

Regards,

Akhil
