26.06.2012 Page 1 of 76

SAP Note 1168508 - Compliant User Provisioning 5.3 Support Package (VIRAE)

Note Language: English Version: 111 Validity: Valid Since 25.06.2012

Summary

Symptom
This note provides information about the issues resolved in Compliant User Provisioning 5.3 Support Packages.

Other terms
VIRAE, Access Enforcer, Access Controls, Compliant User Provisioning

Reason and Prerequisites
Compliant User Provisioning 5.3 version is installed.

Solution
This note is updated on a regular basis. Review the current version of this note before you start the installation.

Contents
1. Change History
2. General Information
3. Resolved Issues

1. Change History

Date           Short Description
09 May 2008    Created note for Support Package 1
30 June 2008   Updated note for Support Package 2
16 July 2008   Updated note for Support Package 2 Patch 1
15 Aug 2008    Updated note for Support Package 3
01 Sep 2008    Updated note for Support Package 3 Patch 1
23 Sep 2008    Updated note for Support Package 4
11 Nov 2008    Updated note for Support Package 5
12 Jan 2009    Updated note for Support Package 6
20 Feb 2009    Updated note for Support Package 6 Patch 1
11 March 2009  Updated note for Support Package 6 Patch 2
15 March 2009  Updated note for Support Package 7
16 April 2009  Updated note for Support Package 7 Patch 1
20 May 2009    Updated note for Support Package 8
04 July 2009   Updated note for Support Package 8 Patch 1
30 Sep 2009    Updated note for Support Package 9
03 Nov 2009    Updated note for Support Package 9 Patch 1
01 Dec 2009    Updated note for Support Package 9 Patch 2
07 Dec 2009    Updated note for Support Package 10
28 Jan 2010    Updated note for Support Package 10 Patch 1
17 Feb 2010    Updated note for Support Package 10 Patch 2
22 Feb 2010    Updated note for Support Package 11
08 Mar 2010    Updated note for Support Package 11 Patch 1
24 Mar 2010    Updated note for Support Package 11 Patch 2
24 May 2010    Updated note for Support Package 11 Patch 3
01 Jun 2010    Updated note for Support Package 12
08 Aug 2010    Updated note for Support Package 12 Patch 1
27 Aug 2010    Updated note for Support Package 13
22 Oct 2010    Updated note for Support Package 13 Patch 1
22 Nov 2010    Updated note for Support Package 13 Patch 2
21 Jun 2011    Updated note for Support Package 13 Patch 3
16 Dec 2010    Updated note for Support Package 14
04 Feb 2011    Updated note for Support Package 14 Patch 1
28 Feb 2011    Updated note for Support Package 14 Patch 2
02 Mar 2011    Updated note for Support Package 14 Patch 3
26 Apr 2011    Updated note for Support Package 14 Patch 5
15 Mar 2011    Updated note for Support Package 15
18 Apr 2011    Updated note for Support Package 15 Patch 2
20 Apr 2011    Updated note for Support Package 15 Patch 3
24 Apr 2011    Updated note for Support Package 15 Patch 4
06 May 2011    Updated note for Support Package 15 Patch 5
21 Jun 2011    Updated note for Support Package 15 Patch 6
05 Jul 2011    Updated note for Support Package 15 Patch 7
27 Jul 2011    Updated note for Support Package 15 Patch 8
08 Sep 2011    Updated note for Support Package 15 Patch 9
02 Nov 2011    Updated note for Support Package 15 Patch 12
01 Mar 2012    Updated note for Support Package 15 Patch 15
22 Mar 2012    Updated note for Support Package 15 Patch 16
16 Jun 2011    Updated note for Support Package 16
14 Jul 2011    Updated note for Support Package 16 Patch 1
20 Jul 2011    Updated note for Support Package 16 Patch 2
17 Aug 2011    Updated note for Support Package 16 Patch 3
15 Sep 2011    Updated note for Support Package 16 Patch 4
26 Sep 2011    Updated note for Support Package 16 Patch 5
07 Oct 2011    Updated note for Support Package 16 Patch 6
13 Dec 2011    Updated note for Support Package 16 Patch 7
07 Feb 2012    Updated note for Support Package 16 Patch 8
17 Feb 2012    Updated note for Support Package 16 Patch 9
05 Mar 2012    Updated note for Support Package 16 Patch 10
22 Mar 2012    Updated note for Support Package 16 Patch 11
28 Mar 2012    Updated note for Support Package 16 Patch 12
13 Apr 2012    Updated note for Support Package 16 Patch 13
19 Sep 2011    Updated note for Support Package 17
10 Oct 2011    Updated note for Support Package 17 Patch 1
14 Nov 2011    Updated note for Support Package 17 Patch 2
13 Dec 2011    Updated note for Support Package 17 Patch 3
06 Feb 2012    Updated note for Support Package 17 Patch 4
23 Mar 2012    Updated note for Support Package 17 Patch 6
16 Apr 2012    Updated note for Support Package 17 Patch 8
02 Dec 2011    Updated note for Support Package 18
03 Jan 2012    Updated note for Support Package 18 Patch 1
16 Feb 2012    Updated note for Support Package 18 Patch 2
05 Mar 2012    Updated note for Support Package 18 Patch 3
19 Mar 2012    Updated note for Support Package 18 Patch 4
29 Mar 2012    Updated note for Support Package 18 Patch 5
19 Apr 2012    Updated note for Support Package 18 Patch 6
26 Apr 2012    Updated note for Support Package 18 Patch 7
30 Apr 2012    Updated note for Support Package 18 Patch 8
07 May 2012    Updated note for Support Package 18 Patch 9
15 May 2012    Updated note for Support Package 18 Patch 10
24 May 2012    Updated note for Support Package 18 Patch 11
15 Jun 2012    Updated note for Support Package 18 Patch 12
22 Jun 2012    Updated note for Support Package 18 Patch 13

2. General Information

o These support packages are not automatically sent to all customers. If you want to perform this installation, download the appropriate packages from the SAP Service Marketplace.

o To install this support pack, please follow the steps of the 'Virsa Access Controls for SAP 5.3' install guide.

o After installing the support pack, please make sure you click on the Upgrade button in Configuration >> Upgrade screen to complete the installation. This step can be ignored if the button is disabled.

3. Resolved Issues

Support Package 1

The following issues are resolved as part of Support Package 1:

o LDAP Deep Hierarchy is not supported.

o Multiple emails are sent to approvers in a Clustering environment.

o In End User Create request screen, end user personalization settings of validity dates is not working.

o In End User Personalization screen, default value is necessary if the field is made mandatory.

o Role Import is not working if the source is Enterprise Role Management.

o If in a custom approver determinator, Functional Area of Role is selected as one of the parameters, workflow engine is ignoring this parameter when determining approvers.

The following are added as part of Support Package 1:

o Localization for Polish has been added.

Support Package 2

The following issues are resolved as part of Support Package 2:

o Role Names are case sensitive when searching for the roles in the end user screen.

o End User Validity dates are missing in the WSDL for the submit request web service.

o User's country specific date format in UME is not supported when displaying the validity dates in the end user and approval screens.

o While approving the request, in the risk analysis screen, unable to determine which risk is selected.

o In the SNC formula, custom fields are not supported.

o After the request is approved, if the role owner is changed, the new owner is displayed in the request instead of the approver who approved it.

o Portal provisioning is giving an error for the 'CHANGE_USER' provisioning action is present in the request type.

o If the verification type is set to Challenge Response, the number of unsuccessful attempts is not getting reset after a successful login by the end user.

o Password Self Service is not working for a child system in a CUA setup.

o After exporting the roles from the role search screen, the file format doesn't match with the import roles template. Also, if this file is used to import, the import fails.

o The custom fields and Verification Systems columns are missing in the role import file template.

o In the Risk Analysis results screen, the Violation Count and Status headers are not aligned properly with the data.

o When editing role information, company has to be entered twice to save the updated role.

o In the end user personalization, for the manager name, the setting is set to 'Yes if Data Missing', this setting fails in the following scenario; when submitting the request for other user, the end user after searching for the user, is able to change the manager information, even though the manager information exists.

o When the stage level setting for Risk Analysis is set to Mandatory, during approval process, after getting the mandatory message, when going to the Risk Analysis screen, the roles are marked as rejected.

o When the detour condition is set up with 'Verification/Training Failed', the request is not taking detour even though the detour condition is satisfied.

Support Package 2 Patch 1

The following issues are resolved as part of Support Package 2 Patch 1:

o End user request screen does not allow the Functional Area to be not selected.

o Files having extensions supported by Office 2007 could not be uploaded as request attachments.

o In select roles screen, Role description is not shown when searching roles by Transaction Code.

o When attributes contain comma in short description, the end user personalization configuration has no effect on end user screen.

o Documents attached to the request could not be opened from the request review screen, when coming from search request feature.

o LDAP distribution could not be resolved to members at role owner stage.

o When Searching for Users starting with 'Sn*', Search user does not return any users, although users exist in LDAP.

o Password self service does not work in conjunction with Global CUA.

o SNC Name is not provisioned in backend in case of request type change.

o Provisioning Password Mail contains html tags instead of line breaks.

Support Package 3

The following issues are resolved as part of Support Package 3:

o Custom approver determinator throwing an internal server error when there were no standard attributes selected.

o Some versions are missing in SAP Version combo box in Connector maintenance screen.

o Cancelled requests are wrongly shown as 'rejected' in request review screen.

o Workflow was not able to resolve a Role based initiator with a + sign in Role name.

o Pagination Issue in Request attachments tab.

o In Role Re-Affirm process, System could not fetch the assigned users, if the Role name contains a + sign in it.

o Risk analysis results were not invalidated, when a role is added or removed to the request and approvers are able to bypass the risk analysis.

o When request is escalated, audit trail messages are incomplete.

Support Package 3 Patch 1

The following issues are resolved as part of Support Package 3 Patch 1:

o Fixed the issue with send from address in emails sent from system. Sent from address can be configured in Configuration->Workflow->SMTP page.

o Custom field sorting issue in End user screen is fixed. Custom field dropdown values are now sorted in alphabetical order.

o Fixed the issue with not being able to configure SSO Redirector URL for email links using a general configuration parameter.

Support Package 4

The following issues are resolved as part of Support Package 4 :

o LDAP Field mapping - incorrect labels for LOCALE and SAP_USER_ID fields.

o Enduser screen, selected company value is lost when User navigates to Select Applications screen and returns.

o Incorrect error message while creating the mitigation workflow from RAR.

o When exporting roles, Role Custom files are being repeated for each role in the exported excel sheet.

o When accessing CUP from portal launch pad, Request access screen does not scale to fit the page.

o Enduser screen - Connector Type and Description are missing when systems are added automatically as a result of adding default roles.

o Debug information is being logged, even when the log level is set to Error.

o Issues with provisioning Licence data to CUA systems.

o Issues with partial saving of SOD/UAR line items

o SOD/UAR Review - Mitigation Control field name labels are incorrect, in mandatory error message.

o SOD/UAR Review - When forwarding, unable to search users by User Id and email.

Support Package 5

The following issues are resolved as part of Support Package 5 :

o The valid to field in the account expires field is not converting properly.

o In a clustered environment, multiple notification and reminder e-mails are sent.

o Multiple e-mail reminders are sent to one access approver.

o On request access screen in approver view, the telephone numbers aren't displayed. Also, when user data source is set to UME, manager telephone number is not populated.

o Users with multiple names are not showing correctly as requester or manager. Name is being cut-off.

o When password self service module is used to change the password in AE, AE is not sending the complete password to the user through Email. This issue is happening not frequently (10/100 times).

o Performance issues with access enforcer.

o Office 2007 attachments do not work.

o Unable to re-route a request on hold.

o Only first page is unchecked after role display if you cancel.

o Provisioning does not work when company name has a dash.

o If you select "employee type" first when searching for a user, it gets reset after searching.

o Role search results in request creation are not sorted.

o Custom fields are not sorted alphabetically.

o When customer changes an SOD request it does not prompt them to save the changes when they logout.

o When drilling down in UAR reviews, the permissions under functions are missing.

o Tab is called SOD review instead of UAR review.

o Company ID in AC is only 8 characters, but the company ID in the back end can be up to 41 characters long.

o SOD request e-mails, the headings are not anchored correctly.

o Alignment for function/system/usage columns is not correct in SOD review request.

o In UAR request, the role details, transaction code listing is not sorted alphabetically.

o The column widths should be adjustable in the SOD review line items.

o In UAR and SOD review requests, there is a lot of unused screen space.

o Grid format is displayed in reviewer and coordinator details screens for SOD requests instead of normal format.

o When a reviewer enters comments in UAR or SOD review, the request sticks in the comments tab.

o During approval by manager, error "err while n/a: user does not exist in the system" is displayed.

o Unable to get a challenge response during password reset.

o Manager is not correctly populated from LDAP.

o Role approval workflow fails when distribution groups are used.

o When clicking on the link of a closed request, it opens the request status page in CUP but it does not show the specific request.

o In some requests, transaction usage is populated, and some are not.

o Distribution groups in workflows is not working (all members of distribution group don't receive the e-mail).

o Link in escalation e-mail takes reviewer/manager to a screen where no records are found.

o In UAR review the load data job errors out "error exception in saving the request".

o If a delegated approver is removed from Active Directory, manager can no longer update delegation to anyone else "failed to save delegate information".

o When selecting Unsecured Logon Allowed option under end user personalization, it's not possible to set the default value.

o The due date search request screen in SOD/UAR requests is completely different from that inside the request. Label should show as review due date, not reaffirm due date.

o When requests have approval level as Role configured for role approver stage, there is junk data showing in the role owner stage in the audit information section.

o Message "risk analysis is invalidated" appears even after the approver performs the risk analysis.

o "Access changed, risk analysis is invalidated" message is received, still able to proceed to the request approval confirmation screen.

o Distribution group names are limited to only 20 characters.

o In CUP, when reviewer performs an action on a line item, the reviewer is taken back to the first line item instead of where the action was taken.

o The clear function in search request is not clearing all previously entered selection criteria.

o Dates are not populating when the user accesses CUP using the link in the e-mail.

o Issue with RAR role usage synchronization.

o Role mapping via role import fails.

o The SOD requests are showing the same risk from different systems on one row.

o If user has a risk from a cross-system risk, reviewer is unable to identify which function is coming from which system in the cross-system.

o Default employee type is overwritten.

o Pop up comes when searching for a role when there's a script injection in the role name.

o Searching for roles with '_' is taken as a wildcard and does not return accurate results.

o Passwords are not sent correctly for multi-system requests.

o When performing a risk analysis for a system which is not maintained in RAR, it shows the error "invalid system" instead of 0 risk round.

o Searching for users in model my access by is case sensitive.

o Need ability to change mitigations from the risk analysis page.

o Download of initiators is spread out over different columns and not possible to upload the .xls download back into CUP.

o Provisioning using the "keep" functionality using profiles is not working.

o If first name is not stored in UME, unable to find the user when searching even when searching by last name.

Support Package 6

The following issues are resolved as part of Support Package 6 :

o While using a Role with LDAP Distribution list as a Role Approver, is missing few Approvers from the Distribution list, when it contains an empty Distribution list with no members in it.

o When drilling down in SOD reviews, the permissions under functions are missing.

o In CUP, when reviewer performs an action on a line item, the reviewer is taken back to the first line item instead of where the action was taken.

o In CUP escalated requests are stuck between reviewer stage and close stage with both Auto provisioning ON/OFF, They do not get closed automatically.

o Last executed column is showing blank in the SOD request.

o No option for SOD/UAR requests for service level report on informer tab.

o Alignment of columns in SOD requests is not correct for function permission tab.

o The Reviewer and Coordinator columns labels are not correct for SOD and UAR History and status Reports.

o In CUP, SOD/UAR Requests are taking longer time to open when a link is selected from Review mail or escalation, closing emails, there is no indication that application is processing. You see a "Done" message on status bar and a blank screen. If you wait for one or two minutes it will eventually show up the request.

o For SOD and UAR History Reports, the Column Header is modified from "Review Date" to "Last Action Date".

o Status report is generated based on user organization and not reviewer organization.

o CUP user Review Status Report does not generate for cancelled or closed requests.

o Risk description is not shown in the sod review history report.

o While Cancelling the request from Configuration >> User Review >> Request Review, Header of the pop up window for Rejecting the users should be "confirmation" instead of "approval reaffirm".

o Change the label for System as Application on SOD and UAR History Report search.

o Unable to sort by userid or name column in UAR requests.

o The "approver delegation report" is not adequately protected using UME permissions.

o Screen does not come back to Access control Violations/User Access Review screen after Cancel or Reject action on Reject users screen in SOD/UAR requests respectively.

o UAR is not creating a separate request for each user that does not have LDAP information.

o If reviewer performs any action "approve", "remove" or "mitigate" the application redirects them to General Instructions tab for couple of seconds before shifting the focus to "User Access" or "Access Control violations" tab.

o If the user is signed in with a language other than English, the notification e-mails show the e-mail argument and not the exact values (for example Request number, user ID and user name).

o The Risk Description does not show on the SOD History Report when downloading to Excel.

o Downloaded SOD History Report shows "Review Date" which is supposed to be "Last Action Date".

o When downloading the UAR status report, the column headers "request priority", "reviewer" and "request status" are not shown the same in the downloaded report as they show on the screen.

o UAR Request escalation removes the Roles for the users from the SAP Back-end systems if the action is set to "Remove" and auto provisioning is on.

o UAR and SOD history reports are considering the organization of User's in review instead of Reviewer's organization.

o In CUP, Status report for UAR and SOD workflow types is not functioning properly when reviewer generates the report for Archived requests. The generated report for Archived requests displays the request (UAR/SOD) as "Zero" instead of original number. However when reviewer drills down the request, it displays the correct request details and when reviewer downloads this report, the correct request number is shown in the excel spreadsheet.

o Archiving of Requests in CUP is not working.

Support Package 6 Patch 1

The following issues are resolved as part of Support Package 6 Patch 1:

o Role Attributes fields configured as part of a customer approver determinator is missing in the template file after exporting from CUP. This was not importing the approvers while import even after manually adding the missed Role attribute.

o Provisioning of Roles in Enterprise portal is not working when it is configured to LDAP.

Support Package 6 Patch 2

The following issues are resolved as part of Support Package 6 Patch 2:

o Risk Analysis in CUP is showing wrong Role Names for the Risks if there are Composite Role selected in the Request and Role has a special Characters like ':' in the name.

o Note: Related fix for this issue is in VIRCC 530_700 SP06 Patch2.

Support Package 7

The following issues are resolved as part of Support Package 7 :

o When Password Self Service Verification system from Configuration >> Self Service is set to "SAP HR", Request Access screen is not showing after entering the login details.

o While importing the Roles from a file, there is no validation to verify the Company, Business Process and Sub processes exists in CUP.

o Archiving of Requests from Configuration >> Request >> Archiving is failing to archive the closed requests.

o When a user exists in parent CUA and try to provision a user in CUA child from CUP is creating the request, but sending a blank password in the email notification.

o When there is a special character like "<" or ">" is part of the password for an email is not showing (missing) in the outlook. When try to copy the email is showing the right password.

o While creating a request from My Work >> Create Request, Selecting a role By Transaction code is not showing the Roles descriptions in the search results.

o While creating a request from Request Access screen, Manager information is not getting from LDAP when User and Manager belongs to different Org Units.

o When the Role comparison job in SAP is not run in the CUA, the parent CUA cannot identify that the role exists in the child system, so the role is not assigned to the user, and CUP was not showing an error when the role does not exists in the backend system.

o Assigning the role "ViewDelegationReportAction" in UME to a role wasn't showing the report Approver Delegation on Informer Tab. When there was an additional authorization "ViewSODReviewHistoryReportAction" needs to be assigned to a role to show the report Approver Delegation on Informer tab.

o While creating a request from Request Access Screen, Applications selected always shows the category "Other", even if user is selected "Production" or "Non-Production".

o While Uploading Business Process in CUP from Configuration >> Roles >> Attributes >> Business Process >> Import Button is not importing the Short Description and Long Descriptions from a file.

o In CUP, when Reviewer drills down the Function, the description of the Authorization object is not displayed under the Permission tab.

o In HR triggers functionality for CUP, Request for position change is not created when the new position has some roles assigned.

o In CUP, when reviewer drills down the function, there is an additional bar "Actions", under Permission tab which is not required.

o While importing CAD approvers from Configuration >> Workflow >> Custom Approver Determinator and when there is an Role Attribute selected for a CAD is not importing the CAD approvers from a CUP template file.

o While creating a request, when searching for users by email address showing all the users existing on the CUA with no email address in the search result, even if they originally have email address is defined.

o When removing a role during User Access Review with autoprovisioning activated, CUP is dropping all approved roles/profiles and readding them in the backend system, in addition to the roles with Action Remove.

o Password self-service in CUP returns a message on successful password reset and a password is sent to a user if one attempts to reset password in the child CUA system where the user doesn't have an account.

o The User Id field on the Login Page for the Request Access screen is restricted to 15 Characters, there are few users for which user id is longer than 15 characters and not able to login.

o In the Reminder email the subject is sending in English for the users for which language is set to Hungarian.

o On the Request Access screen, Self Service link needs to be modified as "Password Self Service".

o The option "Mobile Phone" is not available under Configuration >> Provisioning >> Field Mapping >> Application field. This prevents users from provisioning this data in SU01.

o In the CUP work flow path, where there is Role approver stage with a Distribution group as an approver for a Role goes to the Group approver inbox, but Approver was not receiving any email notifications.

o In Custom Approver Determinator screen from Configuration >> Workflow >> Custom Approver Determinator, by clicking on the header to sort the values, with each click additional row of the Functional Area of Role is added.

o If the approver in last stage rejects the request should close the request and Roles/Profiles should not provision in the SAP back-end.

o When a Custom Approver Determinator is created with Role Attribute like "Role Type" as one of the attribute, while approving the request in the path for which the next stage is this CAD stage shows Approver not found error even approver is already configured for this stage.

o While creating a Request, when searching for LDAP groups brings the groups for the User, however user is not able to select them as they are grayed out.

o While creating a Request from Request access screen, Users getting "Error creating request. Approver not found." message for any Firefighter (SPM) account type using CUP, even the Approver exists for the Request attributes selected by user.

o CUP is not allowing to reset the Application URL and Redirection URL values to blank from Configuration >> SMTP Server.

o While selecting Profiles as part of the CUP Request is not configurable to make the Valid from date not editable and set to current date.

o While creating superuser access request by end user, FFIDs are not being assigned to the user or attached to the request.

Support Package 7 Patch 01

The following issues are resolved as part of Support Package 7 Patch 1:

o Web Service SAPGRC_AC_IDM_SUBMITREQUEST would only submit requests for portal roles maintained in all capital letters in the CUP role library.

o Web service SAPGRC_AC_IDM_SELECTAPPLICATION was only returning SAP connector values, and was not returning SAPEP connectors.

o In the UAR/SOD history reports, duplicate records of the UAR/SOD requests are being displayed.

o While creating a request from the Request Access screen, when searching for roles, business process is not filtered correctly based on application area. All business processes show, regardless of the application area selected.

o When attempting to drill down to see the function details on an SOD request, an error "Action Failed." is shown.

o In CUP, after executing the Org level Risk Analysis, the resulting Risks cannot be mitigated.

o If the requester and submitter of a request are the same person and both have a language other than English, the notification e-mail sent has two URL links instead of just one.

o When the Authentication source for Self Service from Configuration >> Self Service is set to SAP HR, password self service from Request Access is not working.

o In Oracle RTA systems, conflicts resulting from newly requested access are not displayed during Risk Analysis. Only existing risks are shown.

o While creating a request from the Request Access screen, the functional area list on the screen is not getting populated when the user data source is configured to use LDAP.

o While submitting a CUP Request from a web service, if the flag for Risk Analysis on submission is set, the Risk Analysis on submission is not performed.

Support Package 8

The following issues are resolved as part of Support Package 8:

o If there's a profile in the request, the request does not provision.

o In Internet Explorer 7.0, the language field is restricted.

o Provisioning for the other communication fields available in SU01 does not work. If we go to provisioning field mapping in CUP we have these fields available.

o The company name is not being populated in HR trigger requests.

o User group field is being overwritten even when "select" is maintained in the request.

o Hungarian calendar formats are not correct.

o If display review screen is set to YES, this overwrites the risk analysis mandatory setting.

o Unable to search roles by secondary approvals in administration screens.

o Search option in status report is case sensitive.

o Issue with reviewer and coordinator name details.

o When "display review screen" is set to no in stage level, users can approve their own requests.

o The graphs in the AE service level reports are distorted and incorrect.

o The role name is not coming over when doing the CUP role import.

o Request page hangs indefinitely and sometimes the action fails.

o In the audit trail, PD profiles are absent, and once the request goes for approval, the PD profiles are missing from the request information page.

o When clicking on the next page option on the Manage Rejected Users report, the application asks to download instead of navigating to the next page.

o When there is a large volume of HR trigger data, the job terminates with error "maximum open cursors exceeded."

o Role description is missing during role import from ERM into CUP.

o Trying to "model my access by" results in a "no more storage space" error.

o Unable to search for users in Model Access By option.

o When we select the Path during the request reroute from the administrator screen and select the PATH drop down, the long description is displayed for the PATH, whereas in all other places the short description is displayed. Secondly, the long description is not a mandatory field, so if it is left blank, an empty row is displayed in the drop down.

o Able to create a CAD approver without having to select an attribute.

o Password expiration for Oracle apps is not passing correctly.

o The menu path instead of the action is being returned for Oracle risks.

o Validity dates for roles are not changed in Oracle applications.

o In AE, when the user clicks on the request, AE shows a navigation error.

o Transaction usage dates are mismatched for regenerated SOD requests and transaction usage dates are scrambled under the propose removal screen.

o Unable to upload approvers when mapping company with functional area.

o Some fields configured as mandatory are not forced to be filled in.

o Manager is not correctly populated from SAP HR.

o Role name in CAD is not long enough and is not consistent with the master data length.

o Even though workflow is set to force risk analysis (set as mandatory), the approver can still approve without doing the risk analysis.

o Empty password email is sent when a new user is created on a child CUA system that is already existing in the master CUA client.

o Language drop down is missing if "end user verification required" is checked.

o Webservices only return SAP application/connector types and not SAPEP application/connector types.

o User details are not fetched correctly from LDAP data source.

o Typo error. Email spelling incorrect under change log >> change log configuration >> Generic Email ID Configuration.

o Portal user id is different from SAP user id, so we did the LDAP mapping to populate the portal user id into a custom field and also created provisioning field mapping for portal. The issue is that the user is created with the correct portal id, but while provisioning the role CUP is using the standard SAP user id rather than the portal id and errors out.

o User default mapping with a custom field is not transferring correctly if there are parentheses in the custom field name.

o When importing roles from ERM, if the role description is not maintained in detail description, the role description is coming over as junk data.

o When drilling down to the function details on an SOD request, "action failed" error message found.

o Risks are mitigated even if the risk is removed from the request prior to provisioning.

o There is a limitation in the number of PID's allowed (15).

o Unable to import portal roles after exporting them and changing data.

o Even when custom fields are defined as mandatory, requests can be submitted without data in these fields.

o Unable to create more than 11 parameters for a user default.

o Translation issues with German.

o Unable to remove the role from an Oracle system.

o If the first stage is role and the stage level setting for 'Path Revaluation for New Roles' is 'All roles in the evaluation path', then adding a role and rejecting a role in the same request gives an error while approving.

o Importing template roles is assigning it as a single role and not a template role.

o Change request is submitted for a new, non-existing user and the request contains a role. After approval at security stage, AE throws an error, user was not provisioned. But, when a change request is for a new, non-existing user and the request DOES NOT contain any role, the request goes through without any errors and it shows in the audit log that the user is provisioned to the backend.

o AE requests that contain roles with parentheses are rejected.

o On AE home page, the About link doesn't show the build details.

o Incorrect mouseover of template roles & template profiles.

o Searching via approver ID in request audit trail fails to reveal results.

o Unable to reset password from PSS when more than one User ID is assigned to Personnel No and one is valid and the other ones are invalid.

o When submitting a request for another user, the manager field is editable even if configuration >> End User Personalization is set to Editable "No".

o When cancelling a request, the profiles are still provisioned; this is specific to a custom BAPI.

o Role mapping allows creation of duplicate entries.

o If a custom field is defined in the workflow field as NO, the system will still allow it to be added as an attribute in the workflow initiator configuration.

o Composite roles are not shown when searching for roles by transaction.

o When you create a custom field applicable to a role with SAP dropdown, adding this custom field in a role results in an "error on page".

o When creating a request to delete a user in two systems, but they don't exist in one of the systems, proper error message is not displayed.

o When attempting to upload role mapping, only one dependent role can be mapped to a main role.

o Request reason is not provisioned as FFID comments in the firefighter backend when provisioning firefighters.

o When trying to submit a request with profiles, error message "invalid roles validity" displayed.

o Selected entries cannot be deleted from a CAD with multiple entries.

o The following columns are not internationalized in role import: ResponsibilityID and ReaffirmPeriod.

o When request is escalated to alternate approval at role owner stage, it does not go to the alternate approver inbox.

o Manager is receiving duplicate messages upon approval or rejection or escalation or closing of the request.

o After the snd job for HR trigger is run, the process log shows request created, but there is no request.

o The comments pop up should appear on user access tab, but when it appears, it stays at the user access tab instead of going to the comments tab.

o When stage level risk analysis is mandatory, application is not asking approver to perform the risk analysis even when a role is added or removed.

o Import role option label is not displaying "import role/group". Group imported from a file is missing type icon for group.

o When a reviewer forwards a request to an approver, the email is not sent to the forwarded approvers.

o Scroll bar is appearing at General Information screen in UAR requests.

o Scroll bars are not available in User Access tab of UAR or Access Controls Violations tab of SOD requests.

o When printing the SOD History report, the risk description is not shown.

o Role reaffirm user does not see the user validity dates when trying to reaffirm the role.

o Unable to change CADs with large number of line items.

o Unable to save and change initiators with large number of line items due to system timeout.

o When searching an initiator with a large number of line items, the search takes a very long time.

Support Package 8 Patch 1

The following issues are resolved as part of Support Package 8 Patch 1:

o Approvers are receiving emails to approve for the Roles for which they are not the approvers. Audit log for the request shows the wrong approvers approving for the stage.

o When the stage level setting for Risk Analysis is mandatory and one of the Roles is rejected from the request, approval is not allowed even after executing the Risk Analysis; the application keeps forcing Risk Analysis while approving.

o While rejecting a Role to which other Roles are mapped along with the LDAP EP Portal group, it errors out while approving. The request is still open, but it provisions the LDAP group in the portal and user is created in the backend SAP system.

o While downloading the request details, Role Ids are displayed instead of Role names.

o Importing of CAD approvers from a file is slow.

Support Package 8 Patch 2

The following issues are resolved as part of Support Package 8 Patch 2:

o User Group provisioning in Portal fails when it tries to provision a user group which already exists for the User.

o When the CAD Stage Level setting for "Approval Level" is set to "Any One Approver" and a CAD line item approver approves the request, the request moves to the next stage instead of waiting for the other CAD line item approvers to approve.

o Attribute "Action of role" sometimes disappears from the Dropdown when creating an initiator.

o When Stage Level setting "Rejection Level" is set to "Role" and forwarded approver rejects the request, Roles are getting provisioned.

o Request is not moving to next stage when forwarded approver approves the request at Role Owner Stage.

Support Package 9

The following issues are resolved as part of Support Package 9:

o In configuration - end user personalization, unable to define the request reason as a mandatory field. In this same area, for the request type unable to set "not editable" to be yes.

o While adding the child roles in role mapping, if you want to add the same role for 2 systems for one main role, then only one role is shown at the screen.

o The functional area is mapped with the user group in LDAP. When we fetch the user, the functional area will be successfully fetched; however, when we go to a different screen like selection of manager or selection of roles, the functional area will disappear.

o Roles selection restriction in CUP requests is not happening correctly. Even when functional area is locked in end user personalization, the functional area can still be selected and the value changed, which allows user to search for roles in other functional areas.

o Triggers are not getting created when customer has mapped the field "DAT01" which is available in infotype "0041 (Date Specification)". If you remove this mapping then the triggers work fine.

o In Password Self Services link, after entering the User ID and approve with the "enter"-key, the "Create Request"-Screen appears. If we don't approve with the "Enter"-key, but hit the button "logon", the self-service screen appears correctly.

o When you change the Position of the employee / Terminate the Employee, the HR trigger data is pulling the wrong User Start date.

o When you download the initiator from configuration - workflow - initiator, the data is downloaded only in English versus the local language.

o Under Select Roles/Groups, Request Reason tab, the header for request reason is incorrect.

o The configuration option "Check Auto Provisioning from End of Request to end of each path" is not translated correctly in German.

o When the request is running in two parallel paths, forwarding the request errors with "Error : Failed to forward request No.## ."

o In the User Access Review History Report, the field "Action" is displayed in English even when logged on under a different language.

o LDAP Connector with password encryption type DIGEST-MD5 causes failure in connection test. Setting to None is successful. Log with error is below screenshots in this message.

o Request errors out in provisioning user which does not exist in the back end (Oracle-Greenlight RTA). However, the error stated that it was a stage error while the log shows the error as "User does not exist" which is correct.

o CUP allows users to upload invalid request attachment files such as executables and batch files.

o While running the Risk Analysis within a request, Risks were generated, but without the Org Rule Description showing within the violation report.

o During a Change Request, CUP does not create a user on the Oracle backend regardless of the configuration setting for the parameter Auto Provisioning --> Change Request Option.

o There is a misspelling under the change log - change log configuration - generic email id configuration. It says Emaail instead of Email.

o The ROLEPROFNAME attribute in the back-end GRC tables is incorrect and is displaying through the web services to IdM. The roles were loaded in with the technical names (YRS:FI:AR:CSH_APP) but they are now coming up with a number that appears to be generated.

o CUP not allowing User Default Parameter Ids (PID) with more than 20 characters.

o Answers to the Password Self Service Questions are stored in clear text in the tables and are not encrypted.

o When trying to view the Request -> administration in Configuration, it's requiring the user to have the "ModifyWorkflowConfiguration" action apart from "ViewRequestsAdministration". This also allows the user to access and change the Workflow.

o If "risk analysis at submission" is set to YES and 2 requests are submitted around the same period of time, and the risk analysis of the first of those requests fails for some reason while the second request is created successfully, then CUP cannot roll back the number generated for the first request and no data is saved into the database; hence the request gets missed from the system. This also causes a block where no new requests can be created and an ORA-001 error occurs.

o Role reaffirm audit trail is not shown. When approver reaffirms a role then a role reaffirm request is generated for which audit trail can be seen under "Request Audit Trail" link but nothing is shown.

o When searching for a user in HR system, if Inactive and Active user ID's exist for the HR user, CUP is randomly picking the user ID. Sometimes, it is picking the inactive user.

o When comments are entered by an administrator, they are not truly saved until the request is processed. Warning message added to make this clearer.

o When searching for a user with last name or first name, the search is taking a long time to show results.

o There is a 'Delete' button on the Mitigating Control maintenance request in CUP that produces an error message when clicked that does not apply to mitigating control. Please see attachment for screen captures. The error is: Select at least one active SAP system and at least one role or a profile. We believe this is a bug and the 'Delete' button needs to be removed for this screen.

o When a request is rerouted, the Stage ID shows in the request instead of the stage description.

o When the User Data Source is "SAPHR", the User Search is pulling the wrong User Start Date which is populating the request.

o When a reviewer tries to open the SOD/UAR review request from the email link, a navigation error is shown.

o If you search the requests by requestor in the service level report, the system shows you all requests, not only the ones which were created by the specified requestor.

o The calendar displayed in Hungarian has mixed language (Hungarian and English) and starts on the incorrect day of the week.

o The text of custom fields which have drop down values is truncated and the entire text is not shown.

o Risk analysis times out and the GRC server crashes when risk analysis is performed on large roles that have numerous conflicts.

o When we try to reset the password for enterprise portal using the SAP HR verification, it gives the error "Method not implemented".

o Request audit trail showing duplicate entries.

o Cannot import the Initiator exported xls file, as the header in the exported file has "Technical Keys" rather than values. Replacing the Header with the old header values, then import is successful.

o The pop up boxes for Reaffirmation for APPROVE, REJECT and CREATE USER are limited to 15 characters. When using LDAP as data source, passwords can be much longer than 15 characters. The password length for logging on was extended in SP9, but the reaffirm password pop up box was not extended.

o Risk analysis does not work when rules are maintained in the ABAP back-end (CC 4.0).

o While selecting the group on the select roles screen while submitting a request, CUP gives the validation message 'Enter a valid value for "group name"'.

o UAR requests cannot be generated even after running the background job UAR Review Load Data. Error "java.lang.ArrayIndexOutOfBoundsException" is seen in the logs.

o Company info is not coming correctly from the LDAP data source. This is due to case sensitivity.

o Requests by Roles and Role Owners in Informer Reports, filter criteria role with wildcard "*" is not working.

o Roles are getting provisioned if the request is rejected with the configuration of Rejection Level as "Request" at the stage level settings.

o Telephone extension field in SU01 was not provisioned.

o When number of unsuccessful attempts is set to 0 under Configuration >> Password self service, the user gets locked immediately even without attempting to log on even once.

o Attribute "Action of role" does not appear in the Dropdown when creating an initiator.

o NEW FEATURE - A new reporting data mart has been introduced to enable custom reporting on RAR and CUP data. The data mart extracts relevant data from RAR and CUP and converts data for reporting purposes. The data mart is non-historical, with published schema to enable customer to integrate with any reporting tool. Please refer to SAP Note 1369045 for more information.

o NEW FEATURES - There are several new features introduced with SP09 in all components. Please refer to http://service.sap.com/instguides -> SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3 for the features implemented in SP09.

o CUP has some cross site scripting vulnerabilities which are addressed.

o Web service for IDM is not allowing user to select multiple applications.

o In the Manage Rejections screen, it's displaying an error when selecting the next page option while generating new requests for rejected users.

o When creating a new user request which contains roles with conflicts, the simulation feature does not allow for more than 1 simulation. When you simulate removing a role and then changing the role status to KEEP and re-running the risk analysis, the risk violations do not re-appear. The request is allowed to be submitted and approved. The role is still listed on the request as KEEP, so even though it won't provision in the back-end system, the approvers see it on the request form.

o Searching for a user using SAPHR as the data source returns users that are separated or have an expired validity date. The search should only return user ID's that are valid as of the current date.

o A request is created with default role (having no role owner), then the first stage approver adds roles. The request is supposed to go to the next stage "Role Owner"; however, it takes the detour path for which the condition is set to 'No Role Owner'. The request takes the right path if the roles are added while creating the request.

o If the Validity dates are blank for a user in the backend (SU01), CUP fills in junk values in the validity field on the Request.

o While approving requests, it is not taking the new valid-to date, but keeps the old valid-to date when the request was originally submitted. When it is assigned a new date and request is approved, it gives the message "Please get the updated request" but if you look at the valid-to date, it reverts to the old date.

o When 1 role is rejected in a multi-role request, the Approver is forced (via STAGE config option) to enter reason for rejecting the role. However, those comments are not retained in the request and cannot be subsequently displayed by the user either in the search request screen or the audit trail.

o It is not possible to re-add a removed role if the request is in "HOLD" status.

o Excel files cannot be uploaded if the extension is .XLS; however, they can be uploaded if the extension is .xls.

o While searching the role, the header in the role search should be "Description" instead of "Detail Description".

o Submission email has a duplicate application link (two links in the email instead of one).

o When creating a job, if the time in the "Between" start date is more than "Between" end date, then the page just hangs. It should show an error message to the user that the end time is greater than the start time.

o When logged into CUP in French language and trying to create the number range, an error on the page is displayed in the browser status bar and user is unable to create the number range. Clicking on Create button does not do anything.

o Service Level Report "Analytical view" does not display requests that don't have manager info. In addition, when the exceeding service level check box is checked, it does not display reports that don't have manager info.

o Risk Analysis result is inconsistent in CUP for existing user and for new user. Risks are not shown in CUP when an existing user already has the role that creates the conflict, but the risk is shown when creating a new user request and adding that role to the user. In CUP the parameter for "Consider Mitigation Control" is set to "YES" (checked).

o The CUP service level report graphs are distorted with black lines and no data when date ranges are used.

o Disabled roles are now excluded from the search results when choosing roles.

o In CUP, Stage and Path filter on User review status report for both SOD/UAR requests seems to function incorrectly. For example, the selection filter does not appear to be working when we filter on Stage as SOD_REVIEWER, and UAR_REVIEWER.

o When searching for the Roles/Profiles in the request creation and selecting the type of access in Role Search screen as "model my access by", it takes a long time to retrieve the results.

o Role provisioning error is thrown for portal request if the role requested in the request is already assigned to the user in portal.

o New request type does not provision license data to the child system in CUA environment.

o Forward with no return is not moving the request to the next stage at the role owner stage.

o Portal user id is different from SAP user id, so we did the LDAP mapping to populate the portal user id into a custom field and also created provisioning field mapping for portal. The issue is that the user is created with the correct portal id, but while provisioning the role CUP is using the standard SAP user id rather than the portal id and errors out.

Support Package 9 Patch 1

The following issues are resolved as part of Support Package 9 Patch 1:

o While creating a CUP Request from Access Request form, Custom Fields and Request reason are not retaining the values while submitting a Request.

o Rejected Roles are provisioning when two Role Approvers try to approve the request concurrently.

Support Package 9 Patch 2

The following issues are resolved as part of Support Package 9 Patch 2:

o When selecting roles, either via role selection or model my access by feature, not all roles chosen are moved to the selected role page.

Support Package 10

The following issues are resolved as part of Support Package 10:

o In ERM request types, the system inserts the characters <BR> in the detail description for the requests instead of showing line breaks.

o When importing roles from ERM to CUP, if the master data in ERM does not exist in CUP, system does not validate when importing role information which causes role import to fail.

o When rejecting the request, the approver is still required to run risk analysis which is not necessary since the request is being rejected.

o Unable to search roles that have business processes assigned that are defined with Portuguese specific letters: Example: FINANÇAS

o Mapped roles do not take the validity date of the parent role. A new note has been added to the role mapping screen to explain this. Note says "No relationship is maintained between main roles and mapped roles in an access request. Mapped roles provide the ability to include additional roles and are not removed when main roles are deleted from the request. Validity for main roles are not applied to mapped roles."

o Creating a new user default fails if the same short description already exists in another user default setting. Error message changed to make this clearer. Message now will indicate "Action Failed, duplicate user defaults found -change Short Description"

o If we create a new user default with the same name as existing one, the new user default overwrites the existing old one, without warning.

o Importing of exported configuration setting fails with message "Action Fails". This is caused by special characters used in roles.

o Stage and Path filter on User review status report for both SOD/UAR requests returns incorrect results.

o Multiple duplicate emails are received by an alternate approver when a request is escalated to an Alternate Approver.

o When validity dates are set to 00000000 in LDAP, CUP is displaying the validity dates incorrectly. Fix is that if validity dates for users are present in LDAP, CUP fetches the dates AS IS; otherwise it considers the system date as 'From date' and 12/31/9999 as 'To date' in case of blank values maintained in LDAP.

o Cost center is not provisioning correctly during Change requests even when provisioning > field mapping is maintained correctly for cost center.

o The connector category is changed after submitting the request.

o German translation is incorrect in password self service screen.

o Role Details Descriptions are not shown when mousing over that section in a request.

o When using the Super User Access request, CUP provisions the firefighter to a firefighter id without assigning the owner to the firefighter. As a result, the FF log report showed blank owner for that firefighter.

o When running Risk Analysis via webservice, no risks are being returned. This is due to the user ID being passed in lower case.

o Incorrect manager information is returned. This occurs if SAP HR is used as data source and the manager resides in a different org unit than the user.

o Navigation error occurs when attempting to download the request from the VIEW link in the initial email after request is in "Closed Status".

o If a request is escalated to a delegated approver, that approver cannot see the request in his inbox.

o When a request is put on hold that has multiple approvers, the approvers continue to receive email reminders about the request even though they don't see it in their inbox. The fix is that the approvers will no longer receive reminder emails when a request is in "hold" status.

o The GRC approver I-view through portals is not working properly through Enterprise Portals when on Windows XP.

o The lead approver in the "select role screen" is not displayed correctly.

o Embedding the CUP web URL into another web browser frame stopped working post SP8. This has now been resolved so users can embed the CUP URL into an iview or other frameset.

o When running the "roles assigned/removed" report, incorrect results are returned when using the "approver" field alone.

o The system name selected in the request screen is not transferred when clicking on the "select superuser access" tab.

o Users are not shown correctly during the role reaffirm process. If there is a "&" in role name then while doing role reaffirm this is not handled properly.

o The role provisioning fails with error "HR Object ######## doesn't exist in the SAP Database" where ######## represents the data placed in the Position field of the request. The role is not deleted from the userid. This occurs when CUA provisioning is configured.

o The request type description is not shown in the notifications. The request type ID is shown instead.

o If the name of the user default is changed, it is still saved with the previous name entered and the changed text is not saved.

o Request is not moving to next stage from role owner stage if one role rejected and one role added on previous stage.

o Internet Explorer throws a JavaScript error (Invalid Syntax error) when the user clicks on the arrow button when changing the approver on role attributes.

o Manager information not fetching correctly from SAP HR system when running HR Trigger Load Data.

o Firefighter ID description is incorrectly displayed in the request when in the Approver's inbox.

o When selecting one of the pie chart slices from Informer Tab Chart-View, the results are not correct when logged in under a language other than English.

o Role import from file fails. This is caused by critical level being in lower case.

o When creating a super user access, if the approver adds a new firefighter id to the access request, then only the first requested firefighter id will be provisioned, not the second one.

o Approvers do not see the request in their inbox if the request is in role stage. This happens if the approver is a distribution list.

o Group removal for portal system from UAR request is failing.

o Escape route not working correctly when user is logged in under German. The conditions for the escape route are not displaying in the configuration tab.

o Audit trail in request is not showing the user ID even though it shows up in the audit trail under Informer tab.

o Roles are not provisioning correctly if using "model my access by" feature.

o Auto-provisioning fails due to CUP not adhering to configured password parameter requirements in the back-end ABAP system. If the configuration in ABAP has the minimum password length set to more than 8, the password reset function from CUP is unable to set the password correctly.

o When accessing Informer > Provisioning > Select ALL, the approvers and graph are presented correctly. If selecting by individual approver, the graph is blank.

o Risks are not sorted alphabetically by Risk ID in the risk analysis tab. This is fixed to sort based on risk ID.

o When SUBMIT button is disabled, SELECT SUPERUSER ACCESS button is enabled to ALL Request Types, regardless of defined "Action Types".

o Unable to pull user details from LDAP if the group path is configured in the connector setting.

o While updating a user's access using "Model my Access by", it generates an error message while clicking on the Search button. The error message is "Data retrieval from system xxx failed : com.virsa.ae.service.ServiceException: No more storage space available for extending an internal table."

o In 'Search Role' functionality 'Role description' is displaying an erratic value if the field is kept blank.

o When two approvers are in the same request and the first user rejects their assigned role and the second approver rejects their assigned role, the role from the first user is provisioned.

o User Review - Request review - Reviewer selection gives action failed error when trying to change or add new reviewers for UAR request.

o Initiators cannot be saved when an existing attribute is deleted and a new attribute is added. This is specific to old initiators created in 5.2. For initiators created in 5.3, there are no issues.

o Valid to and from dates in the CUP request are not correct after being passed from IDM. The dates are the same when they should be different.

o IDM WebService SAPGRC_AC_IDM_AUDITTRAIL returns duplicate audit log entries.

o When a request has two roles with two different approvers, the email notification is sent based on the last status of the request. This means if the second approver approved the role, then an approval notification is sent. If the second approver rejected the role, the requestor/user receives the reject notification.

o When trying to configure Field Mappings for HR Triggers in CUP, the navigation screen does not load and is in a continuous loop.

o The value for Request Reason and any custom field values are lost when request is submitted from the End User login screen.

o Mitigation always stays in the request even if the risks are removed by deleting the roles. The fix is that the mitigation is removed if the corresponding risk is removed from the request.

o The new Standard User Group field introduced in support pack 9 clashes with custom field already defined by the customer in the previous versions of CUP.

o CAD is not able to determine proper approver. This happens when the CAD is based on a custom field.

o Role reaffirm fails in CUA systems with message "Reaffirm Failed".

o Not able to save existing initiators when a custom field is added as an attribute.

o Unable to save a CAD that has more than 16 approvers.

o When a request is created for another user, the Requester information is populated from the Authentication source instead of the data source. This is fixed so that the Requester information is populated from the Data source even when they request for another user.

o If you refresh the internet explorer page while on the "user logon" page, the page is displayed incorrectly.

o When adding additional profiles, all previously entered request reasons are lost.

o Select Roles/Groups Screen in Request creation: Template Profile previously assigned to the request is not selectable / selection grays out (same as existing Roles behaviour) in Create/Change Request.

o While removing the roles from CUP the corresponding profiles were not removed in the backend system.

o Wrong Translation of the Risk & Mitigation description if the user logs in under a language other than English.

o If manager information is entered manually then request is routed to incorrect person on manager stage.

o Filter not working correctly when searching for the Firefighters for Super user access.

o CUP - ERM workflow contains http:// link instead of https. When using https protocol to access the portal system, in the CUP role approval request the link which is pointing to role definition in ERM system contains http:// prefix and the port number of the https port of the java engine.

o Configuration > Background Job, schedule a UAR Load Data task. While the task is executing, go to User Review > UAR Load Data Tasks and try to modify the task; the following error message appears: 'UAR Load Data Task <task name> is running as a background job and cannot be modified'

o CUA PSS incorrect password while resetting password in child system.

o Duplicate records are coming in Request Audit Trail when a request takes a predefined Detour Path.

o Limitation in the selection of Status field in Delegated Administrator (Informer) reporting.

o SNC and communication field retrieval from user master record from backend.

o User forced to select a date before 2009 as a start date for background jobs in CUP.

o Config -> roles -> role selections: Message text change from 'Display expired roles for Exisiting roles' to 'Display expired Roles'.

o Addition of one more option "All" along with existing Active and Inactive status in Approver deletion screen.

o While creating a change request some fields pull erratic descriptions.

o No default role added though the attributes (like business process) meet the role addition condition of the default role.

o Job ID column appears in download report though there is no Job ID column in the SoD Review History Report output.

o In the Audit Trail, wrong info. is being provided for the roles that are dependent on the removed roles.

o In the Audit Trail, wrong info. is being provided for the roles that are

o Undefined Role approver is appearing for roles during approval process.

o Filter does not work while selecting the stage for a path in the User access review report.

o When resetting the password for a user in multiple systems including CUA systems, there is an error for the CUA systems and the password is not reset for any of the CUA systems if the SCUM setting is "Global" for initial password.

o When the user selects "synchronize on all systems" to reset the password in the child system during password self service, an error is generated listing all the systems as not having the user, including the system where the user does exist. Message text "Action failed" is changed to "user not existing in the systems".

o In a new request creation, field userID not marked as mandatory.

o Escalation emails are sent to the user once, the first time the Escalation and Email Dispatcher is run.

o Request Configuration --> Request Type in Russian language: Create button on screen is disabled.

o Request does not fetch Manager's Telephone number for HR Trigger.

o During Permission level risk analysis, Role level mitigation is not considered though Mitigation control is added to user.

o While resetting the password in CUA, an error is generated that the user is locked in both systems even if the user is locked just in the child system.

o User Group value is not getting changed in the backend.

Support Package 10 Patch 01

The following issues are resolved as part of Support Package 10 Patch 1:

o Request escalated to Alternate Approver cannot be approved by the Approver and they receive error message "error processing your request" when they attempt to approve. The requests can be approved by the administrator.

o Error Message "error:null" is received when using the opensql_test.jsp webpage to run Count (*) queries.

o Error Message "expecting LPAREN, found '&' " is received when using the opensql_test.jsp webpage to run Count (*) queries.

o Column headers are mismatched to the actual column values in the UAR/SOD status report sent as attachment in an email reminder to coordinator. Specifically, Job ID Task Name is containing the request type and columns are shifted to left. When downloading the Informer => User Review Status report the column header and corresponding data does not match. Request type was shifted under Job ID Task Name and Reject (last column) was empty.

o In the UAR/SOD request, when a reviewer selects the Cancel option from the User access button of UAR/SOD request without saving the request, the application displays a warning message asking to save data. If the reviewer selects the "No" option, then the application is not returning back to the Request, instead it displays the Warning message again.

o Upon saving an action for a line item on a UAR request, CUP returns the Reviewer back to the first line item on the request instead of the line item where the action was taken.

o The User Review Status report for both UAR and SOD requests is displaying incorrect counts under the columns "Completed", "Rejected" and "Missing".

o Beginning in SP10, the CAD stage for the UAR and SOD workflow requires all the approvers to approve. Previously, any one approver could approve. With this patch, the logic is reverted to pre-SP10 logic where any one approver can approve for UAR SOD CAD stages.

Support Package 10 Patch 02

The following issue is resolved as part of Support Package 10 Patch 2:

o In CUP Open Sql interface, while running SQL query against AC tables, all the SQL Queries with the WHERE clause are returning Incorrect Values.

Support Package 11

The following issues are resolved as part of Support Package 11:

o Currently, when logging in to CUP the first time or after expiration of the password, the user is unable to change the password directly in CUP and a confusing error message comes up. The user had to go to the UME homepage in order to change the password. Now, when an expired password is entered, a link will be provided to take the user directly to the UME homepage to change the password.

o The Role Import from ERM fails if the role name contains '-' (dash).

o Unable to import roles from ERM in background mode, only could do it in foreground. With this support pack, provided a pop up to see how many roles were imported.

o With support pack 7, the display of CAD's was changed from a list that showed all values to paged listing where a user has to page through to find the CAD to change. With this support pack, a hyperlink called "show all" is provided so that if the user wants to see all CAD's listed on a single page, they can.

o NEW FEATURE - With this support pack, a new feature is delivered to allow a user to delete ALL REQUESTS in CUP. This feature is specifically designed to be used in a non-productive environment to delete test data so that custom fields and workflows can be changed or removed.

o The areas below were not translated into Slovakian and instead showed in English.

Change approver in CAD

Reset button in all reports

Process log > HR Triggers

End form personalization

Workflow > CUA system > By system -> consider as CUA is coming as YES/NO

o Group object class and user in group were not displayed properly in LDAP field mapping.

o When archiving requests, the "from date" was not a required field and could be left empty, but this resulted in no requests being archived. This support pack makes the "from date" a required field.

o CUP does not show save action after saving the detour 'Action' in German.

o Unable to see the connector name in role import dropdown list if trying to import NON-SAP roles from ERM in CUP.

o If you forward a request to an approver (A) who has delegated to another approver (B) then the approver B should get the request in his inbox. This functionality is not working.

o If infotype 0105 is updated using the PA30 transaction, the CUP trigger occurs as expected. However, if the 0105 record is updated using IDOCs, the CUP HR trigger does not occur.

o Under Informer -> List of Roles and Roles Approvers, the Function Area short descriptions are displayed, but when the data is exported, the functional area ID is shown instead.

o Informer tab chart view gives error when a particular system is selected for Archived requests.

o The UAR/SOD status report which is sent as attachment in email reminder to coordinator has the columns and corresponding data mismatched. In addition, when the Informer => User Review Status report is downloaded, the report column header and corresponding data do not match.

o Searching for role names in informer - analysis view - analytical reports - list roles and role approvers is case sensitive. This support pack removes the case sensitivity so roles are displayed regardless of casing of the search.

o Existing portal groups that are currently assigned to the backend user ID are not showing up on CUP.

o CUP makes unindexed searches to LDAP directory which causes performance concerns. Coding changed to index the search and reduce performance issues.

o Manager cannot be fetched from LDAP when user path is not provided.

o Unable to pull the User Information from LDAP. The issue is specific if the domain name had a '.'

o After installation of Support pack 9, unable to run Count(*) queries using the opensql.jsp page. Message "Error: Null" is received.

o User ID is the only standard field for EP provisioning - all other fields need to be mapped in provisioning field mapping if they are to be provisioned.

o Error when provisioning if mobile number is left blank or if there is already a value in Mobile Number in the back-end system.

o If request has standard field "user group" in lower case, the request cannot be provisioned.

o After upgrade from 5.2 to 5.3 SP08.1, the user defaults were not provisioned.

o While provisioning the request with roles to provision in two different backend systems for a particular user who does not exist in one of the provisioning systems, the system throws error as "Error in Provisioning your request, Request no: 121 error details: VE7-401: User TESTHN3 does not exist in SAP System."

o The password self-service email text is redundant. This support pack changes the text so it reads "This is to inform you that your password has been reset as below:"

o Password Self Service not working after upgrade from CUP 5.3 SP7 to CUP 5.3 SP9. Unable to access the password self service screen.

o Password self service is not resetting the password in SAPHR systems if verification is required beforehand.

o Password self-service does not incorporate the user mapping when resetting the ID and instead resets the master data source ID and not the proper ID on the target system.

o When the password is sent as a link in PSS mail, sometimes when clicking on the link, it is empty and does not pull up the proper page.

o When signed in under German in Password Self Service, the message 'Auf beliebig antworten 1 Unterstehende Fragen' has been changed to 'Auf 1 der aufgeführten Fragen bitte beliebig antworten.'

o Go to PSS End User form and click on re-register and then submit. No message will be displayed for registration and control will come to the End User form Screen.

o When a user whose ID has more than 20 characters tries to access the Password Self-service, it shows a blank page.

o Start date incorrectly picked from SAPHR systems.

o User search is returning incorrect users based on search criteria, including blank user ID's.

o After upgrade from 5.2 to AC 5.3, the old requests created in CUP cannot be opened, processed or copied. Clicking on request gives the following error: "Error : Request cannot be displayed as the request status has been changed."

o Entering comments will be saved only after the action is performed on the request.

o Approvers that have an apostrophe in their user ID can't approve requests.

o Requests cannot be approved if the CAD is assigned a role with special characters such as ?, >, & or #.

o The request status didn't contain the requests for which the SAP User id was mapped.

o Output of more than 7 pages does not "print to page".

o Complete file path was shown for attached file and serial number is generated at request review screen.

o The following Czech language translation issues have been resolved.

1. Some of the tool tips are not translated on Approver view and Chart View Reports

2. Some of the button labels are not translated in Configuration

3. Default Templates are not translated correctly.

o If the User ID on the request form is more than 12 char., which is more than the field length in SAP systems, CUP truncates the User ID without giving the warning. With this support pack, if the request is related to an SAP system, it will validate that the ID is 12 characters or smaller and provide a message if that length is exceeded.

o If the manager name is longer than 35 characters, unable to create or approve requests and receive error message "Error creating request. Length of Managers First name: 41 should be less that 35." With this support pack, the length has been changed to 50 characters for first name and 50 characters for last name. If name is longer than that, an error will still be displayed.

o When request type "Change Account" is created, the default roles for request type "New Account" are incorrectly added in the request.

o Inconsistent naming in the column names related to Firefighter IDs. In CUP the name is 'SuperUser Coordinator' and in R3 transaction /VIRSA/VFAT it is 'Controller'. This support pack is making the name in CUP Controller so they are consistent.

o Currently "Business Process" is not a standard field on the end user request form. It is a standard field in the "My Work" area. This support pack will change it so business process is a standard field on the end user request form to make it consistent.

o Even if the end user personalization screen is configured for user email to be editable, the user is still not able to edit the email address when creating the request.

o In the End user Personalization, the Field name - "Submit" is set to non-mandatory, un-editable and non-visible. However the Select Role button is active and after the request is created and if the select role is selected, the Submit button will then be visible and can be selected. Note: If the Field name - 'Submit' is set to visible (End user Personalization) then after the creation of request the 'Select Role' is grayed out.

o Role search is not proper at request access form if role selection for approvers was restricted to functional area.

o The actions "add" and "keep" are not translated properly in German when using "model my access by".

o When searching for a Firefighter ID in CUP, the ID's are not listed in alphabetical order.

o For user registration, success and error messages were not translated in Hungarian & continue button was not translated at request access page.

o For Hungarian, registration failure message is not translated, success message is not translated, and continue button is not translated at the main request access screen.

o Validity dates are not shown for roles with keep action.

o When importing or searching the Reviewer Coordinator mapping or creating a new mapping, the response is very slow.

o When clicking on the 'Cancel' button in the UAR Request, application displays the Warning message to save the changes made in the UAR Request, then after clicking on 'No' button to return back to the request again to save the changes made, application continues to display the warning message.

o When creating a mitigation control from CUP, the Business Units in RAR appear as Functional areas in CUP.

o Under CUP Configuration, there is a disparity between the link displayed on the Left Navigation bar and the Header Name on the screen. Left Navigation Link says: "End User Personalization" while Header Name on the common area says: "Request Form Customization". This support pack is changing the left navigation link name to "Request Form customization".

o The user "valid from" and "valid to" are always retrieved from user details data source.

o In CUP, the email language for the provisioning notifications is determined by the last approver. So if the last approver logs on in English, the provisioning notification is sent in English, but if the last approver logs in under Japanese, the provisioning notification is sent in Japanese. With this support pack, the provisioning notification will be sent out based on the requester's login language, not the approver's login language.

o Multiple emails are sent to an approver if the request goes down parallel paths. With this support pack, Email notifications will be consolidated at the stage level for a request with multi paths:

- If there are multiple paths, and two or more paths have the same approver (based on email address) at a stage, email notifications will be consolidated into one. And only one email will be sent to the approver email address.

- Note: For email notification configuration, if parameter <path> is included in the configuration content, emails CANNOT be consolidated. Emails can be consolidated only when Path is not included in the email content configuration.

o In CUP, the SMTP port is hardcoded to be 25 and cannot be changed. With this support pack, the port is configurable for each customer.

o If the request is flowing in two paths and the rejection is done in the last stage of the two paths, the whole request gets rejected. However if the request is rejected first (in one of the paths) and the final stage of the whole request approves the request, the approved roles get provisioned.

o If in the CUP request, a new role is added to the request and then risk analysis is executed again, it is showing all the risks which were mitigated and ignored previously.

o Beginning with SP9, there is a threshold value in RAR that will return an exception to CUP if a maximum number of violations is exceeded. This threshold was not being adhered to in CUP and running analysis on larger roles still resulted in a timeout in CUP.

Support Package 11 Patch 01

The following issues are resolved as part of Support Package 11 Patch 1:

o For workflow type CUP, Approval type for stage is set to "Any One Approver", however request is still requiring approval from all other approvers.

o CUP does not fetch SNC name while creating the request when a request is created on behalf of another user.

Support Package 11 Patch 02

The following issues are resolved as part of Support Package 11 Patch 2:

o Displaying wrong CAD approver list while user tries to change existing CAD approvers.

o Unable to archive 'Closed' Requests.

o Unable to view the archived requests from request administration.

o De-provisioning fails while removing a LDAP group from a user in case of SUNONE LDAP.

Support Package 11 Patch 03

The following issue is resolved as part of Support Package 11 Patch 3:

o Unable to gray out the "valid from" date for profiles using parameter 97 in virsa_ae_ermconfig.

Support Package 12

o When the approver changes the validity date of a Firefighter/SPM request, it is not captured in the audit trail.

o When removing a role that is already assigned to a user in the backend, the role is removed in the backend, but no audit trail is created in the user master record: the 'last change date' is left unchanged and in the SUIM transaction change report, no record is visible.

o When a user logs on to CUP the first time without changing their password first in UME, an error message is returned 'User password expired, login into UME and change the password'. With this support pack, a change went in so that now the error message will tell the user to click a link to change the password. The link pulls up a session of UME where the user can change the password, close the UME window and then re-login to CUP with this password.

o Unable to change approvers through the CAD. Selecting CAD "New SAP User" to change approvers opens up the "Change SAP User" CAD tables of users instead.

o Going to Configuration -> HR Trigger -> Field Mapping, the session just hangs.

o Running the archive job does not archive all requests that meet the archiving criteria.

o Unable to import initiators which have custom attributes. Message "Import status: 0 successfully imported".

o Unable to create a subprocess that has the same text as another subprocess. With this support pack, removing validation of the subprocess text. The subprocess ID and business process ID are now the only key fields.

o An Application URL is configured in Configuration -> Workflow -> SMTP Server. This URL is removed and the field is made empty and saved. However, the old URL is still used by the CUP application even after refreshing under Miscellaneous -> Refresh Cache. The only way to remove the link is to reboot the GRC J2EE server.

o When reviewing Configuration - Change Log - Search Change Log, a filtered record is displayed even though it is deleted. Incorrect change log information is being displayed for deleted attributes.

o Unable to cancel requests in the administrator mode in CUP. The error message "Failed to cancel the following requests" shows.

o Several UME actions are not working as expected.

- UME action AE.ViewRequestsAdministration cannot work by itself (needs the UME action AE.ModifyWorkflowConfiguration in addition).

- UME action AE.ViewConfigSystemLogAction cannot work by itself (needs the UME action AE.ModifyWorkflowConfiguration in addition).

- Configuration\Request\Stale Requests not accessible with UME action AE.ViewStaleRequests.

- But Configuration\Request\Stale Requests is accessible with UME action AE.ArchivingRequest.

o There are certain PID entries where the values for those PID's actually have leading "space" keys. PID 'FOP' is an example of this. The actual value that SU01 needs is 'spacespaceXspaceX' (looks like "X X" in the PID in su01). In CUP if you try to enter this value in user defaults, it drops the first two leading spaces so that in CUP, it's X X, which is incorrect.

o The roles with name having '_' in it are showing multiple entries for same Functional Area and user is unable to delete the multiple entries.

o On End user Personalization screen for Company attribute the default value drop down shows business process values instead of company values.

o Initiators can be uploaded without having the mandatory field short description in the upload file.

o CAD for Company Attribute shows a blank value.

o Error is received when trying to export the results from Configuration Validator Diagnostic Tool - Access Control 5.3. The following error is shown: /temp/webdynpro/web/sap.com/grc~accvwdcomp/Components/com.sap.grc.ac.cv.wdapp.CheckComp (Is a directory (errno: 21)).

o In some cases the delegations (active or not) are not displayed. This occurs when the delegated user is removed from the UME database.

o When the format of the date is DD/MM/YYYY, then 'Invalid Date Range' message appears while saving the Approver Delegation. The message should not appear as the date range is correct.

o When using the administrator function for delegates, when the administrator wants to change a delegate the screen shows one delegation 3 times.

o Unable to clean up obsolete entries in the HR trigger process log. With this support pack, a new button called "clear" will allow users to clear the process log.

o The User Review Status report is displaying incorrect counts under columns 'Completed', 'Rejected', and 'Missing'. This issue is for both types of report, UAR as well as SOD.

o In CUP, when going to management view - Role assigned/removed and searching for archived requests, it shows the number in the chart but clicking on the chart brings back a blank page instead of drilling down into the data.

o With the GRC AC 5.3 SP10 Patch-1 CUP Open SQL interface, all the SQL queries with the WHERE clause are returning incorrect values.

o Several SQL statements had significant run times. These have been changed to improve performance.

o Added index for table VT_AE_CHG_LOG_FLD on column CHG_LOG_ID.

o Password sent to user is 40 characters in length, even though parameter gen_psw_max_length is set to be some other length. This is specific to basis 700 systems as GRC was not taking into account this parameter when generating the password.

o When using the 'Model by Access' selection to provision a request, roles that were supposed to be ADDED per the request were not being added in the backend.

o Users are not removed from LDAP groups as per the request, even though the request indicates it was completed and provisioning was done.

o The user group tab value in the user defaults is not being updated in the backend "GROUPS" tab, if the user already exists. For the users which do not exist in the backend the value is being provisioned in the "GROUPS" tab.

o In CUA environments, when a new user is created via CUP, even if the CUA master client is not on the request, the CUA master client is being assigned to the user account on the System tab of the user account in CUA.

o Error in provisioning if FAX number or FAX Extension is left blank.

o In CUA systems, when Initial password setting is 'Global', then the password sent is empty. With this support pack, the email will indicate the password is the same as on the parent client.

o User Defaults are not provisioning in a scenario where the user default mapping is based on role and request contains more than one role.

o Roles are getting removed however their associated profiles are not. These associated profiles are visible in display mode only and not in change mode. If a single role is assigned in two composite roles, both of these composite roles are assigned to a user in SU01, and the user removes one of the composite roles, it removes the single role as well from the user master record, which it should not as another composite role is still assigned. These issues are specific to ABAP back-end 7.01.

o Getting an error message "error processing your request" when we try to auto provision the already existing LDAP group to the user and the request does not close.

o For CUA systems, change account provisioning is not working if the value of the field "Create user if does not Exist" is set to "No" in Auto provisioning configuration, which should not be considered if the user already exists in the back-end system. Users are not getting changed in the backend system.

o The first time a user (in CUP) clicks on "Request Access" and then on "Password Self Service" and authenticates, the wheel keeps spinning endlessly. No User Registration screen shows up. Next, authenticating on the self service link again, it returns another error as below:

Application error occurred during request processing. Details: java.lang.NullPointerException: null Exception id:[005056885407004C0000005D0000560600047D8D93D4C60C]

o Go to Configuration -> Self Service -> Select Authentication Source as "Challenge Response" and Service to Disable Verification as "Password Self Service or All". Click on Password Self Service on End User Form and authenticate the User. Now on PSS screen click on Re-register button. User ID is missing and due to that registration is not done.

o When a non-English user registers for PSS the first time, the challenge response questions are shown in the language of the user. After registration, the registered question is shown only in English and not the language of the user even though the question is maintained in the language of the user.

o Manager information is not populated in the request. This occurs if SAP HR is the data source and the user and manager are in different org units.

o User group is not retrieved when Connector is set to SAPHR. This happens when User Details Source SAP system is changed from NH to HR; it no longer pulls the Advanced Option defaults from the back-end system to front-end.

o Search for FFids fails while creating request for Super User in CUP. This happens if the FF ids descriptions are maintained in one language, but the user logs into CUP under a separate language.

o Searching for users by email address takes a long time and sometimes times out.

o Searching for users by ID does not work if the user data source is set to be SAPHR.

o Searching for users by email address is case sensitive.

o When selecting a request that has two unique role approvers and forwarding it to another user on behalf of one role approver there is an issue. The user who the request is forwarded to approves the request and both roles are provisioned even for the role that the user wasn't forwarded on behalf of.

o Mandatory comments are not enforced when rejecting a role at risk simulation.

o Unable to gray out the "valid from" date for profiles using parameter 97 in virsa_ae_ermconfig.

o Mitigation description in CUP is cut off. The description in RAR is much longer than the description displayed in CUP.

o When searching for a FireFighter ID the term "Superuser Coordinator" is used. With this support pack, the term has been changed to be "Controller".

o Unable to view archived requests via Request - Administration. Error message: "Request Approval Screen is not displayed because Request Status has changed"

o The SNC field value is deleted from the request form if you search for the user and comes again on request form.

o Mitigations are not saved when there are multiple approvers for a request and the last approver rejects the request. This is specific to configuration that has one stage workflow with approval at the role level. The approved roles provision, but the attached mitigations are not saved to the RAR tables.

o Manager Information is not coming when request is created using HR Trigger.

o Several field labels in CUP were not correctly translated into German.

o Date is displayed in incorrect format YY.MM.DD when logged in Slovenian language i.e. the year is in 2 digits. It should show year in 4 digits.

o The creation from/to fields for searching requests is not translated correctly in French. In addition, error messages are in English even if user language is selected to another language. Finally, when logged in under French or German, the calendar shows Sunday and Monday as the weekend instead of Saturday and Sunday.

o Jco connection fails and unable to create requests. This is specific to NW SP16 and greater as there was a change in the Netweaver saving of passwords.

o The getSubmitRequest web service does not include PD profiles in its definition so unable to provision PD profiles via web service.

o SAPGRC_AC_IDM_SUBMITREQUEST webservice has been enhanced to allow it to be used for Super User Access Requests.

o The custom field USERGROUP is blanked out after request submission.

o Receiving the following error message from IDM/VDS when trying to create a request through webservice, SAPGRC_AC_IDM_SUBMITREQUEST. Exception: (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while inserting Application;msgtype=JAVA ERROR]). This occurs if the request reason is greater than 300 characters. With this support pack, an error message will be delivered to indicate this is the cause of the issue.

o When logged in under Dutch language, the "submit" button after selecting a role is incorrectly labelled "add".

o The request submitted from the IDM web service from SAPGRC_AC_IDM_SUBMITREQUEST, will not show risks if the request has profiles. The setting Run Risk Analysis on Request Submission is 'yes'.

o In case of multi data source, when there is no SNC in LDAP, it is brought from CUA & SNC is assigned to USERID field.

o The label "Archived Requests" is being changed to "Archived Requests Only" in all reports.

o Risk analysis results are inconsistently displayed if a user switches systems from All to one system.

o If in the CUP request, subsequent approvers remove roles from the request and perform the risk analysis, it is showing all the risks which were mitigated and ignored previously.

o Roles are imported fine in the system, but the logs show the following exception many times. LocaleDAO.insert(): insert = table name = VT_AE_ROLDTLS_LOC 2009-09-23 10:19:07,939 [SAPEngine_Application_Thread[impl:3]_30] ERROR LocaleDAO : insert: : An Exception is thrown while executing insert stmt*******com.sap.sql.log.OpenSQLException: Cannot assign an empty string to host variable 3. at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85).

o Uploading the roles with incorrect information like company, sub process, the log does not give any corresponding warning message in the System Logs if the logging level is set to "warn". The information is only there if logging level is set to "debug".

o 'Action Failed' error is coming while importing roles from EP.

o Using role reaffirm results in users losing access to roles that they should not. In addition, sometimes roles aren't removed that should be removed. This results when two different role approvers are approving roles that a single user has.

o Unable to search for roles when both Functional Area and Company details are entered.

o "Model my Access by" has no translation in German.

o While selecting firefighter IDs during creation of request, the "Existing Firefighter IDs" button returns all the firefighter IDs from backend system, not just the Firefighter IDs assigned to the user ID on the request.

o In CUP, when Reviewer performs an action on any line item of UAR request, then Reviewer was taken back to first line item instead of the line item where action was taken.

o Risk Analysis in CUP is showing incorrect risks when it's run for "ALL" systems. This specifically happens if the request has multiple systems, but in RAR, rules are only created for one of those systems.

o While running the SOD review load data not all the risk violations are being reported.

o If there are multiple Role approvers or Risk Owners for UAR/SOD request, then the requests are not getting generated by the UAR/SoD Review Load data background job.

o Department field is shown as blank, even though the field value has been specified. This happens when the request is raised via the WebService "SAPGRC_AC_IDM_SUBMITREQUEST".

o Standard field "Accounting Number" which was introduced in SP09 is missing under the LDAP field mapping "AC fields".

o If request provisioning fails in the back-end, the request closed and does not go to the escape route. For example, the request could fail if the maximum number of profiles that the user can have is exceeded. Another possibility is that the user is locked for editing by someone else which prevents CUP provisioning. With this support pack, if roles are not provisioned for any reason in the back-end system, it goes to the configured escape route.

o While approver is trying to approve the request after rejecting the roles it is giving approver not found exception.

o Alternate role approver receiving 2 emails in case of escalation to alternate approver.

o Requests that are on hold are not escalated as expected. Instead, the request stays with the original approver.

o Request is not escalating to administrator at Manager and Role stage.

o The reminder mail is not sent to alternate approver when the request gets escalated to alternate approver.

o Escalation for UAR/SOD requests is not working.

o In email notifications, if the variable "request type" is added, it shows the request type ID, not the long description.

o Not all role approvers are able to select or pick the roles from the existing roles screen. Only the approver whose name is displayed adjacent to role in the screen for that particular role is able to pick or select, and for other role owners of the same role it's grayed out.

o Lower screen resolution, for example (1024 x 768) or (1440 x 900), is making the approval reaffirm pop up window hidden from the user viewable area to approve.

o The request was closed but the reminder emails are being sent to approvers for closed request.

o The request forwarded by the Administrator to the Role Owner who has not approved the request. The role owner will approve the request, but this will again show up in his Inbox for approval.

o When we try to change the decimal notation of the already existing user from 1,234,567.89 to 1.234.567,89 user default, it is not working although if we try to change from 1.234.567,89 to 1,234,567.89 or 1 234567,89 it works fine. Only the above mentioned combination is not working.

o Password of user is not coming into email for CUA system when Auto Provisioning Type is set to "No Auto Provision".

o Global escalation (Deactivate and forward to next stage) is not working for UAR/SOD type request.

o When trying to create delegation in CUP via menu Configuration / Requests / Approver delegation, all of the steps are very slow, they take about 2 min or more without any load on the system.

o Whenever user uploads attachment in any request then corresponding files at OS level are being generated within same path which lies on user's computer. Also whenever user opens attachment in request it does not show the request and errors out.

Support Package 12 Patch 1

The following issues are resolved as part of Support Package 12 Patch 1:

o Provisioning of portal system is failing to modify the user groups, when UME is configured the user data source as LDAP and CUP request type is change or delete.

o When creating a request in CUP, not able to select existing portal groups of any users. The existing groups selection is disabled and not allowed to select.

Support Package 13

The following issues are resolved as part of Support Package 13:

o Error message "Error provisioning your request" occurs which results in the request not closing due to provisioning error. The user account is actually being created and roles are provisioned, but the request remains in open status. This is caused by a change made in SP12 that requires user group to be populated and if it isn't, user defaults are not provisioned which causes this error.

o The Change Name Self Service is not working. It gives an error "User ID could not be changed in the following system(s): VE8 : Change Name Error, new password empty".

o In CUP, if approver opens a request which came from ERM and is pending for approval and then clicks on the ROLE name to see all the details about role, the CUP screen hangs.

o In CUP, for the ERM request, when we click on the name of the role to see its details then ideally a pop up should appear showing the details about the role. But that pop up does not appear when we open the request by navigating through "My Work->Search Requests".

o Audit trail displays incorrect translation for rejected roles. The Audit trail in English is displayed correctly.

o In a request, when you click on Existing Roles/Groups, the Enterprise Portal roles come in as read only and the action (add, keep, remove) cannot be changed. This is only for Enterprise Portal roles.

o The risk analysis in CUP does not show critical permission risks, nor does the risk detail show down to the permission level. With this support pack, the risk analysis in CUP will show the same level of detail as seen in the RAR detail report.

o Several changes have been made to properly support SPM (Firefighter) requests in CUP.

1. If a request has multiple firefighter IDs on it with different approvers, if any approver approves, all firefighter IDs are assigned. With this support pack, new configuration has been added to treat firefighter IDs like roles so approval happens like roles.

2. If the Firefighter owner ID is different in the authentication system than in the ABAP back-end, the owner was not able to see the request in their inbox or approve. With this configuration change of Firefighter IDs being handled like roles, this issue will no longer occur as it will be handled via Custom Approver Determinators.

3. Previously, the webservices could not be used to submit a request for Firefighter IDs. This has been changed so now web services can be used.

o When you provision a firefighter id via CUP under the "comments" section in the Firefighter application, the standard entry is "Assigned by CUP reason:". This is not grammatically correct or complete. This has been changed to "Assigned by GRC AC CUP".

o When the stage is set so that the revaluation path is for New roles only, it splits the SOD approver stage when last approver adds new role with new approver. If SOD approver gets to request and mitigates and approves before the last new role owner approves then it starts the mitigation and approval for all risks and roles again.

o Customer is required to use the SAP Router string to make a connection from the GRC system to the backend R/3. The issue is that within CUP while defining the connector, they can't specify the complete Router String in the field 'Application Server Host' because it's restricted to 40 characters. With this support pack, the length is being increased.

o If a user first selects roles via normal role search and then searches again by "model my access by", the original roles are not retained, only the "model my access by" roles are retained in the request.

o With this support pack, risk analysis will no longer be required if an approver rejects the entire request.

o Even if the 'Valid to' date is made mandatory in the End User Personalization screen, users are still able to submit requests without filling in this field.

o Risk Description comes in German language even though the logged in language is English.

o When submitting a request on behalf of someone, error "Error Creating Request" appears. This happens because the telephone number stored in LDAP is longer than the available field length in CUP.

o When downloading the request to a Word document, the "Request Reason" section is blank and does not include the data filled in by the requester in Request Reason.

o When creating a request, error "error creating request. Multiple Initiators found" occurs. This happens if the initiators have similar roles in them such as role Z:FI* and other with Z.FI*. CUP is not able to differentiate between these role names and throws the multiple initiator error.

o Identity Management (IDM) uses GRC Webservice, SAPGRC_AC_IDM_REQUESTDETAILS, to read the status for each role assignment within the request. When a request is cancelled in CUP, the webservice does not return accurate information whereas audit trail shows the correct information. This causes IDM to be out of sync with the user's access level from a reporting/auditing perspective.

o If customer is creating multi user request and the "enable account validation" is turned on for change requests, error "User Multi User does not exist in systems" occurs.

o Password self service in CUP ignores the system setting login/password_change_waittime in the back end ABAP system and allows a user to reset their password multiple times, even though this is prevented in the back-end system.

o Mitigated risks are shown in CUP request while doing risk analysis. This occurs if there are cross system risks and the CUP request only includes one of the systems in the request.

o The audit trail is incorrectly showing html code such as "<FONT color=#0000cc>".

o Audit trail cannot be searched for the requests based on the value of filter attribute "Stage".

o Mitigation control is created for all risk ids using * in risk. When the Risk Analysis is performed in CUP and when we try to mitigate the risk, the Mitigation control search does not bring the mitigation control defined for * risks.

o Navigate to Configuration->HR Trigger->Field Mapping and select any system. The first row contains blank entries.

o If a 4 digit risk has both org rule relevant and non-org rule relevant risks, the mitigations are not being assigned correctly in RAR. Basically the mitigations for the non-org rule relevant risks don't get populated in the correct table which causes them to continue to show, even though they've been mitigated.

o When UAR requests are generated, if the LDAP user IDs are mapped to SAP user IDs, the users and managers for those requests are not found as the user ID passed is R3 user ID and that ID does not exist in LDAP.

o In the audit trail, if an LDAP group is removed, the user it was removed from is not specified.

o In CUP, if we have character "&" in the name of the company then when we copy the request the "company" field's value is not copied.

o CUP approvers are unable to display the contents of CUP requests when clicking the request tabs. The internet explorer reports the message "error on page" and request tab content does not show. This happens when you logon in Dutch language.

o When approving a request, an error message comes that does not truly indicate the actual error. Error messages changed to state:

1) scenario 1: role is disabled: Message: Following Roles are disabled.

2) scenario 2: role validity date is incorrect, with expired roles.

o If a request has multiple paths with same approver then duplicate emails are generated and sent to the same approver.

o When running a risk analysis for a multi-user request, a new error message is introduced which indicates the risk analysis will only be performed for roles in the request.

o Critical permission risks cannot be drilled down into. In addition, for critical permission risks, the role description is not shown.

o Previously, unable to remove Firefighter IDs in an SPM request. With this support pack, now are able to remove FF IDs from a CUP request.

o User profiles are not removed if the connector is an HR connector type.

o Stage level setting for 'Allow Approver despite Risk' as "NO" is ignored when Risk Analysis on submission is "YES".

o If a request is forwarded during role stage with no return and the forwarded approver approves the roles, all roles in the request are approved and provisioned, not just the roles owned by the forwarded approvers.

o After implementation of AC 5.3 SP12, can no longer export data via Configuration --> Initial System Data --> Export data. Only the first entry 'Initial data' is tagged for export. After pushing the Export button, error 'Action Failed' received.

o In case of a plus '+' symbol in the profile name, the initiator maintenance has a bug. It does not replace the '+' with '\+' when multiple profiles are added to the initiator.

o While selecting Template Profile, for generating the profile the following info needs to be sent to custom BAPI parameters for each template profile (System, Role, Parameter, Parameter Value).

o The stale request job stays in busy status even after it completes.

o Not able to open request attachments (in Unix/Linux environment).

Support Package 13 Patch 1

The following issues are resolved as part of Support Package 13 Patch 1:

o Files with the extension (".msg") cannot be attached to the Request. Please refer to the SAP Note 1232736 for more details.

o Searching for Mitigation controls while mitigating a Risk in CUP request results in an error and does not return any results.

o Approvers who are part of an LDAP distribution group in Role owner stage are not able to reject their own roles in the CUP Request. All the Roles are disabled and cannot be rejected.

o Risk Analysis Mandatory validation ignored for CAD Stage (Role based) when Approval/Rejection Level is set to Role.

o In CUP Request access screen, Functional area selection is not holding the values after selecting the user from user data source.

Support Package 13 Patch 2

The following issues are resolved as part of Support Package 13 Patch 2:

o Forwarded approver unable to reject the request where Role approver forwards a request to the other Role approver or to a new approver not in the Role approvers list.

Support Package 13 Patch 3

The following issues are resolved as part of Support Package 13 Patch 3:

o If the SNC url in request form customization is 'p:#!#userDomain#!#\#!#userId#!#' then after request is submitted the userid is changed to upper case, and is provisioned as upper case. This causes SSO login issues for users. It is fixed in two ways.

1. With this patch you will have to manually change the value in the table VIRSA_AE_ERMCONFIG for parameter 157 to be 1 (default is 0). If this is changed to 1, the existing user id field for SNC will consider the LDAP or searched user's user id and will not convert to upper case. If this parameter remains at 0, the searched user's user id will be converted to upper case.

2. If you use SNC field name as userIdForSNC then the user id will be saved as it is.

Support Package 14

The following issues are resolved as part of Support Package 14:

Please implement the SNOTE 1543524 for VIRSANH 530_700 & VIRSAHR 530_700 release which is mandatory.

Please execute the report /VIRSA/TRANSFER_UTILITY_REP to migrate the data from /VIRSA/RULEATTR to /VIRSA/RULEATTRN. This would address the issues related to HR triggers.

o Previously when a role was rejected by an approver, the audit log would state "Could not add ROLEID role with validity dates." This was confusing to auditors since it did not specifically state that the role was rejected.

o The audit trail of requests which were approved by a French user shows both English and French text when it should only show French text.

o Previously, a user could not put a dash "-" when creating a business process or subprocess in CUP, but in ERM they could. To keep consistency, CUP has now been changed to allow users to enter a dash when creating business process and subprocess IDs.

o Configuration "Change logs" are not capturing the data when any Custom Approver Determinator is deleted.

o In SP13, a new configuration option was delivered under Configuration=>Header Configuration=>Enable Header to set whether a customer sees the header. If this configuration is set to NO and the internet explorer window is resized, the CUP application hangs.

o Under Configuration - User Review - Request Review, if you do not enter any selection data and press search, no data is returned, nor is a warning message displayed.

o Under Configuration - Field Mapping - LDAP Mapping, the User In Group label is not correct. It displays as LBL_USER_IN_GROUP (EN).

o In Configuration > End User Personalization, the Priority field is set with default to 'Select'. This is not showing up as a default in the End User screen.

o Under Configuration - User Review - Manage Rejections, the data can be sorted on the screen. But when the data is downloaded, the sort criteria is not carried over to the Excel document which remains unsorted.

o Under Configuration - User Review - Manage Rejections, the data can be sorted on the screen. If a user goes to a page other than 1 and chooses some of the requests to edit, when they come back to the listing, sort order is gone and it defaults back to page 1 instead of the page they were on.

o While creating the attribute - Business Process, the system gives error Enter a valid value for "ADM_ALTAPPROVERID". This occurs if the alternate approver ID is greater than 8 characters. With this support pack, this issue is resolved so alternate approver IDs can be up to 16 characters which is the allowed amount in the approver table.

o Under Configuration - Request - Approver Delegation, a single delegation is appearing multiple times in the result section.

o While scheduling background jobs, unable to select the time frame - 23:01 - 23:59.

o If the administrator forwards the request (from Request administration) on behalf of multiple approvers in a stage to a particular approver then the approver gets multiple emails. The number of duplicate emails sent equals the number of approvers in that stage.

o The request type description is not coming in reminder emails.

o Unable to load a role into CUP and receive an "action failed" message. This occurs if a role already exists in CUP for a specific system and has a custom field attached to it. If this same role name is imported, but for a different system, this error occurs.

o HR triggers are not executing properly based on the configured rule. The specific situation is that when an HR Trigger Rule is created which has attributes with the same values for these fields - InfoType, SubType, Field, Operator, then these records will not be saved to the backend table - /VIRSA/RULEATTR. Still a success message is shown to the user - "Action Successful". So the rule appears to have been created, but it is not correctly saved which results in the HR trigger not following the HR trigger rule.

o A user's delimited ID from infotype 0105 is populating the HR trigger table, instead of the current 0105 record. This results in the user's old ID being included in the HR trigger request instead of the user's new ID.

o The user group that is filled in HR Triggers Actions is not getting provisioned when user is provisioning using HR Triggers. A rule is not getting saved in HR triggers if it has the same info type and files with different value and an OR condition.

o Under Informer - Chart View - Access Requests, requests of type "User Access Review" do not show completely in the graphs.

o The User Access Review History report had a limit of 9,999 records that could be displayed. With this support pack, the limit has been set to be 999999. If this is set to "0" it will bring the complete data.

o User cannot change password in CUP screen after deploying JTECHS SP13 and JTECHF SP10. It directs to UME, but the link is not redirecting them.

o UME authentication is replaced with CUP login screen.

o The password self service email does not contain the user's ID, instead it shows value "#_!PWD_RESET_USER_ID#_!". This support pack corrects this so that the proper user ID shows.

o When using password self service, a user is unable to authenticate and reset their password. This occurs if LDAP is configured for authentication and the user's LDAP ID is different than their SAP user ID.

o CUA systems that are configured to provision via synchronous mode work. With this support pack, CUP can now support asynchronous mode as well.

o If Provisioning Type under Configuration -> Workflow -> Auto Provisioning is configured as indirect/combined, PD profiles provisioning is giving error.

o When submitting a request, a Java Script error comes stating that "'userGroup' is null or not an object". This occurs if the User Group is set mandatory in Request Form Customization configuration.

o Creation of Multi-user requests results in incorrect/junk characters in the User ID field. This occurs if the multi-user file used for import is formatted as UTF-8.

o The user defaults are not getting provisioned to child system if the CUA master setting is configured to be proposal. This occurs if the user exists in the CUA master system, but not in the CUA child system and the CUP request is created for only the CUA child system. It provisions the user defaults in CUA master but not in the CUA child.

o Previously, if a user had UME action RestrictModifyExistingRole, they could change existing roles assigned to users. Now, users that have this UME action will not be able to change existing roles assigned to users.

o Roles with Remove action are highlighted in red/pink color now. This is comparable to how roles with remove looked pre-support pack 9.

o For the reports below, when a user searches for requests and the search results in multiple pages, if the user goes to a page other than 1 and opens a request, but then cancels to come back, CUP takes them back to page 1 instead of the page they were on when they opened the request. With this support pack, when the display is cancelled, CUP takes the user back to the page where the request was listed. The reports this is resolved for:

1) Configuration -> Workflow -> Initiator

2) Configuration -> Workflow -> Custom approver determinator

3) Configuration -> Workflow -> Stage

o The manager name is not displayed in the request header section for closed requests. This occurs when a request is rerouted at a subsequent stage to the manager stage. The manager's name then is no longer displayed.

o The description of the Firefighter ID does not display correctly in the CUP SuperUser Access request types.

o Customer is getting the error "A Script on this page is causing IE to run slow in GRC CUP" when he clicks on More in the request screen.

o Message "Error Creating Request" occurs when a user tries to submit a request for creation. This occurs when role mapping is used and the Risk Analysis on Submission configuration is set to YES.

o When copying a request, even roles that are disabled at the time of the copy are copied over. With this support pack, only roles that are currently active will be copied over into the new request.

o The segregation of duties risk results are inconsistently displayed. Specifically, the number of risks keeps increasing when switching from All system to one specific system. This occurs if the request has more than one system.

o When trying to assign an existing mitigating control to a segregation of duties risk, receive error message "action failed".

o When performing risk analysis for Portal systems, risk analysis is inconsistent. Sometimes the right results show, sometimes 0 risks show, even though there are risks.

o Critical permission risks are not showing when running risk analysis in CUP.

o Under Informer - Analytical Reports - List Roles and Role Approvers, the role description is not showing. This occurs if the roles were imported from ERM.

o When approver clicks on the "Role Reaffirm" link, the CUP application just hangs and does not go any further or show any data. This occurs if there is an invalid role reaffirm date.

o Search for roles based on transaction codes is not displaying those roles in which the transaction codes have been added manually in s_tcode. The search was only working for transaction codes added via the menu.

o Search for a single Firefighter ID in CUP takes a very long time.

o When searching for Superusers (Firefighters), the search criteria is not maintained in the results screen. All Superusers are shown in the results screen, regardless of the search criteria used.

o The upgrade from 5.3 SP8 to SP13 took several days. With this support pack, the upgrade step has been optimized.

o Approvers can approve a request that has conflicts, even when the Stage level Setting: Approve Request Despite Risks is set to "NO".

o The Reject button is not highlighted or available on the request approval screen. This occurs if the customer has configured to provision at end of path and stage level configuration is approval level and rejection level is at "Request". If the request has two paths, and the first path is approved and provisioned, the approver for the second path can no longer reject.

o ERM role approval email notifications are not sent even if the role is approved or rejected. New functionality is available with this support pack to configure role rejection and approval emails for ERM workflow types.

o Escalation of requests on Hold depends on the ERM configuration parameter: PARAM number 150. Requests on hold will escalate if its value is set as 1, otherwise not. For setting in CUP, go to Configuration -> Support -> 'Configuration for Escalate On Hold'. Requests on hold will escalate when 'Escalation is on hold' is set as Yes.

o New feature for logon language: when language is set in the browser, CUP will consider the browser language. Please see Note 1534088, which clearly describes how it works. For setting this in the browser go to Tools -> Internet Options -> in General tab select Languages -> and add the language to be used by CUP.

Support Package 14 Patch 1

The following issues are resolved as part of Support Package 14 Patch 1:

o If 2 roles with different approvers are requested, first approver rejects his role and second approver forwards the request to first one, first approver can reject the forwarded role.

o If 3 roles are requested (2 roles with different approvers and 1 default role), first role approver rejects his role and second role approver forwards the request to another approver different from the first one, then that approver can reject the request on behalf of second approver.

Support Package 14 Patch 2

The following issues are resolved as part of Support Package 14 Patch 2:

o Though Risk Analysis is set as mandatory at CAD Stage, Approver is able to approve request without being asked to perform Risk Analysis.

o While trying to open the attachments before approving a request, dump is shown.

o When the Request Status is checked for the user existing in user data source but not in detail data source, 'Action failed' error is shown.

Support Package 14 Patch 3

The following issue is resolved as part of Support Package 14 Patch 3:

o User information is retrieved from Microsoft Active Directory with multiple domain configuration, as CUP user data source is set as SAP UME and Data Source of UME is set as LDAP. Now while creating a request, user ID retrieved is extended with domain extension, and thus the request cannot be provisioned as the user ID contains more than 12 characters.

Support Package 14 Patch 5

The following issue is resolved as part of Support Package 14 Patch 5:

o When we import CAD with more than 10,000 entries, then some of the columns are not populating the data in the server. The issue is related to the buffer size of the Database server.

Support Package 15

The following issues are resolved as part of Support Package 15:

o Though Risk Analysis is set as mandatory at CAD Stage, Approver is able to approve request without being asked to perform Risk Analysis.

o Password Self Service should be in sync with RZ11 settings.

o Request is not visible when Approver 1, delegated for an Approver 2 to whom request has been forwarded from different Approver 3, puts it on hold.

o When user does not exist in the SAP HR system (set as Detail Data Source), while accessing the Request Status tab at End User Page, it was showing Action failed error.

o While trying to open the attachments before approving a request, dump is shown.

o Complete Comments given when Re affirming the role were not displayed at Request Audit Trail for Role Re affirm.

o Some Slovenian language characters are displayed as "?" when the request is downloaded after provisioning the request.

o Custom Fields without default value cannot be created or saved.

o Navigation to next page to select Systems was not working when Locking/Unlocking User having more than 10 systems. Now all the systems are displayed in one page.

o User Names are missing from the Audit log for Role Removal in UAR.

o User is not able to register when the answer to Challenge Response questions contains characters other than English.

o While selecting Roles/profiles/Groups at Request Creation Page, Access Type Description field is case sensitive.

o Start and End dates of a user are not updated for the SAP EP Systems.

o All Primary Role Owners are not receiving Approval Email Notifications.

o Custom Function Modules are not getting called for CUA systems.

o Role Name is missing when downloading Provisioning requests from the Chart View.

o Advance view is not displaying any information of the Risks.

o When we change the "Superuser Access as Roles = NO" under the "Model Super Access as Roles" (in Configuration-Role Selection screen) section, the selection of "Approvers" and "Access Requestor" section changes to "Restrict Role Selection" due to which it gives that validation error message while saving.

o Request dates modification shows a blank page for Due Date. Now Dates are selected from calendar.

o When the system of child role is disabled and this system is added in the request automatically due to role mapping, even if the category of system is non production it is shown to have category as production.

o The download of requests (after you approve) in Spanish language is truncating the header of the downloaded document, which is opened in .doc format.

o Request stays in open status after approval.

o Webservice "SAPGRC_AC_IDM_PROVISININGLOG" shows ROLEPROFID instead of Technical Role Name.

o Field Mapping in HR Trigger is not getting Saved.

o Password Self Service email content is incorrect.

o Action failed error is coming after saving a role and clicking on the cancel button.

o Some roles are not displayed for Risks having Critical Actions defined at Object level.

o A new "Email Arguments" feature has been added at the Stage Level configuration to send the Comments entered while Reject/Approve a request, in the email notifications.

o Custom fields of Text Type do not have provision for having default values.

o Download functionality for Searched Change Log items.

o The user was not getting provisioned if the company code which is passed through the request is not available in the R3 system. Now if the company passed through the request is available in the R3 system, then the user will be provisioned with the passed company code; otherwise the user will be provisioned with the default company code and the audit trail will show the message that user provisioned with default company code.

o At Request Status Page, when the requests are searched with Select or Canceled option in dropdown, it does not retain the value of search criterion in dropdown.

o An error is displayed when a Spanish user selects future validity dates for a role while creating request.

Support Package 15 Patch 2

The following issues are resolved as part of Support Package 15 Patch 2:

o Though the auto provisioning is failing at last stage, request is getting closed despite the Escape Route configured for the same.

o Performance improvement of SAPGRC_AC_IDM_ROLEDETAILS webservice.

Support Package 15 Patch 3

The following issues are resolved as part of Support Package 15 Patch 3:

o While importing roles from the excel file, Company attributes need to be separated with semicolon instead of period.

o While creating request from End User Form, if Functional Area field is kept mandatory, Business Process becomes mandatory and request creation errors out second time.

o Message "Use your Network User ID to log on" is not shown while user logs into the system, when the authentication is set to Multiple LDAP.

o Password Self-Service is not working for Italian language.

o Audit Trail will not show role actions after escalation of a request.

o Disabled roles are not displayed when the search is based on the system.

o UAR jobs created in German are not displayed when user logs in with English language.

o Portal Role for iView of Password Self Service does not display the Password Self Service Screen.

Support Package 15 Patch 4

The following issues are resolved as part of Support Package 15 Patch 4:

o At Roleowner stage if Approver Determinator is Role, Request is not in the inbox of the Approver in case of LDAP mapped to UME as data source.

Support Package 15 Patch 5

The following issues are resolved as part of Support Package 15 Patch 5:

o In change account request for user, changes are getting reflected into backend system but existing values of RML fields (RML Name, Client, Sys Name) in other communications in SU01 are left blank.

Support Package 15 Patch 6

The following issues are resolved as part of Support Package 15 Patch 6:

o Configuration to consider or ignore browser language is provided. It can be configured with the initial append data file. For details please refer to Note 1601297.

o After upgrading to SP15 some customers are facing errors when accessing their work queue through index_apr.jsp.

Support Package 15 Patch 7

The following issues are resolved as part of Support Package 15 Patch 7:

o When logging via End User, the Request is not being created and giving error 'Approver Not Found' and when the same Request is created from CUP Login, the Request gets submitted successfully.

o Request does not escalate to the Alternate Approver after running Escalation background job at Role Owner stage. Stage level setting is set to Escalate in 'n' Hours (Request Wait time) Escalation Configuration: "Forward to Alternate Approver".

o CUP cannot find approver if request created by web service SAPGRC_AC_IDM_SUBMITREQUEST.

Support Package 15 Patch 8

The following issues are resolved as part of Support Package 15 Patch 8:

o While downloading the Roles to Excel file, company attributes are separated by semicolon. For further details please refer to SAP Note 1614723.

Support Package 15 Patch 9

The following issues are resolved as part of Support Package 15 Patch 9:

o When a request is copied, even though the category of system is Non Production it is shown as Production for SAP EP LDAP.

o In Chinese Language, In End User Form the Manager first name and manager last name is translated correctly.

o Role stage configured to reject at role level would still allow approver to choose to reject at role or request level.

o Role validity dates (valid from and valid to) are blanked out if an approver rejects one role on the request and reruns risk simulation.

o Even though the stage setting for Risk Analysis Mandatory is set to be YES and Approve Request Despite Risks is set to be NO, if the approver clicks Cancel after running risk analysis, they are able to approve the request, even though it has risks. This should not happen. With this configuration, approvers should only be able to approve requests with no conflicts, or if the conflicts are mitigated.

Support Package 15 Patch 12

The following issues are resolved as part of Support Package 15 Patch 12:

o UAR request is not generated for users whose manager record is inactive/disabled in LDAP when the Admin Review is set to Yes.

o Unable to remove the Portal groups from the user assignment in UAR requests. For further information please refer to SAP Note 1647514.

Support Package 15 Patch 15

The following issues are resolved as part of Support Package 15 Patch 15:

o HR Trigger request is not triggered when the User End Validity date is on the previous date. With this patch you will have to manually change the value in table VIRSA_AE_ERMCONFIG for parameter 158 to be 1 (default is 0). If this is 1 then the user will not be terminated on a previous date in HR Trigger Request (current behaviour). If this is 0 then the user will be terminated on a previous date.

Support Package 15 Patch 16

The following issues are resolved as part of Support Package 15 Patch 16:

o

Support Package 16

The following issues are resolved as part of Support Package 16:

o When a request contains multiple roles that all have the same approver, the audit trail shows that approver's name multiple times. For example, if the request contains 4 roles that all have the same approver, that approver's name is shown 4 times in the audit trail. With this support pack, the audit trail will only show the approver's name once.

o The tab "Access Type" on the CUP access is showing in English language when logged in under Norwegian. With this support pack, the "Access Type" tab is translated properly into Norwegian.

o When creating and approving a request, the fields "SNC Name" and "Unsecure Logon Allowed SNC" are shown. However, once the request is approved, these fields no longer show in the request details or in the audit trail.

o After installing SP14, patch 1, customer is experiencing high CPU and memory utilization.

o Role validity dates (valid from and valid to) are blanked out if an approver rejects one role on the request and reruns risk simulation.

o The risk still shows in a request, even though the role that creates the risk has been rejected by the approver. Due to this issue, the stage detour may be called because CUP still believes there is a segregation of duties violation, even though there is not. This occurs when the Role Approval Stage setting has Risk Analysis Mandatory option set to "YES - when access changes". With this support pack, you will have to manually change the value in table VIRSA_AE_ERMCONFIG for parameter 146 to be 1 (default is 0). If this is changed to 1, then risk analysis will be recalculated when the role is rejected. If this parameter remains at 0, the risk analysis is invalidated and the request will go to the detour path (if configured).

o Creating an iView for Request Approver page using index_apr.jsp, user is redirected to index.jsp page rather than request approver, i.e. index_apr.jsp.

o Even though the stage setting for Risk Analysis Mandatory is set to be YES and Approve Request Despite Risks is set to be NO, if the approver clicks Cancel after running risk analysis, they are able to approve the request, even though it has risks. This should not happen. With this configuration, approvers should only be able to approve requests with no conflicts, or if the conflicts are mitigated. This issue is resolved with this support pack.

o In Norwegian language, when a request is created which has a risk, the risk level description in the informer report shows the text as 'HIGH' instead of 'HOY'.

o When creating a request, error message "Error creating request. Length of User First Name : xx should be less than 50" occurs. This happens if the user's last name in the request contains characters with spaces. CUP is incorrectly adding the number of characters in the last name to the number of characters in the first name which causes this error.

o When opening the CUP URL http://server:port/AE/index.jsp, via GRC Role assigned to the Enterprise Portal user, there is an error warning in the Status bar of the browser saying "Done, but with errors on the page." This occurs when the CUP URL is maintained in the iVIEW and further assigned via Role to the User in the Portal.

o The HTTPS link to CUP no longer works as of SP14 (the HTTP link does work). The log in screen appears but when clicking on the user log on or request access link, it errors with "Navigation to the webpage was cancelled".

o When importing roles to CUP from ERM, the import status incorrectly displays the number of roles imported. The message may show, "Import status: 6 successfully imported from 6 records found", but actually only 3 roles were imported.

o After upgrading to SP14, the UME login screen would show for several seconds when logging into the CUP application, and then after, the CUP screen would be visible. This change was done in SP14 to resolve an issue with the password change functionality, as users could not change their passwords using the standard CUP login screen. With this support pack, a new configuration option has been added under Configuration - Support. If the new option "Load SAP Netweaver screen as login screen" is set to NO, the old CUP login screen is used and you will no longer see the UME login screen flash by. However, because of the previous issue fixed, if this is the configuration setting, you will NOT see the password change option available on this screen. If this configuration option is set to YES, you may experience seeing the UME flash screen, but this is the only screen where you can change the CUP password.

o When creating a SuperUser Access request, selection of a firefighter ID was not mandatory. With this support pack, configuration can be set to have an error message come up if a SuperUser Access request is created without a Firefighter ID selected. To enable this option, ensure table VIRSA_AE_ERMCONFIG has an entry for parameter ID 153 with a value of 1.

o Error message "Enter a valid value for group name" occurs when searching for a Portal system role using the role's complete name.

o When creating a change account request for a non-existing user, the request gets closed without any error messages. This occurs when Configuration - Workflow - Auto Provisioning - Auto Provisioning Type is set to "No Auto-provisioning". With this support pack, if a request goes through for a non-existing user, an error will be displayed when assigning roles using the Assign Roles tab.

o In the SAPGRC_AC_IDM_REQUESTSTATUS web service, if Request ID field is kept blank, the application is displaying result for one record without validating the input field. With this support pack, an error is now displayed that says "Please enter the Request ID".

o Logging on to CUP from the AC launch pad is working fine. However if in a new browser, you use the same URL (http://server:port/AE/index_apr.jsp) and click on logon, the screen starts shaking with the error: 400 illegal SSL request.

o NEW FUNCTIONALITY - 5.3 CUP application is now compatible with Basis 7.3 release. The installation files are available on the SAP Service Marketplace.

o Importing the xml file AE_init_clean_and_insert_data.xml into CUP in SP16 gives an action failed error. The error log showed "Invalid time format".

Support Package 16 Patch 1

The following issues are resolved as part of Support Package 16 Patch 1:

o If the CUP Request consists of Addition and Removal of Roles in a single request then the CUP SPML does not contain the Remove Actions.

Support Package 16 Patch 2

The following issues are resolved as part of Support Package 16 Patch 2:

o After upgrading to SP14, it is not possible to log on to CUP by the direct link.

o This is the case of Multiple approvers at a CAD stage. Approver1 is forwarding the request to Approver2. Request goes to the forwarded approver. Once Approver2 approves the request, the request still remains open and returns a message "Request is approved, pending for other approvers". Stage settings are "Approval Type: Any one Approver", "Forward Type: Any one Approver".

o In PSS if we add the systems, the filter criteria for select Category is not working properly.

o When only SPM request type is set to Active in CUP Configuration then the End User can't see the Request Access screen which shows various request types and Password self service link.

o In Initial System Data, export data from the source system and import it into the Target System. The email data in the Stage level settings is not imported into the target system.

o Create a request for Locking of a user by selecting the System. At the Stage when the stage owner clicks on LOCK/UNLOCK, the Select systems is not populating the Systems and showing empty.

o When the approver clicks on the VIEW link received in the email notification only one third of the screen is displayed.

o When Customer upgraded from SP08 to SP14, the reports under Informer -> Chart view -> Provisioning -> select the individual Approver who is not the Lead Approver, then the chart shows empty.

o When role details are saved each time, in edit or change mode, the custom field value keeps changing, but in view mode it is working fine.

o Under the Custom Attribute for portal roles, choose an attribute and a corresponding value, then SAVE. In the resulting screen, you will notice that the selected value is changed to something else. This value should be retained as it impacts the workflow process of finding approvers. The value is lost while saving.

o The Role Owner stage is set to consider "Path Revaluation for New Roles=New Roles Only" and "Approval Type=Any One Approver". When request is created and assigned to a role owner stage, the first role owner is adding another role, for which he is one of the role owners, but not the lead Approver. Now, the request is approved and moved to next stage without any problem. Before this SP the request status was still pending for other approver.

o Role stage configured to reject at role level would still allow approver to choose to reject at role or request level.

o Request does not escalate to the Alternate Approver after running Escalation background job at Role Owner stage.

Support Package 16 Patch 3

The following issues are resolved as part of Support Package 16 Patch 3:

o When the SAP user IDs are mapped to Custom field Portal/LDAP IDs, the existing roles and groups are not returned.

Support Package 16 Patch 4

The following issues are resolved as part of Support Package 16 Patch 4:

o When user ID in UAR request has special Norwegian characters (ex. CCLÖCHTER), reviewer cannot perform actions like approve, reject.

o When a request is copied, even though the category of system is Non Production it is shown as Production for SAP EP LDAP.

o In Chinese Language, In End User Form the Manager first name and manager last name is translated correctly.

o Inconsistency in the select roles/groups. Select the Access Types as Groups and then select the Application Area or Business area, the Type of Access returns to Roles. The same happens when clicking on Go, the Type of Access defaults to Roles.

o Issue related to the UME redirection of the HTTPS protocol. Whenever you copy/type the CUP URL in IE, an error in the redirection URL occurs.

o In Configuration Validator, RTA checks are failing.

Support Package 16 Patch 5

The following issues are resolved as part of Support Package 16 Patch 5:

o Role import fails for multiple Company attributes.

o Roles provision while request is rejected by forwarded approver at CAD stage.

Support Package 16 Patch 6

The following issues are resolved as part of Support Package 16 Patch 6:

o The field length of the cost centre in HR is 10 characters but in SU01 (XUKOSTL) it is 8 characters. If the cost center is of 10 characters then the last 2 characters are truncated. If the cost center has zeros (0) initially then the zeros (0) will be removed and the remaining 8 characters are saved in cost center of SU01.

o After changing the password in UME, the CUP page opens in English language even though some other language was provided in CUP Logon page.

Support Package 16 Patch 7

The following issues are resolved as part of Support Package 16 Patch 7:

o In the CAD Stage (based upon the Custom field), if the Approver forwards the request to another approver with forward with no return, then the forwarded approver is unable to approve the request.

Support Package 16 Patch 8

The following issues are resolved as part of Support Package 16 Patch 8:

o The request provision fails in EP Systems when the user is not existing and the Request Type is of Lock and change account.

o Unable to remove the Portal groups from the user assignment in UAR requests. For further information please refer to SAP Note 1647514.

o UAR request is not generated for users whose manager record is inactive/disabled in LDAP when the Admin Review is set to Yes.

o After applying this patch, the validity dates for Roles can be entered only through calendar, while creation or submission of a request through Approval Screen.

Support Package 16 Patch 9

The following issues are resolved as part of Support Package 16 Patch 9:

o Alternate Role Approvers cannot reject the roles in the request when the request is Escalated (Role stage setting - Escalate to Alternate Approver).

Support Package 16 Patch 10

The following issues are resolved as part of Support Package 16 Patch 10:

o NULL field value in transaction field is displayed in the "Critical Access Risk". This has been fixed and now if the risk is a permission level risk then the object name will be displayed in this column.

o For a mitigation control workflow, the display request screen does not show the risk description, although it is filled up in RAR. This has been fixed and now proper description will be displayed as per maintained in RAR.

Support Package 16 Patch 11

The following issues are resolved as part of Support Package 16 Patch 11:

o In the Login screen while resetting the password (User password expired, Log on to UME to change the password here) it is not getting redirected to the original CUP screen.

Support Package 16 Patch 12

The following issues are resolved as part of Support Package 16 Patch 12:

o Escalation Background job always goes to busy status.

Support Package 16 Patch 13

The following issues are resolved as part of Support Package 16 Patch 13:

o Unable to create the UAR Requests while executing the UAR Background job when the Role Criticality maintained in the UAR.

Support Package 17

The following issues are resolved as part of Support Package 17:

o When the Authentication system is set to HR system, and the User Authentication is set to Personal Number, after a reboot of J2EE the User Authentication is reset to User ID.

o Role owner is not able to approve the roles in a request as the option is disabled. In the Role owner stage after doing some changes like escalate to alternate approver, reroute, forward and at last the role owner is not able to approve his roles.

o If the SNC URL in request form customization is 'p:#!#userDomain#!#\#!#userId#!#' then after request is submitted the user ID is changed to upper case, and is provisioned as upper case. This causes SSO login issues for users. It is fixed in two ways. 1. With this patch you will have to manually change the value in the table VIRSA_AE_ERMCONFIG for parameter 157 to be 1 (default is 0). If this is changed to 1, the existing user ID field for SNC will consider the LDAP or searched user's user ID and will not convert to upper case. If this parameter remains at 0, the search user's user ID will be converted to upper case. 2. If you use SNC field name as userIdForSNC then the user ID will be saved as it is.

o When assigning or removing mitigating control, a mail is sent out to the monitor to inform him/her about the action. When doing this in RAR, the mail is sent out in Norwegian. However, doing the same in CUP, the mails that are sent out are in English.

o When the Customer imports or exports large quantity of roles, like 20,000 or 30,000 roles then the server is restarting. It is related to performance.

o CUP cannot find approver if request created by web service SAPGRC_AC_IDM_SUBMITREQUEST.

o The PSS Questions that are inactive/deactive are still shown while self registration.

o Change History of Risks in RAR shows wrong username while approving the requests from the CUP. Example: Enable the Workflow in RAR for Risk Maintenance. Create, update, delete a risk. Request is created in CUP. Approve the requests. Approve the request for the delete Risk. See the change history of Risk in RAR. It shows the wrong user name for the delete risk.

o When logging in via End User, the request is not created and gives the error 'Approver Not Found', but when the same request is created from CUP Login, the request is submitted successfully.

o In Configuration Validator, RTA checks are failing.

o Analytical Report 'List Roles and Role Approvers' shows duplicate entries.

o The HR Trigger request creation fails when the request has the 'Role Mandatory' configuration set to yes in the Request form customization.

Support Package 17 Patch 1

The following issues are resolved as part of Support Package 17 Patch 1:

o Password Self Service - If the initial password of the user is expired then the user is not able to perform any action. And there is no proper message displayed for the same.

o The field length of the cost centre in HR is 10 characters but in SU01 (XUKOSTL) it is 8 characters. If the cost center is 10 characters long then the last 2 characters are cut off. If the cost center has zeros (0) at the beginning then the zeros (0) will be removed and the remaining 8 characters are saved in the cost center of SU01.

o While creating a request, if we enter the role validity date manually and submit the request, then the role validity date is shown as 12/31/9999 instead of the value we have entered.

o In CAD Stage, a request containing at least 1 role has been forwarded to another approver with no return and he rejects the role. Even though the approver rejects the request, the roles are provisioned in the backend. The stage level setting parameters are Approval level & reject level - role, Approval type - Any one approver.

o Inconsistency in the select roles/groups. Select the Access Types as Groups and then select the Application Area or Business area; the Type of Access returns to Roles. The same happens when clicking on Go: the Type of Access defaults to Roles.

o After changing the password in UME, the CUP page opens in English language even though some other language was provided in the CUP Logon page.

Support Package 17 Patch 2

The following issues are resolved as part of Support Package 17 Patch 2:

o After applying this patch, the validity dates for Roles / Firefighters can be entered only through the calendar during creation or submission of a request.

Support Package 17 Patch 3

The following issues are resolved as part of Support Package 17 Patch 3:

o After applying this patch, Mitigation of a Risk for Specific Org Rules in CUP results in updating the user only in Mitigated User Organization Rule in RAR.

Support Package 17 Patch 4

The following issues are resolved as part of Support Package 17 Patch 4:

o Inconsistent results in role import functionality (roles are uploaded, but some of the fields like business process, subprocess, etc. are missing).

o When a default role is created at role level and a request of another type is created with a composite role selected in it, this results in the error "X At least one Default Role must be selected for each Attribute-Value pair".

Support Package 17 Patch 6

The following issues are resolved as part of Support Package 17 Patch 6:

o UAR Requests are not getting closed when the user does not exist in the Backend system and the Remove action is performed for the user within the UAR request.

o If the role description is entered in lower/mixed case while creating a role, the Role Description is converted to upper case while searching.

Support Package 17 Patch 8

The following issues are resolved as part of Support Package 17 Patch 8:

o A Security Warning pop-up message is shown when the user logs in to the CUP application.

Support Package 18

The following issues are resolved as part of Support Package 18:

o In Chinese language, in the End User Form the manager first name and manager last name is translated correctly.

o After applying this patch, the validity dates for Roles / Firefighters can be entered only through the calendar during creation or submission of a request.

o Roles are provisioned while the request is rejected by the forwarded approver at CAD stage.

o Inconsistency in the select roles/groups. Select the Access Types as Groups and then select the Application Area or Business area; the Type of Access returns to Roles. The same happens when clicking on Go: the Type of Access defaults to Roles.

o When a request is copied, even though the category of the system is Non Production it is shown as Production for SAP EP LDAP.

o Role stage configured to reject at role level would still allow the approver to choose to reject at role or request level.

o Even though the stage setting for Risk Analysis Mandatory is set to YES and Approve Request Despite Risks is set to NO, if the approver clicks Cancel after running risk analysis, they are able to approve the request, even though it has risks. This should not happen. With this configuration, approvers should only be able to approve requests with no conflicts, or if the conflicts are mitigated.

o After changing the password in UME, the CUP page opens in English language even though some other language was provided in the CUP Logon page.

o Issue related to the UME redirection of the HTTPS protocol. Whenever you copy/type the CUP URL in IE, an error occurs in the redirection URL.

o When the SAP user IDs are mapped to Custom field Portal/LDAP IDs, the existing roles and groups are not returned.

o Role import fails for multiple Company attributes.

o The field length of the cost centre in HR is 10 characters but in SU01 (XUKOSTL) it is 8 characters. If the cost center is 10 characters long then the last 2 characters are truncated. If the cost center has zeros (0) at the beginning then the zeros (0) will be removed and the remaining 8 characters are saved in the cost center of SU01.

o For some customers, Password Self Service is not generating the password for Italian and French users. They just get a blank screen.

o Password Self Service - If the initial password of the user is expired then the user is not able to perform any action. And there is no proper message displayed for the same.

Support Package 18 Patch 1

The following issues are resolved as part of Support Package 18 Patch 1:

o After applying this patch, the validity dates for Roles / Firefighters can be entered only through the calendar during creation or submission of a request.

o After applying this patch, Mitigation of a Risk for Specific Org Rules in CUP results in updating the user only in Mitigated User Organization Rule in RAR.

o The downloaded Excel spreadsheet contains junk characters when the file is opened on a Mac system.

o "Action Failed" error occurred while importing the roles in CUP through Excel in Internet Explorer 9. After applying this patch the download/import functionality will work well on IE 9 as well.

o Role search on description fetches incorrect results. After applying this patch the role search can search with all the character cases.

o The language of the PSS mail is currently English. After applying this patch, the mail language would be displayed according to the user logged in to the end user form.

Support Package 18 Patch 2

The following issues are resolved as part of Support Package 18 Patch 2:

o Forward with delegation does not work for stage configuration with all approver type.

o The request provision fails in EP Systems when the user does not exist and the Request Type is Lock and change account.

o Unable to remove the Portal groups from the user assignment in UAR requests. For further information please refer to SAP Note 1647514.

o UAR request is not generated for users whose manager record is inactive/disabled in LDAP when the Admin Review is set to Yes.

Support Package 18 Patch 3

The following issues are resolved as part of Support Package 18 Patch 3:

o NULL field value in the transaction field is displayed in the "Critical Access Risk". This has been fixed and now if the risk is a permission level risk then the object name will be displayed in this column.

o For a mitigation control workflow, the display request screen does not show the risk description, although it is filled in in RAR. This has been fixed and now the proper description will be displayed as maintained in RAR.

o When a default role is created at role level and a request of another type is created with a composite role selected in it, this results in the error "X At least one Default Role must be selected for each Attribute-Value pair".

Support Package 18 Patch 4

The following issues are resolved as part of Support Package 18 Patch 4:

o In the Login screen, while resetting the password (password is expired - User password expired, Log on to UME to change the password here), it is not redirected to the original CUP screen.

Support Package 18 Patch 5

The following issues are resolved as part of Support Package 18 Patch 5:

o UAR Requests are not getting closed when the user does not exist in the Backend system and the Remove action is performed for the user within the UAR request.

o If the role description is entered in lower/mixed case while creating a role, the Role Description is converted to upper case while searching.

Support Package 18 Patch 6

The following issues are resolved as part of Support Package 18 Patch 6:

o After applying this patch the reminder mail will have only the short description of the request type instead of both the technical name and short description if the value of param 159 is 1 in the "VIRSA_AE_ERMCONFIG" table; otherwise it will work as it works now. The default value of this param will be 0.

Support Package 18 Patch 7

The following issues are resolved as part of Support Package 18 Patch 7:

o If the Role owner performs Reject and Hold Request operations for a Role for which he is the Approver and tries to approve the Request, the request shows the message 'Pending for other Approvers' even though the stage configuration for Approval/Reject level is 'ROLE' and Approval Type is 'Any one Approver'.

Support Package 18 Patch 8

The following issues are resolved as part of Support Package 18 Patch 8:

o Change user account request for resetting telephone number resets the values of telephone extension, fax, fax extension to blank.

Support Package 18 Patch 9

The following issues are resolved as part of Support Package 18 Patch 9:

o Email Notifications are not sent to all Approvers when the Approver is one of the Role Approvers for 2 Roles in 2 different systems in a Role based Request.

Support Package 18 Patch 10

The following issues are resolved as part of Support Package 18 Patch 10:

o When the name of a file contains some special characters (e.g. kötü) then the files could not be attached/opened with the request.

o Error while Deleting and Uploading the CAD Attributes.

Support Package 18 Patch 11

The following issues are resolved as part of Support Package 18 Patch 11:

o Change Logs are not maintained when changing the configuration setting of stale Request.

o On restarting the server, expired roles are not shown even though the configuration to show expired roles is set to YES.

o While creating a request from the end user form, the request form customization setting for roles (as mandatory) is ignored.

o Application attributes are not populated in field mapping for EP RTA 730 Systems.

Support Package 18 Patch 12

The following issues are resolved as part of Support Package 18 Patch 12:

o Background jobs do not become available.

o Role search based on any TCODE returns a fixed set of roles irrespective of the TCODE when searched using the Role Search web service.

Support Package 18 Patch 13

The following issues are resolved as part of Support Package 18 Patch 13:

o Custom fields are by default included while searching requests. Follow the steps below while searching for requests. 1) If you want to consider custom fields and default values of text field type custom fields, set parameter 160 of the VIRSA_AE_ERMCONFIG table to '0'. 2) If you don't want to consider custom fields and default values of text field type custom fields, set parameter 160 of the VIRSA_AE_ERMCONFIG table to '1'.

o Application URL is not being properly used to create the email notification link when using a Portal iView to launch GRC.

Support Package 19

The following issues are resolved as part of Support Package 19:

o While creating a request, if we enter the role validity date manually and submit the request, the role validity date still shows 12/31/9999 and not the value we had given.

o While trying to import roles from a spreadsheet, it's returning an error "Action Failed".

o Unable to create a new connector in CUP or edit an existing one.

o If users log in with a language other than English (French, for example) they do not see PSS challenge response questions in their corresponding logon language.

o Deleting a sub Business process gives error 'no rows selected'.

o Unable to change or delete functional areas.

o Role search on short description is fetching incorrect results.

o Customer is unable to save the configuration Model Superuser Access as roles to NO.

o Text is truncated in the Request Reason tab and the scroll bar is not aligned as per the window size.

o When the primary approver has a delegate approver and someone forwards a request in CUP to the primary approver, the delegate approver cannot approve the request. It requires approval by the primary approver to close the request.

o When the "Support" Configure Logon Screen is set to "No", we are unable to log into CUP or ERM and receive a message "Invalid User Credentials".

o Users whose initial password is set by an admin receive the error message "User password Expired. Log on to UME to change password here" when trying to log on to CUP. A click on the "here" link of the message leads to another error message "Cannot redirect to the requested application, the redirect attribute is invalid".

o An unexpected value or NULL is reported in RAR and in CUP risk analysis for any critical action found.

o For a mitigation control workflow, the display request screen does not show the risk description, although it is filled in in RAR.

o On performing risk analysis (Permission level) in CUP it shows risks for which the advance view is empty and the object name is not visible. Doing risk analysis for the same role in RAR we find no risks associated.

o Password Self Service - If the initial password of the user is expired then the user is not able to perform any action. Also there is no proper message displayed for the same.

Header Data

Release Status: Released for Customer
Released on: 26.06.2012 04:34:49
Master Language: English
Priority: Recommendations/additional info
Category: Installation information
Primary Component: GRC-SAC-ARQ Access Request

Valid Releases

Software Component   Release   From Release   To Release   and Subsequent
VIRAE                530_700   530.700        530.700

Related Notes

Number Short Text

1647514 GRC AC 5.3 , CUP 5.3 , AE 5.3 , SAP EP connector config

1614531 Error processing your request, Error Msg : malformed requests

1603540 Field Length for Business Process and Sub-Process in AC 5.3

1603374 Error "Enter a User ID of less than 12 characters"

1603284 User Search does not return result for LDAP User Data Source

1601600 Error message 'Could not import a file;contains script'

1592079 Default role - Error on page

1591106 Querying CLOB type columns in SQL query

1554004 How to provision Superuser Access (FFIDs) As Roles

1544317 Password missing in the email sent to the requestor.

1534088 Language preferences in ERM and CUP

1528078 Creation of Connector in Firefighter Frontend erroring-out

1517569 Superuser Access request type not available

1515625 How to set the Role Status of exported roles in the template

1514174 Mitigating Critical Transaction in CUP 5.3

1514173 Error Message : noSuchIdentifier while Provisioning EP Roles

1510891 New Field - Access Type under Import Roles in CUP

1485219 Disabled Log-Off link in GRC Applications

1484780 Risk analysis Mandatory setting not working at all stages

1481946 Roles imported via template are not being provisioned

1478400 Unable to create field mapping for a Portal connector

1475437 How to delete a Workflow

1472216 Upgrade GRC from 5.2 to 5.3 and J2EE version

1455885 Disable logoff button in Access Controls

1451616 CUP- Password Self Service - requires password to be entered

1433940 Access Control compatibility on Netweaver Java server 7.01

1397626 SP09 CUP - Missing functionalities

1369045 AC SP09 Data Mart Design Description

1352498 Support Pack Numbering - GRC Access Control

1314799 Users Analyzed on Management Report are not accurate

1302804 After applying CUP 5.3 SP's, Request data is not displayed

1286594 Custom Field's Varchar Length

1286024 Configuration of EP Connector for UME Provisioning from CUP

1251066 How to Disable a Role in Compliant User Provisioning

1228952 Configuration of Email Reminders job

1174625 Access Control 5.3 Java Support Pack Installation

1168875 GRC AC 5.3 SPXX Release information note

SP Patch Level

Software Component Version   Support Package   SP Patch Level
VIRAE 530_700                SP015             000016
VIRAE 530_700                SP016             000013
VIRAE 530_700                SP017             000011
VIRAE 530_700                SP018             000013
VIRAE 530_700                SP019             000000