This article describes a few case scenarios where the solution is achieved by implementing the BAdI delivered in Note 2145358, where by ABAP code can be introduced to ignore role assignment validation for provisioning actions Remove, Retain, Extend.
Case scenarios (1)
When trying to remove an existing role, or change/retain role from the user's account, the following errors are thrown:
a. Single Role <XXX> is not assigned to user in system <RFC Dest>. The action Remove cannot be performed
b. Single Role <XXX> is not assigned to user in system <RFC Dest>. The action Retain/Change Date cannot be performed
Case scenario (2)
The Portal or LDAP connectors return the user id in lower case and as a result, the user assignments fetched from the repository table GRACUSERROLE (via Existing Assignments button) are not found. This table has user ids in upper case, therefore the validation fails. This validation was added newly in 10.1, and the request throws the error:
Role <XXX> is not assigned to user in System <XXX>. The action <XXX> cannot be performed.
Case scenario (3)
Access Request submission containing retired roles is allowed by the application, when the request is created via templates or copy request functionality which contain retired roles.
SAP GRC Access Control 10.0
SAP GRC Access Control 10.1
ignore assignment validation action removal remove retain extend single role is not assigned to user in system the action cannot be performed validation existing non-existing role CV_CONTINUE_VALIDATION IF_REQ_ITEM_VALIDATE VALIDATE VALIDATE_REQITEM_PROV_ACTION bypass validations submission approve error retired template copy ignore , KBA , GRC-SAC-ARQ , Access Request , How To
About this pageThis is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.