SAPTechno

Note 1168183 - Enterprise Role Management 5.3 Support Package (VIRRE)

Header
Version / Date: 74 / 2013-04-09
Priority: Recommendations/additional info
Category: Installation information
Primary Component: GRC-SAC-BRM Business Role Management
Secondary Components

Summary
Symptom

This note provides information about the issues resolved in SAP GRC Access Control 5.3 - Enterprise Role Management Support Packages.

Other terms

Role Expert, Access Controls, VIRRE, Enterprise Role Management

Reason and Prerequisites
  • Access Control 5.3 version should be installed prior to installing the support packages.

Solution

This note is updated on a regular basis. Review the current version of this note before you start the installation.

Contents
  1. Change History
  2. General Information
  3. Resolved Issues

1. Change History

Date Short Description
05.08.2008 Created note for Support Package 1
07.03.2008 Edited note for Support Package 2
07.24.2008 Edited note for Support Package 3
09.23.2008 Edited note for Support Package 4
11.11.2008 Edited note for Support Package 5
12.12.2008 Edited note for Support Package 5 Patch 1
02.12.2009 Edited note for Support Package 6 Patch 1
02.20.2009 Edited note for Support Package 6 Patch 2
03.15.2009 Edited note for Support Package 7
04.16.2009 Edited note for Support Package 7 Patch 1
05.20.2009 Edited note for Support Package 8
06.24.2009 Edited note for Support Package 8 Patch 1
07.24.2009 Edited note for Support Package 8 Patch 2
09.30.2009 Edited note for Support Package 9
11.04.2009 Edited note for Support Package 9 Patch 1
12.07.2009 Edited note for Support Package 10
02.22.2010 Edited note for Support Package 11
03.22.2010 Edited note for Support Package 11 Patch 1
03.31.2010 Edited note for Support Package 11 Patch 2
05.28.2010 Edited note for Support Package 12
08.27.2010 Edited note for Support Package 13
09.28.2010 Edited note for Support Package 13 Patch 1
10.22.2010 Edited note for Support Package 13 Patch 2
12.16.2010 Edited note for Support Package 14
02.02.2011 Edited note for Support Package 14 Patch 1
02.17.2011 Edited note for Support Package 14 Patch 2
03.14.2011 Edited note for Support Package 15
06.15.2011 Edited note for Support Package 16
07.15.2011 Edited note for Support Package 15 Patch 1
08.04.2011 Edited note for Support Package 15 Patch 2
09.19.2011 Edited note for Support Package 17
10.14.2011 Edited note for Support Package 15 Patch 3
11.11.2011 Edited note for Support Package 15 Patch 4
11.14.2011 Edited note for Support Package 16 Patch 1
12.05.2011 Edited note for Support Package 18
12.15.2011 Edited note for Support Package 17 Patch 1
12.21.2011 Edited note for Support Package 16 Patch 2
02.24.2012 Edited note for Support Package 18 Patch 1
04.10.2012 Edited note for Support Package 19
06.28.2012 Edited note for Support Package 19 Patch 2
09.10.2012 Edited note for Support Package 17 Patch 2
02.01.2013 Edited note for Support Package 20






2. General Information
  • These support packages are not automatically sent to all customers. To perform this installation, download the appropriate packages from the SAP Service Marketplace.
  • To install this support pack, please follow the "SAP GRC Access Control 5.3 Installation Procedures" section of the "SAP GRC Access Control 5.3" installation guide.

3. Resolved Issues


The following issues have been resolved in Support Package 1:
  • Localization for Polish has been added.
  • Issues related to internationalization have been resolved.




The following issues have been resolved for Support Package 2:

  • A new background job, 'Role Generation Status Sync', has been added. This job updates the generation status for all roles in the ERM database from all available systems.
  • An issue with the export of Role Attributes (Business Process, Sub Process, Project Release, Custom Fields and Functional Area) has been fixed. Previously, clicking the export button exported all rows in the table; now only the selected rows are exported.
  • An issue with the Org Value Mapping export has been fixed. Previously, clicking the export button exported all rows in the table; now only the selected rows are exported.



The following issues have been resolved for Support Package 3:


  • Maintenance of roles with respect to global and local maintenance of org level values of authorization data now behaves the same in both ERM and PFCG.
  • On ERM connectors, the SAP Version combo box was showing the wrong values. This has been corrected.
  • Navigating with the Back button did not prompt the user to save changes. This has been corrected.
  • Viewing the Background Jobs or System Logs screen required additional UME Business Process authorization. This has been corrected; the screen no longer depends on any UME permissions other than its own.
  • Cross-site scripting vulnerabilities in the application have been resolved.
  • Access to sensitive application data over HTTP is no longer allowed.



The following issues have been resolved for Support Package 4:

  • The PFCG Change History Report showed only what action was performed on the role, not which transaction was inserted or deleted. This has been fixed in this support pack.
  • ERM Change History did not enforce date validation and accepted a from date later than the to date. This has been fixed.
  • Mass Role Import did not overwrite the role descriptions when the overwrite option was selected. This has been fixed.
  • Anonymous access to the application was possible by using the application URLs even when not logged in to the application. This has been fixed.
  • JSP templates for internal servlet usage were directly accessible via HTTP although they were not intended to be. This has been fixed.
  • Files and directories under the test directory that were used to aid the development process are no longer available, to prevent access by malicious users.
  • Previously, when a role was created with manually added objects, given global org level values, and then generated on the back-end systems, the global org level values did not propagate to the back-end systems after the role was generated. This issue is now fixed.
  • When a role created in Enterprise Role Management was generated on any back-end system, authorizations containing global org level values were also populated with $-prepended values after role generation. This has been fixed.
  • When generating a role, there is now the flexibility to generate it either in the foreground (synchronous) or in the background (asynchronous process), based on requirements.
  • When role generation for multiple systems was switched on and the role was generated after selecting the systems, clicking the Back button did not return to the role search results screen (where the process started). This has been fixed in this support pack.



The following issues have been resolved for Support Package 5:

  • Deletion of roles from both front-end and back-end systems is now possible. Previously, roles were deleted only from the front-end.
  • Automatic risk analysis during role generation can now be made optional via configuration.
  • Issues with propagation of org levels from master role to derived roles are now fixed.
  • Issues with duplicate role usage entries in the UAR Report when a user has the same role assigned multiple times with different validity periods are now fixed.
  • Manually maintained org level field values in master roles were not properly propagated to derived roles.
  • In certain scenarios, when a master role's authorization data was saved, its derived roles' org levels disappeared. This is now fixed.
  • Roles imported via Mass Role Import show duplicate global org values if the imported data contains duplicate entries.
  • If adding a new Tcode or object added a new org level to the authorization data of a master role, then on saving that master role the new org level was not propagated properly to its derived roles.
  • Error in searching approvers for Role Creation when first name is not maintained in UME.
  • A derived role's authorization flag turned from maintained to standard upon saving the master role's authorization data when the corresponding authorization flag in the master role was standard.
  • There were some issues with authorizations and org levels when a role was generated twice on a back-end system in some scenarios. This is fixed.
  • PFCG Synchronization threw an unhandled exception when the first field in any of the role's authorizations happened to be an org level.

Note: For information on the feature changes and enhancements for SP05, see SAP Note: 1282351, Access Control 5.3 Support Package 05 Supplemental Note.



The following issues have been resolved for Support Package 5 Patch 1:

  • User Access Request in CUP showed roles indirectly assigned to a user for action, in addition to the directly assigned roles. Part of this issue is fixed in the SAP back-end. Please refer to SAP S-note # 1278318 for details of the ABAP fix.



The following issues have been resolved for Support Package 6 Patch 1:


  • A time-out issue with the role usage synchronization job while synchronizing users with a large number of roles assigned is now fixed.



The following issues have been resolved for Support Package 6 Patch 2:

  • Importing roles in ERM fails if Org field values exceed 25 characters in length.



The following issues have been resolved for Support Package 7:


  • In RAR, it is possible to define critical permissions (e.g. S_DEVELOP). To do this, it is necessary to create a function that includes only this permission and no action. However, in ERM, when creating roles, if the function used includes only permissions and no actions, these permissions are not visible within the created role.
  • When importing roles into CUP from ERM, all roles are fetched irrespective of role status. Only roles that have the status "Production" or that are already generated on the back-end system should be fetched.
  • When generating roles from ERM Mass Generation, roles are generated successfully, including authorizations. However, when the roles are viewed in the front-end, the generation phase still shows in yellow and does not turn green.
  • When changing the approver for one or more roles via Mass Maintenance => Update, the approver does not change. This happens even when changing the approver from Configuration >> Workflow >> Approval Criteria.
  • It is not possible to re-arrange the sequence (order) of the steps within an existing methodology process (for example, we cannot move "Approval Step" before "Derivation step").
  • During a back-up procedure, if the database is automatically restarted, ERM is unable to connect to the database automatically.
  • Some authorization objects are not removed even after removing the transactions to which they belong.
  • The ERM role usage synchronization job duplicates the user/role information in the VT_RE_ROLE_USG table.
  • In ERM, the Role Usage Synchronization job fetches data for deleted users and also processes role usage for those deleted users, which results in a longer job run time and may cause some batches to time out.
  • Searching roles in ERM when there is a "_" showed the wrong results.
  • When adding a transaction in ERM, if the transaction ID contains a "." or "/", the authorization objects are not retrieved from the SAP system.
  • Creation of a role in ERM generates an ABAP dump due to changes in one of the R/3 function modules (PRGN_RFC_CHANGE_TRANSACTIONS) in the latest release. This has been fixed in this support pack.



The following issues have been resolved for Support Package 7 Patch 1:

  • The transaction usage detailed report does not show the composite roles of a user when the user executed a transaction from a single role that is part of the composite role. As a result, transaction usage for composite roles of a user in a UAR request shows zero transaction usage.
  • The connection using SAP JCO in ERM connects directly to the application server even when the message server is configured as part of the connection, so load balancing does not leverage the other available application servers.
  • When creating or changing a role in ERM, searching for a function to add to the authorization data fails to return data.



The following issues have been resolved for Support Package 8:

  • Critical action risks defined in RAR that also have authorization objects do not show up in role risk analysis in ERM before role generation.
  • Running the "compare user roles" report does not work for BW, Solution Manager or other non-ECC systems.
  • When performing the Transaction/Object/Field Sync, error "statement is closed at the index 501 Transaction ID" comes up.
  • "Unhandled Error n/a" on opening the Role authorization of some roles that have been imported in ERM.
  • Delivered UME roles do not provide necessary access to the configuration tabs.
  • When using multi-language, the role description and detailed description are not correctly generated in the SAP systems.
  • Org fields are disappearing upon uploading and copying of the roles.
  • Role usage for composite roles is not correctly recorded.
  • Unable to import composite roles correctly.
  • The sapjco connection works differently in ERM than in CUP which results in performance issues in ERM.
  • In non-English language, the PFCG Change History report in ERM does not work.
  • Incorrect description of authorization object is shown.
  • Australian date format is not shown in ERM.
  • When approving a role in CUP that was created in ERM, unable to add comments as "error on page" received.
  • When using "System Type" as approval criteria, it shows "5" instead of the text "enterprise".
  • If the customized object group name and description is given under permissions in a function in RAR, that function can't be added to a role in ERM as it generates an unhandled error.
  • Derived roles are not correctly inheriting the global organization value.
  • Doing mass maintenance for non-sap roles results in an unhandled error.
  • When importing non-sap roles, an unhandled error results, but roles do import.
  • Unhandled error on role generation in background when "Conduct risk analysis before generation" is "No" and "Use logged on user credentials for role generation" as "No".
  • Manually added auth objects show duplicate field values in some cases.
  • Error "Derived role data required" when generating a composite role, with already generated single role, first time.
  • Comparing two large roles takes a long time.
  • If no default connector is set for risk analysis and risk analysis mandatory is set to yes, role can still be generated without risk analysis occurring.
  • If an object is added manually in a role in PFCG and then synched with ERM, the object is not set as "manually" maintained in ERM, it is generated as "changed."
  • If a user is deleted in backend, Role usage synchronization retrieves this deleted user in the User table.
  • Risk analysis still shows the Risks in CUP, even after mitigated in ERM.
  • Inconsistency in the number of characters supported for System Name in ERM and RAR. As a fix, a warning message "System Name is required to be less than 10 characters in order to use RAR with ERM" has been introduced.
  • Various translation issues in Italian, Spanish, Portuguese.



The following issues have been resolved for Support Package 8 Patch 1:


  • When an Approval Criteria is changed, approvers for existing roles were not properly updated.
  • Risk analysis at object level was showing different violations when run multiple times, particularly on Oracle database.
  • ERM object-level risk analysis was not showing conflicting risks that were defined either only at transaction level or at both levels. If the user switches to the transaction type, it does not show critical action risks that were defined at both levels.



The following issues have been resolved for Support Package 8 Patch 2:

  • ERM Change history functionality is not capturing the changes of the Customer Attribute values.
  • When a risk contains transactions with "-" in the name, incorrect risk analysis results are shown in ERM.


The following issues have been resolved for Support Package 9:

  • In ERM, the Role Synchronization job does not give the cumulative count of user records added to the database, which was not the case prior to SP07 installation.
  • When a change is made to any approver in the Workflow -> Approval criteria, it will change the approver for all the roles even if the approval criteria for which we changed the approver does not apply to the role.
  • Organization level is not imported correctly during mass role import, for those org levels whose names didn't match their variables. For example, org field name is CSWRK and variable is $WERKS.  This does not upload correctly.
  • The role is provisioned (generated) into the risk analysis system instead of the role generation system.  This only happens when generating the role in background mode when the system landscape is set up with two systems, one for risk analysis and the other for role generation.  Generating role in foreground does not cause this to happen.
  • When trying to import profiles into the system using mass role import, error message is displayed: "Unknown error occurred while performing operation (n/a)".  This is specific to LINUX systems.
  • The role change history does not reflect the change made in custom attribute tab in role change.  If adding different value to the same field, the second value change is not recorded in change history.
  • Critical permission risks were not shown in the Role Risk Analysis screen whether the risk analysis was done at action or permission level.
  • When trying to maintain the authorizations using the feature "Maintain in PFCG" under "Objects By Class", unable to pull up transaction PFCG. This occurs if no transaction codes are added (the role has only permissions and no s_tcode).
  • Critical action risks are not returned when running at 'object' level.
  • The risk description is not correct for the Risk ID shown in risk analysis.  This happens if the transaction code has a dash '-' in the transaction code ID.
  • Role methodology of a Role is not reset to definition phase, if any attribute is changed in the role. This issue is fixed by providing a configurable option which determines whether changes to role definition will reset methodology to definition phase. Role attributes that are considered for it are Business Process, Sub Process, Project/Release, Functional Area, Approvers custom Attributes and Single Roles (For Composite Roles only).
  • System name can be greater than 10 characters in ERM; however, the system ID is limited to 10 characters in RAR and CUP.  To prevent issues, a new warning message is now inserted if a connector ID greater than 10 characters is created.
  • Existing single roles are getting deleted from Composite role when trying to add some additional single roles.
  • It is not possible to drill down into the graphs on Role Library to list the roles on the basis of Business Processes. This happens if the business process has a count of roles which is less in comparison to other business processes.
  • NEW FEATURE - The role information text file for mass role import was cumbersome for users to handle. A new feature has been introduced to use an Excel sheet as the Role Information File, with additional role attributes.
  • NEW FEATURE - Role usage sync now has options to include or exclude specific users.  UAR analysis is changed so that customers can run the UAR job and see the audit trail as required.
  • When upgrading 5.2 to 5.3 post sp5 (or 5.3 pre-sp5 to 5.3 post sp6), there was an issue that caused the Java server to fail due to out of memory exception.  This is caused by a large amount of data in one specific ERM table.
  • In ERM, the detailed view of transaction usage report is not showing the single roles which are part of composite roles for each transaction.
  • The organization values for derived roles are not being reflected in the generated role in the SAP back-end. This is specific to Basis 700 systems that are lower than support pack 17.
  • Informer -> Analytical Report -> List transactions in roles not working correctly. When searching for roles, it does not show results for single roles that are part of multiple composite roles.
  • The derived org level value in the Role Derivation screen always shows the initially created value. If you change the value by deleting the original value and adding a different value, the original value is still the value shown.
  • NEW FEATURE - New role attributes have been introduced in ERM including Critical Level, Role Owner and Role approver to ensure consistency with CUP.
  • NEW FEATURES - There are several new features introduced with SP09 in all components. Please refer to http://service.sap.com/instguides -> SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3 for the features implemented in SP09.
  • Various fields in ERM were not correctly translated into German.  These include:
    1) By creating a naming convention in ERM, there is a field to activate or deactivate the convention. This field is labeled with "Enforced" in the English version and "Erzwungen" in the German version. It would be better to name this "Status" in both versions.
    2) By creating or changing a connector (system) in ERM, the button to cancel the action has an incorrect label. Instead of "Abbrechen" the second "e" is missing and the label is "Abbrechn".
    3) In ERM you can configure some role attributes, among others the functional area. In the German version the label for that is "Funktnsbereich", but it should be "Funktionsbereich". The "io" is missing.
  • Even when Configuration -> Miscellaneous -> "Ticket number after authorization data" is set to "YES", the customer is able to generate the role without providing a ticket number. When a transaction is added and the user goes to the Authorization Data -> Object by class tab and presses the "Maintain in PFCG" button, the authorization data can be saved before any ticket number is added.
  • When a customer exports a role from the backend R/3 system using transaction code /n/virsa/re_dnldroles and then imports it using Mass Role Import, only the first line of a long description is populated.
  • The job "Transaction or Object or Field Sync" gives errors in the job history, but the overall status is completed. The job shows an error of "error synchronizing transaction information for (language) and connector (connector id)."
  • Organization level field $FM_FIRKS is not correctly passing values from the ERM front-end to the role being generated in the back-end.
  • Functional ID descriptions in ERM can be more than 40 characters, but in CUP this field is limited to 40 characters.  With sp9, a warning message will now pop up if a functional ID is created with a description greater than 40 characters.
  • Unable to import composite roles if they contain single roles that have similar names.  Error is due to : and _ usage in the single role names. A duplicate key error is thrown when trying to import the composite role.


The following issues have been resolved for Support Package 9 Patch 1:


  • When an object had more than one authorization and at least one of the authorizations was disabled, then after role generation the traffic lights corresponding to that object became corrupted and at times blank lines were added in some fields' values.


The following issues have been resolved for Support Package 10:

  • The same role gives different permission level segregation of duties results in ERM when compared to RAR.  ERM has been corrected to show the same risks as shown in RAR when doing simulation.
  • The analytical report for Role relationship to user and group in ERM is restricted to 999 hits.  This has now been changed so the max number of hits is now changed to be 99,999.
  • On performing Mass Role Import in ERM, all objects set to inactive in PFCG are shown as not completed (yellow) in ERM. A new facility, "activation and inactivation bulb", has been added at object level to activate and inactivate objects at a level above individual authorization object levels.
  • ERM does not allow a user to delete a connector even after deleting the roles associated with that connector.  Users with the correct UME permissions are now able to delete an unused connector.
  • When adding a transaction to a master role that has a derived role attached, an "x n/a" error message is received and the transaction is not added to the master role. If the derived role is deleted, transactions can then be added. Now, users may add a transaction to the master role without deleting the derived roles.
  • When migrating roles from Role Expert 4.0 to ERM 5.3, derived roles are not imported.  This was caused because Role Expert 4.0 did not have a role type of "derived".
  • Permission level risk analysis fails with error message "Action Failed".
  • Unable to control who can change the Role approvers.  Anyone who can change the role can change the role approver.  With this support pack, a new UME permission "ViewChangeRoleApprovers" has been added to the existing user permission list, to allow users to Add/Change/Delete Role Approvers while changing Role in ERM.
  • Error on page during mass update of a huge number of roles for Approvers, Functional Area, etc. However, mass update of a smaller subset of roles is successful. Now, there is no limitation on the number of roles used for mass update.
  • User is able to mitigate a risk even though they don't have the action ViewMitigateRisks in UME.  New UME permission "ViewRiskMitigation" has been added to the existing user permission list, to allow users to perform Risk Mitigation in ERM.  This permission has to be added to users that need to be able to mitigate risks.
  • Error "Failed to update database info: DB2 SQL Error: SQLCODE=-803, SQLSTATE=23505, SQLERRMC=1;SAPGRCDB.VT_RE_RLCONSTATS" occurs when generating a role and role is not generated.  This is specific to DB2 databases and has been resolved.
  • After deactivating an authorization object, system does not save the deactivated state and it reverts back to the original activated value. Authorization object deactivation is now possible through the minus sign located against that specific authorization object.
  • On searching for particular roles under Role Comparison, it is returning all roles.  With this support pack, providing the ability to limit the search of roles to find a specific role.
  • The system name displayed in the ERM risk analysis is the technical name of the JCo connection instead of the text of the configured system.
  • Not all organizational level fields are synched properly between ERM and PFCG.  Specific examples are field IWERK not being synched.
  • Mass role import function for uploading backend roles to ERM is not working. Even though ERM indicates roles uploaded successfully, only the first 15 roles are uploaded and the rest fail. Now, the role upload through Excel can handle unlimited roles for uploading.
  • The import of derived roles is not taking into account the values specified in the org level files.
  • Delivered ERM roles are missing the following actions that are listed in the Security Guide for 5.3 on page 35.
    ViewApprovalCriteria
    ApplyToExistingRoles
    ViewTransactionImport
  • ERM and CUP allow different number of characters in Functional Area.  In CUP it can be no more than 8 characters, but in ERM it can be up to 100. Having inconsistent Functional Area ID's between CUP and ERM can cause issues when importing roles from ERM into CUP.  With this support pack, ERM now will generate a warning if the Functional Area ID is more than 8 characters to ensure consistency with CUP functional area.
  • Analytical report "User to Role Relationship" does not work correctly and fails to report data for Composite roles.
  • Even after generation, the derived role status is shown to be "Current profile not generated". If the role is generated for the second time it shows the correct status.
  • Roles can be generated with risks even when "allow role generation with risk violation" is set to no.  This happens if less than all 4 options are selected in this configuration option.
  • When deleting a role in background, the job status never shows completion of the job.
  • Changing the Approver and applying this change to existing roles will not be recorded in the change history.
  • Informer report parameters are case sensitive.  Now with this support pack, the fields are case insensitive.
  • ERM allows a user to import an org value mapping file that does not contain all required fields.  With this support pack, an error message is introduced to prevent this.
  • When clicking on the back button of mitigation screen, a 500 Internal server error occurs saying "java.lang.nullpointerexception:  null"
  • Mass risk analysis is not showing the roles as having risks in the job history, even though the roles do have risks.  This only happens if this is the first run of the risk analysis for the role.
  • Deleting a transaction from a role causes an organizational level field (such as plant/WERKS) to be deleted as well even though other transactions in the role still require this organizational level.
  • The date format in the PFCG change history report shows as YYYY/MM/DD. All other reports show as MM/DD/YYYY.  With this support pack, the PFCG change history report now shows date in standard format.
  • In the Role usage synchronization job, unable to select or deselect "Reference" user type from the job.  It includes reference users if "dialog" users are selected.  With this support pack, now deliver "reference" user type as a unique user type separate from dialog.
  • Using the "tab" key jumps to fields in jumbled order.  With this support pack, the "tab" key now jumps to the proper fields.
  • If an org level field is manually changed in a copied authorization object that has a status of "maintained", that manually changed field is still overwritten by the org level field when it should remain as the manually maintained field.
  • Roles are generated with risks, even though "allow role generation with violation" is set to no.  This happens if the configuration option "role generation on multiple system" is set to YES.
  • The configuration and role management tabs are not correctly translated for French, German or Norwegian.
  • The system dropdown control is empty for Informer->Reports if a user is logged on in Russian language.
  • In the Test for Count authorizations for Users report, the System drop down shows systems only for Russian language and not for other languages.
  • The first and last configuration parameters are missing Russian translation.
  • The Background, Org Levels, Role Generation, Mass Role Generation, Mass Risk analysis, Role Search in Informer reports are not correctly translated for Russian language.
  • Master Role maintained authorization object field value is inherited by derived role on the Derived Role generation.


The following issues have been resolved for Support Package 11:

  • Roles are imported into ERM with organizational level CSWRK when they do not have this field in PFCG.
  • UAR requests are not generated for all the systems after the completion of UAR Review Load Data background Job.
  • Unable to import a role with error saying it's unable to determine a business process match.  The cause is that the system allows 1 Sub-business process to be linked with multiple business processes when data is imported from files. This correction is to prevent a user from being able to load a single sub-process against multiple business processes.
  • While importing roles into CUP from ERM, it fetches all the roles. This support pack changes the logic so that a role is imported under the following conditions: 1. When the role status is set to 'Production'. 2. When the roles are generated and available in the backend system.
  • The methodology process of a role does not ensure that the role goes through role approval again when the role is changed through mass maintenance. The fix ensures that the methodology process is reset for roles changed using Mass Maintenance so that role approval is performed again.
  • During mass role import, it was not possible to do a mass approval for all roles to move them to generated status; each role had to be approved individually. As part of the fix, roles can skip the approval phase by putting "Yes" in the column after the alternative approver in the role information file (for the roles that should not go through the approval phase).
  • While logging into ERM, a user is unable to change the password when a change is required at first logon or after password expiration. The user had to go to the UME login page to change the password. Now, whenever an expired or initial password must be changed, the ERM login provides a link that takes the user directly to the UME logon page to change the password.
  • User was able to input a lower case transaction code in ERM which when transferred to PFCG in the back-end was not correctly translated to all upper case.  The fix is that ERM will convert all transactions to upper case.
  • The wrong language description is shown after mass importing roles.  The issue is due to the fact that the languages retrieved from the CacheManager are not correct.
  • After installation of Support Pack 9, unable to run Count(*) queries using the open_sql.jsp page. Message "Error:Null" is received. This fix is provided at the CUP interface.
  • When running the Org Value Mapping job under configuration, error "action failed" received.  The cause is that the database connection opened is not being closed and that is causing too many open connections due to which JDBC connection pool is getting exhausted.
  • When you open any role in change mode and click on the lock button on top right hand side then instead of locking the role it toggles to display mode.  This fix is to change the icon so it only shows an "unlock" icon as that is the intended functionality.  The functionality does not allow you to lock a role, only unlock it.
  • The Configuration - Miscellaneous screen is blank even after reapplying the .xml files following note 1255303.
  • Naming standards for composite roles do not work correctly as it forces entering a profile name, even if profile name is not a required field for the composite role.
  • An error occurs while adding a function to a role in ERM. The error message is "Unknown error occurred while performing operation (Cannot assign a java.lang.String object of length 55 to host variable 2 which has JDBC type VARCHAR(50). in method insertOrgLvlsForRole)".
  • The role status and criticality level are not correctly migrated from Role Expert 4.0 to ERM 5.3.
  • Role generation flag is Green even when the role is not generated because of risk violations in the role.
  • When a custom field that includes a date is added to ERM, an Internet Explorer error is shown saying there are problems with the website on Line 528.
  • Changing the detailed description of a role is not showing in the change history.


The following issues have been resolved for Support Package 11 Patch 1:

  • Inconsistent Risk Analysis results while changing and running SOD analysis for a Role in ERM.
  • While changing an existing role, i.e. by adding a manual object or deleting a TCODE, ERM removes the manually added object after saving changes to the role.
  • Authorizations given to end users are mixed up wherever there are multiple nodes for an authorization object.
  • While deleting tcodes from a role in PFCG, values of object fields associated with some other tcodes are getting deleted from ERM roles.


The following issues have been resolved for Support Package 11 Patch 2:

  • Whenever a user modifies a role in ERM and generates the role into the R/3 system, the AGR_1251 table stores a huge amount of data.


The following issues have been resolved for Support Package 12:

  • The Help Link is now changed to link directly to Access Control help. Previously, it was going to the generic help and users had to drill down to find the Access Control help.
  • When performing mass import of roles, 1) the job history does not always display the role names 2) failure of the import does not always identify the failed role.
  • Changing an org. level value globally does not reset the methodology process so that the authorization step is yellow, even if "Reset Role Methodology when Changing Role Attributes" is set to yes under miscellaneous configuration.
  • Using mass maintenance to adjust field values for existing authorization objects creates new profiles for the new field values instead of adding the values to the existing authorization profiles. This results in a new node of the authorization object being created instead of the value being added to the existing one.
  • There is no option in mass maintenance to add/change/delete organization level field values to groups of roles.
  • Imported roles are not following the configured default methodology.
  • The system landscape is not shown for subroles while searching within composite roles.
  • After implementing SP09, the Transaction usage report is not considering the transactions which are maintained in intervals (ranges) or with a wild card (*) in authorization object S_TCODE.
  • The Role Description is getting split into multiple lines in the backend after generation.
  • When a user searches for a role in Mass Update based on organization level, the search does not return all the roles that it should.
  • Risk analysis is not returning correct results if ERM has a role with an authorization object that has multiple nodes/authorizations with different field values.  Instead of analyzing them as separate authorizations, ERM combines all the field values and returns false positive risks.
  • When trying to change a role, the error message "Correct the following errors enter a valid value for profile" appears. This occurs when a role has multiple profiles and is uploaded from the back-end system. If the last profile has 11 characters, this causes the issue.
  • A user cannot delete authorization objects from a role in ERM but can only inactivate them. With this support pack, inactive authorization objects can be completely deleted in ERM.
  • If creating a role in the definition stage and the role approver has been determined, selection of the Approver(Provisioning) check box is not saved.
  • Changing master roles that have many derived roles causes a timeout error.
  • ERM displays an error message in objects by transaction in authorization data view when trying to page down. Error message is 403 Forbidden error "you are not authorized to view the requested resource".
  • Periodic jobs (weekly/daily) are not triggered after one successful cycle completes. The jobs stay in Ready status instead of executing based on the schedule.
  • Single roles in a composite role are displayed as duplicated after saving the composite role and viewing it again. This occurs if the system landscape description is maintained in a language different than one defined under miscellaneous configuration.
  • The last column in the Role info template excel sheet does not have a name. Added column header 'Set Role Methodology Complete?'
  • Custom field and functional area of the role are not imported during mass import. This happens if there are two lines for the role in the RE info file where the first line has Role Approver and second line has Role Owner.
  • The signal flag for objects for org level fields turns yellow instead of staying red to indicate there are org level fields that do not have any values. In addition, the default values for org level fields VKORG and VTWEG are not displayed.
  • If a role has multiple nodes with different statuses (Standard, Changed and Manually), ERM converts all of the statuses to Manual when generating the role.
  • Changing an open field value after initial setting of values incorrectly changes the status to Changed when it should remain as Maintained.
  • System-specific org levels are not being fetched when creating a role. If systems have different org levels, the org levels will show in all systems, irrespective of whether the field is actually an org level for the system for which the role is being created.
  • If ERM is configured to have two concurrent background jobs and one of two running background jobs is deactivated, any new background job scheduled goes into Waiting status instead of Running status.
  • Entering an invalid activity value in ERM is saved in back-end PFCG. There is no validation that the activity value is a valid value.
  • Error message "Unknown error occurred while performing operation" occurs when doing mass role import.
  • In mass maintenance, searching for a role using an org level field value does not return results.
  • If a derived role has a global org field value deleted, it defaults back with the $ value.  Saving the master role should push the master value down again to the derived role but $ value stays in the role.
  • If a master role has a blank org value, this blank value is transferred to the derived role.  Subsequent changes to the master role in this org value field are not correctly transferred down to the derived role as the field remains blank in the derived role.
  • ERM does not automatically populate the Role Approver based on the configuration defined in Approval Workflow Criteria at the time of Role Import/reimport.
  • Searching for roles in Mass Maintenance does not work properly.  When roles are selected and then the landscape is selected, the searched roles list is gone and all roles are returned.  When you search roles without specifying a landscape, it returns the roles based on the search criteria.
  • ERM does not migrate all the roles with a Critical level field value when upgrading from a lower version to a higher version (SP08 to SP11).
  • If a role has only one org level field populated, then the org levels that don't have values are not being displayed when the role is generated in PFCG.
  • The transaction menus (folders) disappear in the Backend when you regenerate the Role from ERM.
  • Mass role update on ABAP 7.01 systems is not working and role changes are not flowing through to master or derived roles.  This is caused by a change to the standard function module used by ERM.
  • When performing mass role import, role descriptions with a Z locale in table AGR_TEXTS generate the error "role not imported; unable to delete existing role".
  • When there are two nodes under a single authorization object, one Standard and one Maintained, generating the role from ERM introduces extra $<ORGFIELD> (Open Org Values) values added to the field.
  • If a role has a manually called authorization object and a transaction is deleted from the role, a duplicate blank calling of the manual authorization object is being inserted by ERM.
  • In the Mass Maintenance screen, performing a mass change for owner where the owner name is chosen by searching does not result in the owner name being updated.  If the owner name is keyed in directly versus using the search, then the change is made.
  • Not all changes performed in ERM are being correctly reflected in the SUIM change history reports of the back-end ABAP system.
  • When a derived role is created from a master role that has multiple nodes under a single authorization object, ERM is improperly consolidating these nodes in the derived role into one single calling.
  • ERM allows changes in the standard S_TCODE object. This is not allowed in PFCG; the customer has to add the S_TCODE object manually to add any new value.
  • NEW FEATURE - A new configuration parameter is now available to allow customers to enable/disable the log off URL within the Access Control capabilities.
  • Error "action failed" occurs when running transaction level risk analysis.  This only occurs if the option under Configuration => Miscellaneous => Risk Analysis and Remediation web services is set to be "Do not use Web Service; CC deployed on the same server".  If option is changed to "use Web Service", this error does not occur.
  • The data in table AGR_1251 is different if a role is generated from ERM versus directly from PFCG.
  • Error "risk analysis failed; violations exceeds the threshold limit" occurs when running transaction level risk analysis.  This only occurs if the option under Configuration => Miscellaneous => Risk Analysis and Remediation web services is set to be "Do not use Web Service; CC deployed on the same server". If option is changed to "use Web Service", this error does not occur.
  • In the Risk analysis detail report, the "to" value of the report has incorrect values for some of the line items.  This happens if the RAR rules are configured to have a range of values (such as ACTVT 01-02). The 02 value will then show for all ACTVT line items, not just the specific field configured this way in the rules.
  • If ERM has an authorization object with status Changed, and the transaction corresponding to the authorization object is removed, the authorization object is correctly removed.  However, if the same transaction code is re-added to the role, the authorization object is coming in Changed status with the prior values, instead of coming in as New status with open fields.


The following issues have been resolved for Support Package 13:

  • The SAP type custom attribute for table agr_1250 takes around 15 min. to load in the drop-down when it is added during role creation. Subsequent addition of this custom attribute causes the application to hang.
  • Transaction code descriptions are missing when loading roles via mass role import.
  • When the user tries to change the role owner and approver through the Mass Update module, the change is not applied.
  • When a mitigating control is assigned to a role in ERM, the validity date defaults to 100 days instead of using the configuration in RAR set in Configuration - Mitigating Controls. With this support pack, the validity date in ERM will match what it is in RAR configuration.
  • The ERM Role usage sync job is not deleting the existing data for excluded users if the user type is changed in Miscellaneous configuration. For example, if the job is first run for all users, but then subsequently run for Dialog Users Only, the non-dialog users were not deleted from the ERM role usage sync tables.
  • Unable to import derived roles if there is no corresponding org level file, even if the roles don't have any org level fields. Error "Role not Imported" occurs in the log. Now, a user can import a derived role by enabling the Dummy Org Level concept in the Miscellaneous tab.
  • In ERM, the mitigation control description is shown instead of the actual mitigation control ID when mitigating a role. Now when performing risk mitigation for a risk, the mitigating control ID is shown instead of the description.
  • Expired users are not deleted even though the configuration is set to exclude expired users. With this support pack, a new background job 'Synchronization of User Validity Date' is created which populates existing user data with the validity date; scheduling the role usage synchronization job afterwards removes the inactive users from the database if exclude expired user is set to 'Yes'.
  • When sorting by date on the ERM Transaction Usage Report, the dates sort as a "TEXT" field and not as a date field.
  • When deleting roles using the option "Delete from both frontend and backend", roles are not deleted if the role does not exist in any one of the systems used in a landscape.
  • Within the role creation/modification screens, the combo box for sub process was unsorted.  Now, the data will be sorted based on selected business process.
  • A new configuration option has been provided which allows you to hide/display the header logo for proper integration with NW Portal.
  • After selecting the business process, subprocess and functional area, the approver data is not picked up properly.
  • The transaction synch job takes a lot of time and the server hangs after running the job for 24 hours. The performance of this job is improved as part of the fix: the job now finishes in around 35-40 min. (on a fresh system), where it previously took around 70-80 min.
  • A user could have a role open in edit mode in both ERM and PFCG at the same time. The only changes saved are then those of the user who last clicks on the save/generate button. With this support pack, a mechanism is provided so that if a role is opened and changed in the back end and afterwards opened and changed in the ERM front end, a pop-up is displayed asking the user whether to overwrite the back-end role with the front-end changes. If the user does not overwrite the back-end role, there is an option to sync it from the back end.
  • When adding or removing transactions or org fields, the change history of ERM shows redundant records.
  • Message "No Risks Found" shown, even though there are Critical transaction level risks.
  • The ERM drop down lists for custom attributes and sub-processes are not sorted alphabetically.
  • Custom fields with large content values are not completely displayed in the drop down list.  This is changing so the full 100 characters are displayed in the drop down listing.
  • If a single role has the description maintained in different languages, the single roles are displayed multiple times in the composite roles.
  • When running the Role Usage Synchronization job in ERM, it throws the error 'ORA-01795: maximum number of expressions in a list is 1000'.
  • Within the "authorization" area of a role on the Transactions tab, there is an entry under the Transaction Code column called MANUALLY.  This incorrectly came up if the customer added any custom authorization objects to the role and has now been removed with this support pack.
  • Critical permission risks are not shown at time of role generation if "conduct risk analysis for role generation" was set to yes and "allow role generation with violations" was set to no.
  • The report "Compare User Roles" on the Informer tab is not returning correct results.  Only roles that are shared by the two compared users are showing.  This report should show roles that the source user has and target doesn't as ADD and should show roles that the source doesn't have and the target has as REMOVE.  The only roles shown are KEEP which are the roles that are shared between the two users.
  • In ERM, you aren't able to go to PFCG unless you first enter a transaction code in ERM. Specifically, if you go to Go to Objects by Class and click on Maintain in PFCG, if the role has no transactions in ERM, this will pull up the error "Illegal handler: trying to access row values in a table which does not have any rows yet."
  • Roles are not importing into the ERM application via Mass Role Import. Error occurs: "Unhandled error; n/a". This happens if you try to import roles and don't use the org file for upload even though it is not a derived role.
  • When mass maintenance is used to add transaction codes to multiple roles, the authorization objects of some of the transaction codes were not inserted into the role authorizations.
  • Background job task name "Save Authorizations to derived Roles" is only available in English. This is not available in any other language.
  • If the authorization object is changed from STANDARD to MANUALLY in PFCG and then imported into ERM, then next time the role is generated back into PFCG, it changes the authorization object status back to STANDARD when it should remain MANUALLY.


The following issues have been resolved for Support Package 13 Patch 1:

  • Composite role risk analysis was giving false positive risks. For example, if composite role A has single role B and single role C, then when performing risk analysis on A, authorizations were being combined from B and C. This patch ensures that single role authorizations are not combined when performing risk analysis for a composite role.
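
The Support Package 12 fix for authorization objects with multiple nodes and the composite role fix above describe the same defect: field values from separate authorizations are pooled before the rule is checked. The following added example (not SAP's code; the object name Z_DEMO_OBJ, the rule and the role data are constructed assumptions, and the node/rule model is simplified) contrasts pooled evaluation with per-node evaluation.

```python
"""Per-node versus pooled evaluation of a permission-level rule.

All data here is constructed. Z_DEMO_OBJ is a hypothetical authorization
object; the node/rule model is a simplification assumed for illustration.
"""

OBJ = "Z_DEMO_OBJ"  # hypothetical object name


def node(obj, **fields):
    """One authorization (node) of an object: field name -> set of values."""
    return {"object": obj, "fields": {f: set(v) for f, v in fields.items()}}


# Constructed roles: B may create (01) in sales org 1000, C may display (03)
# in sales org 2000. Composite A simply contains both single roles.
SINGLE_ROLE_B = [node(OBJ, ACTVT=["01"], VKORG=["1000"])]
SINGLE_ROLE_C = [node(OBJ, ACTVT=["03"], VKORG=["2000"])]
COMPOSITE_A = SINGLE_ROLE_B + SINGLE_ROLE_C

# Constructed role that really does carry the risky combination in one node.
ROLE_D = [node(OBJ, ACTVT=["01", "02"], VKORG=["*"])]

# Constructed rule: the risk exists when ACTVT 01 is held for VKORG 2000.
RULE = {"object": OBJ, "fields": {"ACTVT": "01", "VKORG": "2000"}}


def value_matches(granted, wanted):
    """A field grants a value if it lists it or holds the full wildcard."""
    return "*" in granted or wanted in granted


def node_satisfies(n, rule):
    """True only if this single node grants every field value in the rule."""
    if n["object"] != rule["object"]:
        return False
    return all(
        value_matches(n["fields"].get(field, set()), wanted)
        for field, wanted in rule["fields"].items()
    )


def analyze_per_node(nodes, rule):
    """Corrected behaviour: each node is analyzed as a separate authorization."""
    return [n for n in nodes if node_satisfies(n, rule)]


def analyze_merged(nodes, rule):
    """Defective behaviour: field values of all nodes of the object are
    pooled first, then the rule is checked against the pool."""
    pooled = {}
    for n in nodes:
        if n["object"] == rule["object"]:
            for field, values in n["fields"].items():
                pooled.setdefault(field, set()).update(values)
    return all(
        value_matches(pooled.get(field, set()), wanted)
        for field, wanted in rule["fields"].items()
    )


def false_positive(nodes, rule):
    """True when pooling reports a risk that no single node supports."""
    return analyze_merged(nodes, rule) and not analyze_per_node(nodes, rule)


if __name__ == "__main__":
    for name, nodes in [("COMPOSITE_A", COMPOSITE_A), ("ROLE_D", ROLE_D)]:
        print(name,
              "merged:", analyze_merged(nodes, RULE),
              "per-node hits:", len(analyze_per_node(nodes, RULE)),
              "false positive:", false_positive(nodes, RULE))
```

Pooling flags COMPOSITE_A because ACTVT 01 and VKORG 2000 both appear somewhere in the pool, although no single authorization grants them together; ROLE_D is flagged by both methods because one node grants the combination.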


The following issues have been resolved for Support Package 13 Patch 2:

  • Mitigation search is not working in ERM after support pack 13.


The following issues have been resolved for Support Package 14:


Please implement the SNOTE 1543524 for VIRSANH 530_700 & VIRSAHR 530_700 release which is mandatory.

Please execute the report /VIRSA/TRANSFER_UTILITY_REP to migrate the data from /VIRSA/RULEATTR to /VIRSA/RULEATTRN. This would address the issues related to HR triggers.

  • When the "Conduct Risk Analysis before Role Generation" configuration option is set to YES, and if the role generation fails then the Risk Analysis step will not be marked as completed.
  • In Role Comparison - Search, custom fields are not showing in the results screen.
  • Global org level values are not populating correctly down to authorization objects.  Specifically, if an authorization object is manually changed to include 1 additional org level value in addition to the global value, the global value is removed.
  • Manually added authorization objects are being deleted after deletion of a transaction code.  Manually added authorization objects should not be changed with any change to transactions.
  • Using Mass Update, it was possible to change the "standard" s_tcode calling without changing the menu. With this support pack, it's locked down so no changes can be made to the standard s_tcode calling.
  • Using Mass Update, it was possible to delete the field TCD from the standard authorization object s_tcode.  With this support pack, this is locked down so that the standard s_tcode fields cannot be deleted.
  • In ERM, it is possible to delete the standard s_tcode calling by first inactivating and then deleting the object.  With this support pack, the ERM functionality now matches PFCG where you cannot delete the standard s_tcode calling.
  • When clicking on Informer >> Access Requests >> Request by Type, the counts for request type are mismatched between the bar graph and the drill down within the application.
  • After upgrading to support pack 12, the VIRSA_AE_ERMCONFIG table still shows as being version 11.2.
  • In the Informer  tab, the Report titled User To Role Relationship has a maximum number of hits limit of 99,999.  With this support pack, a new configuration option will be made available so each customer can determine what maximum number of hits they want this report to default with. The new configuration is available under the Miscellaneous selection and is called "Maximum No. of Hits".
  • If a role is open in PFCG, a user is still allowed to submit a job to delete the role in ERM.  With this support pack, if a role is locked, you cannot submit a job to delete the role in ERM.
  • When deleting a role in ERM, the job history does not show details of whether the role is deleted and the role is not deleted in either ERM or the back-end system.
  • Composite roles which contain single roles could not be deleted from back-end via ERM, even though ERM indicates the deletion was successful.
  • Single roles which are part of composite roles could not be deleted from back-end via ERM.  Error message "cannot delete role:  dependency" is shown in the job log.
  • Only one approver is shown when multiple custom attributes are used for approval criteria, even though multiple approvers meet the criteria.
  • Changing the approver via Configuration - Workflow - Approval Criteria does not show up in the Change History for the role.
  • Upon importing roles using the bulk and info file, the job history shows an invalid entry that states "Role n/a import failed" even though the role import was successful.
  • The background job history does not show the role name for newly created or overwritten roles when importing roles via background jobs.
  • Error message "role not imorted" shows instead of "role not imported". Text corrected with this support pack.
  • Sorting the results under Informer Reports - Roles by Date of Generation by date sorts only by date, but not by time.
  • If the Business Process has an '&' symbol and this business process ID is used in the Naming Convention for a role, the business process name is not correctly inserted into the role name.
  • Updates done to a role in the "testing" phase are not shown in the Change History for the role.
  • When doing risk analysis, message "action failed" appears.  This occurs if the role has a manually added value of s_tcode and that authorization object is blank (no transactions assigned).
  • Approval criteria changes are not flowing through to impacted roles if the "Apply to Existing Roles" button is not pressed immediately.
  • When a role is generated in background, the role is generated, but it does not progress to the next stage.
  • If role generation fails, the workflow still proceeds to the next step. With this support pack, if role generation stage fails, the workflow will not proceed to the next step.
  • The critical level is not saved when saving a role in Spanish Language.
  • When trying to add a function to a role, error message "unhandled error:6" occurs.
  • The critical level description is not showing in the Role Detail screen when logged in under non-English language.
  • When a role has transactions added directly as well as being added via functions, when the directly added transaction is deleted, it deletes the function transactions as well.  When the same function is added back, the authorization objects are deleted instead of being added back.
  • When trying to upload files, error "Cannot attach and empty file" occurs.
  • Risks are showing in ERM that should not show as the role does not satisfy the rule as defined in RAR.
  • The description field for the system connectors does not display properly when the logon language is non-English. No connector information is displayed in the Informer > Analytical Reports > Transaction Usage report System selection screen.  This is also happening in the Informer > Ana

Affected Releases
Software Component | Release | From Release | To Release | And subsequent
VIRRE | 530_700 | 530.700 | 530.700 |

Related Notes
1635008 Important Notes for Business Role Management 5.3 and 10.0
1603540 Field Length for Business Process and Sub-Process in AC 5.3
1590008 JAVA output encoding
1548963 Role is not generated in ERM
1546117 Receive Unhandled error; -1 and 500 Internal Server Error
1544716 When changing Role in PFCG gets 'User Locked' Error
1544715 Not able to Import the Roles to ERM from WTS system
1543515 You get the Error "Enter a valid upload file format"
1542113 The Button 'Apply to existing Roles' is greyed out in ERM
1541073 Running Risk Analysis on Role results in Action Failed