Have you ever come across a scenario whereby you have gone through the process of changing your role in BRM, sent for approval, ran the SOD analysis and only to find that the risk approvers have approved the risks but the role is stuck in "Risk Approver"?
You have checked that all workflows have been complete and also confirmed the GRACROLE table shows the table is holding a lock but there is still an issue? This custom program can be used in a break glass scenario to unlock the role in your production system.
Please note that this program should not be accessible to GRC/Security consultants in their daily role, we would suggest this be used in conjunction with Firefighter so that all logs are captured, reviewed and approved by the FF owners.
Follow the steps below to create the new report and then after successful testing, transport it to your Production system.
Go to SE38 in your GRC Development system and create a new report. You can call it whatever you like, we would recommend some sort of custom identifier like Z_ , ZZ_ etc. (Z_UNLOCK_BRM_ROLE)
Copy the below code into the program, save & activate it.
*&---------------------------------------------------------------------*
*& Report ZZ_DELETE_BRM_ROLERLATE
*&
*&---------------------------------------------------------------------*
*&
*&
*&---------------------------------------------------------------------*
REPORT ZZ_UNLOCK_BRM_ROLE.
TABLES : GRACROLE.
DATA : IV_ROLE TYPE TABLE OF GRACROLE.
DATA : WA_ROLE TYPE GRACROLE.
** Selection criteria
PARAMETERS P_ROLE TYPE GRACROLE-ROLE_NAME OBLIGATORY.
PARAMETERS P_CONGRP TYPE GRACROLE-CONNECTOR_GRP OBLIGATORY.
parameters test type checkbox default 'X'.
IF P_ROLE IS INITIAL.
WRITE :/ '****PLEASE ENTER THE ROLE NAME****'.
EXIT.
ENDIF.
IF P_CONGRP IS INITIAL.
WRITE :/ '****PLEASE ENTER THE CONNECTOR NAME****'.
EXIT.
ENDIF.
SELECT SINGLE * INTO WA_ROLE FROM GRACROLE WHERE ROLE_NAME = P_ROLE AND CONNECTOR_GRP = P_CONGRP AND LOCKED = 'X'.
IF SY-SUBRC <> 0.
WRITE: /.
WRITE : '**** ROLE DOES NOT EXIST OR THE ROLE IS NOT LOCKED ****'.
EXIT.
ENDIF.
IF TEST IS INITIAL.
IF WA_ROLE IS NOT INITIAL.
WA_ROLE-LOCKED = ''.
UPDATE GRACROLE FROM WA_ROLE.
IF SY-SUBRC = 0.
WRITE : / '***ROLE IS NOW UNLOCKED***'.
WRITE :/ WA_ROLE-ROLE_NAME, WA_ROLE-ROLEID, WA_ROLE-LOCKED.
ENDIF.
ENDIF.
ELSE.
WRITE:/ '****ROLE IS CURRENTLY LOCKED****'.
WRITE :/ WA_ROLE-ROLE_NAME, WA_ROLE-ROLEID, WA_ROLE-LOCKED.
ENDIF.
The program consists of the following parameters that need to be entered:
P_ROLE: This is where you enter the role name that you wish to unlock.
P_CONGRP: This is where you specify the GRC connector group name.
TEST: If you want to check the role in TEST mode, place an "X" in this box, this will not unlock the role. If you wish to carry out the unlock, then remove the X and leave it blank.
Its as simple as that. Again, I must re-iterate, this should only be used if you have correctly made sure all approvals have been received. It seems to be a bug with GRC 12.0 atm, maybe it will be fixed in the future.
More information can be found in https://me.sap.com/notes/1805237/E