on 06-23-2011 10:20 AM
I configured GRC AC 10 SP4 workflow using the document "AC 10.0 Pre-Implementatio From Post-Installation to First Access Request.pdf". And using the default BC-Sets.
I can create an access request. But it will never find/assign an approver.
Something strange is also happening:
When I do search the created request and click on Administration (currently logged as user BHT), I get the following messages:
User '&FF_CNTLR&' has no authorization for process '&SAP_GRAC_ACCESS_REQUEST&' administration Display Help
User 'SAP_GRAC_ACCESS_REQUEST' has no authorization for process 'FF_CNTLR' administration
The User FF_CNTLR is supposed to be the manager who should approve this request. He has the role SAP_GRAC_ACCESS_APPROVER assigned.
Now, in order to be able to administer the request that I created as BHT (with Manager FF_CNTLR), I have to assign to the Manager FF_CNTLR the role for Workflow administration. Only then will the screen open the request- as it should.
It looks like the system is doing some confusion between the two users.
Earlier, I also managed to create a request, while beeing logged as BHT, and having entered FF_CNTLR as manager, then the user I requested the change for was suddenly not any more BHT, but FF_CNTLR. I then changed the request from Self to Other, and finally saved it. The result: A request which requestor FF_CNTLR (altough I did all steps while beeing logged as BHT) - I guess there is also a bug - or it is the same problem.
But for the time beeing - I would just be happy if any approver would be found.
Does anybody have an idea??
Hey Benno,
Can you paste here the audit log for the request number not finding an approver? Also which agent rule are you using in the first stage?
I'm not sure I completely follow the second problem, but I can confirm that for an approver you only need a equivalent to SAP_GRAC_ACCESS_APPROVER, plus the stadard roles SAP_GRAC_END_USER, SAP_GRAC_BASE, SAP_GRAC_NWBC.
No need to add the workflow admin role to approve request addressed to the user.
Luis
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Luis,
here is the audit log:
Audit Log
Time Stamp
Updated By
Request 9000000007 of type Change Account Submitted by Benno Hirt ( BHT ) for Benno Hirt1 ( BHT ) with Priority 000
23.06.2011 08:50:04,2560000 Benno,Hirt (BHT)
G10CLNT100 System added to User BHT for action 'Change User'
23.06.2011 08:50:04,2650000 Benno,Hirt (BHT)
and the path status:
Stage Seq. No.
Stage Description
Path Description
Path Status
Stage Status
001 GRAC_DEFAULT_STAGE GRAC_DEFAULT_PATH
the agent rule id is:
GRAC_MSMP_MANAGER_AGENT , rule type: F Agent Type: GRC API Rules
kind regards,
benno.
It is actually covered in the GRC 10.0 Post-Installation Guide in our BPX web site:
http://www.sdn.sap.com/irj/bpx/grc
Edited by: Luis Bustamante on Jun 23, 2011 12:47 PM, fixed URL
ok - my fault - I must have skipped the entire WF-related section. Now I have done all that - except one point, I do not know what to enter to bring it to green:
in Automatic Workflow Customizing - Maintain Additional Settings and Services - Maintain Web Server
what are the values I have to enter there ?
I have created a new request - but for the time beeing there is no change - nothing in Audit log talks about WF-BATCH user...
Just set the values as per the example, use the FQDN the the server, port 8000, and the same path as shown there: SAP/BC/WORKFLOW_XML/?
That should bring it to green.
Try using the MSMP Instance Runtime Monitor to debug the problem, it is under URL .../sap/bc/webdynpro/sap/grfnmwmsmpmon?spa-language=EN. Also transaction SWI2_FREQ is useful to debug problems.
It should be working if you followed the post-install guide and the pre-implementation, I'm inclined to think still problem is related to the workflow user, please assign temporarily SAP_ALL and retest.
Thanks for this input. The workflow customizing is now green. I have added SAP_ALL to WF-BATCH. I ran a WF-test and received an Item in my inbox saying it is working fine. I created new access requests.
Using the browser baised WF monitor (and/or SWI2_FREQ), I can only see that there is NO WorkItem. It looks as if the workflow was never triggered
I have gone through all available documentation - and managed also to make Email notification work (upon request submission I get now an Email notification). But the WF doesn't really start.
Is it possible to debug NBWC step by step - maybe I would then see why the workflow event gets not raised... - or does anybody have any other idea how to get further?
thanks again!
Sorry I don't know much about the WF monitor page, but good to hear you got the work item in the inbox.
For notifications there is a recently published guide in the BPX website on the topic.
What do you mean workflow does not start? I thought you had it in your inbox already, I'm confused now. Usually the audit log is enough once you get the WF user working, it shluld tell you exactly what's failing.
So far I don't know any other tool for monitoring MSMP workflows other than what I mentioned... some generic logs are stored in objects GRFN and GRAC using transaction SLG1.
when I say that I had a Workitem in my inbox, this was due to testing of the automatic workflow customizing. There is a button to check it really works. This is SAP standard and has nothing to do with GRC.
From within GRC AC the workflow is never started - no workitem is created. Therefore no approver gets a workitem. Something seems to fail upon raising the event to trigger/start the access request workflow.
I have checked the BAL logs, also dumps (ST22). But there is nothing.
I have here below a portion of the NWBC trace - maybe someone understands it...
INFO <NWBC.ConnectionManager> | Added protocol/server/port URL: http://aglgesrvsap10.agentil.local:8000/sap/bc/webdynpro/SAP/GRAC_OIF_REQUEST_SUBMISSION?sap-client=...
DEBUG <NWBC.Foundation> | BEGIN: Fire_EvNavigateURL(connectionName G10CLNT100, sessionID 1,.navTreeTargetID ,.url 'http://aglgesrvsap10.agentil.local:8000/sap/bc/webdynpro/SAP/GRAC_OIF_REQUEST_SUBMISSION?sap-client=100&sap-language=EN&sap-nwbc-context=02DAMDUzLjIuOTAwMDA=',.title Access Request, mode NAV_MODE_NEWWINDOW_HEADERLESS, windowAttributes 'toolbar=no,resizable=yes', windowID , workProtect true, toHistory false, nodeToSelectID (null), canvasAppType 4112, suspendCurrentSession false)
DEBUG <NWBC.Foundation> | invoking event handler method
DEBUG <NWBC.Foundation> | END
DEBUG <NWBC.ConnectionManager> | END : resolveABAP // 124 ms
DEBUG <NWBC.ConnectionManager> | END : executeBackgroundJob('JOB_ABAP_RESOLVE') // 124 ms
Workingset=131976[1288] KB / Pagefile=137712[2056] KB
DEBUG <NWBC.SessionManager> | BEGIN: CSessionManager::CreateDependingSession(sessionID 2, originatingSessionID 1)
DEBUG <NWBC.SessionManager> | BEGIN: CSessionManager::CreateSession(sessionID 2)
DEBUG <NWBC.SessionManager> | CreateSession(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | CSessionContext::initialize(sessionID 2, windowId , navTreeNodeID b9becfe7-7a4d-4139-a8f0-6e9ffdcab273, navTreeTargetID )
DEBUG <NWBC.SessionManager> | END
DEBUG <NWBC.SessionManager> | Added session dependency 2=>1 (child=>parent)
DEBUG <NWBC.SessionManager> | END : // 1 ms
23.06.2011 18:25:21.292
Workingset=134956[2980] KB / Pagefile=140804[3092] KB
DEBUG <NWBC.SessionEPCM> | ISessionEPCM::subscribeEvent(urn:com.sapportals.portal:workprotect::'inquiryProtection', sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionEPCM> | subscribeEpcmEvent(urn:com.sapportals.portal:workprotect::'inquiryProtection', sessionID 2, connectionName G10CLNT100, object passed, functionName UCF_WorkProtectHandler)
23.06.2011 18:25:23.615
Workingset=140748[5792] KB / Pagefile=146380[5576] KB
DEBUG <NWBC.SessionContext> | ISessionContext::getVisualPlugin(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | ISessionContext::getHelpCenterPlugin(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | ISessionContext::getSessionPlugin(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | ISessionContext::getVersion(sessionID 2, connectionName G10CLNT100) => 1.1
DEBUG <NWBC.SessionContext> | ISessionContext::getVisualPlugin(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | ISessionContext::getHelpCenterPlugin(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | ISessionContext::getSessionPlugin(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | ISessionContext::getVersion(sessionID 2, connectionName G10CLNT100) => 1.1
DEBUG <NWBC.SessionContext> | ISessionContext::setCanvasTitle(title 'Access Request', sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.Foundation> | BEGIN: Fire_EvTitleChanged(sessionID 2, title Access Request)
DEBUG <NWBC.Foundation> | invoking event handler method
DEBUG <NWBC.Foundation> | END
23.06.2011 18:30:40.185
Workingset=159464[18716] KB / Pagefile=159712[13332] KB
DEBUG <NWBC.Foundation> | BEGIN: CFoundation::OnNewCookies('http://aglgesrvsap10.agentil.local:8000/sap/bc/webdynpro/SAP/GRAC_OIF_REQUEST_SUBMISSION;sap-ext-sid=5aa5bceb-c58e-4b4c-a9b8-7040c7aed12b-837cbfe1-5f?sap-contextid=SID%3aANON%3aaglgesrvsap10_G10_00%3akuf3DEOj3RotbG_b7mZyxs766YT8fkkxdIdyzqvy-NEW')
DEBUG <NWBC.Foundation> | ADDED new cookie: 'sap-contextid'[1]=0 (domain aglgesrvsap10.agentil.local, path /sap/bc/webdynpro/SAP/GRAC_OIF_REQUEST_SUBMISSION;sap-ext-sid=5aa5bceb-c58e-4b4c-a9b8-7040c7aed12b-837cbfe1-5f, httpOnly=0, secure=0, expires=1: 01/01/1980 00:00)
DEBUG <NWBC.Foundation> | Cookie store:
DEBUG <NWBC.Foundation> | 'sap-usercontext'[30]=sap-language=EN&sap-client=100 (domain aglgesrvsap10.agentil.local, path /, httpOnly=0, secure=0, expires=false)
DEBUG <NWBC.Foundation> | 'MYSAPSSO2'[486]=AjQxMDMBAB...g9kQ%3d%3d (domain agentil.local, path /, httpOnly=0, secure=0, expires=false)
DEBUG <NWBC.Foundation> | 'sap-contextid'[80]=SID%3aANON...fpu6yW-NEW (domain aglgesrvsap10.agentil.local, path /nwbc/, httpOnly=0, secure=0, expires=false)
DEBUG <NWBC.Foundation> | 'sap-contextid'[1]=0 (domain aglgesrvsap10.agentil.local, path /sap/bc/webdynpro/SAP/GRAC_OIF_REQUEST_SUBMISSION;sap-ext-sid=5aa5bceb-c58e-4b4c-a9b8-7040c7aed12b-837cbfe1-5f, httpOnly=0, secure=0, expires=1: 01/01/1980 00:00)
DEBUG <NWBC.Foundation> | END : // 1 ms
DEBUG <NWBC.SessionContext> | ISessionContext::closeSession(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.Foundation> | BEGIN: Fire_EvCloseSession(sessionID 2)
DEBUG <NWBC.Foundation> | invoking event handler method
DEBUG <NWBC.Foundation> | END
Workingset=159976 KB / Pagefile=159812 KB
DEBUG <NWBC.SessionContext> | Fire_EvIsDirty()
DEBUG <NWBC.SessionContext> | Fire_EvIsDirty: invoking event handler method
DEBUG <NWBC.SessionEPCM> | BEGIN: epcm.getGlobalDirty
DEBUG <NWBC.SessionEPCM> | ISessionEPCM::raiseEventInternal(urn:com.sapportals.portal:workprotect::'inquiryProtection', parameters , sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionEPCM> | invoked JS function' UCF_WorkProtectHandler'() returned {'0', vt=11 (BOOL=11,BSTR=8) )}, hr=0x0(S_OK)
DEBUG <NWBC.SessionEPCM> | return getGlobalDirty=FALSE
DEBUG <NWBC.SessionEPCM> | END : epcm.getGlobalDirty // 16 ms
DEBUG <NWBC.SessionContext> | Fire_EvIsDirty done -> dirty false
Workingset=160008 KB / Pagefile=160856[+1044] KB
DEBUG <NWBC.SessionManager> | BEGIN: CSessionManager::CloseSession(sessionID 2)
DEBUG <NWBC.SessionManager> | CloseSession(sessionID 2)
DEBUG <NWBC.SessionManager> | Removed session dependency: 2=>1 (child=>parent)
DEBUG <NWBC.SessionContext> | beforeSessionClosure(sessionID 2, connectionName G10CLNT100)
DEBUG <NWBC.SessionContext> | Fire_EvBeforeSessionClosure()
DEBUG <NWBC.SessionContext> | Fire_EvBeforeSessionClosure done
DEBUG <NWBC.SessionManager> | END : // 1 ms
DEBUG <NWBC.SessionEPCM> | epcm.unsubscribeEvent: name parameter is NULL
Do you see the number in the define number range increase when you submit the request? Try using another number range. Other than that I haven't got any more ideas I'm afraid, please create a CSS message. Problem might be due to inconsistency in the DB due to requests submitted without completing the post-installation, I know you've done it now but there might be some stalled requests... I had a similar problem once and increasing manually the number range worked for me.
For completeness, the problem is that the task specific customizing cannot be done from IMG (as shown in the GRC post-installation) if the plugins are installed in the GRC box. They have to be done manually using SWE2. We will include this in the next version of the GRC post-installation guide.
Regards,
Luis
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.