If you want to configurate a "no_stage" like in 5.3., you have to create the following entries in MSMP:

- step 6 "maint route mapping":

RuleID: GRAC_MSMP_ROUTE_NO_ROLEOWNER

RuleResult:NO_ROLE_OWNER

PathID: Z_XXXX_NO_STAGE (your own name)

- step 5 "maintain path":

select your path and the relevant stage.

Open the stage details and activate the routing with the Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER and the Routing Level: Line Item Level

I must be doing something wrong. Would it be possible to verify below:

Step 5:

2 paths:

Main path with 2 stages

Detour path without stages

Main path: stage 2 - Role Approvers

Stage Config Id: GRAC_ROLEOWNER

Agent ID: GRAC_ROLEOWNER

Routing Enabled: Yes

Rule Type: Function Module

Rule Id: GRAC_MSMP_ROUTE_NO_ROLEOWNER

Level: Line Item

Step 6:

Rule Id: GRAC_MSMP_ROUTE_NO_ROLEOWNER

Rule Result: NO_ROLE_OWNER

From Path: empty

From Stage: empty

Path ID: [name detour path]

Saved and activated flow.

However, when going into stage 2 -> System keeps saying "no agent found ... GRAC_ROLEOWNER"

What should I change? Thx!

Hi,

In regards to the empty path, should there not be any of Stage configurations (Task Settings) needed to be utilised to make Role Owner-less roles be escalated to the next stage?

When Saving ( Plus simulating) when Generating the Version, do you get any error messages?

We have one warning -> no data maintained in GRFNMWCNGLBESR

All other checks are green.

That message is just stating that you have no escape path set.

If you go back to the Process ID in screen 1 again, and set the escape path information, you should be able to generate without any warning, and then activate the process and try it again.

Hope that helps.

That configuration indeed turns out to be mandatory. Thx!

However seems that what is stated above is not working. A detour path without stages seems not to be working.

Question remains: how to best tackle problem mentioned above? (some roles with and others without role owner)

Thx!

I suppose for such a scenario, you may need to create a custom BRF+ rule where it captures the scenario of if the role has no owner- go to a default Security Admin etc.

Edited by: Kaushal Vastani on Oct 30, 2011 6:16 PM

I assume that would be the same as a detour with the Sec Amin as stage in a detour.

There is also the parameter 2038 which auto approves requests for roles without a role owner. However, I understood that all roles in the request should then be owner-less.

Didn't find a good alternative for the "no_stage" of 5.3 yet.

Hi,

Just been thinking about the scenario you described in your last post.

If you were to enable "Access Request Role Selection: 2038 Auto Approve Roles without

Approvers = YES"

This should allow to automatically approve access requests for roles without role owners at the role owner stage, as well as having roles with owners being approvable. What I would suggest is that if there are any SOD violations, it gets detoured to the Security Admin after this stage.

Have you considered trying this flow out and seeing what happens?

Hope this does help.