GRC AC10 Agent based upon Role Attributes

Former Member
0 Kudos

Hi Experts,

Need your help on the issue.

We are trying to achieve below configuration-

After the Access request is generated, at the first stage, the approver should be selected based upon the business process of the role. If there are multiple roles with different Business Processes and their approvers, all of them should approve the request and then request should go to the next stage.

There is also a field Business Process in the Access Request Screen which denotes the User's association with Business Process and not of the role. We are able to trigger the approval based upon this field, but we can't find any option of approver selection based upon the business process of the role.

Can someone show a way to achieve that?

We are facing another problem, when the request is approved based upon the field Business Process in the Access Request screen, we are not able to find the request in next stage, it is still showing in the same stage while the role attached is only one and no other approver defined.

What could be the reason behind it? Any help is highly appreciated.

Thanks in advance,

Sabita

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

There are a few options, but the painless and easiest option is as follows:

1) Assign a Business Process to each role.

2) I assume you have the same role owners for each role from the same business process, so assign them also into the attributes

3) Role Approval stage configuration - ensure that approval can be done by line item and approved by any approver.

The "Painful" way is to make a custom agent and create a BRFplus rule to split the request out by role attributes, but given the standard functionality available within the delivered Access Request MSMP process, you can easily avoid using this method.

As for your second problem, I assume if the first one gets sorted, your second issue will be gone, unless you have further stages and paths defined.

All the best.

Former Member
0 Kudos

Hi Kaushal,

Sorry I forgot to mention that we are using custom workflows.

Our Path is as below -

Stage 1. Role owners ( all role owners have to approve)

Stage 2 - BSM - to check and approve license availability in case a new account,

Stage - 3 Security Admin - to check all details and approve to provision it

After stage 1 there is one detour in case there is SOD then user module owner will do the mitigation or reject the role assignment.

When I create a custom agent, I am not able to see the option of role attributes based upon which approver should be defined.

The approver is getting picked based upon the business process field in the request. After this approval, the request is still showing in the same stage without any further approver.

Any idea what is wrong with it and how can we take role attributes in custom agent?

Regards,

Sabita

Former Member
0 Kudos

You need to make a custom BRFplus agent by LineItem to do that.

Basically you want the various different role line items to be reviewed by the role's functional area, so for this you can create a Decision table to map out the different Agent results (User_ID).

Former Member
0 Kudos

Hi Kaushal,

That is exactly what we are doing, but there is no option to map role's attribute to the approvers or user IDs.

We can map business process which appears in the access request fields (associated with the User), we can map a role directly to an approver, but there is no option to map role's attribute to the approver e.g. business process of a role, as it was available in CUP 5.3.

Has someone tried this option?

Regards,

Sabita

Former Member
0 Kudos

Hello Sabita,

You can use the transaction : GRFNMW_DBGMONITOR_WD to check the logs.

What i understand from your requirement and what would be my approach.

1) Approvers who will be ROLE OWNERS

> In this case 1st thing is you should upload few ROLES( NWBC>Access Mgmt-->Role Import) with all the details i.e function area, company , role owner, alternate approver

---> Now create a "Custom Initiator" from SPRO >GRC>AC>workflow for access control>Define Workflow Related to MSMP rules for Process ID SAP_GRAC_ACCESS_REQUEST

Run Tx: BRF+ , and you will see a rule created , drill down to "Expression-->Decision Tree"

and use "Table settings" to select "Condition Column" & "Result Rule sets", where you can configure the Custom Initiator

Now run Open MSMP workflow config window

1) Process Global settings ( Notification details if necessary)

2) Maintain Rules (add your custom initiator rule )

3) Maintain agents ( check & if not present add Role owner agent)

i.e. GRAC_AR_ROLE_OWNER (This will satisfy 1 st requirement)

Create a new agent as BSM and map them as "directly mapped user" , similarly for the 3rd stage you can use directly mapped user.

4)Variables & Templates --> Skip

5)Maintain Path ( add 3 stages as required i.e role owner, BSM & security officer)

Now for each stage click on "modify Task Settings" & click on individual check boxes as relevant , you can select "All approvers" or "Any one approver", Approve Request based on System & Role , or Request .

Same applies to all the other 2 stages.

6) Maint Route Mapping --> put the path ID created in previous stage and save and activate.

I hope this should give you some fair idea.

Thanks

Victor

simon_persin4
Contributor
0 Kudos

Hi Guys,

In BRF+ you have multiple entries in the context relevant results for BPROC. These will be the different entry points for the business process. Make sure that you are using the correct one to use the one for the role attributes rather than the Access Request Headers (e.g. use the one from the LINEITEM rather than the HEADER).

Alternatively, create a new Data Element in BRF+ and link that up to the required functions and expressions which will then allow you to use it in the decision tables.

This will then allow you to move away from the directly mapped users solution suggested by Victor (although that way will work if you do not want any logic behind the users being identified).

Simon
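
A conceptual model of the header-versus-line-item distinction raised in this post, added here as an example and not SAP, BRF+ or any poster's code. The decision table, role names, user IDs and field names are constructed for illustration.

```python
# Conceptual model only: not SAP GRC or BRF+ code. All names are hypothetical.
from dataclasses import dataclass

# Constructed decision table: business process -> approver user IDs.
DECISION_TABLE = {
    "FIN": ["FIN_OWNER"],
    "HR": ["HR_OWNER"],
}

@dataclass
class LineItem:
    role: str
    role_bproc: str  # business process maintained as an attribute of the role

@dataclass
class AccessRequest:
    header_bproc: str  # business process selected for the user on the request
    items: list

def agents_from_header(req):
    """Resolve approvers from the request-level value: one answer for every role."""
    return {i.role: DECISION_TABLE.get(req.header_bproc, []) for i in req.items}

def agents_by_line_item(req):
    """Resolve approvers from each role's own attribute, one lookup per line item."""
    return {i.role: DECISION_TABLE.get(i.role_bproc, []) for i in req.items}

def unresolved(agents):
    """Roles for which the table returned no approver at all."""
    return sorted(role for role, users in agents.items() if not users)

def stage_complete(agents, approvals):
    """'All approvers' rule per line item; an item with no approver never completes."""
    return all(bool(users) and set(users) <= approvals.get(role, set())
               for role, users in agents.items())

# Constructed sample: a finance user requesting one finance role, one HR role,
# and one role whose business process attribute was never maintained.
SAMPLE = AccessRequest("FIN", [LineItem("Z_FIN_AP_CLERK", "FIN"),
                               LineItem("Z_HR_PAYROLL", "HR"),
                               LineItem("Z_LEGACY_ROLE", "")])

if __name__ == "__main__":
    print("header   :", agents_from_header(SAMPLE))
    print("line item:", agents_by_line_item(SAMPLE))
    print("no agent :", unresolved(agents_by_line_item(SAMPLE)))
```
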

Former Member
0 Kudos

Hi Simon,

I don't see any option to create a data element in BRF+ and link them to required functions and expressions.

In BRF+ we are selecting BPROC (line Item) to define role owner as approver, but it doesn't take the attribute of role instead it is taking field Business Process in the request.

Regards,

Sabita

Former Member
0 Kudos

Hi Victor,

We have followed the same process as you have described here, only one difference is that we are creating custom (BRF+) agent for role approver stage where request approvers will be picked up based upon the business process of the role.

The BPROC we are taking as line item is taking business process given in access request and not the attribute of the role.

The default SAP delivered GRAC_AR_ROLE_OWNER is Function Module based and we don't know how to alter it as per our requirement.

Need your feedback on this.

Regards,

Sabita

Former Member
0 Kudos

Hi Victor,

We have created many requests for which we are not able to see any error message or approver.

The tcode GRFNMW_DBGMONITOR_WD shows no logs at all. Do we need to configure logs anywhere?

Regards,

Sabita

Former Member
0 Kudos

Hello Sabita,

Please use the below note to configure the MSMP debug logs

SAP Note 1624069 - GRC 10.0 Enabling Debug Logging for MSMP

Regarding the BRF+ object , use the object "ROLE CONNECTOR" , it should resolve your purpose.

Please note that you must have assigned at least one owner to the role in BRM.

Try to run simulation on the BRF+ rules

by going to "function" under the BRF+ rule , you will see the "Start Simulation" option.

Let me know if you need any help.

Thanks

regards,

Victor

Former Member
0 Kudos

Regarding the BRF+ object , use the object "ROLE CONNECTOR" , it should resolve your purpose.

Please note that you must have assigned at least one owner to the role in BRM.

ROLE CONNECTOR is for RFC connector-e.g. pointing to backend system and not role attributes like business process, sub-process etc.

Regards,

Sabita

Former Member
0 Kudos

Hello Sabita,

Sorry for providing wrong feedback. I understood your query now and it does seem to be complex.

This can be sufficed only if you are able to find what is the "Field Name" for Business Process & Sub business process for a role under BRM Dynpro screen, which I suppose your ABAP/Webdynpro consultant will be able to figure out.

Then you need to see that you add these fields on the CUP screen, so that the User can select and keep them mandatory.

Now when you go to the BRF+ for the Access Request Initiator, you need to check if these fields are seen directly or not.

Even i am following with SAP to know how can we enable a custom object/field added in CUP screen be made available in BRF+ screen.

I haven't received any reply as yet.

I will follow up and if i come up with any details i will share the same.

Thank You.

regards,

Victor

Answers (1)

Former Member
0 Kudos

Hi, Sabita.

Just wanted to ask you how can I achieve to trigger the approval based upon the Business Process field selected in the Access Request screen. I've already created a BRF+ initiator rule which recognizes the request type (path) and then sends it to their respective stages.

The thing is that we need that, in the first two stages, the approver has to be pointed out based on the Business Process selected in the request.

Hope you have some time to respond.

BR
