cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC AC 10.0 - MSMP Workflow is not sending email for Firefighter provisioning

Go to solution
Former Member

on ‎04-11-2012 11:28 PM

0 Kudos

Hi Gurus,

I have installed GRC - AC 10.0 and I want to configure EAM to allow automatically provisioning of Firefighter with following steps:

1. -In Access Management,  AC Owners, FF ids, Controlles, Reason Codes are setup in advance

2. - I can create a manual  Access Request for a Firefighter assignment and is functional without any issue

3. - Common workflow has been activated

4. - Email server has been configured and checked that can send emails

5. - In IMG  -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow  I have activated SAP Process Id-s :

SAP_GRAC_ACCESS_REQUEST

using the default settings .

6. At Pct #5 Maintain Paths- Stage Definition- I have checked boxes - Approve by Email & Approve and I have Activated it.

Then, I create a access request again and no email is send it out to Owner.

In MSMP, in Pct #5, I have all for Process Id SAP_GRAC_ACCESS_REQUEST , I have left all 3 paths:

GRAC_MANAGER

GRAC_ROLEOWNER

GRAC_SECURITY

7. I have tried to activate other processes id-s:

SAP_GRAC_FIREFIGHTER_LOG_REPORT 

SAP_GRAC_ROLE_APPR

however with the same result.

All my SPM Owners and FF-ids have email adress, how should I maintain their email in MSMP, as the documentation is confusing for me.

8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped directly the Account ID-s and I have assigned it in Pct 5 (Maintain Paths) and activated- without any result.

Thank You,

Marc

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

kevin_tucholke1
Contributor
‎04-12-2012 12:37 AM
0 Kudos

Marc:

Have you configured the Stage Notifications for the stage you are questioning?  Did you see if the request was in the approvers NWBC Inbox??  If request is not in inbox, then no email will go out.  The notification event you want is New Work Item.

Hope this helps.

Kevin.

Show replies
Show replies
Former Member
‎04-12-2012 9:49 PM
0 Kudos

Hi Kevin,

I have email now request in the Approvers NWBC Inbox, however when I Submit/ Approve the request, no FF id is provisioned.

Do you have any suggestion?

Thanks,

Marc

kevin_tucholke1
Contributor
‎04-12-2012 11:01 PM
0 Kudos

Marc:  have you checked the following areas:

1.  Search for the request in NWBC and see if there are any issues.  Did the request provision and is it in FINISHED instace status?

2.  Txn:  SLG1 to check for any authorization issues for the user IDs being used to provision.

2.  MSMP instance monitor to see if any clue as to what has happened.  Transaction is GRFNMW_DBGMONITOR_WD.

I have found that without knowing the full situation, it's difficult to troubleshoot, and this is where you need to start.  With the informaiton here, you should be able to determine WHY.

Thanks.

Kevin

Former Member
‎04-14-2012 4:05 AM
0 Kudos

Hi Kevin,

I have checked again Tr.  GRFNMW_DBGMONITOR_WD and :

MSMP Instance  Status=Running

Approval Status=Pending

and MSMP Instance ID > Audit Log Tab> with following messags:

:" FF-id ..access added for approval at Path GRAC_DEFAULT_PATH" stage GRAC_MANAGER

-"..Approved by OWNER.." at Path GRAC_DEFAULT_PATH and Stage GRAC_MANGER

-..FF-id is approved for user "Assign"

-.."No Agent found, canceling path GRAC_DEFAULT_PATH (in stage no. 002 -GRAC_ROLEOWNER)

Thanks,

Marc

kevin_tucholke1
Contributor
‎04-15-2012 6:46 AM
0 Kudos

Marc:

I recently ran into the same issue.  If you have your controllers set in the NWBC, check the background ID to make sure that this ID (possible something like WF-BATCH, has sufficient authorization).  My client did not inlcude enough authorization on that, and the user could not look up users.  After adding SAP_GRAC_ALL (or customer specific equivelant), then the workflow did not error out.  Also, I am recommending that it is important to have an Approver Not Found Escape route on EVERY Process ID that is used.  SAP does not currently deliver a GRAC_SECURITY agent for the FF Log Review workflow, but I created a PFCG Agent Rule using the customer specific copy of the MSMP Admin role, then assigned that role to the Admin users.  Then I created my Escape Route on the FF Log Process ID.  Workflows will not give error when an approver is not found like it did in previous versions, and the workflow will begin to process, but since no Escape Route is availabel will just cancel at the stage leve.

Thanks,

Kevin

kevin_tucholke1
Contributor
‎04-15-2012 6:46 AM
0 Kudos

Marc:

I recently ran into the same issue.  If you have your controllers set in the NWBC, check the background ID to make sure that this ID (possible something like WF-BATCH, has sufficient authorization).  My client did not inlcude enough authorization on that, and the user could not look up users.  After adding SAP_GRAC_ALL (or customer specific equivelant), then the workflow did not error out.  Also, I am recommending that it is important to have an Approver Not Found Escape route on EVERY Process ID that is used.  SAP does not currently deliver a GRAC_SECURITY agent for the FF Log Review workflow, but I created a PFCG Agent Rule using the customer specific copy of the MSMP Admin role, then assigned that role to the Admin users.  Then I created my Escape Route on the FF Log Process ID.  Workflows will not give error when an approver is not found like it did in previous versions, and the workflow will begin to process, but since no Escape Route is availabel will just cancel at the stage leve.

Thanks,

Kevin

Former Member
‎04-20-2012 4:51 PM
0 Kudos

Hi Kevin,

Thank You for your helpfull information, they were really good however I have been re-assingned to a different project, I will pass your steps to my colleagues.

Thank You again,

Marc

Answers (2)

Answers (2)

Former Member
‎04-13-2012 2:24 AM
0 Kudos

Hi Kevin,

I have checked and:

1. My Request did not provision and is in Running status

2. Transaction: SLG1  with messages;

- Controller ID not specified

-Message GRAC_SPM_MESSAGE130 (& 1& 2) :Specify Controller Group Name & Specify Delivery option

3. GRFNMW_DBGMONITOR_WD is empty

As NWBC is configured, I presume the issues are in MSMP.

If you have any suggestions, please let me know.


Thank You,

Marc

Show replies
Show replies
Former Member
‎04-13-2012 10:24 AM
0 Kudos

Hi Marc,

Check if you have maintained the Owner and controller of the Fire Fighter, also notification type (Email, Workflow or Log Display)

Regards,

Ajesh.

Former Member
‎04-13-2012 2:00 PM
0 Kudos

Hi Ajesh,

Tr NWBC>

1. GRC Role Assignment- Create FF ID Owner & FF ID Controlle- as I can notice now, there is Distribution List Email market mandatory and innactive for Group Type Options: Owner & Owner Gorup- this one is missing from my settings - becomes enabled only when I choose Group Type "LDAP Group" - which we don't use it, we use direct mapping from master record

Tr SUGR - I have created an Owner Group however all I have added the user- ids and each user id has his own email address in his Master Record

2. Tr NWBC>Superuser Maintanance> Controllers> if I choose Notification by - workflow and I have a Access Request created by FF-id Requester, no email will be in NWBC- Inbox of my Owner, however if I change the notification to "Email" I have receving an email in Owner's Inbox.Which can be open and I can click on "Submit" button without any provisioning of FF-id.

3. Super User Maintenance- I have Firefighter assigned to FF-id & Controllers assigned to FF-ids

Do you have any suggestions?

Thank You,

Marc

Former Member
‎04-13-2012 7:46 PM
0 Kudos

Hi Ajesh,

I have reviewed the Process ID - SAP_GRAC_ACCESS_REQUEST and in Pt #5I have maintained the Stages> GRAC_MANAGER >Notification Settings and my Approver is receiving the Nofication email. However I cannot provision the FF- id yet.

Thank You,

Marc

Former Member
‎04-12-2012 6:52 AM
0 Kudos

Hi Marc,

Aprart from Kevin recommendation, I suggest you re-visit the following doc and see if you have missed any steps.

http://scn.sap.com/docs/DOC-1562

Make sure you have maintained the following parameters:

Workflow 1113 WF-BATCH

Emergency Access Management 4002 YES

Emergency Access Management 4003 YES

Emergency Access Management 4004 YES

Emergency Access Management 4005 YES

Emergency Access Management 4006 YES

Emergency Access Management 4007 YES

Emergency Access Management 4008 YES

Emergency Access Management 4009 YES

Regards,

Ajesh.

Show replies
Show replies
Former Member
‎04-12-2012 8:18 PM
0 Kudos

Hi Ajesh,

I have updated parameter 1113 with value WF-BATCH

Former Member
‎04-12-2012 8:20 PM
0 Kudos

Thank You,

Marc

Ask a Question