on 09-10-2012 11:17 PM
We are testing "Fire Fighter Log Report Review Workflow" (GRC 10.0 SP08) and have a scenario with two controllers. If Controller#1 gets to the request first and approves it, then how is Controller#2 supposed to see this? When he clicks the link in email for the work item after Controller#1 has approveid, GRC says "Controller#2 is not a valid approver". That's obviously not true, and we think a better message would be "request has changed status" or "been approved". But if Controller#2 wants to see the request and what Controller#1 did, which report should he view? I can see it as an administrator under NWBC=>Access Mgt=>Access Request Admin=>Search Requests. But the controllers do not have this menu. I may just need to grant some additional security in SU01, but don't know how to figure out what role or authobj would provide that report. I also would rather not give them more access than necessary (e.g admin).
Thanks!
Heraleen Bowers
Hi
Can anyone tell me if it is Ok to both have the Approver role and the Controller role in GRC
for the FF part
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Heraleen,
As one of the controllers have approved so the workitem has been completed, that's why for second
controller the error message is coming. This is valid scenario.This mail is just a notification that some session has been performed. But if the second controller wants to see the logs he can go to Consolidated log report and see the logs executed.
Also if you want you can use delivery option as Email, then controller can view the logs by clicking on link.
Hope it answer's your query.
Thanks & Regards,
Chandani
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Heraleen,
there is a possibility to change stage settings from Any one approver to All approvers. It means that all assigned approvers (controllers) have to approve the workitem to be finished.
If this is not suitable you need to add to the controllers roles tab Access management o (if they do not already have it). Requests should be controlled by object GRAC_REQ (ACTVT 03). You can use authorization trace in ABAP - transaction ST01 - but carefully not all controlled objects are always needed.
regards
Igor
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.