
Escape routing?

Former Member
0 Kudos

Hello experts. When an approver is not found for a FF log review WF request, we want it to come to the attention of SAP Security. I think that means I need to “set escape routing” and specify an Escape Path. But when I do a search for path, I only see GRAC_DEFAULT_PATH. So next I tried to create a new path, e.g. GRAC_SECURITY or GRAC_ESCAPE. However, when I tried to create a stage for this new path in Step 5 of MSMP WF config, e.g. seq=001, there are only two shown – GRAC_DEFAULT_STAGE and GRAC_FF_OWNER. Where in the config do I have to create these Stage Config IDs so a new one like GRAC_SECURITY shows up in the selection list? Has anyone seen any good documentation on how to do this, BTW?

Thanks!

Heraleen

Accepted Solutions (1)

kevin_tucholke1
Contributor
0 Kudos

Heraleen:

When you have created the path, and while that path is still highlighted, click ADD under Maintain Stages. 

Enter your Stage ID number (recommendation is to start with 010 and increment by 10), which will allow for expansion if ever needed later. In Stage Config ID, enter the ID you want the stage to be, enter a description, click the link below, and fill in the necessary items. You will then need to save, click Modify Stage Settings, and complete the bottom check boxes, then click notification settings and enter the events and template for the email notifications you want.

This is no different than creating any other custom Path/Stage.

Hope this helps!

Kevin T

Former Member
0 Kudos

Thanks Kevin. This is our first custom path/stage, so please forgive me for asking some basic questions. I'd love to read the manual on all this if I could find one! (Maybe you could author?)

Following the steps you listed, I had a few questions:

- what would be the purpose of "routing enabled" in this scenario (where no valid controller found)?

- which escalation type would be appropriate?

- under task settings what does "reroute" allow?   Can security admin somehow send to another controller? (e.g. the new manager)

- under task settings I see "confirm rejection" but I've not seen option to "reject" in our workflow (the basic FF log review WF is working OK for us).  What purpose does "reject" serve and how do I make it available to controller (or security admin)?

- under notification settings when I look at available events, I don't see one for "escape" -- only the normal stuff like Approved, Escalation, etc.   Do I have to create Notification Event=Escape?

If there is any documentation about all these options, please point me at it.

Former Member
0 Kudos

I tried entering the stage ID I wanted to make up, Security (instead of picking from the dropdown list). It saved OK but I got an error in generating the new version: "Configuration ID SECURITY check reported errors (BADI for task TS76308028 - class CL_GRAC_SPM_AUDIT_REVIEW)". So it seems like I'm missing a step.

kevin_tucholke1
Contributor
0 Kudos

Heraleen:

My apologies, I had thought you would have had other workflows already in play...My bad for making that assumption.... 

Create Path (just ID and description)

Create Stage (Stage #, ID, Description, Agent ID (Security), approval type (any),  routing and escalation should not be used on an escape route)

Click Save

Click Modify Task Settings...you will want at a MINIMUM -

REROUTE checked as the security person will need to re-route this back to the appropriate path when the fix is complete. 

I would also check CONFIRM APPROVAL and CONFIRM REJECTION, as these folks should not be doing either, and this would make them have to approve/reject twice (and hopefully remember they need to re-route).

then click save.

Next you want to set at least a NEW WORK ITEM notification in Notification Settings.

then go to Generate Versions, click save and place in a transport.

Go back to Global Process Settings, enable escape route and search for the path stage you just created.

go back to Generate Versions, SAVE/SIMULATE, place in same transport, then Activate.

go to this link on SDN

AC 10.0 - Customizing Workflows for Access Management

It is for the Access Request Management piece and focuses on the access request MSMP process, but the concepts are still the same even for FF Review from a technical workflow setup stance.

I would also recommend that you think about taking the GRC300 (for AC10) which covers the basics for MSMP workflow.

I hope that this helps...

Thanks.

Kevin Tucholke

Former Member
0 Kudos

Thanks! That was very helpful. I followed the steps and my new version generated successfully. When I tried what I think should be the escape condition ("Approver not found", by removing the controller in setup), I'm not getting anything. While I see the FF activity in the Consolidated Log report, I see nothing in GRFNMW_DBGMONITOR_WD, SWI1, SOST, SLG1, SM21. Are there any other transactions I should be looking at to see what's going on?

Believe it or not I did take the GRC300 class in fall of 2011.  Since then we've only migrated an existing UAR workflow but not developed anything new.   So I will look for the eDocumentation we got during class to review this stuff.   Thanks for the link.   That's a very good document.

Former Member
0 Kudos

Hi Heraleen,

I had some problems with Escape Routes for Approver Not Found until I became aware that if a stage has a BRF+ agent with a Decision Table and the Table Setting "Return an initial value if no match is found" is NOT marked, MSMP does not trigger the Escape route.

If that is your scenario, maybe this can help.

Good luck,

Vaner

Answers (0)