
Workflow Approvers

Former Member
0 Kudos

Hi Experts

Few questions if you can help

1: Before implementing Access Request Management do we have to implement Role Management? I activated BC Sets for Workflow GRC_MSMP_CONFIGURATION and when I go to Access Request to create a request, it does not find any roles.

2. When any workflow is created, e.g. Function Maintenance, where does the request go to? Where do we specify the name of the person who would approve it? Is it in BRF+? I changed a Function and clicked on Submit and it says request submitted. Should it come in MyHome/Work Inbox (I think yes)? How can I see that request as an administrator? When I go to SBWP and in Outbox under Started workflow, I can see that request. How can I approve it?

3. Our GRC system is not connected with HR or LDAP. So how would GRC know the user/manager relationship?

I will appreciate your help greatly.

Regards

Masood

Accepted Solutions (1)

Colleen
Advisor
0 Kudos

Hi Masood

To extend on Ashish's comments....

BRM - you will need to import your roles to the GRC Role repository. You will need to ensure the Details Provisioning tab has been maintained to make the roles Productive or they cannot be selected in provisioning. Ensure you run your object synch jobs as well

For the case of finding which Agent the Workflow is assigned to you can look at the MSMP Instance Runtime Monitor via transaction GRFNMW_DBGMONITOR_WD - MSMP Instance Runtime Monitor

Finally, if you don't have a data source such as HR or LDAP to identify manager then you cannot use this field. You could open it up and force users to enter their Manager but it would be difficult to validate.

Former Member
0 Kudos

Hi Ashish and Colleen

Thanks a lot for your very helpful answer. Colleen, thanks heaps for helping once again. I never knew about this transaction and it looks wonderful.

After seeing your answer, I have imported ECC roles to BRM. First few times it gave me errors but by following guidelines in SDN docos, eventually it worked. (Feel I have achieved something)

I can see task or request in MSMP Instance Runtime Monitor. No Approvers were assigned.

In MSMP Workflow Configuration for workflow process "SAP_GRAC_FUNC_APPR", in stage 3, "Maintain Agents", Agent ID is GRAC_FUNCTION_APPROVER and Agent Type is PFCG Roles.

Does PFCG Roles mean that the request goes to the person who has the PFCG role "SAP_GRAC_FUNCTION_APPROVER" assigned in SU01?

How can I clear/approve the above request stuck in the queue? I would like to learn the correct settings so I can set up the approver so it goes to the approver, and this way I will be able to learn and apply this to other requests.

Plug-ins to our ERP system are as below. Does it mean we can get Employee/Manager information from ERP to GRC or does anything else need to be installed?

Sorry guys, I am asking lots of questions, unfortunately we do not have a consultant and I would love to learn all these.

Regards

Masood

Colleen
Advisor
0 Kudos

Hi Masood

Yes - that transaction is a favourite of mine. Glad to hear you progressed some of your config - it does get easier.

PFCG Role question - if your Agent is based on PFCG role, then yes, all users with that role assigned in their user buffer (role validity date) will become the possible agents. The Agent Types can be:

  • PFCG Role - yes, users need to be assigned the role in PFCG for the validity date
  • PFCG Group - SU01 Groups tab authorisation group is assigned
  • Custom User group - you create this group with a specific list of SAP User Ids in MSMP
  • GRC API rule - Configure an Agent Rule in MSMP (which may be determined by BRFplus, BRFplus flat line, Function Module or Class/Method)

For the missing approver in workflow:

  1. Workflow Administrator (setup in Access Control Owner) can go into NWBC > Access Management > Access Request Administration > Search Requests to open the request and approve/reject/route
  2. SE38 Program GRFNMW_MANUAL_INSTANCE_CANCEL can allow you to cancel the WF (you need to obtain the Instance Runtime number from the transaction I gave you). You can then fix your missing agent and trigger a new request

To avoid missing agent in future, on the MSMP Global Process Setup, you should configure an Escape Path for when this situation occurs.

Note: for the MSMP Runtime transaction - look at the Logs Tab and then you can see the MSMP path routing and current agents, etc.

For Manager - it's not a case of SP. It comes back to whether or not your system (ERP) has an HR Org Structure you can read from or the AD has the Manager Field maintained or some other custom way to derive manager. If you don't, you can't use that Agent.

Former Member
0 Kudos

Hi Colleen

With your excellent instructions, I managed to clear the error and also tested again with new Function Workflow Approver and it worked beautifully. I wanted to see what the approve/reject functionality looks like and thankfully you helped me.

Please allow me to ask one more question. I believe we have HR Org Structure set up in our ERP system. How do we get our GRC system to populate this field? I understand this may be a big question to answer, I will be very grateful if you can direct me to some source or if you can help with that.

Kind Regards

Masood

Colleen
Advisor
0 Kudos

Hi Masood

Do you mean that you want to set up workflow for position-based security requests?

In GRC you can set up your connections and configure CUP to provision access to Job, Position, Org Unit. There are quite a few configuration steps.

For the benefit of the community, I'd recommend you post a new thread with this topic as quite a few members would benefit. I have theory on how to do it, however, my solution is not position based to give you all the steps.

For a starting reference, the links below are SAP wiki articles for the HR Trigger and overview:

http://wiki.sdn.sap.com/wiki/display/GRC/GRC+10.0+-+HR+Trigger+configuration

http://wiki.sdn.sap.com/wiki/display/GRC/Understanding+HR+Triggers+in+Access+Control+10.0

You will need to configure your CUP and look at Provisioning Settings and MSMP.

Former Member
0 Kudos

Hi Colleen

As always thanks very much for your very helpful answers. First of all I do not know why the mediator takes so many days to post my questions here.

I managed to configure User Provisioning. I tested by assigning a role to an existing user. We are not using Position Based security. In my case roles are provisioned through CUA (direct provisioning). I picked the manager manually in Access Request. However, I would like to see if it is possible to pick up the manager automatically without having position based security.

Thanks a lot for sharing the other two links. I will definitely try to test those as well. Please do share if you have detailed information or a link for learning BRF+ from the beginning.

Sure I will post separate question to configure CUP.

Kind Regards

Masood

Answers (1)

Former Member
0 Kudos

Dear Masood,

1. Yes, in Access Request, you would be assigning the Roles to users. It is best practice to implement BRM before you implement Access Request.

2. If you are using the MSMP workflow then you are required to set the approver at the stage level of the MSMP. The approver will get the work item in their Inbox. You can also make use of BRF.

3. You are required to maintain the connection with the HR system or LDAP to maintain the manager; otherwise, there will be no use for the manager field even if you add it manually.

Thanks & Regards,

Ashish