cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Approval Management in SAP IdM 7.2 SP8

Go to solution
former_member190695
Participant

on ‎08-30-2013 1:14 PM

0 Kudos

Dear All,

As you may probably noticed the Approval Management in SAP IdM 7.2 SP8 and perhaps before has been changed a bit.

It's now not possible If an actor has been involved in the Role Assignment process as an approver or requestor to approve the Approval request.

e.g. If a manager of a user requested a new role and the Business Role requires approvals; If you first task is "Manager Approval", the request will be declined with reason: Insufficient number of approvers because the requestor and Approver are the same. Another example: If the requestor or a previous approver are the same as for example a Role Owner and you have an Approval Task that requires Role Owner approver, this request will be rejected as well with the same reason. My examples are based on getting approvers from MX_PENDING_VALUE.

I have many scenario's in my head but before testing any of them I want to hear from you how you deal with this matter.

I appreciate all your comments.

Regards,

Ridouan

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎08-30-2013 10:58 PM
0 Kudos

Hi Ridouan

I haven't come across this problem but I tend to make it a habit of manipulating the Pending Value before sending it to the approval task anyway.  You can determine if the currently required approver is the requestor or a previous approver and skip the approval task.  I've done this before just to reduce user anger at approving their own requests or to ensure that the managers manager has to approve requests so there is at least some accountability.

Peter

Show replies
Show replies
former_member190695
Participant
‎09-04-2013 12:03 PM
0 Kudos

Hi Peter,

This is exactly what I am trying to achieve but in my case the request is automatically approved by system If the manager for example is the same as requester.

I have a multi-step approval process and I am retrieving approvers from PVO. I am able to approve the manager step but my request is failing at the approvers step with insufficient number of approvers. The approver was not involved in any of the previous steps and is not the same as the requester.

Regards,

Ridouan

Former Member
‎09-05-2013 12:21 AM
0 Kudos

You can interrogate the PVO before it gets to the approvers step and determine if the approver is the same as the manager.  If it is, bypass the step (or add another approver).

Peter

Former Member
‎03-17-2014 6:36 AM
0 Kudos

Hi Peter/Ridouan,

Thanks for your suggestions.

I am facing a similar issue where the request is not moving to the approvers' "todo" tab. I raised the request for another user for role assignment to his id and the request never appeared in todo tab of the approver(approver is differentn from requester(its me in this case) and person for which role is requested(my colleague).

Is there any tracing mechanism in IDM to trace the changes in PVO? or do i need to run any database scripts to enable workflow?

Appreciate your comments on this.

Thanks and regards,

Nitin

Former Member
‎03-17-2014 7:19 AM
0 Kudos

Hi Nitin,

Try enabling the trace on the user MSKEY for which you are requesting the role. This will reveal more information on what is happening exactly. From there you might get some information where exactly the issue is.

To enable trace, in the identity center set the value of the global constant MX_TRACE_ENTRY to the MSKEY of the user for whom the role is requested.

Alternatively, you can enable trace using ADMIN UI, goto Trace tab and provide mskey.

Apart from that you can also have a look at these views

idmv_approvals_basic

idmv_approvals_ext

idmv_approvers_basic

idmv_approvers_ext

All the best !!

~ Krishna.

Former Member
‎03-17-2014 8:57 PM
0 Kudos

You can check the provisioning queue and see if its hanging on something.  Another task may have failed or still be in process.

Peter

former_member190695
Participant
‎03-19-2014 8:37 PM
0 Kudos

Hi Nitin,

Please configure tracing as described by Krishna e.g.  MX_TRACE_RT = True and MX_TRACE_ENTRY equals to the user MSKEYVALYE like <Administrator>

You can find the values in the Global Constants, If the constants are not there you can just create them and add the values.

Make sure the dispatcher Log Level is set accordingly.

You can also configure notification as I believe your issue is related to Insufficient Approvers.

Check MC_SYSLOG table as you might find some additional information there as well.

Regards,

Ridouan

Answers (0)

Ask a Question