
Issue with Role Management Approval

Former Member
0 Kudos

Hi Experts

I am trying to create Business Role in BRM. I configured MSMP workflow SAP_GRC_ROLE_APPR as suggested in "AC 10.0 - Business Role Management" guide in this SCN.

The issue is that the workflow is approved at the first level, but then it just stays in Pending mode. When I open the Business Role in BRM it says that

Error: Role xxxxxxxxx is in locked mode

Warning:    Role xxxxxxxxx is pending approval

I cannot find where the workflow has gone and what it is pending on. Any help will be greatly appreciated.

Accepted Solutions (1)

Colleen
Advisor
0 Kudos

Hi Masood

How many levels of approval do you have? Also, did you try to push the WF through as I can see detouring, etc?

The lock status will not release until the outstanding WF is completed. There were issues with BRM around SP9/10 where the final task was not completing to close it out.

Have a look at the following KB to fix the lock status: 1796774 - BRM role is locked or in Pending Status

What MSMP Stage configuration do you have and Agents to fix root cause?

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

Thanks very much for such a quick help. We are on SP9 and hopefully very soon we will be going to SP12. Surely I will look at SAP note you advised.

In BRM at the Define Role tab under Owners/Approvers, I have only one approver and that is myself. I did receive the approval request in my Inbox and I have approved it already, but after that I am not sure where it has gone. The SAP Note may fix this.

I am not really sure where to check "MSMP Stage configuration".

If it is the MSMP Instance Runtime Monitor (the transaction which you gave me a few months back), under Runtime and tab Data Log it says Stage Seq. No 001.

In the Notification tab it says NEW_WorkITem.

Once again thanks very much for sharing your knowledge and helping to fix this issue.

Colleen
Advisor
0 Kudos

Hi Masood

Oh I meant a screen shot in MSMP configuration for the Steps (how many approvers)

The latest screen shot for Notification shows the emails sent depending on the event. Transaction SOST should show those.

MSMP Instance Runtime is great - I usually focus on the Approvers, Routing and Workflow tabs. I noticed one of them had ERROR. You might be able to check SLG1 logs to see if there is any further information on the error. Also try selecting the entry to see if further information is provided.

You can look at the WF transaction - SWIA - to see if the tasks have closed out except for the overall complete. If the approval step is completed, etc. and only the Close event is outstanding, then the KB article I mentioned may help. However, MSMP Instance Runtime is usually more helpful than the SW* transactions (in a GRC AC situation).

Again, check the note and see how you go.

former_member193066
Active Contributor
0 Kudos

seems issue with msmp configuration.

..

what you can do is go to search request and select for role approver request type and search .

send the log file.

Regards,

Prasant

Former Member
0 Kudos

Hi Colleen

Thanks for your help. Screenshot is below MSMP Config stage no5 - Maintain Paths.

Regards

Masood

Former Member
0 Kudos

Hi Prasant

Thanks for your help. Here is the Log from Role Approver Workflow

Regards

Masood

Colleen
Advisor
0 Kudos

Hi Masood

Why do you have Request Type 'Delete Mitigating Assignment' when this is a 'Role Approval Workflow'?

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

I did not any Request Type 'Delete Mitigating Assignment' anywhere. I am not sure where it picks it up from. I tried creating a new Business Role and it is also showing the exact same description. It shows this as soon as the Role Owner approves.

Regards

Masood

Colleen
Advisor
0 Kudos

Hi Masood

Have a look at:

IMG Navigation Path: “Governance, Risk and Compliance > Access Control > User Provisioning > Define Request Type”

In the Request Type (I had 21 in my system) it mentions the MSMP Process Id SAP_GRAC_ROLE_APPR. This may be related to issue and has a box for description.

Configuration parameter 3022 should then be the same Request Type Value (21)

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

Once again this is new for me and it is so nice that you are sharing your great insight and knowledge. Are these request types populated by BC sets? I have not created any of these.

From my screenshot below: should I create a new one for MSMP Process Id SAP_GRAC_ROLE_APPR or should I just change "Request type 123" - "Role Approval" to SAP_GRAC_ROLE_APPR?

Also, Config parameter 3022 is not set yet. Once you advise I will try accordingly.

Regards

Masood

Colleen
Advisor
0 Kudos

Hi Masood

Yes it is initially populated by the BC Set GRAC_ACCESS_REQUEST_REQ_TYPE

I recall having issues when I applied SP (can't remember which one) where the Request Type values got a bit mixed up (there were a few threads on this)

I recommend you go to BC Sets and compare the original against what you have to see differences. I think you can modify them directly in SE16 to avoid the IMG logic that stops you from editing them (that is if you need to revert them back).

If you did not have a Role Approval MSMP entry in here it may be causing the null issue.

Whatever value you have in the Request Type you need to match it in the configuration parameter. Also, ensure you flag the Request Type to Active. You only need one for Role Approval.

Regards

Colleen

Ps - refer to http://scn.sap.com/thread/3328789 as the example - same values with Request Type 21 and parameter 3022

Message was edited by: Colleen Lee Added SCN URL link

former_member193066
Active Contributor
0 Kudos

this looks like it's messed up..

please maintain appropriate request type against process id.

Regards,

Prasant

Former Member
0 Kudos

Hi Colleen

Thanks a lot for your help. We applied the SAP Note and it fixed the error message and Warning.

I set up the config settings and now the role status is complete.

I created a Business Role in BRM and put some composite and single roles inside it. The Role Status of my Business Role is "Production". I am trying to do user provisioning in the development system and it is not working. For some reason the Audit Log is saying that "RFC destination PARCLNT100 does not exist". First of all, PARCLNT100 is our production system and I do not want it to do user provisioning in that system. While creating the Access Request for the Business Role it did not let me select a system.

When I assign single role or composite role in User Access Request, they get provisioned correctly in my development system.

Please advise what I am doing wrong.

Regards

Masood

Colleen
Advisor
0 Kudos

Hi Masood

In the Single/Composite roles for the mappings, etc do you have the Provisioning Setting for that system switched off?

Role > Additional Details > Provisioning > System - Provisioning Allowed set to No?

If this doesn't help, I recommend you create a new thread and post this question so the entire community can assist as it is a new topic.

Regards

Colleen

Answers (0)