
MSMP Issue - GRC 10

madhusap
Active Contributor
0 Kudos

Hi All,

Request Type : New Account

Roles : X [Has Role Owner] and Y [Has Role Owner] added

Request Submitted.

Default Role : Added based on request attributes - Z [No Role Owner]

Step 1: Request is at Manager stage. Manager can see all 3 roles [2 mentioned in request] + 1 [Added by default].

Manager approved the request. In this case the 2 roles with role owners need to go to the next stage. The one role which is the default role should be moved to a different path; for this role there should not be any approval and it should get assigned directly.

The problem is that from the Manager stage, 2 roles are going to the next stage, but how do I manage the 3rd role, as this should not have any approval and the user has not yet been created because the request type is New Account?

I defined a no role owner detour path at the Manager stage, so my third role goes to that path, but again that path should not have any stages, so it will look for provisioning to the user, but the user is not created yet.

Has anyone come across this scenario?

My Requirement: Default roles should not have any approval. But according to the scenario shared above I am not able to handle the role without role owner or default role to wait until the user gets created. Please guide me with your valuable inputs in this case.

Regards,

Madhu.

Accepted Solutions (1)


alessandr0
Active Contributor
0 Kudos

Dear Madhu,

Did you set the parameter 2038 (Auto Approve Roles without Approvers)? With my configurations, which seem to be similar to yours, it is working fine. I have set 2038 to YES.

Regards,

Alessandro

Answers (3)


madhusap
Active Contributor
0 Kudos

Hi Alessandro/Vaner/Prasant,

I have set 2038 parameter as YES. Even then my roles are not getting auto approved.

First stage Manager - Don't have any routing enabled. We are on GRC SP13. Provisioning settings are "END OF THE PATH".

My scenario will work only if I route the roles without approvers from the Manager stage to the No Stage path with provisioning settings END OF THE REQUEST. But I wanted to achieve this without changing my provisioning settings.

If I have my parameter 2038 as YES, do I need to make any additional configuration to make my workflow auto approve roles without role owners? It is not working for me now.

Role Owner - Determined on the basis of role attributes, and it is a custom BRF+ agent rule.

Reason I don't want to change my provisioning settings:

At the security stage we have a routing rule enabled where the request will go to 2 paths; one path on approval creates the user, and the other path will then be approved and the role will be assigned. If I enable END OF REQUEST this will fail. If I enable end of path my first routing fails.

Please suggest your ideas on this.

Regards,

Madhu.

Former Member
0 Kudos

Dear Madhu,

I think we have 2 topics here:

1.  Why parameter 2038 = Yes did not work:

Maybe it is because you are not using the standard Role Owner process (function module GRAC_MSMP_ROLEOWNER).  I have never used this 2038=Yes configuration, then I can say it for sure, it is just a guess.

Maybe the way your agent returns the approver information for roles with no owner is not the same as the standard (I have seen in some debugs a "space" being returned). Or maybe the parameter works only with the standard agent.

2.  Multi path request with User Creation and Roles Assignment have Provision failures when path without user creation action ends before path with the user creation action.

The only way I know is "End of request" provision setting. It should work fine even with the routing you have in security stage.

When all paths end, GRC will provision it and will perform first the Create User and after that the Role Assignments.

Notice that a "No provision log" message may appear in the Audit log when a path ends; disregard it. The provision log will be available when the last path ends.

Have you tried it?

Can you share with us some more information about this routing in Security Stage? I did not understand why you need it.

Regards,

Vaner

madhusap
Active Contributor
0 Kudos

Hi Vaner,

Thanks a lot for taking your time and analyzing my scenario and for suggestions. I have given my scenario details below. Please check.

Our New account workflow has below scenarios.

1. Manager -> Role Owner [Custom BRF+ agents rules] -> GRC Admin

2. Default role - Will be included based on request attributes. This role should be auto approved.

3. At the GRC admin stage, upon approval, if the request has some role, say "X", my workflow should go to a detour path for additional approval for that role X separately. User creation will happen in the normal path and this additional role would be assigned to the created user after approval of the detour path.

The detour path has only one stage. This scenario is currently working fine as I have a routing rule defined for it. My provisioning settings "END OF THE PATH" help this scenario to be successful.

Issue:

1. Default role is not getting auto approved though I have the 2038 parameter set as YES. I doubt this might work only for the standard role owner agent, not for customized agents.

2. I am sending my default role to detour path [without any stages] at Manager stage

3. Now default role waits until the request gets completed and at the end of the request this is getting assigned to the created user. Here provisioning settings are "END OF REQUEST"

4. This is where my issue is, for default roles to get auto approved it is working only with end of request and my other scenario at stage 3 as explained above will work only with end of path.

These two are contradicting. Based on this can you suggest if any workaround is possible for my both scenarios to work?

Thanks in advance.

Regards,

Madhu.


Former Member
0 Kudos

Hi Madhu,

Here is my take:

1. Default role is not getting auto approved though I have 2038 parameter set as YES. I doubt this might work only for standard role owner agent not for customized agents.


You are right, this will work only for standard agents. I see you are using a custom BRF+ rule to identify role owners. Create a routing rule for the default roles and generate a result like "NO_APPROVER".

Map the routing rule to the stage in which you want to split the request, say "Manager". Maintain a path with no stage and in the MSMP routing, map the result "NO_APPROVER" to the path with no stages.


2. I am sending my default role to detour path [without any stages] at Manager stage


You can split the request at any stage


3. Now default role waits until the request gets completed and at the end of the request this is getting assigned to the created user. Here provisioning settings are "END OF REQUEST"


Set the provisioning settings to "Auto Provision at End of Each path" (this option works only when you split the request into parallel workflows, which you are doing in step 1).

4. This is where my issue is, for default roles to get auto approved it is working only with end of request and my other scenario at stage 3 as explained above will work only with end of path.


In my setup I use what is explained above:


Dummy Stage (split the request into 2 workflows, no approval required, moves to next stage after 1 min) - Role Owner (Custom rules) - Security


Parameter 2038 is set to NO


My provisioning settings are "End of Path", so the default role is provisioned first and waits for other roles from other path/s


Thanks.



Regards,


Muthu

madhusap
Active Contributor
0 Kudos

Hi Muthu,

Thanks for taking your time in clarifying my issue.

1. I already have a routing rule here and my workflow splits into two paths. The default role will go to a path with no stages. The main path will follow all the 3 stages as defined.

Workflow is for creating new user:

1. Default role will go to a path with no stages and will wait until end of request; then it will provision once my main path gets approved at all stages. For this my provisioning settings should be "END OF REQUEST". If I maintain them as "END OF PATH", the default role, since it is in a path with no stages, directly tries to provision and fails as the user is not yet created. [User creation will happen through main path]. Hence I used the END OF REQUEST setting and then the issue was resolved for this scenario.

2. At the security stage I want my workflow to take a detour path if the request has a role, say "X". For this scenario, the detour path will have a stage and needs to be approved. So at the security stage, if the routing rule is satisfied, the main path will create the user and assign all roles except role "X". This role X will go to the detour path and will be provisioned later after approval.

Example:

User raised a access request for New User creation with roles X and Y. Based on the request attributes and default role settings a role Z is added to request.

Stage 1: Manager

Process:

Manager approved the request. Roles X and Y will go in main path to next stage [Role Owner] for approval.

Role Z will go to detour path with no stages. For this scenario to work, provisioning setting should be "END OF REQUEST", so that default role waits until main path also completes its approvals. Once done this default role will be provisioned.

If provisioning settings are END OF PATH, detour path with no stages will try to provision immediately and since that user is not yet created, throws error and fails.

Hence I went for the END OF REQUEST setting.

Stage 2: Role Owner

Process:

Role owner approves both roles X and Y and these roles go to next path GRC admin.

Stage 3: GRC Admin

Process:

This stage has a routing rule. If a new user request has role Y, go to detour path with one stage. Since this request has role Y, request will split where role Y goes to detour path and in main path since all stages are approved, user will be created and role X is assigned. [This user creation and assignment of role X will happen only if provisioning setting is maintained as END OF PATH]

Role Y will be in detour path and once approved there this role will be assigned to user.

Issue

My issue is I want the scenarios at stage 1 and stage 3 to work together with a common provisioning setting.

Let me know if I am doing something wrong here or if any workaround is available for my scenario.

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

1. Default role will go to a path with no stages and will wait until end of request; then it will provision once my main path gets approved at all stages. For this my provisioning settings should be "END OF REQUEST". If I maintain them as "END OF PATH", the default role, since it is in a path with no stages, directly tries to provision and fails as the user is not yet created. [User creation will happen through main path]. Hence I used the END OF REQUEST setting and then the issue was resolved for this scenario.

In the "Global Provisioning Configuration" under option "Create user if does not exist" check the box "For Assign Role Action" and maintain the provisioning options to be "Auto provisioning at end of path". When the default role has no approval required, this will create a user ID with the default role and will not wait for the main path for user ID creation.

For stage 3 you need to set "End of Path" anyway.

Try this and let me know.

Regards,

Muthu
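
Added example, not part of any post in this thread: a simplified Python model of the provisioning timing discussed above for the X/Y/Z request, under "End of Path", "End of Request", and "End of Path" combined with the "Create user if does not exist" option for Assign Role. The `simulate` function, the path names and the rules it applies are assumptions distilled from the posts, not SAP GRC code or its provisioning engine.

```python
# Simplified model of provisioning timing, constructed from the behaviour the
# posts describe. Not SAP GRC code; names and rules here are assumptions.

# Paths of the example request, in the order they finish (constructed data).
SCENARIO = [
    {"name": "no-stage path", "creates_user": False, "roles": ["Z"]},
    {"name": "main path", "creates_user": True, "roles": ["X"]},
    {"name": "detour path", "creates_user": False, "roles": ["Y"]},
]


def simulate(paths, setting, create_user_on_assign=False):
    """Return {role: (step, status)}; step is the index of the path whose
    completion triggered provisioning, status is 'assigned' or 'failed'."""
    user_exists = False
    result = {}

    def provision(batch, step):
        nonlocal user_exists
        # Within one provisioning run, Create User runs before role assignment.
        if any(p["creates_user"] for p in batch):
            user_exists = True
        for p in batch:
            for role in p["roles"]:
                # Models "Create user if does not exist" for Assign Role Action.
                if not user_exists and create_user_on_assign:
                    user_exists = True
                result[role] = (step, "assigned" if user_exists else "failed")

    if setting == "END_OF_PATH":
        for step, path in enumerate(paths):   # provision as each path ends
            provision([path], step)
    elif setting == "END_OF_REQUEST":
        provision(paths, len(paths) - 1)      # provision once, after the last path
    else:
        raise ValueError(f"unknown provisioning setting: {setting}")
    return result


if __name__ == "__main__":
    for setting, flag in [("END_OF_PATH", False), ("END_OF_REQUEST", False),
                          ("END_OF_PATH", True)]:
        print(setting, flag, simulate(SCENARIO, setting, flag))
```

In this model "End of Path" fails role Z at step 0, "End of Request" assigns everything but only at step 2 (after the detour approval), and "End of Path" with the create-user option assigns each role as its own path ends.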

former_member193066
Active Contributor
0 Kudos

Please select create user in the provision setting for change user as well.

Select both options and you should be fine.

Former Member
0 Kudos

Dear Madhu,

Sorry for the delay... I have been away from GRC topics for some time; I have been assigned other responsibilities.

Let me see if I can be of any assistance to you...

Your Issue #

1. I do believe that parameter 2038 is ignored in Custom Rule (BRF+). I think that, if your "Role Owner" determination is not the standard GRAC_ROLEOWNER agent, you have to provide proper code yourself in a Function Module that reads GRAC_CONFIG table for parameter 2038 and handles it.

2. I took a different approach. As we have a few "Default Roles" that need no approval, I am handling it in the Initiator and splitting it to a specific path with no stage.

This way I "auto-approve" and prevent any further stage for specific roles, can be sure all others must have an approver assigned and path/stages.

Notice that this can only work in a Create User AND Assign Role request if provisioning is set to END-OF-REQUEST.

Technically, I already had a rule based on system and request type; then I added the Role_name field in the initiator rules and duplicated my entries in the decision table: one entry for Role_name * "except" my named default roles resulting in my normal path and another entry with Role_name = one of my named default roles.

The advantage of an initiator is that you don't need to run the first stage to get it in the proper path.

3 and 4 -  I see no way around it.   Only end-of-request provisioning setting ensures that you do not try to assign a role to a not yet created user.

What you can try is to have a "Provisioning failure" escape route directing the request to someone who will wait until the other path (create user) completes and then re-submit the request. Not a neat solution; it depends on a manual check.

As far as I can see,  we do not have much different scenarios, and you could work as we do:  parameter 2038=NO,  provisioning setting END-OF-REQUEST, and split the request in 2 paths (one for default roles, other for all the others).

I currently split some request in 3 paths (1 for Create User, 1 for the role assignments and a 3rd for auto approve roles in a no-stage).  It is working fine, allows me to handle all situations, including different notifications scenarios.

Only routings I have are for SOD violations.

I hope this can help.

Best Regards,

Vaner

Former Member
0 Kudos

Hi Madhu,

Is your issue with assignment of default roles without approver resolved? If so, please share the solution you applied, as I had the same requirement. Thanks!

Regards,

Srikanth

santosh_krishnan2
Participant
0 Kudos

Hey Muthu,

Long time, hope you're well.  The situation I have is that I'm using the standard MSMP role owner agent, and I have 2038 set to YES.  What is happening is that the role owner is not found and so the request is sent to the approver not found escape path. 

What I'm trying to do is to have it auto approve the role.

What do you suggest?

Thanks,
Santosh

former_member193066
Active Contributor
0 Kudos

Provision settings: if you have a detour for roles without role owner, create a blank path (without stage) and route it there.

It will wait till close of request or create user and provision these, depending upon your provision settings.

Prasant

Former Member
0 Kudos

Dear Madhu,

If I understood it correctly.

You do not need to route the roles with no owner to another path, (supposing you setup parameter 2038 as suggested by Alessandro).

If you just leave the Manager Stage with no Routing it should work fine.  Role would not go to any role owner but will remain in the request for provisioning.

In case you need to trigger a separate path to these default roles, it will only work if your backend Provisioning Setting is "end of Request".  If you have it as "End of Path" then GRC will try to provision the default role before the user is created.  I had this problem and could not work with "End of Path" provisioning in backends that we use "New" Request type (actions create and assign object).

Hope this helps.  Let me know if I misunderstood the scenario.

Regards,

Vaner