cancel
Showing results for 
Search instead for 
Did you mean: 

Role Approval request not visible in Role Approvers ToDo tab

Former Member
0 Kudos

Hi IDM Experts,

We have implemented IDM 7.2 SP8 in our project. We have performed the basic configuration for Identity center and IDM UI. The initial load from CRM is also completed successfully.

We followed the steps in guide https://scn.sap.com/docs/DOC-26322 to configure workflow such that in case role is requested to be assigned to user, the request goes to role approver(in his todo tab) for approval. The access will then be provisioned into backend CRM system on successfully
approval. However, we are facing an issue where the Role approver does not get anything in "TODO" tab for approval. The request shows in "Pending" status and logs show that tthe request is pending approval, however, it never appears in role approvers queue.

Kindly help on the issue. Please provide below information:
1) We can check in logs that the request is pending approval. Is there any way we can check where is the request routed to and whoose approval is pending here if it did not goto "Role Approver" for approval.
2) Any trouble shooting mechanism/tool available in IDM to debug issues like this.

Thanks in advance for your help.

Thanks and regards,

Nitin

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi Nitin,

Enable trace on the user and examine the trace. It might provide some useful information to fix your issue.

To know how to enable trace, see my reply in this thread.

http://scn.sap.com/thread/3415279

Thanks,

Krishna.

Former Member
0 Kudos

Hi Krishna,

Thanks for your reply and suggestion.

As suggested, i ran the trace and PFA the same for your reference.

As per my understanding from the trace, the MX_Approver is successfully getting maintained as "administrator"(role owner in our case), however, i could not get anything from the trace which tells me why the request is not visible in Approvers todo tab.

Appreciate your comments on this.

Thanks and regards,

Nitin

Former Member
0 Kudos

Hi Nitin,

A quick question, How did you install the IDM database ? By executing the mxmc-install.cmd from command prompt or you have executed the sql scripts in sql query editor ?

Just wanted to check, as I faced the similar problem with approvals long back when I installed the database by running the sql scripts from sql query editor. Thiis is due to the dependencies on the sql objects.

After I deleted database and reinstalled from command prompt by executing mxmc-install.cmd everything is fine.

Any ways, I am looking at the trace you have shared. Let me get back to you.

~Krishna.

Former Member
0 Kudos

Hi Krishna,

I just confirmed from my Basis team that the IDM databse was installed using the mxmc-install.cmd from command prompt.

One more query, as per my understanding the MSKEYVALUE for a user is the user id of the user in IDM, right? I executed the below query :

select * from idmv_link_ext where mcThisMskeyValue = <the concerned user#s MSKEYVALUE> and maintained the user id(a_bowalekar) in MSKEYvalue, however, the result was an error saying:

Error Occured

-Err          =     -2147217900

-Desc       =     Invalid column name 'A_BOWALEKAR"

Is there something i am doing wrong.

Regards,

Nitin

Former Member
0 Kudos

Hi Nitin,

You should give the MSKEYVALUE in single quotes. like below.

select * from idmv_link_ext where mcThisMskeyValue='A_BOWALEKAR'

~Krishna.

Former Member
0 Kudos

Hi Nitin,

What type of approval you have configured. Are you configuring the approver on role ? or on task ? or on pending value object ?

Are you trying both Manager & Role Owner approval ?

From the trace I can see a task getting triggered preprocessing apporvals. Are you configuring the apporvals using pending value object ?

Can you please share the screen shots of how you configured the approvals ?

Screen shots of the following would help.

1. Approvers tab on the role

2. Member events tab on the role.

3. Approval task Approval tab.

~Krishna.

Former Member
0 Kudos

Hi Krishna,

Please find below my response:

1) We have configured "pending value object".

2) We are only using Role Owner approval and no "Manager" approval.

Also, please attached the requested screenshots. We have maintained the owner in "visibility tab" and our approvers tab is blank.

Thanks in advance for your help.

regards,

Nits

Message was edited by: Nits SAP

Former Member
0 Kudos

Hi Nitin,

If you are trying to implement Role Owner approval, I would recommend you to define the approver on the role and configure the approval task to get the approvers from Role/privilege. Its simple and straight forward.

For implementing Role Owner approval , refer to section 2.3 of this document.

Is there any specific reason to implement this role owner approval using PVO ?

If you still want to go ahead implementing this with PVO, your configuration of approver on visibility tab looks fine. Can you check the attributes and fields of the pre-processiong approvers pass such that they are as per the the document and it is pointing to correct identity store, and entry type.

All the best !!

~ Krishna.

Answers (3)

Answers (3)

Former Member
0 Kudos

Hi Krishna/Arun/Fadoua,

Thanks guys for your suggestions and help.

The issue with workflow is now resolved and the approver is now able to see the "role assignment" requests in todo tab.

I am facing a different issue now. We try to request a role in IDM UI through the self service task(using the standard "request role assiognment" task from provisioning framework), the request successfully goes to owner for approval, owner approves and the role is successfully assigned in the backend ABAP system(for which repository is defined in MMC).

However, when i am trying to request for a role from "manage" tab for some other user, the request moves to "OK" status without making any changes to user's profile in backend.

I am confused here why its working with selfservice task but not with assign task in manage tab.

In addition to the above do we have any tracig mechanism in IDM to understand where is it failing.

Appreciate your expert comments on the same.

Thanks and regards,

Nits

Former Member
0 Kudos

Hi Nits,

Are you trying with the same role ? I mean the role which you have requested through self-service and trying to assign through Manage tab is same ?

Can you provide the screenshots of member privileges, role privileges  and member events tabs of the role which you are trying to assign through Manage tab.

If you have not mapped any ABAP privileges to this business role, and when you request this role, it will simple go to OK status. If you have mapped any ABAP privileges for this business role, then till the ABAP Role privileges are provisioned, the role will be in pending state, and after all ABAP role privileges mapped are provisioned to the target system, then the business role assignment status changes to OK.

Hope this helps.

~ Krishna.

Former Member
0 Kudos

Hi Krishna,

Thanks for the reqply.

Yes, i am using the same role for assignment to Users.

One correction here, role assignment is working through "Manage tab" as well for users for which its working through "Self Service tab", i.e. its working for only specific users and not for all loaded after "initial load". I checked table idmv_value_ext_active and could not find any difference in attributes of these users.

Only thing i can find is, its working for users i manually created in IDM MMC and UI before initial load with manager as well as administrator privelleges. Is it some issue with initial load? is there any other table i can use to compare attributes of the two set of users?

Thanks and regards,

Nits

Former Member
0 Kudos

Hi Nits,

When you performed the initial load for your ABAP system, did you modify the standard initial load jobs ?

Can you also compare the user created in IDM UI and provisioned to ABAP and user loaded to IDM from ABAP and see if they have the attribute ACCOUNT<REPNAME> attribute set ?

~ Krishna

Former Member
0 Kudos


Hi Krishna,

We are using the standard initial load jobs for ABAP system.

I checked and found that the attribute Account<Repositoryname> is maintained for all the users loaded through Initial Load as well as for the ones already present in IDM(for which the provisionong is working).

Thanks and regards,

Nits

Former Member
0 Kudos

Hi Nitin,

How do you assign the role to the user? if it's trought IDM UI, you loggin with which user?

There is a limitation on approval with SP08 : the requestor of the assignement can not be define as an approver.... but in this case the approval is automaticaly rejected by the system ...

in which logs / table can you see that your request is "pending for approval" ?

I also would recomand you to use the simple scenario "get approver from role/privs" of as krishna mentioned. (unless you need to do more custum actions)

Besides, you can check approval entries and status in DB views :MXWV_ApprovalQueue ...

Fadoua


Former Member
0 Kudos

Hi Nithin,

Can you plz post all the attributes you see in the pending request when you run in your DB, that should help to guide you in a better way.

Thanks,

Arun