
Delegation You are not authorized to approve the request message

Former Member
0 Kudos

Hello all, I hope you are well. I would like to know if it's possible to delegate just the approval role.

Example:

The manager is going on business travel for one week and he wants to delegate to his secretary.

User1(manager) delegates to user2(secretary).

If I log on using the secretary ID I can see in my inbox all the pending approvals. I open a request to submit approval, but when I click on it a message is displayed that I don't have authorization.

So, in this case I just want to delegate the approval role; is it possible to do that?

I mean I don't want somebody else who has the approval rule to be able to approve this request; I just want the secretary (in this case) to approve without getting Functional Manager roles.

Also, if you can, help me to understand why she can reject this access request but she cannot approve even if delegation is activated.

Thanks a lot.

Picho

Accepted Solutions (1)

alessandr0
Active Contributor
0 Kudos

Dear Picho,

You can delegate approvals to another user with "Manager Delegation". Besides that, the alternate approver needs the proper authorization to approve an access request (the authorization must be given). Check in SLG1 which authorization is missing for the secretary and what has to be authorized.

Authorization only means that the baseline to approve requests is given. Without a proper delegation no one can approve the request.

Let me know if you need more detail.

Regards,

Alessandro

Former Member
0 Kudos

So, what I understand is that she needs the role that contains the auth objects to perform approval for requests.

But I would like to know which is the best approach. I mean, have a separate role for all users that only contains this auth object, and when someone delegates he needs first to request this role, or what do you suggest?

I mean, is it possible that I as a Manager delegate just my role to the secretary and she is the only one that can approve all items in my inbox?

I want to know how GRC works: if I am delegating my approval to my secretary, what needs to be done? Must she request access to the role that contains the auth object for approval, or is it possible by just delegating and activating for a specific period?

Thanks a lot.

Picho

alessandr0
Active Contributor
0 Kudos

From my point of view this authorization should be given to all GRC users, meaning whoever can access GRC should be able to display and approve requests <- just from the authorization point of view, so that the functionality is given. This doesn't mean that a user is allowed to approve requests from someone else; it is just the technical authorization for approving.

When it comes to approving a request, it is required to be the approver either as manager or as role owner or, in your case, as a deputy. While routing a request, only the named user (or a deputy) can approve his requests. If a manager sets a deputization to his secretary, then for a specific time the secretary is also allowed to approve requests on behalf of the manager.

Please let me know if you need more information.

Regards,

Alessandro
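
The two-layer check described in this answer, as an added example that is not part of the original thread and is not SAP GRC code: approval requires the technical authorization and, in addition, being the named approver or a deputy whose delegation is active. The `can_approve` function, the user names and the dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Delegation:
    delegator: str    # named approver who is away
    deputy: str       # user approving on the delegator's behalf
    valid_from: date
    valid_to: date    # inclusive end of the delegation period

def can_approve(user, named_approver, on, authorized_users, delegations):
    """Return (allowed, reason); both layers must pass."""
    # Layer 1: technical authorization, the baseline that lets a user
    # execute the approve action at all.
    if user not in authorized_users:
        return False, "missing approve authorization"
    # Layer 2a: the request was routed to this user as the named approver.
    if user == named_approver:
        return True, "named approver"
    # Layer 2b: the user is a deputy of the named approver and at least
    # one delegation between them is active on the decision date.
    expired = False
    for d in delegations:
        if d.delegator == named_approver and d.deputy == user:
            if d.valid_from <= on <= d.valid_to:
                return True, f"deputy of {named_approver}"
            expired = True
    if expired:
        return False, "delegation not active on this date"
    return False, "not the named approver or a deputy"

# Constructed sample data: one week of delegation from manager to secretary.
AUTHORIZED = {"manager1", "secretary1", "colleague1"}
DELEGATIONS = [
    Delegation("manager1", "secretary1", date(2024, 3, 4), date(2024, 3, 8)),
]

if __name__ == "__main__":
    day = date(2024, 3, 5)
    # The symptom from the question: delegation set, authorization missing.
    print(can_approve("secretary1", "manager1", day, {"manager1"}, DELEGATIONS))
    for u in ("manager1", "secretary1", "colleague1"):
        print(u, can_approve(u, "manager1", day, AUTHORIZED, DELEGATIONS))
```

The reason string is returned with each decision so that denials and deputy approvals can be written to an audit log.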

Former Member
0 Kudos

Thanks Alessandro, this is now clear to me, so I think I will give access to all end users to approve requests, but this will not work until the role approver or manager activates his delegation.

So I think I will do that. I was planning to give all users the authorization to view requests, but if they are not activated, they cannot approve.

Thanks a lot, this was really helpful.

Have a great week.

Best Regards.

Picho

Former Member
0 Kudos

Picho,

I am rather surprised by this decision. What is the point of having authorized approvers if every single user is authorized? It makes that approval stage rather meaningless, wouldn't you think? That sounds like a set up for collusion between users. Did the Internal Controls people sign off on this process/ security design? I have never seen it done like that, and this is my third GRC10 project.

Or have I just worked at comparatively restrictive organizations? Does anyone else here have experience with such a process design, where any GRC user could approve a request if it was delegated to him/her?

Regards,

Gretchen

Former Member
0 Kudos

Hello Gretchen

What I am trying to do is just delegate the approval to another end user.

For example, if I am the Manager and I will be away for one week because of vacation, I need to delegate my approval to another user, in this case my assistant.

I don't want any user to be able to approve any GRC request; I just want to know how it works.

I made a test where I delegated my approval to my assistant, but if I use her user ID I can see my work inbox but can't authorize.

I just want to understand how the delegation process in GRC works.

Thanks

Former Member
0 Kudos

Picho,

In our process, the control is that the first approval is by the manager, which is the user's manager as configured in the LDAP directory. A manager can delegate to someone else via the IdM solution, but if it is not an authorized manager (someone set up as a user in the GRC system with the manager role assigned), s/he will not be able to approve access requests. Likewise, role approvers can delegate to another authorized role approver. That is how the controls were designed, and our security design supports those controls.  Our controls people are pleased with the stronger controls of GRC 10.0 compared to the process of manager's approval by attached emails in our 5.3 system.

But, again, perhaps others have different views about what constitutes effective controls on this process.
I invite opposing views to be expressed.

Gretchen

alessandr0
Active Contributor
0 Kudos

Dear Gretchen,

Thanks for your feedback. From my point of view it's a manager's responsibility to whom he/she delegates his/her duty. In our enterprise, managers' deputies are not always "managers"; it can also be that a "normal" worker is a deputy (e.g. a key-user).

However, I still assume that the manager knows to whom he/she delegates this authority, and in exceptional cases the traceability is continuously given. With my configuration the manager (and, if a delegation is set, the deputy as well) will be informed by email automatically if a new request needs to be approved. In case of uncertainties or missing information the manager can always review the deputy's decision and react. I am aware that this can lead to a potential risk, but somehow a company has to trust their employees (mutual trust) and has to be "workable" to compete with others.

Looking forward to your further thoughts in this regard.

Best regards,

Alessandro

Former Member
0 Kudos

Hello,

I'm just wondering how you are maintaining the access in GRC for managers to be able to approve access requests from their team members as they show up in LDAP.

We have a plan to include the manager approval at the first stage of the workflow, but it won't be easy to keep the GRC access accurate against the LDAP that is linked to our HR DB.

Our concern is that when a manager is newly named and a GRC access request is processed, we might not have that manager set up in our GRC, and therefore he won't be able to approve or even receive anything in his work inbox.

How can we ensure that the GRC access stays in sync with the LDAP and HR for managers?

The same question would be about managers that are moving to a self leader position, as here we will need to ensure that approval capabilities and even the entire GRC access are removed.

Do you have any best practice to keep GRC in sync for managers?

Concerning the delegation, I could see that SAP IDM is proposing or will propose some context based permission to allow someone that receives delegation authority to approve.

Would GRC receive that capability as well in the future?

If not already in the roadmap, it would be interesting to have it.

Feel free to share your thoughts.
Thanks.
Patrick.
