If you are using default methodology then you need to configure BRF+ rule to map the role attributes to the condition groups. in NWBC you map those condition groups to your approvers

role content approves rols changes - BRM approval

role owner used in access request approvals

Because you have to add them to the role

if you set user up as access control owner for role content and then add them to that screen you just posted you will be able to submit role for approval

if you added approver to condition group mapping, you have to do IMG config and BRF+ rule so you can then press default approver button on you screen. This will result in your approvers being automatically added to the table on your screen

either way the role must have approvers on that screen for you to submit for role approval

Hi Sabrina

In BRF+:

• Set your decision table with the criteria you want to determine your approver by
• For each difference scenario (i.e. each row in your decision table) enter a free text condition group value that you can map 1 or more approvers to
• Ensure the decision table, function and application are all activated

Example: You want to approve roles  based on business process. Your table would have a column for business process and one for the condition group result. You would add an entry for each business process and then enter a condition group (could be the same value if you chose to)

In the IMG:

• You need to configure the Assign the Condition Groups to the BRF+ Function: You need to add the entry APPROVER and the BRF+ Application and Function Name (not the Ids)

This tells GRC which BRF+ function to execute when you press default approvers in the BRM approver screen

In NWBC  and SU01(User setup):

• Each Role Content Owner needs an SU01 account
• Each Role Content Owner must be assigned Role Content Approver in the Access Control Owners Screen
• You must then map condition group (the values you specified in BRF+) to the Approvers in your central table and flag the approver as type of approver

Once all of these are done you can the press the "Default Approval button". The BRF+ function from your IMG will be executed and decision table logic to identify condition group. The condition group mappings willl identify the approvers you mentioned and they will then default into the role approvers section

Regards

Colleen

Hi Sabrina

You seemed to have confirmed role approval and the role methodology BRF+ configuration

At second I assigned the Condition Group Type to the BRF+ Rule

The entry that applies here is the APPROVER. METHODOLOGY is for changing the steps for the approval

"Condiiton Group IDs to the Methodology Process" -

this is used to default your role methodology which are the steps in the BRM screen to go through when maintaining a role. It looks like you BRF+ condition groups have been mapped in for role methodology

Condition Group has been used twice to represent different mapping groups. Approval Condition Group is used to Role Content Approvers to the group via NWBC while Methodology Condition Groups maps the group to the role methodology to determine how the BRM steps are displayed

The Role Content Approval process doesn't use the MSMP so nothing for you to do there

At second I assigned the Condition Group Type to the BRF+ Rule

Have a look at that screen shot again.. it looks like you mapped methodology and approval around the wrong way for the function?

I assume you have set up the Access Control owners looking at your original screen shots

Regards

Colleen

Fantastic news. Well done and good luck with the rest.

G'Day Colleen,

Thank you for a very informative document. After spending the last hour or so figuring out what I was doing wrong, boy! was I glad to find this thread. The 'Approver Rule' was doing my head in as I could not understand how this is integrated with the 'Approval Request'. Although I've done everything I was supposed to as per the SAP BRM document. One thing it never mentioned is about the Mapping the 'Approver Condition Group ID'  to Role Owners in NWBC. Once I gathered this from your answers, I could see the connection!! So Thank you.

However I've got a problem. I followed all the steps you've mentioned down to the T but once I hit the 'Initiate Approval' button, the request isn't going to the intended Approver (the one mapped in 'Role Owners'), although she shows up as the default approver. For reasons I cannot I understand it keeps going through to the MSMP workflow stage Approver. My understanding was MSMP does not come into play in this scenario, so I would really appreciate it if you could enlighten me as to what I am doing wrong or is this how its supposed to be? Here is an extract from the SAP BRM document, which is further confusing me:

- Role Approval Workflow needs to be maintained if Approval step is there in Role Creation Methodology

- The default workflow process can be used to set up Role Approval Workflow Process

- In Step 5, maintain the Stage settings and select the Agent ID as GRAC_ROLE_APPROVER or the approver rule created in BRF+

So does this mean that I have to maintain Approvers in MSMP as opposed to the default Approver in the Role Methodology? Which doesn't make sense!

Regards,

Leo..

Hi Leo

Are you doing BRM role content approval here?

Can you please include a screen shot of the approver in formation in BRM and what you mean with routing to an MSMP approver?

Regards

Colleen

Hi Colleen,

Yes I am doing(trying) BRM Role Content Approval. For starters is it different from Role Approval? If so how? Both seem to serve the same purpose right and it would be rather redundant to have two approvals.

Please find the screen shots below:

1) BRF+ Decision Table

   The second condition is just a 'catch all', which I picked up from your other thread!!

2) Assign Condition Group to BRF+

3) Role Owners - NWBC

4) Default Approver - Role Methodology

Approver is maintained in NWBC: Access Control Owners, Role Owners and she obviously exists in SU01.

From what I gathered so far, once I hit the 'Initiate Approval' button in the Role Methodology Approval step, the request should go to 'M Paynter' right? however she hasn't received any requests for approval and the person specified as the Approver in MSMP path has received the request.

I would appreciate it if you can kindly point to me as to what I am doing wrong or have I got this all wrong?

Regards,

Leo..

Hi Leo

That config looks good. Did you complete the IMG Workflow task activation pieces? There is help information in the IMG for Access Controls Workflow. You need to set the WF/TS items for the workflow so they do go to the approver

Who actually received it? Perhaps it's coincidence that the person who received it is in MSMP as well. The MSMP is tied to a Process ID (these are hard coded and non of them are business role management).

If you go to the Administration in NWBC you can look up the request to see where/why it routed to a specific approver as well. Alternatively, there is an option for Search Requests under Access provisioning (I think - sorry am doing this from memory).

Regards

Colleen

Hiya Colleen,

I did check out in NWBC and that is how I realized who the approval request went to (and it is a different person altogether). It followed the default path for BRM Approval in MSMP. Everything is working fine except for the approval not going to who I expect it would go to.

Please help me understand one thing. When you hit the 'Initiate Approval' in BRM who is it supposed to go to? The default Approver or would it follow MSMP workflow and then go to the Approver specified over there?

As for your "Did you complete the IMG Workflow task activation pieces", Forgive me but I'm not sure what you mean by that. I've configured MSMP for different things like Access Request etc and they all work fine but I haven't touched the workflows in any way for this and the default Approver is not mentioned anywhere in MSMP workflows as I did not think they would come into play. Would it?

Regards,

Leo..

Hi Leo

MSMP is for specific Process Ids (I think there are about 10 of them). You will see them on the first tab in the MSMP. This includes User Access Request (and HR); Function Approvals; Risks; Mitigating Controls; Mitigation Assignments; SoD Reviews and UAR Review

Business Role Content Approval (BRM with the approval methodology) does not use MSMP. It does use the BRF+ rule (which you appear to have successful configured as you defaulted your on the Approval tab). The approvers (assignment) are referenced as Agents int eh UAR MSMPs.

The Workflow Tasks Activation you will find in the IMG menu path and GRC (I think common area). It's a step you do as part of enabling workflow.

Do you have a screen shot to prove that you BRM content approval (approve step for the role methodology) is going to an MSMP agent?

Regards

Colleen

Dear Colleen,

Thank you for getting back to me. Looks like something is getting lost in the translation. My apologies for not being clearer. So let me back up a bit and explain what exactly I am trying to achieve and what I am expecting out of it.

For starters, thanks to your MSMP blog I've got a clear understanding of how it works and I managed to successfully customize the default workflows and I've created my own Rules as well using BRF+. I am also aware as to what needs to be done in IMG to activate MSMP Workflows (I do have a query but I'll get back to you on that later). So my current query is not in regards to MSMP.

What I am trying to achieve

I've created a BRF+ Rule to trigger if the following condition comes into play:

1) If the Role Type=Single & Role Sensitivity=Confidential, then it should trigger a certain Methodology and Approver Rule

2) If the Role Type=Single & Role Sensitivity<>Confidential, then it should trigger a certain Methodology and Approver Rule

I created a methodology for both scenarios and linked them with the Condition Group: Working just fine!

I defined Approvers for both scenarios and linked them with the Condition Group: Working just fine!

* At this stage I haven't touched MSMP and not expecting MSMP to come into play as you pointed out.

What I am expecting to happen

Now that both Methodlogy and Approvers are in place and working (Showing up in the default approvers in BRM), so once I hit the 'Initiate Approval' button I am expecting the approval request to go to the defined default approver as follows:

However it isn't going to her and its going though MSMP WF as follows:

Now I don't know if this is what's meant to happen but my logic says (right or misguided) that:

• Why create an Approver Rule and define the default Approvers, if it follows an MSMP WF? and
• What happened to the Approval request, which is meant to go to the Default Approver (M Paynter)?
• Does MSMP come into play in any way to generate a Role using BRM?

So I hope, I tried to convey what is bugging me and would appreciate if you could kindly shed some light on my dilemma.

Regards,

Leo..

Hi Leo

you were clear but my brain did quite realise that your question is different to the original question here. In hindsight it would have made sense that you created your own question. In addition, having not touched BRM in 18 months I seem to have forgotten a bit (quickly checked my notes) and kept thinking all of the BRM was just BRF and not using MSMP (I think when I configured it I used the Agent rule for role owner so never had to build others).

Okay. The button to default the approver uses the BRF+ rule with the condition group mapping to default the approver. This original question was raised due to this problem. As we both agree - no MSMP involved.

The Methodology Step to submit role for approver, however, is based on Process Id SAP_GRAC_ROLE_APPR. Hence why yours is going down the MSMP path,

So the part you need to check is to go into the MSMP and look at you your Stage definition to see what Agent has been mapped. Once you identify the Agent, go to the Agent tab to see what the rule is (i.e. is it picking Role Owner agent or something else). The MSMP Instance Runtime provides the calculation steps. But it will all come down to what agent you have.

Aplogies for confusion.

In summary there are two seperate activities.

1. Default Approvers - uses BRF+ rule to help default role content and assignments approvers

2. Approve Role Step - uses the MSMP

I kept thinking about the first and you kept asking about the second

Regards

Colleen

Dear Colleen,

Thanks you. Finally some semblance of clarity. I could see from the result that MSMP has a say in the approval process but I could not fathom the fact that we are using two kinds of Approvals:

1. Role Content Approval - Through BRF+ Condition
2. MSMP Approval - Role Owner etc

That was the confusion as it seems redundant to have two approvals for pretty much the same thing. I believe in both cases (I am guessing) the Approver would be the same person, approving precisely the same thing. So why not have just one, that was my dilemma.

I still got to figure out why the Default Approver (BRF+) hasn't received any approval request though? Any thoughts?

This brings to my next problem.

Is there a way I can tie up the BRF+ Approver Rule I created, with an 'Agent Rule' in MSMP so I can use the conditions defined to dictate who the request should go to. For Example:

1. Condition 1: Then Approver1
2. Condition 2: Then Approver 2

I tried creating an Initiator Rule from scratch for SAP_GRAC_ROLE_APPR Process ID and everything seems to be OK except the Configuration ID part in Stages. The error messages are as follows:

• I tried defining my own configuration ID for Stage 1:

• So I tried changing the name of the config ID thinking maybe there is a particular naming convention I have to follow:

• Next I tried using the default configuration ID and link my Agent ID to it:

So I would appreciate it if you could you tell what on earth is happening as I never had this problem with my other Initiator Rules. Is there a particular 'Naming Convention' for stage config IDs or can I give anything as long as they start with a Z/Y/X?

Regards,

Leo..

P.S: Please do let me know if the questions are becoming a bit of a drag. I'm sure you've got more serious questions out there, which needs your expertise.

Hi Leo

I think you are at the stage where you need to open your own question as this is not really related to the original. Reference this thread so everyone else knows the full story

When you open it, please include screen shots of your MSMP configuration steps for the Process Id SAP_GRAC_ROLE_APPR

I will happily add some more comments about your questions as well but you will get others jumping in and better support to resolve

Regards

Colleen

No Worries Colleen. I gathered that from the messages. I only posted here because it was some what related but then it kept evolving, so as you pointed out it makes more sense to have raised my own. Ah well! you know what they say about hindsight and all. I was expecting more people to jump in, so one person does not have to keep answering (like yourself. My apologies) but I did not realize this is somewhat a closed conversation.

Now I have to figure out how to start this as a question on its own and reference it (add a link?) as I've never done that before but I'm sure its pretty straight forward.

Regards,

Leo..