GRC 10.0 ARM - Request picks up wrong manager

former_member297605
Active Participant
0 Kudos

Hi All

I have a client who is on IdM 7.2 SP 6 with integration into GRC - AC 10.0 for Risk Analysis.

The system is set up in such a way that when the HR/PY team in the business hires a new employee and flags the position for SAP access, the IdM extract job in SAP pushes the user into IdM. In IdM the required Business roles are assigned to the user, which automatically triggers a GRC Access Request in GRC with the roles required for the user, and this is sent to the user's manager for approval. Once approved, it is sent back to IdM and the user is provisioned with the required SAP access roles.

The issue I have is that two new users are assigned to the same position in SAP HR. For one, the manager has received the GRC approval email and has approved the request, and the user has been provisioned. However, for the other user, who is assigned to the same position, the manager has not received an email for approval and has no workflow inbox item to approve. On investigation I found that for the second user the Access Request has somehow picked up the wrong manager. How is this possible? What should I check to understand how this occurred? Please advise.

I have already checked the following

1. Checked SLG1 - no errors

2. Checked the Org structure and both users are assigned to the same org unit/position.

3. The HR/PY team have confirmed that the PA20 records are the same for both users.

4. The MSMP Instance Runtime monitor shows the following

Thanks

Ran

Accepted Solutions (0)

Answers (3)

FilipGRC
Contributor
0 Kudos

Hi Ranjit,

To help, I need to understand better what exactly you did. First, did the second manager (wrong) receive any notification? Second, was this in separate requests or in one request using the multiple users option?

Are both users correctly maintained in PA105 in terms of system logins?

former_member297605
Active Participant
0 Kudos

Hi Filip.... It actually goes straight to the GRC admin - not sure why as both users are assigned to the same HR position. For one user, the approval goes to the correct manager and for the other to the GRC admin.

There is IdM integration in the setup, i.e. when a business role is requested to be assigned in IdM, it sends it to GRC AC and an access request is raised automatically for each user, and manager approval is sought here. Once approved, the result is sent back to IdM and the roles are assigned to the users.

So, it was separate requests.

Yes, their infotype 105 setup is correct.

Thanks

Ran

alessandr0
Active Contributor
0 Kudos

Dear Ran,

Did you see note 1635411?

In some systems it is also necessary to check the communication info type 0105 in HR to ensure the personnel is mapped with the SAP user id.

Keep us updated if the issue could be fixed.

Best regards,

Alessandro

former_member297605
Active Participant
0 Kudos

Hi Alessandro.....Thanks for your advice and sorry for my late response. I will check the SAP note.

The 0105 infotype is maintained with the correct usernames for the users.

Thanks

Ran

former_member192837
Participant
0 Kudos

Hi,

Check the IDM-VDS logs for both access requests to see what was handed over from IDM to GRC.

Regards

Dilip

former_member297605
Active Participant
0 Kudos

Hi Dilip..... Thanks for your advice and sorry for my late response. I am quite new to IdM. Please could you let me know where to look for the IDM-VDS logs?

Thanks

former_member192837
Participant
0 Kudos

Hi,

Open the operations log at <VDS install directory>\configurations\<your config name>\log\operation.trc

And check the logs for the access request of your concern.

Regards

Dilip

former_member297605
Active Participant
0 Kudos

Thanks Dilip... I'll try that.

former_member297605
Active Participant
0 Kudos

Hi Dilip

Please see below, is this where I should be looking for the relevant Access Requests?

How do I search specifically for the Access Requests in this log?

Please advise.

Thanks a lot.

former_member192837
Participant
0 Kudos

Hi,

Try searching with the user ID or Access Request number, or try replicating and check the recent logs.

Regards

Dilip

former_member297605
Active Participant
0 Kudos

Hi Dilip

The log only shows data for today.

How do we check the logs for a specific date in the recent past?

Please advise.