on 07-01-2014 2:18 PM
Hi All
I have a client who is on IdM 7.2 SP 6 with integration into GRC - AC 10.0 for Risk Analysis.
The system is set up in such a way that when the HR/PY team in the business hires a new employee and flags the position for SAP access the IdM extract job in SAP pushes the user into IdM. In IdM the required Business roles are assigned to the user which triggers a GRC Access Request automatically in GRC with the roles required for the user and sent to the user's manager for approval. Once approved it is sent back to IdM and the user is provisioned with the required SAP access roles.
The issue I have is two new users are assigned to the same position in SAP HR. For one the manager has received the GRC approval email and has approved the request and the user has been provisioned. However, for the other user who is assigned to the same position the manager has not received an email for approval or has a workflow inbox item to approve. On investigation I found that for the second user the Access Request has some how picked up the wrong manager. How is this possible? What should I check to understand how this occurred? Please advise.
I have already checked the following
1. Checked SLG1 - no errors
2, Checked the Org structure and both users are assigned to the same org unit/position.
3. The HR/PY team have confirmed that the PA20 records are the same for both users.
4. The MSMP Instance Runtime monitor shows the following
Thanks
Ran
Hi Ranjit,
to help I need to understnad bettwe what exacly you did - first did the second manager (wrong) received any notificaiton? Second was this is separate requests or in one request using multiple users option?
Are both users corectily maintained in PA105 in terms of system logins?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Filip.... It actually goes straight to the GRC admin - not sure why as both users are assigned to the same HR position. For one user, the approval goes to the correct manager and for the other to the GRC admin.
There is IdM integration in the set up i.e. when a business role is requested to be assigned in IdM it sends it to GRC AC and a access request is raised automatically for each user and manager approval is sought here. Once approved the result is sent back to Idm and the roles are assigned to the users.
So, it was separate requests.
Yes their inotype 105 set up is correct.
Thanks
Ran
Dear Ran,
did you see note 1635411.
In some systems it is also necessary to check the communication info type 0105 in HR to ensure the personnel is mapped with the SAP user id.
Keep us updated if the issue could be fixed.
Best regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi, Check IDM-VDS logs for both the access request what was handed over from IDM to GRC. Regards Dilip
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.