on 09-07-2014 2:57 PM
hi sap gurus,
i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_ACCESS_REQUEST_ADMIN
SAP_GRC_FN_BASE
SAP_GRC_FN_NUSINESS_USER
and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
I will be very much thankful if you guide me successfully.
This message was moderated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
This message was moderated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sahil
Who are the agents in your MSMP? Have you looked at the MSMP instance runtime to see where it is attempting to send the request to?
If the Manager is receiving the request but the buttons are missing what is in the configuration for the stage in the MSMP path?
Regards
Colleen
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Colleen,
sorry for late reply as I was trying all the options, but I am not able to do it.
in MSMP, I maintained all the default stages, in MSMP stage3, I used the default agent id, that is GRAC_MANAGER,
and created one user:
GR_AR_APP001 and assign following roles:
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_ACCESS_REQUEST_ADMIN
SAP_GRC_FN_BASE
SAP_GRC_FN_NUSINESS_USER
and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
but still this user: GR_AR_APP001 is not getting any request in his WORK INBOX.
I tried one more option, I created one agent ID in STAGE3:
AGENT ID: ZGRAC_MANAGER
AGENT NAME: ZGRAC MAAER
AGENT PURPOSE: APPROVAL
AGENT TYPE: DIRECTLY MAPPED USERS
APPROVER GROUP ID: ZGRAC_MANAGER1
in which I added GR_AR_APP001 user,
and saved and activated msmp.
I created one request thought ARM for new account.
and I logged into system by GR_AR_APP001,
but still not able to see any request in his WORK INBOX.
Pls... can u guide me how to configure approver.
I have been trying it for the last one week.
Thanks in advance.
Hi Sahil
Can you please post some screen shots of your configuration for the MSMP configuration (Initiator Rule, Path/Stage and Agent). Also include a screen shot of the MSMP instance run time monitor for Agent routing to see how the path is evaluated.
When you built you MSMP did you save and activate it at the end? Did you also complete the workflow configuration tasks in the IMG (General Folder/Shared) for the Workflow?
The MSMP instance runtime will show if the MSMP has been configured to go to the correct path.
Regards
Colleen
Hi Colleen,
thanks a lot for your time.
PIC1: I created one user: GR_AR_APP001
and assigned all the GRC ROLES.
PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
PIC3: I created one EUP 980 (copied from default EUP)
PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
PIC7: I saved agent id
PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
PIC9: I saved
PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
PIC11: Maintain Route Mapping, I clicked on next
PIC12 and PIC13: I saved and activated.
After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
thanks for your support Colleen.
Hi Sahil
Adding the manager to the EUP configuration would not have been mandatory. Also, because you have defined a custom group in MSMP as the Agent, all of the agent setup for the user is not necessary (it does not matter if you put enter the Manager User Id on the user access request form as that field is used if you had chosen the SAP Standard Manager Agent rule).
The last screen shot that will help you the most is the MSMP Instance Runtime Monitor (GRFNMW_DBGMONITOR_WD). If go in there and find your workflow request you can go to configuration and look at the runtime tab for Approvers (google or search SCN and you will get information). This should show you the evaluation path of the MSMP to locate the approver. It will also show you if it was unable to find the agent.
Two others things to check.
1. Does the SU01 account have an email address assigned (both Approver and your Workflow User Id)?
2. Did you complete the Workflow customising via the IMG (refer path below) for task TS76308026 and activate workflow WS76300056?
IMG Path: Governance, Risk and Compliance > General Settings > Workflow > Perform Task-Specific Customizing
If you have ruled out those two issues and the MSMP claims the item is with the agent but you cannot see it in the POWL inbox in NWBC then:
As a general observation you need to go through any study notes as it looks like you are attempting anything to get it to work. The Access Control Owners for Security, Point of Contact, etc will not help in this situation. You do not need to define the Manager approver in the EUP for MSMP to work.
Let us know how you go with those checks
Regards
Colleen
Hi Colleen,
thank you very much for your response.
following are the answers for your suggestions:
1. "Adding the manager to the EUP configuration would not have been mandatory"
The Manager User Id on the user access request form as that field is used if I had chosen the SAP Standard Manager Agent rule, but I already tried using Standard Manager, but I have not received any request in manger inbox.
First of all I want to know, if I used Standard Manager, which user will get the request in work inbox, who will be approver, is there any standard manager user id defined?
2. "The last screen shot that will help you the most is the MSMP Instance Runtime Monitor (GRFNMW_DBGMONITOR_WD)"
I did not understand, where can I look at runtime tab for approvers?
3. "Two others things to check.
1. Does the SU01 account have an email address assigned (both Approver and your Workflow User Id)?
2. Did you complete the Workflow customising via the IMG (refer path below) for task
TS76308026 and activate workflow WS76300056?
1. How to assign email address to approver and workflow user id?
2. Yes, I completed the Workflow customizing via IMG
4.
Yes, I switched the accounts and log out. But I haven't found any requests in inbox.
Guide me how to configure approver successfully. Suggest step by step document so that I could configure approvers successfully.
Thanks for your precious time to answer my queries Colleen.
Thanks a lot. I will be waiting for your next reply.
Hi Sahil
If you had used the Manager Agent in MSMP then it is a SE37 function module. You could look at the code and see what it does. In a nutshell, the Manager agent looks for the Manager entered in the Request Field.
The EUP configuration won't help you there except to default the Manager Id. Check your Access Request to see that the User Id is the manager you have for your configuration.
As far as the Instance Runtime goes, that was a poorly worded sentence on my side. What I am saying is go execute the transaction and look for the runtime details for the Access Request so that you can see what the MSMP path/stage the request went to and if an Agent was identified. Transaction is GRFNMW_DBGMONITOR_WD. Again, search or Google for this transaction and you will find information on it. It is a key transaction to assist in troubleshooting.
Please note if you make changes to the MSMP configuration you will need to create a new access request to test for configuration.
Regards
Colleen
Hi Colleen,
I read almost all the materials including GRC300 Course Version 10, Material Number: 50108669.
But I haven't found any step by step document where I can configure the Manager or the Approver.
I learnt BRF+ Initiator Rule, Agent Rule and Routing Rule, but I could not configure the Approver who can approve the request.
I have tried all the documents from SCN, Can u please guide me how to configure the Approver step by step procedure.
The following are the screen shots Transaction GRFNMW_DBGMONITOR_WD.
Thanks for your valuable time.
Sahil,
I have not gone through your complete post, sorry for jumping into the discussion. But, believe you were trying to access work item for approver (Manager, I think)). I noticed that you added "ZGRAC_MANAGER11 " as approver agent id and the approver type is "Directly Mapped Users".
May I know if you have maintained any User id for this type of agent? Secondly, are you checking correctly for the maintained approver id?
Regards,
faisal
Hi Faisal,
Thanks for your response.
Yes I maintained one used id in ZGRAC_MANAGER11 as GR_AR_APP001 and maintained this user in access control owner list as Security Lead and Point of Contact.
But still not able to get request in GR_AR_APP001 user work inbox.
I just want to know how to configure approver, who should be able get request in his work inbox and able to approve the request.
can guide me how to configure approver step by step procedure or at least send me the document so that my self will configure.
thanks a lot for your reply.
Sahil,
Actually Manager as Approver is provided in Access Request in User Details Tab. His ID is maintained in GRC System (for example: MANAGER). This "MANAGER" ID is maintained in Manager Field (in User Details) of Access Request.
If you use standard Agent Rule "GRAC***MANAGER", this will automatically send the request to "MANAGER" and if you login using MANAGER ID, you will be able to see the work item pending for his approval.
This is the standard behavior and straight forward.
I am not sure what is the purpose behind using this custom Agent agent. May you tell if this custom agent what you used is really required?
If possible, can you change as I said above?
Regards,
Faisal
Hi Sahil
Please be a bit more considerate of those of us who volunteer out time. My Friday night isn't always glued to SCN and I do have a day job
Faisal has already jumped in and explained the Manager agent. The reality though, I have given you places to look and approaches to investigate. Please stop asked for "step by step instructions". They don't exist and even if they did you would get further learning GRC by troubleshooting and investigating yourself.
The SAP standard Manager Agent rule uses an SE37 function module which goes to the access request and identifies the manager in entered in the access request at time of submission.
The MSMP instance run-time screen shot you showed me suggests the item did route to the intended agent (even though you built a custom rule). You could got back to the that transaction and looking at the configuration for workflow to see the MSMP steps be evaluated (as I suggested already). So if you configured you Workflow tasks properly (changed from background to general task); ensured the user master for the manager exists and has email assigned; and press the refresh button on the managers POWL inbox for items then you are probably at the stage where you need to raise an incident with SAP and get them to investigate for you. If you decide to raise an incident, it might be worth searching for notes since you are on an older support pack.
I cannot help you any further with out logging into your system - which is not an option.
Regards
Colleen
PS - it took me days to get my first MSMP process configured and working. Yes it was frustrating and took a while to figure out. However, once I did master it (and there was no-one available to give me step by step instruction), I did find it much easier to troubleshoot the next items.
Hi Colleen,
I am facing a similar issue with my MSMP workflow as my standard GRAC MANAGER agent rule is not able to find the manager ID provided in access request field for manager in the stage 01 of workflow and no work item is triggered in the inbox for manager to approve.I dont even get notification for the request submission ; the WF-Batch user appears to be fine as I get alerts for mitigation controls
when I checked the Perform Task-Specific Customizing ; I could not find TS76308026 and workflow WS76300056 under the GRC folder;please advise as GRFNMW_DBGMONITOR_WD logs are not helping me in this case.
Thanks
BR,
Sushant
Hello Colleen,
The workflow issue posted by me is resolved but the email notification is not working .
However, the task TS76308026 still doesn't appear in the hierarchy for GRC in the custoimizing IMG activity(Perform Automatic Workflow customizing) ;Do we expect to see this task in the hierarchy ?
BR,
Sushant
Hi Sushant
within the IMG look at the help information for workflow customising. You will see the list of workflows and tasks. It may have been that I wrote the wrong value
If your email notification is still not working, have a look to see that the workflow user has a valid email address and so does the recipient. In addition, look in SOST to see if you can find any information regarding the issue. Finally, check the MSMP instance runtime to see if any logs appear for trying to find the users to send the notification to
Regards
Colleen
Thank Colleen for a quick response;Most of your posts have helped me immensely.
The issue with email notification has been resolved; the sapconnect job had gone for a toss and hence the failure to trigger emails ; My MSMP AR workflow is successful and provisioning is done in the target system with notification at evey stage as configured.
However , I am still not getting the desired results from the final provisioning email that gets triggered to the end user \ requestor.Below is the context in the email.
"
Hi GRCADMIN
(DEMO_USER1),
The Request number : 29 , has been processed and the Request is Closed. The
details are as follows:
Z_XXXX_XXX_PAY_ADM Role assigned to DEMO_USER1 ( XXXCLNT200 )
Kind regards,
Access Control Administrator
"
NOTE : I had logged in as GRCADMIN and created a new user creation request for user DEMO_USER1 and as this was a new user creation request, I expected the %PROVISIONING% variable to capture and display the USER ID and password info as well in this notification.
The global provisioning settings for email is yes in IMG node for user provisioning.
Iam trying to troubleshoot but your comments may help me to expedite.
BR,
Sushant
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.