
HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

Former Member
0 Kudos

Hi SAP gurus,

I configured the GRC 10 system successfully. I created one user, GR_AR_APP001, and assigned the following roles:

SAP_GRAC_ACCESS_APPROVER

SAP_GRAC_ACCESS_REQUEST_ADMIN

SAP_GRC_FN_BASE

SAP_GRC_FN_BUSINESS_USER

and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"

But when I create an access request for a new user and define the MANAGER under the user details tab as GR_AR_APP001, the user GR_AR_APP001 does not receive any request for APPROVE or REJECT in his WORK INBOX.

Can you please guide me on how to configure the APPROVER or MANAGER to approve or reject requests?

I will be very much thankful if you guide me successfully.

Accepted Solutions (0)

Answers (3)



Colleen
Advisor
0 Kudos

Hi Sahil

Who are the agents in your MSMP? Have you looked at the MSMP instance runtime to see where it is attempting to send the request to?

If the Manager is receiving the request but the buttons are missing, what is in the configuration for the stage in the MSMP path?

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Sorry for the late reply, as I was trying all the options, but I am not able to do it.

In MSMP, I maintained all the default stages. In MSMP stage 3, I used the default agent id, that is GRAC_MANAGER,

and created one user:

GR_AR_APP001, and assigned the following roles:

SAP_GRAC_ACCESS_APPROVER

SAP_GRAC_ACCESS_REQUEST_ADMIN

SAP_GRC_FN_BASE

SAP_GRC_FN_BUSINESS_USER

and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"

but still this user: GR_AR_APP001 is not getting any request in his WORK INBOX.

I tried one more option, I created one agent ID in STAGE3:

AGENT ID: ZGRAC_MANAGER

AGENT NAME: ZGRAC MAAER

AGENT PURPOSE: APPROVAL

AGENT TYPE: DIRECTLY MAPPED USERS

APPROVER GROUP ID: ZGRAC_MANAGER1

in which I added GR_AR_APP001 user,

and saved and activated msmp.

I created one request through ARM for a new account.

and I logged into system by GR_AR_APP001,

but still not able to see any request in his WORK INBOX.

Please, can you guide me on how to configure the approver?

I have been trying it for the last one week.

Thanks in advance.

Colleen
Advisor
0 Kudos

Hi Sahil

Can you please post some screen shots of your MSMP configuration (Initiator Rule, Path/Stage and Agent)? Also include a screen shot of the MSMP instance runtime monitor for Agent routing to see how the path is evaluated.

When you built your MSMP, did you save and activate it at the end? Did you also complete the workflow configuration tasks in the IMG (General Folder/Shared) for the Workflow?

The MSMP instance runtime will show if the MSMP has been configured to go to the correct path.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Thanks a lot for your time.

PIC1: I created one user: GR_AR_APP001

and assigned all the GRC ROLES.

PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS

PIC3: I created one EUP 980 (copied from default EUP)

PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP

PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id

PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001

PIC7: I saved agent id

PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.

PIC9: I saved

PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings

PIC11: Maintain Route Mapping, I clicked on next

PIC12 and PIC13: I saved and activated.

After this process I created one request for a new account and selected the manager as GR_AR_APP001, and one request was created with request no 9000000030.

Now I logged into the system as user GR_AR_APP001 and checked; there is no request under his work inbox.

Please guide me through at least one procedure for receiving a request in the approver's work inbox, so that I can learn other procedures to configure the approver as per our organization's requirements.

Thanks for your support, Colleen.

Colleen
Advisor
0 Kudos

Hi Sahil

Adding the manager to the EUP configuration would not have been mandatory. Also, because you have defined a custom group in MSMP as the Agent, all of the agent setup for the user is not necessary (it does not matter if you enter the Manager User Id on the user access request form, as that field is used if you had chosen the SAP Standard Manager Agent rule).

The last screen shot that will help you the most is the MSMP Instance Runtime Monitor (GRFNMW_DBGMONITOR_WD). If you go in there and find your workflow request, you can go to configuration and look at the runtime tab for Approvers (Google or search SCN and you will get information). This should show you the evaluation path of the MSMP to locate the approver. It will also show you if it was unable to find the agent.

Two other things to check.

1. Does the SU01 account have an email address assigned (both Approver and your Workflow User Id)?

2. Did you complete the Workflow customising via the IMG (refer path below) for task TS76308026 and activate workflow WS76300056?

IMG Path: Governance, Risk and Compliance > General Settings > Workflow > Perform Task-Specific Customizing

If you have ruled out those two issues and the MSMP claims the item is with the agent but you cannot see it in the POWL inbox in NWBC then:

  • When you switch between the accounts, make sure you did log out of yours and into the approver's. I have found NWBC HTML to buffer user credentials in the browser. It was quite annoying closing everything down to switch.
  • In the NWBC Work inbox (POWL), press the refresh button to see if it needs to rerun the query to display the work items (they should appear on the ALL or the AC tabs, not PC or RM).

As a general observation, you need to go through any study notes, as it looks like you are attempting anything to get it to work. The Access Control Owners for Security, Point of Contact, etc. will not help in this situation. You do not need to define the Manager approver in the EUP for MSMP to work.

Let us know how you go with those checks.

Regards

Colleen



Former Member
0 Kudos

Hi Colleen,

Thank you very much for your response.

The following are the answers to your suggestions:

1. "Adding the manager to the EUP configuration would not have been mandatory"

    The Manager User Id on the user access request form as that field is used if I had chosen the SAP Standard Manager Agent rule, but I already tried using Standard Manager, but I have not received any request in manager inbox.

     First of all I want to know, if I used Standard Manager, which user will get the request in work inbox, who will be approver, is there any standard manager user id defined?

2. "The last screen shot that will help you the most is the MSMP Instance Runtime Monitor (GRFNMW_DBGMONITOR_WD)"

    

     I did not understand, where can I look at runtime tab for approvers?

3.  "Two other things to check.

     1. Does the SU01 account have an email address assigned (both Approver and your Workflow User Id)?

     2. Did you complete the Workflow customising via the IMG (refer path below) for task TS76308026 and activate workflow WS76300056?"

          1. How do I assign an email address to the approver and workflow user id?

          2. Yes, I completed the Workflow customizing via IMG.

4.

          Yes, I switched the accounts and logged out. But I haven't found any requests in the inbox.

          Guide me on how to configure the approver successfully. Suggest a step-by-step document so that I can configure approvers successfully.

Thanks for your precious time to answer my queries Colleen.

Thanks a lot. I will be waiting for your next reply.

Colleen
Advisor
0 Kudos

Hi Sahil

If you had used the Manager Agent in MSMP then it is a SE37 function module. You could look at the code and see what it does. In a nutshell, the Manager agent looks for the Manager entered in the Request Field.

The EUP configuration won't help you there except to default the Manager Id. Check your Access Request to see that the User Id is the manager you have for your configuration.

As far as the Instance Runtime goes, that was a poorly worded sentence on my side. What I am saying is go execute the transaction and look for the runtime details for the Access Request so that you can see what MSMP path/stage the request went to and if an Agent was identified. Transaction is GRFNMW_DBGMONITOR_WD. Again, search or Google for this transaction and you will find information on it. It is a key transaction to assist in troubleshooting.

Please note if you make changes to the MSMP configuration you will need to create a new access request to test for configuration.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

I read almost all the materials including GRC300 Course Version 10, Material Number: 50108669.

But I haven't found any step by step document where I can configure the Manager or the Approver.

I learnt BRF+ Initiator Rule, Agent Rule and Routing Rule, but I could not configure the Approver who can approve the request.

I have tried all the documents from SCN. Can you please guide me on how to configure the Approver with a step-by-step procedure?

The following are the screen shots of transaction GRFNMW_DBGMONITOR_WD.

Thanks for your valuable time.

Colleen
Advisor
0 Kudos

According to your screen shot, the item should be with the approver.

Are you sure you completed workflow config?

Can you look in the NWBC POWL inbox for the approver again?

What support pack are you on?

Former Member
0 Kudos

Thanks for your quick reply Colleen.

Yes, I checked the work inbox of the Approver.

Following is the screen shot.

And the support pack is GRCFND_A     V1000     0009.

Former Member
0 Kudos

Hi Colleen,

Is there any document to configure the Approver?


former_member184114
Active Contributor
0 Kudos

Sahil,

I have not gone through your complete post, sorry for jumping into the discussion. But I believe you were trying to access the work item for the approver (Manager, I think). I noticed that you added "ZGRAC_MANAGER11" as approver agent id and the approver type is "Directly Mapped Users".

May I know if you have maintained any User id for this type of agent? Secondly, are you checking correctly for the maintained approver id?

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

Thanks for your response.

Yes, I maintained one user id in ZGRAC_MANAGER11 as GR_AR_APP001 and maintained this user in the access control owner list as Security Lead and Point of Contact.

But I am still not able to get the request in the GR_AR_APP001 user's work inbox.

I just want to know how to configure an approver who should be able to get the request in his work inbox and be able to approve the request.

Can you guide me on how to configure the approver with a step-by-step procedure, or at least send me the document so that I can configure it myself?

Thanks a lot for your reply.

former_member184114
Active Contributor
0 Kudos

Sahil,

Actually, Manager as Approver is provided in the Access Request in the User Details tab. His ID is maintained in the GRC System (for example: MANAGER). This "MANAGER" ID is maintained in the Manager field (in User Details) of the Access Request.

If you use the standard Agent Rule "GRAC***MANAGER", this will automatically send the request to "MANAGER", and if you log in using the MANAGER ID, you will be able to see the work item pending for his approval.

This is the standard behavior and straightforward.

I am not sure what the purpose is behind using this custom agent. Can you tell me if this custom agent you used is really required?

If possible, can you change as I said above?

Regards,

Faisal

Colleen
Advisor
0 Kudos

Hi Sahil

Please be a bit more considerate of those of us who volunteer our time. My Friday night isn't always glued to SCN and I do have a day job.

Faisal has already jumped in and explained the Manager agent. The reality though, I have given you places to look and approaches to investigate. Please stop asking for "step by step instructions". They don't exist, and even if they did you would get further learning GRC by troubleshooting and investigating yourself.

The SAP standard Manager Agent rule uses an SE37 function module which goes to the access request and identifies the manager entered in the access request at time of submission.

The MSMP instance run-time screen shot you showed me suggests the item did route to the intended agent (even though you built a custom rule). You could go back to that transaction and look at the configuration for workflow to see the MSMP steps being evaluated (as I suggested already). So if you configured your Workflow tasks properly (changed from background to general task); ensured the user master for the manager exists and has email assigned; and pressed the refresh button on the manager's POWL inbox for items, then you are probably at the stage where you need to raise an incident with SAP and get them to investigate for you. If you decide to raise an incident, it might be worth searching for notes since you are on an older support pack.

I cannot help you any further without logging into your system - which is not an option.

Regards

Colleen

PS - it took me days to get my first MSMP process configured and working. Yes it was frustrating and took a while to figure out. However, once I did master it (and there was no-one available to give me step by step instruction), I did find it much easier to troubleshoot the next items.

Former Member
0 Kudos


Hi Colleen,


I am facing a similar issue with my MSMP workflow, as my standard GRAC MANAGER agent rule is not able to find the manager ID provided in the access request field for manager in stage 01 of the workflow, and no work item is triggered in the inbox for the manager to approve. I don't even get a notification for the request submission; the WF-Batch user appears to be fine, as I get alerts for mitigation controls.

When I checked Perform Task-Specific Customizing, I could not find TS76308026 and workflow WS76300056 under the GRC folder. Please advise, as the GRFNMW_DBGMONITOR_WD logs are not helping me in this case.

Thanks

BR,

Sushant

Former Member
0 Kudos

Hello Colleen,

The workflow issue posted by me is resolved, but the email notification is not working.

However, the task TS76308026 still doesn't appear in the hierarchy for GRC in the customizing IMG activity (Perform Automatic Workflow customizing). Do we expect to see this task in the hierarchy?

BR,

Sushant

Colleen
Advisor
0 Kudos

Hi Sushant

Within the IMG, look at the help information for workflow customising. You will see the list of workflows and tasks. It may have been that I wrote the wrong value.

If your email notification is still not working, have a look to see that the workflow user has a valid email address and so does the recipient. In addition, look in SOST to see if you can find any information regarding the issue. Finally, check the MSMP instance runtime to see if any logs appear for trying to find the users to send the notification to.

Regards

Colleen

Former Member
0 Kudos

Thanks, Colleen, for a quick response. Most of your posts have helped me immensely.

The issue with email notification has been resolved; the sapconnect job had gone for a toss and hence the failure to trigger emails. My MSMP AR workflow is successful and provisioning is done in the target system with notification at every stage as configured.

However, I am still not getting the desired results from the final provisioning email that gets triggered to the end user / requestor. Below is the context in the email.

"

Hi GRCADMIN
(DEMO_USER1),

The Request number : 29 , has been processed and the Request is Closed. The
details are as follows:

Z_XXXX_XXX_PAY_ADM Role assigned to DEMO_USER1 ( XXXCLNT200 )

Kind regards,

Access Control Administrator

"

NOTE : I had logged in as GRCADMIN and created a new user creation request for user DEMO_USER1 and as this was a new user creation request, I expected the %PROVISIONING% variable to capture and display the USER ID and password info as well in this notification.

The global provisioning settings for email is yes in IMG node for user provisioning.

I am trying to troubleshoot, but your comments may help me to expedite.

BR,

Sushant