
GRC-AC Approval WF

Former Member
0 Kudos

Hello community,

During our Access Request WF only the Manager approval is being requested. The role in question is configured with an Assignment Approver user and also a Role Content Approver.

The request is successfully created, but when the Manager of the user in question approves the request, the role is assigned. The Assignment Approver is not requested.

Does anyone know where I can adjust this?

Regards,

SL

Accepted Solutions (1)


kevin_tucholke1
Contributor
0 Kudos

Dear SL:

Without seeing your workflow set up this will be difficult to determine.  I would guess that your WF path would consist of at least the following:

1. Manager Approval Stage

2. Role Approver Stage (this would require that you either have a valid ID as the role assignment approver assigned to the role in role management)

Based upon your comments, this should not apply, but there is a scenario where if the role does not have an assignment approver AND you have set configuration to auto approve roles with no approver, it would just be auto approved or passed on to a subsequent stage.  I personally never recommend that due to the fact that it could be really easy to forget to add the approver IDs, and it may be a highly sensitive role.

You could look at the MSMP Instance Monitor for the technical details of the workflow and the decisions that were made.  You can access this either in SPRO or use transaction GRFNMW_DBGMONITOR_WD from the GRC ABAP screen.  If you look at the different tabs, you would be able to see the Audit Log (same as on the request), Messages log (this will give you all of the detailed decisions and calculations being taken), as well as a host of other items.

If the above does exist, then I would start checking the following:

1. Is the current MSMP Process ID version fully generated?

2. Do I have the correct MSMP Process ID Initiator configured in Maintain Rules?

3. Does my initiator trigger the correct workflow path and/or is my Maintain Route Mappings correct?

I hope this helps you on your way to troubleshooting MSMP workflow in GRC.

Cheers,

Kevin Tucholke

Principal Consultant

SAP America

Message was edited by: Kevin Tucholke

Former Member
0 Kudos

Hello Kevin,

Firstly, thanks for your reply, I really appreciate it. Below are the print screens from my configuration:

Probably I should configure the Role Approver stage to require Role Assigner approval. Is that right? If yes, can you help with the steps for this?

Regards,

SL

Former Member
0 Kudos

I've read more about it; probably I need to add a new Stage to the GRAC_DEFAULT_PATH for the Assignment Approver.

But which Agent ID corresponds to the Role Assignment?

Regards,

SL

kevin_tucholke1
Contributor
0 Kudos

Dear SL:

This type of set up requires some detailed planning, but in short you need to add a second stage to the existing workflow you are using.

As I look at your screen shots, it looks like you are using the GRAC_DEFAULT_PATH which is what SAP delivers out of the box.  I can tell that in most cases for the Access Request MSMP Process ID, these really need to be customized to your various scenarios.  If you have not already, you should plan out all possible provisioning scenarios (New User, Change User, Lock User, Superuser...) that you are planning to use for workflow as well as any exception processing that might happen through the workflow (i.e. SOD).  For most cases I have seen these have different paths that they will take (and Superuser Request will always be different than provisioning Security roles as that is a totally different object).  The changes I speak of here in this paragraph, will have subsequent changes to other work centers in MSMP Workflow Configuration as well as the possibility of the addition of a new initiator rule (either custom function module or BRF+).

Also, just as a hint, when you create stages, you should number them in increments of 10 so if you need to place something in between you would be able to do so easily.

To add a new stage, you need to be in the change mode for the Process ID you need to work in.  Then highlight the path (as you have shown), then under the Stage area click create.  Configure the stage as needed with the correct parameters (Stage Details).  If you want notifications out, then you need to click on Stage notification settings.

The amount of planning required to properly set this up is definitely more than it takes to configure, but will be time well spent as this can be quite confusing when you finally get all of your workflows in.

I have given you the very high level steps to do this, and to give you any more would be impossible for me as I would have many questions to ask you as your preference on how your workflow is to work.

If you had left the Default path with the 3 stages that were delivered, then all you would have needed to do for a Role Provisioning request would have been to generate the initial version, but I only see that there is 1 stage in your default.

As a final thought for this, if you have a chance to take the GRC300 course offered by SAP Education, it spends an ENTIRE DAY on training just the basics of MSMP related BRF+ and the MSMP Configuration.

As you can probably tell, this is just not something that you can 'plug and play' if you will for configuration.  If the education course is not an option, I would look at bringing in a GRC consultant to help you with this and do some knowledge transfer in this area.

Sorry for the long answer, but I have had many people try this on their own and not plan first, and at the end of the day, we have ended up ripping out everything for workflow and starting over, and I just want to try to make sure you may not have to go through that.

Sincerely

Kevin Tucholke

Principal Consultant

SAP America


kevin_tucholke1
Contributor
0 Kudos

Dear SL:

I believe that is listed as GRAC_ROLEOWNER (a little mis-named), but used in the Access Request process ID, this will look at the Owners in the role that are tagged with the Assignment Approver.

Make sense?

Thanks!

Kevin Tucholke

Former Member
0 Kudos

Hi Legend,

Role approval stage is missing from your MSMP workflows.

You need to set that up to have role assignment and role content approver processes in place.

And you can select: GRAC_ROLEOWNER as agent ID for role assignment.

Regards,

Ameet

Former Member
0 Kudos

Hello Kevin,

I added the GRAC_ROLEOWNER stage and now it is working as I expected. I understand (within my limitations) and agree with your suggestion; unfortunately an SAP consultant or GRC 300 are not an option at this moment.

We have already drawn the workflows and some standard scenarios won't be used. Now I will read and learn more about MSMP. The new challenge is to remove the unused Request Types from the list shown below:

And also to create a new one, very similar to Change Account. Hope we can copy everything from one to the other and just adjust what is necessary.

Thanks man, if I were your boss I would certainly give you a promotion.

Best regards,

SL

kevin_tucholke1
Contributor
0 Kudos

Request types are very easy to set up and also to disable (disable is just to unclick the Active box).  Also, if you don't need 2 change types, then you could just modify the existing with additional actions or update the text if you need to, otherwise you will need to just ADD (no copy functionality available for this) new entries.  Just 4 easy steps....

In the Request type maintenance IMG activity:

1.  Click new entries

2. Enter description, mark it active, select the appropriate MSMP process ID this relates to.

     NOTE:  Numbering will be automatic

3.  Click Select Action folder, add necessary actions that this request type would be able to perform.

4. Click SAVE, add to transport.

Hope this helps...

Kevin Tucholke

Principal Consultant

SAP America

Former Member
0 Kudos

God save America.

Best regards,

SL

leos
Active Participant
0 Kudos

Thanks for the great pointers and taking the time to share your expertise on this matter Kevin. I know it ain't my question but the information provided is applicable to everyone I suppose!

Never even knew there is a tcode to get detailed info on workflow instances (GRFNMW_DBGMONITOR_WD). Cheers for that. I can add that to my arsenal!!

Regards,

Leo..
