cancel
Showing results for 
Search instead for 
Did you mean: 

GRC AC10.0 FF Workflows are not completing

Former Member
0 Kudos

Dear all,

after configuring the FF Access Request but also the FF Log Review Workflows and double checking all Post Implementation guides same as discussions at the SCN, I still have an issue.

While running through the WF I can submit / approve for each of the Workflows the ticket nothing happens afterwards. The Audit Log each time says e.g. "access is approved" or log is "approved by FF_CONTROL" but the workflow will remain the MSMP Instance Runtime Monitor on "decision pending" and is not coming to an end.

Does anyone has some good ideas?

Thanks,

Christian

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

So, quite interesting. When assigning SAP_ALL to the FF-Owner or FF-Controller for processing the approval it works. So it is an authorization issue and the SU53 is evidencing that. Based on that issue log, there are a large amount of authorizations missing.

So my questions for you would now be: what roles are you assigned our Owner/Controller to run smoothly through the workflows.

Thanks!

Colleen
Advisor
Advisor
0 Kudos

Hi Christian

looks like you found the root cause. There are SAP standard roles that you can use as the basis

Generally, I run a trace to identify the authorisations (transaction STAUTHTRACE is great) and then sift through them to build the role. I pretty much take this approach for any security build (as well as using SU24 data as guidelines). SU24 data didn't help me much as none of the webdynpros or services had proposed values

Controller and Owner access will vary across everyone's system as it depends on whether workflow, etc is being used.

Regards

Colleen

Former Member
0 Kudos

So the miracle is solved: I created after the SU53 review an additional role that was containing the following objects: S_TCODE, S_RFC, S_CTS_ADMI, S_CTS_SADM and GRAC_REQ. I don't exactly know, why those are not complete but anyhow - now it is working fine.

Former Member
0 Kudos

Thanks, Colleen. Indeed, the problem is solved. Again thanks for your help. Without your first reply I would have missed to let the SLG1 being cleaned up. 😉

Cheers,

Christian

Colleen
Advisor
Advisor
0 Kudos

Hi Christian

Try removing S_CTS_ADMI and S_CTS_SADM from the role. This are most likely misleading authorisation checks (sometimes authorisation failure is a good thing and won't negatively impact the users). SU53 and security trace files provide some of the picture but shouldn't be taken as is. If they are needed, I would raise an incident with SAP.

S_RFC should be restricted to explicitly values. Depending on the GRAC_REQ values - you may not need all activities (sometime it loops through each value until you have at least one of the activities). These two objects do make sense as being required.

Regards

Colleen

Answers (1)

Answers (1)

Colleen
Advisor
Advisor
0 Kudos

Hi Christian

not sure if these are "good ideas" so I'll let you be the judge

  • obvious check - do you have any additional stages in your MSMP workflow for that path?
  • what Version and SP are you on (might be a bug)
  • Are you able to check SLG1, etc to see if there are any potential authorisation or other issues preventing the underlying Workflow from completing
  • Does SWIA transaction provider anything about the specific task (more than like the MSMP instance runtime will have this covered)

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

thanks for your prompt answer. Here my thoughts:

  • We are on V10.0, SP 14 due to an older NW version.
  • MSMP workflows are both having only one stage, but they are not closed for any reason.
  • SLG1 looks good besides one error for the WF-BATCH user saying "tRFC for work item 000000032014 is still in SM58 queue". These issues are not GRC related but might be worth investigating on them.
  • SWIA also looks okay for the single WF items mentioned in MSMP instance runtime. What's a bit confusing is that the workflow MSMP instance says approval pending, when looking into the work items is seems that all is complete. very stange. But compared to a rejected (completed) instance it seems that the stage status is not update but only the line item.

The funny thing is, when rejected an FF access request, this is running through properly.

Any ideas?

Thanks again,

Christian