
In ARM, while creating a new/change request, roles are not added.

0 Kudos

Hello Gurus,

I am implementing SAP GRC 10.1, in which I have encountered this issue in ARM: whenever I create a new/change request, the new user is created but the assignment of the roles to this new user is not done. The roles for the new user are empty.

FYI, in MSMP I have defined an agent ID as PFCG user groups, so basically it means all the approvals will come to the users who belong to the user group. As an approver I am going into the inbox and approving the request; the request has been successfully processed and the new user has been created, but the role is not assigned to him.

Please help.

Thanks

Accepted Solutions (1)

0 Kudos

Hello all,

There was an authorization for WF-BATCH user.

Answers (6)

0 Kudos

Hello All,

Can you all please confirm the actions in Request type?

The following screenshot is the list of actions in Request type in my system; I don't see anything as Assign Role.

former_member185447
Active Contributor
0 Kudos

Hello Feroz,

  • Did you upload roles into BRM?
  • Did you set the status of the roles to production?

regards

deepak m

former_member204479
Active Participant
0 Kudos

Raj, Deepak,

If the roles are not uploaded in BRM or the status is not production or provisioning is not allowed ... the Roles would not be available for selection in the access request form itself, right?

But from the audit log it does look like the role was added to the request and submitted.

Feroz,

Action "Assign Objects" applies to roles and FF IDs/roles. There is no separate action called "Assign Roles".

Thanks

Sammukh

rindia
Active Contributor
0 Kudos

Hi Sammukh,

If Provisioning Allowed is set to NO, then in Access request this role will not be available to add in the Access request form.

If Allow Autoprovisioning is set to NO, then it is available to add in Access request but upon approval this role will not be provisioned.

Regards

Raj

0 Kudos

Deepak,

This is what I made changes to, and yes, I did import all the roles through BRM.

0 Kudos

Hello All,

This is what I found in SWIA; any idea what exactly it is related to?

rindia
Active Contributor
0 Kudos

Hi Mohammed,

Have a quick check on these:

1. The value for Provisioning Allowed, Allow Auto Provisioning should be "YES" for a role.

NWBC - Role Management - Role Maintenance

2. In IMG, are there any entries maintained in "Maintain System Provisioning Configuration" for your connector? If yes, then check the value of Auto Prov.

The above entry will override the entries of "Maintain Global Provisioning Configuration".

Path: SPRO - IMG - GRC - AC - User Provisioning - Maintain Provisioning Settings

Regards

Raj

Former Member
0 Kudos

Hi Mohammed,

You have to take care of 3 aspects in this case:

1) As our friends mention, check the request types activated in the process ID Access_Request. Path is SPRO > SAP REF IMG > GRC > AC > User Provisioning > Define Request Type

Activate the request types - New Account, Change Account, & Assign Object. If you activate these requests in 3 different descriptions then ensure to activate all the 3.

2) In Auto provisioning settings check the provisioning settings as: End of the Request or Path

Also ensure to take care of other steps like provisioning type combined/direct etc.

Path is: SPRO > SAP REF IMG > GRC > AC > User Provisioning > Auto Provisioning Settings

3) An important step is to ensure that the request field is set as system & role in the stage settings maintained in the path linked to this request at Maintain MSMP Workflow

SPRO > SAP REF IMG > GRC > AC > Workflow for access control > Maintain MSMP Workflow

If the problem still persists, you may come back with more information. Please update how once it gets fixed.


Thanks,

Sirish

former_member204479
Active Participant
0 Kudos

Hi Mohammed,

Can you check in request types (SPRO -> GRC -> Access Control -> User Provisioning -> Define Request Types), for the new account and change account request types, whether they have action "06 - Assign objects" added to them?

And yes, as Alessandro mentioned further information would be helpful!

Thanks

Sammukh

0 Kudos

Hello Sammukh,

Earlier I only had Create user and Assign Object assigned to the New account Request type, but today I have added Change user object as well.

alessandr0
Active Contributor
0 Kudos

Dear Mohammed,

Can you share the provisioning log, SLG1 and STAUTHTRACE? Strange behaviour, and without the proper information it is difficult to help.

Regards,

Alessandro

0 Kudos

Hello,

here is the SLG1:

FYI,

In MSMP my client is using SAP_GRAC_ACCESS_REQUEST and not other Process ID, and I don't think I even generated the other Process ID.

Quick Question: Do I need to generate SAP_GRAC_ROLE_APPR Workflow for Role assignment in the New account (SAP_GRAC_ACCESS_REQUEST)?