Using GRAC_REQUEST_MITIGATION_MONITOR agent in Access Request workflow.

Former Member
0 Kudos

Hi Experts,

Could anyone explain how to use the SAP-delivered agent GRAC_REQUEST_MITIGATION_MONITOR in the Access Request workflow? I have tried to use the agent in my workflow and it dies out with the message 'agent not found'. Here are the details.

I have a simple workflow with 2 stages. The 1st is the manager stage, and after approval from the user's manager the request proceeds to stage 2, where the role approver performs risk analysis. I have enabled routing at this stage with the rule GRAC_MSMP_DETOUR_SODVIOL. If SoDs are found then the request is successfully routed to the 'SoD path'. The issue is in this path, where I have maintained a single stage with agent GRAC_REQUEST_MITIGATION_MONITOR. However, the request is not routed to any approver at this stage, the error message being 'agent not found'. Could someone advise on this please?


P.S. Mitigation controls exist for the risk IDs observed in the risk analysis. I am on SP12. I did review note 1663551, which is for adding GRAC_REQUEST_MITIGATION_MONITOR to MSMP workflow, which already exists in my case!

Accepted Solutions (1)

madhusap
Active Contributor
0 Kudos

Hi Mukund,

Mitigation monitor agent does not return any result if risk analysis is not executed after mitigating risks in access request.

In your case at role owner stage of workflow, role owner after mitigating all the risks of request should run risk analysis again. If agent of next stage is mitigation monitor then workflow goes to error state as no agent is found if risk analysis is not run by role owner after assigning mitigation controls.

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

Thanks. I was able to figure out the issue because of your answer.

The way it seems to work is that the risk must be mitigated before the stage with agent GRAC_REQUEST_MITIGATION_MONITOR comes. I was not mitigating the risk and approving it, hoping that the system will determine the monitor based on the risk involved. Also, in my case this agent was kept at the SoD path, where the workflow never goes if the risk is mitigated! I modified the workflow, adding a 3rd stage after role owner, and once the role owner approved the request after mitigating the conflicts, the workflow was successfully routed to the monitor of the mitigating control.

However, what I am really hoping for is to somehow involve the mitigation control owner in the AR workflow so that he can review and approve the assignment of the control. Any ideas on that?

Thanks again

Mukund.

madhusap
Active Contributor
0 Kudos

Hi Mukund,

Glad to hear that your issue is fixed.

Basically, whenever an access request has risk violations (in your case, when the role owner mitigates the risks), enable the Control Assignment Approval workflow, which goes to the Mitigation Control Owner for approval. Only after approval for control assignment owner, your role owner can approve the request. For this, enable the configuration which restricts the role owner from approving the requests in case of unmitigated risks, using the stage level task setting "Approve Despite risk" and the BRF+ mitigation policy as per the note below:

1667440 - AC10 - Workflow Stage Task Settings for 'Approve Despite Risks'

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

Thanks again for the note. I have done the required settings as per your advice and it works!

Regards,

Mukund

Answers (2)

Former Member
0 Kudos

Dear Mukund,

The best practice is to route SoD violations to the Risk Owner agent. This can be through a Custom Agent ID (BRF+ decision table for Risk Owner) or the Standard Risk Owner Agent Rule (available through SP pack 14 and above, for GRC 10).

Could you let me know if you need assistance on the Custom Agent ID?

Mitigation Monitor is normally used for reviewing Mit. Control assignment or approving assignment, as per business. However, if you would still like to route the request to the Mit. monitor for SoD violation, please provide a screenshot of the Agent ID (in Stage and Agent Rule ID).

Regards

Plaban

Former Member
0 Kudos

Hi Plaban,

Thanks for dropping by! Yes, please help me with creating the agent rule for risk owner for the AR workflow. That is, if my access request has risks A and B, then the agent rule should determine the owners of these risks (say ownera and ownerb). I don't see any field related to risk ID in the AR-related decision table. Looking forward to your answer.

Regards

Mukund

former_member197694
Active Contributor
0 Kudos

Hello Mukund,

Maybe similar issues are discussed in the thread below; it might be useful.

Check the note below for some more information:

2056823 - Functionality of Mitigation Approvers and Monitors

Regards

Baithi

Former Member
0 Kudos

Hi Baithi,

I am your old colleague. I hope you are doing good. Thanks for dropping by!

I have already gone through that thread and tried reviewing the code for the related FM rule GRAC_REQ_MITIG_MONITOR_AGENT in SE37, which I am not able to understand.

I hope someone can provide a practical example where they have used the agent.

Regards,

Mukund

former_member197694
Active Contributor
0 Kudos

Hello Mukund,

Good to see you in SCN.

As per the error, the issue is with the agent at the SoD path.

Could you check the settings below:

1. Check the authorization of the agent.

2. Is the agent defined under access control owner in NWBC and for the mitigation control?

3. Check the log in transaction GRFNMW_DBGMONITOR_WD.

Regards

Baithi