
IDM 7.2 - GRC integration: APPROVAL_OPERATION_RESULT missing when processing request in IDM

Former Member

Dear Gurus,

I'm currently despairing of the GRC Provisioning Framework 2 for IDM 7.2 SP9, Patch 11. We're using the centralized provisioning scenario with AC Validation and AC Polling with the standard GRC Provisioning Framework 2 and GRC 10.1. This is what the slightly modified provisioning framework looks like:

I just added the Action Tasks "Debug: Context" (1 & 2) which are just throwing out the context variables for the pending value object.

The process itself works fine:

1. Privilege assignment in IDM, Task "AC Validation" is triggered

2. AC request is sent to GRC: no errors, request created in GRC, request is approved in GRC

3. Polling starts: Task "AC Polling" reads request status on GRC system

4. IDM receives response: AC request is approved in GRC, IDM gets "OK" and starts the Task "Ordered Group"

5. Request details are fetched from GRC

6. Custom Task "Debug: Context" (2) is executed and throws out the following context variables and attributes:

- GRCSTATUS

- GRCROLEIDLIST

- MX_AC_RESULT of the PVO

7. Task "Process Request Details Result" is executed. The execution log throws out the following error (yellow frame):

8. Despite the error, Task "Await Validation" is triggered and custom Task "Copy of Debug: Context" (1) is executed. When throwing out the context variables, GRCSTATUS and GRCROLEIDLIST no longer exist:

9. Task "Process AC Result" is executed. The execution log throws out the following error (yellow frame):

10. Privilege assignment is set to "failed" in IDM.

What bothers me here is that actually everything works fine. IDM gets a response from GRC, even the context variables are created properly. Nevertheless, I always get an error at step 7 (Process Request Details Result). This error is only visible in the execution log. I can see it neither in the VDS operations log nor in the IDM job log. Since step 7 uses a Java library method (com.sap.idm.grc.ac.polling.ExtACProcRequestDetailsResult.exec) I cannot check - or rather I don't know how to check - what happens when this error occurs.

Also an odd thing: When throwing out the context variables in step 6, I receive the GRCSTATUS context variable. When throwing it out in step 8, it is gone.

Does anybody know what exactly is happening here or how to solve this issue? Why is the APPROVAL_OPERATION_RESULT missing when it's clearly there in step 6?

Thanks for help,

Christina

Accepted Solutions (1)


Hi Christina,

this is a very interesting issue. The execution log error looks to me like the RT is not able to write the APPROVAL_OPERATION_RESULT to the pending value object. Does this attribute already exist in your store? If not, do you have the automatic creation of attributes enabled in your identity store configuration?

I somehow remember that you have to enable this - either during the GRC initial load or during the first time you run the whole validation process.

I think this might help. Looking forward to receiving your feedback.

Steffen

Former Member

Hi Steffen,

you're right. Apparently IDM tries to create the attribute APPROVAL_OPERATION_RESULT during the process. Since automatic attribute creation was not enabled it could not be used.

Enabling it solved the problem.

SAP should include this in the IDM-GRC documentation.

Thank you so much for your help!

Kind regards, Christina
