
Auto Approve Roles without Role Approver

former_member185447
Active Contributor
0 Kudos

Hello GRC Team,

Warning: This is one of the frequently discussed threads. I went through the discussions as well as the SAP Notes but still couldn't grasp the basic concepts. So please help me with more detail and, if possible, a screenshot or two.

According to SAP Note 1709391, in order to provision roles without owners, in addition to the parameter 2038, set a detour for no role owners to a no-stage path.

I have two requirements to understand how this auto approval works.

Requirement No:1

There are 3 stages for the request to go through.

1) Manager and

2) Role Owner

3) Security

The request is approved at manager level, and in the second stage the Role Owner is not available, so it should automatically go to the Security stage.

Requirement No:2

There are 2 stages for the request to go through.

1) Manager and

2) Role Owner

The request is approved at manager level, and in the second stage the Role Owner is not available, so it should automatically get approved.

My understanding is: in Requirement No:1, I need to use BRF+, and in Requirement No:2, I can do it using MSMP.

Please throw some light on this. Also, let me know how and where to maintain a no-stage path in MSMP.

Regards,

Deepak M

Accepted Solutions (1)


Former Member
0 Kudos

Hi Deepak,

Here are my thoughts:

  1. Requirement #1 - No BRF+ manipulation needed. It appears that a pre-defined detour rule is available:

    • Use this rule in step 6 of MSMP "Maintain Route Mapping" and route FROM your existing path (with correct stage sequence) TO a new path, which could be called "No Role Owner Path":

    • "No Role Owner Path" will have no stages assigned:

    • Then, if the request contains a role that does not have an owner, this routing rule will kick in and the request will route to the "No Role Owner Path", where there is no approval required (no stages assigned). Once the request makes it to this path, it will auto-approve and the access will be provisioned.

*** HOWEVER, because I have not configured this, I am not sure if this rule "GRAC_MSMP_ROUTE_NO_ROLEOWN" will route the ENTIRE request (including the roles that DO have role owners) or if it will split the request and send only the roles without owners down this path.  I have a feeling it will route the entire request, but you may be able to change this within the User Provisioning settings of SPRO (Maintain Provisioning Settings--> Auto provision at end of each PATH rather than at end of Request).  But even if this works, the request will probably not make it BACK to the Security stage for Risk Analysis.

The above *** note may indicate that you need to re-design your strategy altogether if the functionality does not work. If this is the case, my recommendations on your new strategy would be as follows:

  1. Approval sequence should be 1.) Manager; 2.) Security; 3.) Role Owner.

          - With the approvals sequenced this way, you will be able to use the pre-defined routing rule GRAC_MSMP_ROUTE_NO_ROLEOWN at the end of the approval paths, which remediates the issue I mention above regarding the request not making it BACK to the Security stage after hitting the routing rule.

If not all requests need to go to the Security Stage, then you would need to configure the standard routing rule "GRAC_MSMP_DETOUR_SODVIOL" and map it in step 6 of MSMP just as described above with the other rule.  Then, you would need to route to a new path for requests containing Risk Violations, and create the appropriate stages thereafter.

Hope this gets you on the right track! Let me know your difficulties and I can continue to help!

-Ken

former_member185447
Active Contributor
0 Kudos

Hello Ken,


Thanks for the mighty long and detailed reply.

I do have a small doubt in the following screenshot.

Let's say I have created a path with the name New_Account, and an empty path as No_Role_Owner_Path. Then I need to maintain the following values:

From Path ID = New_Account

Stage Sequence = Manager Stage Sequence No

To Path ID = No_Role_Owner_Path

If this is correct, I will just do the configuration and get back to you if I get stuck.

Regards,

Deepak M

Former Member
0 Kudos

Yes, this configuration should evaluate the request in path New_Account and look to see if there are any roles with no owners, and if so it should route to the No_Role_Owner_Path.

However, I think it is unlikely that you will be able to route back to the original workflow path to be able to finish with the Security stage, so I recommend having your approval sequence like this:

1. Manager

2. Security (SOD analysis and assign Mitigating Controls - will help Role Owner make decision too)

3. Role Owner (where the request can detour if no role owner is found. All approvals are already captured, so the request will auto-approve and provision)

Let me know if you have difficulty developing.

-Ken
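An added sketch, not part of the thread and not SAP code, that models the route mapping discussed above and reports which approval stages never run when the no-role-owner detour fires. It assumes, as Ken suspects, that the whole request moves to the no-stage path and does not return; the class, function and variable names are hypothetical and the path data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RouteMapping:
    from_path: str
    stage_seq: int   # 1-based stage at which the routing rule is evaluated
    rule_id: str
    to_path: str

def split_on_detour(paths, m):
    """Return (stages approved before the detour, stages never reached).
    Assumption: the whole request moves to m.to_path and does not return."""
    stages = paths[m.from_path]
    return stages[:m.stage_seq], stages[m.stage_seq:]

def audit(paths, m, owner_stage="Role Owner", required=("Security",)):
    """Return a list of findings for a no-role-owner detour mapping."""
    findings = []
    stages = paths[m.from_path]
    if paths[m.to_path]:
        findings.append(f"{m.to_path} has stages assigned; it will not auto-approve")
    # The detour belongs on the stage immediately before the role owner stage.
    if owner_stage in stages and stages.index(owner_stage) != m.stage_seq:
        findings.append(f"detour is not on the stage just before {owner_stage}")
    _, skipped = split_on_detour(paths, m)
    for stage in skipped:
        if stage in required:
            findings.append(f"{stage} is bypassed when {m.rule_id} fires")
    return findings

RULE = "GRAC_MSMP_ROUTE_NO_ROLEOWN"

# Constructed data: the original sequence from Requirement No:1.
PATHS_ORIGINAL = {"New_Account": ["Manager", "Role Owner", "Security"],
                  "No_Role_Owner_Path": []}
MAP_ORIGINAL = RouteMapping("New_Account", 1, RULE, "No_Role_Owner_Path")

# Constructed data: the sequence Ken recommends, detour on the Security stage.
PATHS_REORDERED = {"New_Account": ["Manager", "Security", "Role Owner"],
                   "No_Role_Owner_Path": []}
MAP_REORDERED = RouteMapping("New_Account", 2, RULE, "No_Role_Owner_Path")

if __name__ == "__main__":
    for label, paths, m in (("original", PATHS_ORIGINAL, MAP_ORIGINAL),
                            ("reordered", PATHS_REORDERED, MAP_REORDERED)):
        print(label, audit(paths, m) or "no findings")
```

Under that assumption the original ordering provisions access with only the Manager approval recorded, while the reordered one skips nothing but the Role Owner stage.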

Answers (1)


former_member197694
Active Contributor
0 Kudos

Hello Deepak,

You need to enable routing at the stage before role owner.

Did you get a chance to check the SAP Note below?

1757735 - Auto Approve Roles or Systems without Approver



Hope it helps you



Regards

Baithi