
GRC 10.1 - ARM - RoleOwner approval

0 Kudos

Hi experts!

I'm working with ARM in GRC AC 10.1 (SP07). I have configured a provisioning path (in process SAP_GRAC_ACCESS_REQUEST) including a RoleOwner approval stage.

The problem is that when a request includes several roles with different RoleOwners, if one of them rejects the request, then the whole request is rejected (not only his roles).

Is this the normal way ARM works for a request for several roles with different RoleOwners? If so, how does a RoleOwner reject his roles from a request?

Notice that Rejection level task settings for RoleOwner stage is configured like "Role".

Thanks!!

Accepted Solutions (0)

Answers (1)


kevin_tucholke1
Contributor
0 Kudos

Emiliano:

Yes, this is working as designed. You have allowed in your task settings for that stage for them to reject the request (reject selection at the top of the screen). Roles are only rejected in the line item area and that is where they only are allowed to 'maintain' their specific line items.

Thanks,

Kevin Tucholke

Principal Technology Consultant

SAP America

0 Kudos

Thanks Kevin!

But then, how does a RoleOwner reject all his roles in a request? Considering a scenario where there are several role owners involved.

Former Member
0 Kudos

Emiliano,

If you do not want role assignment approvers to be able to reject the entire request, it sounds to me like your settings would need to be changed. We do not allow it here; managers approve/reject at the request level, but role approvers approve/reject at the line item level. It does not make sense for them to be able to reject a role that is not theirs to approve.

Gretchen

0 Kudos

Thanks for your reply, Gretchen!

Think of this scenario: a user submits a request for several roles which have the same role owner. So, if the role approver rejects all roles at line item level and then clicks on "send" (not on reject), then the status of the request would be approved and not rejected, and it would be incorrect.

kevin_tucholke1
Contributor
0 Kudos

The Role Owner can use the SELECT ALL button in the Line item area and then click the REJECT button just in the header of that line area. This will set the roles to the reject status in the most left hand column.

The reject select at the top of the screen (where the submit button is) is for request only. Remember, when you require this at the line item level, the user is APPROVING the request as currently stated, which may mean that some ROLES are rejected and some are approved based upon the status at the beginning of the line. Approval of a REQUEST does not always mean that all roles are approved, it means that it is approved as stated when the request has reached the end of its workflow. If the request is rejected, it really does not matter if any roles are approved or not, it means that the ENTIRE request was inaccurate and incorrect.

Does that help clarify the difference?

Kevin

0 Kudos

I understand that, but it confuses end users: they receive an email saying "your request has been approved" and, on the other hand, no roles were provisioned.

kevin_tucholke1
Contributor
0 Kudos

In that case, all that I can say then is that this is an approver training issue as to when to use the Reject Request button vs the Reject Line Item button.

Approving a request, similar to approving a budget, can have line items that have been rejected. In the overall view, the request is approved, yet the approver approved ALL rejected items. This is the logic as it has been designed.

0 Kudos

Yes, I thought maybe there was another option and it was a configuration issue, but I see ARM works this way. Thanks for the clarification!

Former Member
0 Kudos

Hi Emiliano,

In case all roles are rejected, could you inform the role owner to reject at Request level, so that 'GRAC_AR_REJECTED' will trigger the Rejection email? Else, the Approval mail stands true, as one of the roles is approved.

Else, you can have a stage after Role Owner, for the Security team, who can reject the request if all roles are rejected, and thus the rejection email can be sent to users.

Regards

plaban

0 Kudos

Hi Plaban!

The problem is that the role owner doesn't know whether he is the only role owner involved in the request or not, so he cannot reject the whole request even if he rejects all his line items.

I have a stage after role owner, but when all roles are rejected at line item level, the request is automatically closed and gets status "approved". It's not considering the next stage because there isn't any role for provisioning.