on 06-28-2015 7:13 AM
Dear experts,
I know in GRC 10, there is only one approver for mitigation control and multiple monitors and this is the standard functionality. I wanted to know if anyone know how to modify this MSMP workflow for mitigating control to have multiple approvers.
Is this possible? can we make changes in SAP delivered workflow to make custom stages to have multiple approvers for each control. Thanks in advance.
Regards,
Faisal
Hi Faisal,
you had asked for Multiple approvers for Mit. Control.So, you need to configure that in Setup-Mitigation Control, and not in MSMP workflow. Then, Workflow will go to all the approvers, assigned to the Mit. Control.
'All Approvers' and 'Any One approver', in Task Settings, will not forward workflow to multiple approvers, only if Mit. Control, has multiple approvers, assigned to it, already.
Any One approver will also forward the request to all approvers. However, workflow will move to the the next Stage, if the stage is approved by, any one of the approvers. Incase of all approvers, workflow will not move to next stage, unless all approvers have approvrd
regards
Plaban
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Faisal,
I apologize for recommending that particular solution, as it seems it is not possible to assign more than one "approver" for MC. You can, comparatively, assign multiple "Monitors", which is why I thought this was possible.
According to this thread, it is not possible:
http://scn.sap.com/thread/3533300
However, depending on your requirements we might be able to make this work using MSMP modification. First question: how many different people are going to be MC Approvers? My thoughts on a possible strategy are this:
Help me understand why multiple MC Assignment approvers are required. Sometimes, it is best to re-think the business requirement and guide the business to a more effective solution. What exactly was discussed and what was promised? If a secondary approver is a single person (ideal), then this is a very simple modification that I can help you through.
-Ken
Ok, Ken; I already seen the thread regarding not possible in past but still I wanted to through this question out there.
The issue is my IC team is using some other kind of form in SharePoint to (risk acceptant form)and they are not using mitigating control in GRC at this time. The form they are using it has a workflow that sends an email to each approvers and they have 4 approvers. manager, then sox controller, then controller and the head of the controller.
I'm purposing to use mitigating control in GRC rather than SharePoint where put lot of effort to extract all risks out from the GRC and give it to SharePoint team to implement
I wanted to make my case solid to present this proposal if I can meet their existing process in MIT control in GRC they might convene because there are already some concerns I have for example when you create MIT C. the workflow doesn't send an email, it just sent message to the GRC owner/approver in their inbox to approve or assign MIT C. to users. which is also weak because they are receiving email in current process
I wanted to meet their existing requirement to at least look at MIT C. in GRC. I would like to introduce the MIT C in GRC rather than using this web form that has workflow.
Let me know what you think if I have solid case to convenes them.
Regards,
Faisal
A few thoughts:
I recommend using a combination of SharePoint and GRC as a solution, and leaving all approvals outside of GRC:
It is also possible to turn off workflow entirely for MC Maintenance and Assignment. These are "workflow" parameters within Maintain Configuration Settings in GRC IMG - param 1061 and 1062. If you choose to select "NO" for these parameters, any ARM requests that need MCs assigned will not need to go for approval in order to assign the MC. To compensate for the lack of approval, you can report on MC assignment periodically and review with the stakeholders, which saves time and makes ARM requests more efficient (lower number of approvals needed while still remaining compliant).
Hopefully some of these points will help you determine the best solution for your Org.
-Ken
Ken Golden wrote:
A few thoughts:
- Anytime you want a user's Manager to approve or be notified from GRC, the manager MUST have a GRC account. This can be a deal-breaker if your Org has thousands of Managers. Therefore, we can say that Manager approval within GRC is probably not a good idea - rather you can keep the SharePoint process or ticketing system to capture manager approval.
We automated the creation of accounts in the GRC system for managers and it works fairly well. Whether your user data source is your HR system or your LDAP, managers are identified somehow. I suggest that you consider it so that requiring manager approval is not necessarily a deal breaker. Taking manager approval offline is the kind of kink in the process that the GRC system was supposed to help eliminate. Automating the manager approval is one of the things that our requesters really enjoyed about our GRC 10 workflow.
Regards,
Gretchen
Ken,
Our IdM solution creates our SAP user IDs, and it gets user attributes from SAP HR, one of which identifies which IDs have employees that directly report to them. By my recollection it did not require extraordinary effort for them to set up a daily job that recognizes when there is a new such relationship, check to see if that manager already had an ID in the GRC system, and if not, create it, put it in the correct LDAP group, and assign it the access needed by manager approvers. I am not an IdM expert, but that it the process at a high level.
Regards,
Gretchen
Hi Faisal,
This should be a simple modification. Within "Modify Task Settings" for the standard approval Stage, change "Approval Type" to "All Approvers" instead of "Any One Approver". The result, all approvers must approve the request (in parallel) before the request advances past the stage. You can do this for any type of workflow.
FYI you also need to click "Modify" (instead of Modify Task Settings) and make sure the change is found here too:
Regards,
Ken
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks a lot Ken,
Have you ever tried this? did it work? I was under the imprison that SAP delivered MSMP will not be modifiable. I'll try it and let you know if that works.
Also I wanted ask you another question regarding MSMP workflow. I'm also in process of configuring ARM the (Access request manager) but do not have solid grasp to configure SAP_GRAC_ACCESS_REQUEST. Is there lot of changes I have to do or just minor? Is there any step by step document out there I can use to configure my access request MSMP workflow . I know it is depend on my company requirement but just wanted to find out how to setup for two or three approvers and what is the best practice around it..
Regards,
Faisal
Faisal,
The modification I described above should work. This modification isn't actually changing any standard delivered SAP content; rather it is modifying Stage Task settings, which are designed to be customizable. I do not think there will be an issue with making this work.
The ARM configuration is a bit more complex. I do not have any guides available to share with you, but I can give you some guidance. What you really need is the GRC 10 training for Access Control, but to help you get started, keep these steps in mind:
Configuring ARM:
I hope this gets you started in the right direction. ARM configuration can take 1 day if you know what you are doing, but it can also take months of trial and error if you are new to it.
Message me directly and I can help you along the way.
-Ken
Hello Ken again,
I just tried the above changes and still Mitigating control doesn't take more than one approver, when I was setting up I assigned two approvers while I was trying to create control in Access risk tab, it says only one approver can be assigned to mitigating control. any other suggestion or I'm not doing the right way.
Please let me know, thanks in advance
Regards,
Faisal
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.