
Access Control 10.1 approval workflow query

Former Member
0 Kudos

Hi all

I'm hoping that you can assist with a query I have on the AC 10.1 ARM approval workflow process. I'm fairly new to this so please bear with me.

We are currently implementing the ARM module at a client, who has the following workflow request for new/change/unlock user account:

- User submits access request in GRC AC

- First level approver - Line Manager (risk analysis not mandatory)

- Second level approver - Business Process Owner (risk analysis mandatory)

- Third level approver - Authorizations/Security

The request is successfully submitted and is directed to the LM as 1st level approver. The LM approves the request and it's supposed to then be directed to the BPO for the 2nd level of approval, but it does not reach the BPO.

I’ve created a decision table in BRF+ to say if “Basis” is selected as the Business Process on an access request, it must go to the Basis BPO for approval. I've run a simulation on this table and the output results are correct. The table was checked, saved and activated.

I then used this table's Function ID to create a new Agents rule in MSMP (step 2 maintain rules) for the SAP_GRAC_ACCESS_REQUEST workflow process.

In step 3 maintain agents, I've created a new Agent ID called Z_BPO, as an approval purpose and GRC API type, and assigned the Agent Rule ID from step 2.

In step 5 maintain paths, I've created a "New User Account" path with 3 stages of approval - Z_BPO being the second level of approval.

When I try to Save/Simulate in step 7, a version cannot be generated as the IMG Configuration Tables contain errors. When the workflow starts checking the definition of Agent "Z_BPO", the following error is outlined: ABAP dictionary data object binding is out of synchronization.

I've checked the internet for assistance on this error to no avail. I think that I'm not defining the BRF+ decision table correctly within MSMP.

I've followed the documents on the below link that relate to BRF+ and MSMP extensively but I am still stuck.

Your urgent assistance and guidance on this is greatly appreciated.

Kind regards,

Neresha

Accepted Solutions (1)


Former Member
0 Kudos

Hi all

After all the assistance and guidance from everyone, I managed to successfully set up the BRF+ table and the MSMP workflow.

After further investigation on why my access request was taking the escape route, I found that I should not have selected a "System" on the access request because when you select a "Role" to assign to the user, the System is automatically detected. I came across the following statement on another discussion:

"First of all adding system information is not required if you are not using business roles, or you are expecting a routing further in the workflow or you have to set system validity for the user. System information is automatically picked by GRC as soon as you add single or composite role (not in case of business roles)."

Once I only selected a role, the access request followed the workflow which I had configured.

Kind regards,

Neresha

Answers (3)


Former Member
0 Kudos

Hi Neresha,

Can you please attach a screenshot of the function?

Regards,

Fazil

Former Member
0 Kudos

Hi Neresha,

Please try with another function id:

Please check the transaction, Process ids. Agent type :  GRFNMW_CONFIGURE.

As per your requirement above mentioned, you create detour rule not an initiator rule for risk violations.

Regards,

Reddy

Former Member
0 Kudos

Hi Fazil

Please find updated screenshot of the Function details:

Kind regards,

Neresha

Former Member
0 Kudos

Hi Neresha,

Can you show a screenshot of the BRF+ function/decision table? Data dictionary binding is related to BRF+, and is not an error in MSMP.

Regards

Plaban

Former Member
0 Kudos

Hi Plaban

Thank you for your reply.

Please see below screenshots:

1. BRF+ Decision Table:

2. BRF+ Decision Table settings:

3. BRF+ Function:

Is this what you are looking for?

Kind regards,

Neresha

Former Member
0 Kudos

Hi,

I think you need to change the Result data object to GRFN_MW_T_AGENT_ID.

Remove user id and add this object.

Let me know the result.

Thanks

Mohan

Former Member
0 Kudos

Hi Mohan

Thank you so much for your suggestion - I can now successfully generate an MSMP version with no errors after adding GRFN_MW_T_AGENT_ID as my Result Data Object on my function. In BRF+ I've activated the decision table, function and application successfully.

However, on my access request, when it's supposed to be directed to the BPO for 2nd level approval, it takes an escape path to the authorizations team because it cannot find the approver.

My decision table now contains the following details, with NOTIFY_EXT_WHO_TYPE and NOTIFY_EXT_WHO_ID not mandatory. Is this correct?

I've set up step 5 maintain paths in MSMP as follows, which is pointing to the Z_BPO Agent ID. Is this correct?

Kind regards,

Neresha

Former Member
0 Kudos

Hi,

Could you show a screenshot of your Modify and Modify Task settings? Check whether your Agent ID is the same as the rule ID created, in both of the above settings.

Regards

Plaban

Former Member
0 Kudos

Hi Plaban

Please see screenshots below:

1. Modify

2. Modify Task Settings

The Agent ID Z_BPO is linked (in step 3 maintain agents) to the Rule ID created in step 2 maintain rules. Is this correct?

Kind regards,

Neresha

Former Member
0 Kudos

Hi Neresha,

1. Remove Itemnum in line item key

2. Remove user ids in Notify Ext who id.

3. Do not maintain who type

Once this is done, test in simulation mode and let me know the result.

Thanks

Mohan

Former Member
0 Kudos

Hi Mohan

I have removed the cell values as requested:

I've also successfully tested in simulation mode, where it brings up the correct user ID per process:

Kind regards,

Neresha

Former Member
0 Kudos

Hi Neresha,

As Mohana said, you can try keeping Line item as blank, so " " should appear, and USER_ID is not required.

'Who type' can be kept.

Regards

Plaban

Former Member
0 Kudos

Hi,

Please remove the User ID column, and give blank in Line item, i.e. the same as ..WHO_TYPE

Regards

Plaban

Former Member
0 Kudos

Hi Plaban

I've left all columns blank except for the BPROC column. I could not remove the USERID column completely as it gave me an inconsistency error when I tried to Check the BRF+ decision table.

I created a new access request to test, but after 1st level approval the request is sent to the escape path as it still cannot find the BPO level of approval.

In your suggestion to remove the USERID column from the decision table as it is not required, how does the system know who to send the request to for approval, if "Basis" is selected as the business process, if the user ID is not specified anywhere in the system?

Kind regards,

Neresha

Former Member
0 Kudos

Hi,

It seems BRF+ is fine.

1) Can you check all paths where the Z_BPO agent is mapped and check the stage settings as well.

If you find a different agent maintained in the stage settings, change it to Z_BPO.

Activate MSMP and test again.

2) If it still has issues, run transaction code GRFNMW_DBGMONITOR_WD to view the message log, to view configuration, etc.

Thanks

Mohan

Former Member
0 Kudos

Hi Mohan

I've double checked that Z_BPO agent is mapped correctly. I even deleted my paths and stages and started from scratch.

I've run the GRFNMW debug and I think I've identified where the workflow stops. Under the Runtime Work Items tab, there is a Wait Step with the following message: Waiting for event 'REJECT' of object type 'CL_GRAC_ACCESS_REQUEST_WF'

I have again successfully gone through the

1. Perform Automatic Workflow Customizing

2. Perform Task-Specific Customizing (Assign Agents (PFTC) and Activate Event Linking (SWE2))

as per SAP post install checks.

I have ensured that WF-BATCH has SAP_ALL profile. But the access request still takes an escape.

See screenshots below from GRFNMW debug:

Kind regards,

Neresha

Former Member
0 Kudos

Hi Mohana & Neresha

I am also facing a similar issue with the Role approval workflow BRF+ agent rule for role approver.

But I am unable to change the Result data object to GRFN_MW_T_AGENT_ID, as it is not popping out from the select option.

Kindly assist,

Thanks!

Kapil

Former Member
0 Kudos

Hi Neresha,

Have you checked, saved and activated the Function in BRF+ Agent Rule Application? I guess you have only activated the Decision Table. Please check, save and activate the function too.

Let me know if it works.

Regards,

Fazil

Former Member
0 Kudos

Hi Fazil

Thank you for your reply.

The BRF+ decision table, function and application are all saved, checked and activated with no errors (all 3 have green dots to indicate that they are active).

Was I correct in creating a new Agents rule in MSMP with the Function ID from BRF+?

Kind regards,

Neresha

Former Member
0 Kudos

Using the Function ID is correct.

Have you selected the correct "Business Process" field? There are 2 available, one is at header level, and the other is at line item level, i.e. the Business Process assigned to the role.

Also, have you created the agent rule as a "line item by line item" BRF+ rule?

Former Member
0 Kudos

Hi Harinam

Thank you for your reply.

I have selected the Access Request Line Item business process. I tried testing with the Header business process but no change.

I have also created the Agents rule as a BRFplus Flat Rule (LineItem by LineItem). Is the below correct?

Kind regards,

Neresha