- SAP Community
- Products and Technology
- Additional Q&A
- Access Enforcer 5.2 - auto-provisioning error
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Access Enforcer 5.2 - auto-provisioning error
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 07-16-2008 4:47 AM
Hi all,
i have come across strange quirk in AE 5.2 that is causing my client some issues. During UAT, a scenario was tested for a new user request with two roles with different role managers. The results i obtained were as follows:
1. Role manager 1 rejects 1st role then role manager 2 approves 2nd role (in that order). Expected result is that the user is created and the 2nd role is provisioned in the system. Actual result was that user was created and 2nd role was provisioned in system. PASS
2. Role manager 1 approves 1st role and then role manager 2 rejects 2nd role (in that order). Expected result is that the user is created and the 1st role is provisioned in the system. Actual result was that the request was closed and no auto provisioning was done. FAIL
For some reason, AE is only picking up the last approval/rejection when deciding whether to auto-provision or not. So when the last role manager rejects their role that was requested, AE closes the entire request and does not provision other roles in the request even though they were already approved. If the last role manager approves their role that was requested, AE will provision access according to the roles that were previously approved/rejected.
This does not occur for multiple roles that have the same role manager, as they are able to reject some roles and approve others without any problems with the provisioning. Config is set up so that the role manager stage approvals are at the role level, and approval type is "all approvers". We have also configured auto-provisioning type as "Auto provision at end of request" and provision effective immediately as "Yes".
Any ideas what is going on?
Thanks,
Alexi
Accepted Solutions (1)
Accepted Solutions (1)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi, Alexi,
Does the role manager stage allow the rejection of the request, or just the rejection of roles and approval of the request?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi all,
thank you for your suggestions.
Currently, the role manager stage is set to approve or reject at the role level (not request level).
I will try and change the approval type to "Any one approver" as opposed to the current configuration of "All approvers", however I think I have tried this already but not sure if I changed the approval level to request before testing this. I will re-test and inform if this solves the issue.
Another question my client had was whether it was possible to provision roles immediately as each role manager approvers them (i.e. if there are 10 roles, all with different role managers, can AE provision each role as they are approved or does it have to wait for all role managers to approve/reject before auto-provisioning will be initiated)?
Thanks,
Alexi
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi all,
i've tried to resolve this issue by changing the configuration, however this has not resolved it. I've attached the audit log of two requests for the same roles, only difference is the order of the role approvals. In request 226, the first role manager approved their role and the second role manager rejected their role and AE did not auto-provision the approved role (the whole request appears to be rejected).
Request 226 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:44
YBC:ROLE_921-QAS Role Added
YBC:ROLE_922-QAS Role Added
ZU:COMMON-QAS Default Role Added By system
Request submitted for approval by Alexi Tsafos(K01232) on 07/30/2008 15:44
Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage LINE_MANAGER on 07/30/2008 15:44
ZU:COMMON-QAS Role Approved
YBC:ROLE_921-QAS Role Approved
YBC:ROLE_922-QAS Role Approved
Request submitted for role level approval by Carmen Richardson(K01231) on 07/30/2008 15:45
Approved By Carmen Richardson(K01231) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:45
YBC:ROLE_922-QAS Role Approved
Request submitted for role level rejection by Alexi Tsafos(K01232) on 07/30/2008 15:45
Rejected By Alexi Tsafos(K01232) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:45
YBC:ROLE_921-QAS Role Rejected
Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:45
Auto provisioned for request on 07/30/2008 15:45
In request 227, the first role manager rejected their role and the second role manager approved their role and AE auto-provisioned the approved role.
Request 227 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:50
YBC:ROLE_921-QAS Role Added
YBC:ROLE_922-QAS Role Added
ZU:COMMON-QAS Default Role Added By system
Request submitted for approval by Alexi Tsafos(K01232) on 07/30/2008 15:50
Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage LINE_MANAGER on 07/30/2008 15:50
ZU:COMMON-QAS Role Approved
YBC:ROLE_921-QAS Role Approved
YBC:ROLE_922-QAS Role Approved
Request submitted for role level rejection by Carmen Richardson(K01231) on 07/30/2008 15:50
Rejected By Carmen Richardson(K01231) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:50
YBC:ROLE_922-QAS Role Rejected
Request submitted for role level approval by Alexi Tsafos(K01232) on 07/30/2008 15:50
Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:50
YBC:ROLE_921-QAS Role Approved
Auto provisioned for request on 07/30/2008 15:50
New User: AETEST20 created on 07/30/2008 15:50 in System(s): QAS.
Role: ZU:COMMON assigned to user: AETEST20 in System(s): QAS.
Role: YBC:ROLE_921 assigned to user: AETEST20 in System(s): QAS.
Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:50
As described in an earlier post, the stage config is set for "role" level approval by "any approver". I've also tried "role" level approval by "All approvers" and have the same problem.
Any ideas?
Thanks,
Alexi
Answers (2)
Answers (2)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Alexi-
Change the Stage Configuration for your Role Approval stage in Approver Type to "Any One Approver". And set your Rejection and Approval Level to Role.
This should work...
Ankur
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Alexi
It's quite strange, can you please paste us the log, which must tell the selection's made for the request and till the end(all approval) of the request.
even though it's a bit hard to understand the log will try to get some information for it.
Regards
Kiran Kumar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Enforce Mitigation for High & Medium Level Risks in Access Request Management (ARM) in Financial Management Blogs by Members
- Enforce risk analysis before submitting the access request in GRC12 in Financial Management Q&A
- Gaia-X and IDS: Usage control for data sovereignty based on SAP Business Technology Platform in Technology Blogs by SAP
- RE :sap capm with sap web ide for hana (sap hana express 2sps04) in Technology Q&A
- Adjust a Cloud Application Programming (CAP) Model project to use SAP Cloud SDK 3 in Technology Blogs by SAP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.