GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

Similar Messages

• Offline approval for line item based Shopping carts

  Hi ,
  We are planning to  use offline approval and line item based approval (item based approval workflow) for shopping carts.
  For e.g. 10 line items in a cart can have 10 different  cost centres, and a line each need to go to respective cost centre managers for approval.
  have few clarifications:
  1. Can offline approval be used for item based shopping cart approval workflow?
  2. Can different line items be sent by mail to different mail boxes?
  3.  Will 1 manager see all the 10 line items OR only the 1  line item for which he is responsible?
  4. If he will get only line for which he is responsible , and once he clicks on approve , will this approval apply to his line item only , OR it will apply to all the 10 line items ?
  Rgds
  Sumendra

  Hi Sumedra,
  Which workflow are you using - application or process contrlled workflow?
  Assuming you are using process-controlled workflow - I will answer following questions -
  1. Can offline approval be used for item based shopping cart approval workflow?
  - Yes, it can be used !
  2. Can different line items be sent by mail to different mail boxes?
  Yes
  3. Will 1 manager see all the 10 line items OR only the 1 line item for which he is responsible?
  1 manager can 'see' all the items but he can only approve or reject the item that he is suppose to act on. All other item will be grayed out. However, this behaviour is configuarable !
  4. If he will get only line for which he is responsible , and once he clicks on approve , will this approval apply to his line item only , OR it will apply to all the 10 line items ?
  - see above
  Regards,
  Amit

• Line item based approval

  Hi All,
  I have line item based approval workflow WS14500015. My shopping cart has multiple line items each awaiting approval from multiple approvers.
  Now my requirement is when any approver approves his line items , that particular line items should not be allowed for changes even though the shopping cart has status awaiting approval coz others line items are still awaiting approval .
  Is this possible i.e user should be able to make changes to unapproved line items abut not approved line items .
  Can i user badi BBP_WFL_SECURE_BADI for this ?? Please if anyone has already done this please share your inputs .
  Thanks in advance
  Iftekhar Alam

  Hi Alam,
  have you checked the APPROVAL_HISTORY_TABLE and ITEM_APPROVAL_HISTORY_TABLE? Here you will receive information on already approved items and the current approval process.
  Kind regards,
  Thomas

• GRC AC 10.0: Info about rejected roles in the CUP Email

  Hello all,
  the GRC componetent CUP seems to be technically mature in comparison to Role Management component, but there is one thing where I am not sure, is it an error or did I miss some config parameters:
  When the CUP Request ist closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved, some of the roles were rejected. But the user gets an email where only the approved roles are listed:
  We would like to inform the user about the status of all roles in the CUP requests: which roles were approved and which roles were rejected. Is it possible to configure in MSMP Workflow?
  Right now we have the following setting:
  Thanks,
  regards Sabrina

  Hi Sabrina,
  To notify the requester for the roles which got rejected, you can try with Email notification template: GRAC_MSMP_ERM_REJECTED for the for the message class.
  You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
  Hope this helps, Let us know if you face any issues.
  Regards,
  Ameet

• GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

  Hello,
  Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
  I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
  User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
     Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
  1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
  2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
  And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
  Thanks in advance,
  Alley
  Edited by: Alley1 on Sep 20, 2011 1:15 AM

  Hi Karell,
     Here is response to your questions:
  I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
  Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
  Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
  Regards,
  Alpesh

• CUP 5.3: Automated Provisioning for UME Roles

  Hi,
  Does CUP 5.3 provide automated provisioning for UME roles or just for R/3 roles?
  Thanks in advance. Best regards,
     Imanol

  In order to use UME provisioning though, the WebAS must have Portal components installed (not necessarily used). The Portal RTA uses the Portal's SPML interface that is installed with portal components.
  And please make sure to check the PAM - I think the Portal RTA only works for 7.00, if I'm not mistaken!
  Frank.

• Manual CUP provisioning

  We are using CUP (BO AC 5.3 SP14) with role provisioning via SAP CUA. Whenever there is a system upgrade etc on our CUA systems, we would prefer if any role requests could be "put on hold" in CUP, ie keep all workflow functionality but just not provision the role to the user in the last step. There are also other reasons why we during certain periods would like to control when roles are provisioned from CUP to SAP
  When turning off "Auto provision at end of each path" the system completes all workflow steps without problems, but the request is closed and the role not assigned in SAP
  Just turning off "Role auto provisioning" does not fulfill our requirements, as this assigns the role to the user in SAP but do not run the last user compare step
  So, is there any way to manually trigger/import the role assignment from CUP request database that have been approved in e.g the last 12h, or since the last manual import (delta)?
  Many thanks
  Mikael

  Hello Frank, and thanks for your reply - interesting alternative solution, though you also confirm this cannot easily be "imported" from the CUP database. I think we need to test this scenario in order to find the best option.
  I assume we need to setup a specific user for the CUA connector, so that all other connectors are still available when the CUA user is disabled. We already have a Manager and Role owner approval in our CUP workflow. The SAP role is assigned following role owner approval. If possible, we could perhaps redirect all requests that fails due to technical connector issues in the last approval/role assignment step to a Basis admin. That might mean we would automatically manage all technical scenarios whithout changing workflows
  Indeed this is not a very common scenario, but due to upgrades we will have several periods with downtime on our central CUA in the next coming months. We also have regular "freeze periods" in our environment, meaning no roles are allowed to be assigned. If we can still manage to run the workflow seamless for an end-user, then that would very useful
  Thanks for your input
  Mikael

• 'Approve' button not displaying in the Approve Role screen Inbox - AC 10

  Hello Gurus,
  I have a challenge and I'd be glad to have it fixed.
  I am configuring Role Management in GRC AC 10.0.
  I am in Approve Role phase.
  After clicking on Initiate Approval....It send the request to the Role Owner's work inbox for approval.
  However, when the role owner logs in, only the "Other actions" button shows. The "Approve" button does not show.
  The "other actions" have options for "Hold" and "Request information"
  Please note the following in the MSMP settings.
  I am using the default settings in MSMP
  Process ID - SAP_GRAC_ROLE_APPR
  Maintain Path (Path ID - GRAC_DEFAULT_PATH ) & Stage Config ID - GRAC_DEFAULT_STAGE
  Maintain Route Mapping - GRAC_ROLEAPPR_INITIATOR
  Generate Version - Version generation was successful.
  I have also assigned the following roles to the ROLE OWNER
  SAP_GRAC_BASE
  SAP_GRAC_NWBC
  SAP_GRAC_ROLE_MGMT_DESIGNER
  SAP_GRAC_ROLE_MGMT_ROLE_OWNER
  SAP_GRAC_ROLE_MGMT_USER
  Please help me...what am I doing wrong?
  Thanks

  Hi Colleen,
  Thanks for reply. I have configured the workflow with default path and with one stage (role owner approval). When we create roles, request is being sent for role owner for approval.
  Role owner is able to see the request in workplace inbox. But not able to approve it. We are getting the same kind of error when we raise requests for user access also (you can see the error screen shot for access request and the same kind of error is occurring for role approval also).
  All requests are stuck up at role owner for approval. Quick response is much appreciated.
  Regards
  Sasi

• Provision for Approval process

  Dear Experts,
  I have a requirement  "To be able to provision for Approval process by FInance, when role of business partner upgraded from prospect to customer"
  I guess this is done through Workflow concept. but I don't have Idea in detail.
  Looking forward for reply
  Regards
  Manu

  About your questions...
  1. According to my knowleadge there is no such standard functonality. But I implemented something similar in our company in the folowing way:
  - prospect is created in CRM
  - when prospect needs to be transformed to customer, salesman issues task with filled questionary
  - finance departments receives this task and if it agrees transforms frospect to customer in ERP with VA07
  2. If you mean that only certain data should be maintained by certain companies, then only via coding this could be achieved.
  3. If you mean that in relatonship you define, to which organization contat person belongs, then I'm not sure. Never tried it. For employees I know it is possible so robably it could be done also for contact persons.
  4. You can store documents. But if you want to have special access to this documents, then this would not be the case.
  5. Yes. You can use account hierarchies for that.
  Regards.

• Custom Fields in GRC 10.0 - CUP

  Dear Experts,
  Please help me in creating Custom fields in GRC 10 - ARM (CUP). I want to create Custom field called Country and assign approvers to that field and Make user of this field in user request form as mandatory field.
  Could you please let me know how to create custom field and assign approvers to the same and make the same mandatory while user is create a request for new account in the sytem.
  I appreciate your help.
  Thanks,
  Raj

  Hello Raj
  As per my knowledge we can create custom fields in SPRO, path is
  IMG>GRC>General settings>User defined fileds
  under this you will get two types
  1.NON HR defined fields
  2.HR Defined filds
  Baithi

• What BAPI's use the ERM of the SAP GRC AC 5.3 to create the roles in the R/

  Hello,
  Does somebody knows what BAPI's use the ERM of the SAP GRC AC 5.3 to create the roles in the R/3?
  Thank you in advance.
  Pablo Mortera.

  Pablo,
     I don't have access to the system right now. Go to SE38 and search for 'Virsa' BAPIs...it will list all the ERM BAPIs under RE. The naming convention is pretty straightforward so you will be able to find a create role BAPI. If you open this BAPI, you will be able to find the SAP delivered BAPI which is being used in PFCG.
  Alpesh

• CUP v5.3 SP11.1 - CUP Request button "Existing Roles/Groups"

  Hi!
  Re: CUP v5.3 SP11.1 - CUP Request button "Existing Roles/Groups"
  Can anyone explain why some of our CUP users will see this CUP button in the CUP Request and others will not? Are they missing a UME "ACTION"?
  The button works fine, but it only shows up for some users and not others.
  Thanks for your help!
  -john

  Hello ,
  For Approvers , the button "Existing Roles /Groups" will be visible only when the following "stage" level setting is set
  Change Request Content = Yes
  Add Role =Yes .
  Regards
  -Ranjiv

• ORM Approval Roles

  I have a need to send approval requests out to a group of people, not just to an individual. The first person that responds can process the approval. It is not a multi-step requirement.
  In ORM, I can create Approver roles and use a query to populate the approver role members. I cannot figure out how to assign the approval requests to the approver group. How is the Approval Role assigned to a Business Role?
  KC

  Let me clarify my need.
  When a manager in a business line identifies the need for a new business role, I need a workflow mechanism by which they can request a new role be created in ORM and specify the IT Roles that should comprise that business role. This request step is separate from the actual role definition itself that would occur in ORM after the request was approved.

• OIM 11g-configure SoD so that it works for direct provisioning of the roles

  Dear All,
  page 23-3 of Developer's Guide (OIM 11g) provides information regarding configuration of the SoD for Direct provisioning of the resources. How to configure SoD so that it works for direct provisioning of the roles?
  Thank you for your time
  Maria

  Rajiv,
  I did not find the documentation regarding this. But I hoped I will.
  In my project we assign roles directlly, not resources.
  I suspect the integration with Role Manager is required in this case. SoD module in OIA should be used then.
  Maria

• Provision Unix accounts/roles/groups to Directory server using OIM

  Hi,
  I have a requirement to integrated large number of Unix servers with LDAP (OID or Sun Directory Server) for Centralized Authentication and Authorization and to provision Unix accounts/roles/groups to Directory server using OIM, I have following queries.
  1. If using PAM_LDAP then what are the schema changes required in ldap to support it ?
  2. Does OIM's out of box connector for OID or Sun Directory Server supports Unix accounts/roles/groups provisioning to Directory server ? If not, can it be extend ? or do I need to write a custom connector ?
  3. If I use Oracle Authentication Services for OS for centralized unix account management then OIM provisioning is same as #2 or different ?
  Thanks
  Nitin

  yes. iPlanet connector support for multivalued attribute. Go through the connector doc. It will let you know how to extend its functionality.
  --nayan