AC 10 MSMP Workflow
Hello Experts,
We are just trying to configure the basic components of Access Control on AC 10.
We have configured PSS and when we are trying to configure workflow for access requests we are running into issues.
I Just wanted to check what I configured makes sense.
We only need basic functionality.
1.User Lock,Unlock ---Where the only Approver is Manager ( We have configured LDAP so the system picks up manager details for the user)
2.Next is Validity Extension where we don't want any stage but the users can change their validity date just by submitting request and request is auto approved (Auto Provisioning has been configured)
3.We need Change Acct(For Adding of new roles)
4.We need New Acct(For creating new acct and also adding roles in same step)
I see that the major difference w.r.t. 5.3 to 10 is that in 5.3 we have different kind of Request types and we can have different initiators but in 10 we have a process id (Access Request) which pretty much covers above 1-4 etc and we have a single standard initiator(If we want more we need to use BRF+)
So Initially I configured in such a way that the request only goes to manager and it is approved .Here I had to use the system name and it worked fine.
Then I configured second stage of role owner approval and then when i add system and role it was erroring out so i just added the role and did a change acct and it worked fine.Don't know why it wasn't taking system and role together(could be because the role already has system name and maybe it didn't want redundant values)
So after configuring second stage when I tried to use it for user lock/unlock it is erroring out as obviously it doesn't like taking just system name.
My Config settings based on MSMP workflow.
1. Process ID -- SAP_GRAC_ACCESS_REQUEST
2. Rule ID-GRAC_AC_INITIATOR(Rule Result --GRAC_DEFAULT_RESULT)
5.Maintain Paths-GRAC_DEFAULT_PATH
Maintain Stages- GRAC_MANAGER,GRAC_ROLEOWNER
sorry for such a long post but I am at my wit's end as I am so near yet so far from the solution.
Thanks
Uday
Hi Kuashal,
I had imported only 1 role using role import from access mgmt.I am not using ERM.
I also found out yesterday that the error i was getting gave me a new description
Incorrect path and stage class entry for process SAP_GRAC_ACCESS_REQUEST
Error when generating a new version 000027 for process SAP_GRAC_ACCESS_REQUEST
and also when i try to activate other process id's it works fine but only for this process id i am getting an error.
logged an OSS message .
Will get back with any reply
Similar Messages
-
Simple MSMP workflow for Emergency Access Management
Hi,
I am not able to get the EAM to work in Access Control 10. The user is able to successfully place a access request for FFid but there is a error in the workflow logs. I have not done any customization of the MSMP for GRAC_DEFAULT_PATH and other similar stages, as I am not aware of the the specific values that need to be maintained.
I want to avoid customizing as much as possible and use what SAP offers by default. The workflow steps I am looking for is : user places a request for FFid and the request is received by the FFid Owner (Manager) and approved by him, Once approved, the FFID is provisioned automatically and the user can login to tcode GRAC_SPM and use his FFid, and the Controller gets alerted about the log.Hi Veera,
Did you define a condition in your initiator decision table in BRF+ to route your EAM requests to firefighter path.
Do you have stage called FF Owner?
Did you create a Firefighter path in MSMP configuration with FF Owner stage in it?
Did you maintained route mapping in your MSMP workflow configuration?
Please share your BRF+ initiator decision table and MSMP workflow config screenshots to help you further.
If you are new to MSMP and BRF+ config, please check this link for understanding the concept.
MSMP - Multi Step Multi Process – GRC&#82... | SCN
Regards,
Madhu. -
How to create Detour in MSMP Workflow?
Hello GRC Experts,
we are implementing GRC Access Control 10.0 with all four components: CUP, BRM, EAM and RAR.
We have customized the CUP and BRM Workflows without Detour rules, they are working fine so far. But now we have a following issue:
We would like to create Detour rules for CUP Workflow for the following Scenario:
1. Case: No SoD
Request-->Role Owner Approval-->Provisioning
2. Case: SoD
Request--> SoD Risk-->Security Stage-->Role Owner (if Security Stage approves, then Role Owner also approves)--> Provisioning
I have Created two paths in MSMP workflow:
1st Path is Default Path with only one stage: Role Owner Approval stage
2nd Path is SoD Path with two stages:
Default and Security Stage
I have tested the CUP Workflow after creating of the Routing Rule, but it seems, it doesnt work. I have assigned a technical Role to a User, who has SOD risks. Me as approval received a notification about new work item, then I approved the role, and afterwards the Role was assigned to a user, whitout beeing forwarded to a security stage.
Can you please give me an advice what I have to do in order to make it work?
Thanks in advance,
best regards
SabrinaHello Mangesh,
let me explain you my issue:
When I am creating an request for my test user (Role Assigning), I am performing a Risk Analysis during the request creation. As you can see, I have SODs in my request.
My paths:
I have created two pathes:
Path1: GRAC_DEFAULT_PATH: with one stage. Routing enabled. With the ID: GRAC_MSMP_DETOUR_SODVIOL. Escalation to a Specified agend (Security Team)
Path 2: Z_GRAC_DEFAULT_PATH (SOD Path)
with two stages:
001:Role Owner Stage (Routing enabled) to a specified agent
002: Security Stage: no Routing enabled.
The Problem is, even though I have SOD in my reguest, no detour to a second path is occuring.There is somewhere a mistake, but I dont know where.
Here is my Route mapping.
Please, give me an advice, what I did wrong.
The another issue which makes me surprised. When I run the Report: Risk Volation in Access Request, there is no Violation! But I have SOD violations (see Schrrenshot no1)
Why this Report didnt Show the violations?
I hope, I could make you cleare, where is the Problem now?
Default path is working fine, bur the detour is not working. And the Report doesnt Show the violations...
Thanks in advance
best regards
Sabrina -
Error while creating stages & Generating a version for MSMP Workflow
Hello Everyone,
I am facing the below error while trying to create stages pertaining to the Z_PATH_2 defined by me.
I have entered the path ID and description , then pressed enter. Thereafter, I am clicking on the Z_PATH_2 row, and click on ADD in Stages section.
Still it gives me below error.
Also, the second screenshot shows the errors I get while saving and simulating the path. Since I was unable to define Z_PATH_2 stages, I considered GRAC_Default path.
Kindly help in this. I am sure I am missing something .
Screenshot 1:
Screenshot 2:
Thanks much in advance,
Regards,
ShrutiHi Shruti
What changes beyond MSMP custom path Z_PATH_2 have you done in the MSMP?
ERROR LOG
Database Table GRFNMWCDAGNT - record not found (key: SAP_GRAC_AR/MANAGER)
Checking defintion of Agent 'Manager (Process Type SAP_GRAC_AR/Manager)
AGent ID 'MANAGER' is not requested for purpose 'Approval', 'agent purpose ='
Can you also have a look at your agent configuration for MANAGER as I suspect have it set for notification. If you are using the agent for both approval and notification then you must have two agents with the same rule.
I recommend you delete the Z_PATH_2 and generate MSMP to ensure all other errors are fixed. Exit out completed to refresh buffers and then re-launch MSMP. Try to add the Z_PATH_2 again
You can also execute MSMP in SAPGUI power mode via transaction GRFNMW_CONFIGURE to check the table configuration. Be careful what you maintain here, however, sometimes you need to come in here and fix values before switching back to MSMP screen to fix issues.
Regards
Colleen -
GRC 10.0 - Warning Message - Issue - MSMP Workflows
Hi All,
I have a query on below warning message. Need advise from experts here.
In our scenario, at few stages of workflow, approver enters the comments and then clicks on SUBMIT button. Request gets approved. There will be a CLOSE button once the request is approved. Approver clicks on CLOSE button and will be shown a warning message as shown below.
"This application contains unsaved data which may be lost.
Do you want to continue without saving the changes"
Now during our UAT concern was raised by the client team and they don't want to see this message as request is already approved and this message looks irrelevant.
Please suggest if there is a way to avoid showing this message.
Thanks in Advance.
Regards,
Sai.Hi Andrzej,
Thanks for the details.
I will implement this not and get back to you.
Regards,
Sai. -
BRF+ Initiator Rule MSMP Workflow
Hi all,
I try to create a new initiator rule via BRF+. In this rule I want to check the request type and if there is a role approver for the roles added to the request.
The problem is, I can't find an entry for role approver in the structure GRAC_S_REQUEST_RULE_LINE. And a new added data object with the binding to the DDIC element GRAC_ROLE_APPROVER does not work.
What can I do?
Thanks in advance!
JanHi Jan,
When creating the new BRF+ rules, you should be looking to have an Expression with a Decision Tree and then define your logical criteria there which will then generate a specific result.
You will then assign the generated result to a path in the MSMP config.
I would ensure that you have the appropriate elements expressed in your decision tree to identify the desired results.
Simon -
MSMP Workflow - Add new settings for Maintain Stages
Hello all,
I have a question: It is possible to add a new folder under "maintain stages"( "Eg. Settings for OVM Approval). See attached.
If yes, how?
Thank you,
OvidiuHi Vimal,
here it is : http://help.sap.com/saphelp_45b/helpdata/en/2a/f9f542493111d182b70000e829fbfe/frameset.htm
For approvers & level determination, we can define it at spro.
SPRO- investment management(IM) - appropriation requests(AR) - control data - define partner determination & functions.
SPRO- IM - AR - approval - define approval levels for AR
Regards, -
HR Trigger request with a approval workflow in GRC AC 10.0
Hi Friends,
Is it possible that a HR triggered user creation request in GRC follow a stage approval based workflow ? Something like MSMP workflow ? Or can we route the HR triggered requests to MSMP worflows someway ? if yes, please help me with the details of the same.
Thanks in advance for your guidanceHi Prashant,
Refer : Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki
Also search on GRC community there is lot of material available.
BR,
Mangesh -
Error in FireFighter Log Review approval workflow (SWF_RUN646)
The MSMP workflow SAP_GRAC_FIREFIGHT_LOG_REPORT has been configured in the AC System with transaction SPRO.
The automatic customizing has been done, number ranges have been created. Back ground jobs are running and the customizing concerning FF id's, Controllers and Owners has been done.
The log in notification mail is sent to the controller correctly and also the notification about a new work item. The error message appears when the Controller tries to execute / open the data from the log file in the SAP Business workplace with transaction SBWP.
This is the error message:
Exit CL_GRAC_SPM_AUDIT_REVIEW triggered exeception for event STATE_CHG and (target) status READY->SELECTED: UI signature (ID:'') not MSMP - action for WorkIte
Message no. SWF_RUN646
Can anyone help?Hi Nagesh,
You need to maintain an MSMP workflow for the SAP_GRAC_FIREFIGHT_LOG_REPORT process id and activate it.Kindly run the sync jobs inorder to trigger it
Best Regards,
Nandita. -
Hello Experts,
I have cconfigured HR Triggers for change of position using Procedural call method. Created BRF+ Rule that identifies the condition and returns ACTION-ID. I can see that condition is satisfied when change of Position occurs, but it not following any workflow.
Where do we link the ACTION-ID to a workflow? Do we need to create new initiator with BRF+ Function ID ?
Already followed note 1591291 but did not help.
Thanks and Regards,
Ajesh.
Edited by: Ajesh Raju Pujari on Mar 4, 2012 2:56 PMHi all,
check the transavtion SLG1 run it backend system mention the following
Object: GRAC
Subobject:HRTRIGGER
External ID: *
then mention the dates and make * in remaning fileds for log class select All Logs and Log Creation ANy
Log Source Formatting select the first option then run the report
select the date which Hire actiivity taken place and Double click on it
you will get the log report and the exact error issue
Normally you define the workflow in SPRO as i nthe following the path
SPRO ->GRC -> Access Control -> Maintain mAC Application anf BRF+Fucntion mapping
maintain the workflow name
then you need to map the workflow in the MSMP GOto GRC->AC->workflow for access control -> Maintain MSMP workflow - select the standerd workflow you mentioned then go to the stage Maintain Path and maintain the path mentioned then go to stage Maintain Route Mapping and RUle ID for HR Trigger and PAth ID
hope it you solve -
GRC AC 10 SP13 - workflow not routing to multiple role owners
hello
We are experiencing issues in our production MSMP workflow where an access request with multiple business roles are not being routed to role owners after manager approval. The request contains four business roles. Three business roles have three different role owners. The fourth business role does not have a role owner assigned. After the manager approves the request, the business role without a role owner does not provision. The other three business roles do not route to their respective role owners. We have tested the same scenario in our development environment and it routes properly. I have validated our MSMP workflow settings in production and validated it was activated. I have also checked the instance monitor via GRFNMW_DBGMONITOR_WD and it does not give an indication why the request isn't routing.
Any ideas why we are seeing this? Below is a screen shot of the audit log.Hi Stacey
If DEV is working and PRD is not have you gone through and compared both and ensure latest MSMP configuration in PRD has been activated?
Also, is the approver COCHGG00 also the Role Owner?
Are you able to show you MSMP configuration? It's makes sense to analyse the log in the context of your configuration. E.g. does the Z_ADDTNL_ACCESS_PATH path have two stages: Manager and Role Owner of which there is a routing rule on the Manager approval to go to the NO_ROLE_OWNER path where the business role has no role owner?
Regards
Colleen -
Workflow is broken after system refresh
Dear Gurus,
We are planning on EHP upgrade to SP15. Prior to doing that we did a system copy of production to Development.
I completed all the config steps and now can also see that the New access request is pointing to the development system.
I creates a new Access request after completing all the sync jobs and master data update. The UAR request also gets submitted successfully and I get a UAR# triggered. As part of it I as a requestor also get a notification about the request#.
But it STOPS at this stage. I don's see an update on audit log as it usally does. It just stops with the requested information but does not trigger any email or a work item to the next stage approver (manager in my case).
Though this is a system copy we ensured all the event linkages were activated same as in production . BRF+ works fine with simulation and we also generated BRF+ and MSMP workflow.
Still no luck. I have used tcode GRFNMW_DBGMONITOR_WD for analysis and found that the following task ID's were also completed for a production request. But when I compared that with the Dev request that I created I see log does not process any background step .
TS76308024,TS76308025,TS76308027,TS76308048,TS76308025,TS76308027,TS76308048,TS76308051,WS76300056,TS76308026 (completed for succussfull completion in Prod)
I have ensured WF-BATCH ID is active and not locked.
In dev I only see TS76308024 (Ready) and WS76300056 (started)
I have activated the debug mode and I have enclosed the log result here.
Please help me on this to resolve the issue. We need to complete this and then perform SP 15 upgrade and move this all the way to production by 7/25.
Thanks
LakshmiHi Lakshmi,
basically the system copy should be done the same way as the standard copy process of other SAP systems. However, there are some additional steps to check.
Please verify old references for your old system as they don't exist in the new system:
- Connectors (remove if not used)
- MSMP Workflows; make sure the workflow service URL references the new host name
- etc.
Hope this helps to check.
Regards,
Alessandro -
Hello experts,
I have a test GRC system, that all my colleagues come there and make configurations...
Now after 1 year, many configurations are there and they cause error while i'm trying to generate new version of MSMP workflow.
So is there anyway for me to reset/clean the version of MSMP workflow(Access request), or can we reactivate the BC Set to overwrite all the configurations ?
Thanks in advance and best regards.Dear Toan,
you have following possibilities to manually recreate the configuration:
- Do manual copy of MSMP Workflow Configuration to your target system using transaction GRFNMW_CONFIGURE_WD in target system
- In source system you can use transaction GRFNMW_CONFIGURE - expert mode maintenance view based configuration of MSMP Workflow - to visit and save relevant parts of MSMP configuration to NEW transport request. The transport keys generated by GRFNMW_CONFIGURE are correct. You have to visit every referenced part of your process configuration and save it to the NEW request. Releasing transport request with transport keys generated by transaction GRFNMW_CONFIGURE won't cause any other issues (unless you violate any other limitations - i.e. if you try to modify SAP namespace entries of some configuration tables - aka. E-tables)
Please be aware that the transaction GRFNMW_CONFIGURE is expert mode only transaction and does not have lot of validation checks implemented (opposite to transaction GRFNMW_CONFIGURE_WD which should be primarily used when maintaining MSMP Workflow configuration). Thus using GRFNMW_CONFIGURE to maintain MSMP Approval Workflow configuration requires deep expert knowledge.
This transaction (GRFNMW_CONFIGURE) also allows deleting/modification of SAP-namespace pre-delivered entries which will cause MSMP Workflow to stop functionig properly. In such case fall back solution is to re-activate pre-delivered BC set GRC_MSMP_CONFIGURATION (transaction scpr20, expert mode activation) - this will overwrite MSMP configuration to it's post-delivery state. In some rare cases you can still have problems even after reactivating the BC set. In that case you have to compare the BC set values/entries with real content of the configuration DB tables included in this BC set. If you experience any extra entries in the DB table(s) which are not part of the BC set, you will have to delete them (i.e. programatically).
Hope this helps.
Regards,
Alessandro -
Hi All,
We have a situation where one client has already connected to GRC system to one system and configured workflows.
Now we are connecting GRC system to another 3 systems and configuring workflows.
Their configuration is completed. They have their MSMP version created with all their configurations. Now i have added few entries in the initiatoras required for newly connected systems and setup workflows required and created new MSMP version and added it to the transport request.
Does the new version I added to transport request contains only the updated entries by me or all the data.
My query is, If i transport my changes to from DEV to STG, only changes done by me will be transported to STG or all the data including things done by other client also will be in my transport request?
I assume that new version will have all the data including updated things as well as old things. So I assume that all data will be transported to next landscape.
I assume this would be the same case with BRF+ initiator i modified.
Is my understanding correct?
We are in a situation where, If other client has some more changes to be done and they come into DEV environment and made some changes and only their data needs to be moved to PRD without the changes added by us. Is this possible?
We are confused about transport requests concerning BRF+ and MSMP workflows
Someone please advise on how to handle our situation.
BR,
Sai.HI Sai
Have you tried putting the version into a transport and then go to SE01 to have a look at the contents. You know if the transport is the entire scope or just you changes (e.g. if table with asterisk is mentioned then it is being completely transport)
Assuming all MSMP changes originate from DEV and proper change control is in place you should ot have an issue on transporting someone elses - unless you mean that two people are maintaining MSMP at the same time and one person is not yet ready to release their change. The "unless" would depend on looking at the transport contents (possible, it limits to the Process Id and related configuration).
For BRF+, as this generates an SE37 function module, I would assume that the entire function is transport. Again you would need to look at the transport content. You would also search bpm community.
Regards
Colleen -
Error in Generating GRC BRF Agent Rule
Hello Gurus,
I am atrying to generate a BRF Agent Rule but am aaunable to activate MSMP workflow corresponding to that:
Error in MSMP Workflow while activation:
1) MSMP process SAP_GRAC_ACCESS_REQUEST_HR version IMG Configuration Tables contains errors
2) abap dictionary data object binding is out of synchronization
Below are the screen shots of my BRF Rule configuration. I have created a procedure call which is tied to function moduleHello,
I assume you have already checked the below document where it is explained the procedure call and Function
cross check your settings with below document
AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
if everything is fine provide the MSMP error screen shot.
Regards
Baithi
Maybe you are looking for
-
Error in executing a process for compilation for jsp
We have an iView which has jsp pages in it. We deployed the par & try toaccess the iview & we get an exception. The issue is that the iview has a jsp page. At the run time, this jsp is converted into a .java file without problem. But EP engine is hav
-
Select with like for multiple results
Hi, I need to find all the rows of a table that contain the values of another query in the table. My problem is that the table that I want to verify may contain a list of values and I'm not been able to think on an easy way to do this! Performance is
-
Problems with the Netweaver Linux VMWare Version
I've done the following points: -> download the: SAP NetWeaver7.0-Java-VMware-Trial -> download the: SUSE Linux Enterprise Server 10 -> download the: VMWare Player 2.0.2 for Windows Now i've started the VMWare Player, open the "SAP NetWeaver7.0-Java-
-
How do I get a device activation code for my ipad 2 so that I can activate Netflix?
My netflix account requires a device activation code. How do I get one for my ipad?
-
My new Canon 16-35 mm f4 is not recognized by Lightroom 5.6
I used the new lens and I am experiencing the same problem as someone else on this forum posted last month. The lens is not being recognized by Lightroom 5.6 and the distortion is severe... very severe. Can someone assist me with resolving this pro