CUP: Auto role reject on submission

Similar Messages

• Role Rejection Notification Issue

  Hi All,
  I have a doubt. Please help.
  When Request is rejected, Notification Event "REJECTED" triggers and mail notification is sent to inform Requestor or User.
  When user has selected 3 roles, out of which 2 are approved and one role is rejected. How to inform the user through mail notification that particular role is REJECTED by the role owner?
  Also I observed one more scenario
  My request has 2 roles with 2 different role owners. Both the owners rejected their respective roles and entered the comments for rejection. But since in LineItem rejection, role owners enters comments at LineItem level and then clicks on SUBMIT button, though both the roles are rejected at role owner stage, request is going to the next stage and getting closed there.
  Because of this the closing notification which we have maintained at 3rd stage is getting triggered though request ended at 2nd stage.
  I assume this is how GRC 10 system is behaving. So wanted to know how other consultants handled Role Rejection notifications in GRC 10.0. because i went through few notes and SAP confirmed that this is the standard behaviour
  1960393 - No detailed user notification for the rejected roles
  1849378 - GRC-10.0- MSMP, rejection notification is not getting triggered in case of 'System and Role' setting at Stage level
  Please provide your valuable inputs.
  Thanks in advance.
  Regards,
  Sai.

  Rejection notification will only be sent out if the whole request has been rejected, not if individual line items have been rejected.

• I need auto call reject how can make it in iphone 4s. 6.0.1

  I need auto call reject in iphone 4s 6.0.1

  Call blocking is not a feature that is available on the phone. You'd need to contact your carrier to see what services they offer.
  You can quickly silence the ringer for calls you don't intend to answer by tapping the power button once. Tapping it twice will send a call directly to voice mail.

• Error in auto role assignment based on membership rule

  Hi All,
  Now this is a strange behavior I am finding. I had created an auto-membership rule in OIM and had assigned that to a role in my OIM. Now whenever I created an user, and based on a custom attribute that I was setting in the create user page. Now this was working totally fine. After that I did LDAP Sync and all and I am sure it was working even then. Now suddenly the auto assignment of role has stopped working and the user doesn't seem to get the role automatically at all.
  And more strange is the point that when I modify any attribute in the user profile, the membership rule gets triggered just like it should during the user creation.
  Can someone suggest anything for this if they have faced the same?
  Thanks,
  $id

  I had been struggling with Role membership and access policies myself on 11.1.1.5.2.
  Look at the following articles if those help:
  Auto Role Membership Not Getting Evaluated On Create Event With Custom Post-Proccess Event Handler [ID 1469286.1]
  Role Memberships Given, But Access Policies Not Triggered For Enabled Users [ID 1473348.1]
  As for the limited release 11.1.1.5.2AK patch, it changes the way event handlers are triggered and the way access policy is re-evaluated. Also in that patch Oracle has given out new API for getting the service in event handler and that is supposed to bring order and synchronization of the event handlers. As far as confirmation from support goes, the event handlers are same from B2 to B3 and B4. Oracle is waiting to hear from customers about the results of the 11.1.1.5.2AK patch before it would be made available in GA.
  -Bikash
  Ref: {thread:id=2421106}

• When role rejected in CUP 5.3 SP8 we get error messages

  We have a request with tree roles and when we reject one role and hit the approve button we are asked to do a rsik analysis.
  After we run that and hit the approve button again we get thiese error messages:
  Access changed, Risk analysis is invalidated.
  Risk Analysis Mandatory
  We get these even if we run it again.

  The fix for this is in SP8.1

• GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

  Hello,
  Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
  I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
  User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
     Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
  1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
  2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
  And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
  Thanks in advance,
  Alley
  Edited by: Alley1 on Sep 20, 2011 1:15 AM

  Hi Karell,
     Here is response to your questions:
  I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
  Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
  Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
  Regards,
  Alpesh

• CUP assignment - Role Validity

  Hi,
  I have a question about role validity periods in CUP when the request gets approved. Currently valid from period is selected based on request creation date and end date is always set to 12/31/9999. Is there any way the 'from date' can be set to the date the request gets its final approval with out asking the approves to change the dates as the request can have multiple approvers.
  Request approval is set at role level and auto provisioning is in place.
  Thank you.
  R R

  Srinivasan,  Frank
  Thanks for the replies. A custom program that looks at these periods and send emails, among other actions, to users with role information. This program can not send emails if the validity period is beyond certain days.
  Is this FM /VIRSA/ROLE_ASSIGN_CUA can be customized to accomplish this?
  As an option we can ask approvers to change the from date to current day.
  Thanks
  R R

• CUP Auto Provisioning Error 260: User Comparison

  I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments.  I believe the path and associated stages are established properly.  I have tested the auto provisioning functionality within both SRM and ECC.  As it relates to SRM, the auto provisioning functionality works without a hitch.  However, when I attempt to auto provision a user into our ECC environment, I receive the following error:
  Auto provisioned for request on 04/07/2010 13:41 
     New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.
     User attributes changed for User : T00522 in System(s) :DR4-300.
     Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text
  Speaking with out security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role.  However, I informed them that CUP uses SU01.  They have not experienced such an issue using SU01 and clicking on the user comparison button. 
  Interesting point:  The user record is created and roles assigned to user but have a red light indicator by the role within SU01.  However, when the next day rolls around the role has been changed to a Green light, profile assigned and everything is looking good.  Unfortunately, CUP can't seem to register this and when the Role Owner attempts to approve the role / user request again.  The same error occurs and until I can get around this error, the workflow is not closed out nor is the requester notifiied.
  Questions:
  (1)  How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
  (2)  If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

  Denoted below is the log that corresponds to the 260 comparison error.  Does anyone know what access I am missing within the UME.  I have tested this provisioning process, manually, and do not run into a Comparison error within the SU01 screens:
  2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
  com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
       at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)
       at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)
       at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionInNonCUA(ProvisionSAPUserDAO.java:1232)
       at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionRole(ProvisionSAPUserDAO.java:932)
       at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionUser(ProvisionSAPUserDAO.java:118)
       at com.virsa.ae.accessrequests.bo.ProvisioningBO.autoProvision(ProvisioningBO.java:216)
       at com.virsa.ae.accessrequests.bo.RequestBO.autoProvisioningForApprove(RequestBO.java:4572)
       at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:5565)
       at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5339)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5191)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() :   : intHstId : 3068
  2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto
  com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto
       at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)
       at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleWFForNewPathStage(WorkFlowBOHelper.java:2516)
       at com.virsa.ae.workflow.bo.WorkFlowRequestRerouteHelper.rerouteRequest(WorkFlowRequestRerouteHelper.java:68)
       at com.virsa.ae.workflow.bo.WorkFlowBO.rerouteRequest(WorkFlowBO.java:614)
       at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5239)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  2010-04-27 13:44:55,394 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : confirmRequestApproval() :   : setting context to true, ending context
  2010-04-27 13:44:55,414 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataForwardDAO : findTransactions() :   : sbQuery : SELECT REQNO, REQPATHID, STAGE_NAME, FWDED_BY, APRVRID, ITERATION, FORWARD_TYPE, STATUS FROM VIRSA_AE_RQD_WPFWD WHERE REQNO = ?
  2010-04-27 13:44:55,486 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.SAPConnectorDAO : findAllActiveSAPConnectors :   :  going to return no of records= 3
  2010-04-27 13:44:55,495 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.OracleAppsConnectorDAO : findAllActiveORACLEConnectors :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,498 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.PACSConnectorDAO : findAllActivePACSConnectors :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,502 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.WSConnectorDAO : findAllActive :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,505 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.ApplicationDAO : findAllForContext :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,532 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,535 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,540 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataMitigationDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
  2010-04-27 13:44:55,579 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : INTO the method
  2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : request number : 154
  2010-04-27 13:45:14,055 [SAPEngine_Application_Thread[impl:3]_18] INFO  com.virsa.ae.dao.sqlj.RequestTypeDAO : findAll :   :  going to return no of records= 20

• CUP Custom Role Attributes

  All -
  My question is about creating custom role attributes in CUP. I read in the "SAPu2122 GRC Access Control 5.3 Document Version 3.10 u2013 December 2009" on page 245 that "You can also define your own attributes to support your needs by adding custom fields." I have two questions:
  1) Can I defined custom role attributes outside of the delivered ones (Company, Functional Area, Application Area, Business Process, Business Sub-Process, and Functional Area & Company)?
  2) If "yes", where do I do this in CUP?
  I'm running AC 5.3 SP10.
  Any help would be appreciated.
  Thanks,
  Daniel

  Hi Daniel,
     Yes , you can define your own attributes as many as you want
  Configuration --> Custom Fields --> Field Label
  All these Field Labels will be shown as separate tab (Tab Name : Custom Attribute) , so in this tab you will get all the attributes which you have creates manually .( You can check this in configuration guide CUP)
  Hope this will help you
  Thanks
  Uma Shankar Tekumudi

• CUP - Indirect Role Assignment

  Hi All,
  Can anyone confirm confirmation that CUP can be used in conjunction with indirect assignment to assign some roles but not all.
  Regards

  Deepak,
    RAR should also work but I have not tried it. I have used CUP to do assignment. RAR has something called HR object analysis so it should be able to work.
  Regards,
  Alpesh

• CUP "view" role for reviews

  Hi experts,
  Is it possible to create a role in UME only with "view"/"information" actions?
  So that the revisors only can check the tab "my work", "informer", "configuration" and cannot change the configurations?
  If I give a UME-User only all "View*" roles the tab "configuration" appears but not with all subitems?! Otherwise the revisor get to do modifications in the systems. Okay all modifications are marked in the logs but this is again work for the admins to check the log-files after each review.
  Is there any possibilty to go round this process?
  Thanking you in anticipation,
  Alexa

  Hi Alexa,
  Yes it is possible to restrict CUP Reviewer's access to only "My Work" and "Informer" tabs, or even certain options under "Configuration tab" though GRC AC UME role/permissions.
  I would advise not to give "Configuration" tab access to the reviewers, as it contains ADMIN only functionalities. This can be done by not assigning Action "ViewConfiguration" to Reviewers in UME.  Also not all "Viewxxx" actions should be assigned to reviewers.
  To start with you can use SAP delivered "AEApprover" UME role for CUP Reviewers and then customize the permissions in it to suite your requirement.
  Refer latest Access Control Security guide to know more on different Actions/permissions.
  Regards,
  Amol

• ERM & CUP and Role Status attribute

  Hi,
  Under a strategy where roles are imported into CUP from ERM, could anyone share the use / meaning / purpose for "Role Status" attribute in EMR?
  Thanks for all. Best regards,
      Imanol

  Varun,
  We have been extensively checking the sync from ERM into CUP and I can tell you that roles into CUP can be imported eventhough they have Development status value in ERM.
  Anyone has identified the same behaviour in CUP when sync roles from ERM?
  Thanks for all. Best regards,
    Imanol

• CUP - button to reject request inhibited Version 5.3 SP14

  Hi,
  after it was applied in the SP14 GRC button to reject the request was only inhibited in step functional allowing you to reject functions. Does anyone know why and how to adjust the error?
  thanks.

  Hello,
  we have the same problem with SP14 (SP12 is ok) - after clicking on Reject button the option "Reject Request" is disabled and the option "Reject Roles" is enabled. When approver chooses "Reject Roles" the request is completed and FF account provisioned!
  I had to change approving settings for that stage:
  Approval Level: "System and Role" -> "Request"
  Rejection Level: "System and Role" -> "Request"
  Now when there is a request with two FF accounts (and two different approvers) one can approve his FF but when the next approver rejects the request nothing is provisioned.
  But better is nothing than provisioning rejected FF account!
  Pavel

• CUP auto provision to position

  Hello Experts
  I hope you can help me on this issue. We have just implemented CUP (SP14) and have set up auto provisioning, indiirect to a position.
  Despite this CUP is provisioning all requests directly to the User ID. There are no error messages to indicate that provisioning to the position has failed or even if it has been attempted. All back end funtionality is standard and working when tested manually. The CUP logs are not showing anything that I can decipher. It is as if the auto provision configuration indirect to the position is being ignored.
  Any ideas what could cause this behaviour?
  Thanks
  Barry

  Hi Jwalant
  Thanks very much for the reply,
  I am using SAPHR as the data source and for authentication. However we only want the user id to authenticate.
  Auto provisioning is set to indirect with position for Global and by System and I have tried Provisioning at end of request and at end of each path. This should work without using the personnel number in the authentication shouldn't it?
  The users Hr information is being pulled into the request without problem. It seems that CUP is making no effort to provision to the position, it just does it to the user every time.
  Any ideas?
  Thanks
  Barry

• CUP - default roles

  Hi,
  We are on AC5.3, SP11. I have configured default roles in CUP. Configuration is as follows:
  u2022     Consider default roles: Yes
  u2022     Request Type: New Account
  u2022     Default role level: Request
  u2022     User attributes: System
  u2022     I have also linked the system to the role
  When I create a request (attributes: new account and relevant system) I would expect the role that I have configured to pull through to my request under u201Cselect rolesu201D. This does not seem to be the case.
  Any idea what I am doing wrong? Or how the system is expected to behave?
  Any help will be appreciated.
  Thanks
  Mo

  Hi Mo,
  The scenario can be achieved by
  --In the request form customization make  Role as non mandatory
  --In the Configuration ->stage -> additional configuration -> make Add Role =Yes
  --Create a custom Text field where the end user who doesnt not know the exact role name can enter some text description.
  Based on this description the 1st approver can add the required role to the request.
  And users who know the role can add the same during request creation also.
  Regards
  -Ranjiv