CUP-SP13 Delegation Approver

Similar Messages

• GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

  Hello Gurus,
  We have configured CUP in GRC AC 10, and mapped a workflow for the same.
  Now when a user request for new roles e.g.) 3 roles
  Role 1 , Role 2 , Role 3 each roles has a different role owner.
  When the request goes to the role owner for approval and 1 of the 3 role owner rejects the request the whole request gets rejected.
  Is it possible to have functionality where roles which are approved will go ahead and get "Provisioned" and the whole request wont completely get rejected ??
  Looking forward for your inputs !!
  Thanks in advance.
  Regards,
  Victor

  Hello Victor,
  I guess you can work with the approval/ rejection level (stage 5 in the WF configuration).
  Have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1637574
  Cheers,
  Diego.

• CUP-SP13-Request not handled

  Hi all,
  Whenever a request is not handled by the approver (I mean in the cases that the main approver is on holidays for example) and there is no configuration set for the delegation or alternative approver, which is the best practise in these cases for approving that request?
  Any suggestion?
  Many thanks in advance!
  Marga.

  Two options:
  - an administrator approves the request
  - an administrator forwards the request to a different approver
  Administrators can also set delegations for approvers.
  Frank.

• CUP Forks & Security Approver Determinator

  Hi All,
  We are currently working on our CUP workflows and are planning on using forms to distinguish between manual provisioning (systems such as MDM console) and autoprovisioning (ABAP and java stacks). My question is, when we use the fork condition NON-SAP and SAP, where does CUP look to determine this? We are planning on using applications to setup our manual provisioning systems but I also know we could create them as dummy "other" connectors (although messy).
  Also, what is the difference between Security Lead and Security approver determinators when configuring a stage? What IDs does CUP look at for these two? I only see Security Lead under Approvers.
  Thanks!
  Grace Rae

  Hi Grace,
  Forks only work for non-SAP connectors, so you's have to go for a dummy system if you really need fork. Alternatively you can chose an initiator based on roles, which will also allow you to fork the request on the first stage.
  The security approver determinator is a group approver which looks for everyone with the UME role "AESecurity" and routes the request to them in parallel.
  Frank.

• CUP 5.3 - Approver Not Found for STD Determinator

  All,
  I am using the standard approver determinator for super user access - Super Access Owner.
  I have got an SPM Owner defined in the source system table for owners but CUP is returning an error message saying that the Approver is not found.
  The other Custom Approver Determinators seem to work but the standard one referencing SPM owners does not. Am I looking in the right place?
  Can any of you suggest how this can be corrected?
  Please advise me if you have any recommendations.
  Thanks,
  Simon
  Edited by: Simon Persin on Aug 17, 2009 11:51 AM Updated type on title.

  Hi Simon,
     Look at OSS note - 1350046. It may help.
  Regards,
  Alpesh

• GRC Access Control 5.3 CUP Role Provisioning Approval Buttons Missing

  When Approvers receive a Request in Compliant User Provisioning via email they click on the link but the action buttons are missing. (example approval, reject approval buttons are missing).  When they log in through the lauch pad the action buttons are visible.

  Hi,
  I would first check the links in the Application and redirect fields of the SMTP configuration.
  Then I would check the authorisations as these buttons are governed by authorisation actions.
  You can also look at the stage configuration and check whether th request reject field is set to show that button.
  Simon

• Advanced View in CUP - SP13

  Anyone install SP13? 
  After running a risk analyis on a request, when clicking on the advanced view I was expecting the permissions and system to appear for the risk.  However a no risks are displayed.  Additionally, when I remove role(s) from the request and re-simulate the risks aren't removed.
  Anyone aware of additional configuration that needs to occur to activate this "new" feature?  I'm using the V01 risk analysis webservice.
  Thanks

  Make sure that the key attribute is set for the master and detail VOs

• Error when trying to approve a mitigation control in CUP

  Hi,
  I have created a Mitigation Control in RAR and set-up the necessary workflow. The request ends up in CUP and the approver is able to see the request when he/she logs in, however the approver cannot approve or reject the request.
  The following error messages appear:
  - Approve: Error processing your request, Request no: 2 in stage : MITIGATION
  - Reject: Error rejecting request no: 2
  I have check the workflow many times now and I have also checked the mitigation URL's.
  Any idea what the problem can be?
  Thanks.

  Thank you for your response. No the approver is not part of the DL. I just added the approver to the workflow (CAD).
  Please find log details below:
  2010-03-18 16:09:32,729 [SAPEngine_Application_Thread[impl:3]_8] ERROR Service call exception; nested exception is:
       com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
  java.rmi.RemoteException: Service call exception; nested exception is:
       com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
       at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:87)
       at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:96)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
       at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
       at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5335)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5174)
       at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4967)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:928)
       at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(AccessController.java:219)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by:
  com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:998)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1449)
       at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:80)
       ... 33 more

• Making comments mandatory for only some roles when approving CUP requests.

  Does anyone know if there is a way to make Comments required in CUP requests when approving a request for just certain roles?  We don't want comments to always be required, just if you are approving a request for Role XXX for example.
  I tried using the Comments Mandatory setting that is available on the Role Details screen (along with the associated flags on the Roles/Role Selection screen), but this only seems to require a 'request reason' for the role when the request is being built.  It doesn't require comments when the request is being approved.  (There also appears to be a bug with this because this request reason doesn't show up anywhere in the request after it is built.)
  I know you can set the Comments Mandatory on for the workflow stage, but then you have to enter a comment for every request, regardless of the roles.  We are wanting them to required only for a few specific roles.
  We are on GRC 5.3 11.2.
  Thanks.

  Hi Bob,
  It is not possible to enable the comment option only for few roles. Either it can be on for all, or off.
  Rgds,
  Raghu

• 3 Day Email Reminder in CUP for Approvers That have Not Approved

  Is it possible to set up a 3 day email reminder that a request needs to be approved if it is still sitting in CUP to be approved?  All I see in the configuration is were the reminder, submission & closing tabs can be configured by Days but the number of days pertains to all of the tabs.  Is this correct?

  Hi Laura,
  I'm not sure which version of CUP you're referring to. But in GRC CUP 5.3, on the configuration>workflow->email reminder tab, you will see above the email notifications types of 'reminder', 'submission' , and 'closing'.. the option to choose number of days b4 sending the email reminder. You can set that value to '3' and it should work. If the approvers haven't approved the request for 3 days, after the 3rd day, they will get email reminders sent to approve.
  Thanks,
  A.

• ERM Role con't be deleted Automatically after rejecting the request in CUP

  Hi Experts,
  I am involving the GRC implimentation project and ERM component is succefully configured with post-installation activites and also configure the workflow(1-stage) in CUP for role approval.
  After initiating request, the request was sent to appropriate approver for approval process and approved/ Rejected by the approver.For first case(Request approved) everything is looks fine.
  but whenever the request is rejected (second case) by the approver, the role is still present in ERM and ABAP backend as well as.
  please suggest me, if the role is deleted in ABAP/ERM system after rejecting the request by Role Approver in CUP. or still present the role in systems.
  Regards,
  Arjuna.

  Hi Jes,
  We so have a feature called Password Self Service which is used by users to reset their password using CUP. Also if the password is locked by multiple failed attempt, CUP even activate this user.
  However in your case administrator will be locking the user or deactivating the password, so CUP will not allow users to unlock their users as it has been locked by administrator.
  So CUP can only unlock those users which were locked due to failed attempts etc.
  Regards,
  Shweta

• Request waiting for approval

  Hi,
  I have request that is in status running from last 24 hours and waht it is doing is
  begin PO_REQAPPROVAL_ACTION.APPROVE_DOC (:v1, :v2, :v3, :v4, :v5); end;
  I got this by query
  SELECT vs.inst_id,vs.osuser,vw.event,vw.p1,vw.p2,vw.p3 ,vt.sql_text , vs.program
  FROM gv$session_wait vw, gv$sqltext vt , gv$session vs
  WHERE
  vt.address=vs.sql_address
  AND vs.inst_id = vw.inst_id
  AND vs.sid = vw.sid
  and vs.sid=xxxx
  Any idea what it is doing or how i process this or cancel this request or database session?
  thanks

  Hi Karunakar,
  Using Admin Delegation option will allow access to entire work Inbox of the Approver A who is on leave to Approver B who is delegated approver.
  NWBC -> Access Management -> Access Request Adminstration -> Admin Delegation
  If you really want only few requests to be approved by Delegated Approver Security admin can forward the request to new approver when main approver is on leave.
  Regards,
  Madhu.

• CUP/AE: Email notification not working

  Hi all,
          We are configuring SAP GRC v5.3 and we are not getting any email notifications for Role Approvers. When creating a role via ERM, the request is successfully generated on CUP during the Approval step but no notification emails are being sent to Approvers.
  We have activated java mail on Netweaver, configured the SMTP server and scheduled "Email Dispatcher" background job on CUP.
  Are we missing anything?
  Any help will be usefull for us.
  Regards.
  Leandro.

  Thanks for your reply, we could finally solve this issue. There was a communication problem between GRC and SMTP servers.
  Now we are facing the following issue. We have created an ERM Workflow with 2 approval stages for ERM requests on CUP.
  We are receiving "next approver" and "approved" notifications according to the 1st approval stage but only "next approver" notification according to the 2nd stage, after the "email dispatcher" background job is executed.
  Anyway, we are still not getting any "rejected" notifications after a role request is rejected at any stage of the workflow.
  Any ideas on this issue would be greatly appreciated.
  Regards.
  Leandro.
  Edited by: Leandro Perdomo on Jan 13, 2009 5:12 PM
  Edited by: Leandro Perdomo on Jan 13, 2009 7:10 PM

• Permission risks

  Hi,
  We would like understand how GRC system controls permission risks, we have 15 company codes and 90 business area and we have to identify risk and deny user access for cross company access.
  For example:
  User belongs to company code XX00 and assigned to some role (create purchase order) and request access for company code AA00 for some role, during risk analysis  in CUP system for approval of request, system should deny access for such combination.
  Please suggest on how we can control such issue in GRC AC
  Regards

  Hi Devesh,
  “The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some
  intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
  Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
  Quoted from this article below:
  Using Kerberos for SharePoint Authentication
  http://technet.microsoft.com/en-us/magazine/ee914605.aspx
  From my point of view, as long as the intermediary account can be trusted, then it is safe.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• GRC AC v10 SPM WF - Workflow Item not showing up in WF Inbox

  GRC AC v10 - SP12
  The outlook email notification for the Workflow Item goes out, but there is nothing in the NWBC Inbox for the WF Item. Subsitution is setup correctly.
  Any ideas?
  -john

  Hi John
  this is probably be a silly question but what substitution did you set up for ZFF_CTL_01? I assume the item is in that user's inbox. Which user is meant to be receiving?
  I also noticed this KB article (1589130) which mentions the delegated person needs GRAC_REQ authorisation. Have you checked if security access issue?
  There was also mention that the delegated approver does not appear in the MSMP instance runtime (your screen shot suggests same situation unless you have not set up the delegation). SP14 delivers the fix or refer to  1915928 - UAM: Delegated Approver is not visible in the Instance status
  Possibly have a look at both of them to see if they resolve your issue.
  Regards
  Colleen