CUP Workflow - Approval on role level

Hi Community,
I have a question regarding the design/capabilities of CUP.
Scenario:
Stage 1 - based on Functional Area --> approval on request level
Stage 2 - based on organisational area of role --> approval on role level
===========================================
In stage 2, the person A receives the request with all the roles (let's say 10). Out of these 10 roles, there are 3 within his area. I understand that 7 are greyed out and therefore only approval for "his" 3 roles is required.
Here come the questions:
- If I set the stage to "mitigation enforced", a risk analysis needs to be performed. That Risk Analysis will deliver risks that derive from all 10 roles or only the 3?
- Since approval needs to be given for the other 7 roles as well by person B, the request is forwarded to person B once the person A approves. What is the order that CUP applies here? Who gets the request first? I know that the request is not split and parallel processing does not take place since I do not use different initiators... so it must be some kind of order that is applied.
Any help on this is greatly appreciated.
Mo

Mo,
   The risk analysis is always performed on full CUP request. It does not care @ who is the approver at that point.
Also, role owner level approval always happens parallely. You should try this and you will see it. There is no order. Both person A and person B can approve the request at same time.
Regards,
Alpesh

Similar Messages

  • GRC 5.3 CUP - Role level comment(Role approver comments)

    I have recently noticed that comments enterd by our role approvers are being cut short. Does anyone know if their is a character limit on this field?

    Hi Kevin,
    I had a simmillar issue with the textfield "request reason" when change a role vía ERM and the request is sent to to CUP workflow, there´s a textbox that allows you to comment the role changes. Are you talking about this?
    I used to write large explanations there and I realized that this explanations were shortened (cut) automaticaly by the application. I raised a SAP message and they told me that this is a functionality that they will take into account for the next patches and proposed me to write the comments in the "detailed description" field ("unlimited" lenght) instead as a workaround. I´m using SP 15, so i don´t know if this functionality was included in recently patches. maybe u can have a look on the patch info for the AC component.
    Regards,
    Diego.

  • ERM - Workflow Approval Configuration in ERM and CUP

    Hi Experts,
    I'm in the midst of configuring the workflow approval for ERM and have some queries.
    I followed the post-installation guide part 1 for ERM on the workflow configuration and have sucessfully done the following:
    1. Verified that the "AE_init_append_data_RE.xml" has been uploaded in CUP with Append option
    2. Verified that request type "RE_ROLE_APPROVAL" with workflow type "RE" exists
    3. Verified that priority "RE_HIGH" with workflow type "RE" exists
    4. Created a workflow initiator for ERM called "ROLE_APPROVAL" in CUP -> Configuration -> Workflow -> Initiator (with the said details as per the post-installation guide)
    5. Created a CAD called "ERM_ROLE_APPROVER" for ERM in CUP -> Configuration -> Workflow -> Custom Approver Determinator (with the said details as per the post installation guide, filling in the necessary URI, uname/pw for admin with UME roles)
    6. Created TWO stages , one stage for the role owner called "ERM_ROLE_APPROV", and one stage for the internal control owner called "ERM_ROLE_APPRO2", both with workflow type "RE" and Approver Determinator "ERM_ROLE_APPROVER" which was created in step 5 earlier.
    7. Created a path for ERM Role Approval Workflow in CUP -> Configuration -> Workflow -> Path, with workflow type "RE", Number of Stages "2", Initiator "ROLE_APPROVER", Active "checked" and I put Stage 1 as "ERM_ROLE_APPROV" and stage 2 as "ERM_ROLE_APPRO2".
    8. Configured the Exit Web Service (followed the details as per the post-installation guide for ERM)
    As my role approval is pretty straight forward (i.e. based on business process attribute defined, with each role owner being responsible for their business process), I did the following:
    1. Create approval criteria "Role Approver for Business Process FI"
    2. For that criteria, I based it on attribute "Business Process"
    3. I clicked on "Assign Approvers" to define who is the approver (i.e. the respective role owner responsible for Process FI)
    4. I defined the condition for this criteria, Condition = AND, Attribute = Business Process, Value = FI
    My queries:
    1. Is the approval criteria which I created in ERM, referring to 1st stage or 2nd stage of the path in CUP?
    2. I'm assuming that for query 1, the approval criteria which I created is for 1st stage (i.e. ERM_ROLE_APPROV), where can I configure the 2nd level approval for the internal control owner (i.e. ERM_ROLE_APPRO2, in the path which I defined in CUP)?
    Thanks!

    Hi Baldwin,
    All workflow paths in CUP are triggered by an Initiator.  Once the request from ERM meets "Initiator" ("ROLE_APPROVAL") requirements in CUP, the request will go to the first stage defined in the respective path. Approvers defined in each stage of the path can approve request. Once the request is approved in CUP, approval information will be sent to ERM and then the role in ERM will be moved to the next stage.
    Best Regards,
    Sirish Gullapalli.

  • CUP: Notification Mail after Role Approval

    Dear SAP Experts
    We are running GRC AC 5.3 SP11.2  and facing a problem with the CUP workflow behavior.
    Each time we change a existing user in the system and assign him at least two new roles with diffrent role owners, we get some problems at the role owner approval stage.
    As soon as the first role owner provides his role approval a message is sent out to the requestor, manager and user that all changes to the user profile are done. This behavior repeats for each role owner which has to provide a approval to that request. The roles it self are assigned to the user account when the last role owner approved the request.
    Under AC 5.2 we had only one mail beeing sent out to the requestor, manager and user when all roles were approved.
    The role owner stage has following settings:
    Approval Type --> All Approvers
    Do we have to customize some more settings as well?
    Many thanks for your help Jeffrey

    Hi Frank
    Following settings are implemented at the role owner stage (last stage before auto provisioning):
    Notification Configuration:
    Approved --> User / Requestor / Manager
    Rejected --> Requestor / Manager
    Different text for mails are maintained
    Additional Configuration
    Risk Analysis Mandatory -> No
    Change Request Content --> Yes
    Add Role --> No
    Path Revaluation for New Roles --> All Roles in Evaluation Path
    Approval Level --> Role
    Rejection Level  --> Role
    Approval Type --> All Approvers
    E-mail Group --> BLank
    Comments Mandatory --> Yes / Rejected
    Request Rejection --> No
    Reroute --> No
    Confirm Approval --> No
    Confirm Rejection --> No
    Reject by E-mail --> No
    Approve by E-mail --> No
    Forward Allowed --> No
    Approve Request Despite Risks -> Yes
    Display Review Screen--> Yes
    Additional Security Configuration (Approval Reaffirm)
    Approve --> No
    Reject --> No
    Create User --> No
    Under AC 5.2 we used the Notification Configuration / Approved Mail to inform the defined persons that the request is approved and provisioning is done. This mail has been sent out only once to the persons after all role owners worked on the request. Obviously AC 5.3 behaves different after we have done the migration:-))
    Jeffrey

  • Provisioning roles in UME with CUP workflow

    Hello,
    to give our users permission to approve requests in CUP we assign them to LDAP groups. These LDAP groups have different UME roles.
    Is there any possibility to request permnissions for UME roles via a CUP-workflow in general?
    We are using GRC 5.3 SP 8.1
    Thanks
    Manuel Kunkel

    There are some pre-requisites - you need portal content on your AS Java, the "plain" AS Java install won't do.
    Here's a detailed guide on how to set this up:
    http://www.sdn.sap.com/irj/bpx/grc?rid=/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed
    Frank.

  • Purchase Order Workflow message for previous level approver

    Hi folks!!
    We are implementing PO workflow through which we want to notify the next level releaser as well as we also want to notify the previous levels releaser as well as Purchase requisition creator (if PR has been used as reference document to create PO).
    I have already successfully implemented the workflow, in which next level of approver gets the notification in his/her SAP Business Workplace as soon as the PO gets approved by the previous level.
    But my requirement is on final approval of PO, notification should also send back to the previous levels approver of PO and Requisition creator.How can I achieve it, please help.
    Best regards

    Hi,
    A check can be made during final level of approval for which e-mail will get triggered to the previous approver and the requisitioner. you would need to provide a Logic to your developer with the message body whihc will trigger an e-mail during final approver and mail recipients will be the previous approver and the Requisitioner which can be picked from Line item in Purchase Order.
    Prashant

  • CUP 5.3 (SP11) Risk Owner Approval in CUP workflow

    Hello Experts,
    I have a question...
    When you create a risk in RAR, is there any way you can send an approval request automatically to a Risk Owner already set in RAR?
    Unfortunately, there is no such option for risk in the CUP custom approver determinator.
    We want to set risk owners different from business process owners,* and risk owners are the ones responsible for risk approval.
    *We don't want to set the "business process" as an approver determinator.
    I would appreciate your advice.
    HM

    When you create a risk in RAR, is there any way you can send an approval request *automatically* to a Risk Owner already set in RAR?
      - CUP (Page 19/33)?
    Unfortunately, there is no such option for risk in the CUP custom approver determinator.
    There is - Request Type - Attribute
    Please have a look at the following document to create RISK (RAR) approval workflows in CUP (Page 19/33 - CAD):
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e03cd86c-3aa7-2a10-1aa6-e845902f555d?quicklink=index&overridelayout=true
    Thanks
    Himadama

  • Role Expert Workflow Approval Criteria

    Hi,
    I am trying to add workflow approval criteria to Role Expert
    I have gone to the configuration menu -->workflow --> approval criteria
    I have set-up an approval expression 'Functional Area' = Finance. However when I go to search for an approver or alternate approver no results are returned. i have AE approvers set up in UME. Where does Role Expert pull this list of users information from?
    Thanks Gary

    I think you cannot directly change it since some of the roles are associated with your old workflow.
    However, you can contact SAP for the same and ask for the script.
    Regards,
    Faisal

  • Two level workflow approval

    Hi Experts,
    I am making a workflow which have two level approval , now the problem is that the first level approver is going only to workflow initiator and if I use any other ID it is not working , it just hangs there.
    Secondly if I send the first approval to workflow Initiator and it approves it then it hangs with second decision step.
    I have made the agent assignment as general task. I have also checked SWU3 and all the things in that are activated.
    Kindly help me in this issue.

    How are you giving the ID , I mean are you trying to specify the SAP username, if this is the case then try to append US to the user name.
    I mean if you like to send the wokritem to User ABCD then the expression should have the below value USABCD

  • GRC AC 10.0 Mass risk analysis vs. Role level analysis

    Hello GRC experts,
    I urgently need your advice on the issue  with deactivated permission objects which are identified as risks in the mass role analysis.
    For example, in one role we have deactivated the permission object: S_ARCHIVE, and there are No activities maintained.
    But in the mass role risk analysis  and in the CUP request this object S_ARCHIVE with the ACTVT 01 is displayed as risk. As you can see in the screenshot, there are no activites maintained at all. We have created the MSMP workflow where all CUP requests with risks should go the the Security Stage. Now we have the situation that even though our roles are clean, they are forwared to the Security stage. It is a huge problem, because our security stage has no even more to to, than before using GRC! Because the dectivated objects are identified as risks.
    Please advise me, how to solve the problem. Did I missed some config parameters or is it a well known problem?
    We are on SP14, AC 10.0.
    At the single role level there are no risks displayed.
    Thanks in advance,
    regards
    Sabrina

    Hi Sabrina,
    check note
    http://service.sap.com/sap/support/notes/2036645
    Please let me know if it works.
    Regards,
    Alessandro

  • Workflow approval - 'n' step BADI, Approval hierarchy problem

    Hi,
    Description of the issue:
    For a shopping cart approval, the approver's list determined by the 'n' step approval BADI does not include the user who is the immediate in the org. hierarchy. Rather the work item goes to the superior authority (say MD) for approval, which must not be the case.
    Pre-requisites checked:
    1. Checked the org. hierarchy - Proper.
    2. Checked the Roles maintainence for shopping cart approval - All is fine
    3. Checked for approval/spend limits also - All is fine.
    4. Tested BADI/Business Object - Approval Table is empty & Approver_administrator is 'WF-Admin was informed'.
    5. Workflow log (technical details) - Checked in the containers for 'Approver's list'.
    6. Checked table HRUS_D2 for any substitutes assigned - All seem fine.
    This is the org. hierarchy,
    (A - Requestor) --> (B - 1st level approver) --> (C - 2nd level approver) --> (D - MD final level approval)
    The approver's list shows two names instead of 3, that is only B & D and not C. Hence the work item goes to D directly than going to C.
    Please suggest.
    Best regards,
    Harsh Dave

    hi,
    Well the approver list is created from the badi for n-step approval in SRM.
    If you say that approver list is empty when testing the badi, then you have to check which workflow is used in your environmennt.
    It could be that  someone decided to create their own logic.
    so start by finding out which workflow template is used in this scenario, also you can set external break-points for users in teh approval badi which would be executed if you you use the approval preview in SRM (I'm guessing it is SRM since it sounds like it)
    Kind regards, Rob Dielemans

  • CUP Workflow issue

    Hi guys,
    First - this isn't my issue but an issue that my colleague is having. 
    Their workflows have been setup and they've been working for sometime now.  I wasn't involved in their setup.  However last week, their BASIS team did some change (details aren't available to me as yet) and now, their CUP workflows are having a specific issue.
    The path that I've examined is as follows:
    Start > Manager > Role Owner > Security > Finish
    The only custom approver is under Security.  The rest are as delivered in CUP.
    What used to happen would be that the manager would get an email with a link that, upon clicking, would go directly into the request.  Now, that link takes them to a login box.  My colleague said that the tool hasn't been reconfigured by him and that the only major change has been some BASIS changes.
    I'm not sure where to tell him to start looking, since everywhere I've looked seems to be ok.
    Thanks,
    Santosh

    Hi Alpesh,
    That's what I had also said, that perhaps the SSO config was broken.  However, my colleague insists that SSO wasn't enabled.  I have my doubts about this but I have no way to validate that it was working prior to this issue.
    I know that when I look at the stages, the email templates for Approved, Rejected, etc., don't have any URL in the template, only the message.  As far as I know, this is how it should be.  Do you agree?
    Thanks,
    Santosh

  • GRC 10.0 - Auto Approve default roles

    Hello All,
    Could you please help out me in the below scenarios.
         1) We have maintained default roles in NBWC- Access Management - Default roles.
         Also set the parameter 2038 to Yes- Auto approve roles without approver.
    In MSMP we have maintained Escape path if approver is not found at the role level.
    As default roles have no approver maintained request is taking the Escape Path which should not happen.
    We just want to auto approve the defualt roles and other than defualt roles request should take escape path if no approver found.
         2) In other action its quite same as the above one.
         When we are using provisioning type REMOVE for role removal. Request also takes the Escape path as Defualt roles has no approver.
    Once the ,Manager at first stage is approved, request should close for the removal type access.
    Please advise. Thanks in advance.

    In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
    The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
    In your case, if you want "default roles" auto approved, easiest thing to so is create an empty path (i.e. No stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), go to the path with no stages.
    BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki

  • Need help with a CUP workflow scenario

    Dear Experts,
    I'm sure it is not just me encountered this required scenario (or something similar).  I would like some pointers how to transcript it to a CUP workflow:
    Application admin logs a provisioning request.
    Security creates a user account and provisioning the roles on QA.
    Application admin ensures that the user undergoes training on QA.
    Upon passing the training, security replicates the user account and role assignment on PRD.
    The esoteric solution would be one request, two paths, two provisions. Is it somehow possible?
    Client doesn't use CUA.
    The security requirements are higher on PRD, where SoD handling will be required.
    Kind Regards,
    Vit Vesely
    Edited by: Vit Vesely on Apr 29, 2010 3:29 PM

    Hii Vit,
    If you want to have two paths for a single request than only possible solution will be to create role based initiator's.
    Role Based Initiatator's can be created by following Configuration -> Workflow-> Initiator-> create.
    Here Select the attibute as roles.
    For example create two Initiator
    Intiator1 -> having Role1 attribute -> Path1
    Intiator2 -> having Role2 attribute -> Path2
    Now in the request if u select Role 1 & Role 2, than request will follow the parallel path ( path1 & path 2)
    Else it is not possible to have parrallel workflow path for any other attribute.
    In Case you can have provisioning at end of the paths as well as end of the request.
    Kind Regards,
    Srinivasan

  • PO workflow - escalator at plant level

    Hi SAP people,
    do you know if it is possible to set the time for workflow escalator at plant level?
    I have implemented the PO approval flow but i want to define 2 different escalator...
    Thanks in advance
    Michela

    Hi,
    Either goto spro>MM>Procurement>Environment Data>Define attributes of system messages and make 06/341 as Error or Warning, as required.
    Or
    Make source list mandatory in material master.
    Or
    Source List mandatory at plant in Source List config.
    Or
    Remove the pricing condition PBXX from your prcing that means you will have only PB00 (Gross price) condition in your PO which is determine the gross price from Info or contract or SA or RFQ but can't allow user to enter the price at PO level w/o any source document
    Or
    Customer exit MM06E005-EXIT_SAPMM06E_012
    Regards,
    Ashish.

Maybe you are looking for

  • How do I print from HP Connect Photo

    I've been looking for an app or program which will permit me to select a photo from my album and print it. I have just downloaded HP Connect and Photo OK but I cannot get past the opening page. According to the video, there should be a place where I

  • CUA:  Wrong entries in the table USZBVSYS

    Hi All, While searching a particular user access to the child systems via SUIM - > Users by system, the report given output that the user have access to so and so system. Whereas that user already deleted and there is no user account in CUA and the r

  • Sap Query Link Tables

    Hi, I badly need your help.. How can I link Table LIPS to VBEP using SAP QUERY? I have join these two tables using key field VGBEL = VBELN and VGPOS=POSNR but database access takes too long.. I need to get Schedule line delivery date(VBEP- EDATU ) wh

  • LsIsDate not checking for validity correctly

    I am sure this problem has come up before but I couldn't find any discussions on this forum relevant to it. Basically I am using a text field to enter dates and validating it using LsIsDate. The problem is that dates that should not be valid are pass

  • Replacing data on Time Machine drive to a new drive- How?

    The external drive I use for Time Machine (off an IMac) has to be replaced and I want to know the best way to move the "backup" to a new drive. I'm thinking of saving the file to my desktop and then to the new drive. (La Cie is mailing a replacement