Detour path in GRC 10

Dear Expert,
Any idea where we can maintain Detour configuration in GRC AC 10?
In MSMP I can see route mapping but am not sure if this is the place where I need to configure the detour, as it does not have an option to set a detour condition.
Thanks & Regards
Asheesh

Hi Asheesh,
Can you confirm whether you fixed the issue? Routing works only if we reject the request??
I have the following scenario:
1. No SoDs >> Take approval from Role Owner and create user / assign the access using workflow
2. SoDs found >> Role Owner approval and then Security team approval; after this the user ID will be created and the access assigned
I have configured as below.
Maintain Paths
1. GRAC_DEFUALT_PATH. In this I have configured rerouting using Functional module GRAC_MSMP_DETOUR_SODVIOL to route from Role Owner stage to Security stage
2. ZGRAC_NO_SOD_PATH, with stage as role owner only
Maintain Route Mapping
1. Map GRAC_DEFUALT_result to Default_path
2. Map GRAC_MSMP_DETOUR_SODVIOL to Default Path again for any SOD violations
3. Used one more functional module GRAC_INITIATOR_SOD_VIOLATIONS to check SoDs and map No SOD result to ZGRAC_NO_SOD_PATH
Workflow is working perfectly for Scenario# where SoD exist.
But for Scenario #1, it is still following the same path with 2 stages. Ideally it should go to role owner and assign the access.
I believe this is because it is just following 1 path, GRAC_DEFUALT_PATH, even though there are no SODs.

Similar Messages

  • GRC CUP 5.3 SP16, detour path not working for SOD violations

    Hi,
    Something bizarre is going on in our requests processing and not sure if that's the way SAP has set it up.
    We configured a detour path for requests with SOD violations to go to the additional stage of 'SOX Approver' but the first stage (manager) does the risk analysis and Mitigation assignment and then it goes to Role owner approver that approves the roles access. Once the role owner approves the roles , if the request had SOD violations, even if the mitigation was selected and approved by the manager stage, it needs to go to the SOX approver stage to approve the mitigation assignment before the request can be auto provisioned for any requests that had sod violations.
    But it seems to skip the sox approver detour path stage after the role owner approval and go directly to auto provisioning. I thought that any requests that had sod violations, in spite of having mitigation assignment in a previous stage, can be detoured to the next path for SOX approval and then auto provisioned. Since SAP doesn't give different approval option to approve mitigation vs. approve roles, wherever you make the risk analysis mandatory, that's where the mitigation controls have to be assigned. But we want the option to detour the path to SOX approver to approve those mitigation controls before auto provisioning the request.
    Any idea of how to fix this?
    Is the detour only going to work if the mitigation wasn't assigned? But then how can you get approval for the mitigation on a different stage if the same person has to assign and approve that?
    Will appreciate any feedback in this.
    Thanks,
    Alley

    I was actually able to resolve the issue by adding the role approver stage first to the sox approver detour path. This way, if the manager has roles with sod violations and updates mitigations for it, it goes to the role approver via detour path as well first and then to the sox approver stage before auto provisioning. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour which also has the role approver as the last stage.
    Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
    Requestor > Manager > Role Approver > Auto Provisioning (without SOD violations)
    Requestor > Manager > Detour (Role Approver > SOX Approver) > Auto Provisioning (with SOD violations)

  • Mitigation of risk at detour path

    Dear experts,
    I have a scenario wherein I am using detour path for SOD violation. I want that SOD violation path goes to person depending on type of risk present in access request.
    The path with HR risk should go to person X whereas non-HR (ECC) risk should go to person Y, who will do the mitigation. There are only two persons (one from HR and the other ECC) to do mitigation.
    They are responsible for only mitigation, and the mitigation control ID approver/monitor are different.
    How could this be achieved? Please share your thoughts.
    Thanks,
    Mamoon

    Hi Mamoon,
    Please check the below link. This could be helpful for you.
    AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
    Regards,
    Madhu.

  • CUP 5.3 SP16, detour path for SOD violations doesn't exclude critical risks

    Hello,
    Has anyone else had this issue:
    If you set your configuration to not require mitigation of critical risks, but only SOD risks, the workflow detour path condition 'SOD violations' still triggers to go to the detour path even if the request only has critical risks. This is a bug in the workflow detour logic. First of all, CUP doesn't differentiate between SOD violations vs Critical Risks violations. If we only want the mitigation approver detour to happen for SOD risks, the detour seems to happen even if the request only has critical risks issue which doesn't require mitigation.
    Since our Approver determinator for SOX approval is the RAR Mitigation Control approver, the workflow detours to SOD violations path but doesn't find any mitigation approvers on critical risks and so goes to the administrator inbox as an approver not found issue escape route.
    If SAP gives the option to not require to mitigate critical risks under config>mitigation>uncheck mark mitigation of critical risks not required, then the logic for detour also shouldn't happen for critical risks under 'SOD violations' condition. This doesn't make any sense why SAP has both in the same condition when one is clearly not SOD risks. Now our workflows keep failing because of this, because we have several roles that might have a critical transaction or so, but we can't stop it from detouring even when we do not want them mitigated or approved for SOX stage. But we still need this detour path for additional approval for the actual SOD Risks.
    Will greatly appreciate anyone's feedback on what they have done to resolve this.
    Thanks,
    A.

    I was actually able to resolve the issue by adding the role approver stage first to the sox approver detour path. This way, if the manager has roles with sod violations and updates mitigations for it, it goes to the role approver via detour path as well first and then to the sox approver stage before auto provisioning. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour which also has the role approver as the last stage.
    Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
    Requestor > Manager > Role Approver > Auto Provisioning (without SOD violations)
    Requestor > Manager > Detour (Role Approver > SOX Approver) > Auto Provisioning (with SOD violations)

  • GRC AC 10- Multiple detour for single stage path

    Hi Experts,
    I wanted to know about a possibility or view. Do you know any way where we can have multiple detours activated (like first detour 1 then detour 2 check) for a single stage?
    Actually once we click on routing rule, we get only a single detour selection option.
    Please suggest an idea.
    (I would like to update that we do not want the system to have multiple levels of approver but only a single role owner stage.
    Final solution is creating a custom detour having the ability to handle multiple scenarios, but we are looking for no custom initiator.)
    Regards,
    Nishant

    Hi Nis,
    Unfortunately in the standard solution only one detour path can be added to a single stage.
    When we had such a challenge, like you described, we simply used a custom initiator and this is truly the best option to go.
    In our case we wanted to have a different path (detour) for roles with a special attribute and at the same time a different path in case an SoD issue occurs. In other words we wanted to have 2 detour conditions on one stage like you want to have. The option that suits our needs in the best way was to have a custom initiator rule.
    Filip

  • Set SoD detour condition on path level?

    Dear forum,
    We have a parallel workflow where the different paths are divided by business processes.
    We want that SoD free paths continue as normal. Problematic paths are sent for resolution.
    The problem as I see it is that the SoD detour condition is set on request level, not path level. Both problematic and non-problematic paths will meet the condition and are pushed into the detour. The non-problematic path will get stalled, because it has to wait for mitigation approval.  Is there any workaround?
    Kind Regards,
    Vit V.

    Hi Jose,
    We have different detour paths for every parallel path. But if any SoD conflict is detected, the SoD condition is met for all paths and are pushed into the detour(s). Have you successfully tested it?
    Example:
    Main Paths
    P1
    P2
    P3
    Stages
    _1: Manager
    _2: Role Owner
    _3: BPO (CAD business process of role)
    P1_1
    P1_2
    P1_3
    P2_1
    P2_2
    P2_3
    P3_1
    P3_2
    P3_3
    Detours (1-stage with mitigation control approver)
    P1_DT
    P2_DT
    P2_DT
    SoD detour takes place at stages:
    P1_2
    P2_2
    P3_2
    Problem 1: If the SoD conflict condition is met, all paths are pushed into their detours
    Problem 2: Let's say we have two paths with SoD conflicts, a third one is not. Two mitigation controls are applied. All three paths are pushed into their detour paths for mitigation approval.
    Worst case scenario:
    Conflicting path 1: Mitigation Approver 1 approves
    Conflicting path 2: Mitigation Approver 1 + Mitigation Approver 2 Approves
    Non-conflicting path: Mitigation Approver 1 + Mitigation Approver 2 Approves
    kind regards,
    vit v

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    GRC 5.3 request is able to close and provisioned as it can see owners from child role.
    Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • Issue with Master data change workflow in GRC PC 10.1

    Hi,
    I have configured the workflow for master data changes in GRC PC 10.1, however the approver is not able to view the request in the inbox, whereas the organization owner is able to see the review for change request in the inbox.
    Please let me know if there is any config where we need to set the approvers for workflow, so that the system creates a request for approver.
    Regards,
    Giridhar

    Dear Giridhar,
    Please, check the following configuration:
    1. Activate the workflow (Path: SPRO -> GRC -> Shared Master Data Settings -> Activate Master Data Changes)
    2. See whether Checkbox "Approval" is ticked for the selected entity
    3. If you activate master data changes, please check whether the correct roles are indicated in the Maintain Custom Agent Determination Rules in the Workflow settings.
    Business Event: 0FN_MDCHG_APPR
    Role: Select the role you gave to the approver
    After performing this configuration, a task must appear in the work inbox.
    Best Regards,
    Fernando

  • GRC 10 HR Triggers Workflow

    Hello Experts,
    I have configured HR Triggers for change of position using Procedural call method. Created BRF+ Rule that identifies the condition and returns ACTION-ID. I can see that the condition is satisfied when change of Position occurs, but it is not following any workflow.
    Where do we link the ACTION-ID to a workflow? Do we need to create new initiator with BRF+ Function ID ?
    Already followed note 1591291 but did not help.
    Thanks and Regards,
    Ajesh.
    Edited by: Ajesh Raju Pujari on Mar 4, 2012 2:56 PM

    Hi all,
    Check the transaction SLG1: run it in the backend system and mention the following:
    Object: GRAC
    Subobject: HRTRIGGER
    External ID: *
    Then mention the dates and put * in the remaining fields; for Log Class select All Logs and for Log Creation select Any.
    For Log Source Formatting select the first option, then run the report.
    Select the date on which the Hire activity took place and double click on it.
    You will get the log report and the exact error issue.
    Normally you define the workflow in SPRO as in the following path:
    SPRO -> GRC -> Access Control -> Maintain AC Application and BRF+ Function mapping
    Maintain the workflow name.
    Then you need to map the workflow in the MSMP: go to GRC -> AC -> Workflow for Access Control -> Maintain MSMP Workflow, select the standard workflow you mentioned, then go to the stage Maintain Path and maintain the path mentioned, then go to stage Maintain Route Mapping and Rule ID for HR Trigger and Path ID.
    Hope it solves your issue.

  • CUP - Mitigation Controls in a Detour Workflow

    Hello everybody,
    I have a problem with a detour workflow in CUP.
    I choose the detour condition: "SoD violation".
    So in theory, if there are no conflicts the workflow doesn't take the detour path.
    We supposed that the user request has an SoD conflict.
    In the stage(s) before the detour, if we assign a mitigation control that mitigates the risk, the detour is still taken.
    I think the workflow switches systematically to the detour if the request had a conflict, even if the risks were deleted by a Mitigation Controls assignment.
    Does anyone have a solution to avoid the detour path if we mitigate the risks?
    Thank you in advance!!

    Ben,
    This is how CUP works. There is no configuration which allows you to ignore SOD violation even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh

  • AE 5.2 - Detour Workflows - One of the Role Approver not found

    Hi All,
    My question is regarding using the Detour workflow functionality for the situation below - please let me know if this is possible or if any alternates are available.
    - Main path has 2 stages (1) manager approver, (2) Role Approver.
    If the Requestor asks for a Role that Does not have a Role Approver we would like to route this request to the Security lead.
    - I have created a Detour Path with 1 stage - Security lead - and associated it with Stage 2 (Role approver) of the Main path based on the condition "No Role Owners"
    - I still get the error "Approver not found at Stage @@@@"
    Is the condition "No Role Owner" in the Detour workflow config for "Role Expert" workflows or for Access requests?
    Is it possible to route the Request to Security if the Role being requested does not have a Role Approver? IF yes How?
    thanks
    T

    Hi,
    sometimes in the Detour configuration you have the problem that the "Save" action is not saved properly.
    If this entry is empty, please go into edit mode and save the detour config again, so that the action will actually display "Save".
    Hopefully it works, then.
    Regards,
    Daniela

  • GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

    Hello,
    Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
    I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
    User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
       Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
    1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
    2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
    And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
    Thanks in advance,
    Alley
    Edited by: Alley1 on Sep 20, 2011 1:15 AM

    Hi Karell,
       Here is response to your questions:
    I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
    Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
    Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
    Regards,
    Alpesh

  • PSS query - GRC 10

    Hi Experts,
    I have a query regarding PSS in GRC 10.0.
    1. Is it possible to restrict the number of questions user can register in PSS?
    2. Is it possible to allow user to register for PSS using only Admin Defined questions and not user defined questions. Currently I can see both options available. Requirement is to hide "USER DEFINED QUESTIONS" option.
    Regards,
    Sai.

    Hi Alessandro,
    Thanks for the note. I just implemented it today morning and able to restrict the option only to ADMIN DEFINED questions.
    In this path SPRO>GRC > AC > User Provisioning > Maintain Password Self Service
    I have the option to restrict the number of questions user need to answer when using PSS.
    But my requirement is to restrict the number of questions user can register.
    1. Currently I have defined 6 questions for PSS.
    2. As of now user can register all questions or few questions.
    3. Client is asking to restrict the user to register for only one of the admin defined questions and not all or more than one. But is this setting possible?
    Regards,
    Sai.

  • CC & AE Questions

    Hello Experts,
    I have some more interview questions on CC & AE please answer to these questions
    1. What's the latest Support Pack for GRC 5.3? How does it differ from the previous one?
    2. What are the issues faced by you in ERM & CUP after go-live?
    3. Can we change Single roles, objects & Profile description through mass maintenance of role? If yes, how?
    4. What are the prerequisites for creating a workflow for user provisioning?
    5. How will you control GRC system if you have multiple rulesets activated?
    6. Can we view the changes of a role, happened in PFCG, through GRC?
    7. How will you mitigate a user against an authorization object which is decided as sensitive by Business?
    8. Give an example of SOD with object level control & also decide the Risk implication from the Technical standpoint.
    9. Is it possible to assign two roles with different validity period to a user in one shot through GRC? If yes, how?
    10. What's the use of Detour path? How does Fork path differ from Detour path?
    11. How can you enable self password reset facility in GRC?
    12. Can we have customized actions for creating request types in CUP?
    13. Which SOX rules got inherited in SAP GRC?
    14. How many types of Background job are you familiar with? Why is the Role/Profile & User Sync. job required?
    15. Where can we change the default expiration time for mitigating controls? What's the default value for the same?
    16. How will you do the mass import of roles in GRC?
    17. Explain the total configuration & utility of SPM.
    18. Can we create Logical systems in GRC? If yes, how & what can be the advantages & disadvantages of the same?
    19. Can we have different sets of number ranges activated for request generation?
    20. Explain how we can create derived roles in ERM. What will be the significant changes in methodology for creating composite roles?
    21. Explain in detail how the different components of the Access Controls suite integrate with each other.
    22. Explain the key problem areas in implementation of RAR.
    Thanks
    karunakar

    Hi karunakar,
    here you can find a lot of documentation and links:
    http://www.sdn.sap.com/irj/bpx/bpx-grc
    Best,
    Frank

  • ARQ: Default Role Provisioning Problem in Access Request???

    Hi,
    This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
    MSMP Issue - GRC 10
    I have also followed the note#1616092  for configuring the Default Roles.
    I have performed below activities:
    1. Param#2009 = YES
    2. Param#2010 = 001
    3. Param#2011 = REQUEST
    4. Param#2013 = SYSTEM
    5. Param#2038 = YES
    6. Imported a test role and NO ROLE OWNER is maintained.
    7. In NWBC->AM->RM, I maintained a test role as a default.
    Now when I raise a request, the application is successfully adding the default role to the request. However, the problem I am facing is that, once the Manager approves the request, it is getting failed.
    The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
    May I know what I am missing here? Why I am getting error and how can I resolve it?
    Please advise.
    Regards,
    Faisal

    Hi Faisal,
    Sorry for the late response, I was away traveling.
    default roles are being added by default to access request
    Yes, these roles are added to the access request.
    FN: OK
    and this roles are following your normal paths which I guess assumes manager and role owner.
    How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
    FN: OK. If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exactly the same like regular roles.
    - request is going to detour path
    Does it answer my question?
    FN: My point was default roles like all others will go to detour path (assuming you set it up globally).
    Default roles can have a separate path (in my case) where only the supervisor is approving it.
    Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER"  I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
    FN: correct
    It was designed in a way that an initiator rule based on role criticality is sending this rule to a separate path without role owner.
    Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
    correct
    If you do not have separate path - this role like any other will follow standard path you have.
    Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
    FN: good
    My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
    FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
    If the role does not have a role owner it will not allow you to even get to the Role Owner stage - the request will be detoured.
    My point from the beginning was - instead of using the routing rule - in our case we used a separate path for default roles without role owner :) only consisting of the manager stage. Again your approach is different but also will work.
    Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
    Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
    Are you asking for default roles?
    Please advise.
    Regards,
    Faisal
