ERM Methodology - Approval

Hi,
Can ERM allow having multiple approval steps in the methodology? We need 3 different approvals placed in different stages in the process.
For testing this, I created new request types of ERM in CUP. Created new steps of approval type in ERM and added them to the methodology. Used ERM request types as initiators for the workflows and attributes for CADs.
With this ERM has to send the request for approval to different approvers as per the CADs. But ERM is asking for role owner name in the role when submitting for approval.
Does only ERM CAD of type 'web service' works to send the request for approval?
Also ERM CAD type web service is working when a single approval step exists in the methodology. ERM 5.3 SP12.
Please help.
R M

Hello ,
To create multiple approval steps ,in CUP you need ot have atleast one ERM CAD type =attribute.
For eg:
Role Owner = X
ERM CAD1 Type=webservice
ERM CAD2 Type=attribute and approver =Y
Stage1 -> CAD1
Stage2-> CAD2
Path: Stage1 -> Stage2
In the above case , the workflow will first go to role owner X , then to CAD2 approver Y.
Regards
-Ranjiv

Similar Messages

  • ERM - Workflow Approval Configuration in ERM and CUP

    Hi Experts,
    I'm in the midst of configuring the workflow approval for ERM and have some queries.
    I followed the post-installation guide part 1 for ERM on the workflow configuration and have sucessfully done the following:
    1. Verified that the "AE_init_append_data_RE.xml" has been uploaded in CUP with Append option
    2. Verified that request type "RE_ROLE_APPROVAL" with workflow type "RE" exists
    3. Verified that priority "RE_HIGH" with workflow type "RE" exists
    4. Created a workflow initiator for ERM called "ROLE_APPROVAL" in CUP -> Configuration -> Workflow -> Initiator (with the said details as per the post-installation guide)
    5. Created a CAD called "ERM_ROLE_APPROVER" for ERM in CUP -> Configuration -> Workflow -> Custom Approver Determinator (with the said details as per the post installation guide, filling in the necessary URI, uname/pw for admin with UME roles)
    6. Created TWO stages , one stage for the role owner called "ERM_ROLE_APPROV", and one stage for the internal control owner called "ERM_ROLE_APPRO2", both with workflow type "RE" and Approver Determinator "ERM_ROLE_APPROVER" which was created in step 5 earlier.
    7. Created a path for ERM Role Approval Workflow in CUP -> Configuration -> Workflow -> Path, with workflow type "RE", Number of Stages "2", Initiator "ROLE_APPROVER", Active "checked" and I put Stage 1 as "ERM_ROLE_APPROV" and stage 2 as "ERM_ROLE_APPRO2".
    8. Configured the Exit Web Service (followed the details as per the post-installation guide for ERM)
    As my role approval is pretty straight forward (i.e. based on business process attribute defined, with each role owner being responsible for their business process), I did the following:
    1. Create approval criteria "Role Approver for Business Process FI"
    2. For that criteria, I based it on attribute "Business Process"
    3. I clicked on "Assign Approvers" to define who is the approver (i.e. the respective role owner responsible for Process FI)
    4. I defined the condition for this criteria, Condition = AND, Attribute = Business Process, Value = FI
    My queries:
    1. Is the approval criteria which I created in ERM, referring to 1st stage or 2nd stage of the path in CUP?
    2. I'm assuming that for query 1, the approval criteria which I created is for 1st stage (i.e. ERM_ROLE_APPROV), where can I configure the 2nd level approval for the internal control owner (i.e. ERM_ROLE_APPRO2, in the path which I defined in CUP)?
    Thanks!

    Hi Baldwin,
    All workflow paths in CUP are triggered by an Initiator.  Once the request from ERM meets "Initiator" ("ROLE_APPROVAL") requirements in CUP, the request will go to the first stage defined in the respective path. Approvers defined in each stage of the path can approve request. Once the request is approved in CUP, approval information will be sent to ERM and then the role in ERM will be moved to the next stage.
    Best Regards,
    Sirish Gullapalli.

  • ERM - CUP Approval Workflow E-mails

    Hello gurus,
    We are experiencing an issue with Role Expert (ERM) to Access Enforcer (CUP) role approval workflow. When a role reaches the approval stage in ERM, an e-mail notification with a link to CUP approval is sent to the designated approver's LDAP e-mail address.  This functions properly.  Following approval or rejection of the role, another e-mail should be sent to the requester's e-mail address to inform him/her that the role has been approved/rejected.  This e-mail is not functioning.  We have the same e-mail address configured in the LDAP, UME, and back-end SAP system, but this e-mail address is not receiving any notification of approval/rejection.
    This functionality is appropriately configured in CUP with the following:
    Name: RE_APPROVAL
    Workflow Type: Role Expert
    Approval Determinator: RE_APPROVAL
    Request Wait Time (Days): 0
    Request Wait Time (Hours): 0
    Escalation Configuration: None
    Approval Type: Any One Approver
    [No e-mail group]
    Request Rejection: Yes
    Re-Route: No
    Confirm Approval: Yes
    Confirm Rejection: Yes
    Reject By Email: No
    Approve By Email: No
    Forward Allowed: No
    No additional security.
    Has anyone seen this issue before?  Any advice for troubleshooting will be greatly appreciated.
    Thanks,
    Joy

    Hi everyone,
    We are experiencing something similiar as Joy related.
    We have configured in CUP 5.3 a workflow for ERM role approval with two stages.
    In both stages, the e-mail notification with a link to CUP approval is sent to the designated approver's e-mail address, but following approval or rejection of the role, the e-mail informing the role has been approved/rejected is not sent to the requester's e-mail address.
    In the first stage, the CAD is configured to send the request to the approver defined in the role in ERM (web service). In this stage, the requester's e-mail address is not receiving any notification of rejection but do recives all notifications of approval.
    The second stage is configured with a fixed approver, and in this case the requester's e-mail address is not receiving any notification of approval nor rejection.
    Any suggestions of what can we do to make this work?? We wolud like that both (approval and rejection) notifications be sent to the requester's requester's e-mail address.
    Or, if it is possible, can CUP be configured to send e-mail notifications of approval and rejection ONLY in the LAST stage of the workflow??
    Regards,
    Pablo

  • ERM Cannot approve a role: Invalid Priority Value

    Hi all,
    I'm implementing Enterprise Role Provisioning.
    When I test my workflow and I click on the "approve" button the following message appears: "Create a valid request"
    Looking at the log file, i found the following error message:
    2009-05-15 10:17:49,655 [SAPEngine_Application_Thread[impl:3]_42] ERROR 2010 : com.virsa.ae.core.ObjectNotFoundException: Invalid Priority Value : RE_HIGH
    It shold be a problem related to the Compliance User Provisioning module, but I can't understand what is missing.
    Can you help?
    Thanks

    Hi Annamaria.
    Do you create the priority RE_HIGH in CUP?
    If yes then what is the workflow type you have defined? It must be ERM.
    Whether your workflow for role approval is created in CUP?
    If not then create it with the name ROLE_APPROVAL with folowing value -
    Workflow type = ERM
    Attributes -
    Condition...................Atribute............Value
    AND..........................Priority.............RE High
    AND..........................Request Type...RE Role Approval
    Please let me know if you have any other issues.
    Regards,
    Sudip.
    Edited by: Sudip Saha on May 15, 2009 2:16 PM

  • CUP and ERM work flow error

    Hi Friends,
    When I am changing a role and triggering in the work flow for approval  it is showing following error
    2010-05-11 09:09:28,251 [SAPEngine_Application_Thread[impl:3]_32] ERROR  User :   not found to get full name
    2010-05-11 09:09:47,607 [SAPEngine_Application_Thread[impl:3]_25] ERROR
    java.lang.Throwable: java.lang.NullPointerException
         at com.virsa.re.workflow.client.WorkflowRequestClient.getRoleProcessContextDtos(WorkflowRequestClient.java:284)
         at com.virsa.re.workflow.client.WorkflowRequestClient.execSubmitRoleApprovalWF(WorkflowRequestClient.java:83)
         at com.virsa.re.workflow.actions.WorkflowRequestAction.submitApprovalRequest(WorkflowRequestAction.java:95)
         at com.virsa.re.workflow.actions.WorkflowRequestAction.execute(WorkflowRequestAction.java:54)
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    FYI.. It is happening with the roles those are  uploaded earlier not when I am creating any new roles.
    Please Help.
    Regards,
    Satyabrat

    Hi Satyabrat,
    Which patch level you are on? Although seems not related to your issue, but there is a bug in Patch 11 -
    1. It doesn't update Approver from ERM-Workflow-Approver criteria
    2. it doesn't update criticality level ( if you didnt upgrade from Patch 8 to 9 and went on directly to patch 11).
    If you have any of above issues, then old roles and copy of old roles will not work properly.
    Check if you have criticality level defined and also try to change approver in ERM Role modification screen.
    it seems the configuration is correct as new roles are working fine but to make sure also check in CUP whether the first stage of Role creation is defined as webservice.
    Let us know if it helps.
    Regards,
    Sabita

  • Configuring ERM workflow in CUP issue (GRC AC 5.3)

    Hi once again fellow SAP Security Folk,
    Using GRC AC CUP 5.3 SP 13 I am trying to configure ERM workflow for the following scenario :
    Every role change made via ERM requires approval from relevant Business Process (BP) area.  If the role change contains an SOD conflict of Medium or higher then approval is required from a 2nd central approver (basically regardless of the business process area). 
    I have not been able to configure ERM workflow within CUP to be able to do this u2013 I have only been able to configure it for dual approval, i.e. every change must have approval from both BP approver and Central approver before request can progress.  I did this by assigning the Central approver to all Business Processes as an additional approver. This means that the conditions for the scenario above are met but the drawback is that all other requests also require approval from Central approver even though they donu2019t need to, generating additional workload.
    Can anyone advise if this is possible and how to do it ?
    Further info:-
    I have setup in CUP an ERM Initiator, an ERM Custom Approver Determinator (CAD), an ERM Stage.
    I have setup in ERM I have defined Business Process Approval Criteria for each Business Process approver.
    I tried creating a 2nd ERM stage using a separate 2nd ERM CAD but this meant all changes required 2nd approval before request can continue.
    I tried modifying the 1st Stage to Approval type All Approvers but this meant all changes required approval from all possible BP Approvers (instead of any one) before request can continue.
    I tried creating a Detour/Fork but could only see within the Workflow Type selection criteria non ERM workflow types.
    Thanks
    Steve

    You can either type in the configuration, like the what option you selected for approver (CAD or role or...etc), or other way is to capture the change log which shows what was the configuration for that stage....
    (Configuration -< Change Log -> Search Change log)
    Cheers !!
    Zaheer

  • ERM error

    Hi there,
    we have recently upgraded from GRC 5.3 SP11 to SP12
    i have an error in ERM which says '' error: create a valid request ''
    I have configured the workflow for ERM role approval in  CUP (path is active ) etc  but when o click on Role approval tab .. it throws out  the above error.
    any ideas? any one encountered this before ?
    Regards
    Kev

    Hi all,
    Thanks for all the responses , I have done all  the post config setting , theintegration between CUP and ERM is fine , the webservices are all correct with user name and password
    The approvers are defined and ERM and the approver also exist in CUP
    here are the logs
    ERM :LOG
    2010-07-26 11:57:43,953 [SAPEngine_Application_Thread[impl:3]_9] ERROR 2010 : com.virsa.ae.core.BOException: Exception in creating the new workflow
    2010-07-26 11:57:43,953 [SAPEngine_Application_Thread[impl:3]_9] DEBUG Adding msgValue: Code: 2010; Locale: en
    2010-07-26 11:57:43,953 [SAPEngine_Application_Thread[impl:3]_9] DEBUG Adding msg to msglist
    2010-07-26 11:57:43,953 [SAPEngine_Application_Thread[impl:3]_9] DEBUG forwarding to:loadEditRole.do
    2010-07-26 11:57:43,953 [SAPEngine_Application_Thread[impl:3]_9] DEBUG
    CUP log :
    2010-07-26 11:55:59,095 [SAPEngine_Application_Thread[impl:3]_27] ERROR com.virsa.ae.requestsubmit.RequestSubmission : submitRequest :   : setting error code to 2010
    com.virsa.ae.core.BOException: Exception in creating the new workflow
    Regards
    Kev

  • SMTP - Email notification requirement

    Hi Experts,
    I requested for my client's SMTP server name, as well as configured the background job in CUP background job. However, I'm still not getting emails being sent out. Is there anything that needs to be configured at the SMTP end in order for that to recognize GRC is trying to send out an email? There doesn't seem to be any place to input authentication details (assuming a GRC functional mailbox was created by the folks in charge of the SMTP)
    I checked the log in CUP and got something which says my SMTP is not recognised:
    2009-08-23 04:47:18,506 [Thread-1647] ERROR Cannot send the following email : email id  : 13, strFrom : ROLE_APPROVER, strTo : email name <removed>, subject : null
    com.virsa.ae.core.AEException: Exception in sending the mail :
         at com.virsa.ae.commons.utils.Util.sendEMail(Util.java:1596)
         at com.virsa.ae.commons.utils.Util.sendEMail(Util.java:1413)
         at com.virsa.ae.service.mail.MailScheduler.sendMail(MailScheduler.java:155)
         at com.virsa.ae.service.mail.MailScheduler.execute(MailScheduler.java:59)
         at com.virsa.ae.backgroundjobs.BackgroundTask.run(BackgroundTask.java:51)
         at java.util.TimerThread.mainLoop(Timer.java:461)
         at java.util.TimerThread.run(Timer.java:408)
    Caused by:
    javax.mail.SendFailedException: Sending failed;
      nested exception is:
         javax.mail.MessagingException: Unknown SMTP host: relays-intmail.xyz.com;
      nested exception is:
         java.net.UnknownHostException: relays-intmail.xyz.com
         at javax.mail.Transport.send0(Transport.java:219)
         at javax.mail.Transport.send(Transport.java:81)
         at com.virsa.ae.commons.utils.Util.sendEMail(Util.java:1592)
         ... 6 more
    I'm not overly experienced in this area and appreciate any in-sights from you guys! Thanks!

    Hi Experts,
    I managed to track down why the SMTP host name was not recognized. Apparently the host name was not maintained at the SMTP host file, and my client's network guy asked me to resolve the server name by IP address, which did the trick, and now I can send our emails.
    However, this led to 2 more queries which I would like to seek your advice on:
    #1
    I tried to configure the background job in CUP -> Config ->  Background Jobs
    I selected "Email Dispatcher" and chose the option "Other" in the Schedule Type.
    What should I set in order to let the job run every 1 minute? I have set
    Start time 0.00AM, Start Date 8/24/2009 (which was yesterday's date)
    Between 0.00AM AND 11.00PM
    Every Second 60, and I ticked Sunday to Saturday (i.e. every day)
    then I clicked Save.
    Am I doing this correctly?
    #2
    I have a 2 stage ERM approval. the 1st stage calling webservice to find the approval which is defined in ERM, while the other is using attributes, of which the approver is defined in CUP based on LDAP user details)
    For the 1st stage, I notice that when I go select and assign approvers (be it in ERM workflow approval, or in CUP 'Approver' Tab), I noted that some approver name/ID will appear like this
    Baldwin (BALDWIN1)
    while there are some that appears like
    Role_Approver, without the brackets next to it.
    I believe this has something to do with the email address, so I checked in the UME all the various parties (role requestor, approver) to make sure each have a valid email address, but I'm still getting the above despite this. Do I need to ensure that any party MUST have a valid and same SAP ID, NT ID (my LDAP) and also UME ID?
    Thanks!

  • ERM role methodology configuration

    Hi
    For some reason the stages in the role methodology process in the configuration tab are not in the same order as those showen in the create role screen in the role management tab.
    Does anyone have an idea how it can be fixed?
    Thank you for your help

    Hi...
    First Role definition -> Defining Authorization ->Deriving roles -> Performing risk analysis -> approval -> Generating role*
    we can use the arrow buttons to move the step up or down.
    For creating the methodology
    Login to ERM -> Configuration -> Methodology -> Process -> Create
    Regards
    Gangadhar

  • ERM SP13: New methodology for import roles

    Hi all,
    We have created and set as active a new process for the methodology, with only 3 steps (Definition, Testing and Approval).The problem is that when we import roles from R3, the roles are import to the system within the SAP default methodology which is inactive, with 7 steps (Definition, Authorization, Derivation, Risk Analysis, Approval, Generation and Testing).
    I have two questions:
    - How can i import the roles to the new and active methodology (3 steps)?
    - How can i select that the roles imported go to the last stage of the methodology? I mean, all the steps will be in "green option"?
    Thanks in advance. Best regards,
    Sergio

    Hi R M,
    Thanks for your quickly response,
    - About the apply to existing roles option, yes, i try that. But ERM continues apply the standard process for methodology. You think wil be resolved if i delete it?
    - About the column Set Role Methodology, youre right, now i can put all the import roles in the last stage of the methodology in "green option".
    Many thanks for your help,
    Sergio

  • ERM Role Methodology Process - Steps

    Hello Gurus,
    I am on SP17 and have uploaded relevant init files. Have also performed background job sync.
    When I create a role in Role Definition stage and save it, the role does not pass or promote to next step i.e. Role Authorization Stage. GRC saves the role properly.
    I have not defined any condition groups or custom fields. It is just plain role definition.
    Request your help on this.
    Thanks,
    SA

    Hi,
    Please, can you give more details for your configuration?
    I´m thinking that you don´t have ERM Workflow in CUP for workflow approval criteria. Do you have workflow configuration for ERM in CUP?
    Good luck!

  • Choose approver of ERM from the R/3 intead of UME.

    Hello,
    Iu2019m configuring the ERM module.
    I want to know if when I select an approver, can I choose this approver from an R/3 as we can do it in the CUP module instead of a UME user?
    Best Regards.
    Pablo Mortera.

    Hi Pablo,
    any approver in GRC AC will always have to exist in UME (too), as he will need to have an appropriate UME role to be able to approve in CUP.
    You maybe have defined an ABAP user source in CUP where you can search, but when the approver logs in, he will still have to have an UME role regardless.
    Frank.

  • Import Roles methodology @ ERM

    Hello all,
    We are facing some concerns regarding import roles methodology and would like to consult we you.
    The import roles methodology raised a concern since it is done partially by uploading data from an excel file (template by SAP).
    Our customer wants reassurance that this is a safe process and to know about other customers experience and results (how many problems they encounter? How fast is the process? What issues occur while uploading the roles to ERM? Related information etc.
    Could you advice?
    Thanks in advance
    Rothem

    Hello Rothem,
    1. Our customer wants reassurance that this is a safe process and to know about other customers experience and results (how many problems they encounter?
    The process is completely safe and even if you miss out on some of the role updates, you can still do specifically the ones you missed.
    2. How fast is the process?
    This is not generally a very time consuming tasks and provided your machine configuration is as per standards, this would not really be an area for concern at all. I mean, to my knowledge and experience I have not cme accross a situation where it took a lot of time and became a thing to worry about.
    3. What issues occur while uploading the roles to ERM? Related information etc.
    These I guess have already been mentioned by people in the above posts and are mostly of the similar nature, just as they are mentioning. Better to try first with a few of the Roles and then if it happens smoothly, you can upload the rest all in one go.
    Regards,
    Hersh.
    http://www.linkedin.com/in/hersh13
    Edited by: HERSH GUPTA on Jun 4, 2009 1:42 PM

  • How to define role approver/owner - through condition id in ERM 10.0

    Hi All,
    We have created a BRF + rule for Role approver with Business Process & Function area by giving the Result value as Condition ID eg., Z001
    We have provided this condition ID Z001 - in Role Owners table [Under Set Up- Role Owners] and defined the role approver and assignment approver with the User details.
    Now when we are trying to create a role with the above attribute combination of Business Process & Function area - the role is not picking up the Role Owners automatically in Owners/Approver tab [In 5.3 we can maintain approval criteria where we can define the role owners/approvers based on different attributes].
    Are we missing any configuration setting here for auto pick up of Role Owners based on defined attributes from Role Owner table.
    Thanks and Best Regards,
    Srihari.K

    Hello All,
    Please help us , I am also struggling with same issue.
    Thanks in advance,
    Jagat

  • Any methodology to secure a document on Sourcing Approval ?

    Hi All,
    I have a use case where we need to secure a document/attachment on the Sourcing Approval. The need is to publish this document to supplier portal at the facility level only and, at the same time, restrict view from selected internal folks that also need to approve the Sourcing Approval. Originally we believed we could secure this particular document with SDM on the Sourcing Approval and have since found that "Publish to Supplier Portal" does not actually function as intuitively expected. Also found it noted in the documentation that it does not actually publish. I have also attempted to use OLS to secure an attachment on the Sourcing Approval, and found that OLS on attachments is a GSM security feature, not SCRM or Sourcing Approval. Seeking a work-around to secure documents or attachments on the Sourcing Approval to match our use case.

    Hi. It doesn't look like there is a great solution for you with sourcing approvals. I would recommend submitting an enhancement request to allow you to use SDM or attachments on the sourcing approval with the proper supplier portal security.
    A couple of questions that will help provide a workaround.
    Will these docs be supplier specific? So for a spec, is it OK to share the docs across suppliers?
    On average and on the high end, how many specs will a facility provide?
    There are a few options each with thier own benefits and limitations:
    Store the docs on the Facility
    - If there are a lot of docs this might become difficult to manage
    - You would have to upload the doc to each facility
    - GSM users can be blocked from accessing the facility
    Store the docs on the Spec
    - Secure the doc with OLS so some GSM users can't access them
    - Only one doc would need to be uploaded per spec, this might be an advantage or disadvantage depending on the use case
    Use DRL
    - I beleive this would be the most flexible approach but probably the most management
    -I haven't thought this through fully but perhaps a catalog could be created for each supplier. This depends on how many you have and if suppliers are able to share the documents.
    - You will be able to limit access to GSM users and give specific access to Suppliers.
    - Again it might be a lot of management, but depending on the use case, it might be necessary - a lot of management that is
    Please let me know if this helps at all.
    Edited by: Segal on Mar 28, 2012 2:53 PM

Maybe you are looking for