GRC 10.1 - Routing at Request Submission in case of SOD violations

Similar Messages

• GRC CUP 5.3 SP16, detour path not working for SOD violations

  Hi,
  Something bazaar is going on in our requests processing and not sure if that's the way SAP has set it up.
  We configured a detour path for requests with SOD violations to go to the additional stage of 'SOX Approver' but the first stage (manager) does the risk analysis and Mitigation assignment and then it goes to Role owner approver that approves the roles access. Once the role owner approves the roles , if the request had SOD violations, even if the mitigation was selected and approved by the manager stage, it needs to go to the SOX approver stage to approve the mitigation assignment before the request can be auto provisioned for any requests that had sod violations.
  But it seems to skip the sox approver detour path stage after the role owner approval and go directly to auto provisioing. I thought that any requests that had sod violations inspite of having mitigation assignment in a previous stage can be detoured to the next path for SOX approval and then auto provisioned. Since SAP doesn't give different approval option to approve mitigation vs. approve roles, wherever you make the risk analysis mandatory, that's where the mitigation controls have to be assigned. But we want the option to detour the path to SOX approver to approve those mitigation controls b4 auto provisioning the request.
  Any idea of how to fix this?
  Is the detour only going to work if the mitigation wasn't assigned? But then how can you get approval for the mitigation on a different stage if the same person has to assign and approve that?
  Will appreciate any feedback in this.
  Thanks,
  Alley

  I was actually able to resolve the issue by adding the role approver stage first to the sox approver detour path.. this way..if the manager has roles with sod violations and updates mitigations for it, it goes to the role approver via detour path as well first and then to the sox approver stage b4 auto provisioining. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour which also has the role approver as the last stage.
  Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
  Requestor>Manager->Role Approver-->auto provisioning (without SOD violations)
  Requestor>Manager> Detour (Role Approver>SOX Approver)->Auto Provisioning (with SOD violations)

• Reg_Access Request Submission Notification to GRAC_REQUESTER

  Hi All,
  I have an issues in SAP GRC 10.0 with respect to Notifications and variables, Currently in the Process SAP_GRAC_ACCESS_REQUEST, i have by default global notification settings which are mentioned below.
      Notification Event                              Template ID                                Recipient ID
  1. END_OF_REQUEST                         GRAC_AR_CLOSE                    GRAC_USER
  2. REQUEST_SUBMISSION                  GRAC_AR_SUBMIT                   GRAC_REQUESTER
  Now when i try to create a change access request which is by adding roles to the user in the connector system, the request gets submitted. So because of the Request Submission Notification event , a notification is sent to the requester and notification has the text which is mentioned in the document object associated to the message class<0AC_AR_SUBMIT>. Now i have created a custom Document object <Z_GRAC_AR_SUBMIT_BODY> and assigned that to the <0AC_AR_SUBMIT> by maintaining the table GRFNVNOTIFYMSG and also have changed the subject in that.
  But Now when the requester receives the notification, the subject is < Access Request Submission Notification > where as it is mentioned differently as shown below.
  Where as when the requester gets the submission notification as shown below, it looks different, i mean even the first name and last name too are not coming correctly.
  where as the user name maintained in the Requester's User master record is
  Could you please help why there are discrepencies and also how can i know where the sender is maintained, the mail id which sends the notifcations to the users.
  Thanks and Regards,
  Naga.

  Hi Filip,
  i have found out answer to one one part.
  Actually I have followed that document, and forgot to update one step, that is once i have created a custom document object thru SE61 and then we also need to assign it through SPRO-->GRC-->Access Control-->Maintain Custom Notification messages where we assign the custom document object to the message class and also we can update the sender there< from which user id's email id the notification mail should go to the requester) that is the reason why the mail is coming from GRCIDM rather than WF-BATCH...
  I have one more question , when ever requester is trying to raise a change request for assigning of roles to other user, when i click on the requester link as shown below, it is showing me details of the requester which in connector system.
  Note:Requester user id MARAMNA is present in both GRC system and connector system, where as it is showing me the details of connector system rather than GRC system.
  Thanks and Regards,
  Naga.

• Risk Analysis On Request Submission property config

  Hi,
  We have configured the New and Change access request to go through a Role Owner Approval in CUP. As to enable the role owners aware of the reported risks with an access request when it lands in their Inbox, we have enabled the Risk Analysis config:  'Risk Analysis On Request Submission' to Yes. This setting makes the system to perform Risk Analysis using the RA webservice on ALL requests.
  But we are not enforcing the Risk analysis and mitigation in all systems that are provisioned through GRC CUP. The property seems global and hence we are looking for a work around to bypass the RA on requests for some systems or rather a system specific setting.
  Is there any tweak available with GRC 5.3 SP08 to achieve this?
  As of now, we don't maintain the RAR rules for the systems where risk analysis is non-mandatory, but notice that the system is unnecessarily performing RA amounting to inefficient utilization of  resources.
  Any help would be greatly appreciated.
  Thanks, Anil

  Anil,
  There will be a few seconds extra for each system not included in risk analysis, but it should realize very quickly that there are no rules for that system (and that it can't even connect to pull authorizations if it is a dummy system).
  Sorry there isn't a better answer, but it's the way it is built.
  Tyler

• OIM Custom validation on entitlement request submission.

  Hi,
  We have a requirement in OIM to do some custom validation on entitlement request submission through catalogue.
  Can we leverage the requestdatavalidator here. Is there any other way of doing it?
  Thanks in advance,

  What you would need to do is create a controller to allow for this functionality to occur. the processformrequest procedure is the best one to achieve this functionality. Once you have written the custom validation, personalize the page you need the control on and add in the controller.

• SAP GRC 5.3 CUP Archiving Requests

  All,
  I have a question about archiving and re reviewing requests after they are closed (approved/rejected).
  Let's say I create a request, my manager performs a risk analysis and SOD violations occur, but my manager approves the request. If at some point (say a year down the line) I want to review the request to see what the conflicts were would the request: a. still be in CUP to review and b. would it show the conflicts that were identified at the time.
  How would archiving play into this scenario as well.
  Unfortunately, I cannot test this in CUP as it is time sensitive, but I'm hoping someone has come across this before.
  Thanks,
  Kunal

  Hello Kunal,
  You can test this in a development by re-creating the scenario and archiving the completed request. The length of time archived is not an issue.
  In answer, yes you can pull up the archived request information (provided that you did not delete the archive) and you can see what were the recorded SOD risks at the time. However, the request itself will not tell you the individual transactions that caused the conflicts and may no longer be accurate if the risks and business functions have changed in their content since the time of the request.
  This said, GRC AC seems to be changing in "leaps and bounds" with recent support packs... Who knows if the archiving process will change in the future.
  Best Regards, Dylan

• Route the request from Proxy Service in OSB to external BusinessService URL

  Hi,
  How to route the request from Proxy service to the Business Service(Which is not registered in the OSB) using End point URL.Dynamically look up the URL and route the req from Proxy to Business service.
  thanks in Advance
  Edited by: user10680427 on Jul 14, 2009 2:57 AM
  Edited by: user10680427 on Jul 14, 2009 3:34 AM

  Hi..
  Just set in within a routing options in a route node, either dynamic routing or just setting the uri, depends on your specific case..

• Is it possible to route EJB requests?

  I have an EJB (Stateless Session Bean) which is a DataBase Adapter. Its goal is to access Oracle DataBase to execute select queries and stored procedures.
  The problem is that some of the requests take so long to execute while others take a short time.
  It occurs because some queries return 10,000 rows and others return 1 row.
  Imagine that I have 10 instances of my bean and WLS received 11 requests.
  10 first requests - heavy load
  11th request - take short time to execute
  The problem is that the 11th request will be enqueue.
  What I would like to do is to route EJB requests, so I could have 8 EJB instances in charge of heavy requests and 2 EJB instances in charge of light requests.
  Is it possible? How?
  Thanks in advance,
  Marco Campelo

  Marco Campelo <[email protected]> writes:
  I have an EJB (Stateless Session Bean) which is a DataBase Adapter. Its goal is to access Oracle DataBase to execute select queries and stored procedures.
  The problem is that some of the requests take so long to execute while others take a short time.
  It occurs because some queries return 10,000 rows and others return 1 row.
  Imagine that I have 10 instances of my bean and WLS received 11 requests.
  10 first requests - heavy load
  11th request - take short time to execute
  The problem is that the 11th request will be enqueue.
  What I would like to do is to route EJB requests, so I could have 8 EJB instances in charge of heavy requests and 2 EJB instances in charge of light requests.
  Is it possible? How?Its not clear that you can tell before the fact which is going to take
  longer - if that's the case then you are out of luck. In 9.0 we have a
  feature that allows you too prioritize requests of various type, this
  would almost certainly help you here if you can solve the first
  problem.
  andy

• Errored during request submission using request see APIs

  Hi guys, this error is giving me when i call a concurrent program and do a request sumission and the request status is red(error) with the next error:
  "Errored during request submission using request see APIs "
  Im using forms 6i and EBS

  Hi,
  I am getting the exact same error.
  It appears when we run request sets!
  We have made a trigger that sends an email to our sysadmins every time a concurrent request fails. This trigger fires on insert or update of applsys.fnd_concurrent_requests when new.status_code = 'E' /*Error*/ and new.phase_code ; = 'C' /*Complete*/.
  In other words we should only get a message when the request has the status Error and is Complete.
  However for request sets we get an email saying that it has failed with the following message "Errored during request submission using request see APIs". BUT, when we query the request in the Application, it has the status Normal! This applies to several different request sets.
  So, my question is: Does anyone know if, or why, the standard request submission of request sets updates the status to Error for a short time, and then updates it to Normal afterwards?
  Thanks
  Roy

• Concurrent request submission displays Output in xml format ?

  Hi ,
  I am submitting a concurrent request from workflow which is an xml publisher report . my problem when the program is run individually it displays the output correctly in rtf format but when the same request is submitted from worklfow the output comes in xml format ?
  What could be the problem ?
  I am using the standard submission "FND_WF_STANDARD.SUBMITCONCPROGRAM " program and assigning the values directly to it . the submission activity is working fine but the output comes as mentioned above.
  Regards,
  Skg

  Kiran ,
  I am not using fnd_request.submit request coc I don't need to capture the user information for my workflow .
  I am only using the standard " FND_WF_STANDARD.SUBMITCONCPROGRAM " . this Package only submits the concurrent program through workflow in a function.
  no need of backend programming.
  My job is to submit and move to the next function . the output will be determined via custom profile option.
  now, for this package I am directly assigning the values like appshort name , prog shrt name , and parameter.
  there is no mention of layouts anywhere in the standard workflow package .
  its very urgent for me friend.
  Regards,
  Shashank.

• GRC 10.1 Simplified Access Request and Remediation View Issues

  Hi Everyone,
       We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and am having the following issues--has anyone else also experienced?
  In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
  In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks the same request:
  I’ve checked the following things:
  I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
  I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
  It looks like we are on the latest support packs:
  Any help on this would be greatly appreciated!
  Thanks,
  Brett

  Hi Brett,
  For Remediation issue you can check the below thread.
  http://scn.sap.com/thread/3574790
  Regards,
  Neeraj

• Facing issue on request submission from Self user registration with workflow.

  HI Everyone,
  We have a use case where in User Registration process has a two stage workflow.
  In the first stage approver(Common admin) would open the request and approve it updating the organization to which the user belongs to and the the work flow should be routed to the selected organization admin in the second stage based on the org selected in the first level of approval.
  For this we have devloped a workflow and applied the same and now facing the issue once the request moves to Second level for approval.
  Request gets failed.
  Below is the exception found on clicking Request status from Track Requests.
  Can you kindly let me know any possible resolution to resolve this.

  Error log :
  IAM-2050126 : Invalid outcome com.oracle.bpel.client.BPELFault: faultName: {{http://schemas.oracle.com/bpel/extension}runtimeFault} messageType: {{http://schemas.oracle.com/bpel/extension}RuntimeFaultMessage} parts: {{ summary=<summary>oracle/iam/platform/OIMClient</summary> ,detail=<detail>java.lang.NoClassDefFoundError: oracle/iam/platform/OIMClient
  at orabpel.approvalprocess.ExecLetBxExe0.execute(ExecLetBxExe0.java:195)
  at com.collaxa.cube.engine.ext.bpel.common.wmp.BPELxExecWMP.__executeStatements(BPELxExecWMP.java:47) 
  at com.collaxa.cube.engine.ext.bpel.common.wmp.BaseBPELActivityWMP.perform(BaseBPELActivityWMP.java:173) 
  at com.collaxa.cube.engine.CubeEngine.performActivity(CubeEngine.java:2718)
  at com.collaxa.cube.engine.CubeEngine._handleWorkItem(CubeEngine.java:1197)
  at com.collaxa.cube.engine.CubeEngine.handleWorkItem(CubeEngine.java:1100)
  at com.collaxa.cube.engine.dispatch.message.instance.PerformMessageHandler.handleLocal(PerformMessageHandler.java:76) 
  at com.collaxa.cube.engine.dispatch.DispatchHelper.handleLocalMessage(DispatchHelper.java:251) 
  at com.collaxa.cube.engine.dispatch.DispatchHelper.sendMemory(DispatchHelper.java:330) 
  at com.collaxa.cube.engine.CubeEngine.endRequest(CubeEngine.java:4652)
  at com.collaxa.cube.engine.CubeEngine.endRequest(CubeEngine.java:4583)
  at com.collaxa.cube.engine.CubeEngine._createAndInvoke(CubeEngine.java:714)
  at com.collaxa.cube.engine.CubeEngineSecurityManager$2.run(CubeEngineSecurityManager.java:101) 
  at java.security.AccessController.doPrivileged(Native Method)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
  at oracle.security.jps.internal.jaas.AccActionExecutor.execute(AccActionExecutor.java:74) 
  at oracle.security.jps.internal.jaas.AbstractSubjectSecurity$ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:242) 
  at oracle.security.jps.internal.jaas.CascadeActionExecutor$SubjectPrivilegedExceptionAction.run(CascadeActionExecutor.java:83) 
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) 
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146) 
  at weblogic.security.Security.runAs(Security.java:61)
  at oracle.security.jps.wls.jaas.WlsActionExecutor.execute(WlsActionExecutor.java:51) 
  at oracle.security.jps.internal.jaas.CascadeActionExecutor.execute(CascadeActionExecutor.java:56) 
  at oracle.security.jps.internal.jaas.AbstractSubjectSecurity$ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:242) 
  at com.collaxa.cube.engine.CubeEngineSecurityManager.performActionAsSubject(CubeEngineSecurityManager.java:79) 
  at com.collaxa.cube.engine.CubeEngine.createAndInvoke(CubeEngine.java:555)
  at com.collaxa.cube.engine.delivery.DeliveryService.handleInvoke(DeliveryService.java:531) 
  at com.collaxa.cube.engine.ejb.impl.CubeDeliveryBean.handleInvoke(CubeDeliveryBean.java:319) 
  at sun.reflect.GeneratedMethodAccessor4136.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
  at java.lang.reflect.Method.invoke(Method.java:606)
  at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149) 
  at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:103) 
  at oracle.security.jps.ee.ejb.JpsAbsInterceptor$1.run(JpsAbsInterceptor.java:113) 
  at java.security.AccessController.doPrivileged(Native Method)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) 
  at oracle.security.jps.ee.ejb.JpsAbsInterceptor.runJaasMode(JpsAbsInterceptor.java:100) 
  at oracle.security.jps.ee.ejb.JpsAbsInterceptor.intercept(JpsAbsInterceptor.java:154) 
  at oracle.security.jps.ee.ejb.JpsInterceptor.intercept(JpsInterceptor.java:113) 
  at sun.reflect.GeneratedMethodAccessor1077.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
  at java.lang.reflect.Method.invoke(Method.java:606)
  at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310) 
  at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:68) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131) 
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
  at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34) 
  at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54) 
  at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
  at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131) 
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119) 
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
  at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) 
  at com.sun.proxy.$Proxy330.handleInvoke(Unknown Source)
  at com.collaxa.cube.engine.ejb.impl.bpel.BPELDeliveryBean_5k948i_ICubeDeliveryLocalBeanImpl.__WL_invoke(Unknown Source)
  at weblogic.ejb.container.internal.SessionLocalMethodInvoker.invoke(SessionLocalMethodInvoker.java:39) 
  at com.collaxa.cube.engine.ejb.impl.bpel.BPELDeliveryBean_5k948i_ICubeDeliveryLocalBeanImpl.handleInvoke(Unknown Source)
  at com.collaxa.cube.engine.dispatch.message.invoke.InvokeInstanceMessageHandler.handle(InvokeInstanceMessageHandler.java:30) 
  at com.collaxa.cube.engine.dispatch.DispatchHelper.handleMessage(DispatchHelper.java:141) 
  at com.collaxa.cube.engine.dispatch.BaseDispatchTask.process(BaseDispatchTask.java:89) 
  at com.collaxa.cube.engine.dispatch.BaseDispatchTask.run(BaseDispatchTask.java:65) 
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
  at com.collaxa.cube.engine.dispatch.Dispatcher$ContextCapturingThreadFactory$2.run(Dispatcher.java:933) 
  at java.lang.Thread.run(Thread.java:745) </detail> ,code=<code>java.lang.NoClassDefFoundError</code>} cause: {oracle/iam/platform/OIMClient} received from SOA for the request id 214.

• GRC AC 5.3 | CUP Request Type = Information

  Hello All,
  We have recently deployed GRC 5.3 and have seen in many demos by different partners that GRC CUP has request Type: "Information" which is used to search and view information about request types.
  During our implementation of CUP we didn't realize that some users would have difficulty in choosing Request types such as New/Change/Unlock etc, so we didn't bother configuring anything. But there are users who, for some reason, unable to select the right request type.
  I would like to know how do I configure Information request type where users can search information about request types? I was able to create the request type but not sure what action to assign to it or do I even need to?
  Any documentation or help would be greatly appreciated.
  Thanks!

  Thanks Raghu but I did try the wiki page section:
  "Configuring Requestor Landing Page for Compliant User Provisioning (PDF 220 KB")
  The purpose of this article is to provide the procedure required to customize the requestor landing page i.e. the request types on the request access screen in compliant user provisioning in SAP GRC Access Control.
  but I get the error message that:
  "Sorry, the page or document you've requested can't be found on our site (404 error). It may have been moved or removed, or (yikes!) the site may be down."

• WANT TO USE WEBLOGIC 10 R3 AS WEBSERVER FOR ONLY ROUTING HTTP REQUEST .

  Hi ,
  I have a requirement which I have to address ASAP . Any help would be appreciated .
  I want to use weblogic 10 R3 as web server. I understand by the definition of application server that it’s also capable of handling HTTP request . That means it’s having a build-in webserver in it. (Please correct me if I am wrong in my understanding .) Thus can I use the weblogic webserver for hosting all incoming http request and routing to the another instance of weblogic application server. (Could be the same instance also if possible .)
  I also understand that weblogic app server can be integrated with other third party web server like apache web server . But is it not possible to use weblogic 10g webserver ? If this is possible please guide me how I should proceed for this.
  With Regards
  AD

  Hi ,
  I am rephrasing my query as below:
  It’s my understanding that weblogic 10g R3 application server is capable of handling http requests also . That means it has a built-in webserver. Thus can I use this built-in weblogic webserver for hosting all incoming http requests and routing to the another instance of weblogic application server.
  With Regards
  AD

• Using HR Hierarchy to Route Access requests in AE 5.2 - Possible? How?

  Hi,
        My Client wants to be able to route the Access requests to the Requestors Manager based on the HR Hierarchy.
  Is it to possible to automatically populate the Manager information based on the Requstor on the requestor screen when my authentication systems is a SAP HR backend, if yes where can I find material on this config.
  The workflows now route the access requests to the the 'Manager Approver' stage - the person selected as Manager by the requestor on th request form.
  Thanks a lot in advance.

  Hi,
                   Can you please clarify what screen you are refrring to for the "A002 vs B012" setting.
  Also is to possible to Add "attributes" that are to be used for determining the next stage in a workflow. We would like to use a Role Rating to determine the workflow..situation explained below.
  The Roles being requested are divided into 3 categories and we would like to have 'manager approver' only and  'Auto Provision' for reporting/display roles (1 category).
  and
  have 'manager approver'  'Role Owner approver' stages, Auto provision for change/create roles(2 category)
  and
  have 'manager approver'  'BPO' approval, 'Role Owner approval' stages and manual provisioning for SoX Critical roles (3 category)
  Any help is greatly appreciated.
  Thank you