GRC 5.3 | CUP | Specific Interesting Workflow

Can anyone tell me if the following is possible:
1. Use as a stage CAD the web service 'Role Approver' in an AE workflow (while this is more a CAD for an RE workflow)
2. Risk owners have been defined in RAR. It is possible to enforce Risk Analysis before approving provisioning in an AE workflow. Question: Is it also possible to automatically let GRC send an email to the relevant risk owners for approval only, i.e. only those for which Risk Analysis defined issues?
3. Is it possible to have as a stand-alone stage a risk analysis which is initiated by the GRC system itself? (Maybe a "no stage" CAD with enforced risk analysis, but what happens with the result? - Reason: see point above.)

For more info, this is the workflow we'd like to implement:
1. Request Submitter requests a set of roles
2. Only some - critical - roles need approval of a role owner
3. If all required roles are approved/rejected, automatically a risk analysis takes place
4. Issues that come out of that risk analysis are emailed for approval to the Risk Owners defined in RAR
5. If all approve (not reject) -> auto provisioning

I have no test system at my disposal so thank you for all input in advance!

Hi Karell,
Here is the response to your questions:
1. I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service: No. As far as I know the web service is only for RE/ERM.
2. Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis": No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes a role during the approval phase, it will invalidate the risk analysis which was run during request submission.
3. Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated: This is possible by following Babak's workflow.
Regards,
Alpesh
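
A small model of the flow discussed in this thread, as an added example that is not part of the original posts and is not SAP GRC code: it notifies only the owners of risks the analysis actually flagged, and it treats an analysis as stale once the role set changes during approval. Role names, risk IDs, owner addresses and all function names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed SoD rules: risk id -> (conflicting role pair, risk owner address)
SOD_RULES = {
    "R001": ({"AP_CREATE_VENDOR", "AP_PAY_VENDOR"}, "owner.finance@example.com"),
    "R002": ({"HR_MAINTAIN_MASTER", "HR_RUN_PAYROLL"}, "owner.hr@example.com"),
}
# Constructed list of roles that need a role owner's approval first.
CRITICAL_ROLES = {"AP_PAY_VENDOR", "HR_RUN_PAYROLL"}


def role_fingerprint(roles):
    """Stable digest of the requested role set, used to detect later changes."""
    return hashlib.sha256("\n".join(sorted(roles)).encode()).hexdigest()


@dataclass
class Request:
    roles: set
    role_owner_approved: set = field(default_factory=set)
    analysis_fingerprint: Optional[str] = None
    risks: dict = field(default_factory=dict)      # risk id -> risk owner
    risk_approved: set = field(default_factory=set)

    def pending_role_approvals(self):
        """Critical roles in the request that no role owner has approved yet."""
        return (self.roles & CRITICAL_ROLES) - self.role_owner_approved

    def run_risk_analysis(self):
        """Run the SoD check and return the risk owners that must be notified."""
        if self.pending_role_approvals():
            raise RuntimeError("role owner approvals still pending")
        self.risks = {rid: owner for rid, (pair, owner) in SOD_RULES.items()
                      if pair <= self.roles}
        self.analysis_fingerprint = role_fingerprint(self.roles)
        self.risk_approved = set()                 # earlier approvals no longer apply
        return sorted(set(self.risks.values()))

    def analysis_is_current(self):
        """False when roles were added or removed after the last analysis."""
        return self.analysis_fingerprint == role_fingerprint(self.roles)

    def approve_risk(self, risk_id):
        if not self.analysis_is_current():
            raise RuntimeError("risk analysis is stale, rerun it first")
        if risk_id not in self.risks:
            raise KeyError(risk_id)
        self.risk_approved.add(risk_id)

    def can_provision(self):
        """Provision only with a current analysis and every flagged risk approved."""
        return (not self.pending_role_approvals()
                and self.analysis_is_current()
                and set(self.risks) <= self.risk_approved)


if __name__ == "__main__":
    req = Request(roles={"AP_CREATE_VENDOR", "AP_PAY_VENDOR", "DISPLAY_ONLY"})
    req.role_owner_approved.add("AP_PAY_VENDOR")
    print("notify:", req.run_risk_analysis())
    req.approve_risk("R001")
    print("provision:", req.can_provision())
    req.roles.add("HR_MAINTAIN_MASTER")            # role added during approval
    print("provision after role change:", req.can_provision())
```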

Similar Messages

  • GRC 10.0 CUP - Function Approval Workflow - Decision pending?

    Hi, I am customizing the Function Approval Workflow (SAP_GRAC_FUNC_APPR).
    I have one stage with only one agent authorization. The agent approved the request but in Search Request:
    Instance Status:  Running
    Instance Approval Status: Decision Pending
    Audit Log:
    + Request XXXX submitted..
    + Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_DEFAULT_STAGE
    Approve ID: zzzz
    +Approved by ZZZZ at path GRAC_DEFAULT_PATH stage GRAC_DEFAULT_STAGE
    I don't see the function in GRC. I'm in SP07
    Regards
    Ignacio

    Hi, my workflow Function Approval (default) has a wait event and I can't delete this step successfully.
    Here are more images about the workflow configuration of Function Approval.
    http://es.zimagez.com/zimage/wf10.php
    http://es.zimagez.com/zimage/wf20.php
    http://es.zimagez.com/zimage/wf30.php
    http://es.zimagez.com/zimage/wf40.php
    http://es.zimagez.com/zimage/wf5.php
    http://es.zimagez.com/zimage/wf6.php
    http://es.zimagez.com/zimage/wf7.php
    http://es.zimagez.com/zimage/wf8.php
    Thanks,
    Regards,
    Ignacio Barrionuevo.

  • GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

    Hello Gurus,
    We have configured CUP in GRC AC 10, and mapped a workflow for the same.
    Now when a user requests new roles, e.g. 3 roles:
    Role 1, Role 2, Role 3, each role has a different role owner.
    When the request goes to the role owners for approval and 1 of the 3 role owners rejects the request, the whole request gets rejected.
    Is it possible to have functionality where roles which are approved will go ahead and get "Provisioned" and the whole request won't completely get rejected?
    Looking forward to your inputs!
    Thanks in advance.
    Regards,
    Victor

    Hello Victor,
    I guess you can work with the approval/ rejection level (stage 5 in the WF configuration).
    Have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1637574
    Cheers,
    Diego.

  • Custom Fields in GRC 10.0 - CUP

    Dear Experts,
    Please help me in creating custom fields in GRC 10 - ARM (CUP). I want to create a custom field called Country, assign approvers to that field and make use of this field in the user request form as a mandatory field.
    Could you please let me know how to create a custom field, assign approvers to it and make it mandatory while the user is creating a request for a new account in the system.
    I appreciate your help.
    Thanks,
    Raj

    Hello Raj
    As per my knowledge we can create custom fields in SPRO, path is
    IMG>GRC>General settings>User defined fields
    Under this you will get two types:
    1. Non-HR defined fields
    2. HR defined fields
    Baithi

  • GRC 5.3 CUP SP16 - User info not loading from LDAP into CUP

    Hello,
    We have multiple LDAPS that we needed to connect to our CUP system to authenticate the userids before a request can be created for them. And also to bring in Manager ID and manager email from LDAP as the first level approver for requests.
    My client hasn't maintained the actual LDAP userids, Manager and manager email fields correctly, so we utilized three other custom fields in LDAP and then did field mapping in CUP for those fields. But even when the connection to all the LDAPs is successful, there's no user information being pulled in from LDAP into CUP. I noticed that when I use our backend SAP QA system as 'User Data Source' while using multiple LDAPS for 'User Detail Source Data', it only reads data from SAP QA system SU01 area and even when I'm trying to create requests, no Manager info is being pulled from LDAPS for that user id.
    SAP does not allow the use of multiple LDAPS for the configuration-->User Data Source , top option.  So, if a client has userids in multiple systems, it can only read from one data source.  But even when I temporarily assigned one active directory LDAP to the 'user data source' option, it stated, no records found. So, something is up that no data is being pulled from LDAPs even when the connection to those systems is successful. I just asked our AD guy to temporarily assign domain admin rights to that LDAP connection ID to see if it's access issue, and still I am not getting any LDAP data to read into GRC CUP.
    Has anyone else had this issue? Is there special access that the LDAP connection id needs in LDAP to be able to retrieve data into GRC? Are there any jobs that need to be run to read LDAP data? I thought it should be live as the system is connected to LDAPs. I don't understand, if the connection is successful, why the user info is not being pulled from there and even after the LDAP custom field mapping is done, those field values are not showing up on requests.
    We need the following to happen:
    1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
    2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of  what to request as the User owner approvers per user group are.  So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
    I will greatly appreciate anyone's help on how they got the LDAP field values to be read into GRC CUP for request processing and what type of encrypted access an LDAP connection id can have without assigning it complete domain admin rights on an open port 389 for the LDAP and GRC CUP connection.
    Thanks and Regards,
    Alley

    Hi Alley,
    1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
    This is not possible. You can have only 1 LDAP. Why you want to authenticate the user in different sources?? CUP looks at only one user source, not many. The below wiki explains you the configuration part:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
    2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User owner approvers per user group are. So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
    Based on user group is not possible. However, if you wish to maintain the Manager's Field, ensure that the CUP mapping is done correctly from the Configuration, Field Mapping, LDAP Mapping.
    While defining the workflow, take the approver determinator as Manager. This will route the request to the user's manager. Also, ensure that LDAP is the source in all the configuration areas in CUP.
    Check note 1228996 for more information.
    Hope this helps!!
    Regards,
    Raghu

  • GRC 5.3: CUP asks to perform risk analysis even when there are no risks in request

    Hi All,
    We recently upgraded from GRC 5.3 SP13 to SP22.
    The one issue which we are facing after upgrade is that now CUP is forcing approvers to do Risk Analysis, even when there are no risks in the CUP Request, that is Risk Tab is Green.
    Previously approvers were able to approve requests without doing risk analysis, if there were no risks in the request.
    CUP used to force them to do risk analysis only when there were risks associated with requests.
    But now, it is forcing approvers to perform risk analysis, even if there are no risks, i.e. approvers are not able to approve requests without any risks without doing risk analysis.
    Please advise.
    Thanks
    Aditi

    Hi,
    Can you check if any change is made in Configuration -> Workflow -> Stage -> Approvers
    Regards,
    Claudio

  • CUP Issue in workflow - Approver not found after SP13

    Dear All,
    We are facing an issue after upgrade to SP13 in CUP. The request is not getting saved and throwing an error - Approver not Found.
    We uploaded the xml files also of SP13 after upgrade has completed.
    We have not changed the workflow after upgrade and verified all the attributes of Initiator, CAD and approver is already available in CAD - but still we are receiving the error "Approver Not Found"
    The same workflow is working successfully in the Production system which is under SP9.
    Is this an issue with SP13? If anybody has encountered this, please let us know how to resolve it.
    Thanks and Best Regards,
    Srihari.K

    Dear Chinmaya,
    Below is the error log
    Log :
    2011-05-09 08:13:17,375 [SAPEngine_Application_Thread[impl:3]_25] ERROR NoApproverFoundException in Save request
    com.virsa.ae.workflow.NoApproverFoundException: No approvers found for req no : 135, for reqPathId, 209, for path, CHNG_ANZ_Z6 and approver determinator : ANZ_LAC
    Also, we tried with simple workflow as well with just 2 attribute logic. Still we received the same error
    Thanks and Best Regards,
    Srihari.K

  • SAP GRC 5.3 CUP: Initial Password not displayed

    Hi,
    when a user account is created in the backend system, CUP automatically sends the user ID and a link such as
    http://<Server>:50100/AE/showPassword.do?userId=NEWUSER30&ReqNo=1061&System=ERD
    to the user's email address. When opening the link no password is displayed.
    Could anybody help?
    Marco

    Hi Marco,
    Have you checked that the Send Password in Mail option is set to Yes at Configuration>Workflow>Email reminder>Closing Tab?
    This option is coming only in 5.3 version not in 5.2.
    Regards,
    Jagat

  • GRC 5.3 CUP - Role level comment(Role approver comments)

    I have recently noticed that comments entered by our role approvers are being cut short. Does anyone know if there is a character limit on this field?

    Hi Kevin,
    I had a similar issue with the text field "request reason": when changing a role via ERM and the request is sent to the CUP workflow, there's a textbox that allows you to comment on the role changes. Are you talking about this?
    I used to write large explanations there and I realized that these explanations were shortened (cut) automatically by the application. I raised a SAP message and they told me that this is a functionality that they will take into account for the next patches and proposed that I write the comments in the "detailed description" field ("unlimited" length) instead as a workaround. I'm using SP 15, so I don't know if this functionality was included in recent patches. Maybe you can have a look at the patch info for the AC component.
    Regards,
    Diego.

  • SAP GRC 5.3 CUP Archiving Requests

    All,
    I have a question about archiving and re reviewing requests after they are closed (approved/rejected).
    Let's say I create a request, my manager performs a risk analysis and SOD violations occur, but my manager approves the request. If at some point (say a year down the line) I want to review the request to see what the conflicts were would the request: a. still be in CUP to review and b. would it show the conflicts that were identified at the time.
    How would archiving play into this scenario as well.
    Unfortunately, I cannot test this in CUP as it is time sensitive, but I'm hoping someone has come across this before.
    Thanks,
    Kunal

    Hello Kunal,
    You can test this in a development by re-creating the scenario and archiving the completed request. The length of time archived is not an issue.
    In answer, yes you can pull up the archived request information (provided that you did not delete the archive) and you can see what were the recorded SOD risks at the time. However, the request itself will not tell you the individual transactions that caused the conflicts and may no longer be accurate if the risks and business functions have changed in their content since the time of the request.
    This said, GRC AC seems to be changing in "leaps and bounds" with recent support packs... Who knows if the archiving process will change in the future.
    Best Regards, Dylan

  • GRC AC V10 - Mitigation Control Approval Workflow

    Hi guys,
    can somebody explain to me the difference between the process IDs SAP_GRAC_CONTROL_ASGN and SAP_GRAC_CONTROL_MAINT?
    And can somebody also provide me the initiator rule ID for both so that we can have a detailed look into the BRFplus rule.
    We only want to mitigate controls via a control owner approval and not a process for the creation of new controls.
    That means an assignment approval workflow for mitigation controls.
    Thanks a lot.

    Hello Alexa,
    Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
    I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
    Any information would be appreciated.
    Thanks,
    Jamie

  • SAP GRC 5.3 CUP: Approver Determinator "Super Access Owner"

    Hi,
    when configuring a stage, a standard approver determinator called "Super Access Owner" could be selected. My question is where to specify the Super Access Owner in SAP GRC CUP? In the Config Guide of SAP GRC AC 5.3 a hint explains on page 145
    "If you select Superuser Access Owner as the approver determinator, the system
    fetches the configured owner from the SAP system where the Superuser Privilege
    Management is installed and assigns the request to that particular approver." 
    I do not really understand where to specify it. Is it the former FireFighter in the backend?
    Did anybody use this Approver Determinator already?
    Thank you in advance.
    Marco

    Hi Marco,
    Yes, this approver is defined in the backend Firefighter, which is now Super User Privilege Management. The Firefighter ID owner will be taken as the approver if we select Super User Access Owner in the CUP request. This option is basically being provided for integration of Compliant User Provisioning and Super User Privilege Management for SAP GRC AC 5.3. You may now create a request to assign a Firefighter ID to a Firefighter in CUP and do not need to go to SPM for the same.
    In case you do not want to use this approver, please create a Custom Approver Determinator for the same.
    Hope this helps.
    Harleen

  • GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

    Hello,
    Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
    I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
    User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
       Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
    1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
    2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
    And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
    Thanks in advance,
    Alley
    Edited by: Alley1 on Sep 20, 2011 1:15 AM


  • Option with GRC 5.3 CUP to consolidate the Login Notif. for Xple Systems

    Hi,
    We are setting up a GRC environment for provisioning accounts for users in Dev and Test  SAP systems. We are planning to use a single request to provision accounts to 15-20 systems simultaneously and we are checking ways to consolidate the login notification to the user.
    With our current setting to auto provision the account, the user will get separate mails for each systems. Is there any tweak that will help in consolidating the different mails for different systems to a single one with the same UID and password.
    I know there may not be any standard way of doing this, but then there can be fresh ideas from experts.
    Thanks, Anil

    Sorry, Anil. There is no way to configure those provisioning emails. You can change the wordings or remove them but you won't be able to consolidate them.
    Regards,
    Alpesh

  • Forwarding document (not work item) from specific SAP workflow to Outlook

    Hi,
    We are looking for ways to forward the email notification of leave approval from SAP inbox to MS Outlook.
    One way I know of is to create Auto forwarding in SAP inbox, however this would forward all documents received regardless of the work flow.
    Would appreciate it if any one out there could share your experience.
    Thanks.
    Siew May

    Use program RSWUWFML2.  You can get pretty fancy with it to setup wrapper text.  I have used it a lot so feel free to ping me with any questions.
    What is important to know is normal 'email' forwarding will not send workflow items.  I use this every 15 minutes to forward to Outlook and get the users into the Portal to manage the workflow.
