MSMP Access request and mitigation assignment workflows

Hi Guys,
Need help in understanding access request workflow. Here is the flow:
Requester submitted access request.
1. Manager stage (010)
2. Role owner (020) - at this stage routing enabled for DETOUR_SODVIOL with standard rule ID by creating detour path with new stage (021).
3. Security Lead (030).
Instead of going to SoD stage (021) request is diverted to MIT_ASSIGNMENT workflow for applying mitigation control with a new number generated.
I am confused by the system behavior. Please suggest.
Thanks all for your time.
Thanks & regards
Harry

Hello,
Based on your requirement you need 2 paths.
PATH A: where you have 3 stages
Manager
Role owner
Security Lead
and PATH B: 2 stages, if Security Lead is required after the SoD stage.
1) SoD stage
2) Security Lead
Requester submitted access request. This will go in PATH A.
1. Manager stage (010): Manager approves, then it goes to the next stage.
2. Role owner (020) - at this stage routing enabled for DETOUR_SODVIOL with standard rule ID by creating detour path with new stage (021).: After Role owner approves, with check for condition and route mapping based on rule result value
3. Security Lead (030).
Instead of going to SoD stage (021) request is diverted to MIT_ASSIGNMENT workflow for applying mitigation control with a new number generated.
Ensure MITIGATION workflow is not active in Configuration parameter.
Good Luck
Prasant

Similar Messages

  • SharePoint 2013 - Site Settings - Users and permissions - "Access Request and invitations" link missing

    I am site collection administrator and have configured the outgoing email in Central Administration, but the "Access Request and invitations" link is missing. Please advise on any additional configuration needed for this link to show up.
    I was though able to configure access requests by going to Site Settings->Users and permission and on the ribbon selected "Access Request Settings"
    What is the difference in either of the approaches?
    Thanks
    Abhishek

    Hi there,
    I noticed this post, and didn't really find an appropriate solution to your issue. I noticed the same issue when dealing with Access Requests. First of all, to make sure that the Request feature is enabled, you need to access
    Site Settings -> Site Permissions -> Access Request Settings -> Make sure the
    'Allow access requests' option is enabled.
    The Allow access screen just allows you to enable the feature and also to specify an email address that notifications are sent to, whereas the 'Access Requests and Invitations' section provides a screen to manage Access Requests and request history.
    I noticed then that the Access Requests and Invitations link under 'User and Permissions' didn't actually appear until someone actually requests to join the site. It seems that this is needed to display the screen. Once actioned once, the option stays there.
    Hope it helps

  • Access Denied Error while accessing "Site Settings Access requests and invitations"

    Hi,
    I am getting Access Denied Error while accessing "Site Settings > Access requests and invitations" in SharePoint  2013 online. Currently I am the owner of the site and have "FULL CONTROL" access. I am able to access using
    site collection account. So, what permission I have to give my regular account to access this page?
    Thanks, Pal

    Hello,
    Have you recently changed the Owners group of the site collection or removed the user from the original owners group? 
    The reason I am asking is when the Access requests and invitations list are created, the permissions are given only to the default owners group at the time that the Access Request list was created.  If this "regular account" is not part of that owners
    group, the user will receive access denied.  Site Collection Admins always have permissions for the Access Request List.
    A workaround for the Access Denied issue is listed in the KB article http://support.microsoft.com/kb/2911390/en-us.  By giving the correct group or user the permissions to this list, the users will not receive
    the Access Denied issue anymore.  
    Preferably, in order to grant the user the full permissions ( you will see features like resending invitations may still fail after implementing the above workaround) there is one other workaround that may be required depending on what the original issue
    was.  Below are additional steps to restore full functionality.
    1)Access the /_layouts/15/permsetup.aspx of the site collection, make sure the default Owners Group
    is set correctly.  (There is a group selected)
    2) Add user to that Owners Group.  (Issue may be resolved at this step if the site collection Owners
    Group was never changed, if not continue to next step.)
    3) Implement workaround on http://support.microsoft.com/kb/2911390/en-us, by adding that owners
    group as Full control on Access Request list Permissions.
    Let me know how this works out for you.
    - Shpendi Jashari

  • Can't find "Access requests and invitations" in PS2013

    Hi
    I can't see Access requests and invitations on a project site settings. Do I need to enable anything else besides ticking the box for Allow access requests?
    I tried to follow the instructions on this thread but I can't find the Global External Sharing
    in the SharePoint Central Administration, because this is not a Project Online instance.
    Thanks!

    Hi Pedro,
    You first have to configure outgoing email.
    See this reference below, it might help:
    http://sharepointrevealed.blogspot.ca/2013/08/access-request-in-sharepoint-2013.html
    Hope this helps,
    Guillaume Rouyre, MBA, MCP, MCTS

  • GRC 10.1 Simplified Access Request and Remediation View Issues

    Hi Everyone,
         We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and am having the following issues--has anyone else also experienced?
    In the simplified access request form, it keeps telling me to enter a “valid user ID”—even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
    In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view, there are risks for the same request:
    I’ve checked the following things:
    I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
    I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
    It looks like we are on the latest support packs:
    Any help on this would be greatly appreciated!
    Thanks,
    Brett

    Hi Brett,
    For Remediation issue you can check the below thread.
    http://scn.sap.com/thread/3574790
    Regards,
    Neeraj

  • Access Requests and Approvals

    We all know Site owners can set up the access request feature so that it sends them an email when someone requests access to a site.
    But what about the other side of it. Can we configure if/how an email is sent to the requestor (not the site owner)??
    Any thoughts on this???

    I am not really clear about the "an email is sent to requester" part. But I think you are already aware that while you are adding the user in the SharePoint site, there is already a feature to send email to the user.
    Please mark as helpful if it is really helpful

  • Is it possible (and if so, how) to automatically approve Access Requests

    SharePoint 2013 (we are using SP 2013 On-Prem.) provides the ability for users to "request" access to a site, or for Site Members to "share" content with users outside of the current site users.  In both cases, however, the request
    for access/sharing is added to the hidden list Access Requests, and a notification sent to the Site Collection Owner/Administrator, who must then "approve" the request before access is actually granted to the outside user.
    We have a use case where we would like to have any access requests (specifically those initiated by Member users to share content with non-site users) automatically approved.  We still want the Access Request list to track all the requests, but we want
    to somehow set all requests to Approved as soon as they come in, so that the Site Owners/Admins do not become a bottleneck where it takes time for access to be granted.
    Is there any way to accomplish this without the need for custom code? 
    I tried leveraging a SPD-based workflow, but there are not properties on Access Request that seem to represent the Approved/Declined selections available in the Request user interface, so there does not appear to be a way (at least via workflows) to set
    a request  to approved.
    Any ideas/thoughts on how to maybe accomplish this? 

    Don't think there is a way to do this OOB.
    --Cheers

  • Access Request list "Request For" Workflow

    We are looking at ways to use the current access request functionality.
    If we use the default view, pendingreq.aspx, for the Access Requests list, there is a column we are especially interested in "Request For".  This column, a hyperlink, tells you the level at which users are requesting access...and if approved,
    the level at which the SCA is about to give permission.
    If we create a new view on the Access Requests list, this "Request For" column isn't available anymore.
    I've tried to pull the list in to look @ all the available fields via:
    1. Report Builder 
    2. http://mySharePointSite.com/_api/lists/getbytitle('Access%20Requests')/items
    ...and can't find this "Request For" field.
    Any ideas?  Separate or linked list elsewhere?

    Hi Eric,
    I can now see the column via:
    http://mySharePointSite/_api/lists/getbytitle('Access%20Requests')/items?$select=ObjectRequestedTitleDisp
    Looks like from Report Builder {download here} if you select "Show Hidden Fields" @ the top of the modal window when building the query, you'll see the
    "Request_for" ...or this ObjectRequestedTitleDisp field.  Only bummer is it's just the name/title...there is no file extension or anything at the end of the string value.  So, if the name isn't "smart" coded/listed, you won't
    know if it's library, folder, document or site level...there is no ".docx" or ".xlsx" @ the end of the "Request_for" string.  At least, I haven't found a way to decipher that yet.
    In SharePoint Designer, I see the following View code which could lead to helping get to the right place, but I'm not familiar with this code just yet:
    <FieldRef Name="ObjectRequestedTitleDisp"/></ViewFields><RowLimit Paged="TRUE">15</RowLimit>
    <JSLink>accessrequestscontrol.js|mquery.js|callout.js|accessrequestsviewtemplate.js</JSLink>
    <XslLink Default="TRUE">main.xsl</XslLink><Toolbar Type="None"/></View></XmlDefinition>
    </WebPartPages:XsltListViewWebPart>
    Creating a view to enable access request delete functionality
    Open the site in SharePoint designer 2013 and click the “All Files” node
    Notice the right side shows the “Access Requests” list
    Right click the “Access Requests” list and select “Properties”
    On the Views panel click New
    Enter a name for the new view such as "showallitems"
    Click “OK”
    Navigate back to the original “Access Requests and Invitations” page
    Current URL is containing page name of “pendingreq.aspx”
    Change the URL to “showallitems.aspx”:
    The view will have no columns
    Click the ellipses and “Modify This View”
    Add at least the 2 columns with edit options
    Make sure if you select multiple columns (good practice so you can see the full scope of the request such as status and person), use the right side “Position from Left” ordering to have your edit item links located on the left side of the request row
    Click “OK” in upper right of page, and now you can see the view which contains the edit links to allow deletion of the item

  • Provisioning log is not available on Access request type Change Account

    Hi,
    So I have an issue when I try to submit a request to add a role to a user, and I'm trying to understand what could be the reason for it.  Basically I have a workflow that works perfectly for a "Change Request".  I can see that all the steps are executed, and then at the end of the request, when it is supposed to do the actual role assignment, I see the message "Provisioning log is not available". Then the approval path is finished and the request is closed, but when I take a look at the user in the back end the role is not assigned.  In terms of access I have tried giving SAP_ALL to WF-Batch, nothing shows in Yellow or Red on SLG1 and in SPRO->AC-> User Provisioning -> Define request Type I see "Change Account" with SAP_GRAC_ACCESS_REQUEST.  What else can I do to troubleshoot this error?
    Note: I went back to the AC 10.0 Pre-Implementation From Post-Installation to First Access Request and everything looks right in terms of the AC Configuration settings.

    Hi Jonathan,
    In my question I was referring to SPRO - GRC/access control/user provisioning / maintain provisioning settings. Those need to be setup (min. global provisioning settings) in order to have role being assigned to user at the end of path.
    Change account option you can see under request type is referring to change user master data(e.g. password/ account validity / details).
    Is this system maintained by CUA? If so, settings have to be different (see CUA settings in SPRO).
    I would recommend moving to SP14 as in SP13 there were many bugs, by the way I believe the worst SP ever since beginning of AC is SP13 (maybe due to number), as it destroys many working functionality.
    Filip         

  • PD Profile / Structural Authorization in Access Request - 10.1

    Hi - We are upgrading from 5.3 to 10.1 SP6.  We are not migrating.  In 5.3 we provisioned PD profiles directly to a user in OOSB.
    I'm having issues with our PD Profile showing up in my access request search.  Here's what I have done.
    Business Role Management
    - I created a "PD Profile" against my ECC "Landscape".  The "Project Release" is Production.  The Additional Details -->Provisioning has my ECC system and allows for provisioning.  The "Current Phase" is Complete.
    When a search for the PD profile using "Role Type" PD Profile in Access Management-->Role Management-->Role Search, my PD profile appears.
    When I go to create an access request and I go to Add --> Role the "Select Roles" search screen appears.  I search by Role Type = PD Profile and nothing shows up.  I try to search by the actual PD Profile Name with no other selections and nothing shows up.  All my composite and single roles show up in my searches.
    When I go into table "GRACPDPROFILES", I see the PD Profile I created.  Field AC_REF_ROLE_ID contains a long string.  It has an updated date of when I created it.
    Any idea on what other setting I may be missing to make the PD profile available to select in an access request?
    We'll continue to do direct assignment within OOSB and not indirectly via the position.
    Thanks,
    Rich

    Hi Richard,
    You need to refer to: http://service.sap.com/sap/support/notes/1666128
    Hope this helps.
    Regards,
    Ameet

  • WebDynpro Access Request

    Dear all.
    I am creating a Launchpad for a new Access Request form. My idea is to delete one of the tabs (Custom tab), not for all users, just for some of them. So I have copied the Configuration component and the UIBB. Then I assign the ZGRAC_OIF_REQUEST_ROLE_TAB_CC and then I push over the Configure UIBB
    Then I can see all the tabs and then I remove the Custom Data tab.
    So now I create a Launchpad, creating two folders (Access Request and Access Risk Analysis) and assigning the Access Request application the ZGRAC_OIF_REQUEST_SUBMISSION. Is that correct?
    Now I create a single role and then I assign the Application Configuration I have created.
    But when I access with the user, instead of the two folders created previously (Access Request and Access Risk Analysis) appearing, I see the Access Request screen directly. In this screenshot you can see how the Custom tab does not appear anymore but I cannot see the two folders.
    I was expecting to see a menu similar to this image 8 attached.

    Hi Sara,
    parameters set up at end user personalization (EUP) may in your case override your expected settings.
    Make sure in SPRO/EUP/ custom tab - is set to visible and try again,
    Filip

  • Site access request alerts are not being sent to specified email.

    In my SharePoint 2013 deployment I can't seem to get access request alerts working correctly. I go into the site permissions for any given site, enable access request and set an email address. When a user requests access an email is never sent to the address
    I specified. Because of this site administrators have to constantly go into the site settings and check if there are any access requests and approve or deny them. I have checked my Exchange server logs and no email ever reaches it so it appears the alert is
    never generated. Other outgoing emails such as alerts on libraries do work correctly. 
    Please, help!

    I have a solution for you.
    Called MS Support and they told me that SharePoint tries to send these mails authenticated via the Web Appl Pool Account.
    So we started netmon to analyse this problem.
    There we found the entry:
    SMTP:Rsp 550  5.7.1 Client does not have permissions to send as this sender
    You can solve this problem by authorizing the Web Appl Pool User to the SMTP receive connector (on exchange server):
    Get-ReceiveConnector "<spconector>" | Add-ADPermission -User "CONTOSO\AppPoolAccount" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
    Get-ReceiveConnector "<spconector>" | Add-ADPermission -User "CONTOSO\AppPoolAccount" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"
    or (this is what we do):
    Add the IP addresses of the SharePoint webservers to the relay of the Exchange servers (for this you must have an open relay connector).

  • Mitigation assignment approval in Access Request Workflow

    Hi Guys,
    I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
    Below is the Scenario,
    1) User Submits the request
    2) Manager Approves
    3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
    Clarification:
    Once the role owner approves, depending on the mitigation controls assigned, can this request be routed to the mitigation control owner for approval in the next stage? Is this configurable without custom BRF+ rules? I know there is a separate workflow (SAP_GRAC_CONTROL_ASGN) for approval of assignment, which I suppose is outside of the Access request workflow.
    Please suggest.

    Pavan,
    more or less - as the control assignment workflow is independent, the access request doesn't wait. So if the role owner sets a mitigation, the control workflow starts. If you allow the role owner to approve the access request with risks, meaning if the risk isn't mitigated, then the role owner can proceed.
    To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
    Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
    Does this answer your question?
    Regards,
    Alessandro

  • OIM11g - Approval Workflow - Requester and Approver is same

    Hi All,
    I have a scenario where , requests are approved by a group. ( Resource Owners group).
    and if anyone needs access to this resource, the members of the group will approve the requests.
    What if any member of the "Resource Owners" groups raises a request on the same object ?? OIM functionally sends it to the group for approval, and it will become a self approval and is a conflict.
    How to avoid this kind of scenarios.
    Regards
    Vicky
    Edited by: vicky on Dec 7, 2011 5:18 AM

    AFAIK I haven't seen any system property to stop this. SOA does not care about who the requester is and who the approvers are. The way Oracle has implemented the identity service for OIM in SOA does not handle this. Seems there are no SOD checks. Open an SR, which I believe should be taken as an ER.
    Thus the workaround would be to get all the members of the approver group less the requester and assign to all the members. The member list should be comma separated user ids.
    HTH,
    BB
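
The workaround in the reply above (approver group minus the requester, handed over as comma-separated user IDs), written out as an added example that is not part of the original thread and calls no OIM or SOA API. The function names, the escalation group used when the requester is the only member, and the sample user IDs are all assumptions made for illustration.

```python
"""Added example: keep the requester out of a group approval (self-approval check)."""


class NoEligibleApprover(Exception):
    """Raised when removing the requester leaves nobody who may approve."""


def _norm(user_id: str) -> str:
    # Assumption: login IDs compare case-insensitively and may carry stray spaces.
    return user_id.strip().upper()


def eligible_approvers(requester, group_members, escalation_members=()):
    """Return approver IDs (original spelling, order kept, duplicates dropped)
    with the requester removed. If that empties the group, fall back to
    escalation_members, a hypothetical second group, filtered the same way."""
    blocked = _norm(requester)
    for pool in (group_members, escalation_members):
        seen, result = set(), []
        for member in pool:
            key = _norm(member)
            if not key or key == blocked or key in seen:
                continue
            seen.add(key)
            result.append(member.strip())
        if result:
            return result
    raise NoEligibleApprover(f"no approver other than requester {requester!r}")


def assignee_string(requester, group_members, escalation_members=()):
    """Comma-separated user IDs, the format the workaround calls for."""
    return ",".join(eligible_approvers(requester, group_members, escalation_members))


def may_approve(requester, approver):
    """Second check at decision time: refuse a self-approval even if the
    assignee list was built wrongly or the task was reassigned later."""
    return _norm(requester) != _norm(approver)


if __name__ == "__main__":
    # Constructed sample data: a "Resource Owners" group with a duplicate
    # entry and the requester listed with different case and a trailing space.
    owners = ["jdoe", "ALEE", "rsmith ", "alee"]
    print(assignee_string("RSmith", owners))
    print(assignee_string("solo", ["SOLO"], ["secadmin"]))
    print(may_approve("rsmith", "RSMITH"))
```

Comparing normalized IDs matters here: an exact string match would leave `rsmith ` in the list for requester `RSmith` and the self-approval would go through.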

  • Regd. workflows and org. assignment

    Hi,
    Most of us would know PPOC and org. assignment used in workflows. What I want to know is, this org. assignments do they differ in the way they are built if we use SAP HR in our system. If so how do they differ, it is going to be the same PPOC isn't it.
    Regards,
    Vijay

    Hello,
    In my opinion they do not differ. They are the same HR objects. So technically there is no difference, I think.
