MSMP Access request and mitigation assignment workflows
Hi Guys,
Need help in understanding access request workflow. Here is the flow:
Requester submitted access request.
1. Manager stage (010)
2. Role owner (020) - at this stage routing enabled for DETOUR_SODVIOL with standard rule ID by creating detour path with new stage (021).
3. Security Lead (030).
Instead of going to the SoD stage (021), the request is diverted to the MIT_ASSIGNMENT workflow for applying a mitigation control, with a new number generated.
I am confused by the system behavior. Please suggest.
Thanks all for your time.
Thanks & regards
Harry
Hello,
Based on your requirement you need 2 paths.
PATH A: where you have 3 stages
Manager
Role owner
Security Lead
and PATH B: 2 stages, if Security Lead is required after the SoD stage.
1) SoD stage
2) Security Lead
Requester submitted access request. This goes in PATH A.
1. Manager stage (010): Manager approves, then it goes to the next stage.
2. Role owner (020) - at this stage routing enabled for DETOUR_SODVIOL with standard rule ID by creating detour path with new stage (021): after Role owner approves, with check for condition and route mapping based on rule result value.
3. Security Lead (030).
Instead of going to SoD stage (021) request is diverted to MIT_ASSIGNMENT workflow for applying mitigation control with a new number generated.
Ensure the MITIGATION workflow is not active in the configuration parameter.
Good Luck
Prasant
Similar Messages
-
I am site collection administrator and have configured the outgoing email in Central administration but "Access Request and invitations" link is missing, pl advice any additional configurations for this link to show up
I was though able to configure access requests by going to Site Settings->Users and permission and on the ribbon selected "Access Request Settings"
What is the difference in either of the approaches?
Thanks
Abhishek
Hi there,
I noticed this post, and didn't really find an appropriate solution to your issue. I noticed the same issue when dealing with Access Requests. First of all to make sure that the Request feature is enabled, you need to access
Site Settings -> Site Permissions -> Access Request Settings -> Make sure the
'Allow access requests' option is enabled.
The Allow access screen just allows you to enable the feature and also to specify an email address that notifications are sent to. Whereas the 'Access Requests and Invitations' section provides a screen to manage Access Requests and request history.
I noticed then that the Access Requests and Invitations link under 'User and Permissions' didn't actually appear until someone actually requests to join the site. It seems that this is needed to display the screen. Once actioned once, the option stays there.
Hope it helps -
Access Denied Error while accessing "Site Settings Access requests and invitations"
Hi,
I am getting Access Denied Error while accessing "Site Settings > Access requests and invitations" in SharePoint 2013 online. Currently I am the owner of the site and have "FULL CONTROL" access. I am able to access using
site collection account. So, what permission I have to give my regular account to access this page?
Thanks, Pal
Hello,
Have you recently changed the Owners group of the site collection or removed the user from the original owners group?
The reason I am asking is when the Access requests and invitations list are created, the permissions are given only to the default owners group at the time that the Access Request list was created. If this "regular account" is not part of that owners
group, the user will receive access denied. Site Collection Admins always have permissions for the Access Request List.
A workaround for the Access Denied issue is listed in the KB article http://support.microsoft.com/kb/2911390/en-us. By giving the correct group or user the permissions to this list, the users will not receive
the Access Denied issue anymore.
Preferably, in order to grant the user the full permissions ( you will see features like resending invitations may still fail after implementing the above workaround) there is one other workaround that may be required depending on what the original issue
was. Below are additional steps to restore full functionality.
1) Access the /_layouts/15/permsetup.aspx of the site collection, make sure the default Owners Group is set correctly. (There is a group selected)
2) Add user to that Owners Group. (Issue may be resolved at this step if the site collection Owners Group was never changed, if not continue to next step.)
3) Implement workaround on http://support.microsoft.com/kb/2911390/en-us, by adding that owners group as Full control on Access Request list Permissions.
Let me know how this works out for you.
- Shpendi Jashari -
Can't find "Access requests and invitations" in PS2013
Hi
I can't see Access requests and invitations on a project site settings. Do I need to enable anything else besides ticking the box for "Allow access requests"?
I tried to follow the instructions on this thread but I can't find the Global External Sharing in the SharePoint Central Administration, because this is not a Project Online instance.
Thanks!
Hi Pedro,
You first have to configure outgoing email.
See this reference below, it might help:
http://sharepointrevealed.blogspot.ca/2013/08/access-request-in-sharepoint-2013.html
Hope this helps,
Guillaume Rouyre, MBA, MCP, MCTS | -
GRC 10.1 Simplified Access Request and Remediation View Issues
Hi Everyone,
We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and I am having the following issues; has anyone else also experienced them?
In the simplified access request form, it keeps telling me to enter a “valid user ID”, even though the ID is valid and works fine in the normal access request screen. Also tried to search and then select the ID in this field with the same error.
In the SoD Remediation view, I keep getting “No Data Found”, even though in the detail view there are risks on the same request:
I’ve checked the following things:
I’ve used IE 8, IE 9, FireFox, Chrome, and the NWBC to see if any of these fix the issue
I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
It looks like we are on the latest support packs:
Any help on this would be greatly appreciated!
Thanks,
Brett
Hi Brett,
For Remediation issue you can check the below thread.
http://scn.sap.com/thread/3574790
Regards,
Neeraj -
We all know Site owners can set up the access request feature so that it sends them an email when someone requests access to a site.
But what about the other side of it. Can we configure if/how an email is sent to the requestor (not the site owner)??
Any thoughts on this???
I am not really clear about the "an email is sent to requester" part. But I think you are already aware that while you are adding the user in the SharePoint site, there is already a feature to send an email to the user.
Please mark as helpful if it is really helpful -
Is it possible (and if so, how) to automatically approve Access Requests
SharePoint 2013 (we are using SP 2013 On-Prem.) provides the ability for users to "request" access to a site, or for Site Members to "share" content with users outside of the current site users. In both cases, however, the request
for access/sharing is added to the hidden list Access Requests, and a notification sent to the Site Collection Owner/Administrator, who must then "approve" the request before access is actually granted to the outside user.
We have a use case where we would like to have any access requests (specifically those initiated by Member users to share content with non-site users) automatically approved. We still want the Access Request list to track all the requests, but we want
to somehow set all requests to Approved as soon as they come in, so that the Site Owners/Admins do not become a bottleneck where it takes time for access to be granted.
Is there any way to accomplish this without the need for custom code?
I tried leveraging a SPD-based workflow, but there are no properties on Access Request that seem to represent the Approved/Declined selections available in the Request user interface, so there does not appear to be a way (at least via workflows) to set
a request to approved.
Any ideas/thoughts on how to maybe accomplish this?
Don't think there is a way to do this OOB.
--Cheers -
Access Request list "Request For" Workflow
We are looking at ways to use the current access request functionality.
If we use the default view, pendingreq.aspx, for the Access Requests list, there is a column we are especially interested in "Request For". This column, a hyperlink, tells you the level at which users are requesting access...and if approved,
the level at which the SCA is about to give permission.
If we create a new view on the Access Requests list, this "Request For" column isn't available anymore.
I've tried to pull the list in to look @ all the available fields via:
1. Report Builder
2. http://mySharePointSite.com/_api/lists/getbytitle('Access%20Requests')/items
...and can't find this "Request For" field.
Any ideas? Separate or linked list elsewhere?
Hi Eric,
I can now see the column via:
http://mySharePointSite/_api/lists/getbytitle('Access%20Requests')/items?$select=ObjectRequestedTitleDisp
Looks like from Report Builder, if you select "Show Hidden Fields" @ the top of the modal window when building the query, you'll see the
"Request_for" ...or this ObjectRequestedTitleDisp field. Only bummer is it's just the name/title...there is no file extension or anything at the end of the string value. So, if the name isn't "smart" coded/listed, you won't
know if it's library, folder, document or site level...there is no ".docx" or ".xlsx" @ the end of the "Request_for" string. At least, I haven't found a way to decipher that yet.
In SharePoint Designer, I see the following View code which could lead to helping get to the right place, but I'm not familiar with this code just yet:
<FieldRef Name="ObjectRequestedTitleDisp"/></ViewFields><RowLimit Paged="TRUE">15</RowLimit>
<JSLink>accessrequestscontrol.js|mquery.js|callout.js|accessrequestsviewtemplate.js</JSLink>
<XslLink Default="TRUE">main.xsl</XslLink><Toolbar Type="None"/></View></XmlDefinition>
</WebPartPages:XsltListViewWebPart>
Creating a view to enable access request delete functionality
Open the site in SharePoint designer 2013 and click the “All Files” node
Notice the right side shows the “Access Requests” list
Right click the “Access Requests” list and select “Properties”
On the Views panel click New
Enter a name for the new view such as "showallitems"
Click “OK”
Navigate back to the original “Access Requests and Invitations” page
The current URL contains the page name “pendingreq.aspx”
Change the URL to “showallitems.aspx”:
The view will have no columns
Click the ellipses and “Modify This View”
Add at least the 2 columns with edit options
Make sure if you select multiple columns (good practice so you can see the full scope of the request such as status and person), use the right side “Position from Left” ordering to have your edit item links located on the left side of the request row
Click “OK” in upper right of page, and now you can see the view which contains the edit links to allow deletion of the item -
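Eric's REST call above returns the hidden "Request For" value as ObjectRequestedTitleDisp, and as he notes the bare title carries no extension, so most values cannot be typed as library, folder, document or site. The following is an added example (not Eric's code and not part of SharePoint) that pulls that field out of the response body and flags which values can at least be recognised as documents by extension. It assumes the OData envelope SharePoint returns for the `$select` query, either verbose (`{"d": {"results": [...]}}`) or minimal (`{"value": [...]}`); the sample body and its titles are constructed.

```python
"""Added example: read ObjectRequestedTitleDisp ('Request For') from the
Access Requests REST response and classify what can be classified.

Assumptions: verbose ({"d": {"results": [...]}}) or minimal ({"value": [...]})
OData envelope as returned by
/_api/lists/getbytitle('Access%20Requests')/items?$select=ObjectRequestedTitleDisp.
The sample body below is constructed; the titles are invented.
"""
import json
import os

# Constructed response body in the verbose OData shape.
SAMPLE_BODY = json.dumps({"d": {"results": [
    {"ObjectRequestedTitleDisp": "Budget 2014.xlsx"},
    {"ObjectRequestedTitleDisp": "Project Charter.docx"},
    {"ObjectRequestedTitleDisp": "Shared Documents"},  # library, folder or site: the field does not say
    {"ObjectRequestedTitleDisp": "Team Site"},
]}})

# Extensions that identify a document-level request; anything else stays unknown.
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf"}


def request_for_values(body: str) -> list:
    """Extract every ObjectRequestedTitleDisp value from either envelope shape."""
    data = json.loads(body)
    items = data.get("value") or data.get("d", {}).get("results", [])
    return [item.get("ObjectRequestedTitleDisp", "") for item in items]


def classify(title: str) -> str:
    """'document' when the title ends in a known extension, otherwise 'unknown'."""
    ext = os.path.splitext(title)[1].lower()
    return "document" if ext in DOCUMENT_EXTENSIONS else "unknown"


def summarize(body: str) -> dict:
    """Map each requested object title to its best-effort classification."""
    return {title: classify(title) for title in request_for_values(body)}


if __name__ == "__main__":
    for title, kind in summarize(SAMPLE_BODY).items():
        print(f"{kind:8} {title}")
```

Anything reported as "unknown" still has to be opened in pendingreq.aspx, where the "Request For" hyperlink resolves the actual scope; the REST field alone is only enough to spot document-level requests.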
Provisioning log is not available on Access request type Change Account
Hi,
So I have an issue when I try to submit a request to add a role to a user, and I'm trying to understand what could be the reason for it. Basically I have a workflow that works perfectly for a "Change Request". I can see that all the steps are executed, and then at the end of the request, when it is supposed to do the actual role assignment, I see the message "Provisioning log is not available"; then the approval path is finished and the request is closed, but when I take a look at the user in the back end the role is not assigned. In terms of access I have tried giving SAP_ALL to WF-Batch, nothing shows in yellow or red in SLG1, and in SPRO -> AC -> User Provisioning -> Define Request Type I see "Change Account" with SAP_GRAC_ACCESS_REQUEST. What else can I do to troubleshoot this error?
Note: I went back to the AC 10.0 Pre-Implementation From Post-Installation to First Access Request and everything looks right in terms of the AC Configuration settings.
Hi Jonathan,
In my question I was referring to SPRO - GRC/access control/user provisioning / maintain provisioning settings. Those need to be setup (min. global provisioning settings) in order to have role being assigned to user at the end of path.
Change account option you can see under request type is referring to change user master data(e.g. password/ account validity / details).
Is this system maintained by CUA? If so, settings have to be different (see CUA settings in SPRO).
I would recommend moving to SP14 as in SP13 there were many bugs; by the way I believe the worst SP ever since the beginning of AC is SP13 (maybe due to the number), as it destroys much working functionality.
Filip -
PD Profile / Structural Authorization in Access Request - 10.1
Hi - We are upgrading from 5.3 to 10.1 SP6. We are not migrating. In 5.3 we provisioned PD profiles directly to a user in OOSB.
I'm having issues with our PD Profile showing up in my access request search. Here's what I have done.
Business Role Management
- I created a "PD Profile" against my ECC "Landscape". The "Project Release" is Production. The Additional Details --> Provisioning has my ECC system and allows for provisioning. The "Current Phase" is Complete.
When I search for the PD profile using "Role Type" PD Profile in Access Management --> Role Management --> Role Search, my PD profile appears.
When I go to create an access request and I go to Add --> Role the "Select Roles" search screen appears. I search by Role Type = PD Profile and nothing shows up. I try to search by the actual PD Profile Name with no other selections and nothing shows up. All my composite and single roles show up in my searches.
When I go into table "GRACPDPROFILES", I see the PD Profile I created. Field AC_REF_ROLE_ID contains a long string. It has an updated date of when I created it.
Any idea on what other setting I may be missing to make the PD profile available to select in an access request?
We'll continue to do direct assignment within OOSB and not indirectly via the position.
Thanks,
Rich
Hi Richard,
You need to refer to: http://service.sap.com/sap/support/notes/1666128
Hope this helps.
Regards,
Ameet -
Dear all.
I am creating a Launchpad for a new Access Request form. My idea is to delete one of the tabs (Custom tab), not for all users, just for some of them. So I have copied the Configuration component and the UIBB. Then I assign the ZGRAC_OIF_REQUEST_ROLE_TAB_CC and then I push over the Configure UIBB.
Then I can see all the tabs and then I remove the tab Custom Data tab.
So now I create a Launchpad, creating two folders (Access Request and Access Risk Analysis), and I assign the Access Request application the ZGRAC_OIF_REQUEST_SUBMISSION. Is that correct?
Now I create a single role and then I assign the Application Configuration I have created.
But when I access as the user, instead of the two folders created previously (Access Request and Access Risk Analysis) appearing, I see the Access Request screen directly. In this screenshot you can see how the Custom tab does not appear anymore, but I cannot see the two folders.
I was expecting to see a menu similar to this image 8 attached.
Hi Sara,
Parameters set up in end user personalization (EUP) may in your case override your expected settings.
Make sure in SPRO/EUP the custom tab is set to visible and try again,
Filip -
Site access request alerts are not being sent to specified email.
In my SharePoint 2013 deployment I can't seem to get access request alerts working correctly. I go into the site permissions for any given site, enable access request and set an email address. When a user requests access an email is never sent to the address
I specified. Because of this site administrators have to constantly go into the site settings and check if there are any access requests and approve or deny them. I have checked my Exchange server logs and no email ever reaches it so it appears the alert is
never generated. Other outgoing emails such as alerts on libraries do work correctly.
Please, help!
I have a solution for you.
Called MS Support and they told me that sharepoint tries to send these mails authenticated via the Web Appl Pool Account.
So we started netmon to analyse this problem.
There we found the entry:
SMTP:Rsp 550 5.7.1 Client does not have permissions to send as this sender
You can solve this problem by authorizing the Web Appl Pool User to the SMTP receive connector (on exchange server):
Get-ReceiveConnector "<spconector>" | Add-ADPermission -User "CONTOSO\AppPoolAccount" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
Get-ReceiveConnector "<spconector>" | Add-ADPermission -User "CONTOSO\AppPoolAccount" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"
or (this is what we do):
Add the IP addresses of the sharepoint webservers to the relay of the exchange servers (for this you must have an open relay connector). -
Mitigation assignment approval in Access Request Workflow
Hi Guys,
I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
Below is the Scenario,
1) User Submits the request
2) Manager Approves
3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
Clarification:
Once the role owner approves, depending on the mitigation controls assigned, can this request be routed to the mitigation control owner for approval in the next stage? Is this configurable without custom BRF+ rules? I know there is a workflow separately (SAP_GRAC_CONTROL_ASGN) for approval of assignment which I suppose is outside of the Access request workflow.
Please suggest.
Pavan,
more or less - as the control assignment workflow is independent the access request doesn't wait. So if the role owner sets a mitigation the control workflow starts. If you allow the role owner to approve the access request with risks, meaning if the risk isn't mitigated, then the role owner can proceed.
To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
Does this answer your question?
Regards,
Alessandro -
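Two behaviours from this page are easy to confuse: the stage routing Prasant describes (after the role-owner stage a rule result of DETOUR_SODVIOL sends the request down the detour path, unless the mitigation workflow parameter is active, in which case it is diverted to MIT_ASSIGNMENT with a new number) and the approval gate Alessandro describes (the role owner cannot approve while unmitigated risks remain; assigning a control starts the separate SAP_GRAC_CONTROL_ASGN workflow, and only once that control is finally approved can the access request proceed). The toy model below is an added example written for this page, not SAP code and not the MSMP engine: the stage ids 010/020/021/030, the rule result value DETOUR_SODVIOL and the workflow names come from the thread, while the class and function names, the `approve_despite_risks` and `mitigation_workflow_active` flags and the "-M" suffix on the diverted number are assumptions made for illustration.

```python
"""Added example: a small model of the access-request routing and risk gate
discussed in this thread. Not SAP's implementation; stage ids, DETOUR_SODVIOL and
the workflow names are from the thread, everything else is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

PATH_A = ["010", "020", "030"]   # Manager, Role owner, Security Lead
PATH_B = ["021", "030"]          # SoD stage, Security Lead (the detour path)


@dataclass
class Risk:
    risk_id: str
    mitigated: bool = False          # a control has been assigned by the approver
    control_approved: bool = False   # the control-assignment workflow reached final approval


@dataclass
class AccessRequest:
    number: str
    risks: list = field(default_factory=list)
    stage_index: int = 0
    path: list = field(default_factory=lambda: list(PATH_A))
    status: str = "OPEN"
    spawned: list = field(default_factory=list)   # independent workflows started on the way

    @property
    def stage(self) -> Optional[str]:
        return self.path[self.stage_index] if self.stage_index < len(self.path) else None


def unmitigated(req: AccessRequest) -> list:
    """Risks that are neither remediated nor covered by a finally approved control."""
    return [r for r in req.risks if not (r.mitigated and r.control_approved)]


def detour_rule(req: AccessRequest) -> Optional[str]:
    """Routing rule evaluated after stage 020; the result value drives the route mapping."""
    return "DETOUR_SODVIOL" if unmitigated(req) else None


def assign_mitigation(req: AccessRequest, risk_id: str, control_id: str) -> None:
    """Assigning a control starts the separate control-assignment workflow (assumed name)."""
    for r in req.risks:
        if r.risk_id == risk_id:
            r.mitigated = True
            req.spawned.append(("SAP_GRAC_CONTROL_ASGN", risk_id, control_id))
            return
    raise KeyError(risk_id)


def approve_control_assignment(req: AccessRequest, risk_id: str) -> None:
    """Final approval in the control-assignment workflow makes the mitigation valid."""
    for r in req.risks:
        if r.risk_id == risk_id:
            r.control_approved = True


def approve(req: AccessRequest, *, approve_despite_risks: bool = False,
            mitigation_workflow_active: bool = False) -> str:
    """Approve the current stage and return what happened to the request."""
    if req.status != "OPEN":
        raise RuntimeError("request is closed")
    stage = req.stage
    # Alessandro's gate: approvers at the risk stages may not proceed with open risks.
    if stage in ("020", "021") and unmitigated(req) and not approve_despite_risks:
        return "BLOCKED: open risks must be remediated or mitigated first"
    if stage == "020" and detour_rule(req) == "DETOUR_SODVIOL":
        if mitigation_workflow_active:
            # Harry's observation: diverted to MIT_ASSIGNMENT with a new number (suffix assumed).
            req.status = "DIVERTED"
            req.spawned.append(("MIT_ASSIGNMENT", req.number + "-M"))
            return "DIVERTED to MIT_ASSIGNMENT"
        req.path, req.stage_index = list(PATH_B), 0     # Prasant's route mapping to PATH B
        return f"ROUTED to path B, stage {req.stage}"
    req.stage_index += 1
    if req.stage is None:
        req.status = "APPROVED"
        return "APPROVED"
    return f"NEXT stage {req.stage}"


if __name__ == "__main__":
    req = AccessRequest("1001", risks=[Risk("R1")])
    print(approve(req))
    print(approve(req, approve_despite_risks=True))
```

Run with `approve_despite_risks=True` the model reproduces Prasant's path routing; with the default it reproduces Alessandro's gate, where the request stays blocked at 020 until `assign_mitigation` and `approve_control_assignment` have both happened, after which the detour rule no longer fires and the request continues to 030.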
OIM11g - Approval Workflow - Requester and Approver is same
Hi All,
I have a scenario where , requests are approved by a group. ( Resource Owners group).
and if anyone needs access to this resource, the members of the group will approve the requests.
What if any member of the "Resource Owners" groups raises a request on the same object ?? OIM functionally sends it to the group for approval, and it will become a self approval and is a conflict.
How to avoid this kind of scenarios.
Regards
Vicky
Edited by: vicky on Dec 7, 2011 5:18 AM
AFAIK I haven't seen any system property to stop this. SOA does not care about who the requester is and who the approvers are. The way Oracle has implemented the identity service for OIM in SOA does not handle this. Seems there are no SoD checks. Open an SR, which I believe should be taken as an ER.
Thus the workaround would be to get all the members of the approver group less the requester and assign to all those members. The member list should be comma-separated user ids.
HTH,
BB -
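The workaround BB describes, assigning the task to the approver group minus the requester as a comma-separated list of user ids, has one edge case worth handling: when the requester is the group's only member, subtracting them leaves nobody, and a naive implementation would hand the task back to the requester. The following is an added example written for this page, not Oracle or OIM code: it builds that approver list, refuses (or escalates to a fallback approver) when the list would be empty, and also scans an approval log for self-approvals that already went through. The group membership, the user ids, the events and the `escalation` parameter are constructed assumptions; only the group name "Resource Owners" comes from the thread.

```python
"""Added example: approver list minus the requester, plus a self-approval check.

Constructed data: in OIM the membership would come from the group lookup and the
events from the request history. Not Oracle's code.
"""

# Constructed group membership.
GROUPS = {
    "Resource Owners": ["alice", "bob", "carol"],
    "Single Owner": ["dave"],
}

# Constructed approval events: (request_id, requester, approver).
SAMPLE_EVENTS = [
    ("REQ-1", "zed", "alice"),
    ("REQ-2", "bob", "bob"),      # requester approved their own request
    ("REQ-3", "carol", "alice"),
]


class SelfApprovalConflict(Exception):
    """Raised when removing the requester leaves nobody eligible to approve."""


def is_self_approval(requester: str, group: str, groups=GROUPS) -> bool:
    """True when the requester sits in the approving group (the conflict in the thread)."""
    return requester in groups[group]


def approvers_for(requester: str, group: str, groups=GROUPS, escalation=None) -> str:
    """Comma-separated approver ids: the group's members minus the requester.

    If the requester is the only member there is no valid approver; use the
    hypothetical `escalation` approver if one is given, otherwise refuse rather
    than silently assigning the task to the requester.
    """
    eligible = [m for m in groups[group] if m != requester]
    if not eligible:
        if escalation is None:
            raise SelfApprovalConflict(f"{requester} is the only member of {group}")
        eligible = [escalation]
    return ",".join(eligible)


def find_self_approvals(events) -> list:
    """Detection side: request ids where requester and approver are the same user."""
    return [req for req, requester, approver in events if requester == approver]


if __name__ == "__main__":
    print(approvers_for("bob", "Resource Owners"))
    print(find_self_approvals(SAMPLE_EVENTS))
```

`find_self_approvals` is the check to run over existing request history before relying on the workaround, since nothing in the platform, per the thread, prevents a member of the owning group from approving their own request.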
Regd. workflows and org. assignment
Hi,
Most of us would know PPOC and org. assignment used in workflows. What I want to know is, do these org. assignments differ in the way they are built if we use SAP HR in our system? If so, how do they differ? It is going to be the same PPOC, isn't it?
Regards,
Vijay
Hello,
In my opinion they do not differ. They are the same HR objects. So technically there is no difference, I think.