Role Approver Actions-Add, Keep, Remove

Similar Messages

• SP12: Auto-provisioning failed for role with action "keep"

  Hi,
  If you want to keep an exisiting role for a user in CUP. It wasn't possible to change the validity of the role. Therefor you have to set parameter 145 value to 1 in database table VIRSA_AE_ERMCONFIG and refresh cache in CUP(solution with SP11).
  But know we have problemes with the auto-provisioning.
  We can enter the other validity of the role and after that the request provisioning failed. In our workflow the request rerouted to the admin because of escape-route settings. All other new roles in the request are assigned well to the user in the backend system.
  Any ideas?
  Many thanks,
  Alexa

  Hi,
  we actually have the same Problem, that changes to the role validity with action "keep" are not provisioned to the SAP system.
  If it is only possible to change the validity with the action "add" it is not possible to limit the validity of a previously unlimited role. Because as you said another role with the new validity dates is simply added to the existing roles.
  The only workaround would be to delete the old role and add a new one with new validity dates. But in my opinion this workaround is not acceptable for the users.
  Best Regards
  Jonas

• Role approver removed from role in GRC

  Hello Experts,
  I am a fresher to SAP GRC. Please help me on the below issue.
  In SAP GRC 5.3,  for some roles role approver has been removed and some roles automatically uploaded to GRC. The role that are uploaded to GRC should not be and while checking there is no change log for the role. For other roles for which role approver have been removed, also there is no log for which recent approver have been removed.
  Can you tell how it happened and who did this or way to troubleshoot.
  Thanks in Advance.
  Biswaranjan

  Hello samiran,
  Thanks for your reply.
  Yes we have already uploaded the OLD file. But my concern is how we can troubleshoot to find out how it was corrupted as no one did the change.  we can find the change log for the approver change for any role in GRC 5.3 .
  Or it is not possible to find out how it happened???
  Regards,
  Biswaranjan

• How to add and remove rows and keep track of it

  hi all,
  i hv an issue
  im developing a page which will hv remove and add buttons for 3 categories
  on clicking it it should add r remove HTML table rows respective to which category button is pressed. and also i should track the number of rows added or deleted for a particular category.
  Is it possible with JSP
  a sample code wil also help me a lot
  thanks in advance

  i could not under how ur page structure is but i will try to tell what i used in such a situation where u have to add or remove some elements from the page based on wht the user chooses.
  I put buttons linking to the same page with a variable containing the row id in the url (http://something.com?id=10')
  while displaying the records i will be iterating througnh the data row by row and displaying the text in the table.
  but when i find a row id equal to the rowid passed i display it in another format with a form and text boxes to edit the data and a submit button to submit the data
  like...........
  while (rs.next())
       if(rs.getString("recid").trim().equalsIgnoreCase(request.getParameter("recid").trim()))
  %>
       <form name="form2" method="post" onsubmit="javascript:return ValidateForm(form2)" action="camp_update_msg_a.jsp">
       <tr class="colstyle3">
            <td width="5%" valign="middle"><%= rs.getString("questionno").trim() %></td><td><TEXTAREA NAME="question" COLS=35 ROWS=4 ><%= rs.getString("question").trim() %></TEXTAREA></td><td><TEXTAREA NAME="answer" COLS=15 ROWS=4 ><%= rs.getString("answerno").trim() %></TEXTAREA></td>
            <td><INPUT id="submit1" type="submit" value="Submit"></td><td><a href="camp_del_msg.jsp?campid=<%=request.getParameter(campid").trim() %">&recid=<%= rs.getString("recid") %>">Delete</a></td>
       </tr>
       </form>
  <%           }
  else
       { %>
       <tr class="colstyle3">
            <td width="5%" valign="middle"><%= rs.getString("questionno").trim() %></td><td><%= rs.getString("question").trim() %></td><td><%= rs.getString("answerno").trim() %></td>
            <td><a href="camp_edit_msg.jsp?campid=<%=request.getParameter("campid").trim() %>&recid=<%= rs.getString("recid") %>">Edit</a></td><td><a href="camp_del_msg.jsp?campid=<%=request.getParameter("campid").trim() %>&recid=<%= rs.getString("recid") %>">Delete</a></td>
       </tr>
  <%
  I think this information is helpful to u.......
  Good luck.............</a>

• Role Approver of Removal of Roles

  HI Everyone,
  We are coming across a situation where the management team would like to have the "removed roles" in the access request not require the role approver approval and review. 
  Is there a way that AE allows for this?  I have tested various ways and can only come up with situations where the role approver has to approved removed roles.
  Thoughts?
  Thanks,
  Jerri,

  Hello Jerri,
  For achieving the role deletion without the approver of the role owner, create a different initiator with Request type change and probably some custom attribute and have this initiator configured with a path which has no Role Owner at any of the stages.
  This wil have the Request type "role deletion" with no Role Owner required to approve.
  Regards,
  Hersh.

• Action fo Request Type 21: Role Approval.

  Hello All,
  Can anyone please share what would be the Actions associated with the Request Type 21: Role Approval? I seached a lot in BRM dosuments but its not mentioned anywhere.
  The tasks that I would like to do from this is the changesor creation for the roles should go through an approval process.
  Thankyou.

  Hello Sudesh,
  Thank you for your reply. My question however is that for BRM request for triggering a mail when the role approval is requested(for which I assume I have to activate the request type "Role Approval"), which is the corresponding Action type. My intension is not to create a user when it does not exist or not, but to create a request when the role is changed or created. My emials are getting triggered for other request types, but not only for BRM.
  Thank you!

• Role approver - automatical approver

  Hi,
  We are testing IDM in our organization and we have following scenario. Managers of department are defined as role approvers. For example manager of operative is defined as role approver for role RW_access_operative. As manager of department is also responsible for adding this role to users in his department. Is it possible to setup IDM this way: If manager add role to the user and he is also role approver (and he is only one approver) the IDM will automatically approve this role assignment for it. As managers are complain that they must assign role and then approve it :-( which is time consuming ...
  Thanks for answer

  In your workflow, add a condition where you generate the approvers list.
  1. Read all the approvers for the role selected.(May be a configuration)
  2. If the above list contains only 1 approver = WF owner (Who initiated the workflow), set the list to null and set the variable to approved or true, (so that the rest of the workflow will proceed as if the request is approved).
  3. If the list from #1 has more than 1 approver id, remove the case owner id from the list and generate the approval workitem for the rest of the approvers.
  Thanks,

• My iTunes won't let me add or remove my music or playlists from my iPhone?

  I recently got an iPhone and have downloaded my music from one computer and stuff, but now I have a laptop I can use for my iTunes. I've authorized my apple ID with the computer, but it's still not letting me add or remove things to/from my iPhone. I've looked everywhere and tried everything for a solution but I just can't figure it out. I don't want to lose all the music and stuff that's already on my phone because it would be even more of a hassle to have to re-add all of that. I've tried using the original computer it was synced with instead but i don't have anything i want to transfer on that particular computer. Even so, the music and stuff will say it's transferring but never really does. Can anyone help me? It's rather annoying that no one on the internet seems to have any kind of helpful solution.

  Hi skipper8290,
  Thanks for using Apple Support Communities.  It sounds like you're syncing with a new computer and would benefit from moving your content from the previous computer to your current one.  This article has information on how to accomplish that:
  iTunes: How to move your music to a new computer
  http://support.apple.com/kb/HT4527
  Keep in mind since this is a new computer for the device, it will need to do a complete sync the first time, removing previously synced content.
  Cheers,
  - Ari

• Claim and Approval action giving abnormal behavior in worklist app in oim11gr2.

  hi guys
  we have following environment...
  weblogic 10.3.6 and oim 11g r2 bp03 in two node clustered environment which are load balanced with apache http server,everything was working fine with initially configured oim front end url wls.mycompany.com:80,Then we were forced to change the oimfront end url to identity.mycompany.com:80 by following
  1.oim config change
  2.call back url and worklist app changes in approval task of each composites in soa-infra
  Observed following abnormality behavior in approval workflow of application instance provisioning after oimfrontend url change.
  when approver click on approval task ,the claim action popup window displayed successfully
  when approver claim the action and it completes and popup window persist there with blank display(Observed a chopping  of  front end url from  identity.mycompany.com/identity/faces/...... to www.identity.com/faces/.........Then approver needs to close the popup).
  when approver click on approval task the approve action popup window displayed successfully
  when approver approve the action and it completes and popup window persist there with blank display(Observed a chopping  of  front end url from  identity.mycompany.com/identity/faces/...... to www.identity.com/faces/.......Then approver needs to close the popup).
  Application instance provisioning is working fine even though the above abnormal behavior was there...
  Why this url change is happening and How can we fix the abnormal url change from identity.mycompany.com/identity/faces/......  to   www.identiy.com/faces/...... ?
  Regards,
  Jdev

  Hi Ravi,
  Thnaks for your help.I will add this code and i will let you know.
  But the thing is recently 3 months back i implemented this ESS part in one server it is working fine.I'am able to apply Leave,Claims,Loan,travel from EP and the approver is able to approve the requests from UWL.When clicking on the Request in UWL it is launching a webdynpro iview and i'am able to perform the actions.
  Now i'am facing the problem and i hope i did the same config which i did previuosly.
  What would be the reason any Patch levels?
  Thanks and Regards,
  Praveen

• How to remove Java Applications from "Add and Remove Programs" list?

  I have deployed my Java applications (both JWS and Applet) via JNLP with allow-offline option enabled and without installer-desc option specified.
  My questions are:
  1. An entry is added to the Add and Remove Programs list after launching the application via JNLP. Is it due to the specification of JNLP or JWS? Is there anyway to prevent this behavior?
  2. I removed my application by clearing the cache via Java Control Panel but the entry for the application is still listed in Add and Remove Programs. How can I remove the entry in the Add and Remove Programs?
  I have tried following methods but neither works:
  1.Go to Add and Remove Programs, and click [remove] button to the right of my application.
  *Warning message like 'Application cannot be uninstalled completely' is thrown.
  2.Follow instructions listed @ [Microsoft Online Support site|http://support.microsoft.com/kb/314481/en-us] to remove my application manually via Windows registry.
  *Couldn't find appropriate registry entry to delete.
  Thanks in advance!

  Hi, guys!
  This issue has been officially approved as a new bug (Bug Id: 6946221) for the JDK 1.6_20(might include any release below) release.
  It will take a couple of days for it to be shown up in the external Bug database. However, once it becomes available for viewing on external Bug database.I would like to encourage your valuable participation to vote on this bug to get it fixed ASAP by the SUN developer teams.
  Java Bug Database @
  [http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6946221|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6946221]
  Voting for the bug @
  [http://bugs.sun.com/bugdatabase/addVote.do?bug_id=6946221|http://bugs.sun.com/bugdatabase/addVote.do?bug_id=6946221]
  Thank you for your cooperation!
  Edited by: Jay-K on Apr 23, 2010 12:14 AM

• Uninstall firefox after trying add and remove akso Mozilla,s instructions

  I am using Mozilla Firefox version !8.0(x86 en gb on windows Xp) I wish to un-install Mozilla Firefox. I tried the usual "Add and Remove" from Control Panel, this did not work which in its self is odd. I then tried the Mozilla site and followed those instructions which failed also.It makes me feel uncomfortable that removing a program is made so difficult
  Please advise
  Mike R

  Seeing a couple of errors in the system log is not that unusual, but the number you are seeing is indicating a real problem.
  Did you double-click any of the errors in System Events? It would open a pop-up and give more detailed information on the error and usually has a link to the Microsoft help website concerning that specific error. It is likely the "msi" error is significant, as that is a Microsoft installer file (often used for uninstall also). It seems that either Control Panel is messing up or the msi process is crashing for some reason. The information in that error may contain the answer. If there are error numbers, you could do a search for that error number.
  When you say you "re-formatted" your computer, what exactly do you mean? Did you re-install Windows?
  SparkTrust PC Cleaner could possibly be the culprit. Security software, by design, watches for processes that try to make changes to your computer. Along with cleaning, it also claims to "optimize" the registry, which can lead to big trouble if a critical key is removed by accident. I use Registry Mechanic, but with any cleaner, I never allow it to make changes until I have a chance to examine each proposed change. The first "automatic" registry cleaner I used 15 years ago did severe damage to my machine. Windows became unbootable because of registry damage. I ended up having to re-install Windows from scratch.
  PC Cleaner should not have disabled System Restore. If you haven't made any large installs or changes, System Restore simply may not have created a restore point. But there should have been at least the original when you installed Windows. To verify the settings, right click on "My Computer" and choose "Properties". There should be a System Restore tab where you can verify the allowed size and whether or not it is active.
  It is generally a good idea to manually tell System Restore to create a restore point on occasion, on a day when everything is working as it should.
  Is there a way to temporarily disable SparkTrust? It might be possible it sees the uninstall action as some kind of malware and won't allow it to run. That is simply a guess, but it is generally good policy to disable active security software during an installation (of trusted software), as the security software may interfere with the processes.
  I really don't believe Firefox is the culprit here. I think there is a problem with Windows. I have been using Firefox for well over a decade and have never had an uninstall problem.
  If you can copy and paste error details for the event log, I may be able to learn more.

• Role Approval request not visible in Role Approvers ToDo tab

  Hi IDM Experts,
  We have implemented IDM 7.2 SP8 in our project. We have performed the basic configuration for Identity center and IDM UI. The initial load from CRM is also completed successfully.
  We followed the steps in guide https://scn.sap.com/docs/DOC-26322 to configure workflow such that in case role is requested to be assigned to user, the request goes to role approver(in his todo tab) for approval. The access will then be provisioned into backend CRM system on successfully
  approval. However, we are facing an issue where the Role approver does not get anything in "TODO" tab for approval. The request shows in "Pending" status and logs show that tthe request is pending approval, however, it never appears in role approvers queue.
  Kindly help on the issue. Please provide below information:
  1) We can check in logs that the request is pending approval. Is there any way we can check where is the request routed to and whoose approval is pending here if it did not goto "Role Approver" for approval.
  2) Any trouble shooting mechanism/tool available in IDM to debug issues like this.
  Thanks in advance for your help.
  Thanks and regards,
  Nitin

  Hi Nitin,
  How do you assign the role to the user? if it's trought IDM UI, you loggin with which user?
  There is a limitation on approval with SP08 : the requestor of the assignement can not be define as an approver.... but in this case the approval is automaticaly rejected by the system ...
  in which logs / table can you see that your request is "pending for approval" ?
  I also would recomand you to use the simple scenario "get approver from role/privs" of as krishna mentioned. (unless you need to do more custum actions)
  Besides, you can check approval entries and status in DB views :MXWV_ApprovalQueue ...
  Fadoua

• SOD Detour in Role Approval Workflow possible?

  Hello GRC Experts,
  we have implemented an Access Request Approval Workflow with a Detour Rule (GRAC_MSMP_DETOUR_SODVIOL).
  The second workflow we are working at is the Role Approval Workflow. Is it possible to use the SOD Detour Rule also in Role Approval Workflow? I didnt find the SOD Detour Rule in the MSMP Role Approval Workflow.
  We would like to implement a following Scenario:
  if the role contains an SOD the request should take Path 1 and if not Path 2.
  Is it in MSMP Standard possible or should we use BRF+ for creating a Detour Rule?
  Thanks,
  Best Regards
  Sabrina

  Hi Sabrina,
  For Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement routing rule(based on detour condition - risk found). Purpose of same (if I am not mistaken) is to through the request to another level of approver wherein mitigation monitor agent reviews the mitigation performed by role owner stage and approve/reject the request.
  But, when we create a role same is not the condition as we do not mitigate role level risk thus no need to go for mitigation monitor stage. May be you have some business scenario, if you can let us know will be gr8.
  For the rule ID, did you try adding the rule ID ?(you may already know, still would like to cross check with you).
  GRAC_MSMP_DETOUR_SODVIOL under list of rules for "
  Role Approval Workflow" In the screenshot you have shown, just click on ADD feed -
  Rule ID -GRAC_MSMP_DETOUR_SODVIOL.
  Rule description - same as Access request.
  Rule type - Function module based
  rule kind - routing rule.
  Add this and check if it works and let us know the result too.
  Regards,
  Nishant

• AE 5.2 - Detour Workflows - One of the Role Approver not found

  Hi All,
            My question is regarding using the Detour workflow functionality for the situation below - pls let me know if this possible or if any alternates are available.
  - Main path has 2 stages (1) manager approver, (2) Role Approver.
  If the Requestor asks for a Role that Does not have a Role Approver we would like to route this request to the Security lead.
  - I have created a Detour Path with 1 stages - Secuity lead and associated with Stage 2 (Role approver) of the Main path based on the condition "No Role Owners"
  - I still get the error "Approver not found at Stage @@@@"
  Is the condition "No Role Owner" in the Detour workflow config for "Role Expert" workflows or for Access requests?
  Is it possible to route the Request to Security if the Role being requested does not have a Role Approver? IF yes How?
  thanks
  T

  Hi,
  sometimes in the Detour configuration you have the problem that the "Save" action is not saved properly.
  If this entry is empty, please go into edit mode and save the detour config again, so that the action will actually display "Save".
  Hopefully it works, then.
  Regards,
  Daniela

• CUP: Notification Mail after Role Approval

  Dear SAP Experts
  We are running GRC AC 5.3 SP11.2  and facing a problem with the CUP workflow behavior.
  Each time we change a existing user in the system and assign him at least two new roles with diffrent role owners, we get some problems at the role owner approval stage.
  As soon as the first role owner provides his role approval a message is sent out to the requestor, manager and user that all changes to the user profile are done. This behavior repeats for each role owner which has to provide a approval to that request. The roles it self are assigned to the user account when the last role owner approved the request.
  Under AC 5.2 we had only one mail beeing sent out to the requestor, manager and user when all roles were approved.
  The role owner stage has following settings:
  Approval Type --> All Approvers
  Do we have to customize some more settings as well?
  Many thanks for your help Jeffrey

  Hi Frank
  Following settings are implemented at the role owner stage (last stage before auto provisioning):
  Notification Configuration:
  Approved --> User / Requestor / Manager
  Rejected --> Requestor / Manager
  Different text for mails are maintained
  Additional Configuration
  Risk Analysis Mandatory -> No
  Change Request Content --> Yes
  Add Role --> No
  Path Revaluation for New Roles --> All Roles in Evaluation Path
  Approval Level --> Role
  Rejection Level  --> Role
  Approval Type --> All Approvers
  E-mail Group --> BLank
  Comments Mandatory --> Yes / Rejected
  Request Rejection --> No
  Reroute --> No
  Confirm Approval --> No
  Confirm Rejection --> No
  Reject by E-mail --> No
  Approve by E-mail --> No
  Forward Allowed --> No
  Approve Request Despite Risks -> Yes
  Display Review Screen--> Yes
  Additional Security Configuration (Approval Reaffirm)
  Approve --> No
  Reject --> No
  Create User --> No
  Under AC 5.2 we used the Notification Configuration / Approved Mail to inform the defined persons that the request is approved and provisioning is done. This mail has been sent out only once to the persons after all role owners worked on the request. Obviously AC 5.3 behaves different after we have done the migration:-))
  Jeffrey