Role Expert Role Approval Error

Hi,
When I am trying to change a role and click on the approval tab in Role Expert, I am getting the following error.
Unknown error occured while performing operation (Service call exception; nested exception is: com.sap.exception.io.SAPIOException: <Localization failed: ResourceBundle='com.sap.exception.io.IOResourceBundle', ID='Could not create SSL socket:java.net.UnknownHostException r--.https', Arguments: []> : Can't find resource for bundle java.util.PropertyResourceBundle, key Could not create SSL socket:java.net.UnknownHostException r------.https)
Is there something we do in Visual Administrator, like maintaining destinations?
Please help me with this...
Thanks in advance.

Guru-
After further investigation of your error, it looks like you are calling the wrong Webservice URI.
Make sure you are using the correct URI in the Configuration - Misc of RE. You have to enter the AEWFRequestSubmissionService_5_2 URI. Copy the shortcut from the Document file.
Try that, and see if it works...
Ankur
GRC Consultant

Similar Messages

  • AE 5.2 - Detour Workflows - One of the Role Approver not found

    Hi All,
    My question is regarding using the Detour workflow functionality for the situation below. Please let me know if this is possible or if any alternatives are available.
    - Main path has 2 stages (1) manager approver, (2) Role Approver.
    If the Requestor asks for a Role that Does not have a Role Approver we would like to route this request to the Security lead.
    - I have created a Detour Path with 1 stage - Security lead and associated with Stage 2 (Role approver) of the Main path based on the condition "No Role Owners"
    - I still get the error "Approver not found at Stage @@@@"
    Is the condition "No Role Owner" in the Detour workflow config for "Role Expert" workflows or for Access requests?
    Is it possible to route the Request to Security if the Role being requested does not have a Role Approver? IF yes How?
    thanks
    T

    Hi,
    sometimes in the Detour configuration you have the problem that the "Save" action is not saved properly.
    If this entry is empty, please go into edit mode and save the detour config again, so that the action will actually display "Save".
    Hopefully it works, then.
    Regards,
    Daniela

  • Cannot edit any roles in CUP5.2 due to "Enter a valid Role Name" error

    We are running CUP 5.2.
    I am having a problem with our Roles after they were uploaded into CUP; I cannot make any changes to the Role Details because CUP returns an error stating that our Role Names are invalid.
    First I uploaded the roles (I continued to receive errors when trying to use the template, so I did them by uploading with the "Selected Roles" option). 
    Once they were uploaded, from the menu, I select:    Roles --> Search Role    and then I choose a role from the resulting list.  When the next screen appears (the "Role Details" screen), I added all of the respective details (Business Process, Sub-Process, Detailed Description, Role Approver, Functional Area, etc.).   When I pressed the SAVE button, I received the following error:
    Please correct the following errors:
    Please enter a valid "Role Name". Only Alpha-numeric, Space or Underscore characters are allowed
    So I realize what the problem is - the "Role Name" field is automatically populated with our security role name as it exists in our SAP system ... and because our security roles all begin with Z:, it does not follow the CUP naming convention. 
    I'd like to just update the "Role Name" field but when you are in the "Role Details" screen, the "Role Name" field cannot be edited.
    I saw the "Export" button and used that, in an attempt to edit the file to replace each occurrence of Z: with Z_, and then upload it again.
    So I updated the file accordingly, and then did an upload, selecting the "Overwrite Existing Roles" box.
    It returned a successful message:
    Import Status: 133 successfully imported out of 133 records found
    Yet, when I go back to the list of roles, the roles still exist as Z: instead of Z_ so I still cannot edit any of the roles to add the required details ...  has anyone had a similar issue and know how to work around this?
    Thanks!

    Hello Alpesh,
    Thank you for replying!
    I had already tried to export the roles and replaced the Z: with Z_ before creating this message, but the upload attempts failed due to the explanation above.  But this time, I followed your (good) advice to delete the original Z: roles first, before uploading the corrected file.
    Sadly, even after I deleted the original Z: roles prior to uploading the corrected file, I am still having no luck ... when I uploaded the file, again it (falsely) reports that the import was successful:
        Import Status: 133 successfully imported out of 133 records found
    After seeing that message, I quickly checked the roles, and none of the roles had uploaded.  So now I have ZERO roles.
    Any further ideas?  I am thinking it may be something very small that is being overlooked ... perhaps certain buttons must be selected/not selected on the import screen?  Or could it be an issue with the file itself?
    When I do the import, I only select the button for "From File ..." and retrieve the file from my desktop via the Browse button.  I do not select any other button, nor do I make a selection from the System or Role Source boxes.  I have just selected that one button only ... I've tried it with and without checking the "Overwrite Existing Roles" box, but neither one works.
    The part that bugs me the most is that I receive what I perceive to be an inaccurate/bogus "successful" status each time I attempt the upload of the file.  At least if I had an error message, I might have something to work with to troubleshoot this.

  • Role Approval request not visible in Role Approvers ToDo tab

    Hi IDM Experts,
    We have implemented IDM 7.2 SP8 in our project. We have performed the basic configuration for Identity center and IDM UI. The initial load from CRM is also completed successfully.
    We followed the steps in guide https://scn.sap.com/docs/DOC-26322 to configure the workflow such that, in case a role is requested to be assigned to a user, the request goes to the role approver (in his todo tab) for approval. The access will then be provisioned into the backend CRM system on successful approval. However, we are facing an issue where the Role approver does not get anything in the "TODO" tab for approval. The request shows in "Pending" status and logs show that the request is pending approval, however, it never appears in the role approver's queue.
    Kindly help on the issue. Please provide below information:
    1) We can check in logs that the request is pending approval. Is there any way we can check where the request is routed to and whose approval is pending here if it did not go to "Role Approver" for approval?
    2) Any troubleshooting mechanism/tool available in IDM to debug issues like this.
    Thanks in advance for your help.
    Thanks and regards,
    Nitin

    Hi Nitin,
    How do you assign the role to the user? If it's through the IDM UI, which user do you log in with?
    There is a limitation on approval with SP08: the requestor of the assignment cannot be defined as an approver... but in this case the approval is automatically rejected by the system...
    In which logs / table can you see that your request is "pending for approval"?
    I would also recommend you use the simple scenario "get approver from role/privs", as Krishna mentioned (unless you need to do more custom actions).
    Besides, you can check approval entries and status in DB views: MXWV_ApprovalQueue ...
    Fadoua

  • SOD Detour in Role Approval Workflow possible?

    Hello GRC Experts,
    we have implemented an Access Request Approval Workflow with a Detour Rule (GRAC_MSMP_DETOUR_SODVIOL).
    The second workflow we are working on is the Role Approval Workflow. Is it possible to use the SOD Detour Rule also in the Role Approval Workflow? I didn't find the SOD Detour Rule in the MSMP Role Approval Workflow.
    We would like to implement a following Scenario:
    if the role contains an SOD the request should take Path 1 and if not Path 2.
    Is it in MSMP Standard possible or should we use BRF+ for creating a Detour Rule?
    Thanks,
    Best Regards
    Sabrina

    Hi Sabrina,
    For Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement a routing rule (based on detour condition - risk found). The purpose of the same (if I am not mistaken) is to throw the request to another level of approver wherein the mitigation monitor agent reviews the mitigation performed by the role owner stage and approves/rejects the request.
    But when we create a role the same is not the condition, as we do not mitigate role level risk, thus no need to go for the mitigation monitor stage. Maybe you have some business scenario; if you can let us know, that will be great.
    For the rule ID, did you try adding the rule ID? (You may already know, still would like to cross check with you.)
    GRAC_MSMP_DETOUR_SODVIOL under list of rules for "Role Approval Workflow". In the screenshot you have shown, just click on ADD feed -
    Rule ID - GRAC_MSMP_DETOUR_SODVIOL.
    Rule description - same as Access request.
    Rule type - Function module based
    rule kind - routing rule.
    Add this and check if it works and let us know the result too.
    Regards,
    Nishant

  • Role approver removed from role in GRC

    Hello Experts,
    I am a fresher to SAP GRC. Please help me on the below issue.
    In SAP GRC 5.3,  for some roles role approver has been removed and some roles automatically uploaded to GRC. The role that are uploaded to GRC should not be and while checking there is no change log for the role. For other roles for which role approver have been removed, also there is no log for which recent approver have been removed.
    Can you tell how it happened and who did this or way to troubleshoot.
    Thanks in Advance.
    Biswaranjan

    Hello samiran,
    Thanks for your reply.
    Yes we have already uploaded the OLD file. But my concern is how we can troubleshoot to find out how it was corrupted as no one did the change.  we can find the change log for the approver change for any role in GRC 5.3 .
    Or it is not possible to find out how it happened???
    Regards,
    Biswaranjan

  • CUP: Notification Mail after Role Approval

    Dear SAP Experts
    We are running GRC AC 5.3 SP11.2  and facing a problem with the CUP workflow behavior.
    Each time we change an existing user in the system and assign him at least two new roles with different role owners, we get some problems at the role owner approval stage.
    As soon as the first role owner provides his role approval, a message is sent out to the requestor, manager and user that all changes to the user profile are done. This behavior repeats for each role owner who has to provide an approval to that request. The roles themselves are assigned to the user account when the last role owner has approved the request.
    Under AC 5.2 we had only one mail being sent out to the requestor, manager and user when all roles were approved.
    The role owner stage has following settings:
    Approval Type --> All Approvers
    Do we have to customize some more settings as well?
    Many thanks for your help Jeffrey

    Hi Frank
    Following settings are implemented at the role owner stage (last stage before auto provisioning):
    Notification Configuration:
    Approved --> User / Requestor / Manager
    Rejected --> Requestor / Manager
    Different text for mails are maintained
    Additional Configuration
    Risk Analysis Mandatory -> No
    Change Request Content --> Yes
    Add Role --> No
    Path Revaluation for New Roles --> All Roles in Evaluation Path
    Approval Level --> Role
    Rejection Level  --> Role
    Approval Type --> All Approvers
    E-mail Group --> BLank
    Comments Mandatory --> Yes / Rejected
    Request Rejection --> No
    Reroute --> No
    Confirm Approval --> No
    Confirm Rejection --> No
    Reject by E-mail --> No
    Approve by E-mail --> No
    Forward Allowed --> No
    Approve Request Despite Risks -> Yes
    Display Review Screen--> Yes
    Additional Security Configuration (Approval Reaffirm)
    Approve --> No
    Reject --> No
    Create User --> No
    Under AC 5.2 we used the Notification Configuration / Approved Mail to inform the defined persons that the request is approved and provisioning is done. This mail has been sent out only once to the persons after all role owners worked on the request. Obviously AC 5.3 behaves different after we have done the migration:-))
    Jeffrey

  • ARQ: How to configure Role Approve/Reject Email Notifications???

    Hi,
    I would like to achieve below for my business scenario with below MSMP stage configurations:
    MSMP Stages Configurations:
    MANAGER --> Can act on both request and line items level
    Role Owner--> Can ONLY act on line items
    Requirement
    In best case, a Manager approves all the line items in an Access Request. Then an email notification mail for "NEW WORK ITEM" would be sent to Role Owner(s) at next stage. This is achieved.
    Now at Role Owner Stage, below 3 cases are possible:
    1. All Role Owners can approve the line items
    2. All Role Owners can reject the line items
    3. Some of the Role Owners approve and Some of them reject line items
    In all the above cases, a Role Owner ALWAYS click on "SUBMIT" button (as he is not authorized to reject a request as a whole) and this action is considered to be as "APPROVED" and eventually, "APPROVED" event is triggered.
    This looks good in case numbers: 1 & 3. Meaning, even a single role is approved, request can be considered as approved and the request details can be sent to business user.
    However, I am facing a problem when ALL the line items are rejected by ALL the Role Owners!
    This will surely close the request. However, the email notification that will be sent to user in this case will be of "APPROVED" though the request is rejected in a sense (because all the roles are rejected)!
    Can anybody please help understand this and design a proper solution?
    Regards,
    Faisal

    Hi Faisal,
    We are on GRC SP13.
    Please do below settings to make role approval/rejection comments mandatory.
    2040 - Set this parameter value as YES
    In MSMP - Role Owner - Stage settings - Please maintain these settings
    I have come across the same scenario as yours. Below is my observation.
    When all role owners reject all roles by REJECTING roles at LINEITEM level, the request, instead of getting closed at the ROLE OWNER stage, is going to the next stage and getting closed there. I assume this is standard behaviour.
    Let's see if we can get experts' advice on this.
    Regards,
    Madhu.

  • Send Email Notification to Assignees in Role Approval Workflow in OIM 11g

    Hi Experts,
    I am using a Custom Workflow for Role Approval in OIM (11.1.1.5.4). It is a two stage Approval Process.
    First level Approval is Requester's Manager and Second Level Approver are Role Owners(Two users who are Role Owner in OIM).
    I want to send an Email Notification to these Assignees when a request is assigned to them. So I have done the Email configurations in SOA, and I am receiving mail in English.
    But the requirement is that the mail's language should be dependent on the Locale of these users.
    For example, if the locale of the Manager is German, then the Manager should receive the mail of the Request assigned in German.
    And after the manager accepts the request, the Request goes to the Role Approvers, where we have two users, so mail should go to these two users according to their respective Locale.
    So how can I achieve this?
    Thanks!!
    TJ

    One option would be to create views and then use the oob daily alert for each manager. If the number of managers is too much, then you should consider a custom timer job. 
    Your suggested approach is possible, but has potential issues in execution. I'd suggest the timer job first.
    Andy Wessendorf SharePoint Developer II | Rackspace

  • Invalid Security role-name error in Web Project

    Hi All,
    I have imported a J2EE application project built in JBOSS into NWDS 7.1.
    While building the project I get the following error:
    CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
    This error directs me to the following code in web.xml
    <security-constraint>
         <display-name>Default JSP Security Constraints</display-name>
         <web-resource-collection>
              <web-resource-name>Portlet Directory</web-resource-name>
              <url-pattern>/jsp/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>PEHNTAHO_ADMIN</role-name>
         </auth-constraint>
         <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    I have tried out the following things to resolve this issue:
    1) Remove the role manually (as suggested by various people in other J2EE forums), but then some other error came into the picture
    2) Then I added the following code in web.xml
    <security-role>
         <role-name>PEHNTAHO_ADMIN</role-name>
    </security-role>
    Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
    Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
         java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
    sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
    version status: HIGHER
    deployment status: Admitted
    description:
              1. Error:
    Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
    ERRORS:
    Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <!-- whole web.xml-->
    </web-app>
    " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
    WARNINGS:
    Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
    3) I had also added the following code in web-j2ee-engine.xml
    <security-role-map>
         <role-name>PEHNTAHO_ADMIN</role-name>
         <server-role-name>all</server-role-name>
    </security-role-map>
    but still I get the same deployment error.
    Please help me in resolving this problem.
    Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
    Thanks and Regards,
    Sruti

    Hi Malathy,
    Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
    Could you please let us know you created a roles named users in WLS ?
    Thanks & Regards,
    Murali.
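
The post above reports that the CHKJ3020E build error goes away once the role named in `<auth-constraint>` is also declared in a `<security-role>` element. The following check is an added example, not code from the original post or from NWDS: it lists roles that web.xml references without declaring, using a constructed descriptor modelled on the snippet in the post. The function name `undeclared_roles` and the sample strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Elements whose <role-name> child has to match a declared <security-role>.
REFERENCING = {"auth-constraint", "run-as"}
# Wildcards defined by the servlet spec; they are not role names.
WILDCARDS = {"*", "**"}


def _local(tag):
    """Drop an XML namespace so DTD-based and schema-based descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _role_names(element):
    """Return the non-empty <role-name> values directly under element."""
    names = set()
    for child in element:
        text = (child.text or "").strip()
        if _local(child.tag) == "role-name" and text:
            names.add(text)
    return names


def undeclared_roles(web_xml_text):
    """Return a sorted list of roles that are referenced but never declared."""
    root = ET.fromstring(web_xml_text)
    declared, referenced = set(), set()
    for element in root.iter():
        name = _local(element.tag)
        if name == "security-role":
            declared |= _role_names(element)
        elif name in REFERENCING:
            referenced |= _role_names(element) - WILDCARDS
    return sorted(referenced - declared)


# Constructed sample: same shape as the descriptor quoted in the post.
BEFORE = """<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <security-constraint>
    <display-name>Default JSP Security Constraints</display-name>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PEHNTAHO_ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same descriptor with the declaration added.
AFTER = BEFORE.replace(
    "</web-app>",
    "  <security-role>\n"
    "    <role-name>PEHNTAHO_ADMIN</role-name>\n"
    "  </security-role>\n"
    "</web-app>",
)

if __name__ == "__main__":
    print("before:", undeclared_roles(BEFORE))
    print("after: ", undeclared_roles(AFTER))
```

The check covers only the role declaration; it does not address the deployment error quoted later in the same post.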

  • How to define role approver/owner - through condition id in ERM 10.0

    Hi All,
    We have created a BRF + rule for Role approver with Business Process & Function area by giving the Result value as Condition ID eg., Z001
    We have provided this condition ID Z001 - in Role Owners table [Under Set Up- Role Owners] and defined the role approver and assignment approver with the User details.
    Now when we are trying to create a role with the above attribute combination of Business Process & Function area - the role is not picking up the Role Owners automatically in Owners/Approver tab [In 5.3 we can maintain approval criteria where we can define the role owners/approvers based on different attributes].
    Are we missing any configuration setting here for auto pick up of Role Owners based on defined attributes from Role Owner table.
    Thanks and Best Regards,
    Srihari.K

    Hello All,
    Please help us , I am also struggling with same issue.
    Thanks in advance,
    Jagat

  • Role Approval workflow and generation

    hi to all,
    can you just suggest me, what is the role approval workflow and tell brief about it
    give me any workflow
    thanks in advance
    Ramesh

    Hi Ramesh,
    Approval workflow is the way you can think of a process for approving a user to be created or assigned a group in the org. Example: User Create in HR -> Manager gets email notification -> Manager approves the user -> Division manager gets notified -> email sent to Helpdesk for a PC -> etc.
    Role Approval sounds like if the user is to be assigned a ROLE via an Approval Process before it gets created in LDAP. The provisioning will happen not just for the User but for the appropriate group according to the Role.
    Dev

  • Role Approver of Removal of Roles

    HI Everyone,
    We are coming across a situation where the management team would like to have the "removed roles" in the access request not require the role approver approval and review. 
    Is there a way that AE allows for this? I have tested various ways and can only come up with situations where the role approver has to approve removed roles.
    Thoughts?
    Thanks,
    Jerri,

    Hello Jerri,
    For achieving the role deletion without the approver of the role owner, create a different initiator with Request type change and probably some custom attribute and have this initiator configured with a path which has no Role Owner at any of the stages.
    This will have the Request type "role deletion" with no Role Owner required to approve.
    Regards,
    Hersh.

  • Action fo Request Type 21: Role Approval.

    Hello All,
    Can anyone please share what would be the Actions associated with the Request Type 21: Role Approval? I searched a lot in BRM documents but it's not mentioned anywhere.
    The task that I would like to do from this is that the changes or creation for the roles should go through an approval process.
    Thank you.

    Hello Sudesh,
    Thank you for your reply. My question however is that for BRM request for triggering a mail when the role approval is requested (for which I assume I have to activate the request type "Role Approval"), which is the corresponding Action type. My intention is not to create a user when it does not exist or not, but to create a request when the role is changed or created. My emails are getting triggered for other request types, but not only for BRM.
    Thank you!

  • Role Approver Actions-Add, Keep, Remove

    Currently, our role approvers were not able to modify the action of (ADD, KEEP, REMOVE). This field was greyed out and it was passed in by IDM as ADD or REMOVE depending on what the user selected. We just implemented SP12 for CUP. We noticed that under Workflow>Stage>Change Request Content, if this is set to YES then the approver has the ability to perform the functions below. 1 & 2 are ok. We reject roles at the role level on the request. However, we want to disable the ability for the role approver to modify ADD, REMOVE, KEEP on #3.
    1.  Approver can reject
    2.  Approver can modify the Valid State Date and Valid To Dates
    3.  Approver can modify the action and change it to KEEP or REMOVE.  We want to disable this drop-down selection.
    We noticed that if we Workflow>Stage>Change Request Content and change the value to No then the role approver can no longer reject the role.
    Does anyone know how to disable this functionality so that role approvers cannot change the action on the request?

    SAP confirmed that there is no way to turn this feature off if the approver needs to reject at the role level, so this will be a process change we need to implement most likely. However, it would appear that with the Add Role feature turned on there is a new button called Existing Roles/Groups that is displayed. Approver can now view the roles assigned in the SAP ABAP back-end without adding new roles, which is very nice that it is display only. Thank you for your quick response to my question.
    New question:  Do you know if there is a web service that is used to call this new feature Existing Roles/Groups.  We would like to utilize that for our IDM system to call a web service and display this on the request form.
