Role Member Approval

Similar Messages

• How can I add a user Role member that is from a different domain

  We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers.  As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company
  wide domain (Domain B) so that we can monitor other departments devices as the leverage this system.
  Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers.  One of the next steps we are working on before rolling it out is giving specific users access
  to view only their own devices, dashboards, and groups.  So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account.  I'm seeing Event ID 26319 with Error Code 1332.
  How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console?  Is this possible?
  Here is the Error I'm seeing.
  Log Name:      Operations Manager
  Source:        OpsMgr SDK Service
  Date:          2/4/2015 1:11:59 PM
  Event ID:      26319
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      xxxxx.xxxx.xxxxxxxx.xxx
  Description:
  An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
   Exception message: The creator of this fault did not specify a Reason.
   Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
  Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="OpsMgr SDK Service" />
      <EventID Qualifiers="49152">26319</EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
      <EventRecordID>172748</EventRecordID>
      <Channel>Operations Manager</Channel>
      <Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
      <Security />
    </System>
    <EventData>
      <Data>UpsertUserRolesV2</Data>
      <Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
      <Data>The creator of this fault did not specify a Reason.</Data>
      <Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
  Unable to resolve the user [email protected]  associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
    </EventData>
  </Event>
  Thanks for any help I can get in resolving this issue.
  Jake

  The SCOM Management Server is in Domain A.  I've tried it already and it has failed.  
  So just to clarify the method I used was to go to Administration>Security>User Roles.  Then New User Role>Read-Only Operator.  In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.
   Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine.  On
  the next page which is Group Scope I checked the one group I want this account to have access to and then click next.  This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are
  approved" and chose the folder of dashboards I want this account to access and then click next.  This brings me to the Summary and I click "Create".  At this point it thinks for a moment then closes out the wizard but the new Read-Only
  Operator does not appear.  I then look in Event Viewer and see the Event I pasted above.
  Am I doing something wrong here?  Any guidance on how to get around this issue would be much appreciated.
  Thanks,
  Jake

• Role with Approval limits.  - urgent

  Hi,
  Ver : ECC 6
  Workflow : Contract workflow (n-step)
  I have to replace the agent determination logic for this workflow. Approvers are going have different roles (PFCG) with approval limit.
  Based on the value of contract, it should pick up the right apprver(s). i have no clue how to implement this. cud anyone of you please help me on this to achieve the solution??
  Thanks
  Jayanthi.K

  Hi Jayanthi,
  Then check the BADI's Parameter interface. Check if this BADI has any relation to the workflow, I mean check if the parameter interface is connected to Workflow Container elements(May be to the Agents Container element). If so, then based on the Import parameters, get the role and it's personalized parameter(Approval Limit), based on the condition, you must be able to populate the appropiate agent and send it back to the workflow.
  BTW,Howz the Agent determination done actually for that standard task? I mean is it through Expression or Rules ? If it is through rules, then I should really doubt the usage of BADI in your scenario.
  Am sorry, we dont have SRM implemented in our current site, Else, I must have found you a way out.
  Regards
  <i><b>Raja Sekhar</b></i>

• Making comments mandatory for only some roles when approving CUP requests.

  Does anyone know if there is a way to make Comments required in CUP requests when approving a request for just certain roles?  We don't want comments to always be required, just if you are approving a request for Role XXX for example.
  I tried using the Comments Mandatory setting that is available on the Role Details screen (along with the associated flags on the Roles/Role Selection screen), but this only seems to require a 'request reason' for the role when the request is being built.  It doesn't require comments when the request is being approved.  (There also appears to be a bug with this because this request reason doesn't show up anywhere in the request after it is built.)
  I know you can set the Comments Mandatory on for the workflow stage, but then you have to enter a comment for every request, regardless of the roles.  We are wanting them to required only for a few specific roles.
  We are on GRC 5.3 11.2.
  Thanks.

  Hi Bob,
  It is not possible to enable the comment option only for few roles. Either it can be on for all, or off.
  Rgds,
  Raghu

• GRC Access Control 5.3 CUP Role Provisioning Approval Buttons Missing

  When Approvers receive a Request in Compliant User Provisioning via email they click on the link but the action buttons are missing. (example approval, reject approval buttons are missing).  When they log in through the lauch pad the action buttons are visible.

  Hi,
  I would first check the links in the Application and redirect fields of the SMTP configuration.
  Then I would check the authorisations as these buttons are governed by authorisation actions.
  You can also look at the stage configuration and check whether th request reject field is set to show that button.
  Simon

• 'Approve' button not displaying in the Approve Role screen Inbox - AC 10

  Hello Gurus,
  I have a challenge and I'd be glad to have it fixed.
  I am configuring Role Management in GRC AC 10.0.
  I am in Approve Role phase.
  After clicking on Initiate Approval....It send the request to the Role Owner's work inbox for approval.
  However, when the role owner logs in, only the "Other actions" button shows. The "Approve" button does not show.
  The "other actions" have options for "Hold" and "Request information"
  Please note the following in the MSMP settings.
  I am using the default settings in MSMP
  Process ID - SAP_GRAC_ROLE_APPR
  Maintain Path (Path ID - GRAC_DEFAULT_PATH ) & Stage Config ID - GRAC_DEFAULT_STAGE
  Maintain Route Mapping - GRAC_ROLEAPPR_INITIATOR
  Generate Version - Version generation was successful.
  I have also assigned the following roles to the ROLE OWNER
  SAP_GRAC_BASE
  SAP_GRAC_NWBC
  SAP_GRAC_ROLE_MGMT_DESIGNER
  SAP_GRAC_ROLE_MGMT_ROLE_OWNER
  SAP_GRAC_ROLE_MGMT_USER
  Please help me...what am I doing wrong?
  Thanks

  Hi Colleen,
  Thanks for reply. I have configured the workflow with default path and with one stage (role owner approval). When we create roles, request is being sent for role owner for approval.
  Role owner is able to see the request in workplace inbox. But not able to approve it. We are getting the same kind of error when we raise requests for user access also (you can see the error screen shot for access request and the same kind of error is occurring for role approval also).
  All requests are stuck up at role owner for approval. Quick response is much appreciated.
  Regards
  Sasi

• GRC 10.0 - Auto Approve default roles

  Hello All,
  Could you please help out me in the below scenarios.
       1) We have maintained default roles in NBWC- Access Management - Default roles.
       Also set the parameter 2038 to Yes- Auto approve roles without approver.
  In MSMP we have maintained Escape path if approver is not found at the role level.
  As default roles have no approver maintained request is taking the Escape Path which should not happen.
  We just want to auto approve the defualt roles and other than defualt roles request should take escape path if no approver found.
       2) In other action its quite same as the above one.
       When we are using provisioning type REMOVE for role removal. Request also takes the Escape path as Defualt roles has no approver.
  Once the ,Manager at first stage is approved, request should close for the removal type access.
  Please advise. Thanks in advance.

  In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
  The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
  In your case, if you want "default roles" auto approved, easiest thing to so is create an empty path (i.e. No stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), go to the path with no stages.
  BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki

• GRC10 Role vs Request Approval

  Gurus, we are currently attempting to maintain the approval and rejection setting at the Request (vs the Role, System and Role) level for one of our stages. Irrespective of this setting being maintained at the Request level, when reviewing the request, the Approval Status column is still visible. Therefore the approver can still reject/approve individual roles within the request, vs rejecting/approving the request as whole. The status is set to 'Partially Ok'. This causes issue with our integration with NW IdM. I can maintain other stage settings that are reflected in the stage; once the workflow is re-activated; the role/request approval setting seems to have no impact. How do make this setting change so its reflected at the stage?
  We recently upgraded to SP7 in hopes that this issue would be resolved. Unfortunately it still exists. While we wait for SAP to get back to us on this I figured I would see if anyone else faced this same issue.
  Insight is appreciated.

  you can follow these videos to see if you can get a basic manager approval working for a self request resource.
  http://www.youtube.com/watch?v=KCA_cxKsi_o&feature=channel_video_title

• Removing the approval stage in the process of creation / maintenance roles (BRM)

  Gentlemen,
  Would help to change my process of creating and maintaining Roles via BRM.
  I want to remove the last phase of my process is approval.
  Thank you very much.

  Hi Andrzej,
  Thanks for the feedback.
  I've realized that change as you said.
  New roles for the process appears without the approval stage, but in the maintenance of existing roles the approval stage still appears.
  I must change the configuration to another location?
  Thank you.

• Approver for the application role not working out

  Hi,
  I have created a role with type application and Approver A, then created a business role with the Approver B and included application role into the business role.
  When i assign this business role to a user the only request for approval goes to Approver B and after approval the both application and business roles are assigned. Strangely it seem to skip the Approver A. I did even remove the approver in business role, leaving only approver in application role, still same result - it skips Approver A.
  I'm using IDM 8.0.0.1, any ideas why it would skip the approver in the included role?
  Thanks!

  Thanks for the quick reply. I've tried optional with approval and here is what I found.
  It seems I need a combination of the two. My end goal is to have a second level approval, one group would be responsible for approving the business role and the system owners would be responsible for approving the nested application roles. When a user requests the business role, they must have approvals for the business role and all of the nested application roles for their request to be completed.
  If the app. roles are required, the workflow automatically incorporate the nested appl. roles in the request but does not require approval for them. If they are conditional with approval, the user would have to submit a second request to get all of the nested application roles. It looks like I need a combination of the two, required with approval.
  I need it to behave like it does when you have a role with approver that includes resources with an approver. The role and resources must all be approved before the request can be completed successfully.
  I'm trying to see if this is possible through the GUI before I customize the workflow.

• CUP: Notification Mail after Role Approval

  Dear SAP Experts
  We are running GRC AC 5.3 SP11.2  and facing a problem with the CUP workflow behavior.
  Each time we change a existing user in the system and assign him at least two new roles with diffrent role owners, we get some problems at the role owner approval stage.
  As soon as the first role owner provides his role approval a message is sent out to the requestor, manager and user that all changes to the user profile are done. This behavior repeats for each role owner which has to provide a approval to that request. The roles it self are assigned to the user account when the last role owner approved the request.
  Under AC 5.2 we had only one mail beeing sent out to the requestor, manager and user when all roles were approved.
  The role owner stage has following settings:
  Approval Type --> All Approvers
  Do we have to customize some more settings as well?
  Many thanks for your help Jeffrey

  Hi Frank
  Following settings are implemented at the role owner stage (last stage before auto provisioning):
  Notification Configuration:
  Approved --> User / Requestor / Manager
  Rejected --> Requestor / Manager
  Different text for mails are maintained
  Additional Configuration
  Risk Analysis Mandatory -> No
  Change Request Content --> Yes
  Add Role --> No
  Path Revaluation for New Roles --> All Roles in Evaluation Path
  Approval Level --> Role
  Rejection Level  --> Role
  Approval Type --> All Approvers
  E-mail Group --> BLank
  Comments Mandatory --> Yes / Rejected
  Request Rejection --> No
  Reroute --> No
  Confirm Approval --> No
  Confirm Rejection --> No
  Reject by E-mail --> No
  Approve by E-mail --> No
  Forward Allowed --> No
  Approve Request Despite Risks -> Yes
  Display Review Screen--> Yes
  Additional Security Configuration (Approval Reaffirm)
  Approve --> No
  Reject --> No
  Create User --> No
  Under AC 5.2 we used the Notification Configuration / Approved Mail to inform the defined persons that the request is approved and provisioning is done. This mail has been sent out only once to the persons after all role owners worked on the request. Obviously AC 5.3 behaves different after we have done the migration:-))
  Jeffrey

• ARQ: How to configure Role Approve/Reject Email Notifications???

  Hi,
  I would like to achieve below for my business scenario with below MSMP stage configurations:
  MSMS Stages Configurations:
  MANAGER --> Can act on both request and line items level
  Role Owner--> Can ONLY act on line items
  Requirement
  In best case, a Manager approves all the line items in an Access Request. Then an email notification mail for "NEW WORK ITEM" would be sent to Role Owner(s) at next stage. This is achieved.
  Now at Role Owner Stage, below 3 cases are possible:
  1. All Role Owners can approve the line items
  2. All Role Owners can reject the line items
  3. Some of the Role Owners approve and Some of them reject line items
  In all the above cases, a Role Owner ALWAYS click on "SUBMIT" button (as he is not authorized to reject a request as a whole) and this action is considered to be as "APPROVED" and eventually, "APPROVED" event is triggered.
  This looks good in case numbers: 1 & 3. Meaning, even a single role is approved, request can be considered as approved and the request details can be sent to business user.
  However, I am facing a problem when ALL the line items are rejected by ALL the Role Owners!
  This will surely close the request. However, the email notification that will be sent to user in this case will be of "APPROVED" though the request is rejected in a sense (because all the roles are rejected)!
  Can anybody please he understand this and design proper solution?
  Regards,
  Faisal

  Hi Faisal,
  We are on GRC SP13.
  Please do below settings to make role approval/rejection comments mandatory.
  2040 - Set this parameter value as YES
  In MSMP - Role Owner - Stage settings - Please maintain these settings
  I have come across the same scenario as yours. Below is my observation.
  When all role owners rejects all roles by REJECTING roles at LINEITEM level, request instead of getting closed at ROLE OWNER stage, it is going to next stage and getting closed there. I assume this is standard behaviour
  Let's see if we can get experts advise on this.
  Regards,
  Madhu.

• Approval Process for Role in OIM

  Experts,
  When a role is approved for a user in OIM, can we stop the user without getting assigned to the role immediately.
  We would like this scenario, user requests for role, the role owner approves it in OIM and then the role assignment happens in OIA.(or)
  User requests for the role, the approval workflow sends the request to OIA for approval from role owner , once approved it can be assigned in OIA and then automatically reflected in OIM as well.
  Which option is more feasible...and recommended?
  Thanks,
  Krish

  Thanks Kevin for the reply.
  Approval process code will be initiated in OIM and approving happens in OIA. Once approved, the role can as well be assigned in OIA. This can update OIM automatically by assigning the user with the requested role.
  (Or)
  Approval process code will be initiated in OIM, approving also happens in OIM, the role also gets assigned in OIM and an OIA updates this change accordingly.
  Which one would be recommended?
  Krish.

• How to change a Server with DC role to a member of a DC

  Dear All,
  I have a Server which is connected on the Local Network.
  My server consists of 5 VM's.
  I would like to make my Host Machine a DC and the all the VM's as the member of this Host DC. (I can do this...No Problem)
  What I am worried about is, Later If I need to add my Host Machine Dc as a member of DC
  of Local Network Domain Controller.
  This means If i need to change the role of my DC to the role member of another DC! 
  Is it Possible? If possible then how to do it.
  Thankyou and Regards,
  Ahmed

  Hi Ahmed,
  Thanks for your reply.
  Since your questions are related to Hyper-V, I am sorry to say that I am not an expert for Hyper-V. I recommend you to ask in Hyper-V forum below and you will get professional assistance there:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver&filter=alltypes&sort=lastpostdesc
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• How to trigger approval request for resources after assigning role

  Hi,
  We have a use case where we need to assign resources to user via assigning roles.
  In order to achive this use case
  1. we have created a role and assigned the access policy to it which contain the resources to be provisioned once the role is assigned to the user.
  2. Created a SOA composite having manager approval and assigned this composite to a approval policy of type 'Assign Role'.
  3. I am already having the approval policy for the resources which are present in roles. The approval policy of resources is of type "Provision Resource".
  4. Also the SOA composite for resource apporal is deployed in OIM and assigned to the approval policy.
  5. Now when I am raising the request from OIM of type "Assign Role" the approval defined in the SOA composite for Role approval gets triggered. After approving the role request the role is assigned to the user and also the resources defined in the access policy gets provisioned to teh user account.
  Now I want to trigger the resource approval process after the role approval instead of directly provisioning the resources. So that once the role is approved the individual Approval Process of resources part of roles should also gets invoked. Based on the approval or rejection of resources approval, the resource gets assigned to the user.
  Please let me know how to achieve the above use case.
  Thanks in advance

  Access policy is saying whoever gets xyz role, will get this abc resource. Now once a user gets xyz role, you are stopping to get abc resource? both are contradictory. Don't go through access policy. User is anyway going to request for roles. Modify your flow and make user request for resource. Have your composite and approval policy attached. User will get resource once it is approved.
  regards,
  GP