Role Owner in CUP

Dear Experts,
Could you please help me in the below scenario:
I want to configure it in such a way that the ROLEOWNER should not be able to approve the role that he owns for himself.
Eg:
Role1 approver is ROLEOWNER1.
If someone/Roleowner1 raises a request to assign the ROLE1 to ROLEOWNER1 then the roleowner1 should not be able to approve as the request is raised for himself. Instead it should go to some alternate approver.
Please advise. I will appreciate your help.
Thanks,
Raj

Hi Raj,
Set the visibility to NO. That should meet your requirement.
CUP > Request Form Customization > Approve/Reject Own Requests > Visible = NO
Mandatory and Editable will be grayed out, as these do not show up in the Request form.
Regards,
Ajesh Raju.

Similar Messages

  • Change Role Owner in CUP

    Experts, recently a few of the role owners have left the company and we have new owners in their place. All the requests are still going to the old owners for approval. Each of them owns about 100s of roles. Is it only possible to change ownership of the roles one at a time, or is there a much more efficient way of doing this? If so, please guide on the procedure. Awaiting your expert advice.
    Thank you.

    You should be able to do a mass upload using Excel.
    Thanks,
    Chinmaya

  • GRAC AC 10 CUP E-Mail Notification for Role Owner to approve

    Hello Experts,
    I have my CUP working in such a way that role owners are able to go to their Inbox in UI > My Home. However, I would like to send e-mail to their Inbox. Right now we are getting the e-mail only at the end of the request, when the request is completed.
    What should be configured in MSMP? The following notification events are defined for Process ID Access Request Approval Workflow:
    Notification Event: END_OF_REQUEST, Template ID: GRAC_AR_SUBMIT, Recipient ID: Requestor
    For the stage Config ID GRAC_ROLEOWNER the notification settings are:
    Not. Event: NEW_WORK_ITEM, Template ID: GRAC_AR_NEW_WORK_ITEM, Recipient ID: Current Approvers.
    What else do I have to do?
    Reg,
    Anthony

    Hi,
    You will need to make sure that the submission and new work item notifications are activated in MSMP at the various stages and also make sure that the approvers are marked for both approval and notification at the agent assignments.
    I would also check to make sure that their email addresses are maintained correctly in the GRC system (the data sources will not pick up the approver email addresses automatically).
    Cheers, Simon
    Edited by: Simon Persin on Jan 25, 2012 6:27 PM

  • Is it Possible to Create a Role Owner Group in CUP

    Currently has a workflow that has each role owner to approve a role request. Would like to create to have two different role owners to have to approve the same role, but with these two role owners want to have one of the role owners to have two people where only one of them has to approve. Can this be done in CUP? Hope it makes sense. Thanks.
    Laura Kacal

    Hi Laura,
    I think now I understand your challenge, correct me if I'm wrong.
    One role, 2 approvers (A, B), both need to approve, but:
    Approver A = single user
    Approver B = group of users
    Not possible. You can only set up the approval to be all need to approve or at least one.
    I would recommend a 2 stage workflow. 1st stage single user approval, 2nd stage group approval (CAD).
    Good luck.
    N

  • GRC AC 10.0: Info about rejected roles in the CUP Email

    Hello all,
    the GRC component CUP seems to be technically mature in comparison to the Role Management component, but there is one thing where I am not sure whether it is an error or whether I missed some config parameters:
    When the CUP request is closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved, some of the roles were rejected. But the user gets an email where only the approved roles are listed:
    We would like to inform the user about the status of all roles in the CUP requests: which roles were approved and which roles were rejected. Is it possible to configure in MSMP Workflow?
    Right now we have the following setting:
    Thanks,
    regards Sabrina

    Hi Sabrina,
    To notify the requester for the roles which got rejected, you can try with Email notification template: GRAC_MSMP_ERM_REJECTED for the message class.
    You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
    Hope this helps, Let us know if you face any issues.
    Regards,
    Ameet

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    The GRC 5.3 request is able to close and be provisioned as it can see owners from the child roles.
    Now in GRC 10, we did the same. Created a business role, then mapped the child roles (technical roles). Unfortunately, when the manager approves, the workflow reroutes to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at the business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owners approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to prevent a role owner from approving roles for himself. Define a dedicated EUP for the role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • GRC AC 10 SP13 - workflow not routing to multiple role owners

    hello
    We are experiencing issues in our production MSMP workflow where an access request with multiple business roles is not being routed to role owners after manager approval. The request contains four business roles. Three business roles have three different role owners. The fourth business role does not have a role owner assigned. After the manager approves the request, the business role without a role owner does not provision. The other three business roles do not route to their respective role owners. We have tested the same scenario in our development environment and it routes properly. I have validated our MSMP workflow settings in production and validated it was activated. I have also checked the instance monitor via GRFNMW_DBGMONITOR_WD and it does not give an indication why the request isn't routing.
    Any ideas why we are seeing this? Below is a screen shot of the audit log.

    Hi Stacey
    If DEV is working and PRD is not, have you gone through and compared both and ensured the latest MSMP configuration in PRD has been activated?
    Also, is the approver COCHGG00 also the Role Owner?
    Are you able to show your MSMP configuration? It makes sense to analyse the log in the context of your configuration. E.g. does the Z_ADDTNL_ACCESS_PATH path have two stages: Manager and Role Owner, of which there is a routing rule on the Manager approval to go to the NO_ROLE_OWNER path where the business role has no role owner?
    Regards
    Colleen

  • ARQ: Manager/Role Owner can modify request details even after submitting the request???

    Hi All,
    I have noticed that after submitting (approving) a request, the manager or role owner can still modify the user details (fields are editable) like role validity date etc. in a request. This is quite weird!
    Although, after submitting a request by a requester, all fields are disabled.
    Has anyone encountered this problem? How can I control this?
    Please advise.
    Regards,
    Faisal

    Alessandro,
    Thanks for your reply.
    Yes, I got it and that is why I got confused.
    This EUP I have defined and the desired fields are visible and editable and seems to be working fine.
    However, the problem is, even after submitting a request, the manager and role owner are able to edit the values in the fields, which is incorrect!
    Actually, once a request is submitted, I believe the request should be in display mode only!
    You know what, this is working absolutely fine with the requester. Meaning, once a requester submits a request, all fields are disabled and the values in them cannot be modified any more.
    But I am not sure why this is not happening with managers/role owners.
    Please advise.
    Regards,
    Faisal

  • Role Creation in CUP 5.3

    Hello,
    I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
    My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
    It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
    Please tell me if I'm wrong.
    HM

    HM,
      The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
    The below statement is wrong.
    It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
    If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
    Regards,
    Alpesh

  • Business Role to System/Technical Role Mapping in CUP

    All,
    In our design of CUP we are having end-users log on and choose their "business role" and having CUP select the system/technical roles. For example, we want an AP Clerk to be able to log on and choose "AP Clerk" and have role A, B & C from ECC selected and role D from BI.
    Is this type of design possible in CUP 5.3 or are we extending into IDM functionality (which we do not have)? Has anyone had experience in this type of design? What are your recommendations?
    Thank you,
    Grace Rae

    Grace,
    I assume you are looking for Job/Position roles but for SAP systems. Fortunately, CUP provides the flexibility to implement the RBAC concept for both SAP & non-SAP systems.
    In this case, the catch would be your blueprinting, which depends on various parameters like – how sound your authorization concept is placed in all the managed systems (R3, BI, non-SAP etc.), approval criteria, organizational operational view etc. The concern is that we may run into other issues of violations, risk analysis, approvals etc. if we don't plan diligently.
    Alpesh's hint would be really helpful in terms of implementing this requirement.
    Thanks
    Qalid

  • GRC AC V10 - one approval step for manager and role owner

    Hello Community,
    I have one, perhaps easy, question. Where is it possible to maintain the solution of one approval step for manager and roleowner, if both are unique.
    E.g.:
    simple approval workflow: manager stage afterwards roleowner stage afterwards auto-provisioning
    So if the request is routed to the manager and the manager is also the roleowner of the requested authorization role (same UserID). The user has to approve one and the same request twice.
    Is it possible in V.10 to change the config that the user has only to approve the request once? And then to decide on which relevant stage settings are valid for this process.
    Thanks,
    Alexa

    Hi Alexa,
    We have had a similar question raised in a project. In an ideal world, a single "Sign-off approval" would be a great functionality where the same user has to approve the same consecutive stages, but the reason for different stages would entail that the responsibilities entailed per stage differ, e.g. Line Manager would just check the over request, and the role owner etc. may be reviewing the eligibility of a specific role etc.
    If it is likely to be the same person reviewing the 2 consecutive stages, maybe a single stage workflow would be sufficient to cover this scenario.
    I think the logic you are trying to configure in the workflow is possible but will require a lot of work with knowing how to create a clever custom workflow with BRF+ or the actual WF stuff in SAP itself.

  • Create Role Option in CUP 5.3

    Hi,
    I would like to know the use of the Create Role option in CUP.
    We have this option: Configuration -> Roles -> Create Role.
    As we know, we import roles from either the SAP back-end system or ERM.
    In this case, what is the use of the Create Role option?
    Thanks in advance

    Hi ammu,
    This is just an option in case you need it. Roles created in CUP are just in CUP, not in the back-end. Remember that CUP can be used for non-SAP systems also; in this case the option to create roles in CUP is important. If you just use CUP with "ABAP-based" back-end systems you shouldn't create roles in CUP directly; you usually perform a sync or import from back-end or ERM.
    Cheers,
    Diego.

  • Role Import in CUP

    Hi
    There are two options of choosing the source system for role import in CUP
    1. Back end system
    2. ERM
    I am facing problems in importing roles in CUP from ERM. The system shows a successful import but the number of roles imported is zero. However, if I choose the Backend system as source system, the roles get imported in CUP.
    Can someone help me with this issue? I want to import roles from ERM because roles imported from ERM will have all the role attributes like Business process, Sub business process, functional area etc. which are not available if we import roles from backend.
    Regards,
    Nitin

    Hi Sahad,
    Did you look at the CUP logs? Are ERM and CUP installed on the same server? Have you configured Business process and sub process exactly the same as in ERM?
    There are 2 ways to upload roles into CUP using spreadsheet:
    1) Cumbersome method, if you don't have roles maintained in Excel: You can get R/3 roles via SUIM or some other method and manipulate them to match the role import template of CUP
    2) Easy method : Import all the necessary roles into CUP via Backend. Once you have all the roles in CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands. Now, delete all the roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
    Both these methods require some manual work.
    Regards,
    Alpesh

  • OIA : Assign Role Owner

    Hi,
    In OIA: Identity warehouse -> Roles -> New Role -> Ownership tab -> Add Owners.
    Here at the Add Owners step I can see only users which are imported from OIM (global users / end user).
    And if I assign an end user as owner of a role -> the role membership approval task still goes to rabcxadmin.
    Can we select OIA users as a Role Owner?
    Is there any way to log in to OIA using a global user/end user?
    Please help me to understand this scenario.
    Thanks,
    Pallavi Chaudhari

    Thanks user13285646
    What changes did you make to security-config-context.xml for certification user creation? I am on OIA 11.1.1.5.0; for me the certifier user is getting created in rbacx-user-* tables without doing any change in the security-config-context.xml file.
    OTB role assigned to user:
    <!-- OTB Roles assigned at the time we auto create accounts -->
    <property name="otbCertificationManagerRole">
    <value>CRTMGR</value>
    </property>
    <property name="otbPolicyViolationRemediator">
    <value>PVRM</value>
    </property>
    <property name="otbPolicyOwner">
    <value>IDAPLCOW</value>
    </property>
    but there is not any such information related to role owner creation.

  • Rejected/Approved request not showing up for role owner

    Hi Experts,
    For some users, approved/rejected/pending access requests are not showing up in NWBC -> My Home -> Access Request Status.
    It's working fine for others. Although that user has approved and rejected the requests, the count still shows zero.
    I have validated that it's not an authorization issue. Any suggestion on this is appreciated.
    Thanks,
    Mamoon

    Hi Mohammed,
    Thanks for the quick response. But user (A) is a role owner who has approved and rejected many access requests.
    Although A has not created the access request, but it's another user (let's say B). But how could the role owner see what access requests he has approved and rejected? Is there any functionality?
    Thanks,
    Mamoon
