Standard Approvers on GRC 10.0

Hi Guys,
I've got a quick question for you all.
Do you know where I can define the Point of Contact and Security Agents in GRC 10?
I have assigned the user ID as a Point of Contact in the "Access Control Owners" area but I cannot find where to associate that user with a functional area or with the master data setup in the NWBC. I'm sure I'm missing a setup step here where the standard approvers are identified against the relevant data elements.
I have the workflow paths set up in the MSMP workflow config, but it cannot determine the recipients for the approval and therefore it goes nowhere!
If you can help, it will be greatly appreciated.
Cheers, Simon

Hi Triera,
That's not strictly true. It is possible to derive risk owner into the decision table but it does not allow you to have it as the result in this case. Creating FM rules is effectively ABAP coding. For BRF+ I would use the Flat Rules and then setup the details in the decision tables.
Having chewed this around with a few colleagues, we came to the conclusion that it's actually a fairly stupid requirement in the end anyway. Picture the scene...
You have multiple roles in the request and then you submit it.
Each of these roles then generates risks based upon the access. There could be multiple risks for each role, and some roles could indeed generate risks which have multiple owners. They could also create risks when assigned together, but that is only visible after each role owner has approved. Effectively, this could have endless branches and sub-branches and explode out the required approvals. Once those branches get split, the approver (the risk owner) will only be looking at their own risk and would not really be assessing the total request as such.
It works fine as a requirement if you'll only have 1 risk generated but any more than that and it gets proper messy.
I still think there is value in being able to use agents across different Process IDs and so it's not completely dead but I'm not going to advocate Risk Owner directly in this manner for the access request process. The closest I would get is to effectively generate the CAD on the new technology (directly mapped users) and manage it from there.
Cheers,
Simon

Similar Messages

  • Not able to see approvers in grc ac 10.0

    Hello gurus,
I have configured workflows for access requests for GRC AC 10.0. When I submit an access request, my approver is not able to see any requests waiting for his approval. Also in the request status of the access request, no approvers are seen in the given path when we click the instance status button. Please let me know where we populate these approvers and how we can make them appear.
    Thanks in advance,
    Reyas

    Faisal,
    There are 2 places you need to define this.
1) Within the "Access Control Owner" settings (NWBC > Access Management), you need to assign the "Role Owner" tag to the users. This will enable you to select the user to be assigned as an assignment or content approver within the role definition (2).
2) Against the actual role definition in Business Role Management (BRM/ERM), you need to assign the user ID as the Assignment Approver of the role for the user to be able to approve the request as a Role Owner.
If you have somehow created your own BRFplus custom agent for role owners (the SAP standard delivered agent is fine!), then you obviously need to maintain your decision table/tree results.
    I strongly suggest you check these quick start guides out if you are having trouble configuring the basic settings.
    Business Role Management set up and terminology
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80063a8e-1da6-2e10-aaa5-fda1f0936c37
    First Access Request
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/5067e447-5c64-2e10-7d9c-8f7e5953aadb
    I hope this helps answer your question Faisal
    All the best

  • User Licensing for Approvers in GRC AC 5.3

    Hi all
    I am looking for some clarification regarding the user licensing.
In CUP, we have managers who will need the AEApprover role to approve the user requests.
In our case, we have SAP EP as the single point of entry to the application (both ECC & GRC AC). Also,
some of the managers who are involved in the approval process (in CUP) do not need access to the ECC backend system.
So managers only need an entry in the AD (LDAP), which is the datasource for SAP EP and GRC AC. This means that GRC UME (the authentication system for CUP) is the only place where the managers' user profiles are maintained.
Will these managers be accounted for in SAP licenses?
My answer is No. The managers will not be accounted for in SAP (prof/limited prof) license cost as they do not have any access to the ECC system. All users in the GRC system will be accounted for in GRC AC licensing (which is based on the operating budget of the organization).
I would appreciate it if you can confirm whether my understanding is correct.
    Thanks
    Keerthika

Closing the request as this has been answered in the forum and I got a confirmative answer from SAP too.
Rationale:
GRC users don't count for SAP ECC license unless they have a dialog user account in the ECC system.
    Thanks
    Kee

  • Reg:Auto Approve Roles without Approvers for GRC 10.0

    Hello,
Is anyone using this option on GRC 10.0? According to my understanding, if someone selects a role and it has no approver then the role has to be assigned to the user automatically, but it is not happening in my system. The request is going to decision pending and it is still looking for a role approver.
Can someone provide their expertise on this issue?
    Thanks
    Uday

    Hi Uday,
I have not used that functionality myself, as I find it too risky if an SOD or Critical risk would be introduced by assigning that role.
I would have thought that setting the correct values in SPRO would have enabled this functionality. It might be worth checking the settings again and resaving them.
However, if you are purposely leaving the approver value blank for non-risky roles, as an alternative the document below is worth considering for implementing via BRF+ in GRC 10. (I know the document is more GRC 5.3 related, but the concept is valid.)
Link: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/203d2716-ef84-2d10-3f81-a6f6643e308d?QuickLink=index&overridelayout=true

  • Additional Approvers for a changed shopping cart.

    Good afternoon all, hope you are all well.
I hope one of you guys and gals can help me. We currently have one approver set to be able to approve changed carts and POs. Can you tell me where we can add an additional approver, so basically they would both get informed that there is a cart or PO to approve?
I hope I have explained what I require; please feel free to ask me more questions if need be.
    Regards
    Steve

    Hi,
    There are 2 options.
1. Using SAP Business Workflow functions.
Define a new Agent object in SWO1 and change the workflow container type of Agent_001.
Change standard approvers for Invoice WF WS10400017 - 1 step approval
2. Using BADI and the N-step approval template.
Implement the BBP_WFL_APPROV_BADI.
    Regards,
    Masa

  • Is it possible to add a "standard" custom approver?

    Hi forum,
We have a requirement that the user needs to approve the last stage. I've been experimenting with a custom field and adding <virsa_ae_wrkflapvr ID="ZTRAINEE" APPROVER="ZTRAINEE" wftype="AE"/> to the init_clean_snf_insert_data file. So far without success. Is it possible to add a "standard" custom approver?
These users will be registered in UME through LDAP.
    Kind Regards,
    Vit Vesely
    Edited by: Vit Vesely on May 17, 2010 9:22 PM

Hi Vit,
It is possible to create a custom field that automatically fetches the user ID by using the LDAP mapping concept.
What you can do is create a custom field in CUP of field type text. Then go to Configuration -> Fields Mapping -> LDAP Mapping.
Now in the additional field, select the custom field in the AC field and the user ID ("sAMAccountName" in case of Active Directory) in the LDAP field.
Now when the user logs in from the end-user form, their information will come to the CUP application and the user ID will also be populated in the custom field that you have created.
If you want the provisioned user to be the approver, it is difficult to achieve but can be done with one solution. In CUP, apart from the standard approvers, you can create a custom approver determinator: Configuration -> Workflow -> Custom Approver Determinator. It can be created on the basis of various CUP attributes like request type, priority, role, custom fields etc. But you have to define clearly in this that if the request has this value for this attribute then this will be the approver. So the custom field created above will have the user ID, right? So you can create a CAD for this custom field and then define that if the user ID is this, then this is the approver. In your case, if the custom field has the value USER_NAME then the approver is USER_NAME. All users in this case should exist in UME. Also, the CAD needs to be maintained for every user, which will be a tedious task; you can upload this by Excel sheet as well.
Hope that it would be helpful.
    Kind Regards,
    Srinivasan

  • GRC - Test Cases

    Hi All,
We are approaching the SIT phase for GRC. Are there any standard scripts for GRC specifically for testing?
I assume that the below are SIT test cases. But if I am missing something, experts can advise.
All my MSMP workflows - using template based requests (we are using templates for each request type)
Checking MSMP workflow buttons (Approve, Reject, Forward, Return)
Checking UAR workflows
Checking risk analysis during workflows - for a few important risks
Checking EAM workflows and how log review report workflows work
Checking all email notifications (if they are proper)
Are there any other scenarios than the mentioned ones which will be crucial during roll out?
    Please suggest
    Thanks,
    Sai.

    Dear Sai,
It depends on your setup. Basically you have to define the test cases based on your requirements and setup. Hence it is difficult to tell you what needs to be tested.
Best practice from my experience is to define all cases and expected output. Best if you think in processes and define test scripts for each process. In the end the process has to work from A to Z.
    Regards,
    Alessandro

  • Retrieve approvers id of srm shopping carts, in ECC

    Hi everybody!
    I'm currently working on an SRM 5.0 in classic scenario and ECC6.0.
We will have to create some specific reports and in that way I'm trying to retrieve in ECC, in a table or a function module, the IDs of all approvers of my shopping carts in SRM.
I really do not know where those data may be stored.
Please help! Thanks a lot!
    regards,
    morgane

    Hello Morgan
In standard, approvers from the purchasing document approval workflow in SRM (in your case Shopping Cart) are not transmitted to the R/3 backend.
If it's mandatory for you to have those data in the R/3 backend, you could do this by storing the approver IDs in CUF for the SC header, then pass those CUF on to standard fields (or CUF) in the corresponding R/3 purchasing document.
    Regards.
    Laurent.

  • Mitigation Control Owner instead of Risk Owner.

    Hi All,
In a provisioning request, after risk analysis, if there is any SOD found then the request needs to be forwarded to the Mitigation Control Owner instead of the Risk Owner.
Please advise whether standard functionality in GRC 10.1 addresses this requirement or it needs development.
    Thanks in Advance

    Hi Babu,
There is no standard functionality to forward this to the mitigation control owner.
Even forwarding to the risk owner, you may need some customization as per SAP Note 1670504.
    Thanks,
    Mamoon

  • Add approval to bid: workflow WS14500027

    Hi to all,
When I create a bidding in my system it stops waiting for authorization. When I go to the authorization preview the message "No approver" is shown.
Where can I define the standard approvers of a bidding?
    Thanks

    Hi Masa,
Could you give a bit more clarification please. We are running into the same issue and we see that the bid has been made but says "awaiting approval", but the approval preview says "approved". Is there a workflow behind this event? I do not recall activating a workflow for this.
So what you are saying is that the person who created the bid invitation should have a user flagged as a manager in the organization structure and that user will be the one to approve the bid? Please clarify and thanks in advance for your help!
Also, another quick question: is the approved bid able to create a shopping cart or does it have to be a local purchase order or contract?
    Regards,
    -Paul

  • Standard Archiving Process for GRC NFe Inbound

Hello everyone, how are you?
Once again I would like some support to define the best strategy. I am on a GRC NFe Inbound implementation project with SP16; the environment is not yet ready for customizations and tests, but some concerns have come up due to the volume of XMLs received. So I would like to better understand the scope of the standard archiving solution in GRC NFe Inbound.
From what I noticed, there are specific monitors to manage archived NFe and CTe (the service needs to be activated in SICF):
    NF-e Fiscal Workplace for Archived NF-es
    CT-e Inbound Fiscal Workplace for Archived CT-es
However, I have some doubts about how it works. Has anyone implemented this functionality and can help me clarify how it works?
a) Through the monitors above, is it possible to view and download the archived documents? This is important in case of an audit...
b) Today we use the "Download XML of NF-es / CT-es" monitor to mass download XMLs. Will it also be possible to mass download the archived records?
c) Are the archiving routines the same ones used in ECC? (SARA, SARI, etc.)
d) Is there any limitation on downloading archived documents?
Thanks for the support....
Regards,
Edson

Good morning Edson,
b) Yes, it also reads the archive; in fact, if the archiving structures are not active, it keeps giving a message to activate them (even if archiving is not executed).
c) Yes. Go into SARA and look for the archiving objects with the mask /XNFE/*
d) The limitation is authorization, and that the archive must be available for querying.
Best regards, Fernando Da Rós

  • GRC 10.0 - how to upload secondary approvers

Hi all,
In my company we have 2 role approvers for each role. Any one of them can approve. We were able to successfully upload 1 role approver, but the 2nd we have to maintain manually by going to each and every role, one at a time in GRC, which seems time consuming since there are thousands of roles.
    Is there a workaround on this?

    Hi Pooja,
You can use the role import functionality and maintain the second approver on the next line for the same role and import; it will work.
Or you can use the Role Update option under Role Mass Maintenance and add additional approvers for the same role.
    Regards,
    Madhu.

  • We have migrated data from virsa 4.0 to grc 10.1, all virsa mitigation approvers and controllers got migrated but we are not able to map new mitigation approver and controller to the mitigation ids.

    Hello All,
We have migrated data from Virsa 4.0 to GRC 10.1. All Virsa mitigation approvers and controllers got migrated, but we are not able to map a new mitigation approver and controller to the mitigation IDs.
The steps we have done are below.
1. We have created a user ID in SU01 with the necessary authorizations
2. We have declared this user ID in Access Control Owners as a mitigation approver and assigned it to the organization unit
Now we are trying to map the newly created mitigation approver to the mitigation ID, but we are not able to find that approver ID for the mitigation IDs. (We are only able to see the old mitigation IDs that came from Virsa; we are not able to add new mitigation approvers / controllers to the mitigation IDs.)
Kindly check this issue; this is very critical for us.
    Thanks in advance.
    Regards,
    Karunakar

    Hi Karunakar,
    - Assign Owners to Organization unit
    - Make these owners as Mitigation Approver and Monitor
    - Create Mitigation Id in this Org. unit
    Regards
    plaban

  • Runtime error OBJECTS_OBJREF_NOT_ASSIGNED when calling any standard GRC APIs

    Hello colleagues,
I always get the runtime error OBJECTS_OBJREF_NOT_ASSIGNED when calling any standard GRC APIs.
For instance, let's take Function Modules:
I tried almost any of them, but in particular:
GRPC_API_CONTROL_QUERY - Load the list of controls
GRPC_API_ISSUE_QUERY - Retrieve issues of the case
GRPC_API_ORGUNIT_QUERY - Load list of Organizations
GRPC_API_RMPLAN_QUERY - Retrieve remediation plans of case
GRPC_API_RISK_CONTROLS - Retrieve the controls of the risk
etc.
All of them return the runtime error OBJECTS_OBJREF_NOT_ASSIGNED, even though I've provided Object IDs in the right format.
The same goes for the corresponding classes.
    Does anyone have such problem before?
    Appreciate your responses,
    Thank you,
    Best Regards,
    Anton

    Hi Anton,
We need to pass a value for I_SESSION_ID. Because, when I execute FM GRPC_API_RMPLAN_QUERY giving a correct I_OBJECT_ID as shown below, I'm also getting the same error.
    On executing..
    Getting following dump.
    And attached is the dump analysis .
    Thanks
    KH

  • GRC EAM Authorizations: Few Anomalies in Standard Roles

    Hi GRC/ Security Experts,
    To brief you quickly, we have an SAP GRC AC 10 SP13 about to be deployed with ARA & EAM Modules as a first phase deployment.
    All of the functionality is almost setup, just refining few things before going live.
    About the GRC Authorizations, I observed few anomalies in the standard delivered SAP Roles for EAM.
I am aware that processes & compliance can vary from organization to organization. I am trying to redesign some of the EAM related authorizations, especially for the Firefighter Owner/Controller.
In the standard delivered EAM roles, there are a few things missing and a few unnecessarily attached.
    I am already aware of the provided information in the following resources:
    - 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
    - 1663949 - EAM: Authorization Fixes for Central Owners and Reason Codes and have referred to EAM Authorization
    - EAM Authorization Concepts & Guide
    - GRC AC Latest Security Guide.
I am wondering, since many GRC AC 10 implementations must have gone live by now, how the following authorization hardening concerns can be addressed.
I observed the following anomalies, and used ST01 tracing to refine and address a few of them; still, some of them I can't seem to get hold of:
    1) [SOLVED] EAM Owners should technically not be allowed to Create/Maintain Reason Codes, that should be EAM Administrator's task. This was addressed by adjusting the auth objects from Owner's Role and only Reason Codes Display was provisioned to the owner's, hence this is addressed.
    2) [SOLVED] EAM Owners should not be allowed to Create/Maintain EAM Controllers. This is a grey controversy I believe, as in my organization EAM Controller is treated on even Higher Scale than Owner and thus EAM Controller maintenance should only be done by the EAM admin rather than EAM Owner. This also I have addressed by adjusting few auth objects, which leaves the EAM Owners with Display only access of EAM Controllers.
    3) [UNSOLVED] EAM Owner is able to assign any Firefighter ID to End-User: This is anomaly as per me, and is also specified in notes 1730649 & 1663949, but I find it hard to figure out the real solution of that specific issue. The notes just point to EAM Authorization Guide, which explain the GRC Authorization concept in general, which I of course get it. The GRC SP13 is already higher than the one applicable for the issue.
Technically an EAM Owner should only be able to ASSIGN the FF IDs that are owned by him; this I can't seem to figure out how to do exactly.
I have gone through the Authorization Guide and the Security Guide, and played too much with System Trace ST01 trying to redesign the authorizations. How would you have done it? This wasn't there in Virsa earlier; it used to bug you back saying that the FF ID is not owned by you.
4) [UNSOLVED] Similarly to the above, an EAM Owner is able to modify/delete assignments of any FF ID. This is of course cascaded from the above issue. I believe it doesn't have to be like this; an EAM Owner should only be able to access/modify/maintain the FF IDs owned. Maintenance of the FF IDs not owned by the EAM Owner should be truly abstained from.
5) EAM Owners should not be able to add/delete the assignments of an Owner to an FF ID. This is the starting point of the Firefighter structure and must be restricted to the EAM Administrator. In the standard EAM Owner role, an EAM Owner can create another Owner, assign an FF ID to another Owner, and delete an Owner-FF ID assignment. An EAM Owner should have display only access as far as the EAM Owners access area is concerned. This one I have yet to test, which I think would be possible. Can't get hold of points 3 & 4.
I have already studied/implemented the suggestions/recommendations/corrections from the Authorization Guide.
But I still feel that these are a few loopholes and must be closed before I conclude the implementation.
    What do you think?
    Would truly appreciate, if you can point out the objects and values that can help to address the open issues.
    Apologies, for such a lengthy post, but the authorization goes deep here I guess and ST01 isn't helping me anymore to get over this.
    Regards,
    Akshay

    Hi Colleen,
Thanks for your reply. I was sure I would be getting the first response from you, as you are really proactive in the GRC space.
W.r.t. your suggestions:
1) I am not able to follow what you mean by "Are you able to try debugging 'CALL METHOD cl_grac_auth_engine=>authority_check'?" I am not much of an ABAPper/debugger, but if you can point out what exactly is to be done, or to get done, I wouldn't mind getting my hands dirty at this too.
    Correct me if I am wrong, do you imply that, even though the specified correction in note is available in system (SP13), still this inbuilt authority check is not happening and is being bypassed?
    2) I checked the EAM Authorization Guide for Auth Object GRAC_USER.
    With what you feel in the below message of yours=>
    Starting to wonder if it is as the EAM Guide attached to the above notes mentions authorisation GRAC_USER which contains a field for user (quote from guide below).
    User ID : This Field Specifies which firefighter users you can Display and Perform other activities based on the Activity Field .
That suggests you need different roles to restrict owners? I would have thought SAP would differentiate between authorisation to maintain FF as an Administrator versus Owners allowed access to their IDs.
I would have thought the Administrator would get the GRAC* authorisations whilst Owners would obtain access via owner setup (mapping for FF ID).
    I went back to the EAM Guide and tried to put it all together to make sense.
With my below observations, I think too that there is no such thing as mapping of an FF ID to the Owner out of the box in GRC AC 10, so that the Owner is able to access only the FF IDs owned.
So, if that is true, then to achieve this sort of wish, I would have to have separate roles for each EAM Owner specifying the FF IDs that particular EAM Owner is able to access. And then there would be n number of roles for n number of Owners, which is subject to change and has to be maintained again. Then also, the FF IDs owned could be added/removed etc. Whoa! That wouldn't take me far from rationalizing the whole objective.
I just wonder if this is actually OK? If there is no approach to this, would it be OK to let any EAM Owner work with any FF ID subject to their own desire?
Anyway, check this out below; in parallel I will open a message with SAP just to have my closure.
    From EAM Authorizations Guide in the note=>
    Now from the EAM Owner's Role=>
This nowhere mentions restricting the FF IDs in the role; if at all this concept exists, it would be through some internal check like the one above, i.e. CALL METHOD cl_grac_auth_engine=>authority_check or something.
Also, I found these few specifications as well, which affirm the same I believe.
    Much thanks for your effort and patience.
    Regards,
    Akshay
