Timeout in role approving.

Similar Messages

• How to define role approver/owner - through condition id in ERM 10.0

  Hi All,
  We have created a BRF + rule for Role approver with Business Process & Function area by giving the Result value as Condition ID eg., Z001
  We have provided this condition ID Z001 - in Role Owners table [Under Set Up- Role Owners] and defined the role approver and assignment approver with the User details.
  Now when we are trying to create a role with the above attribute combination of Business Process & Function area - the role is not picking up the Role Owners automatically in Owners/Approver tab [In 5.3 we can maintain approval criteria where we can define the role owners/approvers based on different attributes].
  Are we missing any configuration setting here for auto pick up of Role Owners based on defined attributes from Role Owner table.
  Thanks and Best Regards,
  Srihari.K

  Hello All,
  Please help us , I am also struggling with same issue.
  Thanks in advance,
  Jagat

• Role Approval request not visible in Role Approvers ToDo tab

  Hi IDM Experts,
  We have implemented IDM 7.2 SP8 in our project. We have performed the basic configuration for Identity center and IDM UI. The initial load from CRM is also completed successfully.
  We followed the steps in guide https://scn.sap.com/docs/DOC-26322 to configure workflow such that in case role is requested to be assigned to user, the request goes to role approver(in his todo tab) for approval. The access will then be provisioned into backend CRM system on successfully
  approval. However, we are facing an issue where the Role approver does not get anything in "TODO" tab for approval. The request shows in "Pending" status and logs show that tthe request is pending approval, however, it never appears in role approvers queue.
  Kindly help on the issue. Please provide below information:
  1) We can check in logs that the request is pending approval. Is there any way we can check where is the request routed to and whoose approval is pending here if it did not goto "Role Approver" for approval.
  2) Any trouble shooting mechanism/tool available in IDM to debug issues like this.
  Thanks in advance for your help.
  Thanks and regards,
  Nitin

  Hi Nitin,
  How do you assign the role to the user? if it's trought IDM UI, you loggin with which user?
  There is a limitation on approval with SP08 : the requestor of the assignement can not be define as an approver.... but in this case the approval is automaticaly rejected by the system ...
  in which logs / table can you see that your request is "pending for approval" ?
  I also would recomand you to use the simple scenario "get approver from role/privs" of as krishna mentioned. (unless you need to do more custum actions)
  Besides, you can check approval entries and status in DB views :MXWV_ApprovalQueue ...
  Fadoua

• SOD Detour in Role Approval Workflow possible?

  Hello GRC Experts,
  we have implemented an Access Request Approval Workflow with a Detour Rule (GRAC_MSMP_DETOUR_SODVIOL).
  The second workflow we are working at is the Role Approval Workflow. Is it possible to use the SOD Detour Rule also in Role Approval Workflow? I didnt find the SOD Detour Rule in the MSMP Role Approval Workflow.
  We would like to implement a following Scenario:
  if the role contains an SOD the request should take Path 1 and if not Path 2.
  Is it in MSMP Standard possible or should we use BRF+ for creating a Detour Rule?
  Thanks,
  Best Regards
  Sabrina

  Hi Sabrina,
  For Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement routing rule(based on detour condition - risk found). Purpose of same (if I am not mistaken) is to through the request to another level of approver wherein mitigation monitor agent reviews the mitigation performed by role owner stage and approve/reject the request.
  But, when we create a role same is not the condition as we do not mitigate role level risk thus no need to go for mitigation monitor stage. May be you have some business scenario, if you can let us know will be gr8.
  For the rule ID, did you try adding the rule ID ?(you may already know, still would like to cross check with you).
  GRAC_MSMP_DETOUR_SODVIOL under list of rules for "
  Role Approval Workflow" In the screenshot you have shown, just click on ADD feed -
  Rule ID -GRAC_MSMP_DETOUR_SODVIOL.
  Rule description - same as Access request.
  Rule type - Function module based
  rule kind - routing rule.
  Add this and check if it works and let us know the result too.
  Regards,
  Nishant

• Role approver removed from role in GRC

  Hello Experts,
  I am a fresher to SAP GRC. Please help me on the below issue.
  In SAP GRC 5.3,  for some roles role approver has been removed and some roles automatically uploaded to GRC. The role that are uploaded to GRC should not be and while checking there is no change log for the role. For other roles for which role approver have been removed, also there is no log for which recent approver have been removed.
  Can you tell how it happened and who did this or way to troubleshoot.
  Thanks in Advance.
  Biswaranjan

  Hello samiran,
  Thanks for your reply.
  Yes we have already uploaded the OLD file. But my concern is how we can troubleshoot to find out how it was corrupted as no one did the change.  we can find the change log for the approver change for any role in GRC 5.3 .
  Or it is not possible to find out how it happened???
  Regards,
  Biswaranjan

• AE 5.2 - Detour Workflows - One of the Role Approver not found

  Hi All,
            My question is regarding using the Detour workflow functionality for the situation below - pls let me know if this possible or if any alternates are available.
  - Main path has 2 stages (1) manager approver, (2) Role Approver.
  If the Requestor asks for a Role that Does not have a Role Approver we would like to route this request to the Security lead.
  - I have created a Detour Path with 1 stages - Secuity lead and associated with Stage 2 (Role approver) of the Main path based on the condition "No Role Owners"
  - I still get the error "Approver not found at Stage @@@@"
  Is the condition "No Role Owner" in the Detour workflow config for "Role Expert" workflows or for Access requests?
  Is it possible to route the Request to Security if the Role being requested does not have a Role Approver? IF yes How?
  thanks
  T

  Hi,
  sometimes in the Detour configuration you have the problem that the "Save" action is not saved properly.
  If this entry is empty, please go into edit mode and save the detour config again, so that the action will actually display "Save".
  Hopefully it works, then.
  Regards,
  Daniela

• Role Approval workflow and generation

  hi to all,
  can you just suggest me, what is the role approval workflow and tell brief about it
  give me any workflow
  thanks in advance
  Ramesh

  Hi Ramesh,
  Approval workflow is the way you can think of a process for approving a user to be created or assigned a group in the org. Example : User Create in HR -
  > Manager gets email notification -
  > Manager approves the user----
  > Division manager gets notified -
  > email sent to Helpdesk for a PC -
  > etc.
  Role Approval sounds like if the user is to be assigned a ROLE via an Approval Process before it gets created in LDAP. The provisioning will happan not just for the User but for the appropriate group according to the Role.
  Dev

• Role Approver of Removal of Roles

  HI Everyone,
  We are coming across a situation where the management team would like to have the "removed roles" in the access request not require the role approver approval and review. 
  Is there a way that AE allows for this?  I have tested various ways and can only come up with situations where the role approver has to approved removed roles.
  Thoughts?
  Thanks,
  Jerri,

  Hello Jerri,
  For achieving the role deletion without the approver of the role owner, create a different initiator with Request type change and probably some custom attribute and have this initiator configured with a path which has no Role Owner at any of the stages.
  This wil have the Request type "role deletion" with no Role Owner required to approve.
  Regards,
  Hersh.

• CUP: Notification Mail after Role Approval

  Dear SAP Experts
  We are running GRC AC 5.3 SP11.2  and facing a problem with the CUP workflow behavior.
  Each time we change a existing user in the system and assign him at least two new roles with diffrent role owners, we get some problems at the role owner approval stage.
  As soon as the first role owner provides his role approval a message is sent out to the requestor, manager and user that all changes to the user profile are done. This behavior repeats for each role owner which has to provide a approval to that request. The roles it self are assigned to the user account when the last role owner approved the request.
  Under AC 5.2 we had only one mail beeing sent out to the requestor, manager and user when all roles were approved.
  The role owner stage has following settings:
  Approval Type --> All Approvers
  Do we have to customize some more settings as well?
  Many thanks for your help Jeffrey

  Hi Frank
  Following settings are implemented at the role owner stage (last stage before auto provisioning):
  Notification Configuration:
  Approved --> User / Requestor / Manager
  Rejected --> Requestor / Manager
  Different text for mails are maintained
  Additional Configuration
  Risk Analysis Mandatory -> No
  Change Request Content --> Yes
  Add Role --> No
  Path Revaluation for New Roles --> All Roles in Evaluation Path
  Approval Level --> Role
  Rejection Level  --> Role
  Approval Type --> All Approvers
  E-mail Group --> BLank
  Comments Mandatory --> Yes / Rejected
  Request Rejection --> No
  Reroute --> No
  Confirm Approval --> No
  Confirm Rejection --> No
  Reject by E-mail --> No
  Approve by E-mail --> No
  Forward Allowed --> No
  Approve Request Despite Risks -> Yes
  Display Review Screen--> Yes
  Additional Security Configuration (Approval Reaffirm)
  Approve --> No
  Reject --> No
  Create User --> No
  Under AC 5.2 we used the Notification Configuration / Approved Mail to inform the defined persons that the request is approved and provisioning is done. This mail has been sent out only once to the persons after all role owners worked on the request. Obviously AC 5.3 behaves different after we have done the migration:-))
  Jeffrey

• Action fo Request Type 21: Role Approval.

  Hello All,
  Can anyone please share what would be the Actions associated with the Request Type 21: Role Approval? I seached a lot in BRM dosuments but its not mentioned anywhere.
  The tasks that I would like to do from this is the changesor creation for the roles should go through an approval process.
  Thankyou.

  Hello Sudesh,
  Thank you for your reply. My question however is that for BRM request for triggering a mail when the role approval is requested(for which I assume I have to activate the request type "Role Approval"), which is the corresponding Action type. My intension is not to create a user when it does not exist or not, but to create a request when the role is changed or created. My emials are getting triggered for other request types, but not only for BRM.
  Thank you!

• ARQ: How to configure Role Approve/Reject Email Notifications???

  Hi,
  I would like to achieve below for my business scenario with below MSMP stage configurations:
  MSMS Stages Configurations:
  MANAGER --> Can act on both request and line items level
  Role Owner--> Can ONLY act on line items
  Requirement
  In best case, a Manager approves all the line items in an Access Request. Then an email notification mail for "NEW WORK ITEM" would be sent to Role Owner(s) at next stage. This is achieved.
  Now at Role Owner Stage, below 3 cases are possible:
  1. All Role Owners can approve the line items
  2. All Role Owners can reject the line items
  3. Some of the Role Owners approve and Some of them reject line items
  In all the above cases, a Role Owner ALWAYS click on "SUBMIT" button (as he is not authorized to reject a request as a whole) and this action is considered to be as "APPROVED" and eventually, "APPROVED" event is triggered.
  This looks good in case numbers: 1 & 3. Meaning, even a single role is approved, request can be considered as approved and the request details can be sent to business user.
  However, I am facing a problem when ALL the line items are rejected by ALL the Role Owners!
  This will surely close the request. However, the email notification that will be sent to user in this case will be of "APPROVED" though the request is rejected in a sense (because all the roles are rejected)!
  Can anybody please he understand this and design proper solution?
  Regards,
  Faisal

  Hi Faisal,
  We are on GRC SP13.
  Please do below settings to make role approval/rejection comments mandatory.
  2040 - Set this parameter value as YES
  In MSMP - Role Owner - Stage settings - Please maintain these settings
  I have come across the same scenario as yours. Below is my observation.
  When all role owners rejects all roles by REJECTING roles at LINEITEM level, request instead of getting closed at ROLE OWNER stage, it is going to next stage and getting closed there. I assume this is standard behaviour
  Let's see if we can get experts advise on this.
  Regards,
  Madhu.

• Role Approver Actions-Add, Keep, Remove

  Currently, our role approvers were not able to modify the action of (ADD, KEEP, REMOVE).  This fields was greyed out and it was passed in by IDM as ADD or REMOVE depending on what the user selected.  We just implemented SP12 for CUP. We noticed that under Workflow>Stage>Change Request Content if this is set yo YES then the approver has the ability to do perform these functions below.  1 & 2 are ok.  We reject roles at the role level on the request.  However, we want to disable the ability for the role approver to modify ADD, REMOVE, KEEP  on #3.  
  1.  Approver can reject
  2.  Approver can modify the Valid State Date and Valid To Dates
  3.  Approver can modify the action and change it to KEEP or REMOVE.  We wnat to disable this drop-down selection.
  We noticed that if we Workflow>Stage>Change Request Content and change the value to No then the role approver can no longer reject the role.
  Does anyone know how to disable this functionality so that role approvers cannot change the action on the request?

  SAP confirmed  that there is no way turn this feature off if the approver needs to reject at the role level so this will be a process change we need to implement most likley.  However, it would appear that with the Add Role feature turned on there is a new button called Existing Roles/Groups that is displayed.  Approver can now view the roles assigned in the SAP ABAP back-end without adding new roles which is very nice that it is display only.  Thank you for your quick response to my question.
  New question:  Do you know if there is a web service that is used to call this new feature Existing Roles/Groups.  We would like to utilize that for our IDM system to call a web service and display this on the request form.

• AE-How can we restrict a role approver to request or approve is own access?

  Currently, in our AE a role approver can submit a request to add a role for which he is the approver and therefore he will be able to approve it as well.
  We would like to not authorize someone to approve his own access request.
  Is that possible and how ?

  Patrick-
  That enhancement is available in Access Control (CUP, formerly AE) 5.3.  It is not available in 5.2.
  Ankur

• Send Email Notification to Assignees in Role Approval Workflow in OIM 11g

  Hi Experts,
  I am using a Custom Workflow for Role Approval in OIM (11.1.1.5.4). It is a two stage Approval Process.
  First level Approval is Requester's Manager and Second Level Approver are Role Owners(Two users who are Role Owner in OIM).
  I want to send a Email Notification to this Assignees when a request is assignd to them . So i have done Email configurations in SOA. and i am receiving Mail in English.
  But, the requirement is the mail's language should be dependent on Locale of these users.
  for example if locale of Manager is German then Manager should recieve mail of Request assigned in German Language.
  and after manager Accepts the request, Request goes to Role Approvers where we have two User, So mail should go to this two users according to their Respective Locale.
  So how can i achive this????
  Thanks!!
  TJ

  One option would be to create views and then use the oob daily alert for each manager. If the number of managers is too much, then you should consider a custom timer job. 
  Your suggested approach is possible, but has potential issues in execution. I'd suggest the timer job first.
  Andy Wessendorf SharePoint Developer II | Rackspace [email protected]

• Role approver - automatical approver

  Hi,
  We are testing IDM in our organization and we have following scenario. Managers of department are defined as role approvers. For example manager of operative is defined as role approver for role RW_access_operative. As manager of department is also responsible for adding this role to users in his department. Is it possible to setup IDM this way: If manager add role to the user and he is also role approver (and he is only one approver) the IDM will automatically approve this role assignment for it. As managers are complain that they must assign role and then approve it :-( which is time consuming ...
  Thanks for answer

  In your workflow, add a condition where you generate the approvers list.
  1. Read all the approvers for the role selected.(May be a configuration)
  2. If the above list contains only 1 approver = WF owner (Who initiated the workflow), set the list to null and set the variable to approved or true, (so that the rest of the workflow will proceed as if the request is approved).
  3. If the list from #1 has more than 1 approver id, remove the case owner id from the list and generate the approval workitem for the rest of the approvers.
  Thanks,