Two Mitigation Approvers?

Similar Messages

• We have migrated data from virsa 4.0 to grc 10.1, all virsa mitigation approvers and controllers got migrated but we are not able to map new mitigation approver and controller to the mitigation ids.

  Hello All,
  We have migrated data from virsa 4.0 to grc 10.1, all virsa mitigation
  approvers and controllers got migrated but we are not able to map new
  mitigation approver and controller to the mitigation ids.
  The steps we have done below.
  1. We have created user id in su01 with necessary authorizations
  2. we have declared this user id in Access control owners as a
      mitigation approver and assigned to the organization unit
  Now we are trying to map to newly created mitigation approver to the
  mitigation id but we are not able to find that approver id for the mitigation ids. (only old mitigation ids came from VIRSA only we are able to see, not able to add new mitigation approvers / controllers to the mitigation ids)
  Kindly check this issue, this is very critical for us.
  Thanks in advance.
  Regards,
  Karunakar

  Hi Karunakar,
  - Assign Owners to Organization unit
  - Make these owners as Mitigation Approver and Monitor
  - Create Mitigation Id in this Org. unit
  Regards
  plaban

• Maximum Approvers for PR release WF

  Hi All,
  For the PR Release procedure, the std workflow is customized and there is no Org structure for agent determination  the user who is creating the PR has to manually key in 4 approvers on the PR screen and the remaining 4 are determined using the exit M06B0001, based on release codes.
  Is there any restriction that there can only be a maximum of 8 approvers for a PR release worflow.
  or
  can we have more than 8, bcoz i was asked to add two more approvers for the existing PR realease process.
  Thanks In Advance
  Prsna
  Edited by: Prasanna Ram on Jun 5, 2008 5:14 PM

  Hi PR,
  first of all why wld the client require more than 8 levels of approval for just releasing a PO (I think as a consultant, try to convince ur client on the intricacies faced with lots of approvers, as it wld firstly delay a simple process like PO release and wld generate chain of mails),
  secondly SAP can provide only 8 levels in a release.
  Aditya

• Need help in Mitigation...

  Hi , I have the CC 5.2 connected to single system and using GLOBAL ruleset.
  In backend i have created a role Z:CONFLICTING_ROLE and assigned to user ERIC.
  Now there are two risks in the role F030 and S027 , i have created two mitigating controls for them and have mitigated the risks at role level .
  When i run the report on the USER ERIC , it should show in there also as mitigated , but there is nothing in mitigation.
  I was under impression that roles once mitigated , users with be mitigated also, what is wrong here ? ?
  The option under Configuration :
  Risk Analysis ->Add Options -> Include Role/Profile Mitigating Controls in User Analysis
  is set to yes..
  Pls help me to resolve this issue.
  regds
  navdeep
  Edited by: navdeep pathania on Aug 25, 2008 11:02 PM

  navdeep,
  I was rather talking about the PFUD in the back-end system.
  But okay, if the synch with GRC is not working in the first place, then this issue should be addressed as well. However, that goes beyond this particular post 'Need help in Mitigation"
  In an attempt to help you : is your diamond shaped adapter green ? are you using the correct model in the JCO in terms of your release of backend system ? did you do a full sync or incremental ?
  for sure, this is your issue why the users are not mitigated through their assigned mitigated roles.
  succes
  sam

• GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

  Hello,
  Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
  I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
  User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
     Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
  1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
  2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
  And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
  Thanks in advance,
  Alley
  Edited by: Alley1 on Sep 20, 2011 1:15 AM

  Hi Karell,
     Here is response to your questions:
  I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
  Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
  Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
  Regards,
  Alpesh

• Features that are not supported by Excel in the browser and interactive reports will be removed from the saved copy

  I Created a power view in Excel 2013 and uploaded to my Power BI for o365 site.
  But when i click on my excel file it opens in browser,After that i click on File tab its showing me two option 
  1. Save a Copy
  2.Download a copy
  When i click on save a copy its showing me an warning below
  Features that are not supported by Excel in the browser and interactive reports will be removed from the saved copy.
  Continue with Save?
  If i continue saving it only saves an excel files with data only not the power view which i want to save with applied filters.
  Please help me for this

  Just to clarify, when you hit the option of Save As Copy, the whole experience goes into a "read-write" mode in Excel services, which currently doesn't support authoring, just consumption of PowerView sheets.
  Two mitigations that come to mind:
  1. Download the copy (as Brad suggests), rename the file and upload.
  2. Use the send to option of SharePoint online, give the file the right target document library (can be the same as source) and rename the file:
  GALROY

• OIM integration with MS CRM

  Guys,
  Anybody has ever done the MS CRM integration with OIM.
  MY requirement is as follows
  User initiates a self service request for the application and may populate some fields like country or primary service line (fields yet to be determined, but assuming the values for each field will be maintained in a lookup field)
  First Approval Step: User’s Manager must complete any missing required attributes that the user didn’t fill and must also populate the access level field (values will be something like local, country, regional or global), but again these will be pulled from a lookup field. Manager provides first level approval
  Second Approval Step: The owner approves/rejects the approval
  Provision the user to the application (notification sent to the user), also, provision user to AD group for the application
  Edited by: a73210 on Oct 28, 2009 10:42 PM

  I don have exp with MS CRM but if you have APIs then you can buid your custom connector. And for other things of your requirement.
  Just create an Object form with the fields as per ur requirement and use pre populate adapter to populate these fields.
  While creating form fields go to Properties tab and select property Required = true for required fields.
  And you can make fields mandatory while creating the form so OIM will validate automatically that whether required fields are filled or not.
  Create an Approval Process.
  Create two task Approval1 and Approval2 and assign both the tasks to two different approvers.
  Go to Approval1 > Responses
  Select Approve and below in Task to Generate select Approval2.
  You are done with 2nd level of approval.

• Problem in Hide Items Not Responsible

  Hi,
  I'm creating SC with two line items for two different approvers. The 1st approver is responsible for approving only the first line item but he can able to see both the line items and can able to change both the line items. The same is happening to second approver too. I've set 'X' for HIDE_ITEMS_NOT_RESPONSIBLE. Even though it is showing both the line items.
  Is there any config or something have to be done. Can you please help me regarding this ??
  Regards,
  JMB

  Try executing this program....
  you can understand...
  data: sym type ICON_D value '@1E@'.
  START-OF-SELECTION.
      FORMAT HOTSPOT.
      WRITE / 'ShowIcon'.
      HIDE: sym.
  AT LINE-SELECTION.
    WRITE: sym.
  And if i am not wrong, i hope you want to hide the "Display more" icon in the Select-options input. If that case, then use NO-EXTENSION keyword.
  Could you please tell me the exact requirement, why you want to hide that icon?

• Set SoD detour condition on path level?

  Dear forum,
  We have a parallel workflow where the different paths are divided by business processes.
  We want that SoD free paths continue as normal. Problematic paths are sent for resolution.
  The problem as I see it is that the SoD detour condition is set on request level, not path level. Both problematic and non-problematic paths will meet the condition and are pushed into the detour. The non-problematic path will get stalled, because it has to wait for mitigation approval.  Is there any workaround?
  Kind Regards,
  Vit V.

  Hi Jose,
  We have different detour paths for every parallel path. But if any SoD conflict is detected, the SoD condition is met for all paths and are pushed into the detour(s). Have you successfully tested it?
  Example:
  Main Paths
  P1
  P2
  P3
  Stages
  _1: Manager
  _2: Role Owner
  _3: BPO (CAD business process of role)
  P1_1
  P1_2
  P1_3
  P2_1
  P2_2
  P2_3
  P3_1
  P3_2
  P3_3
  Detours (1-stage with mitigation controll approver)
  P1_DT
  P2_DT
  P2_DT
  SoD detour takes place at stages:
  P1_2
  P2_2
  P3_2
  Problem 1: If the SoD conflict condition is met, all paths are pushed into their detours
  Problem 2: Let say we have two paths with SoD conflicts, a third one is not. Two mitigation controlls are applied. All three paths are pushed into their detour paths for mitigation approval.
  Worst case scenaro:
  Conflicting path 1: Mitgation Approver 1 approves
  Conflicting path 2: Mitgation Approver 1 + Mitgation Approver 2 Approves
  Non-conflicting path:  Mitgation Approver 1 + Mitgation Approver 2 Approves
  kind regards,
  vit v

• 2 days automatically routed to the next approval level

  I would like to know, is there anyone accepted this pre-defined rule setting, the order will automatically route to the next level approval if 2 days limited is passed? I think Oracle should provide the flexibility on choosing such routing rule.

  We agree. This should be identical to the current functionality of Oracle's iProcurement.
  We also need to have the second approver layer related to category. This means that per category it should be possible to route to two different approvers:
  - budget responsible manager
  - technical manager
  For some products and services this is a must have. For example, when a buyer selects a computer some companies require that also the department responsible for the maintainance of computers in some companies should give their approval for such a purchase.
  Kind regards,
  Michel de Knoop
  KPN Xchange
  null

• CUP - button to reject request inhibited Version 5.3 SP14

  Hi,
  after it was applied in the SP14 GRC button to reject the request was only inhibited in step functional allowing you to reject functions. Does anyone know why and how to adjust the error?
  thanks.

  Hello,
  we have the same problem with SP14 (SP12 is ok) - after clicking on Reject button the option "Reject Request" is disabled and the option "Reject Roles" is enabled. When approver chooses "Reject Roles" the request is completed and FF account provisioned!
  I had to change approving settings for that stage:
  Approval Level: "System and Role" -> "Request"
  Rejection Level: "System and Role" -> "Request"
  Now when there is a request with two FF accounts (and two different approvers) one can approve his FF but when the next approver rejects the request nothing is provisioned.
  But better is nothing than provisioning rejected FF account!
  Pavel

• Invoice hold workflow is not fetching the approver from ame

  Hi,
  I'm trying to get the next approver(3rd level) in wf process from ame through profile option, but it's not fetching the approver.
  my query is
  SELECT persion_id||employee_id
  FROM fnd_user
  WHERE employee_id = fnd_profile.VALUE('MG_AP09_PAYABLES_SUPERVISOR')
  other two level approvers (level1 and level 2)I'm getting , which is not through profile but direct join of tables as given below
  SELECT 'person_id:'|| rcv.EMPLOYEE_ID
  FROM ap_holds_all aph
  ,po_distributions_all pd
  ,rcv_transactions rcv
  WHERE pd.line_location_id = aph.line_location_id
  AND pd.PO_DISTRIBUTION_ID= rcv.PO_DISTRIBUTION_ID
  AND aph.hold_id = :transactionId
  AND transaction_type = 'DELIVER'
  SELECT 'person_id:'|| HR2.attribute2
  from ap_holds_all AH
  ,po_line_locations_all PLL
  ,hr_locations_all HR1
  ,hr_locations_all HR2
  where pll.line_location_id = AH.line_location_id
  AND pll.ship_to_location_id = HR1.location_id
  AND nvl(HR1.attribute1,HR1.location_id) = HR2.location_id
  AND AH.hold_id = :transactionId
  what may be the issue?

  Hi Surjith,
  Please look at the code I have written in the user exit, which is just for testing purpose. In SPRO I set workflow as 9 for all the release codes.
  IF i_eban-werks = '1000'.
    actor_tab-otype = 'US'.
    actor_tab-objid = 'S_RITESH'.
    APPEND actor_tab.
    CLEAR actor_tab.
  ENDIF.
  In PR I am getting the user name in processor coloumn correctly.
  please let me know if I am going wrong.
  Thank you.

• CUP 5.3 SP16, detour path for SOD violations doesn't exclude critical risks

  Hello,
  Has anyone else had this issue:
  If you set your configuration to not require mitigation of critical risks, but only SOD risks, the workflow detour path condition 'SOD violations' still triggers to go to the detour path even if the request only has critical risks. This is a bug in the workflow detour logic. First of all, CUP doesn't differentiate between SOD violations vs Critical Risks violations. If we only want the mitigation approver detour to happen for SOD risks, the detour seems to happen even if the request only has critical risks issue which doesn't require mitigation.
  Since our Approver determinator for SOX approval is the RAR Mitigation Control approver, the workflow detours to SOD violations path but doesn't find any mitigation approvers on critical risks and so goes to the administrator inbox as a approver not found issue escape route.
  If SAP gives the option to not require to mitigate critical risks under config>mitigation>uncheck mark  mitigation of critical risks not required, then the logic for detour also shouldn't happen for critical risks under 'SOD violations' condition. This doesn't make any sense why SAP has both in the same condition when one is clearly not SOD risks. Now our workflows keep failing bc of this bc we have several roles that might have a critical transaction or so, but we can't stop it from detouring even when we do not want them mitigated or approved for SOX stage. But we still need this detour path for additional approval for the actual SOD Risks.
  Will greatly appreciate any1's feedback on what they have done to resolve this.
  Thanks,
  A.

  I was actually able to resolve the issue by adding the role approver stage first to the sox approver detour path.. this way..if the manager has roles with sod violations and updates mitigations for it, it goes to the role approver via detour path as well first and then to the sox approver stage b4 auto provisioining. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour which also has the role approver as the last stage.
  Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.
  Requestor>Manager->Role Approver-->auto provisioning (without SOD violations)
  Requestor>Manager> Detour (Role Approver>SOX Approver)->Auto Provisioning (with SOD violations)

• Approval of PO by two approvers

  Dear experts,
  Our requirement is that we want the 2 approvals in the hierarchy for the PO. and the approvals are at the same level , there is no difference between these approvers.When PO is sent for the approval it goes to both approvers but the error is coming that when we click the button of aprove on the PO there is option coming that to whom you want to move the document? either approver 1 or approver 2 ? and if we select the approver 1 then the notification goes to only 1st one or if we select the 2nd then notification goes to 2nd. Is there any solution of it ?
  Edited by: jahanzeb qureshi on Jun 17, 2011 3:04 AM

  Following is the solution i can think of
  After first Approver approves the PO you can initiate the forward action from approver1 to approver2 or vice versa.
  Approving and forwarding the PO will change the status of PO to PRE APPROVED (after 1st approval)
  This will allow next approver (approver 2) to approve the PO from PRE APPROVED to APPROVED status.
  So you will have to create a logic to identify approver1 or approver 2 has approved the PO first and then forward it to the next person. this can be achived programatically or by modifying workflow.

• Mitigation in SAP GRC AC

  Hi all,
  Two questions regarding mitigation in SAP GRC AC:
  1)
  Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
  2)
  If WF  is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
  Thanks in advance. Best regards,
    Imanol

  Hi Imanol,
     Here is my response:
  1) Reading through the forum, we have seen that if monitor does not execute the report (action) within the frequecny set and alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or need to be triggered by executing alerts generation with mitigation flags set?
  You need to go to Alert Generation -> Select Generate Alert log, Control Monitoring under Action Monitoring and Alert notification.
  2) If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
  Yes, that is correct.
  Regards,
  Alpesh