Using HR Hierarchy to Route Access requests in AE 5.2 - Possible? How?

Similar Messages

• Can we add users to the 'Manage Access Request' field to process site access request in SharePoint Online?

  Hi,
  I have a requirement in which I have to assign couple of email ids to the "Manage Access Request" field to process site access requests. And, this is possible using server object model but I have to achieve this on SharePoint Online with the help
  of CSOM.
  There are two properties which control the access request configuration, first is "RequestAccessEnabled", a Boolean flag which turns on or off the access request feature for the site. The second property defines one or more email addresses where
  requests will be sent to. It is named "RequestAccessEmail".
  The above both properties are available for server object model but not for CSOM.
  So, is there any other workaround or way to achieve the sane in CSOM?
  Thanks,

  I don't think there is a programmatic workaround for SharePoint Online.  But the email address is just used for Notification.  Anyone with Manage Permissions can approve Access Requests.  If you create an email distribution list for the multiple
  addresses that should be notified you should be able to add the email address for the distribution list into the Access request email field using the user interface.
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• Can i use ipad as a mobile access point

  I have a ipad 3g model and wondering if i can use is as a mobile access point or is that only possible with an ipad2?

  It's not possible on either iPad - currently only the iPhone 4 and 3GS models can be used as mobile hotspots

• Win 7 Pro 64 occasionally fails to connect using IKEV2 to Win2008R2 Routing and Remote Access server

  I'm a networking guy and having this troubling VPM issue that I can't find.
  I have a number of VPN connections from my Win7Pro 64 PC to various customers.  Their end points are all Windows Routing and Remote Access on Windows 2008R2 STD servers.
  Every once and a while I will hang at Verifying User ID and Password and eventually get  ERROR 809. Change the security type on my VPN connection from IKEV2 to PPTP - never an issue, connects in right away.
  I can also try from another PC (at the same or alternate location) to get into that same server using the same credentials and access - no issue using either IKEV2 or PPTP.
  This has happened at various times to various customers. Here is what I know it is not:
  - Not the local or remote routers or Firewalls since I can always get in from other PC's going through the same network. Even so, tried rebooting all several times
  - Not an ISP issue at either end since I can always get into other IKEV2 servers from the same PC and from other PC's to the server I can't from my PC.
  This leads to the only logical conclusion.  It is something to do with my Win7Pro 64 PC but for the life of my I can not find it.
  I have obviously tried rebooting the Win7Pro PC. I have also tried recreating the VPN connection several times. Nothing.
  Help!

  Hi,
  I know that you've mentioned that it is not a issue about firewall or router settings, but this error usually comes when some firewall between client and server is blocking the ports used by VPN tunnel.
  so to allow IKEv2 traffic, please make sure to configure the network firewall to open UDP ports 500 and 4500, and to allow IP protocol 50.
  If that is not possible, deploy SSTP based VPN tunnel on both VPN server and VPN client – that allows VPN connection across firewalls, web proxies and NAT
  You can refer to this blog
  http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx
  Regards
  Yolanda
  TechNet Community Support

• I used to be able to access a site that I go to almost every day, Now I get Invalid URL The requested URL "/", is invalid. Reference #9.e452ccc0.1418310938.1ab

  I used to be able to access a certain website I goto almost everyday, by just finding the name in google search and clicking on the link found. Now for the past few days everytime I click on the link, I get this message:
  Invalid URL
  The requested URL "/", is invalid.
  Reference #9.f152ccc0.1418311273.10a6c886
  I tried going to the site from other different browers like google chrome, internet explorer and it still doesn't work.
  I cleared my caches, virus and anti malware checks.
  I even tried entering http:// before www and it still doesnt work. It gives me another message:
  Invalid URL
  The requested URL "/", is invalid.
  Reference #9.e452ccc0.1418311360.1ab2b938
  Please somebody help me
  Thanks

  I used a tracer;
  traceroute to revitcity.com (96.17.116.226), 30 hops max, 38 byte packets
  1 32.208.200.3 (32.208.200.3) 294.816 ms 69.444 ms 199.510 ms
  2 * 32.223.0.220 (32.223.0.220) 88.627 ms 20.079 ms
  3 32.223.104.37 (32.223.104.37) 23.946 ms 21.842 ms 32.223.104.33 (32.223.104.33) 72.087 ms
  4 ae4---0.car01.wlfr.ct.frontiernet.net (74.40.71.93) 81.267 ms 30.892 ms 76.408 ms
  5 ae6---0.cor01.nycm.ny.frontiernet.net (74.40.5.209) 118.819 ms 121.154 ms 88.931 ms
  6 * ae0---0.cbr01.nycm.ny.frontiernet.net (74.40.4.82) 23.539 ms *
  7 12.252.234.5 (12.252.234.5) 140.338 ms 12.252.234.13 (12.252.234.13) 114.809 ms 12.252.234.25 (12.252.234.25) 141.691 ms
  8 12.122.131.226 (12.122.131.226) 27.119 ms cr2.n54ny.ip.att.net (12.122.130.154) 26.317 ms 25.650 ms
  9 ggr7.n54ny.ip.att.net (12.122.131.93) 24.862 ms igs3.n54ny.ip.att.net (12.122.115.89) 23.760 ms 75.351 ms
  10 ae-15.r05.nycmny01.us.bb.gin.ntt.net (129.250.9.205) 23.138 ms 24.597 ms 24.173 ms
  11 ae-1.r23.nycmny01.us.bb.gin.ntt.net (129.250.4.68) 56.422 ms 35.363 ms 91.407 ms
  12 * * *
  13 ae-0.r23.asbnva02.us.bb.gin.ntt.net (129.250.3.85) 149.758 ms 156.189 ms *
  14 ae-1.r20.miamfl02.us.bb.gin.ntt.net (129.250.2.87) 154.165 ms 255.093 ms 242.591 ms
  15 ae-1.r05.miamfl02.us.bb.gin.ntt.net (129.250.2.185) 184.896 ms 182.873 ms 237.469 ms
  16 * a96-17-116-226.deploy.akamaitechnologies.com (96.17.116.226) 339.482 ms 262.937 ms

• Composite role not showing in Access request screen. (BRM not used)

  Dear All
  I have created a composite role in backend system with 2 single roles.
  a. I have imported the single roles using the NWBC screen.
  b. run the auth sync job.
  c. imported the composite role as a techincal role using the NWBC import screen.
  the import procedure was successfully completed.
  But when i try to search for the role in Access request screen for a user - i can only see the single roles & not the composite roles?
  Pls advise
  Raju

  Hi Raju,
  In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
  The final stage of the composite role has to be in complete status.
  Regards,
  Ameet

• GRC 10.1 - Routing at Request Submission in case of SOD violations

  I am trying to configure MSMP workflow or risks analysis while creating userid
  1. No Risks >> User created and access assigned automatically
  2. Risks found >> forward to security team to review and approve
  I have checked the standard functional module - GRAC_MSMP_DETOUR_SODVIOL cannot be used in AC 10.0 . This is  only be used as Routing Rule after first stage approval and at subsequent stages as per Note - 1783157 - Routing at Request Submission in case of SOD violations
  Can anyone advise the standard SAP delivered rule / functional module we can use in GRC AC 10.1 to achieve the outcome at the time of request submission ??

  Hi Anil,
  You have enable riak analysis at submission buy setting parameter and the need to have a first stage as dummy where risk analysis result can be analysed and have a detour at this dummy stage so that in case of risk request is forwarded to next stage.
  Hope that helps..
  Regards
  Ashish

• ARQ: Default Role Provisioning Problem in Access Request???

  Hi,
  This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
  MSMP Issue - GRC 10
  I have also followed the note#1616092  for configuring the Default Roles.
  I have performed below activities:
  1. Param#2009 = YES
  2. Param#2010 = 001
  3. Param#2011 = REQUEST
  4. Param#2013 = SYSTEM
  5. Param#2038 = YES
  6. Imported a test role and NO ROLE OWNER is maintained.
  7.In NWBC->-AM->RM, I maintained a test role as a default.
  Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
  The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
  May I know what I am missing here? Why I am getting error and how can I resolve it?
  Please advise.
  Regards,
  Faisal

  Hi Faisal,
  sorry for late resposne I was away traveling.
  default roles are being added by default to access request
  Yes, these roles are added to the access request.
  FN: OK
  and this roles are following your normal paths which I guess assumes manager and role owner.
  How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
  FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
  - request is going to detour path
  Does it answer my question?
  FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
  Deafault roles can have separate path (in my case) where only supervisor is approving it.
  Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER"  I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
  FN; correct
  It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
  Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
  correct
  If you do not have separate path - this role like any other will follow standard path you have.
  Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
  FN: good
  My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
  FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
  If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
  My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
  Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
  Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
  Are you asking for default roles?
  Please advise.
  Regards,
  Faisal

• Access Requests Not Sending Email

  Hi Everyone,
  We are having issues with access requests not sending in our new SP 2013 deployment.  All other emails are flowing properly including workflows, alerts and denials for the access requests.  We have verified that the addresses populated
  in the access request can receive email and have tested with multiple accounts and DG's. 
  We were receiving files in the badmail folder on our SMTP Relay every time there was an access request sent.  The error was 5.7.1 Client does not have permissions to send as this sender.  We updated the relay to allow for anonymous access
  in the access and delivery sections and added the WFE as well as the SMTP relay and App servers to the smarthost exception list.   After performing this action, we no longer see badmail files populating, but we are still
  not seeing the access requests coming through.
  Any assistance or guidance on why these emails are not coming through would be greatly appreciated.  Please let me know if I left anything out that could be helpful in solving this issue.
  Thanks,
  Dan

  We had this same surprise issue when we upgraded to SharePoint 2013 from 2010. In SP2013, the access request is being sent as the authenticated user of the SharePoint site that is requesting the access. While this makes it easier to reply to the user instead
  of having access requests coming from the general account specified in Central Admin, it breaks all other outbound emails if you're using an authenticated account on the SMTP server. Unfortunately, we need certain email groups to be restricted to authenticated
  users being able to send to them. This prevents the public from spamming one of our groups. Is anyone aware of a way to have access requests get routed to a different SMTP server than all other outbound emails? Or switch it back to all request coming from
  the general SharePoint outbound email account. When you try to route them through the authenticated SMTP it chokes on the mail because the person submitting the access request isn't authorized to "send as" the authenticated account the SMTP relay
  is configured to use. I've seen a work-around where users can be granted the right to send as the account used by the SMTP server, but that doesn't really scale well with almost a thousand users. 

• Split of an Access Request in GRC

  Hello GRC Experts,
  I have a following issue in my MSMP workflow:
  I have created a MSMP workflow using detour Rule GRAC_MSMP_DETOUR_SODVIOL ar first stage. If an Access request contains SOD violations the request should be routed to Security stage. If works fine so far, but with one exception. We have requests which contain three roles, two of them have SODs and one is clean. I expect that only two roles which contain SOD should be routed to SOD path, and the role which is clean should go the normal path (No SOD path). However I am facing the situation that the whole request is routed to the SOD path and Security stage.
  Do you have any idea how to solve this issue?
  thank you in advance
  best regards
  Sabrina
  Here are the screenshots from the MSMP workflow

  Hi Sabrina,
  we had exactly the same challenge - this is how we solve it:
  - check parameter: 1073 Enable sod violations detour on risks from existing roles (recommended YES)
  - routing level - make sure the stage settings (where your routing rule is executed) are set to "line item level" under MSMP Workflow configuration / Maintain paths/ maintain stage settings
  Hope this helps,
  Filip

• Site Access Request EMail not being sent

  Like others, my Access Request email messages aren't going out. I've read numerous blogs and such about this, but haven't found anything that is quite fitting my happenings.
  I'm using IIS 6 SMTP server on my SP server, Incoming Mail is configured as Advanced Mode, sites can receive mail (and some do and it works), No on SharePoint Directory Management Service, incoming email addy is configured and the e-mail drop folder is c:\inetpub\mailroot\drop.
  Outgoing mail points directly to my Exchange (2007) server, from and reply-to addys are configured, char set is 65001.
  As with others, outgoing email from SharePoint, other than access requests, is working. I get plenty of notices about documents changing, alerts, etc. But the alerts from Access Requests aren't going out. I found one blog somewhere that mentioned permissions
  to the \inetpub\mailroot folders, so I searched my ULS logs for system.net.mail issues, found one where it had an error about insufficient permissions to the \inetpub\mailroot\drop folder. Okay, seems odd, but what the heck, give it a shot. I grant some permissions
  to the drop folder and, surprise, the Outgoing Access Request EML file is dropped in the drop folder!
  But why? It should be going out to my Exchange server! I look in the message, there aren't any routing headers in the message indicating that it even tried the Exchange server, much less got bounced back to SP from Exchange. If I manually copy the EML file
  to the Pickup folder - off it goes and is properly mailed to my Exchange account.
  I don't get it.
  Thanks in advance,
  Steven

  Never mind. Stupid stupid stupid dumb dumb dumb...
  My IIS 7 .NET SMTP settings were to configured to drop outgoing mail in the DROP folder. Changed this setting to the Pickup folder and it starts working.
  Sorry for the interruption, now back to our regularly scheduled emergencies...
  Steven

• HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

  hi sap gurus,
  i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
  SAP_GRAC_ACCESS_APPROVER
  SAP_GRAC_ACCESS_REQUEST_ADMIN
  SAP_GRC_FN_BASE
  SAP_GRC_FN_NUSINESS_USER
  and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
  but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
  the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
  can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
  I will be very much thankful if you guide me successfully.

  Hi Colleen,
  thanks a lot for your time.
  PIC1: I created one user: GR_AR_APP001
  and assigned all the GRC ROLES.
  PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
  PIC3: I created one EUP 980 (copied from default EUP)
  PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
  PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
  PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
  PIC7: I saved agent id
  PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
  PIC9: I saved
  PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
  PIC11: Maintain Route Mapping, I clicked on next
  PIC12 and PIC13: I saved and activated.
  After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
  now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
  please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
  thanks for your support Colleen.

• How do I use a netgear N600 router with Infinity 1

  I have searched various forums etc. with mixed success so am hoping that someone here can give me an idiot's guide to connecting to the internet using my netgear N600 router rather than using the BT Homehub 5. BT say that I can do it (despite my router being set up for ADSL and the HH5 being set up for VDSL) but that they can't tell me how! They sent me an email with various details I would need but I can't see where most of them need to be added when I connect to the netgear set up wizard. What I could see I filled in but when I tried to connect the netgear genie told me the ADSL cable wasn't connected. Can anyone give me a step by step guide of what to do please? I would be very grateful. Thanks 

  nicolawatt wrote:
  I just have the homehub 5 - I have seen various complicated descriptions elsewhere explaining how to use the HH5 as just a modem or how to just connect directly with the Netgear but all have been a bit over my head!
  The HH5 cannot be used as a stand alone modem. You could use the Netgear as a simple wireless access point, but you would lose most of the functions, and would be better off using a proper wireless access point.
  You cannot use the Netgear as a router, without a modem.
  There are some useful help pages here, for BT Broadband customers only, on my personal website.
  BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

• How to delete i.e. clear the pending access requests list from Access request page in SharePoint 2013

  Hi Team,
  I am site collection admin of a SP13 site. The issue is we have added some of the users manually after we got requests from them for site access. But this has left those users as pending on Access requests page. We don't want that list to stack up.
  I can not decline those requests as those users will be notified with declined mail. I searched for clearing the list of those pending requests but did't find any guidelines for this. 
  Is there any way I can do this. Any help is appreciated thanks in advance  

  You might consider using PowerShell to remove unwanted items from the "Access Requests" list of the web site.  This list holds all of the access requests including pending, declined and approved.  The following example demonstrates removing
  the first item from the list.  Please note, I'm not aware whether or not there are any negative side effects to removing items from this list so doing so would be at your own risk.
  $web = get-spweb https://yoursharepointsite
  $list = $web.lists["Access Requests"]
  $list.items[0].delete()

• Access Denied Error while accessing "Site Settings Access requests and invitations"

  Hi,
  I am getting Access Denied Error while accessing "Site Settings > Access requests and invitations" in SharePoint  2013 online. Currently I am the owner of the site and have "FULL CONTROL" access. I am able to access using
  site collection account. So, what permission I have to give my regular account to access this page?
  Thanks, Pal

  Hello,
  Have you recently changed the Owners group of the site collection or removed the user from the original owners group? 
  The reason I am asking is when the Access requests and invitations list are created, the permissions are given only to the default owners group at the time that the Access Request list was created.  If this "regular account" is not part of that owners
  group, the user will receive access denied.  Site Collection Admins always have permissions for the Access Request List.
  A workaround for the Access Denied issue is listed in the KB article http://support.microsoft.com/kb/2911390/en-us.  By giving the correct group or user the permissions to this list, the users will not receive
  the Access Denied issue anymore.  
  Preferably, in order to grant the user the full permissions ( you will see features like resending invitations may still fail after implementing the above workaround) there is one other workaround that may be required depending on what the original issue
  was.  Below are additional steps to restore full functionality.
  1)Access the /_layouts/15/permsetup.aspx of the site collection, make sure the default Owners Group
  is set correctly.  (There is a group selected)
  2) Add user to that Owners Group.  (Issue may be resolved at this step if the site collection Owners
  Group was never changed, if not continue to next step.)
  3) Implement workaround on http://support.microsoft.com/kb/2911390/en-us, by adding that owners
  group as Full control on Access Request list Permissions.
  Let me know how this works out for you.
  - Shpendi Jashari