V5.3 Approvers approve request they submitted

Hello Experts,
We are currently using GRC CUP v5.3 SP0.
Approvers continue to be able to approve the same requests that they submitted. We were under the impression that v5.3 would prevent this from happening.
"Approval of the request: Whenever a request is in approval phase, the system validates if the approver and requestor are same. If so, it displays an error message." (Page 22 of GRC Access Control v5.3 Release Notes 2009-Sep).
Is there a configuration item we are missing?
Thank you!

Hello,
Thank you both for your replies.
I have configured this setting before and set it to:
Configuration Tab --> End User Personalization
Field Name: Approve Reject Own Requests
Mandatory: Not Configurable (defaulted to No)
Editable: Not Configurable (defaulted to No)
Visible: Yes
This setting affects a user's ability to approve access requests about him. (Mary submitted a request for John and John can't approve the request).
The release notes suggest that we would be able to prevent the requestor from approving the request he/she submitted. (Mary submitted a request for John and Mary can't approve the request for John).
Are there other configuration settings we are missing?
Thanks!

Similar Messages

Sending Approval Request to multiple Approvers

Hi All,
I'm facing problem in sending Approval request to multiple approvers.I have List of accountid's to which approval Requet has to be sent.I tried giving multiple id's in the "Owner" field of mannual action, which is not working.can any one let me know how to implement this.
Thanks

Hi,
I used multi approval subprocess, this is the code that i have used
<Action id='0' process='Configuration:Multi Approval'>
<Argument name='approver'>
<ref>$(approver)</ref>
</Argument>
<Argument name='approvalForm'>
<ref>New Profile Request</ref>
</Argument>
</Action>
but im unable to get the approval request in the corresponding Administrator approval list.

GRC10 Access control-how/where to check if an approval request email was sent?

Hi experts
Please could you let me know how/where to check if an approval request email was sent?
I some approvers complaining that they havent received the approval request email from GRC.
Please advise.
Thanks
Ran

Hi Ranjit
I tested it as well by stripping the access back and then used STAUTHTRACE (much nicer than ST01). You are right - it is asking for S_DEVELOP 02 DEBUG
METHOD check_admin_auth .
   DATA: lo_message_manager TYPE REF TO if_wd_message_manager,
       lo_api_controller TYPE REF TO if_wd_controller,
       lr_auth_node TYPE REF TO if_wd_context_node.
   lo_api_controller ?= wd_this->wd_get_api( ).
   lo_message_manager = lo_api_controller->get_message_manager( ).
   lr_auth_node = wd_context->get_child_node( name = 'AUTH' ).
   TRY.
       cl_grfn_msmp_authorizations=>check_sap_debug_authorization( ).
       lr_auth_node->set_attribute(
          EXPORTING
            value =     'X'
            name =     'CAN_RUN'
     CATCH cx_grfn_msmp.
       MESSAGE e197(grfnmw) INTO cx_grfn_msmp=>m_msg_str. ----> E197 (GRFNMW) matches the error msg
       lo_message_manager->report_t100_message(
    METHOD check_sap_debug_authorization.
   AUTHORITY-CHECK OBJECT 'S_DEVELOP'
             ID 'DEVCLASS' DUMMY
             ID 'OBJTYPE' FIELD 'DEBUG'
             ID 'OBJNAME' DUMMY
             ID 'P_GROUP' DUMMY
             ID 'ACTVT'    FIELD '02'.
   IF sy-subrc NE 0.
     MESSAGE e219(grfnmw) WITH sy-uname INTO cx_grfn_msmp=>m_msg_str.
     grfnw_msmp_raise_msg: cx_grfn_msmp_no_authorization.
   ENDIF.
ENDMETHOD.
I recommend raising a customer incident with SAP to get their input as I don't think DEBUG should be necessary for MSMP Instance Runtime - and then let us all know the outcome
Regards
Colleen

Sending manual Approval Request to multiple administrators

Hi,
I have a workflow which is having an Manual action that sends Approval request to the 'Owner' , specified in that action. I can give only one value for the "Owner" field, now my problem is, i need to send this approval request to multiple owners. can any one help me in this.
thanks

im getting
java.lang.NullPointerException
while doing the above.My multi approval xml is
<Action id='2' process='Configuration:Multi Approval'>
<Argument name='singleApprovalProcess' value='Approval'/>
<Argument name='approvers'>
<List>
<String>100200300</String>
<String>200200200</String>
</List>
</Argument>
<Argument name='approvalForm' value='New Profile Request'/>
<Argument name='style' value='first'/>
<Argument name='approvalTemplate' value='E-mail to administrator'/>
</Action>
Pls help me

Application Approval Request Permissions

I'm trying to setup a Security Role that allows our Service Desk to approve application requests. From what I've read, all I need is Application Read and Approve. When I apply those permissions in RBA Viewer, it shows that the user should be able
to see the requests and approve/deny, however when I have a Service Desk user test this, they are able to see the Application Management module but they do NOT see the requests.

Nevermind, I realized what was wrong. The Application did not have the correct Security Scope for the Service Desk selected. Once I set that correctly, I was able to see the Application and see the approval request.

Approval request escalation

Hi Guys
I am looking to fulfill the following requirement:
1. When a request is submitted for access to an application , the request is assigned to the requested user's manager. This is fine.
2. When this is not approved for 2 days send a reminder- Should I use scheduled task to figure this out and send emails?
3. When the request is still not approved escalate the request to approver's manager . Should I use scheduled task and API to perform this?
4. The request must be rejected finally if no action is taken?Should I use scheduled task and API to perform this?
Can such things be done OOTB in OIM?Or should I go for scheduled task?
I am using OIM 11.1.1.3. You can also let me know how can this be done in OIM9.x
Regards
user12841694

Alabhya Goel wrote:
Hi,
1. No, you need not to write any operation. OOTB it will escalate to approver's manager.
2. There are some system configuration properties like Day Limit Set for Request Reaise by You,Day Limit Set for Request Reaisefor You,Pending task limit in months. Try with first two properties. you need restart the server when you modify the property. You can try with Duration column in Task General tab but not sure about it. Try to modfiy the system configuration and test.
Let me knwo the results...
Regards
Alabhya GoelHi Alabhya
Day Limit Set for Request raised by You,Day Limit Set for Request raised for You , such system properties are not available with 11g. unfortunately , I couldn't verify with OIM9x.
I still have to test duration for auto rejected the request.Anyways thanks for you help.
Property to indicate day limit set for pending approvals
Used prior to implementation of the Separation of active/non-active task feature to specify the duration for which the pending approval tasks would be fetched. Used at the API level to get the Pending approval related counters.
+ +
XL.OpenTask.DayLimit 30
how can this be used?
Regards

Unable to run extended Approve Requests Application from Launchpad

We are implementing the approve request application for custom workflows and we have set up our eclipse environment and made the necessary changes to run our application locally in the Fiori Sandbox provided as part of the UI5 toolkit. We have extended the application by creating an extension project and fiori extensions in this extension project.
We are able to run this extended application also in the Sandbox and test it there.
When we upload the extended application to the ABAP server and change the URL in the Launchpad transaction LPD_CUST to point to the extended application we are getting an error.
I suspect it is related to how we have set up our component.js file for the extended application since it is responsible for merging the extended application with the parent one at runtime and displaying the extended application.
The error I am getting in the console is
Error - found in negative cache: 'cross/fnd/approve/requests/Component.js' from /sap/bc/ui5_ui5/sap/yca_all_apve/Component.js: TypeError: Cannot call method 'extend' of undefined core.js:78
u core.js:78
error core.js:78
sap.ui.controller.openApp core.js:663
sap.ui.core.EventBus.publish core.js:307
sap.ui.controller.openSomething core.js:663
f3 core.js:55
n core.js:55
o.fireWith core.js:55
o.fire core.js:55
(anonymous function) ushell-preload.js:45
(anonymous function) core.js:439
n9
Has anyone run into similar error and found a resolution?
Regards
Puneet

I'm sorry I can't help, but you might be better of posting this in the Reports forum at Reports

Error in RAR while approving request from CUP

Dear GRC Gurus,
I am getting error while approving request in CUP for RAR. Checked the related threads for this issue but still not getting any solution.
Connectors are working fine. Also web service URL is maintained correctly and password for the same is working fine in backend.
Error message is
Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.rmi.RemoteException:
Pl help.
Regards,
Muskaan

Hi ,
You need to clarify what you are trying to do, type of request, timeout time, moment it fails...
If you are referring to the RAR SOD web-service call from CUP, the timeout defined may be too short, problems on the web service/backend connectors configuration or performance/resources available. I advise you to see the SAP Notes below.
Troubleshoot issues with risk analysis, see the SAP Notes 1136379, 1049058, 1145700, 1234807, 1085586, 1061088, 1003239, and 1166368.
This is the most common issue between CUP and RAR when running the SOD analysis, and some times the only solution is to improve the performance of the server with more memory/processor.
Regards,
N

How to get details of Pending Approval request in OIM 11g R2?

Hi,
We need to find out following details from Pending Approval Request in OIM 11g R2 -
Request ID,Assignees,Requested Resource Name, Title of Request, Beneficiary, Status of Request.
Out of above attributes we could find out Assignees, Title of Request, Status of Request, Beneficiary, etc. But we are not getting Request ID and Requested Resource Name.
We have used API - 'IworkflowServiceClient'
If we use API - 'RequestService' then we are not getting Assignees and Resource name from Pending approval request.
Can any one suggeste how can we get these details? Do we need to use other API or other alternative to get all of attributes from Pending Approval Request.
Thanks.

Thanks Kevin for your suggestion.
In OIM 11g R2 I tried task.getIdentificationKey() to get Request ID and task.getSystemMessageAttributes().getTextAttribute6() to get requested resource name but I am getting null values out of it. Is there something I am missing?
Which common thing I can use to retrieve data from both OIM and SOAINFRA? As I am not getting Request ID from 'IworkflowServiceClient' API so I could not use it to earch request in OIM using 'RequestService'. Even if I have to use query what will be common thing I can use to fetch data from both tablespaces?
Thanks.

GRC AC 10 Show approved requests in work inbox

Hello,
Is it possible to show approved requests in work inbox?
Denis.

Hi Victor,
No, there are no such tables which could give the relations between the ARM requests and the corresponding violations.
You have only one option; like Neeraj suggested, run the reports for this need.
Regards,
Ameet

Role info not appearing once role assignment request is submitted from UI

Hi Everyone,
We have a strange problem in our project in IDM 7.2 SP8 where IDM role concept is used which contains privileges (could be role/profile) of backend systems.
Usually when ever a role (i.e IDM role) assignment request is submitted from UI, the activity with the associated info (like user details, role details, audit ID) should be stored in MXI_LINK table from where the info will be fetched and used in next stages of the processing
Even though the information is getting available for most of the cases for all users but some times for few users once the role assignment request is initiated from UI there is no info is getting available in MXI_LINK table corresponding to this activity which is strange.
Because of this problem even though user submits role assignment request no role info getting passed to IDM, set to pending state for the user which is getting meaning of user not submitted any role assignment request at all.
Can any one suggest what are the things that gets involved between these two steps and any troubleshooting hints are highly appreciable.
Regards,
Venkata Bavirisetty

Is this a situation you recreate at will? In other words, is it always happening on the same users? If so, you could put a trace on that user's account then try to add the role and see what that trace log shows. Additionally, you could just follow the links in the chain of the various tasks that kick off when you do a role assignment and check each task / job's job log and see what that tells you. There's got to be an error somewhere along the way that's preventing this from executing properly.

ESS leave request workflow : not able to approve request

Hi experts,
When i create leave request, work item for approving request is not coming in the approver's bussiness workplace. I am using std workflow WS12300111. Is there any customization needs to be done ??
please help me
Pointes will be rewarded
Regards,
Sameer

Hi Samee,
Did you select General Task in the steps of workflow you have an agent?
Sónia
You have a chief position on the Organization Unit where you have the employees?
Sometimes it's possible to forget this one:
Transaction SWDD, select the workflow WS12300111 and press CTRL+F8 (Basic Data)
there's another button "Agent assignment for task" (SHIFT+F9)
set task to "General task" with the "Attributes..." Button. (EVERY user can start this task).
And check this to:
Using transaction SWFVISU, check the following entries and correct these where required:
TS12300097 Java WebDynpro APPLICATION LeaveRequestApprover
                 PACKAGE sap.com/ess~lea
TS12300116 Java WebDynpro
                 APPLICATION LeaveRequest
                 PACKAGE sap.com/ess~lea
(check this, because usually you have an error, instead of sap.com you have com.sap)
Register the work items again. Additional information about registering work items is available in the UWL documentation.
After re-register the System Alias again in the UWL - THIS IS VERY IMPORTANT
Edited by: Sonia Santos on Jan 28, 2008 12:49 PM
Edited by: Sonia Santos on Jan 28, 2008 12:51 PM

Is it true that apple approve that they are give the first 101,000 people to get a 5s or a 5c for free ?

Is it true that apple approve that they are giving the first 101,000 people to get a 5s or 5c for free ?

No, I meant ther source of the rumor, not how you read it. This should alert you not to believe everything you read from rumor sites. Believe even less if you are informed by third, fourth, fifth, etc. hand reports.

Ad hoc approval request in workflow

Hi experts,
Ad hoc approval request in workflow ,user should forward work item multiple times for different users . Ad hoc approval multiple times to the same or different employees. Could you please provide me steps by steps how I need to create ad hoc .

Hello Ganesh !
                Hope you want to define ad hoc agent agent assignment.
               If so, choose the activity step(the task's work item that you want to send) in workflow and from the menu take path : Extras -> Ad_hoc functions -> Enable the Adhoc Agent Assignment.
               In expression part , now you can find &Agent_0001.Agents& have automatically appeared.The one who want to start the workflow,can mention the SAP logon id of the agents to whom the work items needs to be sent.
Regards,
S.Suresh

Approval request autoescalation

The current scenario is like this.
User Self Registration -------(Request No:1 is send to Group 1 Users for approval )---------> Group1-----------(atleast one user approves ,Request No:1 is passed to Group 2 users)-----> Group 2.
I have achieved this. Now what I wanted is:
Even if the users from Group 1 doesn't approve the request for certain time peiord ,the request must be automatically moved from Group1 users to Group2 users.
What I need to do to achieve this.
I have tried with the escalation feature but i didn't know how to use it exactly.Anyways kindly help me achieving this.
Thank you.

Hi Thanks for the info. I have tried the approach.
Task Assignment adapter has two adapter variables - "Adapter Return value for key" ( Type - Object) and "Adapter Return value for key type" ( Type - Object)
1. I have added a task which invokes my custom java class method -- getApprover() - returns approver Name (User Id) -- String format -> I have mapped the output to adapter variable "KEY"
2. I have added another task which invokes my custom java class method -- getApproverType() - returns statuc string "User" -- String format -> I have mapped the output to adapter variable "TYPE"
I have attached this adapter to approval process with the mapping
Variable -Adapter Return value for key & Adapter Return value for key Type
Map To - Task Information
Qualifier - Note
When I request for the resource , the task assignment adapter assigns the approval request to the USER itself instead of the approver. Anything I am missing here??
Thanks & Regards
Inbaa

V5.3 Approvers approve request they submitted

Similar Messages

Maybe you are looking for