cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

In ARM, while creating a new/change request, roles are not added.

Go to solution
former_member339174
Explorer

on ‎2015 Feb 12 8:36 PM

0 Kudos
2,266

Hello Gurus,

I am implementing SAP GRC 10.1, in which I have encountered this issue in ARM whenever I am creating a new/change request, the new user is been created but the assignment of the roles to this new user is not done. The roles for the new user is empty.

FYI, in MSMP i have defined an agent ID as pfcg user groups, so basically it means all the approvals will come to the users who belongs to the user group and as a approver i m going into the inbox and approving the request and the request has been successfully processed and the new user has been created but the role is not assigned to him.

Please help.

Thanks

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (1)

Accepted Solutions (1)

former_member339174
Explorer
‎2015 Feb 24 9:09 PM
0 Kudos

Hello all,

there was an authorization for WF-BATCH user.

Show replies
Show replies

Answers (6)

Answers (6)

former_member339174
Explorer
‎2015 Feb 17 7:46 PM
0 Kudos

Hello All,

Can you all please confirm the actions in Request type?

The following screenshot is the list of action in Request type in my system, I dont see anything as Assign Role.

Show replies
Show replies
Former Member
‎2015 Feb 18 10:30 AM
0 Kudos

Hello Feroz,

  • Did you upload roles into BRM?
  • Did you set the status of the roles to production?

regards

deepak m

former_member204479
Active Participant
‎2015 Feb 18 12:57 PM
0 Kudos

Raj, Deepak,

If the roles are not uploaded in BRM or the status is not production or provisioning is not allowed ... the Roles would not be available for selection in the access request form itself, right?

But from the audit log it does look like the role was added to the request and submitted.

Feroz,

Action "Assign Objects" implies for roles and ff IDs/roles. There is no separate action called "Assign Roles".

Thanks

Sammukh

rindia
Active Contributor
‎2015 Feb 18 1:40 PM
0 Kudos

Hi Sammukh,

If provisioning Allowed is set to NO then in Access request this role will not be available to add in Access request form..

If Allow Autoprovisioning is set to NO, then it is available to add in Access request but upon approval this role will not be provisioned.

Regards

Raj

former_member339174
Explorer
‎2015 Feb 18 7:07 PM
0 Kudos

Deepak,

This is what i made changes to and yes i did imported all the role through BRM

former_member339174
Explorer
‎2015 Feb 17 7:41 PM
0 Kudos

Hello All,

This is what i found in SWIA, any idea what exactly is related to?

Show replies
Show replies
rindia
Active Contributor
‎2015 Feb 13 9:14 PM
0 Kudos

Hi Mohammed,

Have a quick check on these:

1. The value for Provisioning Allowed, Allow Auto Provisioning should be "YES" for a role.

NWBC - Role Management - Role Maintenance

2. In IMG are there any entries maintained in "Maintain System Provisioning Configuration" for your connector. If yes then check the value of Auto Prov.

The above entry will override the entries of "Maintain Global Provisioning Configuration".

Path: SPRO - IMG -GRC - AC - User Provisioning - Maintain Provisioning Settings

Regards

Raj

Show replies
Show replies
Former Member
‎2015 Feb 13 7:30 PM
0 Kudos

Hi Mohammed,

You have to take care of 3 aspects in this case:

1) As our friends mention check the request types activated in the process id Access_Request. Path is SPRO > SAP REF IMG > GRC > AC > User Provisioning > Define Request Type

Activate the request types - New Account, Change Account, & Assign Object. If you activate these requests in 3 different descriptions then ensure to activate all the 3.

2) In Auto provisioning settings check the provisioning settings as: End of the Request or Path

Also ensure to take care of other steps like provisioning type combined/ direct etc.

Path is: SPRO > SAP REF IMG > GRC > AC > User Provisioning > Auto Provisioning Settings

3) Important step is ensure to set the request field as system & role in the stage settings maintained in the path linked to this request at Maintain MSMP Workflow  

SPRO > SAP REF IMG > GRC > AC > Workfllow for access control > Maintain MSMP Workflow


If problem still persist may come back with more information. Please update how once it get fixed.


Thanks,

Sirish

Show replies
Show replies
former_member204479
Active Participant
‎2015 Feb 13 8:59 AM
0 Kudos

Hi Mohammed,

Can you check in request types (SPRO -> GRC -> Access Control -> User Provisioning -> Define Request Types) for new account and change account request types. If they have action "06 - Assign objects" added to them?

And yes, as Alessandro mentioned further information would be helpful!

Thanks

Sammukh

Show replies
Show replies
former_member339174
Explorer
‎2015 Feb 17 6:42 PM
0 Kudos

Hello Sammukh,

Earlier i only had Create user and Assign Object assigned to the New account Request type but today i have added Change user object as well.

alessandr0
Active Contributor
‎2015 Feb 13 8:14 AM
0 Kudos

Dear Mohammed,

can you share the provisioning log, SLG1 and STAUTHTRACE. Strange behaviour and without the proper information difficult to help.

Regards,

Alessandro

Show replies
Show replies
former_member339174
Explorer
‎2015 Feb 17 6:38 PM
0 Kudos

Hello,

here is the SLG1:

FYI,

In MSMP my client is using SAP_GRAC_ACCESS_REQUEST and not other Process ID and i dont think i even generated the other Process ID.

Quick Question: Do i need to generate SAP_GRAC_ROLE_APPR Workflow for Role assignment in the New account (SAP_GRAC_ACCESS_REQUET)??

Ask a Question