Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

No Approver found in the Access request for Risk owners?

Former Member

on ‎2018 Mar 20 9:05 AM

0 Likes
1,177

We are using class agent rule as per note: 1670504 . Request is taking the the SOD detour path and errors out as no approver found.

My request do have roles with risk and without risk .

i saw a thread which discussed about this , but didnt see a solution mentioned there

Any helpful inputs ?

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (3)

Answers (3)

sachin_awasthi2
Advisor
Advisor
‎2018 Mar 22 1:40 PM
0 Likes

Hi Sooraj,

For Access Request workflow process, when SOD detour condition is enabled and risks are found with the request, the request needs approval from respective risk owners. To configure this scenario, Risk owner agent is needed to be created. This agent is not part of shipped agents by SAP. The agent logic given below will create lineitem level agent i.e. only the roles which are having risks associated with them will be sent to their respective risk owners for approval. In case of Business roles and Composite roles this agent logic will send the Business role or Composite role to all the risk owners in the Business role or Composite role. So if there is some roles in request which don't have risk, then those roles will not be sent for approval to any approver and request will show 'approver note found' error.

Further information can be found in

1670504 - UAM: Risk Owner Wokrflow Agent - Class Based Rule

Regards,
Sachin

Show replies
Show replies
vijayakumarsuth
Product and Topic Expert
Product and Topic Expert
‎2018 Mar 20 4:42 PM
0 Likes

Hi Sooraj,

I would suggest you to review which role is pointing that approver not found, in case the message is from sod detour stage then, check (1) what is the rule used to determine the approvers and (2) if the role has valid risk owner because for sod detour path normal approach is to find the risk owners. I am sure, if you follow the mentioned points you will get clear lead on your next move.

Regards,

Vijay.

Show replies
Show replies
sreekanth_sunkara
Active Participant
‎2018 Mar 20 5:57 PM
0 Likes

Vijayakumar,

What is the best way to review the logs for such incidents, I reviewed the log from AL11 and also from DEBUGMONITOR but other than seeing the error msg: ZCL_GRAC_WFA_RISK_ONWER; no results retrieved and ZCL_GRAC_WFA_RISK_ONWER; returned 0 approvers. I am not seeing any further information.

Please let me know the best way to troubleshoot these kind of issues.

Thanks,

Sri.

vijayakumarsuth
Product and Topic Expert
Product and Topic Expert
‎2018 Mar 27 9:16 PM
0 Likes

In guess, you are using custom rules to determine the risk owner if so, you need to find what is the rule ZCL_GRAC_WFA_RISK_ONWER points to. If this rule is Function Module then I would suggest to test using TCODE SE37 or if it is class based rule then TCODE SE24 can be used to test the class methods

sreekanth_sunkara
Active Participant
‎2018 Mar 27 9:38 PM
0 Likes

Ok thank you.

Thanks,Sri.

Former Member
‎2018 Mar 20 3:55 PM
0 Likes

Hi Sooraj,

Here are the wordings from the SAP Note 1670504.

"So if there is some roles in request which don't have risk, then those roles will not be sent for approval to any approver and request will show 'approver note found' error "looks like its an expected error in your case as you do have some roles with no risks?

Thanks

Ramesh

Show replies
Show replies
sreekanth_sunkara
Active Participant
‎2018 Mar 20 5:51 PM
0 Likes

Ramesh,

I created BRF+ rule to detour requests with "High" risks / SOD conflicts to Risk Owner. But while testing i noticed the below. (we use Business roles just for provisioning)

1. Request with SOD violations are routed correctly to Risk Owners. Both New SOD violations by roles requested in access request and existing violations for the user that are not mitigated/requested are showing in the request (This is the standard behaviour as per SAP note 1939412).

2. Request that does not have SOD violations with roles requested in the Access request but having violations in the existing roles of the user that not mitigated are also routed to Risk Owners and getting "No approver found" error. If i submit the same roles/request to a user who does not have any violations, the request is correctly processed without routing to Risk Owner. I am not sure if Sooraj issue is similar to this scenario?

3. Request with "Medium", "Low" SOD violations in the roles requested via access request are also getting routed to RISK OWNER if there are any "High" Risks that are not mitigated and are in the existing roles of the user.

Parameter 1073 is set to no. But still Risks from Existing roles are also pulling in to SAP access request. I think this is because Risks that are not mitigated are considered as new as per SAP note 1939412

Please let me know how to get rid of the error in scenario 2.

Thanks,

Sri.

Former Member
‎2018 Mar 20 7:14 PM
0 Likes

Sri,

Its an expected behavior, risk is a risk(unless its mitigated) irrespective of the existing risk vs new risk.if you submit a new request with out any SOD's then its not routing to the risk owner.

Thanks

Ramesh

sreekanth_sunkara
Active Participant
‎2018 Mar 20 9:27 PM
0 Likes

Thanks Ramesh,

Correct, but my question why is my request going in to Error mode. I defined Risk owners for all the Risks and still it is showing no approvers found. Is there any limit on the number of Risk Owners that it is going to fetch/return? because the test request has more than 185 Risks.

I think what is happening in my case is that the BRF+ rule checks the results of Risk analysis in access request and routing it to VIOLATIONS path but then when retrieving the Risk Owners, the SAP standard ZCL_GRAC_WFA_RISK_OWNER rule is not able to fetch Risk Owners. I will try analyse more.

Thanks,

Sri.

Former Member
‎2018 Mar 21 4:16 PM
0 Likes

Sri,

185 unique risks or duplicate? I am guessing every risk got risk owner and the expectation that you are looking is if you have 100 unique risks with 100 unique approvers then it should generate 100 workflow for approval?

Thanks

Ramesh

sreekanth_sunkara
Active Participant
‎2018 Mar 21 4:20 PM
0 Likes

Ramesh,

2 same Risk Owners for all the Risks. I turned off the workflow for testing. So when Risk Owner opens the request they will assign Mitigation Monitors for those risks and approve the request. Is there any limit how many Risk Owners it can fetch?

I figured out the issue. The custom BRF+ rule that i created takes the risk analysis result for the user and not just for the roles requested (I do not know if there is a way to just run risk analysis only for the roles in the request). so the BRF+ with risk analysis result returned with result "VIOLATIONS". In my case since the user has some risks that are not mitigated so routed the request to RISK OWNER stage. But the roles requested in access request does not have any risks and the ZCL_GRAC_WFA_RISK_OWNER class returns the Risk Owners only for the roles that are in the Access Request and not for all the risks that are not mitigated. ZCL_GRAC_WFA_RISK_OWNER unable to find approvers as the Business role i requested does not have any Risks.

Let me know if i analysed it correctly. we do not want to create workflow for Risk approval as it will have a separate access request number and we cannot tie it to the current access request.

Thanks,

Sri.

Former Member
‎2018 Mar 22 3:16 PM
0 Likes

Sri,

I don't think there is any limitation on the how many risk owners it can fetch. You are absolutely right, if you submit a new user request you will not have a problem as the new user will not have any existing risks:) but if you try to submit a change request (existing user with existing risks which are not mitigated)then you will have the same issue(like I mentioned before risk is a risk).

Thanks

ramesh

Ask a Question