Showing results for 
Search instead for 
Did you mean: 

AC10 - UAM : System approver

Former Member
0 Kudos


When I try to add a system and roles to an access request, I get an error in the audit log : no agent found. and the request is in error state.

this is caused by the system line item.

If I add only roles in my access request it's ok, approvers are find and approvers can approve.!

I use a msmp workflow based on the GRAC_MSMP_ROLEOWNER_AGENT agent rule.

any idea ?


Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos


You will need to create a BRF+ Initiator rule which looks at the combination of the Request type, Role Name and any other attribute you wish to determine the request path.

If the Line Item is a role, then direct the request to a path which goes to the Role Owner agent, but If the Line Item is not a role i.e. a System (the Role_Name column in the BRF+ rule would equal "Is Initial") then direct the item to the Agent to approve the system access (which could be the Security Admin, or a custom Agent).

With BRF+ , it is important to point out that you will have to map out every single possible permutation of the types of requests you wish to approve via UAM within the Expression, usually a Decision table.

I hope that makes sense.

Answers (1)

Answers (1)

Former Member
0 Kudos

Hi Aurelien,

if you don't have any systemID approver you can also use the routing ruleID "no roleowner". This ID also works for systemID approvers. That mean you can activate on the actual roleowner stage the routing.

Then route the line item "system" to an empty stage with automatically approval. (No_stage)

BUT that means that all line item (roles and systemID) on this stage without roleowners are automatically approved and provisioned.

So you don't have to create a new own BRFplus rule, if you want to use the workflow like that.

Hope this info helps.



Former Member
0 Kudos


If you are only going to have systems assigned to users given they need a role in that system, you can just create the requests without a system line item, given you have set the "Maintain Provisioning Settings" in SPRO as follows:

This should create a new account at the point of provisioning, should one be required.

But for completeness, to cater for System only access requests, I would still recommend utilising a custom initiator and different paths. I do not think creating a request for a System ID and having no approval for the request is a good idea. I am sure the SAP Support/Basis/Security team would want to know what ID's are being created within the SAP estate, especially for licensing purposes.

Former Member
0 Kudos

This is a scope definition and belongs to your company requirements and to your standard path!

If you, e.g. have a manager always at the first stage level, the request will be approved always. And the approval doesn't belong to the systemID/roleOwnerID (if it is the second stage approval)

If you have only one approval step by roleowner it is correct that you should use another path (or split the path via initiator rule) if only a system is add in the request.

I think this is a customer definition and you have several solutions to handle this scenario.

As mentioned above:

- provisioning settings configurations

- brfplus (initiator rule)

- brfplus (create your own routing role, if the routing should be on a specific stage)

- routing rule (no_roleowner)

Former Member
0 Kudos

I'm only giving my opinion from what I have seen at customers so far,  as I have seen many situations where regardless of which manager has approved the request in the beginning, chances are they are unlikely to know/understand the technical implications of what they are really approving, especially "System only" requests.

As you have pointed out, there are many tools and configuration settings available to cater for YOUR requirements, all it really needs is some quality planning and design time to map out what you want the GRC system to do.

All the best.

Former Member
0 Kudos

Thanks for your propositions

I will turn to the alexa's solution. It seems to be the easiest way and this is in line with customer requirement.

I hope I have understood correctly and now I have just to set up...