
HR Organizational Assignment Request

Former Member
0 Kudos

Hello Experts,

We are currently implementing position based security and were looking to use GRC 10's Org Assignment request to approve access to positions. We are using SAP GRC 10 SP11. I had some questions regarding the approval workflow:

1) Is it possible to set the approver as the role owner? We have tried mapping roles who have owners to positions, however, when we submit the request it does not seem to recognize the role as input and goes on directly to our security detour stage. Is there any way to fix this problem?

2) We have another problem, when the ZGRAC_SEC_DETOUR is taken, or when you assign a direct approver for this path, missing user detail error occurs when trying to approve the request. It is as though because we are using the SAP_GRAC_ACCESS_REQUEST MSMP Process ID for HR org assignment request, that the system is expecting user details to exist as part of the request even though this does not really apply to the type of request and is not even part of the request template. The error looks like this:

I have also tried to create an initiator rule using SAP_GRAC_ACCESS_REQUEST_HR, it takes the connector as input. I can simulate the rule in BRF+ and it gives the correct result "ZROLE_OWN_APRV" which is what I have mapped in MSMP, however when I try to submit the request it gives me a "cannot resolve path" error (as a side note, SLG1 does not give me any further information). Again, your help is much appreciated.

Accepted Solutions (1)

0 Kudos

Looks like there is an OSS note for this now.





1880914 UAM: Role Owner is not determined in Org assignment request

Answers (4)

Former Member
0 Kudos

Thank you Terry, the mentioned note was created to resolve my issue. Sorry for the late response.

Former Member
0 Kudos

Just to give an update, I have opened an OSS note with SAP and they are currently looking at the issue. I will update the thread once I hear back from them.

Colleen
Advisor
0 Kudos

Hi Christobal

For Point 1

I would assume so as the MSMP provides an Agent called GRAC_ROLEOWNER (function module GRAC_MSMP_ROLEOWNER_AGENT)



For Point 2 -

Is it possible to create a new EUP to switch off mandatory for User Details? Then for the MSMP Path/stage under the Task Settings you enter the EUP Value. If you go into "Maintain End User Personalization" and copy 999 to another value you will be able to edit which fields are mandatory.

For Point 3

  • Did you use "Define Workflow-Related MSMP Rules" in IMG to create the rule?
  • What is your BRFplus decision table logic?
  • How did you attempt to simulate the Function in BRFplus?
  • Do you have more than one rule result in BRFplus (if so, each must be in the Initiator Rule Result and mapped in the Routing section)
  • Have you checked your decision table to see if there are any unaccounted entries?
  • Did you replace the Global Initiator Rule in MSMP to be your BRFplus function instead of "GRAC_AR_INITIATOR"?

Former Member
0 Kudos

Hello Colleen,

I agree with you for Point 1, GRC provides GRAC_ROLEOWNER, therefore when I submit an Org assignment request it should be able to find the corresponding role owner for each line item and initiate the request. However, it does not.

I tried your point 2 yesterday and it worked, that cleared the user detail errors I was having.

I have not yet defined a BRF-Plus rule as I am not sure what the result would be. It does not seem to matter what initiator rule I use, when you submit a request of type HR organizational assignment it seems that the role owners cannot be found. So I could create one and assign a path to it but as long as the path leads to GRAC_ROLEOWNER it will not be found. I don't think creating an agent rule is the answer here as GRAC_ROLEOWNER seems to be what I need. Any thoughts?

Colleen
Advisor
0 Kudos

Hi Cristobal

Focusing on the Role Owner Rule - it seems if you can get this working then point 3 may not be necessary.

Have you tracked an example through to check what your Role Owners are for the example role - ZSI*xxx role in your MSMP example? For this

  1. Access Control Owner setup for Role Owner
  2. in BRM Role Definition, the Approver tab has a valid user with Role Assignment Approver Mapped?

If the above is in place, possibly put a break point on the function module and debug why it isn't finding the agent. You can debug from CL_GRAC_MODEL_ROLE > GET_ROLE_APPROVER

Former Member
0 Kudos

In regards to point 3 below

For Point 3

  • Did you use "Define Workflow-Related MSMP Rules" in IMG to create the rule

If we haven't done this before to configure BRF+ for Rule ID, can we do this later after configuring BRF+? I mean, once we have the Rule ID from BRF+, can we add this to the process ID SAP_GRAC_ACCESS_REQUEST_HR?

I have configured the BRF+ and when I use this Rule ID it is giving me an incompatible error for the Rule ID.

Appreciate your feedback

Former Member
0 Kudos

There is an update to this question,

For the second part of this question, the reason why User details error was happening is because the EUP mapped in my MSMP workflow for the SEC_DETOUR stage required those mandatory fields. I was able to create a new EUP template and assign it to the approval stages in MSMP workflow configuration and solved the problem.

Still, we would like to know why the HR Org assignment request cannot go to the role owner for approval. Do we need to create a custom initiator rule for this type of request? If so, how can I customize it so that the role owner has to approve the role assignment for the position?