cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC - Restricting owners and controllers from approving own requests

Go to solution
Former Member

on ‎09-26-2014 6:34 PM

0 Kudos

Hi Everyone,

We are implementing GRC 10.1. I have the SAP_GRAC_ACCESS_REQUEST and SAP_GRAC_FIREFIGHT_LOG_REPORT workflows working as expected except for one issue.

I am unable to restrict users from approving their own requests and FF id activity.

I wanted to create a condition in the workflow to  cancel whenever approver = user but couldnt figure out how to add the user value to the condition.

I have an option to add the workflow initiator but if i do that this will fail when we have someone else requesting a ff id for the user who is also the approver for a ff id.

Any ideas?

Please advise.

Sushni

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member204479
Active Participant
‎09-28-2014 5:49 PM
0 Kudos

Hi Sushni,

You might want to try controlling this through the field 'Approve/Reject Own Requests' in the EUP from SPRO. Maintain the value as NO for this.

You might want to create EUPs for FF owners and controllers with this field as NO. And then maintain the EUP number in the stage task settings of the MSMP workflow.

Thanks

Sammukh

Show replies
Show replies
Former Member
‎09-29-2014 2:52 PM
0 Kudos

Hi Sammukh and Neeraj,

Thank you for that information!! That fixed my issue when I entered the EUP value in the  access request workflow.

Is there anything that can be done to restrict controllers from approving their own FF id activity?

Sushni

Answers (3)

Answers (3)

former_member193066
Active Contributor
‎09-29-2014 1:20 PM
0 Kudos

Use BRF+ that might solve your issue.

There is similar thread hint is for managers .

you can use same logic creating DBlookup and achieve it.

Regards,

Prasant

Show replies
Show replies
Former Member
‎11-03-2014 1:09 PM
0 Kudos

Hi All,

I have a similar requirement for SPM Log Review workflow in GRC 10.1

If the controller is the Firefighter, then system should not allow him/her to approve/reject the Log.

Please help me to achieve this.

Regards,

J

Former Member
‎09-27-2014 12:51 AM
0 Kudos

Hi Everyone

Also, does any one know how to prevent Controllers from approving their own FFid activity.

Thank you.

Show replies
Show replies
kevin_tucholke1
Contributor
‎09-27-2014 1:08 AM
0 Kudos

In EAM, the system should already prevent you from being the Owner or Controller of a FF ID that you are assigned to and vice versa.  This is built into the tool.

If you have been able to do this, you have an issue in your system.  You issue is not being able to approve their own activity, the issue is that you have is in the assignment of FFID between FF ID Users and the Owners/Controllers.

Thanks.

Kevin Tucholke

Principal Consultant

SAP America.

Former Member
‎09-27-2014 2:45 AM
0 Kudos

Hi Kevin,

Issue 1:

Are you refering to the restrictions based of the parameters 4013 and 4014

I understand that these parameters can restrict owners and controllers from approving their own FF id requests. We have that enabled and it is working as expected but in GRC 5.3, which we used until now - owners were able to request ff ids that they owned but were just unable to approve it - the delegates in this case would approve it. I am not able to achieve the same here. Please advice.

Issue 2:

Is there a way we can restrict controllers from approving their own FF id activity ? The idea is to let the back up controllers approve the activity instead of the controller who is also the user in this case.

Just to make sure I understand what you said correctly - Are you proposing that we need to just make sure users dont use the FF ids that they are the controllers for ?

Thank you

sushni

kevin_tucholke1
Contributor
‎09-27-2014 3:02 PM
0 Kudos

Sushni:

Those parameters restrict which IDs the owner / controller can SUBMIT request for, not the approval.

As the functionality is designed, when you have a FFID in the systems, and UserA is the owner and/or the controller, the system should NOT allow assignment of that FFID to UserA as he/she would be the one to approve assignment or approve the log workflow.

You should not have to make sure that users don't use FFIDs they are owners or controllers of as the system is designed to disallow that situation.

Unless I am missing some information, this is how I have understood EAM is working and has worked for quite a while.

Thanks,

Kevin Tucholke

Principal Consultant

SAP America

Former Member
‎09-27-2014 3:52 PM
0 Kudos

Hi kevin

Sorry your right these parameters 4013 4014 restrict owners and controllers from submitting ffids they own.

Your right 5.3 always automatically restricted approvers from approving their own requests. I dont remember doing anything additional to make that work. In 10.1 however they are able to approve their own.  Can you think of anything I can check in the config to see what is wrong.

Thank you.

Sushni

former_member204204
Active Participant
‎09-29-2014 1:18 PM
0 Kudos

HI,

Please check the below blog.

http://scn.sap.com/docs/DOC-55401

Regards,

Neeraj

Former Member
‎09-26-2014 7:56 PM
0 Kudos

Hi Sushni,

You can refer note# http://service.sap.com/sap/support/notes/1659219

Kindly let us know whether or not this helps to meet your needs.

Regards,

Ameet

Show replies
Show replies
Former Member
‎09-26-2014 8:34 PM
0 Kudos

Hi Ameet,

No this will not help our situation because we want to approvers to be able to submit FF id requests for the Ids they own but we want only their delegates or backup approvers to be able to approve it.

Thank you

sushni

Ask a Question